With Check Point's CloudGuard, customers secure their branch offices by routing source traffic through a VPN tunnel. Traffic then gets inspected by Check Point's cloud security service in order to ensure threat prevention, access control and HTTPS Inspection.
The protocol for the tunnels can be either IPSec or GRE.
There are some security implications when selecting GRE. Consequently, Check Point always recommends selecting the IPSec option.
GRE (Generic Routing Encapsulation) provides simple transport between 2 known endpoint IP addresses.
Unlike IPSec, there is:
- No encryption of the data
- No validation of the source and destination endpoints.
The fact that there is no encryption of the data results in exposing the internal IP addresses of the sender for any server that is a part of the traffic flow, in any protocol.
Another security risk is encountered when using non-encrypted protocols. In that case, the entire content of the packet can be modified by a middle-man, before reaching the receiver.
The fact that there is no validation of the source and destination endpoints could result in a spoofing attempt of the source IP. The receiver may attempt to reply to the sender, not knowing that the host matching the IP of the sender has never made such a request.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.