You'd think Check Point Software Technologies might be hitting its peak given that network security has become the top priority for so many IT shops. But the firewall/VPN company actually is facing some of its stiffest challenges.

Putting the pressure on Check Point are Alcatel, Cisco Systems and Enterasys Networks, which have introduced frameworks for safeguarding networks that involve embedding security enforcement in routers and switches. Separately, Juniper Networks spent US$4 billion to snap up NetScreen Technologies, one of Check Point's biggest rivals. Meanwhile, security software vendors Internet Security Systems, Symantec and others are offering firewalls and VPNs alongside applications such as anti-virus, intrusion prevention and intrusion detection.

As competitors have made their moves, Check Point hasn't sat idly by. In a departure from its history as a software-focused company, Check Point has rolled out a series of appliances to meet demand for simpler-to-implement security gear. And it has expanded its technology scope with two appliances to protect not only network perimeter and WAN connections but also Web and LAN traffic.

And earlier this year, the company acquired Zone Labs for US$205 million to obtain endpoint security technologies used for checking remote computers before granting them network access.

Still, the company was slow to get into these new areas and paid the price, says Jason Wright, program leader for security technologies at Frost & Sullivan. "In 2002 and 2003, they put out virtually no new products. In the past 12 months they've fixed that problem, but it cost them market share," he says.

Check Point's share of the firewall/VPN gateway market tumbled from 27 percent in 2001 to 19 percent last year, Wright says. The company is optimistic about coming back though, with a revenue growth forecast in line with the 19 percent growth expected in the VPN/firewall market as a whole, he says.

Fighting back

Since its founding in 1993, Check Point has been near the top of the firewall and later firewall/VPN market (Infonetics says the company is No. 3 behind Cisco and Juniper in the latest quarter based on sales). The company has sold its software directly to IT shops, which run the software on hardware the shops select, and to appliance makers, such as Nokia.

To keep itself among the industry leaders, Check Point annually has devoted at least 6 percent of its revenue on research and development, which Wright says puts it in about the middle of the range of what competitors spend.

It's the introduction of a series of new boxes over the past year that signals perhaps the biggest change at Check Point, which has maintained profit margins of 43 percent or better over the past five years by concentrating on software. These offerings include an Secure Sockets Layer remote-access appliance, a LAN firewall/quarantine device and a firewall/VPN box for small and home offices.

But the company isn't entirely out of the woods. By selling hardware and software, it is drastically changing the rules by which it does business, which affects its extensive and lucrative open platform for security (OPSEC) program. OPSEC partners include 3Com, NEC, Nortel Networks and Symantec, whose gear either incorporates Check Point technology or is certified to work with it.

The OPSEC partner most successful at putting Check Point software on appliances is Nokia, which sells enough of the boxes to rank fourth among firewall/VPN appliance vendors, according to IDC. But now that Check Point is selling appliances, it now competes with Nokia. "The partnership is wavering a bit," Wright says.

Initially the new Check Point appliances don't compete directly with those of its major hardware partners such as Nokia, but that inevitably will happen, says Jeff Wilson, director of research for Infonetics.

Check Point will need to do a good job maintaining relationships with partners as it goes about selling its own gear, Wilson says. That's because the company needs to strengthen its partnerships with network equipment vendors in the face of stepped-up competition from companies such as Cisco, Enterasys and Juniper, he says. "This is something they absolutely have to do," Wilson says.

Zeus Kerravala, vice president of network equipment for financial firm Detwiler, Mitchell, Fenton and Graves, says Check Point must ensure that its technology plays a key role in network equipment vendors' security schemes. "I think they become more 'Check Point inside,'" he says.

As Check Point integrates its technologies with those of others, it needs to make things easy for customers, says Joel La Calamita, manager of infrastructure and communications for the American Institute of Physics. He ditched Check Point-powered Nokia boxes after the two vendors couldn't figure out over an eight-week period why the boxes were acting up after an upgrade, he says.

"(Check Point's VPN-1/Firewall-1) is still one of the strongest products out there, but I didn't have the luxury to stay with it," says La Calamita, who switched to Juniper gear.

He says problem solving just became too complex given that a valued-added reseller, hardware company and software company all were involved.

If Check Point can resolve such issues, the company could continue its comeback from a revenue and earnings plunge suffered in 2002 alongside so many other IT suppliers.

"Check Point is an incredibly strong brand," Kerravala says.

But investors aren't giving the company a lot of wiggle room. Last month Check Point announced that it met its revenue goal for the second quarter, but its stock price immediately fell to US$17.70, its the lowest point this calendar year. Why? The company didn't break out separate accounting of revenue from the Zone Labs acquisition, and it projected slightly lower third-quarter revenue than some Wall Street analysts wanted to hear.