Software firewalls have lost favor recently because they require more administrative time in order to secure the underlying operating system. Additionally, the increasing use of VPNs (virtual private networks) has led to the need for faster performance, something that cannot easily be achieved by a software solution. To alleviate these problems, Check Point Software Technologies Ltd. began offering its Firewall-1 and VPN-1 software on a Nokia appliance, naming the combination the VPN-1 Appliance.
Check Point offers three versions of the VPN-1 Appliance. The VPN-1 Appliance 330 is an entry-level product for small businesses. The VPN-1 Appliance 440 and 650 products are more powerful and contain fault-tolerant hardware components and expandable interfaces that are ideal for larger, more complex environments. The 650 model provides more high-availability features than the 440, such as hot-swappable network interface cards, making it a better choice for mission-critical applications.
We tested the VPN-1 Appliance 440, which is an enterprise-class firewall and VPN. It is powerful and flexible in policy configuration, though more complex than some of the newer appliance products such as Netscreen. The management GUI is one of the best available. It is very detailed in its logging of all network activity passing through its interfaces, providing administrators with concise yet thorough information about security events.
For deployment and configuration, Check Point's VPN-1 Appliance 440 requires someone with a fair amount of security knowledge. To this end, Check Point provides extensive training classes and certifications to help with the processes. Although this firewall/VPN appliance is not the most efficient or the most cost-effective solution available, its extensive logging capability and management GUI make it deserving of a Very Good rating.
Installing and configuring the Check Point VPN-1 Appliance was a little more difficult than configuring the Netscreen product. Many of the problems we had concerned licensing issues, namely getting the appropriate licenses installed on the appliance so it would function properly. Configuring basic outbound connectivity and remote access VPNs also took a little longer. But once we became familiar with the Check Point Management GUI, things ran more smoothly.
Check Point products are not always the cheapest solutions available. Often they are the most expensive because Check Point bases its licenses on the number of IP addresses protected by the firewall. The company's VPN-1 Appliances are no exception. Furthermore, features such as VPN acceleration and QoS (quality of service) are available as separate modules for additional cost. Most firewall/VPN appliances include these features.
One advantage of going with Check Point, however, is its OPSEC (Open Platform for Security) partner program, a one-stop shop for integrated security solutions, including intrusion detection, content security, user authentication and authorization, high availability, and event reporting.
Another plus about Check Point is the option to purchase SecureClient, a personal firewall that can be used to protect internal and remote access systems and be controlled from the Check Point management console. This greatly helps administrators by providing one central management point for all firewall policies, both enterprise and remote access policies.
Mandy Andress (mandy@arcsec.com) is chief security officer at Evant (www.evant.net) and president of ArcSec Technologies (www.arcsec.com).
THE BOTTOM LINE: VERY GOOD
VPN-1 Appliance 440
Business Case: Although you pay a premium for Check Point products, you get first-rate security. This enterprise-class firewall/VPN appliance lowers administrative costs by providing a central management point for all firewall policies.
Technology Case: In conjunction with other Check Point products, this VPN-1 Appliance can help provide a highly integrated, enterprise-wide security solution, allowing security administrators to avoid becoming experts in solutions from multiple vendors.
Pros:
+ First-rate GUI for centralized management
+ OPSEC partner program
+ Flexible configuration
+ Informative logging
Cons:
- Licensing based on number of IP addresses
- Unusually complex configuration
Cost: Prices range from $US4,945 to $US16,995 for the base model
Platform(s): Windows 9x, Windows NT
Check Point Software Technologies, Redwood City, Calif.; (650) 628-2000; www.checkpoint.com.