Check Point Software Technologies Ltd. this week announced it will introduce two products by mid-2004 that will address Web security and internal network security for businesses. Called Web Security and Internal Security, these two product families can be deployed independently or integrated with current Check Point products such as VPN-1/Firewall-1. In an interview with Tim Greene, Check Point's Chairman and CEO Gil Shwed gave some flavor of what the new products would include.
Q: What is Check Point up to?
We're in the process of launching a new strategy that's based on three technological areas: perimeter security, internal security and Web security.
On the perimeter security side, I think we have been known for many years. I think what we see more and more interesting is companies that need to protect their network internally. We've seen all the recent worms that attacked once and got to one computer, but somebody downloading something spread it around the company so we see a lot of need to provide multiple levels of security inside the company, internal gateways all the way down to the desktop to provide that kind of internal security. I think the solution that we have is some good technology - which can be a good basis but it does require some new innovation.
On the Web security front we see an increasing need for using the Web and an increasing need to provide a more consistent, more uniform and more global type of access to Web resources. Today there's a lot of discussion of SSL VPNs, which are in some cases good point products, but they need to be something much bigger than that in the way you can manage access to Web resources.
Q: You say SSL remote access is a point product. What ought it evolve into so it's not a point product?
Getting all the kinds of access and all the kinds of security for Web access and remote access combined. For example, SSL VPNs can provide a reasonable solution so you can access information. If you access information and it's not very classified - let's say a past article or things that you share with other people - good. But if you try to access very confidential data - now you want to download the presentation or download the document - if you don't have control over the endpoint you might find that you are leaving files behind and creating a very big security hole.
So today there would be two different solutions, as opposed to say some kind of access you can do from anywhere, and some kind of access where you need a secured endpoint device. There are some places where SSL and Web is adequate for access, and some places where you should do IPSec remote access.
One of the things we are seeing especially in this area of Web access is that you need a unified approach to get the right level of eligibility and security.
Q: A lot of the SSL point product vendors are quite concerned about securing the endpoint and are devoting a lot of time and products to that. Doesn't that answer the problem you just raised?
They're addressing some of the issues, but the leading solutions today don't address the endpoint. For example we have the Secure Remote secure client solution. They are deployed by millions of users and they can be a good starting point. We don't want the company now to have three solutions for the endpoint - one for the SSL VPN which may be clientless or 'client-ful' or whatever, and another one for the IPSec that creates a little bit of a mess. And by the way this mess is not just expensive and hard to manage, it's also not so good for security because it forces people in companies to make compromises on security.
Q: They could restrict access. They could say if you have a certain kind of access you can't get to the sensitive documents. I don't see where it necessarily means that it compromises security.
No, it doesn't mean it compromises. Just that the user says I can't have three systems. If I want to access confidential information I use system A. If I want to access more confidential, use system B. And that's where companies are being forced to make compromises. System administrators say they can't manage five systems.
Q: So what should the picture look like?
The picture should look like you have a unified system in which you can define what data can be asked about, by whom and from where. So you define what data can be accessed by any SSL client and what proper authentication you will require. That's one level of access.
You find more levels of access. This data can be only accessed through other systems. To access this data you must have endpoint security, and so on.
And then you can have a unified management and unified security to address all of that. Then you might get an error message saying, 'No, you can't access this data because you aren't running on the company laptop,' for example.
Q: So how will this look when it is played out with Check Point equipment? It sounds like you already have some of what you describe.
We have some of it. We have a lot of the technology. We've had SSL termination in our products for a while. We know how to manage authentication and authorization. We've got a lot of these components. There are obviously some components we don't have, and one of the things we are working on is coming up with new products that will come in the next six months that will provide this universal access and universal security.
Q: Will it incorporate using non-corporate endpoints?
Yes. It will have all the functionality that SSL VPNs have. I think that is a valuable type of access and many people want to do that, but this is much bigger.
Q: Will you be expanding the capabilities of your current SSL termination?
Yes. We might come out with a new product.
Q: What will be new?
In the Web I think what we'll be doing will be fairly unique. On the one hand it will compete and it will replace SSL VPN solutions. On the other hand there are few Web security companies that will do what we are doing. There are a few Web security companies that will remain complementary to what we are doing. But I think the overall combination is going to be a unique combination.
Q: You say it will do away with the need for SSL remote access technology?
I'm saying it will do pretty much everything that an SSL VPN solution does and more.
Q: What's the difference between what the SSL people do and what you propose doing?
The SSL people do only SSL, for example. Most of them don't address the endpoint security. They don't have multiple types of access and enough levels of access to the system. And they also don't tie back to the management infrastructure of the network security. All of these solutions today are point solutions.
Q: What impact do you think your answer to SSL remote access needs will have on SSL remote-access vendors? Are you going to upset their market?
Yeah. It's a new market. I think one of the things that everybody challenges in that market is they say, is there enough technology there? Or is it a commodity that they are doing? And my answer, to be honest, is not that it's a commodity. My answer is that some of the things of SSL VPNs are a commodity, but some of the things they do are technologies that are hard to get. By the way, some of those technologies have little to do with security. They have more to do with Web portal technology and Web proxying technology, which are less security technologies. We will incorporate both but we will also enhance it with security technologies that I think are very important.
Q: When we first see this will it be just separate products?
Initially we are going to come up with separate products which specifically address the needs of Web security and internal security between the products. It's a very focused approach.
Q: What more can you do with the Web?
There is more to do on the Web, which is enforcing the proper use of the Web, saying you can't host a fax server, a music server on your desktop inside the company. Or you can use instant messaging for certain service but not to another service. A company needs to be able to understand that the Web is used the way they want it to be used.
Q: You've already started to address the internal security to some degree. What more needs to be done there?
One of the challenges with internal networks is the networks already exist. They run hundreds of applications, usually more applications than are being run on the perimeter gateway. The challenge is not to say, 'OK, now we are going to redesign that network or reprogram everything we have.' The challenge is that now you need to say, 'I want to just snap something into the network, have the network continue to operate.' But we still want to block all the attacks. We still want to segment the network - this segment is clients only, or this segment is very classified, so why would someone try to go to it? A lot of it would be a very, very simplified way to manage that in a way that doesn't require complicated rule bases and doesn't offer the same thing that a traditional firewall does.
Q: How will you deal with application attacks?
With application intelligence. We do have a lot of technology there, like understanding the full stream of traffic and not just looking at packets and a lot of other things that are very, very relevant to the analysis of an application.
Q: Such as?
First is understanding the application itself. We talked about the Web. So a lot of technology focuses on Web applications. A lot of enhancement to make it transparent, operating at very fast speeds, resilient to a lot of different tweaks in the protocol.
Q: Do you see anyone else that has launched into these areas?
Yes, there are some companies. Yes and no. There are other companies trying to address this area with intrusion prevention solutions, but I think they take a slightly different approach. Most of them by the way are more focused on the perimeter, putting another device behind the firewall. That's why I think what we will do is a new kind of solution. Very few of them are brave enough to run in-line to actually segment the network and just sit around and watch what's going on. We take that challenge on ourselves and say we will be in-line, we will pass the traffic and we will stop the traffic if we need to. We are trying to compete with some products, but we believe it's a newer approach to the problem.
Q: When you say you'll be in-line, does that mean you'll need multiple devices of the same kind in front of key segments of the network?
You can have multiple devices of the same kind, and you can have, say, one device in front of four or five segments.
Q: That you would say is unique. It's along the lines of what the intrusion protection and prevention people are trying to do.
Well, protection (people) don't know how to do it. Some intrusion prevention (people) are trying to do that, and again their focus is much more on the perimeter and on the signature identification. I'm saying we will run into some of those, but I still think what we have is a different approach.
Q: On that internal security, will it involve no reconfiguring of my network?
That's the objective.
Q: I just add it there with its policies...
Bridging, switching in a bridged, switched mode that should be transparent to the network infrastructure.
Q: So will this new product reduce the need for internal firewall segments?
It will replace some of them. I think it's a fairly new market. We're going for the ones that don't use Firewall-1 for internal security. I've seen a lot of demand even with the customers that use Firewall-1 in a huge way - it has 100 firewalls and many of them are used internally. They just say this is a great approach and we will use one on every floor on every network segment and just make sure that these network attacks are blocked at the source and every attempt to play with the network is being segmented and blocked right away.
Q: If I'm a potential customer do I have to have a particular size before I'd be interested?
Any company that has a network of any size should be interested. Right now we're not targeted to the small business; we're not targeted to the company with 20 users for the most part but we are targeted to any enterprise.
Q: When these two new products come, will there be corresponding new tools for management?
Yes. These tools will be sold independently. There is no precondition that you change the management or upgrade the management or even use the same management. It's the same architecture, they will connect to one another, and we will use the same architecture, so there will be a lot of benefits to doing that.
Q: Is there nobody who approaches what you are about to do?
I think these solutions will be unique in their category. We are trying, by the way, to address the broadest and the widest categories because addressing a category that's a very small niche category unfortunately is not enough for our customers or for what we are trying to do.