Check Point Leads Firewall Market

Check Point Leads Firewall Market
L. Taylor - July 25, 2000

Vendor Genesis

Israeli based Check Point Software Technologies, Ltd., headquartered on the outskirts of Tel Aviv, was founded in 1993. On June 28, 1996, Check Point launched its IPO on NASDAQ under ticker symbol CHKPF. On March 3, 1999, they changed their ticker symbol to CHKP.

Check Point's founder, Chairman, President, and CEO, Gil Shwed developed his security skills while working in the intelligence unit of the Israeli Army. With fellow founders, Marius Nacht, and Shlomo Kramer, he was able to launch the first release of FireWall-1 in 1994. The wholly owned U.S. subsidiary, Check Point Software Technologies, Inc., was formed in 1995 to lead the company's marketing initiatives. Today the United States represents 60% of the company's market.

Vendor Strategy and Trajectory

Check Point is positioning itself to be the worldwide leader in securing the Internet. In line with that, Check Point has done a nice job of securing itself as market leader in firewall products. Though a firewall alone cannot guarantee that your website or network will not be broken into, if configured correctly it can certainly reduce the risk by a large margin. Check Point's FireWall-1 product is undoubtedly their most popular and sought after product. FireWall-1 is a carrier class product, and is used as the basis of a Managed Firewall Service at numerous ISPs, ASP, Telcos, and MSPs.

Figure 1. Check Point soars over leading market indicators.

Check Point has done a nice job of building a wide distribution channel that includes France Telecom, Sprint, and Nokia.


Vendor Strengths

Technology Leadership: Check Point invented, patented, and coined the terminology Stateful [Packet] Inspection. Though Proxy firewall architectures were around long before Stateful Inspection, by the late 90s, the firewall market was seeing more demand for Stateful Inspection firewalls than Proxy firewalls. In part the demand for Stateful Inspection firewalls increased as a result of Check Point's successful marketing initiatives to discredit Proxy firewalls.

Among security professionals, the security of Proxy firewalls vs. Stateful Inspection firewalls has been a long-standing religious war. IT decision makers are more likely to get recommendations to go with either one of these architectures most likely based on which product an integrator or VAR is more familiar with. Both architectures are sound and secure if implemented correctly.

To Check Point's advantage, the development cycle for Stateful Inspection firewalls is typically shorter than the development cycle for Proxy firewalls, and initially, some Proxy firewalls could not deliver the same performance throughput as Stateful Inspection firewalls.

Reseller Partnerships: Last October 19th, Check Point and Nokia announced an expanded partnership where they will promote the Nokia IP330, IP440 and IP650 firewall/VPN appliances. If you purchase these appliances through Check Point, they are known as the VPN-1 Appliance 330, 440, and 650. This suite of security appliances marks the first time a firewall or VPN product has debuted with built-in high-availability and load sharing.

Figure 2. The Nokia IP650 uses Check Point Firewall-1 technology.

Nokia IP650

Breadth of Coverage: From its initial firewall product, Check Point has expanded their product offering to Intranet and Extranet VPNs as well as Secure Remote Access VPNs. Secure Remote Access VPNs are a way for remote and mobile users to connect to their corporate network through a secure encrypted channel.

Open Platform Focus: Check Point has created an Open Platform for Security (OPSEC) guideline for other information security products that is a security certification, as well as a way for Check Point to make sure that other security products interoperate with theirs. Today Check Point has over 200 OPSEC partners. OPSEC partners use published OPSEC APIs, which allows partners to embed Check Point technology into other network devices such as routers and switches. OPSEC also enables customers to choose from best-of-breed content security solutions (i.e., URL filtering, virus-scanning, intrusion detection systems) that are tightly integrated with Check Point solutions.

Network Management Capabilities: The Check Point solution to firewalls, now includes a carrier-class network management console known as Provider-1. Using Provider-1, large organizations, including managed service providers, can manage hundreds of security policies from a single point. For companies that employ the use of hundreds of firewalls, and some do, this advantage lowers the cost of ownership by alleviating the problem of putting a security engineer physically in every location where a firewall lives. Typically, after a firewall is installed and implemented, the most common change of configuration that it will need is a change in its firewall rule set, or information security policy.

Management Architecture: Check Point's conventional management architecture allows customers to manage multiple firewalls that are in different physical locations, from one central location. The difference with Provider-1 is that one can manage multiple customer implementations, each of which represent many, many firewalls/VPN gateways from one location. Each customer or office location has a unique security policy that is administered across multiple enforcement points. One network administrator is then able to manage multiple customers' security policies. This is a product that is in line with what managed VPN service providers need as well as enterprises with large branch offices requiring multiple firewalls/VPN gateways and different security policies for each region.

Vendor Challenges

AXENT's Raptor firewall, is as secure as Check Point's, and has more to offer in the way of Proxy capabilities. As well, the Raptor firewall is easier and faster to implement. A common complaint among expert security professionals is that Check Point's documentation is hard to follow, and is not as straightforward as it could be. Further, engaging Check Point's customer support for product implementations is difficult and expensive.

Another advantage that AXENT has over Check Point is that Raptor interoperates with HP OpenView, a widely used network management station. This means that in Network Operation Centers (NOCs) at service provider locations, if they are using HP-OpenView for an NMS, do not have to run a separate network management station just for the firewall(s).


Vendor Predictions

Check Point's security products are in high demand in a rapidly increasing market. Their firewall product is the market leader, and will continue to be for the foreseeable future. Warburg Dillon Read forecasts that Check Point Software will earn $2.10 per share for 1999 and $2.76 per share for 2000. On June 30, Check Point announced a two for one stock split that will take affect on July 14. TEC anticipates that Check Point will continue to develop cutting-edge security products and lead the firewall market into 2001.

Figure 3. Check Point Earnings Per Share Summary and Forecast[2]

[1] Earnings Per Share (EPS) is equivalent to profit per share for each outstanding share of common stock. [2] Source: NASDAQ Stock Market, Inc.

Figure 4. Check Point's Net Income from 1995 to 1999 Shows an Impressive Trend.

Vendor Recommendations

In order to gain more market share, Check Point needs to stop discrediting Proxy solutions and embrace them. The firewall market of the future is the hybrid market, which consists of an architecture that includes stateful packet inspection as well as proxy capabilities. Because certain protocols such as the Simple Object Access Protocol (SOAP) can be passed through firewalls, there are some security problems that only Proxies can solve. SOAP is being widely supported by IBM and Microsoft, and likely its utilization will increase in the future.

Another area of concern is the installation and licensing procedures for Check Point security products. Polly Siegal, Director of Engineering at Rainfinity, Inc. a Check Point VAR says, "The installation, licensing and configuration is overly complex, requiring more expertise than should be necessary."

User Recommendations

Because Check Point's customer support process is complex, using a VAR for support that has Check Point Certified Systems Engineers (CCSEs) on staff is recommended instead of going through Check Point directly. The installation and licensing is complex enough that it is well worth hiring a FireWall-1 knowledgeable consultant rather than having your IT team sweat out a gnarly installation process.

With security engineers hard to find, and a competitive job market, it's important to make sure that the CCSEs that a VAR had on staff last month, are still there this month. Ask your Check Point VAR how many CCSE's they have on staff before signing an installation and integration contract.

If high-availability is important to your site, you can't go wrong by purchasing a Nokia/Check Point FireWall-1 firewall appliance - it is without question, the leading firewall appliance on the market today.

comments powered by Disqus