L.
Taylor - July 25, 2000
Vendor
Genesis
Israeli based Check Point Software Technologies, Ltd., headquartered
on the outskirts of Tel Aviv, was founded in 1993. On June 28, 1996, Check
Point launched its IPO on NASDAQ under ticker symbol CHKPF. On March 3,
1999, they changed their ticker symbol to CHKP.
Check
Point's founder, Chairman, President, and CEO, Gil Shwed developed his
security skills while working in the intelligence unit of the Israeli
Army. With fellow founders, Marius Nacht, and Shlomo Kramer, he was able
to launch the first release of FireWall-1 in 1994. The wholly owned U.S.
subsidiary, Check Point Software Technologies, Inc., was formed in 1995
to lead the company's marketing initiatives. Today the United States represents
60% of the company's market.
Vendor
Strategy and Trajectory
Check Point is positioning itself to be the worldwide leader in securing
the Internet. In line with that, Check Point has done a nice job of securing
itself as market leader in firewall products. Though a firewall alone
cannot guarantee that your website or network will not be broken into,
if configured correctly it can certainly reduce the risk by a large margin.
Check Point's FireWall-1 product is undoubtedly their most popular and
sought after product. FireWall-1 is a carrier class product, and is used
as the basis of a Managed Firewall Service at numerous ISPs, ASP, Telcos,
and MSPs.
Figure 1. Check Point soars over leading market indicators.
Check
Point has done a nice job of building a wide distribution channel that
includes France Telecom, Sprint, and Nokia.
ANALYSIS
Vendor Strengths
Technology
Leadership: Check Point invented, patented, and coined the terminology
Stateful [Packet] Inspection. Though Proxy firewall architectures were
around long before Stateful Inspection, by the late 90s, the firewall
market was seeing more demand for Stateful Inspection firewalls than Proxy
firewalls. In part the demand for Stateful Inspection firewalls increased
as a result of Check Point's successful marketing initiatives to discredit
Proxy firewalls.
Among
security professionals, the security of Proxy firewalls vs. Stateful Inspection
firewalls has been a long-standing religious war. IT decision makers are
more likely to get recommendations to go with either one of these architectures
most likely based on which product an integrator or VAR is more familiar
with. Both architectures are sound and secure if implemented correctly.
To
Check Point's advantage, the development cycle for Stateful Inspection
firewalls is typically shorter than the development cycle for Proxy firewalls,
and initially, some Proxy firewalls could not deliver the same performance
throughput as Stateful Inspection firewalls.
Reseller
Partnerships: Last October 19th, Check Point and Nokia announced an
expanded partnership where they will promote the Nokia IP330, IP440 and
IP650 firewall/VPN appliances. If you purchase these appliances through
Check Point, they are known as the VPN-1 Appliance 330, 440, and 650.
This suite of security appliances marks the first time a firewall or VPN
product has debuted with built-in high-availability and load sharing.
Figure 2. The Nokia IP650 uses Check Point Firewall-1 technology.
Nokia IP650
Breadth
of Coverage: From its initial firewall product, Check Point has expanded
their product offering to Intranet and Extranet VPNs as well as Secure
Remote Access VPNs. Secure Remote Access VPNs
are a way for remote and mobile users to connect to their corporate network
through a secure encrypted channel.
Open
Platform Focus: Check Point has created an Open Platform for Security
(OPSEC) guideline for other information security products that is a security
certification, as well as a way for Check Point to make sure that other
security products interoperate with theirs. Today Check Point has over
200 OPSEC partners. OPSEC partners use published OPSEC APIs, which allows
partners to embed Check Point technology into other network devices such
as routers and switches. OPSEC also enables customers to choose from best-of-breed
content security solutions (i.e., URL filtering, virus-scanning, intrusion
detection systems) that are tightly integrated with Check Point solutions.
Network
Management Capabilities: The Check Point solution to firewalls, now
includes a carrier-class network management console known as Provider-1.
Using Provider-1, large organizations, including managed service providers,
can manage hundreds of security policies from a single point. For companies
that employ the use of hundreds of firewalls, and some do, this advantage
lowers the cost of ownership by alleviating the problem of putting a security
engineer physically in every location where a firewall lives. Typically,
after a firewall is installed and implemented, the most common change
of configuration that it will need is a change in its firewall rule set,
or information security policy.
Management
Architecture: Check Point's conventional management architecture allows
customers to manage multiple firewalls that are in different physical
locations, from one central location. The difference with Provider-1 is
that one can manage multiple customer implementations, each of which represent
many, many firewalls/VPN gateways from one location. Each customer or
office location has a unique security policy that is administered across
multiple enforcement points. One network administrator is then able to
manage multiple customers' security policies. This is a product that is
in line with what managed VPN service providers need as well as enterprises
with large branch offices requiring multiple firewalls/VPN gateways and
different security policies for each region.
Vendor
Challenges
AXENT's Raptor firewall, is as secure as Check Point's, and has more to
offer in the way of Proxy capabilities. As well, the Raptor firewall is
easier and faster to implement. A common complaint among expert security
professionals is that Check Point's documentation is hard to follow, and
is not as straightforward as it could be. Further, engaging Check Point's
customer support for product implementations is difficult and expensive.
Another
advantage that AXENT has over Check Point is that Raptor interoperates
with HP OpenView, a widely used network management station. This means
that in Network Operation Centers (NOCs) at service provider locations,
if they are using HP-OpenView for an NMS, do not have to run a separate
network management station just for the firewall(s).
BOTTOM
LINE
Vendor Predictions
Check
Point's security products are in high demand in a rapidly increasing market.
Their firewall product is the market leader, and will continue to be for
the foreseeable future. Warburg Dillon Read forecasts that Check Point
Software will earn $2.10 per share for 1999 and $2.76 per share for 2000.
On June 30, Check Point announced a two for one stock split that will
take affect on July 14. TEC anticipates that Check Point will continue
to develop cutting-edge security products and lead the firewall market
into 2001.
Figure
3. Check Point Earnings Per Share Summary and Forecast[2]
[1]
Earnings Per Share (EPS) is equivalent to profit per share for each outstanding
share of common stock. [2] Source: NASDAQ Stock Market, Inc.
Figure
4. Check Point's Net Income from 1995 to 1999 Shows an Impressive
Trend.
Vendor
Recommendations
In order to gain more market share, Check Point needs to stop discrediting
Proxy solutions and embrace them. The firewall market of the future is
the hybrid market, which consists of an architecture that includes stateful
packet inspection as well as proxy capabilities. Because certain protocols
such as the Simple Object Access Protocol
(SOAP) can be passed through firewalls, there are some security problems
that only Proxies can solve. SOAP is being widely supported by IBM and
Microsoft, and likely its utilization will increase in the future.
Another
area of concern is the installation and licensing procedures for Check
Point security products. Polly Siegal, Director of Engineering at Rainfinity,
Inc. a Check Point VAR says, "The installation, licensing and configuration
is overly complex, requiring more expertise than should be necessary."
User
Recommendations
Because Check Point's customer support process is complex, using a VAR
for support that has Check Point Certified Systems Engineers (CCSEs) on
staff is recommended instead of going through Check Point directly. The
installation and licensing is complex enough that it is well worth hiring
a FireWall-1 knowledgeable consultant rather than having your IT team
sweat out a gnarly installation process.
With
security engineers hard to find, and a competitive job market, it's important
to make sure that the CCSEs that a VAR had on staff last month, are still
there this month. Ask your Check Point VAR how many CCSE's they have on
staff before signing an installation and integration contract.
If
high-availability is important to your site, you can't go wrong by purchasing
a Nokia/Check Point FireWall-1 firewall appliance - it is without question,
the leading firewall appliance on the market today.