Next-Generation Firewall Buying Guide: Check Point

Software blades can add identity-aware application controls to Check Point firewalls.

 By Lisa Phifer

As business applications migrate to Web 2.0, IP/port-based control is becoming far less effective. Next-generation firewalls (NGFWs) up the ante by identifying and inspecting application content, independent of port, to detect application-specific attacks and enforce more granular rules.


In this EnterpriseNetworkingPlanet buyer's guide, we examine the NGFW capabilities available to Check Point Software's firewall customers. As a firewall market leader, Check Point doesn't view NGFW as a new kind of firewall, but rather as new modular services – software blades – that can be added to existing firewalls like the Power-1.


"When we introduced our blade architecture in 2009, we took every security appliance and recreated it as a software blade," explained Juliette Sultan, Head of Global Marketing. "Customers now choose what they want to run on a Check Point firewall, like IPS or Application Control, by adding blades. Just go to your management console and click on a blade to activate it, leveraging topology and policies already in the system."


Blades as building blocks

Check Point's NGFW blades build upon this architecture. "Every blade works on every Check Point appliance, from our [entry level] UTM-1 to our largest Power-1. Blades can also run on open servers from IBM, Fujitsu, Dell, Crossbeam, etc.," said Sultan.


Endpoint Security blades secure individual hosts with functions such as disk and media encryption or anti-malware scanning. Security Management blades support administrative tasks, such as policy management, logging, provisioning, and reporting. Security Gateway blades perform traditional network security services (e.g., firewall, VPN, IPS) and NGFW services (i.e., Application Control, Identity Awareness).


Check Point sells blades in bundles. For example, the SG103 is a small/branch office Security Gateway that can run firewall, VPN, IPS, Application Control, and Identity Awareness on a single-core platform for up to 50 users. The SG205i can run those blades on a dual-core platform for up to 500 users. The SG1207 adds Advanced Networking, Acceleration, and Clustering blades, ramping up to 8 cores for data center deployment.


Powering up performance

Firewall, VPN, IPS, Application Control, and Identity Awareness are the security software blades included with Check Point's flagship Power-1 11000 series security appliances. These field-upgradeable appliances let customers expand capacity and connectivity over time, without hardware replacement.

This article was originally published on Aug 23, 2011