Next-Generation Firewall Buying Guide: Check Point - Page 2
Software blades can add identity-aware application controls to Check Point firewalls.
"The last digit of each [Power-1] model is the number of blades that you're using; the digit before represents performance," explained Sultan. For example, the Power-1 11065 can run 5 blades, while the 11067 runs 7 blades, firewalling up to 15 Gbps. The 11075 and 11077 support up to 20 Gbps, while the 11085 and 11087 top out at 30 Gbps.
"You can add Acceleration, Advanced Networking, or additional security blades. With R75, one appliance can have up to 11 blades," said Sultan. 11000 series firewalls can also be upgraded by adding network cards. For example, the 11065 ships with 16 10/100/1000 copper Ethernet ports, while the 11075 and 11085 rely on fiber GbE ports to reach their higher throughputs.
"Back in 2009, customers were skeptical about putting IPS on the same platform as firewall due to performance and potential slowdown. But [in NSS Labs tests] we've proven we can get 15 Gbps of IPS throughput," said Sultan.
Digging into apps
Check Point has added new blades over time; Application Control was introduced in R75. "This blade enables customers to look at how users are using Web 2.0 and block or limit usage with Application Control widgets," explained Sultan.
Rules are based on Check Point's Application Control database, acquired from FaceTime (now Actiance). That database currently recognizes more than 4,500 Web 2.0 applications and 100,000 widgets. For example, Facebook is an application; Bejeweled is a Facebook widget. A complete list can be searched online at Check Point's AppWiki. Check Point assigns each entry a risk level to help admins focus on high-risk apps and widgets.
Many NGFW installations use Application Control in conjunction with Identity Awareness. "This blade changes how the firewall works from looking at traffic coming from IP addresses to looking at traffic coming from users and going to particular websites," said Sultan.
"Before you'd have policies for port 80 traffic; [with Identity Awareness] you can have policies for Julia. Now you can say I'll give Facebook access to Julia only, or to my entire organization, but only outside of working hours. You can see users and groups connecting to applications, and whether those connections are exceptions to policy."
Helping organizations refine policy
Check Point believes that surfacing policy exceptions to the users who trigger them is critical to NGFW deployment. "In today's world, especially with attacks that start with social engineering, the people component is critical. We include people in the security process by providing alerts to users. If a user wants to access an application, policy may allow access but caution the user about corporate policy, requiring the user to indicate business or personal use," explained Sultan.
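To make the shift described above concrete, here is a small identity-aware rulebase evaluator, written for this page as an added illustration; it is not Check Point code and does not reproduce the Application Control or Identity Awareness implementation. It keys rules on users, groups, applications (and widgets nested under their parent application) and time-of-day windows rather than on IP addresses and ports, supports an "ask" action that only becomes "allow" once the user has attested business use, and falls through to an implicit cleanup block. The directory, application catalogue, risk levels and user names are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional, Set, Tuple

# Constructed identity directory (user -> groups); stands in for the AD/LDAP
# lookup an identity agent would perform. All names are made up.
DIRECTORY = {
    "julia": {"marketing", "all-staff"},
    "omar": {"engineering", "all-staff"},
}

# Constructed application catalogue with a risk level per entry (1 low .. 5 critical).
# A widget is written as parent/widget so that a rule on the parent also covers it.
APPS = {
    "facebook": 3,
    "facebook/bejeweled": 2,
    "webmail": 3,
    "anonymizer": 5,
}


@dataclass
class Rule:
    name: str
    app: str                                       # application, parent/widget, or "*" for any
    action: str                                    # "allow", "block" or "ask"
    users: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)  # no users and no groups: any identified user
    hours: Optional[Tuple[time, time]] = None      # (start, end) local window; may cross midnight


@dataclass
class Decision:
    action: str
    rule: str
    risk: Optional[int]   # catalogue risk level of the app, None if unclassified


def at(hour: int, minute: int = 0) -> datetime:
    """Constructed timestamp helper: a fixed weekday at the given local time."""
    return datetime(2024, 1, 15, hour, minute)


def in_window(window: Optional[Tuple[time, time]], when: datetime) -> bool:
    """True if the clock time of `when` lies inside (start, end); None means always."""
    if window is None:
        return True
    start, end = window
    t = when.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end          # e.g. 18:00-08:00 wraps past midnight


def matches(rule: Rule, user: str, app: str, when: datetime) -> bool:
    if rule.users or rule.groups:
        if user not in rule.users and not (DIRECTORY.get(user, set()) & rule.groups):
            return False
    if rule.app != "*" and app != rule.app and not app.startswith(rule.app + "/"):
        return False
    return in_window(rule.hours, when)


def decide(rules: List[Rule], user: str, app: str, when: datetime,
           ack_business_use: bool = False) -> Decision:
    """First matching rule wins, as in an ordered rulebase. Unidentified users and
    anything no rule covers are blocked by an implicit cleanup rule."""
    risk = APPS.get(app)
    if user not in DIRECTORY:
        return Decision("block", "unidentified-user", risk)
    for rule in rules:
        if not matches(rule, user, app, when):
            continue
        if rule.action == "ask":
            # "ask" lets the connection through only after the user attests business use
            return Decision("allow" if ack_business_use else "ask", rule.name, risk)
        return Decision(rule.action, rule.name, risk)
    return Decision("block", "cleanup", risk)


# Constructed rulebase mirroring the page's scenario: Julia always gets Facebook,
# everyone else only outside working hours, otherwise they are asked to attest use.
RULES = [
    Rule("julia-facebook", "facebook", "allow", users={"julia"}),
    Rule("staff-facebook-offhours", "facebook", "allow", groups={"all-staff"},
         hours=(time(18, 0), time(8, 0))),
    Rule("staff-facebook-workhours-ask", "facebook", "ask", groups={"all-staff"}),
    Rule("block-anonymizers", "anonymizer", "block"),
    Rule("staff-webmail", "webmail", "allow", groups={"all-staff"}),
]

if __name__ == "__main__":
    for user, app, when, ack in [("julia", "facebook/bejeweled", at(10), False),
                                 ("omar", "facebook", at(10), False),
                                 ("omar", "facebook", at(10), True),
                                 ("omar", "facebook", at(20), False),
                                 ("guest", "webmail", at(10), False)]:
        print(user, app, when.time(), decide(RULES, user, app, when, ack))
```

Rule order matters exactly as it does in a real rulebase: because the off-hours allow sits above the working-hours "ask" rule, the same user and application get different outcomes at 10:00 and at 20:00, and a widget request such as facebook/bejeweled is resolved by the rule on its parent application.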