Software blades can add identity-aware application controls to Check Point firewalls.
As business applications migrate to Web 2.0, IP/port-based control is becoming far less effective. Next-generation firewalls (NGFWs) up the ante by identifying and inspecting application content, independent of port, to detect application-specific attacks and enforce more granular rules.
In this EnterpriseNetworkingPlanet buyer's guide, we examine the NGFW capabilities available to Check Point Software's firewall customers. As a firewall market leader, Check Point doesn't view NGFW a new kind of firewall, but rather as new modular services – software blades – that can be added to existing firewalls like the Power-1.
"When we introduced our blade architecture in 2009, we took every security appliance and recreated it as software blade," explained Juliette Sultan, Head of Global Marketing. "Customers now choose what they want to run on a Check Point firewall, like IPS or Application Control, by adding blades. Just go to your management console and click on a blade to activate it, leveraging topology and policies already in the system."
Blades as building blocks
Check Point's NGFW blades build upon this architecture. "Every blade works on every Check Point appliance, from our [entry level] UTM-1 to our largest Power-1. Blades can also run on open servers from IBM, Fujitsu, Dell, Crossbeam, etc," said Sultan.
Endpoint Security blades secure individual hosts, such as disk and media encryption or anti-malware scanning. Security Management blades support administrative tasks, such as policy management, logging, provisioning, and reporting. Security Gateway blades perform traditional network security services (e.g., firewall, VPN, IPS) and NGFW services (i.e., Application Control, Identity Awareness).
Check Point sells blades in bundles. For example, the SG103 is a small/branch office Security Gateway that can run firewall, VPN, IPS, Application Control, and Identity Awareness on a single-core platform for up to 50 users. The SG205i can run those blades on a dual-core platform for up to 500 users. The SG1207 adds Advanced Networking, Acceleration, and Clustering blades, ramping up to 8 cores for data center deployment.
Powering up performance
Firewall, VPN, IPS, Application Control, and Identity Awareness are the security software blades included with Check Point's flagship Power-1 11000 series security appliances. These field-upgradeable appliances let customers expand capacity and connectivity over time, without hardware replacement.
"The last digit of each [Power-1] model is the number of blades that you're using; the digit before represents performance," explained Sultan. For example, the Power-1 11065 can run 5 blades, while the 11067 runs 7 blades, firewalling up to 15 Gbps. The 11075 and 11077 support up to 20 Gbps, while the 11085 and 11087 top out at 30 Gbps.
"You can add Acceleration, Advanced Networking, or additional security blades. With R75, one appliance can have up to 11 blades," said Sultan. 11000 series firewalls can also be upgraded by adding network cards. For example, the 11065 ships with 16 10/100/1000 Ethernet ports, but the 11075 and 11085 need GbE fiber ports for higher throughputs.
According to Sultan, "Back in 2009, customers were skeptical about putting IPS on the same platform as firewall due to performance and potential slowdown. But [in NSS Labs tests] we've proven we can get 15 Gbps of IPS throughput," she said.
Digging into apps
Check Point has added new blades over time; Application Control was introduced in R75. "This blade enables customers to look at how users are using Web 2.0 and block or limit usage with Application Control widgets," explained Sultan.
Rules are based on Check Point's Application Control database, acquired from FaceTime (now Actiance). That database currently recognizes more than 4,500 Web 2.0 applications and 100,000 widgets. For example, Facebook is an application; Bejeweled is a Facebook widget. A complete list can be searched on-line at Check Point's AppWiki. Check Point assigns each entry a risk level to help admins focus on high-risk apps and widgets.
Many NGFW installations use Application Control in conjunction with Identity Awareness. "This blade changes how the firewall works from looking at traffic coming from IP addresses to looking at traffic coming from users and going to particular websites," said Sultan.
"Before you'd have policies for port 80 traffic; [with Identity Awareness] you can have policies for Julia. Now you can say I'll give FaceBook access to Julia only, or to my entire organization, but only outside of working hours. You can see users and groups connecting to applications, and whether those connections are exceptions to policy."
Helping organizations refine policy
Check Point believes the latter is critical to NGFW deployment. "In today's world, especially with attacks that start with social engineering, the people component is critical. We include people in the security process by providing alerts to users. If a user wants to access an application, policy may allow access but caution the user about corporate policy, requiring the user to indicate business or personal use," explained Sultan.
Sultan said that involving users can provide valuable feedback to firewall administrators, helping organizations determine what policies should be. "Many companies find they are blocking legitimate usage. These alerts help users be educated about policy, and helps the IT department learn what users really need to access for business purposes," she said.
Check Point introduced two more blades in R75: Data Loss Prevention and Mobile Access (smartphone SSL VPN). "For DLP, we involve users in defining whether the sensitive data they're trying to share via email or file transfer should really be shared," said Sultan. "Before, if security policy blocked you from accessing a site, you often got an obscure message to contact IT. We're moving away from this by letting customers give very clear explanations [to users] and make exceptions."
Power-1 customers might not start with DLP, Check Point's architecture makes it easy to add optional blades like this over time. "With blades, we provide a model for customers to buy licenses to activate software. If you want to add blades not in the original package, you can do so for as little as $1500 – with no CAPEX, no new management console, and no additional complexity in your data center," said Sultan.
Check Point's blade architecture gives existing and future firewall customers more flexibility. "This has been very well received because customers don't always know what they'll need in a year and don't want to be locked into a solution. Well over one third of our customer base has already migrated to this architecture," said Sultan.
But the architecture decouples software modules, exposing seams between Firewall, Application Control, Identity Awareness blades (albeit managed through the same console). Check Point's array of platforms, Power-1 models, software releases, and options can also be hard to navigate. On the flip side, features like the AppWiki and UserCheck prompting can ease NGFW policy development and adoption.
To learn more about Check Point Software's Power-1 series of enterprise firewalls, capable of running Application Control and Identity Awareness blades, visit this link.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. With over 25 years in the network industry, Lisa has reviewed, deployed, and tested network security products for nearly a decade.