Check Point FireWall-1/VPN-1
Distributed security
Check Point divides the implementation of its network security policy into three components: a graphical interface for administration; a management server that stores security policies and logs; and an enforcement point--a network gateway that actually implements that policy, blocking or allowing traffic where appropriate. In smaller implementations, the management server resides on the same box as the enforcement point.
In general, most firewalls perform a similar combination of functions--storing, implementing, and logging violations of a security policy. Check Point's approach is unique in that it lets you define more than one enforcement point. For example, suppose you have several wide area network (WAN) connections: one to the Internet, two more to satellite offices, and another to a business partner's network. In a case like this, you may want as many as four enforcement points, one for each connection. To accomplish this with Check Point, you must still develop a single security policy on your management server. You can then install the applicable parts of that security policy for each of your enforcement points. This kind of scalability is why many large organizations with extremely complicated networks--GTE Internetworking, for instance--use Check Point for their security needs.
Stateful inspection
FireWall-1 blocks traffic by means of technology that Check Point calls stateful inspection. As traffic arrives at the firewall, Check Point examines it and compares it to the set of existing, and allowed, network conversations already underway. If a packet is part of an existing conversation, it can pass. If the traffic is unfamiliar but allowed, a new entry is created in the list of existing conversations, and the traffic can pass through the firewall. Otherwise, it is blocked.
With stateful inspection, you can specify rules more easily than you can with basic packet filters. Stateful inspection describes traffic according to who initiates the connection, and other traffic can be allowed or denied based on existing connections. Most popular firewall packages implement similar technology for tracking connections. Darren Reed's IP Filter package for various versions of BSD Unix and the new iptables software for Linux are examples of firewalls that use stateful packet filtering. Check Point claims that its stateful inspection technology is more sophisticated because it builds state--entries in the list of network conversations--by taking advantage of much more information from HTTP and other protocols higher in the network protocol stack.
Virtual private networking
Check Point offers the most effective integration of VPN and firewall functionality we've seen. Check Point's VPN-1 is merely an encryption add-on to FireWall-1; such tight integration makes VPN setup much easier by providing a common interface for both firewall and VPN administration. It also lets you apply security policies to traffic in the VPN--a task that's nearly impossible when using a separate VPN concentrator located inside a firewalled perimeter.
In addition to supporting network-to-network VPNs, Check Point supports client-to-network VPNs through its SecureClient and SecuRemote applications. These two add-on packages are Windows-based apps that let users connect their systems to the firewall network through an encrypted network tunnel to access services on the network. This terrific infrastructure facilitates affordable telecommuting. Secure Client offers the added advantage of protecting a workstation from attack so that remote users' computers cannot become platforms for attacking a company's network. The SecuRemote add-on is free; SecureClient costs $100 per seat, with discounts for larger numbers of licenses.
Installation
Once you understand Check Point's security model, installation is a fairly simple process. You run a text-mode script that installs some RPM packages and runs cpconfig, Check Point's text-based configuration program. During installation, you can choose to install a distributed configuration (with the enforcement point and the management server separated, as described above), or you can install everything on a single server. You can also specify how many nodes to protect. Then you identify the external interface and specify the security policy that should be in place while the firewall is booting, and which users at which client workstations should be allowed to administer the firewall. We were somewhat disappointed that Check Point's GUI does not run on Linux; currently it supports only Windows and commercial versions of Unix (AIX, HP-UX, and Solaris). However, this is more of an annoyance than a serious hindrance, since any network large enough to warrant a Check Point firewall is likely to employ Windows-based machines.
Licensing
Check Point is one of the only firewall vendors that licenses its software based on the number of protected devices (IP addresses for internal interfaces that are visible to the firewall). Protected devices can include print servers, virtual Web hosts, and routers (along with all of the machines on a company's network). And in case you're wondering, it is not legal to hide IP addresses behind a proxy server or network address translation (NAT) device to circumvent the licensing scheme. If you exceed the license maximum, all traffic is still subject to the rules that are in place. You cannot add new rules, however, and alerts are sent to the administrator on a regular basis.
Bottom line
In porting Check Point FireWall-1 and VPN-1 to the Linux platform, this market-leading security company lends significant credibility to Linux as a viable security platform. However, it's important to note that Check Point FireWall-1 and VPN-1 are not for the faint of heart; installing and configuring the products will involve some study and a fair bit of planning. But for organizations that believe they can benefit from a scalable management infrastructure and integrated VPN functionality, Check Point is unmatched on the Linux platform. Pricing for FireWall-1/VPN-1 depends upon the number of licenses purchased. A 25-user license for FireWall-1 (standalone with built-in management console) costs roughly $4,000, which includes software, support, and a year's worth of upgrades. VPN-1 costs about $500 more. The Check Point Command Center Enterprise Management Bundle lists at just less than $25,000.