Check Point Safe@Office 1000N: Enterprise grade security for branch offices

It's hard to miss a Check Point appliance, because they all have bright orange boxes and bright yellow front panels. The 1000N is no exception, and the small metal box with the gaudy paint job stands out. Check Point has a large number of security products, but the Safe@Office 1000N and the wireless enabled 1000NW are the only small business specific products.

Supersize your WAN

All the connections are on the back of the box, with status lights on the front. There are four 10/100/1000 Gigabit Ethernet ports, one dedicated WAN port, a combo WAN2/DMZ port, and a console RJ45 serial port. Accessories include a serial to RJ-45 cable for command line fans, an Ethernet patch cable, a documentation CD, an illustrated Getting Started Guide, and a sales pitch for optional advanced services features.

Check Point calls the 1000N a firewall more than a router, and they advertise gigabit throughput, plus 400 VPN tunnels that can run as fast as 200Mbps. You can also run two 1000N units linked together for high availability.

Since there are multiple optional software modules, setting the price for the 1000N can be difficult. Check Point says the price starts at $750, but street prices range from $850 to $1,250 depending on the number of users and the installed modules. The price tag may give smaller businesses pause, but IT departments buying for branch offices can justify the price based on the firewall throughput speeds and comprehensive security modules available.

Installation and configuration

Following the Getting Started Guide is easy. Connect WAN1, connect your network and configuration computer, and turn on the 1000N. The client will receive a DHCP address in the 192.168.10.x range, slightly different than most default addresses. You don't have to remember that, however, to connect to the admin utility, because you use http://my.firewall to access the router.

The setup wizard forces you to set a password with at least five characters, then the Internet wizard takes over. Perhaps "wizard" is a little overblown, since it basically asks for the type of broadband connection, then tries to connect. We linked up first time with no issues. Almost immediately we had Internet access through the 1000N.

Changing the LAN IP address range was also simple. Both the LAN IP address settings and DHCP range are on the Network > My Network page, found by clicking the Edit icon on the LAN section. Reboots all around, and the LAN address is changed

Adding in the second WAN link was also simple. Network > Internet page, then edit the secondary WAN link. A quick trip through the WAN choices, rebooted the cable modem, and the 1000N grabbed hold and connected.

Just below the Internet connection listing is the WAN Load Balancing controls. They use a very simple metaphor: an on/off switch. Slide the switch to 'On' and both lines share traffic. You have no control over what type of load balancing is used, but you can set the ratios between the two WAN connections.

We found that the control is hidden far too deeply. You have to click through Network > Internet > Edit Connection > Show Advanced Settings, then scroll to the bottom of the page to the Load Balancing Weight field. The default is a 50/50 traffic split between broadband lines.

Operation

The 1000N ships with 90-day trial versions of gateway antivirus updates, antispam, URL filtering, Dynamic DNS, and special logging and report utilities. When you open the admin screen, a sales pitch for service upgrades awaits. Past that, there's not a great screen that monitors the dual-WAN connection for traffic.

The best is Reports > Networks to bring up the Network Interface Monitor page. Clicking on the tree menu on the left on either Primary Internet or Secondary Internet displays the connection details, including packets sent and received. You can refresh the screen but not clear the statistics, making it harder to see if a ratio adjustment between WAN links makes a difference.

Even without much control (such as whether the balancing is based on packets or bytes), performance is right in line with the other units. When network traffic is light, the 1000N will maximize bandwidth well, but most of the time performance is about average for the group.

Though firewall details are beyond our purview for this review, the 1000N does a good job making them understandable. Going to Security > Firewall displays another sliding switch to set the security level to low, medium (the default), high, or block all.

The SmartDefense system, Check Point's Intrusion Detection System and Intrusion Prevention System, displays a tree list on the left with explanations and default settings explained in the right side of the window. Blocking ICQ traffic, for instance, is not a set of rules to build, but two choices from pull-down menus on one page.

Much like the SonicWall TZ200, the Check Point 1000N offers enterprise level security granularity in a presentation that won't scare off non-experts. But the SmartDefense controls combined with sliding settings give 1000N the edge for being easier to understand. Add in the fact the complexity is there for larger companies providing these to branch offices, and you have a security appliance that covers both ends of the IT experience spectrum.

From CSO: 7 security mistakes people make with their mobile device
Join the discussion
Be the first to comment on this article. Our Commenting Policies