Check Point VPN-1 UTM Gateway

Check Point and its hardware partners -- Crossbeam, IBM and Nokia-- each submitted different hardware platforms for this test running a common application: Check Point’s VPN-1 software. Likewise, we used Check Point’s Smart Center management system, running on a dedicated server, to manage and monitor all four sets of gateways.

Editor’s note: This is a summary of our testing of this product, for a full rundown of how it fared in our testing across ten UTM categories, please see our full coverage.

Check Point and its hardware partners -- Crossbeam, IBM, and Nokia-- each submitted different hardware platforms for this test running a common application: Check Point’s VPN-1 software. Likewise, we used Check Point’s Smart Center management system, running on a dedicated server, to manage and monitor all four sets of gateways.

Since the late 1990s, Check Point has been a leader in the firewall market, largely because of its superior management application. Early out of the gate with the right security model and the right approach, Check Point has dominated the enterprise firewall space and done well for its customers by continuing to build VPN and deep inspection features into their products.

VPN features continue to be a tremendous strength for Check Point as well. Its remote access VPN capabilities are the most sophisticated of any of the firewalls UTM products we tested, and site-to-site VPNs are also easily managed and monitored. In fact, it’s our opinion that Check Point has almost no competition when it comes to the creation and control of very large and very complex site-to-site VPNs.

We looked the current version of VPN-1 software in two basic configurations: one integrated with Nokia’s IPSO operating system, and the other running on Check Point’s own Linux-derived Secure Platform operating system. VPN-1 is the same firewall in both cases, though Nokia’s Voyager management system for such features as high availability, dynamic routing and appliance management is more sophisticated and flexible than CheckPoint’s equivalent Web-based GUI.

In our testing, we found that Check Point has lost some of the innovation and creativity obvious in its earlier versions VPN-1 firewall. While the features we examined, antivirus and intrusion prevention, are fully present in the VPN-1 firewall, we didn’t find them aimed at enterprise network manager in either their configurability or controls. 

For example, the IPS policy is applied on a per-firewall basis, rather than a per-rule one as within a firewall. The result is very little granularity. This might have been appropriate in early versions of Check Point’s SmartDefense IPS, but it isn’t going to fly at this level. Similarly, antivirus parameters are applied not per firewall, but uniformly across all firewalls that have the feature enabled — there is no easy way to have more granular controls.

Check Point has also not integrated the concept of zones — a common feature in many of the other UTM firewalls we tested — into the VPN-1 firewall. Therefore, creating a policy and/or managing a firewall that has many zones of control becomes difficult. Whether the company intends it or not, Check Point management capabilities and feature set really drive the security architect to implementing a lot of smaller UTM firewalls rather than one large one. Check Point’s VPN-1 remains a leader in the firewall space, but by a thinner margin than ever before.

Learn more about this topic

Buyer's Guide: Unified threat management

Check Point introduces next top security certification

06/04/07

Check Point releases multifunction security box for SMBs

06/27/06

Insider Tip: 12 easy ways to tune your Wi-Fi network
Join the discussion
Be the first to comment on this article. Our Commenting Policies