Check Point CEO marks milestone

Check Point Software recently announced that 100,000 of its software VPN gateways have been sold and that an overhauled version of its VPN-1/Firewall-1 software, called NG for Next Generation, is shipping. CEO Gil Shwed last week spoke with Network World Senior Editor Tim Greene about the company, VPNs and the tight economy.

Your revenues have gone from $141 million in 1998, to $219 million in 1999, to $425 million in 2000, but Check Point issued an advisory recently that sales might not meet Wall Street expectations. What's going on there?

We said the environment is tough and we've been saying that for quite a few months. That will be felt in soft revenues, again, not bad revenues. [We'll have] amazing revenues with more than 50% growth over last year and so on, but still, compared to some expectations, a little bit on the low side.

This is an uncertain time for users as well. What is the compelling reason to go ahead with installing a firewall and VPN even if a company has a shrinking IT budget?

Security is a must-have, and you don't want to compromise over it. The other reason is cost cutting. So if you just say 'OK I want to move just my top users to a VPN-based remote access,' you can usually pay [for] a new firewall and VPN from Check Point within a month or two even without migrating the full environment. I'm not talking about making radical changes overnight, which is obviously always risky, but making small changes, like moving 100 users, then 500 users, from dial-up remote access to VPN access.

Service providers have reined back their spending. How are you faring with them?

The interest is there. The spending is there, too, but not at the level we have expected. They used to represent close to 20% of our business. I would tend to say it will shrink down closer to 10%.

Everybody talks about convergence of voice and data. Are the internal quality-of-service mechanisms in your VPN-1/Firewall-1 NG product sufficient to support voice?

The [internal mechanisms] are sufficient for that. With NG, the [internal mechanisms] can be translated to Diff-Serv instructions. So you can have your policy propagate through the ISP network if the ISP supports that.

Many people are looking to MPLS-based VPNs. Is that a threat to Check Point, which is not based on MPLS?

There's a lot of confusion about the difference between an MPLS network and IPSec or secure VPNs. MPLS is much more how to route traffic effectively through IP networks. What we call an IPSec VPN is much more about how do you make sure this data is secure when it crosses the line. It just gives you a much broader set of requirements than just relaying the traffic over an IP network. MPLS doesn't give you much security. It doesn't encrypt the traffic, it doesn't authenticate it. It doesn't enforce a policy. It just gives you a very good way to route your traffic over a very big IP network. That's very complementary to IPSec-based VPNs.