Check Point updates mgmt., security software

Check Point is wheeling out a big software upgrade across its product lines that increases security and makes it easier for users to manage its platforms day-to-day.

The upgrade, called NGX, runs on a dozen Check Point platforms, including its firewalls, IPSec VPN, management software, application security, SSL VPN, internal security gateways and event-correlation software. The goal is to provide a unified security architecture that businesses can add to their networks without whole upgrades to network gear, Check Point says.

Management improvements are the most significant features that set it apart, says Paul Stamp, an analyst with Forrester Research. "This allows you to update software across different components and analyze events more effectively and cohesively," he says. Check Point competes against 3Com, Cisco, Juniper and Nortel to sell security gear that addresses perimeter and internal security.

NGX software - which is part of a dozen Check Point products that run on servers, clients or appliances - pulls together management of Check Point's VPN-1, Connectra SSL VPN and Intraspect internal security gateway. This makes it possible to distribute updates once, rather than platform by platform. Administrators also can get a unified view of logs from all three platforms.

But NGX doesn't let you change policies from one console. That still requires three separate management applications.

The software includes SmartPortal, a new, read-only Web view of Check Point platforms to give broader access to security policies that have been set without compromising them to changes.

The feature could aid help desk workers who deal with complaints that a certain application is inaccessible. The worker could check policies via a SmartPortal to determine whether policies deny a user access to the application. If so, the caller can be passed on to an administrator with authority to alter the policy. If not, the help desk can continue troubleshooting.

NGX supports dynamic routing, which makes it possible to route traffic through current IPSec tunnels. So if a tunnel fails, routers can find alternative tunnels over which to direct traffic. Previously, Check Point software used static routes that had to be changed manually on each device.

For instance, the Department of Public Safety and Correctional Services in Maryland uses NGX to connect 430 law-enforcement sites via an IPSec VPN. Dynamic routing makes it easier to set up new sites and change policies for current sites, says Victor Fooks, chief network officer in the division of IT and communication for the Maryland Department of Public Safety and Correction Services.

Rather than reconfigure each VPN-1 Edge appliance to accommodate a new site, he changes the central firewall settings and policies in the network routers. Dynamic routing lets routing protocols, such as Border Gateway Protocol and Open Shortest Path First, decide which tunnels are best to route traffic to its destination.

Fooks says he is testing NGX's support for securing VoIP as groundwork for his department adopting it. NGX makes it easier for IP voice traffic to survive network address translation (NAT) as it crosses Check Point firewalls. NAT masks the IP addresses of private networks, which make it difficult for incoming phone calls to find the end devices they are looking for.