Check Point delivers long-awaited appliance

The Check Point UTM-1 series impressed us in our exclusive Clear Choice Test with its integrated manageability and showed its performance chops with basic firewall and intrusion-prevention-system rules in place.

The UTM-1 450 we tested, which was designed to support 250 simultaneous users, carries the same $7,500 price tag as Check Point’s software-only 250-user-license offering. Therefore, buying the former is like getting the hardware for free. The new appliances, unlike Check Point’s software-only package, do not limit the number of users that can access them. So, going from 250 users to the occasional 251 users incurs no additional cost.

This market move catapults Check Point out of the now-nonexistent “software firewall” category and puts it against chief hardware-only competitors — Cisco and Juniper — port for port, feature for feature.

The many value-added resellers integrating Check Point software into their own hardware will find it difficult to compete with this new combination. Even Check Point’s high-end partners Nokia and Crossbeam should find these appliances significant competition. Nokia, for example, has a broader line of products, better management and significant expandability, but those advantages may be important to only a small fraction of its users.

The firewall and management software of the UTM-1 is identical in features, function and control to that shipping with the VPN-1 UTM software-only offering Check Point began shipping last May. The UTM-1 bundle comprises firewall, , Smart Defense IPS (including antispyware) and antivirus built into the system.

UTM add-ons include a Web server application firewall, SSL VPN network extension, controls and URL filtering. Our test focused on the capabilities of the UTM-1 appliance itself. The question we set out to answer was, “if you want to run Check Point, is the new UTM-1 the right choice?” For most midsize enterprise customers, the answer is a resounding “yes!”

All models will come equipped with four 10/100/1000 Ethernet ports, while the 1050 and the 2050 models have an additional four 10/100 Ethernet ports.

The UTM-1 devices have layers of Web-based and command-line management wares that control the underlying operating system, including software upgrades and downgrades; backup and recovery; and basic system operations, such as IP addressing and dynamic routing. You use a Web browser to set up UTM-1 itself and then jump into the traditional Check Point SmartDashboard GUIs to control the firewall and UTM features.

Existing Check Point customers can integrate a UTM-1 appliance into their management systems easily, or can move their existing VPN-1 management server into the UTM-1 itself. No additional management server is required.

To exercise the management features of the UTM-1, we changed IP addresses, Network Time Protocol and DNS configuration. Then we rebooted and upgraded software, and everything went exactly as we would have expected. We found the features in the underlying appliance management to be good for midsize enterprises and fairly simple deployments.

Check Point’s documentation is a bit lacking in its coverage of the appliance. That said, we didn’t find we needed much documentation because the interface was well designed and intuitive. And, because this is built on SecurePlatform (Check Point’s hardened, Linux-based operating system for dedicated firewall appliances), you can get to a Unix shell prompt to debug or fine-tune the parameters.

A rough spot in this management implementation lies in the UTM-1’s two disaster-recovery features. One of those features is the ability to boot the appliance from a USB key and use it to reinitialize to factory defaults. The other is the ability to back up the configuration off the appliance and restore it to another system.

But the Check Point implementation doesn’t let you use the same USB key to back up and restore the appliance. Instead, you run periodic backups — these can be automatically done and moved to a file server — and then use the backup to restore your appliance if disaster hits.

When restored to a new UTM-1, the configuration was flawless. However, within the confines of that process, Check Point had restored the now-invalid license from the old firewall. We had to dig around in the command line to put everything pertaining to licensing in order. Not restoring the old license during the restoration would have saved a lot of aggravation.

We also found one issue with the integration of the firewall with UTM-1 itself. When you ratchet up the Smart Defense IPS settings on the appliance, you can no longer manage the appliance because Smart Defense doesn’t know yet about the UTM-1 Web interface. Fortunately, Smart Defense does know about the traditional firewall management interface, so you can always add a rule to re-enable management.

Measuring performance

Our performance tests focused on the appliance as a tool to protect a corporate network, with most of the traffic being outbound Web browsing with only a minimum of inbound connects (see How we did it).

With no UTM features enabled, and a heavy load of simulated users, we were able to peg the UTM-1 450 at 389Mbps, only a few percentage points below Check Point’s 400Mbps specification. However, we saw response time increase to more than five seconds per page at that rate.

When we turned on the default IPS feature set, we found no degradation in performance at all, a serious statement about the efficiency of the Smart Defense software. However, the default Smart Defense features are fairly trim and won’t do much to help protect outbound Web browsers. To tune Smart Defense for safer Web browsing parameters, we enabled the full set of Web-client protections that help detect and filter attacks against browsers. That tuning had a more significant impact: Performance immediately dropped to 37Mbps.

Applying antivirus protection had an even more dramatic impact. With Smart Defense turned off and antivirus turned on, the total goodput rate was 28Mbps. (See graphic below for more feature combinations and their effects on performance.)

Tracking Check Point UTM-1 performance

In our exclusive tests of Check Point's new UTM-1 450 appliance, we found that it performed up to expectations with basic firewall and intrusion-prevention system rules in place. But as is the issue with all unified threat management devices we've tested, performance drops as you require the box to implement more security parameters.

| Firewall | Smart Defense IPS | Antivirus | Total goodput (Mbps) | Latency (millisec) |
|---|---|---|---|---|
| Enabled | None enabled | None enabled | 389.2 | 5,251 |
| Enabled | Default settings enabled | None enabled | 389.2 | 5,363 |
| Enabled | Only client-side protections enabled | None enabled | 37 | 27,158 |
| Enabled | None enabled | Enabled | 27.5 | 34,385 |
| Enabled | All protections enabled | None enabled | 20.6 | 25,168 |
| Enabled | All protections enabled | Enabled | 6.6 | 40,756 |
| Enabled | Only client-side protections enabled | Enabled | 7.8 | 30,372 |

Normally, our tests find that adding useful IPS and antivirus features to a UTM firewall routinely causes a 90% drop in performance. In a 400Mbps firewall such as the UTM-1 450, that would usually be fine, because you would be able to keep up with a 45Mbps DS-3 circuit with ease. In this case, enabling the full suite of UTM features took performance significantly below what we would consider safe for anyone with a DS-3.

Buying guide

If you’ve decided that Check Point UTM is the firewall combination for your company, these new appliances are an obvious way to deploy high-end software quickly and with a minimum of hassle. Out of the box and configured within five minutes, the enterprise-ready UTM-1 is as easy to deploy as a small-office or home-office firewall.

Like supermarket cheddar cheese, these boxes are not gourmet, but they will satisfy your hunger for a solid, predictable firewall quite well. If you’re still debating Check Point vs. Cisco or Juniper, these boxes give Check Point additional ammunition to win your business. With the option for integrated multidevice management and local logging storage, VPN, Web application firewall and URL filtering, these appliances have features that push them ahead of similar devices from the other heavyweights.

Snyder is a senior partner at Opus One, a consulting firm in Tucson, Ariz. He can be reached at

Snyder is also a member of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry, each bringing to bear years of practical experience on every review. For more Lab Alliance information, including what it takes to become a member, go to

Copyright © 2007 IDG Communications, Inc.