Check Point set to defend security turf

Check Point next month intends to announce its major software upgrade of the year - a package that will include VoIP improvements and enhanced auditing - in a move industry experts call critical to the company's long-term success.

As big network vendors encroach on Check Point's territory and threaten to undermine its position as a dominant security software player, the company must demonstrate how its network security scheme stacks up, experts say.

Cisco and Juniper "are threatening Check Point big time," says Jon Oltsik, senior information security analyst for Enterprise Strategy Group. Similarly, the security features that Microsoft is adding to its servers and operating systems add pressure, experts say.

Some of Check Point's challenge stems from its widespread reputation as only a firewall and VPN vendor. But that perception overshadows its newer technologies, analysts say. Those newer offerings include its Integrity endpoint security, Connectra SSL VPN gear, InterSpect internal security gateway and Eventia Analyzer software, which gathers log data from other Check Point gear and other network devices and correlates security events. This also includes the company's multi-featured management platform that unites the individual products.

Calling its next software release its biggest news of the year, Check Point says the new version of its VPN-1/Firewall-1 software will address differences that VoIP equipment vendors have in how they implement signaling protocols that can make firewall configuration difficult, says Gonen Fink, the company's vice president of solutions and strategy.

Check Point firewalls already support VoIP, he says, but configuring them is admittedly challenging, and configuration varies from VoIP vendor to VoIP vendor. "With the next release there will be a significant improvement," he says.

The new release, which will be announced in mid-May, will have more intelligence about the major VoIP protocols so the software can better detect abnormal protocol behavior that might signal attacks, Fink says.

Also promised with next month's upgrades are enhanced auditing capabilities of what security measures are in place, what users have tapped what resources, and when they were accessed. Reports on such activity are becoming increasingly necessary to meet regulatory requirements for keeping certain financial and healthcare data secret.

Check Point will make these announcements on a stage where much larger network companies are focusing more heavily on security, posing a potential threat to Check Point's livelihood, experts say.

Competitors are offering an expanding array of security features and integrating them in their switches and routers. Juniper, for instance, will be shipping an intrusion-prevention blade for its ISG 2000 switch this spring, and Cisco is adding intrusion-prevention systems to certain of its switches, firewalls and routers.

To garner more customers for its endpoint security, internal gateways, intrusion-prevention and event-correlation software, Check Point should think along the lines of TippingPoint Technologies, now owned by 3Com; Crossbeam (which supports Check Point firewalls and VPNs on its hardware); and Fortinet, says Joel Conover, an analyst with Current Analysis. These other companies have a single hardware platform running multiple security applications in parallel.

"Theoretically, Check Point would come out with a new framework that would allow them to plug in all these components in rapid fashion and maybe expand into new technologies if the opportunity presents itself," Conover says. "The mission would be to become, from a software perspective, less monolithic, to become more modular."

Assuming Check Point can do that, customers would want an equally integrated management platform to keep an eye on all the data the device gathers, says Trent Henry, a senior analyst with Burton Group. The various Check Point offerings can block entrance to networks, discover attacks, restrict traffic between defined network zones and quarantine zones from which malicious activity is generated. What's needed is a way to double-check that the security policies as set are actually being carried out, he says.

"Increasingly with compliance mandates, we need to have some segregation of duties between those who are authorized to make changes to the infrastructure and those who can actually assess that changes were done in a controlled fashion and in accordance with policy," he says. This would help companies that need to prove they are following proper procedures to comply with government mandates about how financial and healthcare data is handled, he says. "My clients want to know what the next step is for compliance and audit and control," he says.

This sounds similar to references Check Point's Fink made during an interview about auditing enhancements the company has slated for its May release.

Part of what Check Point needs might be an overhaul of its business model that would let it accept lower profit margins, Oltsik says. The company also needs to invest more in a salesforce that can bring its products directly to customers, he says.

Most of the company's sales come through channel partners, companies that sell a variety of gear directly to business customers, according to Gregg Moskowitz, a senior analyst with Susquehanna Financial Group. This arrangement is one of three key factors that keep the company's profit margins extraordinarily high, he says. The other two are that its R&D is conducted in Israel, where it costs about 40% of what it would cost in the U.S., and Israel's favorable tax system, Moskowitz says.

As a result, the company enjoys a 57% operating margin, he says. "That's just phenomenal. With most companies, if they reach 30% that's remarkable, and this is almost double that," Moskowitz says.

Oltsik says he thinks that the company must push its products directly to corporations if it wants to stave off network vendors. "They're at a decision point right now. They either invest in a direct sales force and become a direct enterprise security provider or find distribution channels for some of their other products quickly, and I don't think [the latter] is a viable alternative," Oltsik says.

Check Point's Fink says the threat from Cisco, Juniper and the other network vendors isn't that dire. For instance, Cisco's network admission control initiative to interrogate network devices to make sure they meet security policies is still an initiative, whereas Check Point's Integrity software and InterSpect are available now.

In either case, Microsoft is looming as yet another competitor as it adds security features to its operating system and mounts its own network-based security initiative called Network Access Protection. This leaves Check Point in a bind, with network behemoths closing in from all sides, Oltsik says, and it needs to now start making clear how its products are a good investment for the long term. "For Check Point, they need to figure [that] out pretty quickly. It will get ugly in the next 12 to 24 months," he says.

But Fink says Check Point's strength is reacting quickly to whatever new exploits attackers come up with, and that will carry the company through. "What we're really good about is adaptability to change," he says.

Copyright © 2005 IDG Communications, Inc.
