Check Point Software is announcing a supplemental NAC architecture this week that integrates its deep-inspection firewalls with Intel-based network interface cards to block rogue behavior.
The latest version of Check Point's VPN-1 NGX software enables postadmission NAC by finding traffic that violates security policies and shutting it down at the NIC of the machine generating it.
This requires NICs in desktops based on Intel's vPro technology, which contains programmable hardware filters to block traffic.
Check Point already had a means to block malicious traffic at the desktop via its Integrity client software, which includes a firewall that can block traffic based on set policies. The software also scans desktops and laptops for security posture, and that information can be used to allow or deny network access.
Adding access controls via firewalls and NICs gives customers an additional option for deploying admission security. For example, a company that upgrades its PCs routinely might acquire the Intel hardware needed to execute admission policies. HP and Gateway have announced desktops employing vPro technology.
Customers could use the NICs to enforce NAC policies without deploying the Integrity client, a time-consuming task to take on, because it includes not only installation and configuration but ongoing maintenance.
The new Check Point software release supports cooperative enforcement between its VPN-1 firewalls and the NICs. To enable the enforcement, customers must write scripts that instruct the NICs what traffic to block or divert to quarantine VLANs. Check Point says that in later releases, the script writing will be masked behind a graphical user interface that will make it simpler to configure NAC policies for the NICs to enforce.
The added work the VPN-1 firewalls must do is supported by software revisions that makes them perform better on standard IBM server hardware. The software performed at 10Gbps last fall, and Check Point says the latest software version performs at 12Gbps. This enables customers to turn on more security features and still have enough processing power to meet line speed for most networks, the company says.
Check Point is also overhauling its management platform so it doesn't require a much downtime when it is being upgraded. Major management updates previously required server downtime to install software changes, but the new management software can be upgraded using plug-ins. So adding management for a new Check Point product can involve adding a plug in, and not requiring any refresh of the rest of the platform, the company says.
The first plug-in available supports policy management for Check Point's SSL VPN gear that enables central setting of SSL VPN policies. Before these policies had to be set machine by machine. Disruption of the entire management server while the plug-in is added will be minimal, Check Point says.