Check Point overhauls its security software architecture

Software Blades, dedicated processing power and build-your-own UTMs on tap
  • Tim Greene (Network World)
  • 25 February, 2009 08:20

Check Point is in the midst of a major overhaul of its security software architecture so customers can pick and choose the applications they want and dedicate computing resources to each depending on the performance they want to guarantee.

The company has taken the first step with the latest R70 version of its software that separates its various applications -- firewall, VPN, Web filtering, intrusion detection/prevention systems (IDS/IPS) -- into software blades that are available to customers a la carte or in pre-packaged bundles.

And Check Point is working toward being able to dedicate part of the computing power of multi-core processors to a single application, starting with its IDS/IPS platform. This capability will be expanded to the company's other security platforms over time.

The software-blade architecture is being announced Tuesday at Check Point's international customer meeting in Paris. It will let customers load a custom mix of applications on a single multi-core machine and dedicate entire cores to individual applications to guarantee performance, the company says.

Check Point calls this dedication of computing power Core XL and has applied for patents on it.

In earlier software versions, Check Point's security applications were bound to each other, as in its unified threat management (UTM) software that includes a firewall, IPS, virus and spyware protection, antispam, a Web-application firewall, VoIP security, instant messaging and peer-to-peer application blocking and Web filtering.

With the new architecture, customers could buy just the applications they want, for example to create their own version of a UTM or to add more applications to today's UTM bundle. Check Point calls this custom UTM capability XTM, to signal that UTM capabilities can be extended with additional features.

This software-blade architecture could make deploying security more efficient for Visa, says the company's director of network security Chuck Riordan. "We're working toward consolidation and globalization and eliminating separate tools," he says. Rather than having a separate IDS/IPS platform as it does now, for instance, the company might put it on a single, multi-function platform, he says.

By running multiple security applications on a single, multi-core machine, the company could consolidate its hardware while preserving performance. "Using core technology on the hardware chipset itself, you could dedicate compute power to Web filtering and not affect stateful inspection," Riordan says.


The new architecture allows more flexibility than the old one or the alternative of using separate appliances from multiple vendors, he says. "On the fly you could add or remove a function," he says.

Visa has not yet tested the new Check Point software, but plans to. "We'll run it through the mill to see how we might take advantage of the core technology," he says.

Eric Ogren, a security analyst with the Ogren Group, says that the software-blade architecture holds the promise of focused security applications with recommended policies preset and ready to go out of the box.

"So instead of the poor IT guy trying to figure out which IPS rules to use for voice over IP traffic or at some point down the road virtual desktops, Check Point could build that right in," Ogren says. "They could say we're going to give you a voice-over-IP-security module, and it will have a policy that says these are the types of exploits that we're looking at. And that saves IT a kind of headache."

Another feature of the R70 software version is its improved performance -- as much as 22 times faster than the previous software -- which will make its use as part of a custom UTM more attractive, Ogren says. "That's an order of magnitude times two. With these performance improvements, I can see the IDS as one less box, one less bump in the wire," he says.

The software-blade architecture extends to Check Point's management platform as well, carving it up into more than 20 individual capabilities that customers can buy separately.

Check Point is offering security gateway packages of its software blades that sell for less than buying each application separately. For instance, a package called SG207 costs US$11,000 and includes a firewall, VPN, IPS, antispam, e-mail security, URL filtering, antivirus, antimalware, acceleration and clustering. Individually, the same package would cost $17,000, the company says.

R70 is available in March, as are the IPS Core XL blade and a VoIP provisioning blade. A change management blade is due in the second quarter, and a data loss prevention blade is due in the second half of this year. Others, such as browser security, will come later, Check Point says.