Check Point Software Technologies Ltd. could save a lot of marketing ink on Next Generation Feature Pack 1, its firewall/VPN update, by just saying, "Hey folks, it's a lot easier to use."
In eWeek Labs tests, we determined that the add-on Feature Pack 1, at $3,495 for a license to protect 25 IP addresses, is a worthwhile purchase, especially for the improved administrator security. We could create administrators with a limited scope of responsibilities, thereby distributing management tasks for specific firewalls without giving away the proverbial keys to the kingdom.
However, although network security can be made less tedious, it is still a complex chore. In NG FP1, which began shipping in November, Check Point has done a good job of eliminating the chances of making mistakes, but network managers should make sure they have a well-thought-out plan on paper before they even sit down at the keyboard to implement security policies.
NG FP1 still suffers from a complex licensing structure. Although it was clear which components needed to be upgraded, we had to wade through a number of installation steps to get all VPN-1 and Firewall-1 gateway machines up to speed. NG FP1 includes both products. As before, licensing keys enable various components.
NG FP1 has one big advantage over comparably priced competitors, including Cisco Systems Inc.'s PIX firewall and VPN (virtual private network) products from a wide variety of vendors. The new One-Click policy tools made it simple for us to define VPN links and firewall policies. We could then distribute these policies to Check Point devices in the network. This procedure worked without a hitch, even when we created mixed site-to-site VPNs.
It Takes a VPN Community
Check Point based this feature on what it calls VPN Communities. Without too much effort (some planning is required), we were able to reduce the amount of work needed to create these multisite VPNs by more than half compared with the same task using previous versions of Check Point.
The other big advantage of using the One-Click tool is that it eliminates configuration errors that can be introduced when setting up rules by hand. This makes it a much more reliable way to set up and change VPNs in large IT deployments.
Two other new One-Click utilities in NG FP1 eased our workload when it came to integrating extranets and providing digital certificates to VPN-1 SecureClients. In the case of One-Click Extranets, we were able to quickly build rules that governed the process of integrating two networks, one run by BenchTen and the other run by eWeek Labs (both fictitious entities used only for testing).
We were able to establish trust relationships, define which objects—such as data files—could be exchanged over the extranet and build rules that governed access. This was significantly easier than the elaborate process required in the previous version of Check Point Next Generation.
Enhancements to the way NG handles digital certificates in FP1 made it possible for us to issue our own encryption and authentication credentials to users. In the previous version, Check Point credentials could be easily given only to gateway devices, not to end users. Although we could have used certificates from providers such as VeriSign Inc., home-grown certificates are a good alternative for security-conscious, budget-wise organizations.
Sites with large numbers of remote users, especially users who create large amounts of traffic, will appreciate NG FP1's load-balancing improvements. We configured clients to randomly select among the five VPN gateway machines at the edge of our network. This involved additional configuration work in the client setup but was well worth the effort. When we downed one or two of the VPN gateways, forcing the clients to reselect their connection, we nearly always ended up with a reasonably balanced distribution of clients.
Although this is a big improvement in client flexibility, it requires a little more record keeping—which NG FP1 does not provide. For example, when we added several VPN gateways during the test, there was no convenient way to update clients with this information, nor was there a good way to keep track of which clients had which gateways.
Senior Analyst Cameron Sturdevant can be contacted at firstname.lastname@example.org.