Check Point Software Technologies Ltd. is making a major move into the application security and intrusion prevention markets with a new set of capabilities for its widely deployed FireWall-1 and VPN-1 boxes.
The features contained in the new Next Generation with Application Intelligence software build on the core functionality of the platform and add the ability to detect and prevent application-level attacks and other malicious behavior that network-level firewalls often miss.
Check Point officials said the move, to be announced this week, is the company's biggest product enhancement in nearly two years and comes in response to similar efforts from competitors such as Cisco Systems Inc. and Network Associates Inc. Industry watchers say the new capabilities should give Check Point, which has a large installed base, a leg up in integrated network defenses.
The new offering is based on a four-part defense strategy designed to validate compliance with standards and with expected use of protocols, block malicious data, and control hazardous application operations. All are aimed at protecting networks against application attacks—the attack of choice for many crackers.
To accomplish this, the system looks not only at what applications and protocols are allowed to do but also at what they are expected to do. Most firewalls already block binary data in HTTP headers because it violates the protocol. The Check Point system also blocks unusually long headers, a classic way of triggering buffer overruns in the server code that parses them.
The Application Intelligence functionality of the product is an extension of the SmartDefense feature set, which Check Point has been introducing gradually for the past year. The capabilities are integrated into the SmartDashboard console, which provides detailed views of protection options. The system can also block cross-site scripting attacks and inspect Common Internet File System traffic to identify processes searching for open network shares—a common behavior of worms as they try to replicate across networks.
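As an illustration of the protocol-conformance checks described above, here is a small Python header inspector added for this article. It is not Check Point code and does not reproduce Application Intelligence internals. It rejects HTTP request headers that carry control or non-ASCII bytes, header lines longer than a configured limit, and malformed header or request lines; the byte limits, reason labels and sample requests are assumptions constructed for the example.

```python
"""Toy protocol-conformance inspector for HTTP request headers.

Added example, not Check Point code. Thresholds and reason labels are
assumptions chosen for illustration, not Application Intelligence settings.
"""
import re
from dataclasses import dataclass, field

MAX_LINE_BYTES = 4096   # assumed per-line limit; long lines are an overflow probe
MAX_HEADERS = 64        # assumed cap on header count

# RFC 7230 "token" characters, used for methods and header field names.
_TOKEN = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
_REQUEST_LINE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+ \S+ HTTP/1\.[01]$")


@dataclass
class Verdict:
    allowed: bool
    reasons: list = field(default_factory=list)


def _field_value_ok(value: bytes) -> bool:
    """Header values may contain visible ASCII, SP and HTAB only.

    NUL bytes, other control characters and high bytes (shellcode, NOP
    sleds) have no legitimate place in a header value.
    """
    return all(b == 0x09 or 0x20 <= b <= 0x7E for b in value)


def inspect_request(raw: bytes) -> Verdict:
    """Return a Verdict for the header block of one raw HTTP request."""
    reasons = []
    head, terminator, _body = raw.partition(b"\r\n\r\n")
    if not terminator:
        # Header block never closed: treat as malformed rather than guessing.
        return Verdict(False, ["incomplete-headers"])

    lines = head.split(b"\r\n")
    request_line, headers = lines[0], lines[1:]

    if len(request_line) > MAX_LINE_BYTES:
        reasons.append("oversized-request-line")
    elif not _REQUEST_LINE.match(request_line):
        reasons.append("bad-request-line")

    if len(headers) > MAX_HEADERS:
        reasons.append("too-many-headers")

    for line in headers:
        name, colon, value = line.partition(b":")
        if len(line) > MAX_LINE_BYTES:
            reasons.append("oversized-header:" + name[:32].decode("ascii", "replace"))
            continue
        if not colon or not _TOKEN.match(name):
            reasons.append("malformed-header")
            continue
        if not _field_value_ok(value):
            reasons.append("binary-in-header:" + name.decode("ascii", "replace"))

    return Verdict(not reasons, reasons)


# Constructed sample traffic for the example (not captured data).
NORMAL = (b"GET /index.html HTTP/1.1\r\n"
          b"Host: www.example.com\r\n"
          b"User-Agent: Mozilla/4.0\r\n\r\n")
BINARY_HEADER = (b"GET / HTTP/1.1\r\n"
                 b"Host: www.example.com\r\n"
                 b"Cookie: id=" + b"\x90" * 16 + b"\xeb\x1f\r\n\r\n")
LONG_HEADER = (b"GET / HTTP/1.1\r\n"
               b"Host: " + b"A" * 8000 + b"\r\n\r\n")
TRUNCATED = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"

if __name__ == "__main__":
    for label, sample in [("normal", NORMAL), ("binary", BINARY_HEADER),
                          ("long", LONG_HEADER), ("truncated", TRUNCATED)]:
        verdict = inspect_request(sample)
        print(f"{label:10s} allowed={verdict.allowed} reasons={verdict.reasons}")
```

The point of the example is that none of these checks needs a signature for a specific exploit: a header with NOP-sled bytes or an 8,000-byte Host value is rejected purely because it is not what the protocol allows, which is how a protocol-anomaly check can catch an attack it has never seen.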
The offerings come amid a flurry of new intrusion prevention technology. Cisco, which bought Okena Inc. several months ago, plans to integrate that company's intrusion prevention capabilities into its security products. NAI has similar plans for Entercept Security Technologies Inc. and IntruVert Networks Inc., the two companies it purchased earlier this year.
Application-level firewalls are nothing new. But adding that kind of protection to network firewalls could help make the devices, which are frequently criticized for missing too many attacks, more useful.
It was a move that Check Point almost had to make, industry observers say. "Check Point is in a great position of having an installed base to work from, and they very clearly want to be the perimeter device that does all of the checking up through the application layer," said Pete Lindstrom, an analyst with Spire Security LLC, in Malvern, Pa. "We're all very clear that network firewalls don't protect against Port 80 attacks. Folks who aren't buying specific Web application firewalls may be more inclined to buy this."
Customers who have tested the beta code of Application Intelligence are impressed with its capabilities.
"It's an advantage to have that application security ability that far upfront in the security architecture," said Scott Loach, senior information security engineer at Raymond James Financial Inc., in St. Petersburg, Fla. "No company can give you an all-in-one solution. But this can find unknown attacks and … deals with attacks at the firewall."
Check Point, based in Ramat Gan, Israel, will release Next Generation with Application Intelligence June 3. There won't be a separate license fee, although a subscription to the SmartDefense update service will cost $1,000 per gateway.