Check Point adds application protection

By Paul Roberts

A new generation of firewall technology from Check Point Software Technologies Ltd. will protect against attacks directed at applications, in addition to protecting networks, the company said Monday.

Check Point Next Generation with Application Intelligence adds new capabilities to the FireWall-1 product, enabling it to actively protect applications behind the firewall such as Web servers, e-mail servers and DNS servers.

The new application intelligence features will be available June 3 and are included with the SmartDefense product, which comes with FireWall-1, Check Point said.

The new features enable FireWall-1 to thwart attacks concealed in common application protocols such as HTTP, FTP and SMTP, Check Point said.

Incoming traffic can be validated for compliance to protocol standards and typical usage while traffic can be blocked from forbidden network programs such as instant messaging or peer-to-peer file-sharing.

In addition, the new application intelligence features can stop targeted application attacks containing malicious commands or data, such as those used by worms or in cross-site scripting attacks.

The SmartDefense user interface has been modified to include features for managing applications across a network, in addition to perimeter defences.

Application defences can be grouped by category such as “Web,” ‘FTP,” and “Mail.” Within a category, security administrators can drill down, adding or modifying filters to weed out particular types of traffic or protections for specific servers.

The new features will put competitive pressure on other companies selling firewall products, said Mark Kraynak, a marketing manager at Check Point.

Kraynak compared the addition of application intelligence features to the company’s introduction of stateful inspection technology in FireWall-1 in the early 1990s. Stateful inspection technology is a firewall architecture that tracks packet contents passing through a firewall, in addition to tracking packet header information. It became standard in other firewall products.

The new version of FireWall-1 got high marks from Mike Chenetz, a network security analyst at computer consulting company Dynamic Strategies Inc. (DSI) of Cranberry, N.J., who is evaluating the product for a DSI customer.

Chenetz used the new FireWall-1 for about two months in a test environment made up of a number of PCs connected to a router.

“I was impressed with the ability (of the device) to not just do port filtering, but to have intelligence about what was going out over the ports,” he said.

FireWall-1 Next Generation with Application Intelligence performed well in spotting and stopping instant message traffic from the test environment and Chenetz was impressed with the ability to set network “quotas” that can spot elevated traffic levels and stop denial of service attacks.

However, Chenetz did not try out all of the product’s new features and did not test its worm filtering capabilities, he said.

Filters for many common applications and threats such as the Nimda virus are provided in the product. For patterns that were not provided, the SmartDefense interface makes it easy to create one, he said.

While the new application intelligence features in FireWall-1 are significant, they fall short of offering comprehensive “deep packet inspection” required for true application security, said Richard Stiennon, vice-president of research at Gartner Inc.

Competitors in the application firewall space such as NetContinuum Inc., Fortinet Inc. have specialized products based on application-specific integrated circuits (ASIC) capable of more extensive and faster inspections of application-layer traffic, Stiennon said.

Redesigning FireWall-1 to compete directly with such products would require a total overhaul of the product, a move that Stiennon thinks is unlikely.

While not comparable to those products, the new version of FireWall-1 will give Check Point customers much of what they need in the area of application security without requiring them to buy additional application security products, he said.

The new features will also turn up the heat on Check Point’s main competitors, such as Cisco Systems Inc. and NetScreen Technologies Inc. to deliver application level defense features in their own products, Stiennon said.

Pricing for Check Point FireWall-1 Next Generation ranges from US$2,000 for 25 IP addresses to US$7,000 for an unlimited number of IP addresses.

In addition, an annual subscription is required to keep the SmartDefense service up to date. That subscription costs US$1,000 a year for each gateway or US$10,000 for more than 10 gateways.

For existing FireWall-1 customers who subscribe to Check Point’s annual subscription service, the new version of FireWall-1 with application intelligence will be available as a software update, a company spokeperson said.