the outside but to enable people to connect to their network from the road in a secure way, for companies to start sharing information using the
Internet as a Virtual Private Network (VPN).
BYTE:
How are companies' security needs changing?
Shwed:
Two things have happened. One, companies have discovered the possibilities of connectivity. With that they need to secure. They have more doors, they have more connection points, they use public networks, they have to secure them. The first trend involves employees or other companies that are calling from the outside. The second trend is with the emergence of the Internet, people realize the security risks that they have. Later they may realize that a major part of the risk actually resides within the corporation. Companies are using more network security inside the company for compartmentalisation among different departments. Once the company is connected, you don't want the wrong people to get to the finance department computers or for the software developers to test their software on the production machine by mistake.
BYTE:
How have new Internet "push" software and similar new services on the Net changed firewalls?
Shwed:
A firewall has to support the policy [of the company] and part of the policy means that there are new services every day and each one of these new services optionally needs to be supported or blocked. What we offer people is the ability to add these services themselves or through us, and the support for these changes. These changes happen every day so it is critical to be able to support new services like BackWeb or RealAudio through the Internet.
BYTE:
What are the current and future dangers? We've seen much concern lately about Java and ActiveX security.
Shwed:
We have an open architecture with our FireWall-1 product, and it lets the user plug in whatever they want. It provides basic capabilities so that the user can choose where they want to allow Java applications or ActiveX applications. This lets administrators decide if they want to get ActiveX or not get ActiveX, and from which site. One of the customer demands we have found is that people are afraid of Java applets, but they also need them because they write enterprise applications that need them. Instead of forcing them to choose between screening Java out or screening it in, we allow administrators to disable Java when users are visiting sites on the Internet that are unknown.
BYTE:
What are Check Point's main technological strengths?
Shwed:
From the technology standpoint there are two main achievements. One is the stateful inspection architecture, and the achievement there is that we allow people to use all of the communications protocols and to secure the passage of all communications protocols. That is necessary as the Internet evolves and that is even more necessary in the enterprise network, in the corporate network, because there you can't say I want to disconnect protocol X. The CEO needs to access the finance department so this protocol must be allowed through the network. You can't say, I don't know how to let this protocol through. So that is the first innovation that we brought to market.
The benefit of stateful inspection is that it can inspect all types of communications and can decide how to handle each one of them and is not dedicated to a very small set of predefined applications. It does that in a very efficient and transparent manner.
The second thing we brought to the market, which is no less important, is ease of use. We allow people to define their policy in a very clear way, and without writing in assembly code, in addresses and bits and bytes. We let them define it in an easy way, without having to be a programmer. It is designed for the system administrators. But the most important factor is that they don't have to be security experts, they don't have to be networking gurus, they don't have to spend months writing and analyzing things. They can just write the policy in a way everybody can understand, not just the system administrator, and enforce it in a very easy way. And this ease of use is critical when the market grows up quickly. Our product wasn't the first firewall, it was the first software-only product. Something so that everybody can take the box, install, and use it. All of the products that existed before were a combination of consulting, hardware, software, and services, rather than just plain software that system administrators can take out of the box and install themselves.
BYTE:
Can you explain how stateful inspection differs from application proxies?
Shwed:
Stateful inspection intercepts communications between layers two and three of the OSI stack, before they reach the operating system. It extracts state information from the communications and checks information against the defined security policy before deciding whether to allow or disallow communications through the firewall. This contrasts with application gateways or proxies, which don't make a security decision until the communication has reached the application layer (the highest layer in the OSI 7-layer model). The latter approach exposes the operating system to vulnerabilities and also increases overhead because the communications have to pass through so many additional pieces of software.
Stateful inspection provides full application-layer awareness but, unlike an application gateway, does not require a separate proxy for every service to be secured. Proxies are a limiting factor for throughput and performance, because the architecture provides for a duplicate application (proxy) for every application you want to use (e.g., two processes for each application). This incurs a lot of processing overhead. With the number of users trying to get through the firewall and the high-bandwidth applications they want to use (e.g., multimedia), application gateways don't scale to the way the Internet is being used today. Stateful inspection doesn't impose those limitations on users, providing high-performance and scalability to users.
Another benefit of stateful inspection is the number of applications it can support. Today, FireWall-1 supports over 120 applications and services. Application gateways can only support about 8-10 applications overall. That's another way that stateful inspection is more scalable.
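The difference Shwed describes between a filter that remembers connection state and one that judges each packet by its headers alone can be shown in a few dozen lines. The following is an added illustration, not code from the interview or from Check Point; the packet model, the 10.0.0.0/24 "inside" network, the addresses and the five sample packets are all constructed for the example. The stateless filter must leave inbound high ports open so that server replies can return, which also lets an unsolicited connection through; the stateful filter admits only traffic that belongs to a connection an inside host opened.

```python
from dataclasses import dataclass

# Constructed example: a packet is reduced to the header fields a filter inspects.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    flags: frozenset = frozenset()   # TCP flags present, e.g. {"SYN"} or {"SYN", "ACK"}

INTERNAL_PREFIX = "10.0.0."          # constructed: addresses of the protected network

def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)

class StatelessFilter:
    """Decides on each packet's headers alone, with no memory of earlier packets.
    To let server replies back in it has to leave inbound high ports open."""
    def allow(self, pkt: Packet) -> bool:
        if is_internal(pkt.src) and not is_internal(pkt.dst):
            return True                      # any outbound traffic
        if not is_internal(pkt.src) and is_internal(pkt.dst):
            return pkt.dport > 1023          # blanket hole for "replies" to client ports
        return False

class StatefulFilter:
    """Remembers connections opened from inside and admits only their return traffic."""
    def __init__(self):
        self.table: dict[tuple, str] = {}    # forward 5-tuple -> connection state

    @staticmethod
    def _forward(p: Packet) -> tuple:
        return (p.src, p.sport, p.dst, p.dport, p.proto)

    @staticmethod
    def _reverse(p: Packet) -> tuple:
        return (p.dst, p.dport, p.src, p.sport, p.proto)

    def allow(self, pkt: Packet) -> bool:
        fwd, rev = self._forward(pkt), self._reverse(pkt)
        key = fwd if fwd in self.table else rev if rev in self.table else None
        if key is not None:
            # Packet belongs to a tracked connection: update its state and pass it.
            if pkt.flags & {"RST", "FIN"}:
                self.table.pop(key)          # simplified teardown for the example
            elif self.table[key] == "SYN_SENT" and key == rev and pkt.flags >= {"SYN", "ACK"}:
                self.table[key] = "ESTABLISHED"
            return True
        # Unknown connection: only a TCP SYN from an inside host may open one.
        if (is_internal(pkt.src) and not is_internal(pkt.dst)
                and pkt.proto == "tcp" and pkt.flags == {"SYN"}):
            self.table[fwd] = "SYN_SENT"
            return True
        return False

def sample_traffic() -> list:
    """Constructed packets: a normal web connection plus an unsolicited inbound probe."""
    inside, web, stranger = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    F = frozenset
    return [
        ("outbound SYN",            Packet(inside, 40000, web, 80, flags=F({"SYN"}))),
        ("reply SYN/ACK",           Packet(web, 80, inside, 40000, flags=F({"SYN", "ACK"}))),
        ("outbound ACK",            Packet(inside, 40000, web, 80, flags=F({"ACK"}))),
        ("unsolicited inbound SYN", Packet(stranger, 5555, inside, 40001, flags=F({"SYN"}))),
        ("inbound SYN to port 22",  Packet(stranger, 5555, inside, 22, flags=F({"SYN"}))),
    ]

def evaluate(filt) -> dict:
    """Run the sample packets through one filter, in order; returns name -> allowed."""
    return {name: filt.allow(pkt) for name, pkt in sample_traffic()}

if __name__ == "__main__":
    for label, filt in (("stateless", StatelessFilter()), ("stateful", StatefulFilter())):
        print(label)
        for name, allowed in evaluate(filt).items():
            print(f"  {name:26s} {'ALLOW' if allowed else 'DROP'}")
```

Both filters pass the legitimate three-way handshake and both drop the probe to port 22, but only the stateful filter drops the unsolicited SYN to a high port, because no inside host opened that connection. The connection table is what lets the stateful filter avoid the blanket high-port rule, which is the point Shwed makes about deciding per connection rather than per predefined application.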
For more information on Check Point, see http://www.checkpoint.com.