As we all know the only thing constant in IT is change and as a result of that I’ve been using Check Point firewalls a lot lately, a departure from my usual ASA and ISA firewalls. I’m going to do a series of posts documenting what I find, as I haven’t seen a good resource which wasn’t either out of date or simply didn’t cover the basics.
With any new product there is always a little confusion, but with Check Point this seems to have been taken to a whole other level and I’ve had a great deal of difficulty working out what it is that they sell, what it actually does and how it all fits together. Check Point appear to have gone through a great deal re-branding, and with a lot of older versions still supported everything now has more than one name depending on which version of the software you are talking about. I’ll try and simplify it here as I understand things. The main thing to remember with Check Point is that, to a much greater extent than with other products, you are looking at two very different and separate things with regards to the hardware and the software.
The hardware you choose for your firewalls will determine how fast and big it can go, as you might expect. It also determines which software features you can use on that particular bit of tin (which I’ll talk about shortly). Check Point give you a large number of options for your hardware depending on your needs.
- IP appliances – the appliance formerly known as Nokia. These are the mid to high end firewalls and range from 1Gb to 30Gb of throughput (with the right model and expansion cards). For your money you get a piece of tin with various ports and space for extra modules. This is very much a pure networking appliance with support for all the basics such as VPN, plus support for advanced features like IPS, routing protocols, clustering, QoS and VoIP.
- Power-1 appliances – these are more datacenter oriented, and run from 9Gb up to 30Gb throughput and are again a piece of tin. They support a few more edge defence features than the IP appliances such as URL filtering, antivirus, antispam, antimalware. Apart from this though they look very similar performance-wise to the high-end IP appliances.
- UTM-1 appliances – I see these as the low end version of the Power-1, tin again. Performance is from 1.5Gb to 4.5Gb, but you can get all the features of the Power-1 plus a few extra ones like built in management and monitoring.
- “Open server” – also known as SPLAT (Secure PLATform). This is kind of like Bring Your own Box, you install the Check Point into a standard bit of server hardware. The license determines things like how many cores your server can have and what features you are allowed, but after that the performance is down to your hardware. SPLAT itself is a modified version of Linux into which various Check Point software modules can be installed.
There are a few other variations including a virtualised version, but these are the main ones. For my testing I’ll be using a SPLAT system running in VMware.
Check Point has gone through a lot of different versions of their software. The good news is that every device runs a version of the same software, and is managed through the same tools. Configuring rules on a SPLAT is exactly the same as configuring rules on one of the appliances. The bad news is that due to the number of iterations and the different licensing for them, you can be left scratching your head.
The first bit of confusion is that way back in 1994 when Check Point made their first firewall they decided to name it Firewall-1, and quickly followed with a VPN product called VPN-1. If you fast forward to today you’ll still find references to Firewall-1, VPN-1, and a whole raft of other things called xxx-1. The 1 has nothing to do with the version of the software as you might imagine, its simply the name of the product. It makes more sense if you think of these as identifiers of feature sets.
The way you differentiate between older and newer software is via the version number of the software. Wikipedia has the full details, but the numbering is roughly:
|NG AI R54||Jun 2003|
|NG AI R55||Nov 2003|
|NG AI R57||April 2005|
|NGX R60||Aug 2005|
|NGX R61||Mar 2006|
|NGX R62||Nov 2006|
|NGX R65||Mar 2007|
Anything prior to NGX R65 is end of life, NGX R65 itself is nearing end of life, and R75 has just been released. Lots of people are currently in the process of upgrading from NGX R65, and if you have existing licenses Check Point are currently running an upgrade promotion.
If you are looking at NGX products and earlier, you combine a feature set and a version number to label your software. Eg, a VPN-1 UTM NGX R65 has a defined set of features from the VPN-1 UTM label, and is the NGX R65 software version of those features.
With R71 and later Check Point have adopted a software blade architecture. You still have a software version, but the features which you run inside of that are a lot more mix and match and are deployed as virtual blades (providing your hardware supports it).
With all the different product names and the mix of people on different versions currently, Check Point is very confusing to the newcomer. Over the next few posts I’m going to go through some basic installation and configuration, starting with an NGX R65 set up. Depending on how things go I may throw in some more advanced stuff like the failover clustering and and upgrade to R71.