grouptest: Firewalls - Check Point
Check Point Firewall-1 running on Linux
When Nokia pulled out of the test, Check Point stepped in. We were provided with a dual Intel Pentium III 750MHz machine with 512MB of RAM. The server was running Red Hat Linux 7.2 with the kernel upgraded to 2.4.9-13.
Network connections were provided by one quad- and two dual-port Fast Ethernet Cards, giving us eight ports in total.
However, while the rest of the products in the test are small rack-mountable devices, the Check Point offering is a beast of a machine. It also takes a lot more looking after, as there's a fully functional operating system to think of as well.
The advantage of this setup is that the hardware on the machine can be upgraded as needed, which provides a better upgrade path.
Control of the machine comes in two formats: a GUI and cpconfig. From the Linux shell, the cpconfig utility gives a text-based entry into the system. It's straightforward, but it's not as flexible as the GUI, which runs on a Windows-based PC.
The GUI has recently gone through a complete makeover with the introduction of the NG line of products. Firing it up displays a graphical view of the network. In large environments this is going to prove very useful, as it can be difficult to visualise how the network is made up.
The software retains the same centralised approach to management as the old system. This means that policies are created centrally and then distributed. The software is built from the ground up to be an enterprise product.
Check Point distributions are built from a series of modules, which can be expensive. If you want VPN functions, then this requires an additional licence to the firewall.
Also, the hardware that you'll be using for the firewall won't have any cryptographic acceleration on it, which makes it even more expensive to get a decent VPN platform.
Inside the firewall module, you get a good range of options and a scalable, flexible platform. The idea of rigid interfaces doesn't exist in the Check Point world. Instead, it's more free form. Rules are based on the flow of traffic between ports, making the software ideal for the centre of the network or the edge.
Performance tests showed the limitations of standard hardware. The firewall coped well until we went past 4000 connections per second. Then the drop-off rate was high. We were impressed by the number of simultaneous connections that the hardware could support, and this can be improved by upgrading the memory.
Product Info
Management 5/5
Features 3/5
Build Quality 3/5
Performance 4/5
Value for Money 3/4
Overall 4/5
Contact Check Point 01223 713600
www.checkpoint.com