Checkpoint Firewall-1 - An advanced firewall for network security

Checkpoint Firewall-1 is one of the advanced firewalls used for security solutions like password managers and security apps. This article describes how it works, its features and its price.

Checkpoint Firewall-1 is used in many high end security solutions like password managers and security apps. Versions of the firewall run on Windows NT and other operating systems.

Every system administrator will swear by Checkpoint Firewall-1. A survey revealed that it is one of the best-selling firewalls in the world. Firewall-1 is a policy-based stateful inspection filter that comes with an integrated Network Address Translator (NAT) and a set of non-integrated, protocol-specific security filters. A stateful inspection filter makes packet filtering more secure without incurring the overhead of a proxy server.

How does a stateful inspection filter work?

The original data packets move on to the network after passing a series of tests applied by the inspector module. If a deformation goes undetected, the packet passes through without being modified by the firewall module, so these pass/fail checks are not foolproof. Stateful inspection filters make the tests more rigorous. They are a middle ground between application proxies and simple packet filters: they keep details of each connection, but they lack the ability to monitor the internal content of some protocols and can only perform a cursory examination of the information in the TCP layer.
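The difference between a simple packet filter and a filter that keeps details of each connection, as an added example that is not part of the original article and not Firewall-1 code. The addresses, ports, the `INSIDE` network and all function names are constructed for illustration.

```python
# Added illustration; addresses and ports are constructed sample values.
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/24")  # assumed protected network

def pkt(src, sport, dst, dport, flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}

def stateless_allow(p):
    """Simple packet filter: each packet is judged alone, so to let replies
    back in it has to accept any inbound TCP segment with ACK set."""
    return ip_address(p["src"]) in INSIDE or "A" in p["flags"]

class StatefulFilter:
    """Keeps details of each connection; inbound segments pass only when
    they match a connection that was opened from the inside."""

    def __init__(self):
        self.table = set()  # (inside ip, inside port, outside ip, outside port)

    def allow(self, p):
        outbound = ip_address(p["src"]) in INSIDE
        if outbound:
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            if p["flags"] == "S":          # first segment of a new connection
                self.table.add(key)
        else:
            key = (p["dst"], p["dport"], p["src"], p["sport"])
        allowed = key in self.table
        if allowed and "R" in p["flags"]:  # a reset tears the entry down
            self.table.discard(key)
        return allowed

def demo():
    """Run both filters over the same constructed packet sequence."""
    fw = StatefulFilter()
    packets = [
        pkt("10.0.0.5", 40000, "203.0.113.10", 80, "S"),    # client opens
        pkt("203.0.113.10", 80, "10.0.0.5", 40000, "SA"),   # genuine reply
        pkt("198.51.100.7", 80, "10.0.0.5", 40000, "A"),    # unsolicited ACK
        pkt("203.0.113.10", 80, "10.0.0.5", 40000, "RA"),   # server resets
        pkt("203.0.113.10", 80, "10.0.0.5", 40000, "A"),    # after teardown
    ]
    return [(stateless_allow(p), fw.allow(p)) for p in packets]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Each tuple is (simple filter verdict, stateful verdict): the simple filter passes every segment, while the stateful one rejects the two that match no live connection.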

What makes the Checkpoint Firewall-1 filter highly secure?

  • A simple stateful inspection filter can't monitor some protocols like HTTP, FTP and SMTP. Firewall-1 therefore allows plug-in protocol filters that understand and monitor the content of such protocols, inspect it and make pass/fail decisions. Firewall-1 supports over 120 protocols. Plug-in protocol filters are very similar to actual proxies, which are more secure. They can even perform advanced filtering functions like stripping attachments and blocking Java.

  • The SMTP filter of Checkpoint Firewall-1 is a true proxy: it writes emails to disk and then forwards them through the gateway by means of a separate service. This prevents buffer overflow problems.

  • The user authentication process is handled transparently by protocol content filters.

  • The Content Vectoring Protocol (CVP)-compatible filters perform various functions like stripping attachments, checking for viruses and blocking URLs.

  • Unlike most other firewalls, Firewall-1 converts the existing border routers into strong firewalls.

Salient features

Support for high speed networks

Performance is paramount in high-speed networks. Firewall-1 is specially designed to support such networks. With the support of this firewall, companies use proxy servers in their networks to enhance internal security on low-speed links.

Policy based management

To make the configuration simpler to view and manage, Firewall-1 allows users to create protocol definitions, or objects. These objects associate a name with a set of protocol identifiers like IP protocol type and port number. This makes it easier for the user to understand the configuration of the firewall and reduces mistakes as well.

Automatic address translation

When an object is defined, an address translation mode is assigned to it. Once this is done, address translation rules are automatically generated for each case where the object is used. Objects are thus handled individually. Note that the user can also modify the rules if required.

Client/server management

From a centralized set of management consoles, users can control multiple firewall modules. UNIX or NT computers, or commercial routers like the ones from Cisco or Bay Networks, are needed to run firewall modules.

Firewall module synchronization

If one of two firewalls running on the same connection fails, the other connections are not affected. This feature helps in load-balancing across firewalls.

Interface view

The GUI of Firewall-1 is very easy to understand. In the example shown, the first rule says that if the packet is from 'any' source, the destination is 'monk' and the services are 'any', reject the packet and alert the network administrator. The rule-based interface creates different levels of security for different groups. Users can create their own address translation rules.
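A sketch of how named objects and a rule base such as the 'any' to 'monk' rule fit together, as an added example that is not from the original article and does not use Firewall-1's own policy format. Every name except 'monk' and 'any', all addresses, and the top-down first-match evaluation are assumptions of the example.

```python
# Added illustration; object names other than 'monk' and all addresses are
# constructed, and this is not Firewall-1's own policy format.
from ipaddress import ip_address, ip_network

# Network objects: a name bound to an address range.
NETWORKS = {
    "any": ip_network("0.0.0.0/0"),
    "monk": ip_network("192.0.2.10/32"),
    "web-dmz": ip_network("192.0.2.0/24"),
}
# Service objects: a name bound to (IP protocol type, destination port).
SERVICES = {"http": ("tcp", 80), "smtp": ("tcp", 25), "dns": ("udp", 53)}

# Rule base, evaluated top down; the first matching rule decides (assumed).
RULES = [
    {"src": "any", "dst": "monk", "svc": "any", "action": "reject", "alert": True},
    {"src": "any", "dst": "web-dmz", "svc": "http", "action": "accept", "alert": False},
    {"src": "any", "dst": "any", "svc": "any", "action": "drop", "alert": False},
]

def validate(rules):
    """Return the names used in rules that have no object definition."""
    missing = []
    for r in rules:
        missing += [r[k] for k in ("src", "dst") if r[k] not in NETWORKS]
        if r["svc"] != "any" and r["svc"] not in SERVICES:
            missing.append(r["svc"])
    return missing

def svc_matches(name, proto, port):
    return name == "any" or SERVICES[name] == (proto, port)

def decide(src, dst, proto, port, rules=RULES):
    """Return (rule number, action, alert) for the first matching rule."""
    for n, r in enumerate(rules, start=1):
        if (ip_address(src) in NETWORKS[r["src"]]
                and ip_address(dst) in NETWORKS[r["dst"]]
                and svc_matches(r["svc"], proto, port)):
            return n, r["action"], r["alert"]
    return None, "drop", False  # nothing matched: deny by default

if __name__ == "__main__":
    print(decide("198.51.100.7", "192.0.2.10", "tcp", 80))  # hits the 'monk' rule
    print(decide("198.51.100.7", "192.0.2.20", "tcp", 80))  # hits the http rule
```

Because 'monk' lies inside 'web-dmz' here, HTTP to it is still rejected with an alert: the rule above the accept rule matches first.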

Services & Pricing

The price of the basic 25-user firewall is around $2000. The single-gateway product supports only a limited number of users and is suitable for small businesses with fewer IP addresses. The gateway and the console are installed on one desktop.

The RealSecure VPN and remote authentication module costs around $100 per additional user. It protects an unlimited number of internal hosts and is suitable for large organizations.

Firewall-1 has some of the best online documentation in the business. Everything from theory to application is explained in detail with examples. This is especially good for new network administrators with little prior experience. However, if you still need telephone technical support, Checkpoint charges $400 per incident, which is way too much, and even in this paid call a solution to your problem is not guaranteed.
