Clever Move, Cheap Buy and Stops Losing Sales
This is an overall good move for Checkpoint. In the middle of the bad recession, Nokia who, lets face it, is the only hardware partner they have, tries to sell the appliance division after ten years of trying to make it into something bigger. Nokia seems to be desperate to sell, and it seems reasonable to assume the Checkpoint got the business for a cheap price.
But does anyone also want to make a bet that sales were under threat ? How many companies stopped purchasing while they waited to hear about the future of the IPSO platform ? How many started to reconsider their firewall platform dependent on who bought the IPSO hardware ? Yeah, I am pretty sure that management at Checkpoint were very nervous about what might happen and were forced to step in.
The network security market is now converged on using appliances at almost every level and this has left Checkpoint with a twenty year old strategy and no options. If they integrate the hardware and software, they now look like a viable security vendor, customers will be able to buy their firewalls from a single vendor.
Internally, there are going to be problems too. Checkpoint has always said that they are a software company and they rely on partners for hardware, therefore they might not have any “hardware culture”. They are going to need to find it quickly. Their own appliance team for their UTM software are going to be wondering what is going to happen.
Oh yeah, Crossbeam is going to be in trouble and users with Crossbeam hardware are going to be asking serious questions. I would expect Crossbem to release their own firewall products quickly. Since Crossbeam is at the biggest sites, some very big Checkpoint customers could be unhappy.
Customer Viewpoint and Experience
Finally, the Checkpoint / IPSO platform will come from a single vendor. No longer will I have to sit in meetings discussing why Nokia and Checkpoint claim its not their fault (yes, we have all had that experience).
The scary part is whether anything will ever get done. Usually, it was Nokia that was able to get Checkpoint to fix things.
Will we see integration between Checkpoint and IPSO as last ?
Let me quote Joe from the comments at The Register
Wow, what have we to look forward to? Yup more bad service and support from CP! Oops i mean overpriced bad support. The reason why we stuck with CP the last decade is because Nokia gave better support for CP than CP does. Now we will have to learn Hebrew so we can translate their pathetic documentation. That’s why we paid Nokia so we didn’t have to. Tis sad sad days ahead. Now i suppose they are going to kill off IPSO and run everything on SPLAT. That really sucks! Anyone who has used both can testify that IPSO is so much more mature and manageable platform. I guess when our FWs come up for replacement we will just exit completely from CP and continue down the road with Juniper.
Why WOULD you buy Checkpoint firewalls ?
This move makes it look easier to buy Checkpoint firewalls. However, why would you ? I have had so much pain with Checkpoint / Nokia support and products that I don’t regard them as a serious vendor.
Let me give you a brief list of my complaints and problems with Nokia / Checkpoint firewalls:
- The price of Nokia and Checkpoint maintenance contracts is astronomical.
- New features and capabilities take a l-o-n-g time to appear in the product, usually after every other vendor has delivered.
- Upgrading and managing Provider-1 is much harder and more painful than Cisco Security Manager or Netscreen Security Manager. Yes, I have installed and operated them all.
- Using Cisco Security Manager and Netscreen Security Manager is much easier and intuitive than using Provider-1
- The process for upgrading IPSO / Firewall-1 software is painful compared to Cisco ASA / Juniper NetScreen.
- IPSO / Firewall-1 performance is low and poor value for money. Delivering multi-gigabit performance is pointless exercise since its costs so much in licenses and hardware.
- legendary support – so legendarily bad that many people don’t even bother contacting Checkpoint with problems.
- poor integration – loading a static arp in IPSO for every NAT rule in Firewall-1 makes my teeth ache.
- Documentation is atrocious, and hidden behind a paywall.
and I could go on. And on.
Checkpoint firewalls were one of the first products in the security marketplace. And they look and act like it. Features and performance are limited, and the software, when compared to other vendors, is not competitive. So why do they still exist ? Because it’s too hard to change.
In fact, migrating from one firewall brand to another is an easier task these days. All firewalls are similar in function, have similar interfaces, and deliver the same outcome – many people don’t believe this, especially people who have a narrow view after ten or fifteen years of Checkpoint hell. I wonder if these people believe that all other firewalls must be difficult and painful, and therefore it is better to stay with the “one you know” instead of moving into the next generation. Both Cisco and Juniper have software tools that migrate Firewall-1 rules to make it even easier.
To make things worse, the development of entire security ecosystems means that it is even more important to make the change now. Cisco and Juniper have both built the IPS hardware into their firewalls, Checkpoint still uses a separate device – an obsolete and expensive option.
I would suggest that this is a good time to be considering your security platform, and looking to evaluate whether Juniper or Cisco will deliver better, cheaper, faster and with a stronger future. Migrating away from Checkpoint is much easier than you think, have better operational functions and can save a lot of money. Think about that in the next budget session.