Opinion: Checkpoint Buys Nokia Security Appliances – Time to Change

Clever Move, Cheap Buy and Stops Losing Sales

This is an overall good move for Checkpoint. In the middle of a bad recession, Nokia, which, let's face it, is the only hardware partner they have, is trying to sell the appliance division after ten years of trying to make it into something bigger. Nokia seems desperate to sell, and it seems reasonable to assume that Checkpoint got the business for a cheap price.

But does anyone also want to bet that sales were under threat? How many companies stopped purchasing while they waited to hear about the future of the IPSO platform? How many started to reconsider their firewall platform depending on who bought the IPSO hardware? Yeah, I am pretty sure that management at Checkpoint were very nervous about what might happen and were forced to step in.

The network security market has now converged on appliances at almost every level, and this has left Checkpoint with a twenty-year-old strategy and no options. If they integrate the hardware and software, they now look like a viable security vendor: customers will be able to buy their firewalls from a single vendor.

Internally, there are going to be problems too. Checkpoint has always said that they are a software company and that they rely on partners for hardware, so they may not have any “hardware culture”. They are going to need to find one quickly. Their own appliance team for their UTM software is going to be wondering what will happen to them.

Oh yeah, Crossbeam is going to be in trouble, and users with Crossbeam hardware are going to be asking serious questions. I would expect Crossbeam to release their own firewall products quickly. Since Crossbeam is at the biggest sites, some very big Checkpoint customers could be unhappy.

Customer Viewpoint and Experience

Finally, the Checkpoint / IPSO platform will come from a single vendor. No longer will I have to sit in meetings discussing why Nokia and Checkpoint each claim it's not their fault (yes, we have all had that experience).

The scary part is whether anything will ever get done. Usually, it was Nokia that was able to get Checkpoint to fix things.

Will we see integration between Checkpoint and IPSO at last?

Let me quote Joe from the comments at The Register:

Wow, what have we to look forward to? Yup, more bad service and support from CP! Oops, I mean overpriced bad support. The reason why we stuck with CP the last decade is because Nokia gave better support for CP than CP does. Now we will have to learn Hebrew so we can translate their pathetic documentation. That’s why we paid Nokia, so we didn’t have to. 'Tis sad, sad days ahead. Now I suppose they are going to kill off IPSO and run everything on SPLAT. That really sucks! Anyone who has used both can testify that IPSO is a much more mature and manageable platform. I guess when our FWs come up for replacement we will just exit completely from CP and continue down the road with Juniper.

Why WOULD you buy Checkpoint firewalls?

This move makes it look easier to buy Checkpoint firewalls. However, why would you? I have had so much pain with Checkpoint / Nokia support and products that I don’t regard them as a serious vendor.

Let me give you a brief list of my complaints and problems with Nokia / Checkpoint firewalls:

  • The price of Nokia and Checkpoint maintenance contracts is astronomical.
  • New features and capabilities take a l-o-n-g time to appear in the product, usually after every other vendor has delivered.
  • Upgrading and managing Provider-1 is much harder and more painful than Cisco Security Manager or Netscreen Security Manager. Yes, I have installed and operated them all.
  • Using Cisco Security Manager and Netscreen Security Manager is much easier and more intuitive than using Provider-1.
  • The process for upgrading IPSO / Firewall-1 software is painful compared to Cisco ASA / Juniper NetScreen.
  • IPSO / Firewall-1 performance is low and poor value for money. Delivering multi-gigabit performance is a pointless exercise since it costs so much in licenses and hardware.
  • Legendary support – so legendarily bad that many people don’t even bother contacting Checkpoint with problems.
  • Poor integration – loading a static ARP entry in IPSO for every NAT rule in Firewall-1 makes my teeth ache.
  • Documentation is atrocious, and hidden behind a paywall.

and I could go on. And on.

Viewpoint

Checkpoint firewalls were one of the first products in the security marketplace. And they look and act like it. Features and performance are limited, and the software, when compared to other vendors, is not competitive. So why do they still exist? Because it’s too hard to change.

In fact, migrating from one firewall brand to another is an easier task these days. All firewalls are similar in function, have similar interfaces, and deliver the same outcome – many people don’t believe this, especially people who have a narrow view after ten or fifteen years of Checkpoint hell. I wonder if these people believe that all other firewalls must be equally difficult and painful, and that it is therefore better to stay with the “one you know” instead of moving on to the next generation. Both Cisco and Juniper have software tools that migrate Firewall-1 rules, which makes it even easier.

To make things worse, the development of entire security ecosystems means that it is even more important to make the change now. Cisco and Juniper have both built the IPS hardware into their firewalls; Checkpoint still uses a separate device – an obsolete and expensive option.

I would suggest that this is a good time to be reconsidering your security platform, and to evaluate whether Juniper or Cisco will deliver better, cheaper, faster and with a stronger future. Migrating away from Checkpoint is much easier than you think, delivers better operational functions and can save a lot of money. Think about that in the next budget session.

About Greg Ferro

Greg Ferro is a Network Engineer/Architect, mostly focussed on Data Centre, Security Infrastructure, and recently Virtualization. He has over 20 years in IT with a wide range of employers, working as a freelance consultant, including finance, service providers and online companies. He is CCIE#6920 and has a few ideas about the world, but not enough to really count.

He is a host on the Packet Pushers Podcast, a blogger at EtherealMind.com, and is on Twitter as @etherealmind and on Google Plus.

You can contact Greg via the site contact page.

Comments

  1. Spot on there, brother. HATE Checkpoint support with a passion.

    • For me it's just anything that comes from Nokia/Siemens that’s just a pain. I have to say though the IPSO platform up till a while back was not so badly off. I have used their GGSN and 3G SGSN running on the said platform… what I wonder is who will lead the development/enhancements for IPSO for other products?

      • Yes, the SGSN and GGSN platforms are worrying because Nokia are very big in this space. If Nokia is moving to focus on handsets, where does this leave the telcos?

        • Not to worry. The OS that the Nokia Siemens Networks (NSN) GGSN and SGSN run on branched off of IPSO many years ago. NSN has ample software development knowledge and resources to continue supporting their OS for years to come.

  2. Greg,
    I always enjoy reading your opinions. They are well thought out and justified. This is no exception. However, there are lots of folks who prefer CP over Cisco or Juniper and actually have experience to back it. I too have worked all three products in small and large environments. They each have their good and bad side. In the end, a layer 3 firewall is exactly that: layer 3 (or 4, or both, whatever you want to call it). If that is your entire defense, you are seriously lacking. You need layer 7 FWs, IDS/IPS, logging correlation, etc. I’m a command line fan and had a tough time adjusting to CP's mostly GUI-only options. I was much happier with PIX or NetScreen. This is trivial, at least in my opinion, as I spend very little time actually configuring. Once a configuration is in place, it’s usually stagnant. What we spend more time doing than anything is troubleshooting. To clarify: I mean that the world seems more and more complicated, and the people who understand networking and security and “black boxes” seem to be a smaller and smaller subset of the IT population. So we spend a lot of time explaining to people (a) what we see and (b) what is actually happening. For this, I actually prefer IPSO and CP. TCPDUMP with headers only tells me what is broken and where 90% of the time on the network.

    1. It’s not getting to me.
    2. You’re sending a RST.
    3. I’m NATting like you asked but you are blocking me.

    Captures on PIX and snoops on Juniper are ok but not as efficient to me. Being able to apply custom scripts is very convenient as well.

    That said, the cost of maintenance and licensing on CP is ridiculous. Especially compared to other platforms. We are a mixed vendor shop due to mergers and whatnot and won’t think twice about pulling a pair of 515s out of the lab and throwing them in production if we have a small implementation or need a quick solution.

    PS: We get our maintenance through another source as opposed to going through CP, for the same reasons most people do. It is painful.

    Your comment about IPS is interesting. We actually separate these functions by design. It may mean more gear but it simplifies troubleshooting and management/control issues as well. IDS/IPS is a separate group from the FW guys. Checks and balances so to speak.

    In the end I think they all balance out. We are having our CP and reseller come talk to us in the next few weeks to get a gauge for how much panic we really need to apply to this announcement. We’ll see how things go.

    • I have to disagree. Because the troubleshooting on the Checkpoint / Nokia is not integrated, you don’t get a coherent view of problems on the firewall. That is, the fact that logging is done in multiple places, with different interfaces and language, makes it very difficult to use, learn and maintain. Sure, if all you do is trace packets then it works well enough, but if you are attempting to work out why an intermittent fault occurs then CP/NK is the most frustrating product to work on.

      When this is coupled with the very high price of purchase and support, Checkpoint is an unsuitable choice for almost every situation. Even if you have a CP/NK in place, you can usually get ROI in less than one year by replacing with Cisco/Juniper.

  3. Brandon Stevens says: