FireWall-1
VPN-1 is a firewall and VPN product developed by Check Point Software Technologies Ltd.
VPN-1 is a stateful firewall which also filters traffic by inspecting the application layer. It was the first commercially available software firewall to use stateful inspection. Later (1997), Check Point registered U.S. Patent # 5,606,668 on their security technology that, among other features, included stateful inspection. VPN-1 functionality is currently bundled within all of Check Point's perimeter security products. The product, previously known as FireWall-1, is now sold as an integrated firewall and VPN solution.

VPN-1 is one of the few firewall products that is still owned by its creators (Check Point Software Technologies). By contrast, most other commercial firewalls such as Cisco PIX and Juniper NetScreen were acquired by their present owners.

Platforms

The VPN-1 software is installed on a separate operating system, which provides the protocol stack, file system, process scheduling and other features needed by the product. This is different from most other commercial firewall products like Cisco PIX and Juniper firewalls where the firewall software is part of a proprietary operating system.

Although traditionally sold as software only, VPN-1 is also sold in appliance form as Check Point's UTM-1 (starting 2006) and Power-1 appliances. These appliances run the SecurePlatform operating system.

As of version R70, VPN-1 supports the following operating systems:
  • Windows Server 2003 and 2008;
  • Red Hat Enterprise Linux (RHEL);
  • Check Point SecurePlatform (a Check Point Linux distribution based on Red Hat Enterprise Linux, often called SPLAT);
  • Nokia IPSO;
  • Crossbeam XOS and COS.

Previous versions of Check Point firewall supported other operating systems including Solaris, HP-UX and IBM AIX. See the table in the Version History section below for details.

VPN-1 running on the Nokia platform on IPSO is often called a Nokia Firewall as if it were a different product, but in fact it runs the same VPN-1 software as other platforms.

Upon completing the acquisition of the Nokia Security Appliance Business in 2009, Check Point started a project named Gaia, aimed at merging two different operating systems, SecurePlatform and IPSO, into one. This new OS is positioned to finally replace both existing operating systems at some point in the future.

Version history

The VPN-1 version naming can be rather confusing because Check Point have changed the version numbering scheme several times through the product's history. Initially, the product used a traditional decimal version number such as 3.0, 4.0 and 4.1 (although 4.1 was also called Check Point 2000 on the packaging). Then the version changed to NG meaning Next Generation and minor revisions became known as Feature Packs. Then the name changed to NG AI which meant NG with Application Intelligence, and the minor revisions became known as Rxx e.g. NG AI R54. Most recently, the version name has changed to NGX.

The product is licensed in several variants. In the decimal releases, the license determined what encryption strength was available for the VPN (DES or "Strong"). Since NG, the license always includes strong cryptographic capabilities and was instead split into VPN-1 Pro or VPN-1 Express. VPN-1 Express was intended for simplified deployment while VPN-1 Pro provided more configurability. In NGX R62, the branding was changed to VPN-1 Power (instead of Pro) and VPN-1 UTM (instead of Express). VPN-1 UTM includes certain content inspection features such as antivirus and more recently, web filtering.

Version 3.0 was also sold by Sun Microsystems as Solstice FireWall-1. This was essentially the same product, but with slightly different packaging and file system layout.

The table below shows the version history. The Platforms column shows the operating systems that are supported by the firewall product:

| Version | Release date | Platforms | Notes |
|---|---|---|---|
| 1.0 | April 1994 | SunOS 4.1.3, Solaris 2.3 | |
| 2.0 | Sep 1995 | SunOS, Solaris, HP-UX | |
| 2.1 | Jun 1996 | | |
| 3.0 | Oct 1996 | | |
| 3.0a | | | |
| 3.0b | 1997 | Windows NT 3.5 and 4.0; Solaris 2.5, 2.5.1 and 2.6; HP-UX 10.x; AIX 4.1.5, 4.2.1 | |
| 4.0 | 1998 | Windows NT 4.0, Solaris 2.5, 2.5.1, 2.6 and 7 (32-bit); HP-UX 10.x; AIX 4.2.1 and 4.3.0 | |
| 4.1 | 2000 | Windows NT 4.0 and 2000; Solaris 2.6, 7 and 8 (32-bit); HP-UX 10.20 and 11; Red Hat Linux 6.2 and 7.0 (2.2 kernel); IPSO 3.4.1 and 3.5; AIX 4.2.1, 4.3.2 and 4.3.3 | Also known as Check Point 2000 |
| NG | Jun 2001 | Windows NT 4.0 and 2000; Solaris 7 (32-bit) and 8 (32 or 64-bit); Red Hat Linux 6.2 and 7.0 (2.2 kernel) | NG stands for Next Generation |
| NG FP1 | Nov 2001 | Windows NT 4.0 and 2000; Solaris 7 (32-bit) and 8 (32 or 64-bit); Red Hat Linux 6.2, 7.0 (2.2 kernel) and 7.2 (2.4 kernel), IPSO 3.4.2 | |
| NG FP2 | Apr 2002 | Windows NT 4.0 and 2000; Solaris 7 (32-bit) and 8 (32 or 64-bit); Red Hat Linux 6.2, 7.0 (2.2 kernel) and 7.2 (2.4 kernel), IPSO 3.5 and 3.6, SecurePlatform NG FP2 | |
| NG FP3 | Aug 2002 | Windows NT 4.0 and 2000; Solaris 8 (32 or 64-bit) and 9 (64-bit); Red Hat Linux 7.0 (2.2 kernel), 7.2 and 7.3 (2.4 kernel), IPSO 3.5, 3.5.1 and 3.6, SecurePlatform NG FP3 | |
| NG AI R54 | Jun 2003 | Windows NT 4.0 and 2000; Solaris 8 (32 or 64-bit) and 9 (64-bit); Red Hat Linux 7.0 (2.2 kernel), 7.2 and 7.3 (2.4 kernel), IPSO 3.7, SecurePlatform NG AI, AIX 5.2 | The full name is NG with Application Intelligence |
| NG AI R55 | Nov 2003 | Windows NT 4.0, 2000 and 2003; Solaris 8 (32 or 64-bit) and 9 (64-bit); Red Hat Linux 7.0 (2.2 kernel), 7.2 and 7.3 (2.4 kernel), IPSO 3.7 and 3.7.1, SecurePlatform NG AI | Version branches: NG AI R55P (for IPSO 3.8), NG AI R55W (contains Web Intelligence) |
| NG AI R57 | April 2005 | SecurePlatform NG AI R57 | For product Check Point Express CI (Content Inspection), later VPN-1 UTM (Unified Threat Management) |
| NGX R60 | Aug 2005 | Windows 2000 and 2003; Solaris 8 and 9 (64-bit); RHEL 3.0 (2.4 kernel), IPSO 3.9 and 4.0, SecurePlatform NGX | Version branches: NGX R60A |
| NGX R61 | Mar 2006 | Windows 2000 and 2003; Solaris 8, 9 and 10; RHEL 3.0 (2.4 kernel), IPSO 3.9, 4.0 and 4.0.1, SecurePlatform NGX | |
| NGX R62 | Nov 2006 | Windows 2000 and 2003; Solaris 8, 9 and 10; RHEL 3.0 (2.4 kernel), IPSO 3.9 and 4.1, SecurePlatform NGX | |
| NGX R65 | Mar 2007 | Windows 2000 and 2003; Solaris 8, 9 and 10 (Ultra-SPARC architecture); RHEL 3.0 (2.4 kernel), IPSO 4.1 and 4.2, SecurePlatform, SecurePlatform 2.6 | Version branches: NGX R65 with Messaging Security (Dec 2007), R65.4 (Feb 2009) |
| R70 | Feb 2009 | Windows 2003 and 2008; IPSO 6.0.7 and 6.2; SecurePlatform; XOS | Minor versions: R70.1, R70.20 (2009), R70.30 (March 2010), R70.40, R70.50 (Oct 2011) |
| R71 | April 2010 | Windows 2003 and 2008; IPSO 6.2; SecurePlatform; XOS | Minor versions: R71.10, R71.20, R71.30, R71.40 |
| R75 | January 2011 | Windows 2003 and 2008; IPSO 6.2; SecurePlatform; Crossbeam XOS 9.5 or later | Installation files were publicly available in December 2010. Minor versions: R75.10 (May 2011), R75.20 (Sep 2011) |

Features

Although VPN-1 started as a pure firewall and VPN product, more features were added later. While they are licensed separately, they have since begun to be bundled in default installations of VPN-1 as well.

SmartDefense (IPS): This feature adds inspection of the most common application protocols to the built-in stateful inspection and the inherent TCP/IP protocol checks and normalization. Starting with NGX R70, this feature has been rebranded as IPS.

Quality of service (Floodgate-1): Check Point's implementation of quality of service (QoS). It supports guaranteeing or limiting bandwidth per QoS rule or per connection. Priority queuing (LLQ) can also be done. However, RFC-based QoS implementations, be it Differentiated Services or IP precedence, are not supported.

Content Inspection: Starting with NGX R65, this new feature has been introduced, providing 2 services:
  • Antivirus scanning - scanning of the passing traffic for viruses
  • Web filtering - limiting access of hosts internal to the firewall to Web resources, using explicit URL specification or category rating.

The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.