I found your letter extremely misleading and irresponsible. Your analysis is flawed and incomplete in many areas. You start out by making some very odd and false assumptions that we readers are supposed to blindly accept:
“Opportunities in Network Security surpass those of the existing size of the market?”
- What opportunities are those? Are these real numbers or “analyst” numbers?
“Check Point customers are less protected from outside threats than when they first became their customers?”
- Huh? If I became a customer last week, I am now less secure today? Why? So you are telling us that customers running the current NGX version are less secure than those running, say, 4.1 (from 1999). You do know that NGX provides Deep Inspection, which you said would be the new direction for firewalls back in 2004. You do know that SmartDefense and Web Intelligence address the SANS top 20, OWASP Top 10 and more. These technologies are why NGX is EAL4 certified for IDS/IPS, which, properly configured, would certainly make NGX more secure than a firewall without inspection. How could customers possibly be less secure from “outside threats?” This is an absurd and irresponsible statement.
“Check Point is not paying attention to start-up activity in Silicon Valley”
- What exactly does this mean and why does this matter? Is there something they should be taking a look at? Why only Silicon Valley?
Then you continue with more disinformation and incomplete arguments:
“First and foremost, the operations and corporate administration of CheckPoint Software must move to the United States.”
You give no real reason for this statement, nor demonstrate how it is an advantage. I will offer that it is a huge advantage to keep the bulk of operations where it is. The fact that a country like Israel is surrounded by hundreds of millions of people screaming for their eradication has forced Israel and its citizens to take a hard look at security. This mindset flows directly into a good portion of what Israel produces, and I strongly believe that this contributes quite successfully to Check Point’s approach with security. The Israelis know defense.
- Keeping the headquarters in Israel allows Check Point to more easily draw from one of the most highly educated groups of people in the world.
“Check Point firewalls must be hardware appliances.”
Why? Define “appliance.” Is your idea of an “Appliance” a Nokia or Crossbeam that uses an Intel processor? Is it like the feeble Cisco ASA, which is simply two low-end Intel motherboards jammed in a case? Maybe you are referring to Juniper and the mighty ASIC? Making a move like this would make Check Point’s offerings ungodly expensive and inflexible. Besides, Juniper can barely push 500Mb of throughput despite using their ASIC (in a $100k+ firewall). Even Juniper is walking away from the ASIC, and their new SSG introduced this year is further proof that code that is not flexible and optimized will never reach desirable results.
- Finally, if you really need a box with a “Check Point” bezel on it (and an Intel platform is acceptable), contact a reseller and ask about “FireFly.” Check Point does not need its own appliance, and the customers using SecurePlatform understand why.
“Across all of these segments your products need a major overhaul. They must be capable of processing entire packets and even sessions at speeds that exceed what your current products do with just packet headers.”
- Why did you neglect to qualify “sessions at speeds?” Apparently you are not aware of the recent announcement of Check Point’s partnership with Intel that produced a 10Gig firewall. I would think 10Gig would be fast enough, but if not, then add a few more to the cluster and you can scale even beyond that. Note that this is achieved on a platform that would cost $5k to $7k.
“Check Point must be in a position to deliver virtualized firewall, VPN, and other security services in carrier equipment.”
- Wow. Have you not heard about VSX? This is Check Point’s virtualized firewall product, and it has been around for 5+ years. Oh, and by the way, it is used by the largest carriers in the world. Provider-1 is a virtualized management product which has been around for 5+ years, and is again used by the largest carriers in the world. Why would you not consider these products “virtualized” solutions?
Your letter is quite unfair and grossly misleading to its readers. The information you have tried to piece together is outdated and incomplete. While Check Point may have some flaws, you have done an extremely poor job in your analysis and have failed to present a sound argument as to what those flaws may be.
One last thought. If you would have us believe that you are truly concerned about the state of Information Security, why would Check Point be your target for something like this? Surely there are bigger fish with bigger problems. Let me give an example of what I would consider to be a more appropriate opening for your “Open Letter”:
Given the 34 known security vulnerabilities in your product line so far this year, why should we put any faith in the SAFE architecture? Seriously, who is defending the “self-defending network?”
Richard, how can we (let alone Gil) take your letter seriously?