Check Point adds application protection
IDG News Service
A new generation of firewall technology from Check Point Software Technologies Ltd. will protect against attacks directed at applications in addition to safeguarding networks, the company announced today.
Check Point Next Generation with Application Intelligence adds new capabilities to Check Point's FireWall-1 product, enabling it to actively protect applications behind the firewall such as Web servers, e-mail servers and Domain Name System servers. The new application intelligence features will be available June 3 and are included with the SmartDefense product, which comes with FireWall-1.
The new features enable FireWall-1 to thwart attacks concealed in common application protocols such as HTTP, FTP and SMTP, Check Point said.
Incoming traffic can be validated for compliance with protocol standards and typical usage, and traffic can be blocked from forbidden network programs such as instant messaging or peer-to-peer file-sharing systems. In addition, the new application intelligence features can stop targeted application attacks containing malicious commands or data, such as those used by worms or in cross-site scripting attacks.
The SmartDefense user interface has been modified to include features for managing applications across a network, in addition to perimeter defenses. Application defenses can be grouped by categories such as "Web," "FTP" and "Mail." Within a category, security administrators can drill down, adding or modifying filters to weed out particular types of traffic or protections for specific servers.
The new features will put competitive pressure on other companies selling firewall products, said Mark Kraynak, a marketing manager at Check Point. He compared the addition of application intelligence features to the company's introduction of stateful inspection technology in FireWall-1 in the early 1990s. Stateful inspection technology is a firewall architecture that tracks packet contents passing through a firewall, in addition to tracking packet header information. It became standard in other firewall products.
The new version of FireWall-1 got high marks from Mike Chenetz, a network security analyst at computer consulting company Dynamic Strategies Inc. in Cranberry, N.J.
Chenetz is evaluating the product for one of his firm's clients. He used the new FireWall-1 for about two months in a test environment made up of a number of PCs connected to a router. "I was impressed with the ability [of the device] to not just do port filtering, but to have intelligence about what was going out over the ports," he said.
Check Point Next Generation with Application Intelligence performed well in spotting and stopping instant-message traffic from the test environment, said Chenetz, who added that he was impressed with the ability to set network "quotas" that can
Reprinted with permission from
Story copyright 2009 International Data Group. All rights reserved.
