Check Point VPN-1
VPN-1 is a stateful firewall which also filters traffic by inspecting the application layer. It was the first commercially available software firewall to use stateful inspection. Later (1997), Check Point registered U.S. Patent # 5,606,668 on their security technology that, among other features, included stateful inspection. VPN-1 functionality is currently bundled within all the Check Point's perimeter security products. The product, previously known as FireWall-1, is now sold as an integrated firewall and VPN solution.
VPN-1 is one of the few firewall products that is still owned by its creators (Check Point Software Technologies). By contrast, most other commercial firewalls such as Cisco PIX and Juniper NetScreen were acquired by their present owners.
The VPN-1 software is installed on a separate operating system, which provides the protocol stack, file system, process scheduling and other features needed by the product. This is different from most other commercial firewall products like Cisco PIX and Juniper firewalls where the firewall software is part of a proprietary operating system.
Although traditionally sold as software only, VPN-1 is also sold in appliance form as Check Point's UTM-1 (starting 2006) and Power-1 appliances. These appliances run the SecurePlatform operating system.
As of version R70, VPN-1 supports the following operating systems:
- Windows Server 2003 and 2008;
- Red Hat Enterprise Linux (RHEL);
- Check Point SecurePlatform (a Check Point Linux distribution based on Red Hat Enterprise Linux, often called SPLAT);
- Nokia IPSO;
- Check Point Gaia (a Check Point Linux distribution, unifying IPSO and SecurePlatform into a single operating system);
- Crossbeam XOS and COS
VPN-1 running on the Nokia platform on IPSO is often called a Nokia Firewall as if it were a different product, but in fact it runs the same VPN-1 software as other platforms.
Upon completing the acquisition of Nokia Security Appliance Business in 2009, Checkpoint started the project named Gaia aimed at merging two different operating systems—SecurePlatform and IPSO—into one. This new OS is positioned to finally replace both existing operating systems at some point in the future. On April 17, 2012 Check Point announced the general availability of the Gaia operating system as part of the R75.40 release.
The VPN-1 version naming can be rather confusing because Check Point have changed the version numbering scheme several times through the product's history. Initially, the product used a traditional decimal version number such as 3.0, 4.0 and 4.1 (although 4.1 was also called Check Point 2000 on the packaging). Then the version changed to NG meaning Next Generation and minor revisions became known as Feature Packs. Then the name changed to NG AI which meant NG with Application Intelligence, and the minor revisions became known as Rxx e.g. NG AI R54. Most recently, the version name has changed to NGX.
The product is licensed in several variants. In the decimal releases, the license determined what encryption strength was available for the VPN (DES or "Strong"). Since NG, the license always includes strong cryptographic capabilities and was instead split into VPN-1 Pro or VPN-1 Express. VPN-1 Express was intended for simplified deployment while VPN-1 Pro provided more configurability. In NGX R62, the branding was changed to VPN-1 Power (instead of Pro) and VPN-1 UTM (instead of Express). VPN-1 UTM includes certain content inspection features such as antivirus and more recently, web filtering.
Version 3.0 was also sold by Sun Microsystems as Solstice FireWall-1. This was essentially the same product, but with slightly different packaging and file system layout.
The table below shows the version history. The Platforms column shows the operating systems that are supported by the firewall product:
|1.0||April 1994||SunOS 4.1.3, Solaris 2.3|||
|2.0||Sep 1995||SunOS, Solaris, HP-UX|||
|3.0b||1997||Windows NT 3.5 and 4.0; Solaris 2.5, 2.5.1 and 2.6; HP-UX 10.x; AIX 4.1.5, 4.2.1|
|4.0||1998||Windows NT 4.0, Solaris 2.5, 2.5.1, 2.6 and 7 (32-bit); HP-UX 10.x; AIX 4.2.1 and 4.3.0|
|4.1||2000||Windows NT 4.0 and 2000; Solaris 2.6, 7 and 8 (32-bit); HP-UX 10.20 and 11; Red Hat Linux 6.2 and 7.0 (2.2 kernel); IPSO 3.4.1 and 3.5; AIX 4.2.1, 4.3.2 and 4.3.3||Also known as Check Point 2000|
|NG||Jun 2001||Windows NT 4.0 and 2000; Solaris 7 (32-bit) and 8 (32 or 64-bit); Red Hat Linux 6.2 and 7.0 (2.2 kernel)||NG stands for Next Generation|
|NG FP1||Nov 2001||Windows NT 4.0 and 2000; Solaris 7 (32-bit) and 8 (32 or 64-bit); Red Hat Linux 6.2, 7.0 (2.2 kernel) and 7.2 (2.4 kernel), IPSO 3.4.2|
|NG FP2||Apr 2002||Windows NT 4.0 and 2000; Solaris 7 (32-bit) and 8 (32 or 64-bit); Red Hat Linux 6.2, 7.0 (2.2 kernel) and 7.2 (2.4 kernel), IPSO 3.5 and 3.6, SecurePlatform NG FP2|
|NG FP3||Aug 2002||Windows NT 4.0 and 2000; Solaris 8 (32 or 64-bit) and 9 (64-bit); Red Hat Linux 7.0 (2.2 kernel), 7.2 and 7.3 (2.4 kernel), IPSO 3.5, 3.5.1 and 3.6, SecurePlatform NG FP3|
|NG AI R54||Jun 2003||Windows NT 4.0 and 2000; Solaris 8 (32 or 64-bit) and 9 (64-bit); Red Hat Linux 7.0 (2.2 kernel), 7.2 and 7.3 (2.4 kernel), IPSO 3.7, SecurePlatform NG AI, AIX 5.2||The full name is NG with Application Intelligence|
|NG AI R55||Nov 2003||Windows NT 4.0, 2000 and 2003; Solaris 8 (32 or 64-bit) and 9 (64-bit); Red Hat Linux 7.0 (2.2 kernel), 7.2 and 7.3 (2.4 kernel), IPSO 3.7 and 3.7.1, SecurePlatform NG AI||Version branches: NG AI R55P (for IPSO 3.8), NG AI R55W (contains web intelligence)|
|NG AI R57||April 2005||SecurePlatform NG AI R57||For product Check Point Express CI (Content Inspection), later VPN-1 UTM (Unified Threat Management)|
|NGX R60||Aug 2005||Windows 2000 and 2003; Solaris 8 and 9 (64-bit); RHEL 3.0 (2.4 kernel), IPSO 3.9 and 4.0, SecurePlatform NGX||Version branches: NGX R60A|
|NGX R61||Mar 2006||Windows 2000 and 2003; Solaris 8, 9 and 10; RHEL 3.0 (2.4 kernel), IPSO 3.9, 4.0 and 4.0.1, SecurePlatform NGX|
|NGX R62||Nov 2006||Windows 2000 and 2003; Solaris 8, 9 and 10; RHEL 3.0 (2.4 kernel), IPSO 3.9 and 4.1, SecurePlatform NGX|
|NGX R65||Mar 2007||Windows 2000 and 2003; Solaris 8, 9 and 10 (Ultra-SPARC architecture); RHEL 3.0 (2.4 kernel), IPSO 4.1 and 4.2, SecurePlatform, SecurePlatform 2.6||Version branches: NGX R65 with Messaging Security (Dec 2007), R65.4 (Feb 2009)|
|R70||Feb 2009||Windows 2003 and 2008; IPSO 6.0.7 and 6.2; SecurePlatform; XOS|| Minor versions: R70.1, R70.20 (2009), R70.30 (March 2010), R70.40 (Dec 2010), R70.50 (Oct 2011)|
|R71||April 2010||Windows 2003 and 2008; IPSO 6.2; SecurePlatform; XOS|| Minor versions: R71.10, R71.20, R71.30, R71.40|
|R75||January 2011||Windows 2003 and 2008; IPSO 6.2; SecurePlatform; Crossbeam XOS 9.5 or later; Gaia (since R75.40)|| Installation files were publicly available in December 2010.
Minor versions: R75.10 (May 2011), R75.20 (Sep 2011), R75.30 (Jan 2012), R75.40 (April 2012), R75.46 (Feb 2013), R75.47 (Jul 2013)
|R76||May 2013||Windows 2003 and 2008; IPSO 6.2 MR4; SecurePlatform; Gaia; ||As of R76 Check Point prefers GAIA as Operating System. R76 also introduces full support for IPv6.|
While started as pure firewall and vpn only product, later more features were added. And while they are licensed separately, they have since began to be bundled in default installations of the VPN-1 as well.
SmartDefense (IPS) This feature adds to the built-in stateful inspection and inherent TCP/IP protocols checks and normalization inspection of most common application protocols. Starting NGX R70 this feature has been rebranded as IPS.
Quality of service (Floodgate-1) Checkpoint implementation of the Quality of service (QOS). It supports bandwidth guaranteeing or limiting per QOS rule or per connection. Also the priority queuing can be done (LLQ). Nevertheless, RFC based QOS implementation, be it Differentiated services or Ip precedence, are not supported
Content Inspection Starting with NGX R65 this new feature has been introduced providing 2 services:
- Antivirus scanning - scanning of the passing traffic for viruses
- Web filtering - limiting access of internal to the firewall hosts to the Web resources using explicit URL specification or category rating.
- "Check point software technologies Ltd. awarded patent for stateful inspection technology" (Press release). Check Point Software Technologies Ltd. 1997-03-17. Retrieved 2009-04-01.
- Gaia project
- "Check Point Introduces Revolutionary Internet Firewall Product Providing Full Internet Connectivity with Security; Wins 'BEST OF SHOW' Award at Networld+Interop '94" (Press release). Check Point Software Technologies Ltd. 1994-05-06. Retrieved 2007-03-14.
- Management’s Discussion and Analysis of Financial Condition and Results of Operations (PDF). Check Point Software Technologies Ltd. 1998-07-24. Retrieved 2007-03-14.
- Tolly, Kevin; Curtis, John; Passarge, Elke (June 17, 1996), "Firewall-1 2.0", LANTimes
- "Check Point Adds Antivirus Protection to Integrated Security Solution for Mid-sized Businesses" (Press release). Check Point Software Technologies Ltd. 2005-04-11. Retrieved 2007-03-14.
- "Check Point Introduces Groundbreaking New UTM-1 Total Security Solutions, Now Including Best-In-Class Messaging Security" (Press release). Check Point Software Technologies Ltd. 2007-12-03. Retrieved 2008-01-25.
- XOS was supported in older releases already but was not mentioned in release notes. Solaris and Red Hat Enterprise Linux is supported for the management server only.
- "Check Point Introduces Latest Security Gateway and Management Release Based On New Software Blade Architecture" (Press release). Check Point Software Technologies Ltd. 2009-02-24. Retrieved 2009-03-28.
- Solaris and Red Hat Enterprise Linux is supported for the management server only.
- "Check Point Raises the Bar on Performance of Antivirus and URL Filtering Software Blades" (Press release). Check Point Software Technologies Ltd. 2010-04-13. Retrieved 2010-06-04.
- Solaris, Red Hat Enterprise Linux and Windows XP/7 is supported for the management server only.
- Windows 2008 R2, Solaris, Red Hat Enterprise Linux and Windows XP/7 is supported for the management server only.
- www.checkpoint.com — Check Point Software Technologies web site
- www.fw-1.de — information about VPN-1
- Check Point Official Forums
- CPUG: The Check Point User Group
- Check Point IPsec IKE Implementation details