Product Review: UTM – Check Point UTM-1 2050

Supplier: Check Point Software Technologies

Price: From £7,803 (excluding VAT); £9,766 with SmartDefencesubscription included


Check Point moves into the fiercely contested UTM appliance arena with anew family of three products. The top-of-the-range UTM-1 2050 targetsmid-range businesses and enterprise remote offices. As with Astaro's ASGappliances, Check Point operates an unlimited user-licensing scheme,which makes the 2050 particularly good value although the vendorrecommends a maximum of 1,000 users.

The appliance combines Check Point's highly respected Firewall-1 withseven other security services: web-content filtering, a web applicationfirewall, anti-virus, anti-spyware and options for IPsec and SSL VPNs.The firewall also has the ability to identify and control applicationssuch as IM, peer-to-peer and VoIP. Anti-spam is not included, but wewere advised that Check Point may add this feature at a later date.

The 2050 delivers a decent hardware specification built around a Pentium4 651 3.4GHz processor and 2GB of memory and has enough horsepower tohandle a firewall throughput of up to 2Gbps. You get four gigabitethernet and four fast ethernet ports, with the first group handlingstandard internal, external and DMZ connection duties. Installationstarts by connecting a PC to the appliance's internal port and pointinga browser at its default IP address. A quick-start wizard gets you setup, and then you download Check Point's SmartConsole package from theappliance.

All the action takes place at the SmartConsole dashboard, where youdeploy security policies to selected appliances. Rules must be createdto open up access to selected services. These contain source anddestination objects, services and time schedules, and logging can becustomised individually for each one. Actions cover the usual permit,deny and drop options, but you can also implement user and sessionauthentication.

Check Point's extensive use of network objects helps with rule creationas you can select objects, services, users and groups from the side barand drop them directly into the relevant location in the rule. However,we had to set up our internal and external interface objects first,declare which one was connected to the internet and manually activatenetwork address translation on it. Usefully, modifications are notapplied until the policy containing them has been pushed to selectedappliances.

Check Point's SSL VPN features are vastly superior to those offered byother vendors. You need to activate the visitor mode at the applianceobject and set up special rules and users, but these determine preciselywhich services on the LAN may be accessed remotely. Mobile clients justpoint a browser at the appliance's external port and enter theircredentials at the login portal. Once authenticated, an Active X networkextender is downloaded to their system, a secure tunnel created and avirtual IP address assigned from a predefined pool. You can protectagainst mobile workers attempting to come in via an unsecured publicaccess system by activating the Integrity security scanner.

The optional SmartDefense feature provides update services foranti-virus scanning and activates the web-content filter. Bothcomponents are configured from the same content inspection tab inSmartConsole and anti-virus measures come courtesy of ComputerAssociates' eTrust. You can apply scanning to HTTP, FTP, POP3 and SMTPtraffic in either direction and can also scan traffic passing betweeninternal networks.

Web content filtering is handled by SurfControl, which was beingacquired by Websense when we wrote this review. It offers a choice of 40URL categories that can be blocked or allowed and you can add customblack and white URL lists and network exceptions. You can also decidewhich UTM-1 gateways will be used to enforce content filtering. Wetested across a wide variety of websites and access to all sites thatcame under the categories listed in the URL blocking policy wasrestricted. Sites known to harbour spyware were also dealt withefficiently.

SmartDefense offers proactive protection against worms and probes, alongwith web and application vulnerabilities. You get the usual protectionagainst standard denial-of-service attacks, port scans andanti-spoofing, which are regularly updated.

Check Point scores highly for its sophisticated management features,being one of few vendors that provides the tools to manage multipleappliances as standard. The SmartDashboard can keep track of all yourgateways once they are defined as network objects, and you can choose onwhich ones you want to install selected policies. The SmartView Monitorprovides real-time statistics on appliance utilisation, and trafficgraphs for areas such as the top-ten services, quality-of-service rulesand even VoIP users.

The UTM-1 2050 may not be the easiest appliance to deploy, but it doesdeliver a quality range of security services. Anti-spam functions wouldround it off nicely, but the centralised management features it provideswill be very hard to beat.

Features: ****
Ease of use: ***
Performance: ****
Documentation: ***
Support: ****
Value for money: ****
Overall Rating: ****

For: Centralised management of multiple gateways, good range of securityfeatures, quality reporting tools, unlimited user licence, sophisticatedSSL VPNs

Against: No anti-spam service yet, initial configuration could be madeeasier

Verdict: A quality range of security capabilities in a well-specifiedappliance, complete with classy management and reporting tools includedin the price.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.