
Security architect – Marius Nacht

Check Point Software was a firewall pioneer in the early 1990s. Co-founder and senior vice president, Marius Nacht recently spoke to Brian McKenna about the company’s origins, philosophy, and roadmap.

Why did you and Gil Shwed set up Check Point?

I did not want to become an employee. I’d been in the air force for nine years, and did not want to be following orders. I just don't have the mentality of obeying.

We had been keeping an eye on the internet since about 1990, and especially when DARPA opened it up to the public in 92-93. We then had a concept of network protection, though not the word 'firewall' as such.

How did you get the company going?

We got $300,000 as a loan from BRM Capital — who were, essentially, some friends of ours who'd sold some AV technology, and started funding from that.

We've taken pride in having boot-strapped the company with that $300k. We’re proud of having done quality work with limited resources. Sometimes a wealth of resources defocuses you, and I love the elegance of what we do.

So, we strive for quality, especially in execution.

Who was your first customer?

Our first customer was a big law firm, but a more interesting story can be told about our seventh customer — a bank on Wall Street. We went to them with our firewall 1.0 product, which fitted onto a floppy disk. In those days — this was early 1994 — you had either packet filtering routers or proxy gateways. We were neither. We had invented stateful inspection, and we were not in the textbooks.

So, we had a technology that was not in the textbooks, we had funny accents, and they said to us: "Why should we bet our security on an unknown start-up from Israel?"

And so, we gave the product (again, on a floppy) to their R&D department to test.

They liked it. They liked its simplicity. It was rock solid security-wise, the user interface was very intuitive, and it allowed them to do things that other products could not — things like Sun RPC, DNS, and UDP.

So, they wanted the product, but would only buy direct, whereas our model was a channel model. However, at that time, we didn't have a reseller in Manhattan, so we had to find one very quickly!

You are launching what you are calling your NGX unified security architecture? What makes this stand out in the market, in your view?

No one else has a unified platform across the four domains of perimeter, web, internal, and endpoint, or even has a desire to create such a platform.

There is a view in the industry that Netscreen came from nowhere, like a meteor, and have stolen a march on Check Point. What’s your take on that?

Netscreen/Juniper Networks have done well with those companies that preferred a 'box approach'. They've been competing more with Cisco than us.

Their technology is fine for those who have a box mentality, but for the more sophisticated people — who realize that security needs to be agile, flexible, and innovative, and that it cannot be locked down to an ASIC chip, it's not.

And when you look at market share you need to look at the market, not only the vendors — so you have to factor in Check Point partners, in terms of hardware and distribution (unlike our competitors, we do not sell direct).

More fundamentally, the 'brains' of IT security is in the software. It's not like you can have a box with nothing running inside it!

The infosec world is now glutted with ‘intrusion prevention’ players. Why is Check Point different?

There are two major differences. First, intrusion prevention is done within the firewall, which is more cost efficient. And second, our technology is not signature-based. We have signature capabilities, but the focus and main thrust is for generic and pre-emptive protection and not reactive/specific ones like signatures.

We’ve got a patent pending on what we call Malicious Code Protection, which protects against any buffer overflow attack. It's very powerful — it is independent of the application affected, and independent of the OS affected.

But the major trend we see now is a demand for advanced security, but with simplicity in the management of that.

You make much of the claim that you offer the capacity to manage enterprise security in an end-to-end way. But why can Check Point do this unified management piece?

There are three reasons. Firstly, management is a software game and that is what we do. Secondly, we had central security management from v1.0 of the product 12 years ago. And thirdly, we have not done what Cisco and Juniper have done — constantly acquiring companies whose technology and businesses then have to be integrated, and so on.

And yet you did acquire Zone Labs. Why have you not been more acquisitive? For example, you could have bought an SSL VPN supplier rather than take time out to develop your own product, which was about a year behind when released last May. And you have the example of Symantec, which has made the interesting move of acquiring a storage vendor, Veritas, broadening its enterprise range.

Well, the jury is still out on the wisdom of the Symantec acquisition of Veritas. As for Check Point, we are not afraid to do acquisitions, but we are a security company, and I can't see us obtaining a backup, like a storage company.

When we developed our SSL VPN product, Connectra, we decided to take a hit and develop it ourselves, rather than buying a company. Had we gone down the acquisition route, we would have had to give it a lot of management attention, and so on. And this technology is not rocket science. SSL VPN is really not that sophisticated.

The sophisticated stuff that we do (in addition to the SSL VPN) is the protection of the entire web infrastructure: web server, application server, database server – behind the Connectra; and the browser and OS attempting to SSL to the Connectra gateway.

Check Point is one of a slew of Israeli-born IT security companies. Why has Israel proved to be so strong in IT security? Are the reasons as obvious as they might appear?

Intelligent people are very curious, and in the case of Israel that curiosity has gone into security. I'm not talking here about the military side of security, however; it is more general than that.

We are a non-conforming people, basically, and that has to do with the Holocaust. We won't be told what to do ever again. Now, this mentality can be a pain in the butt, with people not doing what they are told, and so on. If you are looking for an exact opposite, Switzerland could be that. In Israel, if you tell people what to do the first thing they ask is: "why?"

Why are there so few hackers and virus writers from Israel, though? The obvious comparison is with Russia, which also is rich in mathematical talent?

Well, the point is not to inflict damage. As for the Russians, the second biggest demographic in Check Point is Russian. Israel got that big wave of Russian immigration after the collapse of the USSR. But the language of the company is English. In fact I can't type Hebrew very fast at all!

Who do you admire in the infosec field?

The Zone Labs people, whom we acquired, are a real inspiration. They have shown a lot of foresight in the way they have developed their technology. For example, the way Zone Alarm or Integrity is installed on the PC. The first thing malware tries to do is unseat our software. To counter that we have a very sophisticated way that our software gets installed into the OS — basically in a way that prevents attacks against the PC and also against our own software.

There are stories that Al-Qaeda, and other Islamist groups, are vying with organized crime to recruit hackers. Is cyber-terrorism a realistic concern, in your view?

I think we need to be more concerned about cyber criminals. After all, these people are not risking their lives. And it is not just organized crime, it is also companies with lower ethical standards or countries where intellectual property is not so appreciated as it is in the West. Business espionage, in a phrase.

Finally, there is much comment in the infosec community to the effect that the perimeter is going away: that companies are undergoing ‘deperimeterization’ as borders between companies become more porous. As one of the original perimeter protection suppliers, what do you think about this?

The idea here is like getting rid of security at the entrance to a hotel and making each guest responsible for guarding their own room. It would be like countries without borders. The perimeter will not go away. Companies are more porous, it is true, but the perimeter still exists.



 

 
