Competitive Assessment: Palo Alto Networks vs Check Point

Check Point Overview

The originator of stateful inspection, Check Point is moving from being a software only vendor to a hardware vendor (UTM-1, Power-1, IP appliances), introducing competition to their existing hardware partners. At the heart of the Check Point solution is Stateful Inspection, which has proven to be relatively ineffective in dealing with the new class of applications and their evasive tactics such as moving from port to port, emulating HTTP or using SSL. Check Point strengths include: Long time security vendor, stable, providing comfort in economically challenging times. First to market with a stateful inspection FW (1994). Broad line of security products from a combination of development and acquisitions.

Key Points to Consider

Check Point visibility and control problem that IT faces todayeven with multiple elements. Check Point cannot solve the visibility and control problem that IT faces today. They may claim to be able to do so using a combination of their many products, but in reality, they cannot address the lack of visibility and control over applications, users and content. The Palo Alto Networks next-generation firewall brings visibility and control over applications, users and content back to the IT department using three unique technologies: App-ID, User-ID and Content-ID. Delivered as a purpose-built platform with function specific processing for networking, security, threat prevention and management. Check Point sees only ports and protocolsnot applications. Check Point uses Stateful Inspection, a port-based classification mechanism to identify traffic and therefore is unable to accurately identify applications. The IPS card option brings the ability to detect a limited set of known bad applications (some P2P and IM). Palo Alto Networks is the only firewall that is based on App-ID, a patent pending traffic classification that users four different techniques (application protocol detection and decryption, application decoding, application signatures, and heuristic analysis) to identify more than 820 applications irrespective of port, protocol, SSL encryption or evasive tactic employed. The identity of the application is then used as the basis of all policy decisions as well as any applicable logging and reporting output. Check Point firewalls cannot see users. Check Point firewalls still use IP addresses as a means to identify users and implement policy, severely limiting the visibility and control capabilities that the IT department has at their finger tips. User-ID, available only on a Palo Alto Networks next-generation firewall, provides visibility and policy control into who is using the application and the related activity through seamless integration with both Active Directory and Citrix/TSE. User identity is pervasive throughout the interface (ACC, App-Scope, policy creation, traffic logs, reporting) providing consistency in management. Check Point blade licensing and platforms are complex and costly. Disguised as revolutionary, the Check Point Blade concept is merely another licensing scheme that is costly and complex. Add to that the fact that Check Point now has multiple platform families (UTM-1, Power-1, IP appliances from Nokia) that compete with partner platforms (CrossBeam, Sun, HP, etc) so it is not surprising that customers are confused. Palo Alto Networks licensing is simple two options (URL filtering and Threat prevention) both of which support unlimited users on all 6 platforms. All other features (App-ID, User-ID, data filtering, SSL VPN) are included as part of the base price. Platform selection is simple: choose from 1 of 6 platforms with standard interface density of 8 to 24 ports. Check Point blades are inefficient, introducing latency and management complexities. UTM (or XTM) based appliances are merely mechanisms of bolting technology onto a port-based firewall as a means of lowering the costs. The result of the sheet metal integration is the introduction of latency and management complexity. The Palo Alto Networks single pass parallel processing architecture performs policy functions once on a given set of traffic within the software engine. Threat prevention, URL filtering, malware protection, data filtering (Content-ID) are all performed in a single pass, based on a single policy rule, for any number of applications. The parallel processing hardware platform applies function specific processors to networking, security, threat prevention and management to deliver multi-Gbps throughput with minimal latency.

June 2009 - Competitive data is generated from public information sources. Reasonable efforts were made to verify the data. - 1 -