Thursday, December 5, 2013

Three reasons why Check Point DDOS Protector is NOT a Check Point solution

Last year Check Point added a number of so-called DDOS Protector appliances to its portfolio.

It is no secret that this solution is in fact an OEM version of Radware DefensePro appliances, rebranded as Check Point.

There is no fun in stating the obvious. It is not only about colours. Check Point's and Radware's security philosophies are essentially different. Here are three reasons why I cannot consider the box painted blue from the first picture to be a Check Point solution:

1. Security Architecture

In its firewalls, Check Point performs inspection before forwarding the traffic. The FW kernel is placed between the NICs and the IP stack, so in general, traffic cannot be forwarded before a security decision to accept it has been reached*.

In the DefensePro/DDOS Protector solution, the network module and the analysis module are separated. Traffic flows through the box while being analysed. Traffic is only interrupted once the analysis module detects an attack. Detection is not immediate, and before anything else, connectivity is maintained.
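The difference between the two designs can be quantified with a small model. This is an added example, not code from either vendor: a simple per-source rate detector stands in for the real detection logic, and the addresses, window, threshold and verdict delay are all constructed assumptions.

```python
from collections import Counter, deque

def sample_traffic():
    """Constructed input: (timestamp_ms, source). 10.0.0.5 is a normal client;
    203.0.113.9 floods at one packet per millisecond from t=100 to t=399."""
    pkts = [(t, "10.0.0.5") for t in range(0, 400, 50)]
    pkts += [(t, "203.0.113.9") for t in range(100, 400)]
    return sorted(pkts)

def simulate(packets, inline, window_ms=100, threshold=50, verdict_delay_ms=30):
    """Count forwarded packets per source.

    inline=True : the verdict is reached before the packet is forwarded.
    inline=False: the packet is forwarded first, analysis runs on the side,
                  and a block takes effect verdict_delay_ms after detection.
    """
    forwarded = Counter()
    recent = {}       # source -> timestamps inside the sliding window
    block_from = {}   # source -> time from which its packets are dropped
    for ts, src in packets:
        # Forward-while-analysing: the packet leaves before analysis sees it.
        if not inline and ts < block_from.get(src, float("inf")):
            forwarded[src] += 1
        q = recent.setdefault(src, deque())
        q.append(ts)
        while q[0] <= ts - window_ms:
            q.popleft()
        if len(q) > threshold and src not in block_from:
            block_from[src] = ts if inline else ts + verdict_delay_ms
        # Decision-first: forward only if analysis did not flag the source.
        if inline and src not in block_from:
            forwarded[src] += 1
    return forwarded

if __name__ == "__main__":
    traffic = sample_traffic()
    for name, mode in (("decision first", True), ("forward first", False)):
        print(name, dict(simulate(traffic, inline=mode)))
```

With the same detector in both modes, the extra flood packets that get through in the forward-first mode are exactly those sent while the verdict is pending, so the exposure grows with both the attack rate and the analysis delay.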

2. Central management

In the Check Point world, management is a distinct entity. Although it can coexist with a firewall module in a so-called standalone configuration, it is still a separate product. Working with management requires GUI tools. This set of GUI, management and enforcement point is called "three tier infrastructure". This separation helps in building flexible, centrally managed security systems.

With the Radware DDOS solution, management is an integral part of the product as a whole. It is always on the box, and to work with it, one uses a WebUI instead of a standalone application. With such an approach, a single-box deployment is simple and straightforward, while building a distributed, centrally managed security system might be a challenge.

3. Integration

The only integration DDOS Protector has with Check Point is about logs. One cannot run it as part of a centrally managed security system. DDOS Protector lacks a built-in mechanism to share its own decisions with the rest of the infrastructure and to reuse security decisions made by other parts of the Check Point security system. Generally speaking, it has exactly the same level of integration as any other third-party OPSEC product.

*Strictly speaking, that is not exactly true for some specific cases of streaming-based inspection. Some IPS features require analysis of the application stream and cannot be performed on a per-packet basis. The difference with Radware here is that packets still go through the FW kernel while being streamed, and thus are subject to FW inline stateful inspection anyway. FW needs not accept the flow through its security rulebase before any further in-depth inspection is performed.


  1. This reminds me of my first interview with CheckPoint, some 13 years ago. They wanted me to join or probably lead a team to build a management GUI for the firewall. All went well, but after we were happy with each other, the would-be manager told me: "I understand that with your HTML experience you will advocate a web client solution, but I want it to be MFC".

    1. Too bad, Alex. A full-blown GUI is one of the most attractive CP features.