Background
With the R70 release of Check Point's security gateway and management platform imminent, the venerable security vendor has seized the opportunity to make changes to its licensing model. The beloved UTM and Power software product lines are being gradually replaced with what they are referring to as the Check Point Software Blade Architecture. So what is it?
Let's start with a little history. Check Point's Security Gateways (aka firewalls) have always been feature rich, supporting many different functions (SSL VPN, Remote Access VPN, Site to Site VPN, Firewall, NAT, IPS, Software Acceleration, QoS, Web Application Firewall, Dynamic Routing, Clustering... the list goes on). Because of this, the Check Point license enforcement mechanism is equally rich and flexible (i.e. cp.macro* plus the associated code), which allows the vendor to create a myriad of licenses. For example, the software infrastructure is available to license anything from the Database Revision Control feature of the GUI to the support for NAT on the Gateway, although Check Point licenses these features, and always has, as part of the SmartCenter and Gateway respectively.
In this new architecture the most important of the many features are represented by a conceptual component called a Software Blade, with each different type of Blade offering a different feature. The software blades are portable amongst security gateways, so for example, if you have a gateway that has changed roles from a perimeter device to an internal device and no longer terminates VPNs, you can remove its VPN software blade and place it into another gateway, much in the same way as you can move a hardware blade from one chassis into another. The metaphor is a good one.
Gateway Software Blades - Giving your Gateway its Security Features
There are Software Blades available which will activate the following features:
Firewall, VPN, IPS, Acceleration & Clustering, Advanced Networking, Anti-Virus, Anti-Spam, VoIP Security and finally Web Security. Although the Acceleration & Clustering and Advanced Networking Software Blades appear to be new, they are in fact a combination of four existing features:
If you work for a Check Point reseller you should immediately recognize most if not all of the features mentioned so far. The Firewall, VPN & IPS come from the core gateway product since the Express/Pro line, the Anti-Virus, Anti-Spam & URL Filtering are taken from the VPN-1 UTM product, and the Acceleration and Advanced Networking from the Power product. As a result they are all neatly split up into separate parts that can be licensed in a piecemeal fashion. The customer can buy what he needs, not more, not less.
You can see an example of a Check Point Gateway fitted with all of the currently available Software Blades. The only Software Blade that might make you look twice is VoIP Security. It's not my place to explain this; you should review the R70 'What's New' document when it's available.
Gateway Containers - Giving the Gateway its Multi-Core support and User Count
What's also vital to point out is the gateway container. You need to purchase a Container before any of the blades become useful, and it's the container that governs how many cores and how many users the gateway will support. Some containers come bundled with many Software Blades, some come with only the Firewall Blade.
They are available in the following varieties:
SG80x - 8 cores / unlimited Users
SG40x - 4 cores / unlimited Users
SG20x - 2 cores / 500 Users
SG10x - 1 core / 25 users
I'll discuss what the x stands for in a moment; for now we can see that the first number simply reflects the number of cores and users the gateway will support.
You'll notice less variety in the available user counts versus the previous price list. The 1 core container will only support up to 25 users and the 2 core container, 500 users. This is a major change. We've lost the granularity of the old licenses, which were available in brackets of 25, 50, 100, 250, 500 & of course Unlimited.
Putting it all together!
Now let's talk about the pre-populated Containers. These are effectively bundles of a Container and the most commonly used Software Blades, and closely resemble the products from the previous UTM/Power price list.
We clearly understand what the first number in the new Software Blade Gateway Bundles indicates, but what about the third number (the second number is always zero - so we'll skip it here)? Well, it simply tells us the initial number of software blades that are included in the bundle. In essence the bundles are made up of one or more of three different components which I've grouped under somewhat familiar names. (Remind yourself that the ACCL Blade includes SecureXL and ClusterXL, and the ADN Blade includes QoS and Dynamic Routing).
A picture is worth a thousand words:
Firstly we can see that the x06 at the top provides the same features as the previous VPN-1 UTM product, but it's only available as the single core/25 user SG106. We've no matching product in the 2xx, 4xx & 8xx series. This in my mind makes sense, as it omits the SecureXL Acceleration feature (included in the ACCL blade), which could not accelerate UTM inspected traffic, so the customer is unlikely to need it. In addition, a 25 user site would not need to scale its gateway performance using a Load Sharing Cluster (again included in the ACCL blade); a High Availability Cluster would suffice, and so the omission of the ACCL blade does the product line no harm.
Moving up, we've got the x05 (as an SG205 in this example). This is, feature wise, a VPN-1 Power product with the addition of Dynamic Routing (SecurePlatform Pro) and ClusterXL Load Sharing as part of the ACCL and ADN blades.
Second to last, we've got the x07, which is the equivalent of the 'fully loaded' VPN-1 UTM/Power product but again with the addition of Dynamic Routing and ClusterXL Load Sharing, included in the ADN and ACCL blades respectively.
Last but not least is another x05, this time in the 8 core / unlimited user SG805 variety. This is the high performance FW/VPN/IPS gateway including SecureXL software acceleration, and 8 cores of packet processing wonderment! Again, the 800 series is limited, this time to only the x05. I believe this makes sense, as an 8 Core Gateway with no SecureXL Acceleration does not optimize the potential of the machine as a gateway. (In fact, the usefulness of the SXL feature depends on the traffic mix, and on the use of the IPS and 'UTM' features).
What's unclear at the time of writing is whether or not a blade from a bundled product can be removed from the container or not. If you have the answer, put it in the comments!
Roll Your Own (Firewall)!
Whilst the Gateway Bundles are great, they might give you more features than you actually want. If this is the case you are able to create a completely customized gateway with only the features you need for your business, starting off with an x01 container as below.
This addresses one of the major pain points for users buying Check Point software. You might have heard it before: "I don't want to pay for features that I am not using!". With the previous price list, even the most inexpensive gateway was bundled with VPN and IPS features, which put off the customer who only wants a firewall.
Essentially you have three steps in building your own bespoke Security Gateway:
1. Choose the number of cores and users you wish the gateway to support.
2. Choose your Software Blades.
3. Make your purchase.
Now let's look at an example. Yes, it's story time!
Here we have a Gateway that is going to be placed on the perimeter of a 300 user office, and it'll run on a lovely new HP quad core box. We've already got a stand-alone IPS product from Check Point, and have decided that we don't need the Security Gateway's IPS feature. Also there is another device terminating VPN connections, so we'll not need this in the gateway either. Rather than waste cash on features we won't use, we purchase an SG401 container, which only includes a Firewall Software Blade and provides support for our quad-core box.
After the Gateway was put in place maintenance on our URL filtering and Anti-Spam solution expired, so we purchased the ASPM and URLF blades to provide this feature on the gateway.
A year later, the CPU on the gateway was beginning to top out at 70%. After taking a look at the traffic, it was apparent that database replication was taking place through the Gateway and pushing the CPU% up. The ACCL blade was then purchased to provide SecureXL traffic acceleration. This brought the CPU down nicely.
Loss of Granularity in User Count
The user count change primarily makes the licensing easier to understand. In fact, the Software Blade concept in general is an improvement, as there are a smaller number of licenses to choose from, which removes a lot of confusion when putting together a solution. However, when we look at some of the lower user count licenses, for example the VPN-1 UTM 100, we find that there is no comparable Software Blade product. The closest is the SG106, which matches the features completely, but this is double the price of the VPN-1 UTM 100 and supports only 50 users.
Another example of the low end licenses losing out is the VPN-1 Power 50. Here we have the SG103, which looks to be a match. It has the same user count, core count, FW, VPN, and IPS features, and is the same price. But the new SG103 drops the QoS and the SXL features. If you wanted to add these features you would have to add the ACCL (Acceleration & Clustering) Blade and the ADN (Advanced Networking) Blade at $1,500 each, bringing the total price up to $7,000 from $4,000.
Now, I don't think these cost rises on a few of the low-end products are intentional; I believe they're simply a side effect of the simplification of the licensing, something that all Check Point customers and partners have been hoping for. And if we look at the UTM-1 product line, we find that there are cost effective replacements for the smaller licenses in a hardware package, which benefits the customer in that they need not purchase an Intel server to run the Check Point software.
A few Punchy Points
Here we'll briefly summarize the key changes between the old and new price list. It will not provide a complete differential, but will point you towards some of the changes that jumped out at us.
- ClusterXL (needed for Load Sharing Clusters) is less expensive: it is now $1,500 as part of the Clustering & Acceleration blade. Previously $3,000 or $6,000 per gateway (depending on user count). Also includes SecureXL, which was previously $6,000.
- SecurePlatform Pro bundled with QoS for more value: was $1,500 for only dynamic routing. Is now $1,500 BUT includes both QoS and dynamic routing as part of the Advanced Networking Blade.
- Web Intelligence now sold as a Software Blade. No longer sold per protected server. Is now $1,500 regardless. Previously $5,000 for three protected servers, $10,000 for 10 protected servers, and $20,000 for Unlimited protected servers.
- SmartCenter UTM 5 site is now the SM1003, BUT licensed based on gateways. Assuming clusters of two gateways, the product is identical. Was $10,000, is now $9,000.
- New SmartCenter (SM2500) for 25 gateways. Appears to be regular SmartCenter plus SmartView Monitor, SmartProvisioning (new R70 feature!), & IPS Event Analysis. No UTM/Power SmartCenter to compare this to.
- SmartCenter Power Unlimited is now more expensive as the SMU007. Was $22,000, is now $27,000. Appears to be missing SmartMap (my gut tells me it's been collapsed into one of the other blades; time will tell). SmartPortal is no longer included, and is a separate Software Blade. IPS Event Analysis & SmartProvisioning have been added, however. Still includes SmartDirectory, SmartView Monitor (now part of the Monitoring Blade), and of course SmartView Tracker, SmartDashboard, & SmartUpdate (as part of Provisioning).
- Customer Logging Module appears to have become more expensive. Previously $1,000, now $5,000 as the SM1001. Only supports logging from 10 gateways also, rather than Unlimited as previously.
Summary
In this blog entry we took a brief look at Check Point's Software Blade Architecture and how it affects the purchasing of their software Security Gateway product line. Key points are as follows:
Container: Gives us the User Count, Core Count, and the Firewall feature
The containers remove the need for separate Multi-Core licenses (one less SKU on the pricelist!) and also take care of user count; they are the basic foundation of a security gateway. They enable the Security Blades to be user count agnostic.
The x01 Firewall-only Containers keep the cost of the basic gateway low and give users what they've been asking for: a gateway that does only firewalling at a reasonable price (for a four core/unlimited user gateway the SG401 is $12,500 versus $16,000 for the U2 Power on the previous list).
Software Blades: Gives us the flexibility we need
With the Software Blades priced at $1,500 regardless of gateway user count or core count (excluding the Services Blades), adding additional features to your gateway is now as simple as a one line purchase order. I cannot overstate this. Previously it would involve either a 'trade in' or 'functionality upgrade' process, which was complex and time consuming for the end user, the reseller and Check Point themselves.
The portability of the software blades between gateways also means that you can 'drag' a feature from one gateway and 'drop' it on another, allowing customers to move an unused gateway feature to a gateway that really needs it, saving on cost.
Conclusion
All in all this is an improvement. Whilst the Management components seem to have had the biggest price changes, these may well provide good ROI to the customer in the form of the new Management features in R70. I can't wait to see them. The gateway changes appear to offer customers good value and the flexibility they've been requesting for a long while. I personally hope that this model stays with us for some time.