Check Point Express, Reviewed: June 2004
: Check Point Express provides comprehensive security features as well as an excellent firewall.
: It costs considerably more than other software firewalls.
: With its wealth of extra features and its cross-platform capabilities, it sets a high standard.
SummaryAs one of the best-known firewall systems, Check Point's software has an established and formidable reputation. Available for Linux, Unix and Windows systems, it offers options and features that will handle most requirements.
The printed support is a 40-page guide that covers steps to install the software. There are also 17 manuals on the installation CD. The software can be configured in several ways, distributing components across several systems and managing large numbers of devices.
We installed the software on a Windows 2000 system in its simplest configuration with all the components on one server. The installation went smoothly – setting up the software, creating administration accounts and "hardening" the operating system before rebooting. This was effective and the host machine did not respond to our port scanning attempts.
The system is controlled by the "SmartDashboard" that is its GUI. It is possible to configure firewall security policies, set Network Address Translation (NAT), configure the "SmartDefense" system and manage VPN connections.
The SmartDefense IDS monitors traffic and will generate alerts for denial-of-service attacks, port scans and address spoofing, and will also apply application protection, detect and report web worms, cross-site scripting and other exploits.
SmartDashboard graphically represents relationships among network objects and can help avoid configuration problems. Network objects represent servers, gateways, networks and groups of objects and are easily created. It is very easy to determine an object's properties, including where it is used. Rule creation is done by selecting items from extensive drop-down lists.
There is a policy verification facility that will check for errors and provide a "sanity check" for rule bases before installing them on individual firewalls. It is possible to install the same policy on a number of firewalls simultaneously.
The system provides real-time monitoring and logging facilities for all aspects of performance.