
Security architect — Marius Nacht

Q&A, Infosecurity Today, July/August 2005

Why did you and Gil Shwed set up Check Point?

I did not want to become an employee. I’d been in the air force for nine years, and did not want to be following orders. I just don't have the mentality of obeying.

We had been keeping an eye on the internet since about 1990, and especially when DARPA opened it up to the public in 92-93. We then had a concept of network protection, though not the word 'firewall' as such.

How did you get the company going?

We got $300,000 as a loan from BRM Capital — who were, essentially, some friends of ours who'd sold some AV technology, and started funding from that.

We've taken pride in having bootstrapped the company with that $300k. We’re proud of having done quality work with limited resources. Sometimes a wealth of resources defocuses you, and I love the elegance of what we do.

So, we strive for quality, especially in execution.

Who was your first customer?

Our first customer was a big law firm, but a more interesting story can be told about our seventh customer — a bank on Wall Street. We went to them with our firewall 1.0 product, which fitted onto a floppy disk. In those days — this was early 1994 — you had either packet filtering routers or proxy gateways. We were neither. We had invented stateful inspection, and we were not in the textbooks.

So, we had a technology that was not in the text books, we had funny accents, and they said to us: "Why should we bet our security on an unknown start up from Israel?"

And so, we gave the product (again, on a floppy) to their R&D department to test.

They liked it. They liked its simplicity. It was rock solid security-wise, the user interface was very intuitive, and it allowed them to do things that other products could not — things like Sun RPC, DNS, and UDP.

So, they wanted the product, but would only buy direct, whereas our model was a channel model. However, at that time, we didn't have a reseller in Manhattan, so we had to find one very quickly!

You are launching what you are calling your NGX unified security architecture? What makes this stand out in the market, in your view?

No one else has a unified platform across the four domains of perimeter, web, internal, and endpoint, or even has a desire to create such a platform.

There is a view in the industry that Netscreen came from nowhere, like a meteor, and have stolen a march on Check Point. What’s your take on that?

Netscreen/Juniper Networks have done well with those companies that preferred a 'box approach'. They've more been competing with Cisco than us.

Their technology is fine for those who have a box mentality, but for the more sophisticated people — who realize that security needs to be agile, flexible, and innovative, and that it cannot be locked down to an ASIC chip, it's not.

And when you look at market share you need to look at the market, not only the vendors — so you have to factor in Check Point partners, in terms of hardware and distribution (unlike our competitors, we do not sell direct).

More fundamentally, the 'brains' of IT security is in the software. It's not like you can have a box with nothing running inside it!

Check Point Software was a firewall pioneer in the early 1990s. Co-founder and senior vice president, Marius Nacht recently spoke to Brian McKenna about the company’s origins, philosophy, and roadmap.

Marius Nacht: proud of Check Point’s elegance.

The infosec world is now glutted with ‘intrusion prevention’ players. Why is Check Point different?

There are two major differences. First, intrusion prevention is done within the firewall, which is more cost efficient. And second, our technology is not signature-based. We have signature capabilities, but the focus and main thrust is for generic and pre-emptive protection and not reactive/specific ones like signatures.

We’ve got a patent pending on what we call Malicious Code Protection, which protects against any buffer overflow attack. It's very powerful — it is independent of the application affected, and independent of the OS affected.

But the major trend we see now is a demand for advanced security, but with simplicity in the management of that.

You make much of the claim that you offer the capacity to manage enterprise security in an end-to-end way. But why can Check Point do this unified management piece?

There are three reasons. Firstly, management is a software game and that is what we do. Secondly, we had central security management from v1.0 of the product 12 years ago. And thirdly, we have not done what Cisco and Juniper have done — constantly acquiring companies whose technology and businesses then have to be integrated, and so on.

And yet you did acquire Zone Labs. Why have you not been more acquisitive? For example, you could have bought an SSL VPN supplier rather than take time out to develop your own product, which was about a year behind when released last May. And you have the example of Symantec, which has made the interesting move of acquiring a storage vendor, Veritas, broadening its enterprise range.

Well, the jury is still out on the wisdom of the Symantec acquisition of Veritas. As for Check Point, we are not afraid to do acquisitions, but we are a security company, and I can't see us obtaining a back up, like a storage company.

When we developed our SSL VPN product, Connectra, we decided to take a hit and develop it ourselves, rather than buying a company. Had we gone down the acquisition route, we would have had to give it a lot of management attention, and so on. And this technology is not rocket science. SSL VPN is really not that sophisticated.

The sophisticated stuff that we do (in addition to the SSL VPN) is the protection of the entire web infrastructure: web server, application server, database server – behind the Connectra; and the browser and OS attempting to SSL to the Connectra gateway.

Check Point is one of a slew of Israeli-born IT security companies. Why has Israel proved to be so strong in IT security? Are the reasons as obvious as they might appear?

Intelligent people are very curious, and in the case of Israel that curiosity has gone into security. I'm not talking here about the military side of security, however; it is more general than that.

We are a non-conforming people, basically, and that has to do with the Holocaust. We won't be told what to do ever again. Now, this mentality can be a pain in the butt, with people not doing what they are told, and so on. If you are looking for an exact opposite, Switzerland could be that. In Israel, if you tell people what to do the first thing they ask is: "why?"

Why are there so few hackers and virus writers from Israel, though? The obvious comparison is with Russia, which also is rich in mathematical talent?

Well, the point is not to inflict damage. As for the Russians, the second biggest demographic in Check Point is Russian. Israel got that big wave of Russian immigration after the collapse of the USSR. But the language of the company is English. In fact I can't type Hebrew very fast at all!

Who do you admire in the infosec field?

The Zone Labs people, whom we acquired, are a real inspiration. They have shown a lot of foresight in the way they have developed their technology. For example, the way Zone Alarm or Integrity is installed on the PC. The first thing malware tries to do is unseat our software. To counter that we have a very sophisticated way that our software gets installed into the OS — basically in a way that prevents attacks against the PC and also against our own software.

There are stories that Al-Qaeda, and other Islamist groups, are vying with organized crime to recruit hackers. Is cyber-terrorism a realistic concern, in your view?

I think we need to be more concerned about cyber criminals. After all, these people are not risking their lives. And it is not just organized crime, it is also companies with lower ethical standards or countries where intellectual property is not so appreciated as it is in the West. Business espionage, in a phrase.

Finally, there is much comment in the infosec community to the effect that the perimeter is going away: that companies are undergoing ‘de-perimeterization’ as borders between companies become more porous. As one of the original perimeter protection suppliers, what do you think about this?

The idea here is like getting rid of security at the entrance to a hotel and making each guest responsible for guarding their own room. It would be like countries without borders. The perimeter will not go away. Companies are more porous, it is true, but the perimeter still exists.
