Monday, 24 August 2009

Checkpoint Software Blade Architecture

I received an email this morning from Checkpoint advertising their new software blade architecture.

Checkpoint already provide a hardware virtualization platform in the VSX-1, so could this be a blade-center version? No, the blades here are not actual blades in the sense that the rest of the industry uses the term; they are in fact software modules.

So what is it?
It's a "new" architecture to Checkpoint systems that allows you to choose which software modules you want installed on your gateway/smart center servers.

So what's the difference between this and R65's cpconfig software install section?
It has templates (and possibly a GUI).

Is there anything new here?
Kind of. If you dig a bit deeper there are some interesting bits to R70, but they're nothing to do with blades or this software blade architecture.

The Checkpoint blade architecture seems mainly to be a new model for licensing, and it'd be nice to avoid the confusion of the past. The old licenses seem so simple in theory, but in practice quickly become painful, especially when you have upgraded a complex system through several releases (and who runs Checkpoint on anything other than a complex system?). I'll be watching with interest!

I do wish they'd called it something else though; blade is a fairly well known term and using it in this context is likely to cause confusion.

So what is new?
R70 replaces SmartDefense with IPS, URL filtering, anti-spam and anti-virus modules. These are software-only modules, not like the Cisco ASA IDS/IPS units, and they run on the same hardware. It'll be interesting to see how well these perform in the wild, as I don't currently have any data on them.


Nokia/IPSO support in R70
It may (or may not) be news to some, but R70 is now being released for Nokia/IPSO platforms. I'm a bit surprised that Checkpoint are still supporting the Nokia boxes now that they have their own line of hardware running SPLAT.

Nokia is no longer a supported platform for Sourcefire and I can't see Checkpoint supporting them indefinitely. Both SPLAT and IPSO are Unix-based systems, but SPLAT is a Linux kernel and IPSO is FreeBSD-based, so they won't be using identical code, and it must be expensive for Checkpoint to develop and maintain both lines.

Nothing has been announced that I'm aware of, but it would seem like a good idea to start thinking about migrating away from the Nokia boxes if you use them currently.