By: Shlomo Kramer, Check Point Software & Cato Networks Co-Founder
As one of the founders of Check Point Software and more recently Cato Networks, I’m often asked for my opinion on the future of IT in general, and security and networking in particular. Invariably the conversation will shift towards a new networking technology or the response to the latest security threat. In truth, I think the future of firewall lays in solving an issue we started to address in the past.
FireWall-1, the name of Check Point’s flagship firewall, is a curious name for a product. The product that’s become synonymous with firewalls wasn’t the first firewall. The category already existed when I invented the name and saved that first project file (A Yacc grammar file for the stateful inspection compiler, if you must know.) In fact, one of the first things Gil did when we started our market research for Check Point in 1992 was to subscribe to a newly formed firewall-mailing-list for, well, firewall administrators.
But FireWall-1 was the first firewall to make network security simple. It’s the stroke of simplicity that made FireWall-1. From software to appliances, firewall evolution has largely been catalyzed by simplicity. It’s this same dynamic that three years ago propelled Gur Shatz and me to start Cato Network and capitalize on the next firewall age, the shift to the cloud.
To better understand why simplicity is so instrumental, join me on a personal 25-year journey of the firewall. You’ll learn some little-known security trivia and develop a better picture of where the firewall, and your security infrastructure, is headed.
The Software Age and Simplicity Revolution
When we started developing FireWall-1, the existing firewalls were complicated beasts. Solutions, such as Raptor Firewall or Trusted Information Systems Firewall Toolkit (FWTK) relied on heavy professional services. Both came out of corporate America (If I remember correctly Raptor from DuPont and FWTK from Digital).
The products required on going attention. Using new internet applications could mean installing a new proxy server on the firewall. Upgrading an existing application could require simultaneously upgrading the existing proxy servers, or risk breaking the application. No surprise, the solutions were sold to large organizations willing to pay for the extensive customization and professional services required to implement and maintain them.
They say “necessity is the mother of invention” and that was certainly the case for Gil, Marius, and I. We were anything but corporate America. Extensive on-site support, custom implementations, professional services — the normative models wouldn’t work for us sitting in my grandmother’s apartment 10,000 miles away from the market, suffering the sweltering Israeli summer with no air conditioning and only $300,000 in the company bank account.
We needed a different strategy. What we needed was a solution that would be:
- Simple to use without customer support,
- Simple to deploy without professional services,
- Simple to buy from a far, and, above all,
- Simple enough for three capable developers to build before running out of budget (about 12 months).
To make the firewall simple to use, two elements were key:
- A stateful and universal inspection machine that could handle any application given the right, light-weight configuration file. No longer was there a need to deploy and update custom proxy servers for each application. In the coming years, when Internet traffic patterns changed to include an ever growing number of applications, stateful inspection became critical.
- An intuitive graphical user interface that any sys admin could understand and use almost immediately.
Actually, we didn’t get the UI right the first time around. After a few months of development, we ran a "focus group” with friends that luckily were PC developers. During those days, PC developers were much more advanced UI folk than us Sun Workstation guys. Our focus group hated the UI, which led us to start all over, and develop a PC-like interface that looked like this:
Caption: A screenshot of FireWall-1’s early interface.
I still think it’s pretty great. By the way, you might notice a host called “Monk” in the rule base. It was one of the two Sun workstations we owned (actually borrowed as a favor from the Israeli distributor of Sun), and named Monk after Thelonious Monk, the American jazz pianist and composer. The other machine was named Dylan. And all of those cool Icons? They were drawn by Marius who doubled as our graphic artist. He worked on a PC.
To make the product simple to deploy, we made a special effort to compress the entire distribution into a single diskette with the install manual printed on the diskette’s label:
Caption: An early FireWall-1 disk. Note the installation instructions on the label.
The last critical point was making the product simple to buy. In a world where the competition sold direct and made a considerable part of their revenues off of professional services, we decided to become a pure channel company and sell exclusively through partners.
We were very lucky to sign up early on with SunSoft, the software arm of the then leading computer manufacturer, Sun Microsystems, and become part of their popular Solstice suite. Sun's distribution know-how and capabilities were critical in the early days. In the pull market that followed, the fact that buying FW-1 through our partners was simple became critical.