Check Point Software has come up with a way for its firewall customers to deploy network access control (NAC) without client software, using hardware filters in Intel-based network interface cards to block rogue traffic instead.
The latest version of Check Point's VPN-1 NGX software enables post-admission NAC, that is, enforcement after a machine has already been admitted to the network: the firewall identifies traffic that violates security policy and shuts it down at the NIC of the machine generating it, rather than somewhere downstream.
This requires desktops whose NICs are based on Intel's vPro technology, which includes programmable hardware filters that can block traffic. Because the filters sit in the NIC hardware below the host operating system, they keep working even if the operating system itself has been compromised, which is exactly the case in which malware would disable a software agent. HP and Gateway have announced desktops employing vPro technology.
Check Point already offered a means to block malicious traffic at the desktop via its Integrity client software, which includes a firewall that can block traffic based on set policies. The software also scans desktops and laptops for security posture, and that information can be used to allow or deny network access.
Now customers can use the NICs to enforce NAC policies instead, avoiding the need to deploy, configure and manage Integrity clients. Used on their own, though, the NICs act only on what a host does on the wire: the posture scanning that the Integrity client performs is not part of this route, so enforcement is post-admission, triggered by observed traffic rather than by the machine's state.
The new software supports co-operative enforcement between VPN-1 firewalls and the NICs. Customers must write scripts that instruct the NICs what traffic to block or divert to quarantine VLANs. Check Point said that in later releases the script writing will be hidden behind a graphical user interface, making it simpler to configure the policies the NICs enforce.
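To make the co-operative enforcement loop concrete, here is an added illustration; it is not Check Point's software or Intel's NIC interface, whose script format the article does not describe. It models a firewall that watches flows from admitted hosts, matches them against post-admission rules, and pushes a filter to the offending host's NIC, which then either drops just that traffic or isolates the host. The filter table, the rule format, the remediation-server address and the workstation addresses are all assumptions made for the example; quarantine is modelled as an allow-list to the remediation server rather than as a VLAN move.

```python
"""Toy model of post-admission NAC with enforcement at the endpoint NIC.

Constructed illustration, not Intel's or Check Point's actual interfaces:
a firewall watches flows from hosts already on the network; on a policy
violation it pushes a filter to the offending host's NIC, which drops that
traffic or isolates the host, with no agent running in the host OS.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
REMEDIATION_SERVER = "10.0.0.50"  # assumed address of the remediation host


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class NicFilter:
    """One hardware-style filter: match on destination, protocol and port."""
    dst: IPv4Network
    proto: str | None  # None matches any protocol
    dport: int | None  # None matches any port
    action: str        # "allow" or "drop"

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.dst) in self.dst
                and self.proto in (None, f.proto)
                and self.dport in (None, f.dport))


class Nic:
    """Endpoint NIC with an ordered filter table: first match wins, default allow."""

    def __init__(self) -> None:
        self.filters: list[NicFilter] = []

    def install(self, filt: NicFilter) -> None:
        self.filters.append(filt)

    def quarantine(self) -> None:
        """Stand-in for a quarantine VLAN: only the remediation server stays reachable."""
        self.filters = [
            NicFilter(ip_network(f"{REMEDIATION_SERVER}/32"), None, None, "allow"),
            NicFilter(ANY, None, None, "drop"),
        ]

    def forward(self, f: Flow) -> str:
        for filt in self.filters:
            if filt.matches(f):
                return filt.action
        return "allow"


@dataclass(frozen=True)
class Rule:
    """Firewall policy for admitted hosts, with the NIC action to take on violation."""
    name: str
    proto: str
    dport: int
    dst: IPv4Network
    action: str  # "drop" blocks just that traffic; "quarantine" isolates the host

    def violated_by(self, f: Flow) -> bool:
        return f.proto == self.proto and f.dport == self.dport and ip_address(f.dst) in self.dst


class Firewall:
    """Detects violations on the wire and enforces them on the offending host's NIC."""

    def __init__(self, rules: list[Rule], nics: dict[str, Nic]) -> None:
        self.rules = rules
        self.nics = nics  # host IP -> its NIC, i.e. the co-operative-enforcement channel
        self.log: list[str] = []

    def observe(self, f: Flow) -> str | None:
        """Return the action taken for a violating flow, or None if the flow is clean."""
        for rule in self.rules:
            if rule.violated_by(f):
                nic = self.nics[f.src]
                if rule.action == "quarantine":
                    nic.quarantine()
                else:
                    nic.install(NicFilter(rule.dst, rule.proto, rule.dport, "drop"))
                self.log.append(f"{f.src} violated {rule.name}: {rule.action}")
                return rule.action
        return None


def demo() -> dict[str, str]:
    """Constructed scenario: one workstation mass-mailing, one probing SMB on its peers."""
    nics = {"10.1.1.10": Nic(), "10.1.1.11": Nic()}
    fw = Firewall([
        # Workstations must not speak SMTP directly to the outside: block only that traffic.
        Rule("direct-smtp", "tcp", 25, ANY, "drop"),
        # SMB to a peer workstation is treated as worm propagation: isolate the host.
        Rule("lateral-smb", "tcp", 445, ip_network("10.1.1.0/24"), "quarantine"),
    ], nics)
    fw.observe(Flow("10.1.1.10", "203.0.113.5", "tcp", 25))
    fw.observe(Flow("10.1.1.11", "10.1.1.12", "tcp", 445))
    return {
        "h10_smtp": nics["10.1.1.10"].forward(Flow("10.1.1.10", "203.0.113.6", "tcp", 25)),
        "h10_https": nics["10.1.1.10"].forward(Flow("10.1.1.10", "203.0.113.6", "tcp", 443)),
        "h11_https": nics["10.1.1.11"].forward(Flow("10.1.1.11", "203.0.113.6", "tcp", 443)),
        "h11_remediation": nics["10.1.1.11"].forward(Flow("10.1.1.11", REMEDIATION_SERVER, "tcp", 443)),
    }


if __name__ == "__main__":
    for key, action in demo().items():
        print(f"{key}: {action}")
```

Two design points carry over to the real thing. A clean NIC defaults to allow, so enforcement is added per violation and never depends on software inside the host; and quarantine replaces the whole filter table rather than appending to it, so an earlier, narrower rule cannot leave a path open. The obvious caveat is the channel from firewall to NIC: whatever can install a filter can also lift one or cut a host off entirely, so that channel needs authentication and access control of its own.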
Check Point said it has also increased the throughput of VPN-1 on standard IBM servers to support the new features. The software reached 10Gbit/s last year, and Check Point said the latest version reaches 12Gbit/s. This lets customers turn on more security features and still have enough processing headroom to run at line speed on most networks, the company said.
Check Point is also overhauling its management software so it doesn't require as much downtime when it is being upgraded. Major management updates previously required server downtime, but the new management software can be upgraded using plug-ins.
The first plug-in available supports policy management for Check Point's SSL VPN gear, allowing SSL VPN policies to be set centrally; previously they had to be set on each machine individually. Disruption to the management server while the plug-in is added will be minimal, Check Point said.