Check Point has traditionally produced high-end security products such as Firewall-1 and VPN-1, which are attractive to larger organisations but not affordable for small and medium companies. Check Point Express has been produced specifically for this latter market. The package runs on Windows NT/2000, Solaris, Linux, AIX, Nokia's firewall hardware and Check Point's own "SecurePlatform" OS; our review used a 1GHz server with 1GB RAM running Windows 2000 Server SP4.
The package includes the main components of a modern firewall. The core is Check Point's Firewall-1 security system, and you also get the VPN-1 server and the SecuRemote VPN client. The SmartDefense IDS technology that's built into Check Point's other products (see the earlier review of Check Point’s InterSpect) is also included, as is the SmartCenter centralised management tool.
The installer is fairly straightforward – you just pick the items you want to install (the ones that are checked by default will usually do the job just fine) and let it run. The SmartCenter management tools can be run either on the firewall machine itself or on a remote workstation – you can tell the system what IP addresses or hostnames to "trust" as management consoles as part of the installation process.
Once the installation is complete, you're walked through a wizard that lets you define administrator IDs, trusted management console addresses and secure certificate keystrings, as well as importing licence details. Licensing is a bit of a nuisance, as you have to register your product's activation code on Check Point's site, obtain a licence file, then import that licence file into the control panel application, but at least you only have to do this once.
In operation, the management GUI will be familiar to anyone who's ever used Firewall-1 or any of Check Point's other products. Firewall and VPN rules are defined in terms of source and destination machine/network/address range, and as you'd expect you can define groups of machines (for easy reference) as well as specifying your own connection types (to cater for home-grown client-server applications or other programs that aren't covered by the built-in application definitions).
The administrator gets a vast wad of applications for controlling the system. The Configuration tool is the low-level setup widget, and doesn't rely on being able to connect over the network, so it's here that you define and edit administrator accounts and management IP addresses. The SmartDashboard tool is the main rule editor that Firewall-1 users will be familiar with, though it now also includes the management tool for the SmartDefense facility (including the ability to pull down updated signature files, assuming you've bought the appropriate subscription).
The SecureClient Packaging Tool lets you build a one-hit installer for the VPN client based on your specific requirements (authentication methods, whether you want the user to see the installer, and so on). Finally, SmartLSM and SmartUpdate are a pair of tools that provide control and policy management over a distributed network of Check Point installations around the corporate network and/or the Internet.
There's plenty of activity and status monitoring/logging, too. SmartView Monitor lets you monitor what's going on with your firewalls (you can define your own reports, though it comes with a bunch of standard ones along the usual "top ten" theme). SmartView Reporter is a report collation tool that handles more complex reporting than the Monitor package. SmartView Status works more along the lines of general status monitoring and alert tracking/collation. And SmartView Tracker allows you to drill down into the Express logs and filter items by type, interface, source, destination and so on, so that you can see the wood for the trees when investigating issues on a highly active firewall. Finally, the User Monitor tool is used to monitor SecuRemote users as they come in and out of your VPN world.
Check Point Express is a sensible extension of Check Point's product line, and includes everything you'd expect in an SME firewall, along with some more modern IDS technology in the form of SmartDefense. The company's history as one of the longest-established firewall/VPN vendors can also only be a good thing.
Check Point Express brings a well-known, respected firewall into an affordable price range for the SME. Bear in mind, though, that if performance is going to be an issue you may prefer to go for a hardware-based unit from the likes of Cisco or NetScreen, as these tend to work faster than packages that run on workstation hardware under a traditional operating system.