InterSpect is Check Point's first venture into the appliance market. The unit, which in the case of our review model shipped on a Dell PowerEdge 1750 server, is an intrusion detection and prevention device aimed at the internal security market. That is, instead of sitting like a traditional firewall at the edge of the network, it is intended to sit inside the corporate LAN and provide protection between the various segments.
The unit operates in one of three modes. The default is Switch Mode, where the unit is invisible to the network and traffic is passed between ports just like a standard network switch would do. In Bridge Mode, you start to divide the network into "zones", with each port belonging to a different zone and bridging traffic between that zone and the backbone (but without changing the source addresses in the packets as they pass through).
Finally, Router Mode takes the concept a step further and acts just like a router, i.e. packets are forwarded not with their original source addresses but with the address of the appropriate port on the InterSpect.
Whichever mode the unit is in, its purpose is to inspect the packets as they go through the unit to decide whether the contents pose any threat. The system is based on Check Point's SecureDefense technology, which works at pretty well all levels between the IP layer (spotting SYN floods, for instance, or identifying packets with duff sequence numbers) and the application layer (picking out HTTP headers, for instance, or ensuring that an FTP data connection is acceptable in the context of the FTP control commands it's seen). This isn't anything particularly innovative, of course (Check Point have been doing that kind of thing with Stateful Inspection for years now), but obviously the analysis functions have evolved over time to cope with new applications, and more significantly have been made sufficiently fast to work at LAN speeds instead of being stuck out on the WAN connection.
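To make the paragraph's three classes of check concrete, here is an added toy inspector that is not Check Point's code and does not model SecureDefense itself. It tracks TCP connection state per flow over a constructed sequence of segments and raises an alert for a SYN flood (too many half-open connections from one source), for a data segment whose sequence number falls outside the receiver's window, and for an active-mode FTP data connection that no PORT command on the control channel announced. The `Pkt` record, the `HALF_OPEN_LIMIT` and `WINDOW` thresholds, and the sample addresses are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

HALF_OPEN_LIMIT = 5     # assumed threshold for this toy; a real product tunes this
WINDOW = 65535          # assumed receive window for the sequence sanity check


@dataclass
class Pkt:
    """One TCP segment, reduced to the fields the checks below need (assumed model)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # "S" = SYN, "SA" = SYN/ACK, "A" = ACK (data rides in payload)
    seq: int = 0
    payload: str = ""


class Inspector:
    def __init__(self):
        self.flows = {}                     # (src, sport, dst, dport) -> {"state", "next_seq"}
        self.half_open = defaultdict(set)   # source IP -> flows still waiting for a SYN/ACK
        self.expected_ftp_data = set()      # (client_ip, client_port) announced with PORT
        self.alerts = []

    def _alert(self, kind, p):
        self.alerts.append((kind, f"{p.src}:{p.sport}->{p.dst}:{p.dport}"))

    def inspect(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)

        if p.flags == "S":
            # Active-mode FTP: the server opens the data channel from port 20 to the
            # client. Accept it only if the control channel announced that port.
            if p.sport == 20 and (p.dst, p.dport) not in self.expected_ftp_data:
                self._alert("ftp-data-without-port-command", p)
            self.flows[fwd] = {"state": "SYN_SENT", "next_seq": p.seq + 1}
            self.half_open[p.src].add(fwd)
            if len(self.half_open[p.src]) > HALF_OPEN_LIMIT:
                self._alert("syn-flood", p)
            return

        if p.flags == "SA" and rev in self.flows:
            # Handshake completing: the originator is no longer half-open.
            self.flows[rev]["state"] = "ESTABLISHED"
            self.flows[fwd] = {"state": "ESTABLISHED", "next_seq": p.seq + 1}
            self.half_open[p.dst].discard(rev)
            return

        if fwd not in self.flows or self.flows[fwd]["state"] != "ESTABLISHED":
            self._alert("packet-outside-known-connection", p)
            return

        flow = self.flows[fwd]
        # Sequence-number sanity: data must land inside the receiver's window.
        if not (flow["next_seq"] <= p.seq < flow["next_seq"] + WINDOW):
            self._alert("bad-sequence-number", p)
            return
        flow["next_seq"] = p.seq + len(p.payload)

        # Application-layer context: remember PORT commands seen on the control channel.
        if p.dport == 21 and p.payload.startswith("PORT "):
            octets = p.payload[5:].strip().split(",")
            if len(octets) == 6 and all(o.isdigit() for o in octets):
                ip = ".".join(octets[:4])
                port = int(octets[4]) * 256 + int(octets[5])
                self.expected_ftp_data.add((ip, port))


def run_scenario(packets):
    """Feed constructed segments through a fresh inspector; return the alert kinds raised."""
    insp = Inspector()
    for p in packets:
        insp.inspect(p)
    return [kind for kind, _ in insp.alerts]


def demo():
    c, s = "10.0.0.5", "10.0.0.9"   # constructed client and FTP server addresses
    # Constructed: a legitimate active-mode FTP session; PORT 10,0,0,5,4,1 means port 1025.
    good = [
        Pkt(c, 40000, s, 21, "S", seq=1000),
        Pkt(s, 21, c, 40000, "SA", seq=5000),
        Pkt(c, 40000, s, 21, "A", seq=1001, payload="PORT 10,0,0,5,4,1\r\n"),
        Pkt(s, 20, c, 1025, "S", seq=7000),          # matches the PORT command above
    ]
    # Constructed: a data connection that no control command asked for.
    rogue = [Pkt(s, 20, c, 2222, "S", seq=7000)]
    # Constructed: six half-open connections from one host with no SYN/ACKs.
    flood = [Pkt("10.0.0.66", 50000 + i, s, 80 + i, "S", seq=i) for i in range(6)]
    # Constructed: a segment whose sequence number is far outside the window.
    bad_seq = good[:3] + [Pkt(c, 40000, s, 21, "A", seq=9_000_000, payload="QUIT\r\n")]
    return {
        "good": run_scenario(good),
        "rogue": run_scenario(rogue),
        "flood": run_scenario(flood),
        "bad_seq": run_scenario(bad_seq),
    }


if __name__ == "__main__":
    for name, alerts in demo().items():
        print(f"{name}: {alerts}")
```

The point the review makes about speed shows up even in this toy: every check needs per-flow state (and, for FTP, state carried from one connection to another), which is why doing it at LAN rates rather than on a WAN link is the hard part.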
The easiest way to start is to run up the device with a keyboard and screen, and to set the IP address of the main Ethernet port via the text-based interface. Once you've done this, you can connect it to the network and connect via a Web browser. This allows you to download the four management applications that are used to monitor and manage the unit (note that at present, you have to manage devices one-by-one; a multi-device management tool will be available in due course, though).
The main configuration tool is SmartDashboard. This is where you define the zones on the network (if you're using Bridge or Router mode) and also where you tell the unit which types of attack you want it to protect against. The attacks are split into two categories: network security (ping of death, port scans, SYN floods and such like) and application intelligence (HTTP, peer-to-peer applications, verification of DNS message correctness, and so on). Protection against each attack type can be turned on or off, and you can also select "monitor only" mode for any or all attack types, which is useful when you first connect the device as you can see what's going on without unwittingly breaking users' programs.
SmartView Monitor is the basic reporting tool for the system, and provides a real-time view on the traffic the InterSpect is seeing; the display automatically updates when new traffic types are seen, and you can record data to disk for later replay if you so desire. There are plenty of built-in reports (including the usual culprits such as the "top 10" types) but you can define your own custom-built selections if you wish.
A more complex reporting tool, SmartView Reporter, works on historical data to produce graphical and text-based reports (you pick the reports you want, hit Generate, and a few seconds later the results are fired up in a Web browser). The final data viewing tool is SmartView Tracker, which is another monitoring tool that displays network behaviour information line by line, but with the ability for the system manager to define customised filters so that only "interesting" information is displayed on the screen.
LAN-based intrusion protection is definitely a fine idea. It's hard to get excited about InterSpect, but to be fair to Check Point this is probably because the actual protection technology they're bringing to the market is nothing particularly new and exciting; the interesting bit is that it's no longer sitting at the edge of the network, but that it's in the middle protecting the various areas of the LAN from each other. We have no doubt that this type of protection will become very popular, very quickly, and Check Point is in exactly the right place at the right time.
Our only concern about this type of device is that it's a PC-based appliance. Check Point assures us that the throughput of the top-end model, the InterSpect 610, really is 1Gbit/sec; some independent lab figures are needed to back this up and reassure potential customers.
Bear in mind that if you have multiple units, you'll have to manage them separately until the multi-unit manager is available.