The new device, called Check Point 61000, is available now. Fully loaded, the 14-slot chassis achieves 200Gbps firewall throughput, with that number growing to 400Gbps next year with new blades and eventually to 1Tbps with yet another generation of blades, the company says. Pricing starts at $195,000.
A second device that is designed for data centers -- Check Point 21400 -- is smaller, but still larger than the company's current largest security platform. Also available now, the 21400 supports 50Gbps firewall throughput that can be doubled by adding an acceleration card, the company says. Pricing starts at $115,000.
Measuring security power units
Check Point is also introducing a new way of measuring the performance of its devices with the intent of making it simpler for customers to figure out what hardware best fits their needs. Using a metric called SPU (Security Power Units), customers can match their needs to Check Point products.
An SPU is a representation of the security functions a device can support and the size of the network connection the device has. So a customer that wants to run a firewall, IPS, URL filtering and application control on a device that is connected to an 800Mbps network would need a device with an SPU rating of 1,170, the company says.
If the customer wanted to run just IPS and application control on a 500Mbps connection, the device would need a 290 SPU rating.
Check Point provides a calculator for customers to figure out their SPU needs. They can also use the calculator to estimate future needs, so they can buy devices with enough headroom to meet projected demand, the company says.
Check Point is rolling out a new version of its modular security software platform that runs on its appliances as well as off-the-shelf hardware. New with the R75.20 release is URL filtering that can block Web applications that aren't URL-based, such as Skype. Policies for this type of Web application and for URLs are controlled from one dashboard.
The URL filtering draws on a cloud-based database of sites that can be downloaded to update individual customer security gateways. Users can override URL blocking by checking a box that says the site is needed for a work-related activity and stating what that reason is. That information can be used to monitor activities and help decide whether filtering policies need to be changed, the company says.
R75.20 software adds a proxy that terminates SSL sessions so the traffic can be run through security filters. Customers can configure exceptions so that, for instance, employees may carry on SSL transactions with their banks without the traffic being decrypted by the gateway.
The software extends the capabilities of its data-loss protection software blade to internal email, so it could prevent sensitive financial data from being sent to anyone outside the finance department of the company. The new capability works with Outlook and Active Directory. Previously, the DLP blade could apply filters only to email traveling in and out of the corporate network.