This story was printed from ZDNet Australia.
Battling to secure your network

By Scott Ferguson and Gil Thew, Technology & Business magazine
November 13, 2003
URL: http://www.zdnet.com.au/insight/soa/Battling-to-secure-your-network/0,139023731,120280935,00.htm




Scott Ferguson, Regional Director, Check Point Software Technologies and Gil Thew, Director of Australia and New Zealand, NetScreen Technologies

The top men at NetScreen and Check Point go head-to-head on security solutions.

THEW: Does the addition of the S-Box and the recent announcement of your VPN-1 Edge product (which appears to be the same platform as the S-Box) indicate your recognition of customer demand for dedicated security appliances vs PC implementations and a subsequent shift in your product and development strategy?

FERGUSON: Check Point customers have always demanded and been delivered dedicated security appliances. In fact, most of our implementations run on optimised appliances from partners such as Nokia, Alteon, and Resilience. Most importantly however, to allow upgradeability and maximum configuration options (providing maximum investment protection for our customers), security deployment must be a software application running on a hardware platform rather than ASIC-based technology.

FERGUSON: How do you deal with integration of product after a company acquisition, in particular, amalgamating management platforms?

THEW: NetScreen's acquisition philosophy is to seek technologies and companies that fulfil our product goals as a network security company and whose underlying technology can most easily be adapted to our platforms.

NetScreen views management of the security layers to be crucial to an effective security strategy. Our NetScreen-Security Manager "NSM" was architected with this thought in mind. NSM was designed to manage F/W, VPN, DoS, antivirus, and IDP policies consistently across the security layers, as well as to easily port the management of acquired technologies to it. This breakthrough management product has recently finished beta with both carriers and enterprises and will be publicly released in November 2003.

THEW: With the addition of your appliance-based products, do you intend to increase your performance and functionality with ASIC or other hardware-based silicon?

FERGUSON: Our performance is already multi-gigabit. For over two years we have offered our customers ASIC-based performance enhancement products, which offload much of the networking, not security, functions to dedicated processors.

FERGUSON: What strategy do you employ for retaining talented employees after the acquisition of a company?

THEW: People are the greatest asset of any company and it is NetScreen's philosophy to retain as many of the acquired staff as possible. This was the case in our acquisition of OneSecure and it is certainly our intention following our stated acquisition of Neoteris. Both of these companies were in local proximity to NetScreen, have similar corporate cultures, and develop significantly advanced technology - all of which assist in the integration process.

THEW: A portion of the Check Point strategy has been to partner with a number of hardware vendors to deploy Check Point software. The strategy would appear to create competition between these hardware vendors with an obvious result being that many of them would go out of business or be acquired prior to failure, resulting in disappointed customers which are stuck with these products. If this strategy is to remain the same, will Check Point begin partnerships with more mature companies to alleviate or minimise such occurrences?

FERGUSON: Our key hardware vendor partners are Nokia, Sun, IBM, and HP. We don't see any of them going out of business in the near future.

The Check Point strategy is to offer our customers choice of platform and operating system. This way our customers can leverage the investment they have already made in training, sparing, and vendor relationships etc, without the need to deploy and learn about a proprietary system.

FERGUSON: What is NetScreen's vision for its role in the IT marketplace?

THEW: NetScreen is considered by many security analysts to be gaining the most market share in the major Asia-Pacific countries. With the recent expansions in our appliance-based product line and ever-increasing features, it is our intention to become the number one market share leader in Australia and New Zealand.

THEW: Approximately 35 percent of your revenue comes from your relationship with Nokia. Will the introduction of your recent appliances and potentially additional appliances affect your relationship and subsequent revenue stream from Nokia, especially given Nokia has begun to offer their own security products such as their recent SSL VPN product?

FERGUSON: Our relationship with Nokia has a long and successful history. I don't see that changing in the future. Nokia actually rebadge some of our appliances. We have no issue with Nokia's SSL VPN product offering and in fact welcome it as yet another option our customers can take advantage of. Nokia platforms are among the most robust, secure, and reliable available on the market today, and their customer service is second to none. We only see our relationship at both a local and global level becoming even stronger in the future.

FERGUSON: We have seen some recent reports regarding the regional discontent within NetScreen's channel partners. What is your channel strategy?

THEW: Our NetScreen APAC channel partner meeting, held in Australia in August, in fact indicated our channel partners are quite happy with their NetScreen relationship and the two-tier model, with major account sales personnel supporting targeted accounts. Indeed the fact that NetScreen partners in Australia have more than doubled partner revenues in the last 12 months is very telling. To satisfy growing demand and to support our broadening product line, we have recently added additional partners in Australia and New Zealand to extend our reach.

THEW: Nokia has recently shifted its Check Point-related security into a different business unit within Nokia, wherein the security component is a minor portion of that business unit revenue. Since the Check Point/Nokia security product revenue is such a small portion of this business unit and not a Nokia core competency, does Check Point have alternative strategies to make up for any loss from this revenue stream?

FERGUSON: Nokia has been focused on the security market since its acquisition of Ipsilon. The revenue stream is comparatively small compared to other product lines that they sell, but they do see this market as of strategic importance. From discussions that we have had, I do not see the revenue stream decreasing but in fact increasing in the coming months.

FERGUSON: Have you seen a significant uptake in wireless technology amongst NetScreen customers?

THEW: We have seen customers investigating potential deployments of wireless computers due to its ease of deployment and obvious advantages, but we haven't seen many wide-scale implementations as yet. While many companies are deploying VPNs as one way to secure wireless, many are waiting for the standards organisations to finalise 802.11i which specifically addresses key issues of security for wireless devices.

NetScreen already provides specific advantages to wireless within the infrastructure such as accelerated VPN termination on every port, scalable managed VPN/FW clients, and high ramp rates for large-scale environments. We intend to be a significant provider to this community of users with new upcoming features.

THEW: Industry analyst reports are reflecting increasing demand from customers for integrated security to increase total cost of ownership, easier management and deployability. As such, do you intend to embed technologies such as antivirus and IDP technology and if so would that technology be based on a single appliance-based platform?

FERGUSON: Our customers have demanded fully integrated security since we began the company in 1993. Check Point has offered this in conjunction with our 350 OPSEC (Open Platform for Security) partners, as is deployed and managed through Check Point's OPSEC Manager. This allows customers to operate from a single centralised management platform and deploy consistent policies and rules across multiple technologies and push them to the point of enforcement. This way our customers can choose the products and technologies needed to secure their business from market leading vendors.

Examples include: antivirus from Trend Micro and Symantec, content and URL filtering from Websense or Surf Control, authentication from RSA, ID from ISS, forensics from NetForensics. Our customers can choose from over 170 products, secure in the knowledge that they fully integrate with Check Point gateways and management.

FERGUSON: What is NetScreen's migration strategy for customers deploying new and emerging technologies?

THEW: Gartner and other key analysts have highlighted customer demand for the integration of security technologies, for total cost of ownership, ease of deployment, and consistent policy management across the numerous security layers. From its inception, NetScreen has addressed these issues, focusing on the integration of disparate security layers into silicon. NetScreen was the first to integrate Firewalls, VPNs, DoS, and now IDP and antivirus into a single hardware-based appliance. Our belief is that providing integrated manageability of these layers empowers the security manager and will minimise policy conflicts across the various security layers.

THEW: Your recent "AI" product offering is based on proxy technology versus stateful inspection, which requires more development per supported protocol and makes high availability nearly impossible to achieve. Will proxy-based technology become your technology direction for future application inspection development versus doing deeper inspection within the packet while maintaining stateful inspection?

FERGUSON: Next-generation Application Intelligence is an innovative technology that is predicated on stateful inspection. Stateful inspection is a Check Point patented invention delivered to the market since the mid 1990s. It is the deepest form of packet inspection available on the market today. Some of the functions within Smart Defence, an operational element of Application Intelligence, use Security Server to enforce RFCs around commonly used protocols such as HTTP, SMTP, and FTP. Stateful inspection operates from layer 2 to layer 7 of the OSI 7 layer model. With Security Server the gateway itself acts as a proxy and supports rigorously the protocol RFCs. Most of the functions of Application Intelligence are located in the kernel and as such operate at wire speed. We take a heuristic approach to packet inspection with 167 protocol definitions running within the kernel. Only Check Point's stateful inspection examines in detail and in context the data payload within the packet. Stateful inspection is our core technology today and into the future.

FERGUSON: Check Point believes in intrusion prevention vs intrusion detection. What is NetScreen's view on this?

THEW: NetScreen acquired OneSecure just over a year ago, allowing it to provide a leading solution for intrusion detection and prevention (IDP). NetScreen is the first company to tightly integrate this technology into its existing platforms to create the industry's first "Deep Inspection Firewall". This new breed of firewall addresses the increased need for solutions due to the massive growth of viruses, Trojans, worms, and other application-layer attacks.

THEW: Gartner and other key analysts have predicted a continued trend for security appliances which provide more integration of security technologies and tighter integration into the network infrastructure. Is Check Point going to provide tighter network integration which would include dynamic VPNs using routing protocols, to include full mesh redundancy, virtual routers, IPV6 (with IPV6 Gateway functionality), etc?

FERGUSON: Check Point has an absolute belief that security must reside above the network layer. This has been validated recently, as we see multiple attacks at the operating system, protocol and application layer increasing in frequency and severity. Clearly any security offering needs an awareness of the network componentry and topology, but the network should also be transparent to the security offering. We have been offering dynamic VPN and fully meshed VPN topologies since 2001. VPN routing must reside above the network layer. Dynamic VPNs can be considered a security vulnerability due to the dependency on obtaining routing information from an external source. Our VPN technology sits within the gateway and is an integral part of the firewall. VPNs are crafted from the gateway, the application server or the device - whether that be a desktop, a laptop, an Apple Macintosh, a PDA, or even a mobile phone. We are IPV6 compliant and announced support for IPV6 in May 2001. However the relevance of IPV6 is at the networking layer and the only relevance to security is the addressing and direction of traffic.

FERGUSON: Check Point has a strong philosophy in supporting and delivering education through Australian tertiary institutions to help address the skills shortage in the marketplace. What is NetScreen's philosophy on this?

THEW: NetScreen has an extensive array of training programs, which are offered to authorised training partners, channel partners, and end customers. We are aggressively increasing the number of authorised training partners to ensure customers have ready and close access for their training needs. NetScreen also has an extensive security seminar program in place to provide information to end-users.

THEW: Customers are rapidly securing more points within their intranet and require implementations to be as transparent as possible so that network reconfigurations are limited or non-existent. In light of this trend, will Check Point develop a "transparent mode" feature to accommodate their needs?

FERGUSON: Check Point already sees the network as transparent. Since we operate at layer 7, our customers have - and always have had - complete freedom to design and implement their networks in a manner that is most appropriate for their business needs. Their choice of transport layer is entirely based on their business requirement. So from our perspective a customer can deploy whatever networking technology they want whether it be any form of wireless or wire based technology both with the local area and the wide area network.

FERGUSON: According to IDC, NetScreen has less than 10 percent of the global market, but has a very strong position in Asia. How do you explain your relative strength in Asia?

THEW: NetScreen actually has a 16 percent share of the global market according to IDC's Q2 WW Security Appliance Tracker. Historically, NetScreen has and continues to do extremely well in Asia - leading in Japan with 23 percent market share and experiencing significant growth in all other APAC countries.

One of many reasons we have been successful in Asia are the NetScreen innovations which have enabled competitive business advantages for service providers due to our cost/performance and ease of use/deployment. Innovations such as Virtual Systems which provides many firewall domains within a single device, our transparent mode which enabled deployments without major network reconfigurations, scalable performance, ease of management, and breadth of product are just some of the reasons for success.

THEW: Have you managed to entice many clients on to the hot pink Check Point outrigger canoe down at Pittwater?

FERGUSON: Yes :)

FERGUSON: Who would you like to see playing the Wallabies in the World Cup Final?

THEW: Anybody, just as long as you can guarantee that the Wallabies will get to the Final!

Scott Ferguson, Regional Director, Check Point Software Technologies
About Check Point
Check Point Software Technologies specialises in securing the Internet, concentrating on VPN and firewall markets. Its Next Generation product line provides perimeter, internal and Web security solutions that protect business communications and resources for corporate networks and applications, remote employees, branch offices and partner extranets.
Gil Thew, Director of Australia and New Zealand, NetScreen Technologies
About NetScreen
NetScreen Technologies is a developer of integrated network security solutions. NetScreen's solutions provide key security technologies, such as virtual private network, denial of service protection, firewalls, and intrusion prevention, in a line of security appliances and systems. www.netscreen.com
