This "Firewall Appliances" document was written in 2003 by Thomas Jerry Scott to use in his Computer Security classes. Some original material is included here as well as information from many web sources.

Checkpoint Firewall Appliances Table of Contents

  1. Checkpoint's Efforts to Provide Firewalls to Different Businesses

  2. Nokia's Checkpoint Firewall Appliances

  3. Celestix Sofaware Low Cost Firewall Appliances

Return to the Beginning of This Document

Checkpoint Develops Different Firewall Appliances

Checkpoint originally developed FW1 to run on Windows NT. Customers migrated their 10 Mbps hubbed Ethernets to much faster 100 Mbps switched Ethernets, and demanded faster throughput speeds than NT4 could deliver. It was well known that Unix/Solaris and Linux would deliver over 40% more network throughput than Windows NT when 100 Mbps Ethernets were used.

To meet this need, Checkpoint first ported their FW1 product to run on Unix operating systems. This interesting "reverse-port" used the tools from Bristol software. At that point, Checkpoint had two code-bases, one for their NT line, and the newly ported Unix version.

As the Unix code port was achieved, Checkpoint started working with OEMs to develop and deliver firewall appliances, mostly based on Unix. Next, Checkpoint retooled its entire software line to produce one code base, which would run similarly on both Windows (including NT and 2000 servers and XP workstations) and Unix/Linux environments. The new Checkpoint product was named FW1-NG, where the "NG" stands for "Next Generation".

The first major Checkpoint OEM to deliver a Unix solution was Nokia, who delivered a line of Checkpoint appliances designed to meet different customer needs. Nokia started off with a freeware version of Unix that ran on Intel-based systems. The Nokia engineers started with the open source code, eliminated all the Unix features that a firewall does not need, and then hardened this version of Unix. Since the resulting hardened Unix was Intel based, this gave Nokia a wide and inexpensive range of hardware solutions, which could meet many business requirements ranging from small to large businesses.

Next, Checkpoint developed the "SofaWare" firewall products, which are Unix-based hardware products designed to run on low-cost Intel-based hardware, and to be administered from any web browser. The Sofaware products are designed to compete with the very low-cost firewall boxes, such as the Linksys, SMC, or NetGear boxes that many home users and small businesses with cable/DSL internet capabilities use to protect their computers. As we will see in this document, the Sofaware products are higher priced than similar Linksys products. To offset this cost, Sofaware products offer two distinct advantages:

Nokia provides a range of Checkpoint firewall appliances. Nokia produced a hardened version of Unix, which they call IPSO, short for IP Security Operating System. Nokia puts a number of routing protocols into their firewalls, so that many Nokia firewalls provide both router and firewall services. In many small businesses, the Nokia firewall serves both as router and firewall for securing Internet activity.

Nokia also built secure access protocols, such as SSH, into their routers. Most of the firewalls come with 3 or more Ethernet ports and serial ports for either WAN access or local management. Nokia also provides telnet, http, and other protocols for remote management.

There are many Nokia models, including the following:

Table 1: Nokia Firewalls

| Nokia Model | Characteristics | Speeds |
|---|---|---|
| IP 120 | 3 10/100 Ethernets, T1/E1, ISDN BRI, Single V.35 | 100 Mbps / 4.4 Mbps 3DES |
| IP 330 | 3 10/100 Ethernets, Optional Dual 10/100 Ethernet, T1/E1, Single V.35, Analog Modem, ISDN-BRI | 139 Mbps / 22 Mbps 3DES |
| IP 530 | 4 10/100 Ethernets, 3 CPCI Interfaces, HSSI, ATM Fiber Interface, V.35 Interfaces | 507 Mbps / 115 3DES |
| IP 710 | 4 Ethernet ports, 4 CPCI, T1/E1, ISDN BRI, Dual V.35, MultiMode Fiber Ethernet | 700 Mbps / 139 3DES |
| IP 740 | 4 10/100 Ethernets, 4 CPCI, ISDN BRI, E1/T1, Dual V.35, Multimode Fiber Ethernet | 2.0 Gbps / 139 3DES |

Celestix Sofaware Small Business Appliances

A number of Sofaware vendors make Checkpoint appliances to meet different home and business needs. The Celestix line of Sofaware products has been chosen to illustrate the cost, number of users served, and NIC/VPN capabilities of these appliance firewalls.

There are many Celestix Sofaware models, but we concentrate on the following six models:

  1. FV100-Safe@Home -- The Home User with a couple of Computers

  2. FV100 Safe@Home Pro -- Small Office with up to 10 Users and 5 VPN channels

  3. FV100-Safe@Office -- Up to 10-25 Users and 10 VPN Tunnels

  4. FV435 -- 3 NICS, 50 Users, 50 Mbps Firewall, and 10 Mbps VPN Support

  5. FV830 -- 3 NICS, 190/45 Mbps Firewall/VPN Throughput

  6. FV940 -- 5 NICS, 25+ Users, 305/122 Mbps Firewall/VPN Throughput

These differing firewalls deliver security solutions to home offices, small businesses and distributed enterprises. The street/internet prices range from about $250 for the FV100 Safe@Home to $2000 for the high-end FV940. Each of these models provides the following benefits:

The FV100 - Safe@Home Appliance Firewall

FV100-Safe@Home - designed for home PC protection with 2 10/100 Mbps ethernet ports. The FV100-Safe@Home is a firewall only device designed for small remote sites requiring network access without a VPN. It supports a maximum of five users inside the private network, and behind the FV100. The internet/street price for the FV100 is approximately $225.

FV100 Safe@Home Professional Appliance Firewall

FV100-Safe@Home Pro - enables small business branch offices and partners to cost-effectively and securely communicate with a main office protected by a FV100-@Office appliance.

The FV100-Safe@Home Pro includes firewall and VPN client capabilities to securely connect to a corporate LAN from home, or a small office to connect to the corporate headquarters or data center.

FV100 Safe@Office Professional Appliance Firewall

FV100-Safe@Office - protects your network and data from hackers and reduces network downtime, so you can focus on running your business. For small business and branch offices of 10-25 users, providing integrated firewall and site-to-site VPN.

FV100-Safe@Office enables teleworkers, partners and suppliers to securely access business resources, such as email, Web-based and database applications that reside at your business behind the FV100-Safe@Office gateway. FV100-Safe@Office integrates firewall and IPSec VPN capabilities to authenticate identities of remote users, encrypt communications, and verify that data communications have not been altered.

Teleworkers and traveling employees can securely access the corporate network. Branch offices can securely communicate with one another, and partners can securely access the corporate Extranet.

To enable teleworker access, a VPN client, such as VPN-1 SecuRemote or FV100-Safe@Home Pro, must reside on the teleworker's personal computer.

An unlimited number of VPN-1 SecuRemote licenses are provided free of charge with FV100-Safe@Office. To enable branch office and partner access, a VPN client or a VPN gateway, such as FV100-Safe@Office, must reside at their site. For small business and branch offices of 10-25 users, FV100-Safe@Office provides integrated firewall and site-to-site VPN support.

FV435 Security Appliance

The Celestix FV435 VPN/security appliance brings enterprise-class Internet security to small offices. As with the Safe@Office appliance, the FV435 allows remote and branch offices to communicate together securely.

The FV435 allows up to 50 users, has 50 Mbps of Firewall throughput and up to 10 Mbps of VPN throughput. The Internet/Street price for the FV435 is approximately $550.

This performance is thus adequate for outgoing T3 connections for the Firewall, but not quite adequate for T3 output for the VPN. For those small offices with T1 or Fractional T1s out to the Internet, this small, inexpensive firewall provides all the necessary throughput. If the FV435 is used as an Intranet firewall for switched 100 Mbps networks, it will become a bottleneck.

The FV435 integrates market-leading VPN-1®/FireWall-1® SmallOffice™ FP-1/FP-2/FP-3 Next Generation (NG) or NG with Application Intelligence (Enforcement only) software from Check Point™ Software Technologies with the powerful and low-cost Aries hardware security appliance.

The FV435 security appliance is both small and powerful. With VPN-1/FireWall-1 SmallOffice NG pre-installed for rapid deployment, it needs only a Web browser for easy, centralized hardware administration.

The FV435 also has three 10/100 Mbit Ethernet ports, so that the third NIC can be used to enable a DMZ or Separate Services Network. Because of its minimal cost, the FV435 is cost effective for those seeking an integrated VPN/Firewall appliance with easy to install remote VPN clients for workstations and laptops.

FV830 Security Appliance

The FV830 Security Appliance comes with 3 10/100 Mbps Ethernet ports and brings enterprise-class security to large enterprises, remote offices, and small businesses. The Internet/Street price for the FV830 with a 50-user license is approximately $1,000. The cost per user connection can be as low as $20/user.

The FV830 can deliver up to 190 Mbps of firewall and 45 Mbps of 3DES VPN throughput. It has been designed to handle two 100 Mbps switched networks for your private networks. The third 10/100 Mbps Ethernet port can be used for your outbound T1, Fractional T3, or T3 connections to the Internet.

With its lean and hardened OS, the FV830 can achieve its superior level of performance using an Intel Celeron processor running in excess of 900 MHz, with "only" 256 MB of RAM, and a smallish 10 GB HDD.

The High End FV940 Security Appliance

The Celestix FV940 Security Appliance is designed to deliver "Best of Breed" security solutions to mid-size businesses, service providers and data centers. The FV940 rack-mount appliance comes with 3 10/100 Mbps Ethernet ports and also comes with pre-installed market-leading VPN-1/FW1(NG) software from Check Point™ Software Technologies. The FV940 security appliance delivers a flexible and affordable device that is easy to deploy.

The FV940 delivers up to 305 Mbps of firewall and 122 Mbps of 3DES VPN throughput with its built-in VPN acceleration. To achieve its speed the FV940 uses an Intel Pentium® III class CPU running in excess of 1 GHz, 256 MB of RAM, and a 20 GB HDD.

The FV940 also has five ethernet ports, which allow network administrators to segment their network. Three of these ports are 10/100 Mbps Ethernets, while the remaining two ports are 10/100/1000 Ethernet ports. They are all autosensing ports.

The Internet/Street price for the FV940 is approximately $2,000. A complete diagram showing all the Celestix firewalls interacting with a Checkpoint Firewall in an enterprise environment is as follows:
