Jason Stamper talks to two of Check Point's founders about its latest platform launch, and what it is doing to keep the threats from the bad guys - and the competition - at bay.
What can one say about Check Point? The much-admired Israeli security firm has dominated the firewall market since it launched the first commercially available firewall, FireWall-1, way back in 1994. It has hardly missed a step since. Regarded as the leader in both the firewall and virtual private network (VPN) spaces, there appear few chinks in its armour. But are cracks finally appearing?
Analysts say Cisco Systems and Juniper Networks in particular are offering far stiffer competition now, taking the stance that security starts with the network. On top of that, there are a host of smaller specialists in many of Check Point's market sectors. To top it all, some analysts have expressed dismay that Check Point's new licence sales are not showing the growth they had hoped for.
One of the most striking things about Check Point is its operating efficiency. When its founder, chairman and CEO, Gil Shwed, says that he has 'a preference for healthy companies', he is not joking. For its year ended 31 December 2004, it had a net profit margin of 48%. The closest net profit margins in the industry, from the likes of Adobe, Oracle and Microsoft, look paltry in comparison at 27%, 26,4% and 22,9% respectively, in their most recent financial years.
It is not just the company's margins that look good. Its latest quarter saw sales of $137,7m, an increase of 19% year on year. Net income was $73,7m, up 76% on the first quarter of 2004. But despite these seemingly impressive results, some analysts have questioned the company's ability to drive new licence growth. Merrill Lynch analyst, Edward Maguire, said after the results that, "Check Point's 1Q05 results were mixed but nevertheless demonstrate overall resilience of the business. While licences lagged, subscriptions and cost efficiencies drove EPS upside. Despite a solid 2Q05 outlook, near term appreciation depends on improving licence traction."
To be precise, licence sales in the quarter were up 4%. Is that figure a cause for concern? CBR caught up with Check Point's founders last month: Gil Shwed, chairman and CEO, and Marius Nacht, vice-chairman and SVP. Before we asked them about their latest platform launch, we asked what they thought about the recent criticism of their 'lagging' licence growth. "We think we have a healthy business adding new customers," says Shwed.
Shwed - who founded the company in 1993 and with two co-founders wrote the first version of FireWall-1 - says that the company's licence sales growth looks artificially low, because the company moved to a subscriptions model. Instead of charging companies up-front licensing fees for software upgrades, they get the upgrades as part of their subscription. "I agree that it is important for any technology companies to find new customers. But we add two or three thousand new customers per quarter. So it is not that there are not new customers, but with 70 000 accounts there is also a huge emphasis on selling to existing customers," Shwed argues.
"I think also some analysts make the mistake of comparing us to a hardware company," he continues.
"With our subscriptions model customers get the latest version automatically. They do not throw away their old hardware and give us a whole new up-front payment when we come out with a new box, like a hardware company. And overall I think the subscriptions model is a good thing, because it means that financial analysts and investors can better predict the future."
Nacht, too, points to subscription revenue (up 33% year on year in its latest quarter) as confusing the picture of new licence growth: "I think this is a misunderstanding of services. If something breaks, we fix it. But we do this under the subscription model. It is not extra services revenue. I think we have nothing to apologise for that customers subscribe to our services."
Check Point is not sitting on its laurels, however. The company has just launched a new platform, NGX, which it says it hopes will spur additional licence sales as well as impress its existing subscriber base.
NGX is said to be a unified security platform for perimeter, internal and Web security. It is basically an upgrade to the core technology underlying its VPN, firewall and management software. But there are new features in there too: unified perimeter, internal and Web security management that enables administrators to centrally define and manage security policies from a single console; expanded inspection technologies that secure more network and application types; and advanced VPN capabilities such as dynamic routing, which allows enterprises to manage large and complex networks more efficiently with fewer resources, according to the company.
Check Point says NGX also ensures that enterprise security systems can be easily extended to adapt to new and evolving threats. "This is the biggest announcement in four years for Check Point," says Shwed. "We have improved the platform all over. The biggest thing though is the unified security architecture, which makes protection of internal, the perimeter and the Web more consistent."
Nacht explains how he believes NGX differs from what the competition is offering: "A lot of other companies are box companies. They sell you a box for firewall, VPN, IDS, IPS, QoS, routing - it goes on and on. Then you need two of everything for redundancy. Also you need separate management consoles and you have to manually figure out your policy for all of those. They do not get the security they paid for, and they do not get their ROI. NGX is a unified platform for perimeter, the Web, and PC end-points. You can provision, monitor, deploy and analyse from a single, consistent interface."
But it is not quite so straightforward, because Check Point not only partners with numerous hardware vendors - such as Nokia, IBM and HP, who put its software onto devices to turn them into security appliances - but it has also recently begun selling its own security appliances at the lower end of the spectrum. But Shwed is ambivalent about the idea of security appliances: "Some customers do want an appliance, yes," he says. "But some want to run on Windows, some want to run on Linux. There is not one platform that suits everybody. We have our own secure platform. It is a single CD that can turn any Intel server into an appliance. It saves you buying the OS. It means you can take the lowest cost and highest spec hardware. This product is actually the fastest growing share for us. For other customers who want the appliance pre-installed, there are our channel partners - Nokia, HP, IBM and others. Three or four years ago this appliance market was growing strongest for us, but not now."
Check Point claims that it still sees security very much being delivered through software first and foremost, whereas competitors like Cisco and Juniper Networks believe in more of a hardware approach. "Security needs to be its own layer," says Shwed. "Are you going to throw out a $1m router because the security needs upgrading on it? Our customers do not want security to just work in the network. Security needs to be network topology independent. Cisco just launched a standalone product which is 12 different products in one box. Guess what - we do all of those and more except we take a software approach. So while I do not think they cannot sell in the space, their architecture is not anywhere close: the DNA of the company and how it works is very different."
The 'standalone product' Shwed is talking about is Cisco's Adaptive Security Appliance (ASA) family, launched early last month. It marked Cisco's first foray into multifunction rather than discrete appliances, offering private Internet exchange (PIX) firewall, network intrusion prevention systems (IPS), VPN and anti-virus/anti-spam functionality, with the last of these provided by strategic Cisco partner, Trend Micro. Cisco's ASA range is designed to span from small and medium sized businesses to large enterprises, and according to Cisco is purpose built for concurrent services scalability and unified management.
Earlier this year Cisco's CEO, John Chambers, took the opportunity to argue against point products, when he said: "You cannot approach this with point products that are loosely coupled together. It has to be a largely self-healing self defending environment... security will evolve with an integrated environment, integrated through each node in the network. Then you move from intrusion detection to how do we prevent, isolate and contain it."
Earlier a big appliance push came from Juniper Networks, which in February last year splashed out $3,5bn for firewall supplier NetScreen Technologies. Juniper CEO, Scott Kriens, told analysts it was a 'game-changing day' in the networking industry. He said the combined company will deliver security 'to the heart of the network centre'.
Since then Juniper has not stood still. Just last month it announced technology enabling its firewalls to become security policy enforcement points, with plans to extend the capability to its routers and IDS/IPS products in coming months. Anton Grashion, Juniper's security strategist for EMEA, said the idea is to have the same kind of security policies operating on carrier and corporate networks. He said that Juniper is splitting the functionality contained in its SSL VPN technology it acquired with NetScreen, enabling the same kind of policy enforcement it has already been offering in VPNs, but inside the corporate network as a whole. "The firewall will now become an internal control point, a trend we had already begun with security zone segmentation," he says.
Shwed, however, remains unconvinced, as you would perhaps expect: "We have been competing with Cisco for eight or nine years and Juniper for two or three years," he says. "Over the years we have kept our line and held our place. If you think about it, NetScreen is the third generation of competitors we have faced in our history, and the acquisition of NetScreen by Juniper shows we have gotten over that problem.
"We do not underestimate anyone, none of our competitors," he continues. "But we have survived pretty well. We keep our vision consistent. We have an integrated approach and real depth and breadth. It is hard for any hardware vendors to try and compete. Cisco is very broad - it has 12 disparate systems that are not built on the same technology."
Shwed also criticises the competition for putting their portfolios together via acquisition: "One of our strengths is we have not been hugely acquisitive," he says. "With other companies you end up with a whole series of acquired point products that are rarely well integrated. They often do not work well together. Apart from Zone Labs we have not really made acquisitions, so all of our technology is pretty much the same architecture. That fits well because it means we can use our R&D more effectively [than the competition]. We do not have to deliver different roadmaps for five or six applications all with different architectures."
But Check Point has acquired - it bought Zone Labs for $205m in cash at the tail end of 2003. Zone Labs was perhaps best known for its free and paid-for versions of ZoneAlarm personal firewall software, which it offers to consumers and businesses. But before it was acquired it had been heavily touting its Integrity enterprise endpoint security system, which is now a fundamental part of Check Point's NGX platform.
According to Nacht there is integration work with Zone Labs still to do: "NGX is a huge step forward but yes, we are going to embrace [Zone Labs] Integrity tighter into the suite. We are doing that this year. Already Eventia Analyser and Reporter can accept events from Integrity and start analysing them. We are going to roll that out further."
So does the acquisition of Zone Labs in 2003 suggest that Shwed is now more open to the idea of acquisitions? Again, he is ambivalent: "The right way to build a software architecture is to build most of it in-house. But the Zone Labs buy should not be thought of as an exclusive acquisition - quite the contrary," he says. "But the main focus is not just any acquisitions: they have to target the broad Check Point market, be able to be integrated into our platform, and fit our strategy. If they meet all of those then we will not hesitate." Before he adds: "I also have a strong preference for healthy companies." If they need to be quite as healthy as Check Point, he may have a long search ahead of him.
Check Point knows it faces increasingly stiff competition from Cisco, Juniper and plenty of others. But its strategy of sticking to its knitting, and building its platform in-house wherever possible, has kept it in rude health so far. It may not be seeing stellar new licence growth, but NGX should help to drive new customer wins, as well as keep its all-important installed base happy.