RichardNZ
Participant

Affordable Appliance Needed for Home Office Users on Gigabit Ethernet

I've used small Checkpoint appliances to secure my home networks & home office for the last 7 years and currently run a Checkpoint 750 (Model L-71W) appliance.

I had upgraded to this device to get better performance out of my 50 Mbit VDSL copper internet connection and enable stricter security settings.

I recently upgraded to gigabit fibre internet. This means my Checkpoint firewall is now very much the network performance bottleneck.

From what I can see, the Checkpoint appliances that would allow me to maximise the utility of my home internet connection (e.g. for remote backups, exporting security system data to offsite storage) are relatively very expensive because they are assumed to be for business use.

I would like for there to be a more affordable option for home users with fast internet connections.

This could be EITHER an upgraded appliance with more processing power and robust SSD storage OR a software license that can be installed on industry standard hardware.

G_W_Albrecht
Legend

There is even more:

1. the new 1600/1800:

The 1600 has 1GbE copper or fiber options for the WAN and DMZ. The 1800 has a 1GbE Management port, 2.5GbE options for the LAN and a 10GbE copper or fiber option for the DMZ.

2. CloudGuard Edge (SMB image for different SD-WAN platforms)

3. CP SW OpenServer licenses

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Chris_Atkinson
Employee

Are you comparing with these models or something else?

Note with R81.10.00 (sk179004) you also have Smart Accel to help on the performance front.

[Image: small-business-security-1530-1800-appliance-specs-table.png]

CCSM R77/R80/ELITE
0 Kudos
RichardNZ
Participant

Thanks for the replies guys.

The key issue I am raising is that of price performance / relevance of hardware specifications to actual security processing workloads / affordability of the SMB appliance products.

The Checkpoint 750 appliance I bought a few years ago has been rebuilt to overcome corruption of the internal database (likely due to a storage fault) and the 2-core CPU appliance is easily saturated by the processing load associated with routine use and its exposure to external internet traffic it is blocking.

If I turned on SSL inspection (which I really should), it would absolutely struggle to provide good levels of data throughput and user experience. When I inspect or query the logs or monitor the firewall I routinely get messages saying that connection has been lost with the firewall (due to CPU saturation).

I have just used the low-quality firewall/router supplied by my internet service provider as a front end to my Checkpoint 750 appliance to shield the Checkpoint 750 from the internet and the processing demands associated with direct exposure to the internet. This is something of an oxymoron 🙂

So, yes I look at the better specified firewall appliances available from Checkpoint but when I check the pricing it does not fit with a home user on a non-business budget.

I'd love if there was an option for a home user to buy a decent quality PC with 6+ cores, an NVMe SSD and 32 GB of RAM and be able to install an affordable Checkpoint software license.

0 Kudos
G_W_Albrecht
Legend

Remember, the 750 is hardware from before Feb 2016 - more than 6 years old! And as always - people want a Mercedes at the price of a VW, and that is impossible. There are a lot of alternatives that may not have the CP functionality or quality but a lower price tag 😉 Open source FWs like pfSense do cost nothing but the hardware...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
RichardNZ
Participant

The 750 appliance might be 6 years old but it was still being sold ~2.5 years ago when I bought it brand new from an official Checkpoint reseller.

The freeware firewalls like OPNsense & pfSense suffer from lack of operating system hardening; lack competitive modern features of the leading commercial firewalls like Checkpoint and generally don't come with rapid updates to exploit protections.

The pricing data in the Screen Shot on a post below shows how pricing ramps up dramatically as device bandwidth and user count increases - this is clearly a business pricing model coupled to more employees requiring more bandwidth to generate more revenue.

A home user / SOHO user is really quite a distinctly different market segment and includes people with a wide range of skillsets.

Checkpoint addresses this market with simple easy to use appliances built using quite low end hardware that is mismatched to the capacity of modern domestic fibre internet connections.

I think this is an issue because I want to be able to securely use all my internet bandwidth ( movies, gaming, offsite backups, security camera feeds, downloads ).

One should note that a home firewall can take a real hammering across a gigabit fibre connection if someone with a botnet decides to be a nuisance or tries to break.

Instead of always selling a home user relatively low powered appliances plus software, perhaps Checkpoint should offer a software only option so a home user can buy suitable industry standard hardware that will handle their workload and throughput expectations.

The benefit of this model is Checkpoint gets more software revenue (much higher margin) and the user is liberated to get a compatible robust high performing hardware platform while enjoying great security. Borrowing your metaphor, the Mercedes firewall software can be run on hardware from VW or BMW or Bugatti.

Hopefully someone from product development / marketing will pick this idea up!

0 Kudos
the_rock
Legend

These CP SMB appliances are good for home use, but I can tell you I know lots of people who use Fortinet 40F series and they work great as well. It really depends what you are looking for and price you are willing to spend 🙂

0 Kudos
PhoneBoy
Admin

Check Point branded hardware and software is geared at Enterprise/SMB customers.
For home/SOHO users, we use the ZoneAlarm brand.

Keep in mind that the vast majority of traffic these days is encrypted.
Without setting up HTTPS Inspection or similar technology, that limits what perimeter security can accomplish.
The complexity of a typical perimeter firewall--even a relatively simple one--is not something the average person will understand, much less want to configure. 
And while there are a few use cases where a perimeter firewall will be superior to an Endpoint-based solution, an Endpoint solution will always follow the asset(s) that need protection, regardless of the physical network they are attached to.

What we offer under ZoneAlarm currently are Endpoint solutions for both PCs and Mobile phones.
They are basically the same products we offer on the Enterprise side without central management capabilities.
The pricing is also more in line with similar offerings from other companies.

Given the above, I don't see a lot of call for a consumer-grade network firewall that would provide meaningful security in a simple way.
That is, of course, merely my opinion and can't say Check Point will never address this market in the future, either directly or through a partnership with someone else. 

In terms of software, we have always offered our enterprise (non SMB) software which can be installed on hardware specified in our Hardware Compatibility List.
It can also be installed in common virtualization environments (e.g. VMware, KVM, Hyper-V).
The pricing is not exactly SOHO friendly, but you can certainly generate 30-day evaluation licenses for it easily enough: https://community.checkpoint.com/t5/General-Topics/How-to-Request-an-Evaluation-License-for-Security... 

More recently, we began offering a software version of the SMB appliances under the name Quantum Edge.
More details here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 
I have not checked the pricing on this solution, but this is another option.

0 Kudos
RichardNZ
Participant

For example: Suite-S4 could actually use all of my home fibre bandwidth but it's far too expensive (NZD) for a SOHO user.

This pricing data clearly shows however just how badly "overrun" the low end Checkpoint appliance hardware is by advancing home broadband connection speeds.

0 Kudos
MikeB
Advisor

I believe these SUITE-N options come with other Check Point products in addition to the Quantum Spark Appliance (Harmony Endpoint + Harmony Email + Harmony Mobile).

0 Kudos
Chris_Atkinson
Employee

Mike's correct, you should discuss appliance only options / requirements with your Check Point reseller or local office representative.

CCSM R77/R80/ELITE
0 Kudos
RichardNZ
Participant

I have just found that Sophos provides a solution for home users to install an advanced firewall on Intel-based hardware of their choosing - limited to 4 cores. It seems like a promising fit for my needs.

Thanks for your responses.

the_rock
Legend

That's awesome! I also heard of people using those for home use and no complaints. I agree with you 100%, it sounds like a good fit for what you are after and like all of us, why spend more money if you don't have to :-)

0 Kudos
Sal_Previtera
Contributor

In my opinion, Checkpoint should stay completely out of the Home Market appliances. As administrators, we cannot deal with 1000+ or 2000+ home users, where junior is downloading God knows what and their parents are trying to VPN into their office job....

Meanwhile the parents are creating filters on the appliance, without complete understanding or knowledge of what they are doing.

Then all of a sudden a link included on the work email is not working and they blame the VPN.

How many hours have been wasted on similar issues?

The only way I will support a CP remote appliance and connection is if they can dedicate the circuit and appliance to remote work only, centrally managed. Not shared with anything else.

If you cannot afford this solution, then get your rear end in the office and work from there.

0 Kudos
the_rock
Legend

I get your points, but arguments can be made both ways. I think @RichardNZ was more referring to use only for him, not 1000+ users :-). Either way, truth is, and this is also 100% fact, EVERY vendor out there will tell you their boxes can do wonders and then you put them to the test and find out the reality. At the end of the day, I personally find it's best to put them all up to the challenge and see which one performs the best... numbers don't lie.

Just as a side note, though no one ever probably reads fine print, but I do (sometimes... :-), numbers you see for the specs on any firewall are valid in simply one scenario... everything default and rule any any allow. So, take that for what it's worth...

0 Kudos
RichardNZ
Participant

And as security threats grow one needs more CPU / RAM / storage & performance to handle the workload one should be running in the firewall.

0 Kudos
RichardNZ
Participant

I already use an SMB appliance at home and its performance is problematic.

I would like a better performing affordable SMB appliance or software image to install on gutsy industry standard hardware that will enable me to really use my Gigabit fibre data link.

Ubiquitous gigabit fibre renders many of the low end price performance points in the SMB appliances obsolete.


PS …. The Sophos solution is looking to be very good. An unexpected outcome.
