Managed Security Services
Profitable Opportunities
November 1998
MSP MARKET BRIEF
I. EXECUTIVE SUMMARY
II. THE MANAGED SECURITY SERVICES MARKET OPPORTUNITY
MUTUAL CUSTOMER-MSP BENEFITS
AN EXPANDING MARKET
SECURITY SERVICES – ON THE ROAD TO E-COMMERCE
III. MANAGED SERVICES OFFERING
AN OVERVIEW
A PLATFORM FOR GROWTH
STRONG FIREWALL PROTECTION
MANAGEMENT EASE IMPERATIVE
MULTIPLE OFFERINGS
IV. CHECK POINT OVERVIEW AND KEY BENEFITS
FIREWALL-1, THE MARKET LEADER
FIREWALL-1 ARCHITECTURE
VIRTUAL PRIVATE NETWORKS
TRAFFIC CONTROL
ADDING THE BENEFITS OF PROVIDER-1
OPSEC: STANDARDS-BASED EXTENSIBILITY AND INVESTMENT PROTECTION
V. CONCLUSION
© 1998 Check Point Software Technologies Ltd. All Rights Reserved.
Check Point, the Check Point logo, ConnectControl, FireWall-1, FloodGate-1, INSPECT, Meta IP, Open
Security Manager OPSEC, RemoteLink, SecuRemote, VPN-1, UAM and IQ Engine are trademarks or registered
trademarks of Check Point Software Technologies Ltd. All other product names mentioned herein are trademarks of
their respective owners.
I. Executive Summary
As corporate demand for secure Internet solutions continues to rise, so does the opportunity for Internet
Service Providers (ISPs) to increase revenues and profitability by providing managed security services.
This category, Managed Service Provider (MSP), which International Data Corporation (IDC) forecasts
will grow from $100 million in 1997 to $3.3 billion in 2000, is the cornerstone of numerous high-growth
offerings. Today these services include secured Internet connectivity and virtual private networks. In the
longer-term, opportunities will emerge for the outsourced hosting of commerce, community and packaged
applications.
Check Point Software Technologies offers prospective MSPs an exceptionally cost-effective platform for
gaining entry into the lucrative managed security services market. In addition to secured Internet access,
Check Point's market-leading Secure Enterprise Networking product platform can be used to deliver a
variety of managed security services, including dedicated and dial-up virtual private networks, intrusion
detection, traffic management, IP address space management and reporting. Also of keen interest to an
MSP is the wide variety of supported hardware platforms, from appliances to enterprise class servers.
For MSPs considering new ways to differentiate themselves and expand business in the corporate target
market, Check Point delivers strong brand equity and investment protection--and a new, value-added way
to acquire and retain customers.
II. The Managed Security Services Market Opportunity
In tandem with the exponential growth in the size and complexity of corporate Internetworking, business
users are quickly adopting outsourcing strategies to handle even what were once considered core activities.
However, these activities remain essential to a company’s operations and their reliability is defined through
Service Level Agreements (SLAs).
Managed services, such as Internet access security, virtual private networks, and traffic management
present a significant opportunity for MSPs and are complementary to existing services such as connectivity
and web hosting. Companies are now recognizing the importance of both security and traffic management
either through direct (and sometimes disastrous) experience or through greater public awareness. Further,
they have discerned the amount of investment in expertise and resources required to maintain 24x7
vigilance over the corporate network.
Mutual customer-MSP benefits
Managed security services therefore provide benefits for both customer and provider. The customer
receives the traditional benefits of outsourcing arrangements:
• Expertise
• Accountability
• Cost-effective solution
While the MSP can:
• Generate profits by delivering economies of scale for new services, such as secure Internet access,
virtual private networks (VPNs) and traffic management
• Open new markets by replacing traditional leased-line networks with an Internet-based solution
• Lower customer switching costs by creating stronger, more technically complex customer relationships
• Differentiate itself from other service providers by offering managed security services in the crowded
commodity-shaped ISP market.
An expanding market
All industry indicators point to managed services' increased role in the Internet service industry. IDC sized
the total 1997 market for Internet service at $4.6 billion, of which business access and value-added services
accounted for $2.3 billion, or approximately half. By the year 2000, IDC predicts that the total Internet
service market will expand to $18.3 billion, with the corporate share rising to nearly two-thirds of the total,
or $11.8 billion.
First looked at as a cost-effective way to connect remote workers, VPNs are growing to support branch
offices and the burgeoning e-commerce business partner connections. The consulting firm Infonetics
Research Inc. expects the worldwide VPN market to grow from $1.08 billion in 1998 to as large as $10
billion by 2001.
As a means of building revenues and customer relationships, managed security services present a
significant opportunity for MSPs. In the fast-changing managed service arena, this new service category is
quickly becoming a "checklist requirement" on RFPs. Like Web server co-location services, managed
security offerings will soon become a necessary qualification in acquiring and retaining lucrative corporate
accounts.
Security services – on the road to e-commerce
In its report, "Hosting: The Next Generation," Forrester Research says, "…the business of hosting Web
servers is poised to take an evolutionary step--running discrete business applications."
The report predicts that corporate users will soon be offloading select applications to third-party service
providers “that have mastered and productized corporate application servers.” Outsourced application
hosting will gain acceptance beyond simple Web sites when user populations are distributed across the
wide area network (WAN). Examples include: 1) Web add-ons such as commerce and communication
servers, 2) community applications such as push content distributors and collaboration tools, and 3)
packaged applications that support customer asset management or remote supply chain servers.
Strong security is integral to the delivery of all these services, underscoring the importance that MSPs
seize, today, the relationship-building opportunities presented by managed security services.
III. Managed Services Offering
An overview
The typical managed security services configuration has the enforcement point residing on the customer’s
premise with management activities taking place at the MSP's network operations center (NOC).
Management is typically performed by linking events and alarms into the MSP’s central monitoring system
and by having management NOC personnel remotely connected to an enforcement point at managed
customer sites using a GUI-inspection point architecture.
[Figure: Premises-based managed firewall service]
Managed security service offerings usually include one or more of the following services: access control
and protection from malicious attacks, VPN capabilities, network address translation (NAT), intrusion
detection and protective response, demilitarized zone (DMZ) service, 24x7 monitoring, management, real-time reporting and a defined escalation procedure.
For the MSP, delivering managed security services entails a range of value-added activities, which in
themselves offer interesting packaging opportunities such as optional value-added services or high-end
bundles. These activities include:
• Development of a site survey
• Sale or lease of hardware and software (router, hardware server and firewall software)
• Installation, including software, policy and hardware
• Rule database management
• Monitoring and reporting
• Technical and administrative support
• Policy and user database backup
• User database management
• Network design (security, LAN, WAN and/or enterprise)
The managed security services opportunity is further enhanced by the breadth of the market; with the
widespread embrace of the Internet, security is no longer limited to financial and military organizations.
Every corporate Internet connection should be viewed as a potential customer.
Requirements for the product platform upon which to build managed security services are, at a minimum,
the following:
• Extensible – A platform capable of supporting multiple services
• Performance – Enforcement of the policy at wire-line speeds
• Manageable – A cost-effective management system that can easily integrate into an existing system
management structure
• Scalable – Both in terms of price/performance (e.g., small customer to large enterprise) and
management (hundreds of customers with thousands of enforcement points)
• Reliable – A strong reputation in the marketplace
• Standards-based – Allows the MSP to deliver services based on “best of breed” products from top
providers
A platform for growth
The product platform must offer a proven solution, have a strong market presence and be a well-recognized
brand -- brand equity is imperative and a powerful differentiator in the value-added services arena. The
platform technology provider must also be stable and well respected in the market. A positive reputation is
essential to instilling customer confidence in the long-term viability and extensibility of the managed security
services purchased from an MSP.
Technically, the platform must offer the high performance necessary to support thousands of concurrent
connections. Seamless scalability is required to accommodate growth. The platform must also be built on
an extensible architecture and provide interoperability with leading security and internetworking products.
A product platform must be able to cost-effectively start out supporting a single service with a startup
number of customers and then scale to support both the increase in customer size and the expansion of the
customer base. The platform must be able to deliver economies of scale for additional services such as
authentication, network address translation, user authentication, user authorization, strong authentication,
authorization, data encryption, key management, remote access, traffic control and IP address-to-user
mapping. These services make up the necessary foundation for e-commerce services.
Strong firewall protection
Access control via a firewall is at the heart of a managed security services offering and will remain the
foundation for an MSP’s future managed services as well. To provide the strength, flexibility and
scalability necessary to meet these requirements, the firewall must:
• Be market proven and widely trusted
• Deliver high performance to ensure fast, secure business communications
• Support IPSEC-compliant VPN services
• Be able to secure all existing network applications, i.e. FTP, SMTP, HTTP and emerging applications
such as SQLNet, NetMeeting and RealAudio
• Offer strong and exportable encryption
• Provide network address translation
• Offer separate user management
• Support management integration for a wide variety of complementary third-party applications, such as
URL filtering, virus scanning and strong authentication
Management ease imperative
Multiplied across potentially thousands of customers, security service management becomes a significant
issue, both logistically and from a cost perspective. In order for MSPs to effectively implement large-scale
managed security services, the management component must:
• Be a cost-effective solution that scales seamlessly to hundreds or thousands of service customers,
minimizing hardware investment and personnel requirements without sacrificing manageability
• Be flexible and fully manage all firewall functionality, including authentication, encryption, logging
and reporting, as well as support the ability to easily add new services
• Offer robust distributed management capabilities, including centralized and secure remote
management
• Easily integrate with complementary tools for encryption key management, router ACL management,
user management, etc.
Multiple offerings
The product platform must be open in order to allow flexibility in designing services for customers. In
order to achieve reasonable economies of scale, a product platform must support an API-level of
integration for additional services regardless of the supplier. An open platform delivers choices to an MSP.
API-integration delivers the performance, reliability and management simplicity necessary to reach service
pricing and profit goals.
IV. Check Point Overview and Key Benefits
Check Point Software Technologies has developed its Secure Enterprise Networking product platform to
better address the business, management and technical needs of managed service providers who want to
offer managed security services to customers interested in outsourcing their network security. The product
platform integrates the market-leading, award-winning technology of Check Point's FireWall-1, VPN-1,
FloodGate-1 and Meta IP products with centralized multi-customer management capabilities specifically
created for the MSP market.
FireWall-1, the market leader
Check Point FireWall-1 is a scalable Secure Enterprise Networking component that integrates Internet,
intranet/extranet access control with authentication, network address translation and content screening.
FireWall-1 was designed to meet the demands of organizations large and small.
With 60,000 units shipped as of the end of 3Q 1998 and an installed base several times that of its nearest
competitor, Check Point is the worldwide firewall market leader and preferred solution among managed
security services providers. More than 20 large MSPs offer FireWall-1 based managed security service
around the world today.
The technological advantage of FireWall-1 is Check Point's patented Stateful Inspection technology, which
intercepts, analyzes and takes action on all communications before they enter the operating system of the
network's gateway machine. This ensures high performance and full network security and integrity. Under
Stateful Inspection, cumulative data from the communication and application states, network configuration
and security rules are used to enforce the enterprise security policy.
The continued technical excellence of FireWall-1 has received widespread recognition in independent
analyses and product comparisons by leading trade publications and organizations. In 1998 alone,
FireWall-1 was the recipient of awards from Network World, Network Computing, Data Communications
Magazine (including four straight “Tester’s Choice” awards), PC Magazine, and BYTE magazine.
Further, it was honored with the Computing Award for Excellence in the United Kingdom.
To view the more than 40 prestigious awards FireWall-1 has earned since it first shipped in 1994, please
visit http://www.checkpoint.com/awards
FireWall-1 Architecture
First, as a customer-managed product, the architecture of FireWall-1 provides cost-effective network
security management for a customer with any number of firewalls at any number of sites. Effective remote
management is made possible by the Check Point three-tier client/server architecture. The first tier,
located at the network interconnection points is the FireWall-1 policy inspection module. The inspection
module does the actual packet inspection, decision processing, enforcement and logging. The second tier is
the central Management Console that manages multiple enforcement points. The Management Console is
the repository for the policy, user and object databases. The Management Console is, in turn, accessed by
one or more of the third-tier GUI clients. As with the Management Console-to-enforcement module
connection, the GUI-to-Management Console connection is encrypted and authenticated, thereby allowing
policy and user management from a NOC or other valid location. FireWall-1 is the only network security solution on the
market with a robust, central management console through which the security administrator creates,
manages and securely distributes the enterprise security policy, the enterprise user database and other
enterprise properties.
In its simplest implementation, the enforcement module, the management console and the GUI can run
concurrently as three processes on the same hardware server or appliance. If multiple enforcement modules
are deployed, one central Enterprise Management Console is required. With standard FireWall-1, a
hardware server can run only one installation of the Enterprise Management Console, that is, it can only
manage a small number of policies.
Another benefit of note to the MSP community is the availability of Check Point architecture on a wide
range of hardware platforms, from the easily deployed appliance to the large-scale server. Operating
system platforms include: Sun Solaris, HP’s HP/UX, IBM’s AIX, Microsoft’s Windows NT, and all of
their supported hardware servers. In addition, the product platform is available on Nortel/Bay’s BN and
Contivity series of routers, Nokia’s IP400 routers and Check Point’s RemoteLink. This range of offerings
gives MSPs a matrix of options for their services in terms of pricing and target customers.
Virtual Private Networks
Check Point VPN-1 is a fully integrated enterprise-wide security solution that provides secure bidirectional communication to the Internet and transparent encryption for full data integrity and
confidentiality when establishing Virtual Private Networks.
Check Point VPN-1 addresses all the security needs of an enterprise, ensuring:
• privacy — no eavesdropping on communications
• authenticity — no impersonation of network computers
• integrity — no tampering with data as it passes through the network
Check Point FireWall-1 employs a single integrated Security Policy to establish enterprise-wide security,
authenticate clients and encrypt communications. Offering multiple encryption schemes and integrated key
management, Check Point VPN-1 enables an enterprise to make full use of the Internet for all its business
and connectivity needs.
Traffic control
Check Point solves the network congestion problem with FloodGate-1, a policy-based enterprise-wide
traffic management solution. FloodGate-1 intelligently manages finite bandwidth resources, to deliver
reliable performance for important Internet applications while ensuring the necessary bandwidth for
mission-critical applications.
Leveraging Check Point’s patented Stateful Inspection technology and its innovative Intelligent Queuing
(IQ) Engine, FloodGate-1 precisely controls the bi-directional flow of all IP-based traffic. Total traffic
management is achieved by controlling the bandwidth usage for entire classes of traffic. FloodGate-1 also
provides powerful real time traffic monitoring capabilities to diagnose the source of network congestion.
Organizations can now define and implement traffic management policies that allocate resources to
mission-critical and high priority applications and eliminate the burst-and-delay effect inherent in most
Internet traffic.
FloodGate-1 precisely controls the flow of inbound and outbound Internet traffic based on a user defined,
enterprise-wide traffic management policy. The policy defines how an organization’s limited bandwidth
should be allocated. A single FloodGate-1 traffic policy can be defined for the enterprise, automatically
distributed to all Internet and Intranet access points, and centrally managed from a single management
console.
The traffic management policy consists of traffic rules and is defined in the intuitive graphical user
interface (GUI) of FloodGate-1. With each traffic rule, the network administrator can define the traffic
privileges granted to a specific class of traffic. For maximum flexibility, each traffic rule can have multiple
sub-rules that further define the division of bandwidth resources.
Adding the benefits of Provider-1
In a managed service environment, using standard FireWall-1 components for managed service offerings
may become burdensome for large-scale operations due to several issues:
1. No consolidated view at the NOC of multiple managed customers.
2. Management complexity, especially remote access and policy and user backup issues, induced by
installing the management console on the enforcement servers.
3. Each policy (i.e., each customer) requires a dedicated Management Console which requires its own
hardware server.
The standard Check Point suite is a cost-effective starting point at which to roll out a managed service.
With its three-tier architecture, Check Point can provide cost-effective management to more than
customers. Once the MSP’s service is implemented, marketing programs start to generate demand, and the
customer count starts to skyrocket. Check Point is ready to meet the challenge with its carrier-class, MSP-specific management tool, Provider-1.
Provider-1™ is a comprehensive, carrier-class management solution for MSPs. Unlike the management
capability of other access control solutions, Provider-1 lowers service delivery costs by providing the
ability to manage multiple security policies from a single point. Provider-1 supports both premises-based and
POP-based Check Point enforcement deployments. With Provider-1, each customer’s unique policy for
access control, authentication, virtual private networks (VPNs), network address translation, content
security and auditing can be managed to the end user level.
Deploying Provider-1 at the NOC enables MSPs to economically scale their managed service offerings to
hundreds or thousands of customers. With Provider-1, MSPs can bring the management consoles for all
their customers back to the NOC without incurring a major hardware or software investment penalty. The
new multi-domain user interface was designed to consolidate critical information for all the managed
services customers, while allowing easy drill down into any particular customer’s management console for
specific management actions.
The central goal of Provider-1 is to reduce the cost of delivering managed security services. This benefit is
realized through significantly-enhanced global manageability. Provider-1 delivers consolidated
management and alert views, allowing a single security manager to monitor dozens of service customers.
The MDG delivers the capability as well to easily navigate, view and modify an individual customer’s
policies, users and objects. MSPs reap the benefits of significant economies of scale and will experience a
dramatic reduction in hardware and operating personnel costs as compared to an implementation without
Provider-1.
[Figure: Managed security service using FireWall-1 and NOC-based Provider-1]
OPSEC: Standards-based extensibility and investment protection
The growth of Internet-based networks has been nearly matched by the proliferation of specialized security
products. Internet users can choose from a vast array of products to better authenticate users, screen out
viruses, stop malicious Java applets, detect intruders, identify suspicious network activity and prevent access to
undesirable Web sites. While serving an important business need, these specialized products also raise the
network management challenge to new levels of complexity.
Check Point has taken a leadership role in addressing this networking complexity challenge by launching
the OPSEC (Open Platform for Secure Enterprise Connectivity) Alliance in 1996. This industry-wide initiative
provides a unified environment to integrate and manage all aspects of network security through an open,
extensible, management framework. Today, more than 160 partners are members of the OPSEC Alliance
with membership continuing to grow. OPSEC partners are delivering products and services that are
secured by, or seamlessly integrated with the Check Point Secure Enterprise Networking product platform
including FireWall-1 and can be managed from a central security policy.
With OPSEC, MSPs using the Check Point product platform to deliver managed security services have
many options for incremental service revenue or service differentiation. They can select best-of-breed
complementary applications and be assured of compatibility and management integration through the
OPSEC Certified solutions program. OPSEC further validates the choice of Check Point technology as the
foundation for managed security services offerings.
For an overview of OPSEC Certified products, please visit http://www.checkpoint.com/opsec
V. Conclusion
Service providers are searching for new revenue and profit opportunities now that connectivity is becoming
a commodity item. As corporations around the world continue to expand their reliance on the Internet,
managed security services present a strong revenue opportunity for MSPs in both the short- and long-term.
Corporate customers are already outsourcing essential activities such as firewall security, a market that is
projected to quickly grow and expand by the year 2000. Service providers are in an ideal position to take
advantage of these market forces.
To build a profitable service, an MSP requires a product platform that is scalable, extensible and
manageable. The Check Point product platform, combined with all of the OPSEC partner capabilities,
gives a managed service provider the bedrock foundation on which to build a solid set of managed services.
Check Point’s flexibility and scalability allow the MSP to make an appropriate initial investment, but
furnish the MSP with growth potential in multiple dimensions while reducing the escalating delivery
costs. The Secure Enterprise Networking product platform offers state-of-the-art VPN service, supports
hundreds of protocols and applications, and includes a cost-effective management architecture. With
scalability to handle hundreds of customers with thousands of enforcement points, the platform can be
customized to meet changing market requirements. Check Point also delivers to MSPs strong brand equity
and investment protection -- the foundation of a new, value-added platform for customer acquisition and
retention in the rapidly expanding, highly-competitive corporate segment.
By choosing the Check Point product platform, an MSP can conquer new markets, build long-term business
relationships with its customers and, most importantly, generate revenue and profits.