FEATURE

The 10 Most Important Products of the Decade

Number 9: Check Point FireWall-1
October 2, 2000

By Mike Fratto

In the early '90s, companies were relying on packet-filter routers to block traffic at the perimeter. A few forward-thinking enterprises were playing with free tools, such as Trusted Information Systems' Firewall Tool Kit (FWTK), in '93 and '94, but few companies were actually going online with a real firewall, and the cracking scene was still very much underground. The need for firewalls was just beginning to develop.

FWTK created the firewall arena by offering proxy-based security. Not only was the proxy transparent to the user and the server, but the real advantage was that the user never connected to the server. Check Point took a different approach: It designed FireWall-1 so the product's stateful inspection keeps track of TCP and UDP connections throughout their duration. If a packet belongs to an existing connection, it's allowed to pass; otherwise, FireWall-1 checks to see if it will be allowed to pass, and then tracks the connection from beginning to end. Stateful inspection is faster than proxy-based but offers less security, because clients make direct connections to servers.

Check Point made FireWall-1, introduced in 1993, the firewall to beat. Although debates raged in the security community over which type of firewall--proxy- or stateful-inspection-based--was more effective, Check Point sidestepped the issue by adding an HTTP proxy to FireWall-1 in version 2.1, released in 1996. The choice was then up to the implementer.

FireWall-1 led the market throughout the 1990s, providing access control at the perimeter of private networks. Check Point extended FireWall-1 to the desktop with SecureRemote in 1996, and it continued to add proxies, incorporating SMTP, FTP, rsh, telnet and rlogin in version 4.0.

Where FireWall-1 shines most brightly is in its breadth of integration with third-party software. Rather than building or buying content, e-mail and virus-scanning/filtering systems, Check Point developed OPSEC (Open Platform for Security), which integrated such systems with FireWall-1 enforcement modules. OPSEC's list of integrators has become a "who's who" of network security and includes such notables as Internet Security Systems, Netegrity, RSA Security, Trend Micro and WebTrends Corp.

Of course, work on Check Point's inspection module also continued unabated. New, dynamic protocols have been supported, starting with RealAudio in 1995. Six more protocols were added the following year, as were new platforms for FireWall-1's inspection module, such as Bay Networks' router gear. By the end of 1997, TimeStep's Permit and 3Com's NetBuilder platforms had joined the list of supported systems. Although these additions were aimed at answering analysts' cries for appliance-based firewalls, the actual implementations were limited, and most eventually slipped into the shadows.

Today, the FireWall-1 appliance need is filled by Nokia Corp., which implements FireWall-1 on its routing platform. Nokia's preinstallation of Check Point's firewall software eases start-up costs and reduces downtime for customers seeking a turnkey solution.

Check Point now faces wide-ranging competition. Management-software vendors with comprehensive product lines, such as Computer Associates and Network Associates, are taking aim at Check Point's integration strategy, while the firewall-appliance market is overrun with devices from the likes of NetScreen Technologies, SonicWall and WatchGuard Technologies.

Check Point's partner strategy is still the major attraction for a sizable portion of the deployed market, so much so that detractors have attempted to shoot holes in it. The criticism usually centers on a programming library that isn't particularly easy to use and a certification program whose policies are overly strict. For a firewall, though, would you really want it any other way?
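
The stateful-inspection decision described above (pass a packet that belongs to a tracked connection, consult the rulebase for anything else, then track the new connection) can be shown in a few lines. This is an added example, not Check Point's code; the rulebase, the 10.x inside network, the 40-second UDP timeout and every name in it are assumptions.

```python
from collections import namedtuple

# Constructed rulebase: inside hosts (10.x, an assumption) may open web and DNS flows.
ALLOWED_NEW = {("tcp", 80), ("udp", 53)}
UDP_IDLE = 40  # seconds; hypothetical idle timeout, since UDP has no teardown

# flags holds TCP flags ("S", "SA", "A", "R"); ts is arrival time in seconds.
Packet = namedtuple("Packet", "proto src sport dst dport flags ts", defaults=("", 0.0))

class StatefulFilter:
    def __init__(self):
        self.table = {}  # flow key -> time the flow was last seen

    @staticmethod
    def _key(p):
        # Sort the endpoints so both directions of a flow share one entry.
        return (p.proto, *sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def inspect(self, p):
        key = self._key(p)
        seen = self.table.get(key)
        if seen is not None and p.proto == "udp" and p.ts - seen > UDP_IDLE:
            del self.table[key]          # stale UDP pseudo-connection
            seen = None
        if seen is not None:             # belongs to a tracked connection
            if p.proto == "tcp" and "R" in p.flags:
                del self.table[key]      # reset ends tracking (FIN handling omitted)
            else:
                self.table[key] = p.ts
            return "pass-existing"
        # Otherwise consult the rulebase; a new TCP flow must start with a bare SYN.
        opens = p.proto != "tcp" or p.flags == "S"
        if p.src.startswith("10.") and opens and (p.proto, p.dport) in ALLOWED_NEW:
            self.table[key] = p.ts
            return "pass-new"
        return "drop"

def demo():
    fw = StatefulFilter()
    syn = Packet("tcp", "10.0.0.5", 40000, "192.0.2.10", 80, "S", 0)
    synack = Packet("tcp", "192.0.2.10", 80, "10.0.0.5", 40000, "SA", 0.1)
    # Constructed unsolicited packet that a static "allow source port 80" filter admits.
    stray = Packet("tcp", "192.0.2.99", 80, "10.0.0.5", 40001, "A", 1)
    query = Packet("udp", "10.0.0.5", 5353, "192.0.2.53", 53, ts=2)
    late = Packet("udp", "192.0.2.53", 53, "10.0.0.5", 5353, ts=100)
    return [fw.inspect(x) for x in (syn, synack, stray, query, late)]
```

The stray ACK and the late UDP reply are dropped because no live table entry matches them, which is the distinction a stateless packet-filter rule keyed on source port cannot make.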













