What is our primary use case?
The primary use case for our organization is to protect against attacks targeting our network. As most of the attacks originate from the internet, protecting the organization requires us to be equipped and ready to mitigate this type of attack at the perimeter level. Hence, it becomes necessary to scan any traffic flowing North-South and vice versa.
The perimeter device should be equipped such that it is able to detect and mitigate attacks, as well as have basic anti-spam filters. Email gateways are not capable of protecting against the latest generation of attacks via email.
Similarly, basic URL filtering is not able to protect against web attacks. Consequently, to protect the organization against this type of sophisticated or targeted attack, we concluded that the next generation of perimeter security solutions is a must.
How has it helped my organization?
This product protects us against the most common and sophisticated attacks including phishing email, account takeover, protection against malicious files, malicious attachments, and malware.
It protects us against data leakage that can be caused by the aforementioned attacks, which can result in financial loss or reputation damage to the organization.
It is able to detect any changes in our software, such as whenever new code or a new file is delivered via web or email. It accomplishes this using sandboxing to evaluate it for potential vulnerabilities before it is delivered to the endpoint.
It is able to quarantine zero-day threats using sandbox technology.
Sandboxing functions in a complementary fashion to your other security modules, products, and policies. It provides additional protection with modules such as IPS, anti-bot, antivirus, and antispam with the NGTX license.
What is most valuable?
The solution instantly cleans files that are downloaded via email or a web channel from risky elements. The sandbox is able to scan files without adding a delay or compromising productivity.
Threat emulation is carried out using AI/ML engineering techniques and it is able to detect and mitigate any unknown or zero-day attacks.
Threat extraction performs pre-emptive document sanitization across email and web channels. Whenever any file is sent, its behavior is examined by the AI/ML module after sending it to the sandbox. Other methods of cleaning are also performed, such as the case with Excel files. If macros are present in an Excel file then they are removed and the plain file is sent to the endpoint. Once the user has validated the file or the source, the actual file will be sent and made available.
Malicious or compromised websites and URLs that are received via email or web are scanned and action is taken according to the configured policy.
The Threat Cloud integration services provided by Check Point for dynamic threat intelligence are helpful.
It offers good integration with SIEM and SOC Workflows.
Threat Extraction/Emulation is enabled on the same NGFW with an additional license and the sandbox can be hosted either on-premises or on the cloud.
Since it is a security module, it makes it virtually impossible for hackers to evade detection. It is also able to protect against attacks from the web, email, and network (IPS) on the same security gateway with a single management console and dashboard.
What needs improvement?
The file types that can be scanned are limited, which means that if a file type is not listed or enabled for the sandbox, it is bypassed, and this can lead to a security issue.
The maximum number of files that can be scanned by the higher sandbox appliance (TE200X) on-premises is 5K per hour. Hence, a bigger organization needs to have multiple devices along with integration between them.
Enabling a module on the same NGFW firewall impacts performance, which adds delay/latency.
Encrypted and password-protected files are not detected and are bypassed. The exceptions are files that have a dictionary-based password.
Currently, this solution is supported only for Windows and Linux for Threat Emulation/Extraction.
What do I think about the stability of the solution?
This solution is very much stable.
What do I think about the scalability of the solution?
This product is scalable on-premises by adding an appliance, whereas for cloud-based deployment it is the responsibility of the OEM.
How are customer service and technical support?
The Check Point technical support is excellent.
Which solution did I use previously and why did I switch?
We have been using the same solution for some time and did not use a similar solution beforehand.
How was the initial setup?
The initial setup involves enabling the module with the license and with cloud integration for Sandboxing. With this, it is complete and no additional devices are required.
What about the implementation team?
The implementation was completed by our in-house team with the assistance of the OEM.
What's my experience with pricing, setup cost, and licensing?
If you already have a Check Point NGFW and it is underutilized and sized properly, there is a benefit both in terms of commercial/security and operation. This is because everything is available from a single OEM on a single security gateway and dashboard.
The cost is not significantly high and it can be negotiated during any purchase of NGFW.
Which other solutions did I evaluate?
We have evaluated solutions from Cisco and Trend Micro, which required a dedicated security appliance and sandbox appliance. However, since we were already using the NGFW, we simply acquired a license for NGTX. This enabled sandboxing on the Check Point cloud.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
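The threat extraction behaviour described under "What is most valuable?" (macros removed from an Excel file, plain file delivered first) is a content disarm step. The following added example, which is neither the reviewer's nor Check Point's code, shows the mechanics on an OOXML package: the VBA part, its content-type override and its workbook relationship are dropped and the workbook is relabelled as a plain .xlsx. The sample package it builds is a constructed stand-in, not a real Excel file.

```python
import io
import re
import zipfile

VBA_PART = "xl/vbaProject.bin"
VBA_REL_TYPE = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
MACRO_WB_TYPE = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_WB_TYPE = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"


def has_macros(doc: bytes) -> bool:
    """True if the OOXML package carries a VBA project part."""
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        return VBA_PART in z.namelist()


def strip_macros(doc: bytes) -> bytes:
    """Rebuild the package without the VBA part, its content-type override and
    its workbook relationship, and relabel the workbook as a plain .xlsx."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(doc)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename == VBA_PART:
                continue  # drop the macro binary itself
            data = src.read(info.filename)
            if info.filename == "[Content_Types].xml":
                data = re.sub(rb'<Override[^>]*PartName="/xl/vbaProject\.bin"[^>]*/>', b"", data)
                data = data.replace(MACRO_WB_TYPE.encode(), PLAIN_WB_TYPE.encode())
            elif info.filename == "xl/_rels/workbook.xml.rels":
                data = re.sub(rb'<Relationship[^>]*Type="[^"]*/relationships/vbaProject"[^>]*/>', b"", data)
            dst.writestr(info.filename, data)
    return out.getvalue()


def build_sample_xlsm() -> bytes:
    """Constructed minimal macro-enabled package for the demo (not a real Excel file)."""
    content_types = (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Override PartName="/xl/workbook.xml" ContentType="%s"/>'
        '<Override PartName="/xl/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        "</Types>" % MACRO_WB_TYPE)
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="%s" Target="vbaProject.bin"/></Relationships>' % VBA_REL_TYPE)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/_rels/workbook.xml.rels", rels)
        z.writestr(VBA_PART, b"constructed placeholder, not a real VBA project")
    return buf.getvalue()
```

A real gateway would also handle .docm/.pptm parts, OLE-embedded objects and DDE fields; this block covers only the Excel VBA case the review mentions.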
Check Point does have an on-prem Sandblast appliance. Check out the TE-2000-XN or TE250-XN.