What is our primary use case?
Our primary use case of Check Point Application Control is to filter which application categories we want to allow our organization members to have access to so that they are secured. For example, we don't allow access to malicious applications and some categories that could be threats. We only allow organization members to access secure applications and applications that are aligned with the company's strategy.
It also enables us to save internet bandwidth by filtering applications that are not work-related.
How has it helped my organization?
Check Point enables us to save internet bandwidth. The administration offers good guidance. We don't want the employees to access social networking on work computers because it will distract them from their jobs, so we can block that. It also helps us to implement changes very quickly and to get people to be more focused on the job.
We can block employees from downloading illegal content that would harm the company image with our IPS. If an employee downloads torrents with movies that should be paid for, they can detect that it's our company's IP. We could be fined and it could be good damage to the company image. So we block those kinds of applications.
What is most valuable?
The features are very granular. You can block Facebook Chat but allow Facebook itself. The big database and the easy configuration are also valuable features.
What needs improvement?
I think Check Point Application Control is one of Check Point's most complete solutions. It has had a lot of years for improvement. I don't see anything that we need to be improved. It does everything that we would need. It always applies new applications. It does what we need it to do. We don't need to select a specific application if we don't need it, it can be selected by category. The solution is very complete.
For how long have I used the solution?
I have been using Check Point Application Control for eight years.
What do I think about the stability of the solution?
The solution is stable. We didn't have any specific issues.
What do I think about the scalability of the solution?
It's scalable in a way that you can use the same application and filter objects on all the gateways that you have under managers. You can define one profile applied to all firewalls.
There are around 1,000 users in our company who are affected by Application Control.
Four network security engineers are responsible for the maintenance.
We deployed only on the perimeter firewalls. If we need to add some more perimeter firewalls, we will deploy to that as well.
Which solution did I use previously and why did I switch?
We specifically chose Check Point because we needed to filter internet access. It was already in place in some firewalls when I came to my company. My colleague implemented it on some other firewalls. It was already placed in one or two firewalls.
How was the initial setup?
The initial setup was straightforward. We generally use the blacklist method for Application Control. That is where you select which application categories and specific applications you don't want to be accessed and then you allow everything else. This method is easier than what we did in the past where we tried to do it the other way. We would only allow specific applications for a specific project and then deny everything else. But then there was always something missing because the machine would need to update and we would need to have a new application. There was always something being blocked that shouldn't.
It took us about one week to define the strategy and then two to go through the list of categories that were available to define which we would deny. We would also discuss with the GRC team and get guidance from the administration.
What was our ROI?
Our ROI Speaker is that it adds another security measure that doesn't allow employees to access websites and applications that can harm our company, and by keeping the company's IPS reputation clean. It also blocks categories like social networking and gambling. Those kinds of categories also increase productivity and decrease internet link usage for things that don't interest the business.
What's my experience with pricing, setup cost, and licensing?
Pricing is in line with the competition. Licensing is not complicated. The license application is straightforward and it functions well. There are no additional costs that I'm aware of.
What other advice do I have?
My advice would be to deploy Application Control with a blacklist approach. In which you select which application categories to block and accept others. Otherwise, from our experience, it's a mess. It's much more easy and efficient than doing the whitelist approach, in which you would select what you would allow and block off the rest. It can forget to add a category or an application that is needed and so you will always need to be adding them on a request basis.
The whitelisting approach should only be on very specific applications. In which only a server should access a certain application and nothing else. If you miss something, you will have to always be investigating why it doesn't have access or why an application is not working.
We tried to do a whitelist approach on a specific environment, but we gave up because it was starting to get to be a bit messy. Some servers only need it to go to the internet to do some updates on some applications. They shouldn't access any other categories. That was always something that was not working because some application was categorized as technology and it was also categorized as, for example, social networking.
The biggest lesson is that it's very important to have Application Control on the company's internet access. A previous company I worked at, got a court letter saying that our IP downloaded two movies from torrents. The company got a final warning that if our IP would be caught downloading illegal stuff again we would have problems and so the company implemented Application Control. It's very important for the company's IP reputation and also for employees to be focused on their job. You can block malicious applications which gives you another level of protection and also reduces internet link usage.
I would rate Check Point Application Control a ten out of ten.
Which deployment model are you using for this solution?
Which version of this solution are you currently using?