Stateful inspection allows a network administrator to track a user's efforts to pass through firewall security perimeters. It inspects all communications in and out of network, then stores that data in a database so it can be used to make security decisions when that user returns.
Other firewall techniques use "packet filtering," examining packets of data individually before letting them through the firewall, or "proxies" and "application gateways" that allow only particular applications to get through. Vendors using those techniques would not be affected directly by Check Point's new patent.
However, the patent could spell trouble for firewall vendors that say their software implements stateful inspection. Emily Cohen, a Check Point spokeswoman, identified Cisco, Ascend Communications, ON Technology, CyberGuard, and Seattle Software Labs among those using stateful inspection in their firewalls.
"We are evaluating our options," said Cohen. Those options could include negotiating licensing agreements or taking legal action to force rivals to stop using the technology Check Point has patented.
But Frank Roys, marketing director of the Cisco Internet appliances group, said his company won't license Check Point's technology because Cisco invented its own version, called "stateful security," for its PIX firewall.
"They patented their implementation of stateful inspection, not stateful inspection itself," said Roys. "We have felt for some time that the only two companies that offer stateful security were Check Point and Cisco. We think this is good for the marketplace, because it verifies that you need this level of security if you're gong to be serious."
Ted Julian, an influential firewall analyst with International Data Corporation, downplayed Check Point's news but said its impact on competitors will depend on the details of Check Point's patent and how Check Point and rivals have implemented it. He thinks firewall vendors stress their software architecture too much, missing points that interest customers more.
"For the bulk of customers, architecture is just one of many factors. I see it as much ado about nothing," Julian said. "Other things are more significant than the architecture."
Despite the patent announcement, Check Point's stock closed off 1-3/8 to 18-1/2.
The patent covers, among other things, Check Point's implementation of stateful inspection in its FireWall-1 package, which, according to a recent study from researcher Yankee Group, grabbed about 44 percent of the world's firewall market in the first half of 1996. CheckPoint says more than 16,000 sites use its firewall product.