The company on Monday plans to unveil a major upgrade across a number of product lines, moving to unify its perimeter, internal and Web security offerings with a common code base. The new NGX platform upgrades the core technology in its VPN, firewall and management software products.
But Check Point, a pioneer in firewalls and virtual private networks, faces vulnerabilities of its own. It has been slow to roll out new products, analysts say, and only recently has started to show signs of a willingness to change. The competitive landscape is looking harsher, too, with the looming presence of networking heavyweights such as Cisco Systems and Juniper Networks and software giants like Microsoft.
Check Point is upgrading across a number of product lines, in an effort to unify its security offerings with a common code base.
The upgrades may not be enough to draw in new customers for the security specialist, which faces a double whammy of lackluster licensing and customer complaints about fees.
At the same time, there's a cloud over a key source of revenue--licensing dollars--even as some customers are grumbling about increasing fees.
"They're slowly falling behind the ball," said Gene Munster, an analyst with Piper Jaffray. "Check Point says that Cisco has been in their market for years and hasn't affected it, but all you have to do is look at their licensing revenue."
During the quarter just ended and for the first time in Check Point's 12-year history, the company's licensing revenue represented less than half of its total revenue. Check Point generated $137.7 million in first-quarter revenue, of which $65.5 million came from licenses.
License growth is generally a concern to companies and investors because it's the engine that drives the train. New license revenue leads to future subscription, support and maintenance revenue over the long haul.
Check Point is not the only software company facing this issue. It's a matter of concern for a number of large software vendors, fromto , which are increasingly becoming services-oriented businesses that supply support and software subscriptions.
Users of Check Point's products, meanwhile, are balking at the fees confronting them. The SmartDefense automatic update and advisory service, launched in 2002, is a bright spot in the Check Point product lineup, customers say, but they're not so thrilled about having to pay yet another annual subscription fee.
"Customers are concerned that these ongoing fees are significant," said Barry Stiefel, founder and president of CPUG, the Check Point User Group, which has 360 members on its mailing list. "There is the annual software subscription fee, the annual support contract fee, and the SmartDefense fee caused some surprise among the members."
Currently 16 Check Point products are compatible with NGX, and a total of 21 will be ready by May 30 when the software upgrade ships. Customers of Check Point's new Secure Platform Pro will pay a minimum of $1,500 per gateway for NGX, which will be free to other Check Point customers through their enterprise software subscription.
NGX will later become available as an appliance through Check Point's hardware partners in June and July.
Check Point says the new offerings will deliver competitive advantages over Cisco's latest appliance.
"We'll have a much more unified platform for the network," said Dave Burton, Check Point's product marketing director. "We'll have a common code base for inside and outside the network and end-point devices."
NGX will allow IT administrators to manage internal and Web security policies from a single console. For example, Check Point's Connectra Web security product and InterSpect internal security technology will let administrators centrally manage all Check Point security devices via the NGX upgrade. That feature will mirror ones already available with its perimeter products like Check Point's firewall and VPN.
The new product line is also meant to improve security for voice over Internet Protocol applications, providing protection against denial-of-service attacks on major Net telephony protocols, as well as guard against call hijacking.
In addition, Check Point's upgrade will include dynamic routing for VPN tunnels. This technology will simplify network management for companies with a number of offices by extending the routing protocols to remote VPN locations. The software will also allow multicast and unicast traffic to be routed securely.
"Our dynamic routing will be just as competitive as Cisco's and Juniper's," Burton said. "But our customers will also have the flexibility of what platform to use."
Earlier this month, Cisco, which combines up to 18 separate security and management functions into a single device. Previously they were only sold as separate products.
"Cisco has always said that security is part of the network, but now they come out with a standalone product," Burton said. "That validates the need for standalone security."
CPUG founder Stiefel gives a thumbs-up to the technology that Check Point provides, noting, for instance, that Cisco, because of its numerous acquisitions, can't rival Check Point's user interface.
"Cisco is soup to nuts, but the soup isn't talking to the nuts," Stiefel said.
But analysts questioned just how far the NGX upgrade will carry Check Point, the smallest among the top five security hardware and software vendors. Symantec heads the list, followed by Cisco, McAfee and Computer Associates International, based on 2003 revenue, according to the most currently available data from research firm IDC. Recent history, analysts say, suggests that there won't be an immediate bump in new license sales.
"Refreshing products doesn't necessarily kick-start their business," Piper Jaffray's Munster said. "Just increasing the core functionality doesn't change the game. It may get them a step ahead, but doesn't substantially improve demand. You need new products and new markets to make that statement."
Last February, Check Point indicated it expected "exciting growth opportunities that will be starting in 2005, but none of them came to fruition," Munster said. "We were hoping to see some licensing growth from the products that came out at the end of 2004."
For its part, Check Point views the annuities it receives from its subscriptions as the long-term strength of its business, Jerry Ungerman, the company's vice chairman, said in an interview shortly after the company's first-quarter earnings announcement. License revenue for the quarter was up 4 percent from the same period a year earlier.
analyst, Piper Jaffray
Nonetheless, analysts say that view has cost the company some market share.
"Check Point missed the move toward a self-contained appliance and was under attack by more aggressive and nimble competitors. They were focused on harvesting revenue from existing businesses and a bit complacent in their outlook," said Ed Maguire, a Merrill Lynch analyst. "But in the past year or so, Check Point has gotten better at defending their market share."
The company is largely a software specialist, relying on hardware makers such as Nokia and Hewlett-Packard to bundle its applications in their equipment and handle the sale. Recently, however, it has started selling its own line of appliances in certain markets.
"Check Point used to say we sell the software and our partner Nokia sells the hardware, and that allowed Check Point to keep its profit margins high. But it was confusing to the customer," said John Pescatore, a Gartner analyst. "Whereas, if Cisco sold you an appliance, it just worked. So Check Point has had to move away from the 'meet in the channel' approach."
Check Point receives the bulk of its revenue from appliance-related sales, either appliances it sells directly or partners' gear on which its software is loaded, such as Nokia's firewall-VPN appliance.
Historically, Check Point has been slow to roll out new product lines, remaining largely dependent on its existing customers to renew their subscriptions every year, analysts say. They say the company's desire to maintain its high profit margins have impeded its willingness to take on risks, thereby affecting its ability to be first to market with new products, and that same desire keeps a lid on its spending for research and development.
Check Point has been a "fast follower, rather than an early leader," Merrill Lynch's Maguire said. "That approach has prevented them from taking an early lead and market share, but it has also minimized their risk and provided customers with a measure of comfort that their development and expansion was deliberate."
Check Point executives disagree. The company considers itself a leader in combining firewalls and VPN into a single software product in 1998 and in creating a constantly updated network security subscription service in 2002.
Gil Shwed, Check Point's chief executive, noted in an interview after the company's first-quarter results that the company's research and development expenditures are appropriate.
In the first quarter, Check Point's research and development costs represented 9 percent of the company's total revenue, compared with 14 percent for Symantec and 15 percent for McAfee.
"We believe we spend as much as we need to," Shwed said. "Our R&D budget is more efficient since most of our development is in Israel, where the costs are lower, and we have a unified architecture, so there are efficiencies in the way our software is developed."
Efficiencies are a good thing, but are they enough to carry the company?
"The ultimate risk for the company is at some point they need product growth," said Munster of Piper Jaffray. "They have a phenomenal brand and their core users aren't going anywhere, but they can't find a way to get more money out of their existing customers...They've got to give their customers something new to purchase."