Check Point reassures itself

Seeking to reassure anxious investors, Check Point Software today said it has expanded a two-year strategic agreement with Microsoft to provide policy-based management for Windows NT.

A Check Point press release today had Microsoft executive vice president Steve Ballmer emphasizing cooperation between the two companies, comments that markedly differed from those he made last month.

"If [Check Point executives] want to cooperate, to create products for our platforms, we will be happy to tell them our plans," Israel's Globes newspaper quoted Ballmer as saying April 21. "If they wish to compete, they are invited to compete with us." He also was quoted as saying Microsoft is developing software that would soon compete with Check Point software.

Ballmer's comments, which the software giant now says were taken out of context or misquoted, cost Check Point's stock as much as 7 points the next day as it dropped from 41 to 34. The stock still hasn't recovered, closing today at 27-5/8.

"There was no news then, no new product news," said Kevin Kean, group product manager for Microsoft's communication products. "Today, we have Check Point clarifying its intent to support NT 5.0 in a big way. Their success as a security vendor validates Windows NT."

"This shows our commitment to NT and the importance of NT as an enterprise security platform," Check Point spokeswoman Emily Cohen added. "As Microsoft adds more features in NT 5.0, we want to make sure we take advantage of those features."

Today's statement by Check Point announces the two companies will work to integrate Windows NT with Check Point's product line, including FireWall-1, bandwidth management software FloodGate-1, a management console, and MetaIP, its IP address allocating software.

"This was put out to indicate discussions with Microsoft are back on track," said Jim Balderston, an analyst at Zona Research, who thinks Ballmer's earlier comments sought to get Check Point back to the negotiating table.

"This release says, 'Everything's OK now; we're not adversaries.' It's supposed to mean there's no reason to expect Microsoft to move into Check Point territory," he added.

Just how long that will remain the case is uncertain, but Check Point and Microsoft said they will work to make their security components interoperable and to allow Check Point's management console to control additional Microsoft products.

Check Point has moved beyond the security market into network and bandwidth management, but the ability of its management console to handle software and hardware from other vendors remains a central goal. The ability to manage Microsoft applications addresses that issue.

Check Point's console can manage Microsoft's Routing and Remote Access Server (RRAS), described as a NT-based router.

Nonetheless, Microsoft's proxy server software already incorporates some features of a low-end firewall, a noteworthy factor for Check Point because more than half of its firewalls sold last quarter were for Windows NT. Microsoft intends to enhance firewall features to its proxy and VPN (virtual private network) software, potentially carving into the markets of VPN and firewall vendors.

The companies outlined cooperation in three areas:

Check Point will integrate its policy management offerings with Windows NT 5.0 features including NT log-on, NT domains, Microsoft LDAP-compliant Active Directory, and cooperation in the Directory-Enabled Networking initiative from Microsoft and Cisco Systems.

Make their security software interoperate by supporting IPSec (Internet Protocol Security) for VPNs and improving the way Microsoft's certificate server works with Check Point's VPN software.

Extend Check Point's policy-based management framework to include NT access control lists and other features from Microsoft's remote access server, RRAS.

Check Point began shipping software on Windows NT in 1996, and Microsoft has been a member of Check Point's OPSEC Alliance for over a year. (OPSEC is short for Open Platform for Secure Enterprise Connectivity.)