Firewall tech pioneer Gil Shwed: Former teen sysadmin on today's infosec biz
Prince of State(ful) inspection 20 years on
Feature Twenty years after the technology behind FireWall-1 was first developed, the teenage coding prodigy who founded Check Point says that "IT security is [still] very hot".
Shwed, 44, is the co-founder, chief exec and chairman of Check Point, whose FireWall-1 software, according to the firm, is installed at every Fortune 100 company. Check Point claims FireWall-1 has never been breached.
At the tender age of 10, Shwed began taking weekly computer classes in his home town of Jerusalem and soon began showing up to the computer room every day, so he could learn on his own. By the age of 12, he had secured a summer job coding for a language-translation software company.
Shwed never went to university. While still at school at age 14, Shwed says he started an almost full-time job as a system administrator at Hebrew University in Jerusalem. From the age of 16, the university put him in charge of its computer systems for around two years until he began his national service in the army at age 18.
During his army service in the Israel Defense Forces, Shwed reportedly joined the IDF's Intelligence Corps (Unit 8200) where he put together military computer networks enabling certain users to access confidential materials blocked to other less privileged and trusted users. Shwed kept the idea in mind when he completed his military service in 1990.
After the army, Shwed joined the Israeli startup company Optrotech as a software developer, where he met Marius Nacht.
Shwed, Nacht and another friend, Shlomo Kramer, who had served with Shwed in the IDF, saw the potential of technology to filter and control traffic to separate computers on business networks from the wider internet. The idea that would eventually evolve into FireWall-1 was first developed in April 1993. The three friends started Check Point Software in July 1993, just a few months later.
The trio realised that businesses that connected themselves to the internet would need safeguards, creating a market for the port control protocol and blocking capabilities that were the main feature of early firewalls. The stateful inspection* technology Shwed developed and patented is still in use in modern firewalls, albeit in a highly revamped form.
It's hard to imagine now, but at the time few people knew what the internet was - much less that it posed a network security risk that needed guarding. The World Wide Web was a brand new concept, and browser software had not yet been invented.
Shwed, Kramer and Nacht - all in their early twenties at the time - worked in a relative’s apartment for a year, programming for 12-14 hours a day, before emerging with a product after a year's hard graft.
The team gave FireWall-1 first public debut at the 1994 NetWorld Interop show in Las Vegas. The trio reportedly shared a booth with another company, and brought no promotional items, just their product, FireWall-1. Despite their apparent lack of marketing savvy, FireWall-1 ended up winning the best-in-show award, helping to propel Check Point into the limelight.
In 1994 Check Point signed an OEM agreement with Sun Microsystems. It followed this up with a deal with HP a year later. The firm went public a year after that, in 1996.
Check Point's range of software products includes firewalls, UTM appliances, endpoint security (partly through the Zone Alarms acquisition), virtualisation security, and various products that integrate network management and security.
Shwed has been at the helm throughout. The 44-year-old comes across as an essentially a geek, albeit one with a shrewd business mind, who is proud of the company and the people it employs.
Shwed is a member of the board of trustees of Tel Aviv University and the chairman of the board of trustees of the Youth University of Tel Aviv University. He is also a member of the board of directors of Yeholot Association, which works to reduce dropout rates in high schools. Shwed is more than rich enough to retire or throw himself full time into charity work like Bill Gates but that would mean relinquishing his role at the company, which he obviously relishes. During the keynote for Check Point's European user conference, he spoke of the possibility of remaining at the helm for another 10 or even 20 years.
"I like it, so why should I do something else? The chances of founding another firm that's as interesting and successful aren't high," Shwed said, adding that everyone at the company was working to keep Check Point independent.
Shwed added that the attitude adopted by security vendors and experts has changed over the years from "don't do that it's dangerous" to an attitude more in tune with understanding business requirements, such as implementing secure links to branch offices and home workers using VPN (virtual private network) technology. Firewall technology has moved away from the perimeter and into the data centre, he said.
The Check Point boss reckons that IT security remains an exciting sector for budding entrepreneurs and technologists. "IT security is very hot," Shwed said during a press conference at the recent Check Point Experience user conference in Barcelona, Spain "It gets a lot of attention in the media.
"That said, information security is much more competitive; it's hard to develop something completely new. There are so many segments and sub segments, so you [have to] educate security distributors and the channel.
"But when I first started out I had to persuade people there was a market for the internet, so at least there's not that problem." ®
*A stateful firewall is programmed to keep tabs on the state of network connections (such as TCP streams or UDP communications) which move across it - a feature that made the technology more sophisticated than a simple packet filter.
The technology is designed to distinguish legitimate packets from different types of connections originating from rogue or hacker-generated traffic. Only packets matching a known active connection will be allowed to pass by the firewall; others will be rejected or blocked.
This compares with stateless inspection, which is pure packet filtering. Stateless means there is no memory of previous packets, which makes the firewall vulnerable to spoofing attacks as it has no way of knowing if any given packet is part of an existing connection, is a new connection, or is just a rogue packet.
Sponsored: Customer Identity and Access Management