Magic Quadrant for Enterprise Firewalls, 2H03

Key Issues
Who are the leading providers of security infrastructure products and services, and what are their strategies, key offerings and business practices?

What are the most-effective technologies and best practices to protect networks, systems, applications and data?

Strategic Planning Assumptions
By 2Q07, 90 percent of Global 2000 enterprises will have deployed deep packet inspection firewalls (0.9 probability).

Through 2006, 80 percent of enterprises that purchase Web defense products will buy stand-alone appliances (0.8 probability).

Although firewall vendors are adding intrusion prevention and application defenses, network- and application-level defenses will not converge fully until year-end 2006 (0.8 probability).

The enterprise firewall vendor landscape is changing as major network vendors introduce intrusion prevention capabilities. Merger activity will increase, as illustrated by Juniper Networks' acquisition of NetScreen Technologies.

Network Security Trends

During the second half of 2003, enterprises were attacked by mass-propagating worms and viruses that caused widespread network outages and fueled new investments in technologies to combat these threats. In response, firewall vendors have begun to incorporate defenses based on signature and protocol anomaly detection into their products. Also, several vendors are targeting Extensible Markup Language (XML) firewalling. Parsing XML and checking for protocol anomalies at wire speeds is a daunting task. In theory, the schema could be different for every message. A greater challenge will be performing full XML parsing and filtering. In addition, decryption, checking digital signatures and blocking malicious code will drive innovation, but will require investment in hardware acceleration.

"Four Paths to True Network Security" analyzed four network security approaches with a common goal: a deep packet inspection firewall that enforces security policy based on payload content, as well as traditional packet-header analysis. Many network security vendors appear on the Enterprise Firewall Magic Quadrant. Layer 4-7 switch vendors are developing application defenses; application-specific firewall vendors are adding network firewall capabilities; and intrusion prevention system vendors are adding firewalls and application-specific defenses. Although firewall vendors are adding intrusion prevention and application defenses, network- and application-level defenses will not converge fully until year-end 2006 (0.8 probability).

Enterprises are deploying security devices in their trusted networks that filter out "bad stuff" while letting "good stuff" through. These intrusion prevention devices do not require the exhaustive creation of granular security policies, as routers or firewalls do. They require simpler decisions, such as "block MSBlast traffic." Intrusion prevention devices are gaining traction in universities and government agencies, as well as in enterprises that have open internal network architectures. NetScreen Technologies (acquired by Juniper Networks), Check Point Software Technologies, TippingPoint Technologies, Network Associates and Top Layer Networks offer stand-alone intrusion prevention devices.

The Magic Quadrant

The Magic Quadrant for Enterprise Firewalls, 2H03 (see Figure 1) identifies the vendors that introduce new protection technologies on an extremely short production cycle – such as in-line antivirus scans, instant messaging proxies, and Domain Name System (DNS), sendmail and File Transfer Protocol (FTP) defenses – as those that best leverage the strength of their investments in processing power. Highly weighted is the ability to decrypt Secure Sockets Layer (SSL) sessions, perform inspection and filtering, and re-establish the SSL sessions. (See "Magic Quadrant for Enterprise Firewalls, 1H03" for other evaluation criteria.)

Figure 1
Magic Quadrant for Enterprise Firewalls, 2H03


Source: Gartner Research (April 2004)

To be considered leaders, challengers or visionaries in future iterations of this Magic Quadrant, vendors must integrate network-level and application-level firewall capabilities into their products. Vendors that offer only one capability will be considered niche players.

Leaders

Check Point Software Technologies moved toward a deep packet inspection firewall by introducing Application Intelligence. In January 2004, it launched a line of intrusion prevention appliances. Although these efforts do not give Check Point the same ability to inspect traffic and block malicious sessions as pure intrusion prevention products, Check Point customers can block many known types of attacks, such as MSBlast, that continue to affect enterprises. Check Point must continue to develop relationships with hardware platform vendors, or it risks losing the performance race to hardware-based appliances.

Juniper Networks (NetScreen Technologies) added intrusion prevention capabilities to its platforms via a flash upgrade in October 2003. We believe NetScreen's acquisition by Juniper Networks (finalized 16 April 2004) is a positive event for NetScreen's customers, provided that rapid product changes do not cause too much disruption through version churn. It also supports our contention that networking is undergoing a painful transition from the "traffic light" mentality of "the packets must get through" to a value-added service model that deletes malicious traffic in transit. The underlying drivers of this transition are concerns about spam and worms, which comprise 30 percent of network traffic in some carrier backbones. Thus, more merger activity in the network security area likely will occur. For example, strong network and application-switching hardware vendors likely will acquire visionary software security companies.

Challengers

Cisco Systems, the network hardware juggernaut, has been frustratingly quiet about its plans to embrace the market trend toward deep packet inspection. Cisco intends to purchase Riverhead Networks, thus acquiring a denial-of-service defense product line and anomaly detection services that can work with Cisco switches and firewalls to detect and block worms inside networks. As enterprises look for more protection for their critical assets, Cisco will address new security threats by investing in host-based security (see "Cisco to Buy Okena, Try to Compete in Security Software"). Host-based solutions are extremely effective at protecting critical assets; however, they are not a complete solution.

Microsoft maintains that its ISA Server was a response to customers' demands for a security solution optimized to help protect Microsoft applications, such as Exchange, Internet Information Server and SharePoint. However, network security is about network processing, and servers – with their operating system overhead, standard components, reliance on disk swap space and poor reliability records – should not be used as network gateways. Microsoft should devote its security development resources to creating secure applications and improving operating system security.

Radware is an application switch and load-balancing vendor that leads similar vendors in understanding the importance of security to its customers. Radware recognized that a Layer 4-7 device, such as a content switch, is an excellent place to inspect traffic and apply security policies, and introduced the DefensePro line of intrusion prevention appliances.

Visionaries

Fortinet experienced tremendous growth in 2003. It has built momentum with small and midsize business (SMB) solutions that include firewalls, virtual private networks (VPNs) and antivirus tools. Fortinet has begun to encroach on NetScreen, Check Point and Cisco in the traditional firewall market. Its challenge is to continue to deploy application and deep packet defenses in its appliances.

iPolicy Networks moved into the Visionaries quadrant with an architecture of a central session processing engine and multiple content blades that can block traffic based on signatures, rules and other content. iPolicy must gain market recognition for its stand-alone firewall, as well as for its technology-leading application defense and intrusion prevention solution.

MagniFire WebSystems is a startup in the application-specific firewall area that takes a different approach to enforcing a "positive security model": MagniFire enforces a security policy of "deny everything except that which is explicitly allowed." Building that policy is the challenge for application-specific firewalls. MagniFire's product "crawls" the Web application site, and thus can inspect dynamic scripts and protect the application from parameter tampering and attacks against the logic embedded in those active elements. MagniFire must develop a hardware acceleration road map.
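The two policy styles this note contrasts, the intrusion prevention device's "block known bad traffic" decision and the application-specific firewall's "deny everything except that which is explicitly allowed" model, can be shown side by side in a few dozen lines. The following is an added illustration, not code from Gartner or from any vendor named here: a toy HTTP request inspector with a negative (signature) stage and a positive stage whose policy is learned from a baseline of known-good requests, standing in for the crawl MagniFire's product performs. The signatures, the baseline requests and the value classes are all constructed for the example. The last test case shows the challenge the paragraph names: a legitimate request carrying a parameter the crawl never saw is denied, so the policy must be kept complete or the application breaks.

```python
"""Added example: negative-model (signature) and positive-model (learned
allowlist) request inspection. Everything below is constructed for
illustration; the signatures are generic patterns, not a vendor rule set."""
from __future__ import annotations

import re
from urllib.parse import parse_qsl, urlsplit

# --- Negative model: block content that matches a known-bad signature -------
SIGNATURES = {
    "directory-traversal": re.compile(rb"\.\./"),
    "shell-interpreter": re.compile(rb"cmd\.exe|/bin/sh", re.IGNORECASE),
    "nop-sled": re.compile(rb"\x90{32,}"),
}


def match_signatures(payload: bytes) -> list[str]:
    """Return the names of every signature the payload triggers."""
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]


# --- Positive model: learn what the application accepts, deny the rest ------
# Value classes, narrowest first; a learned class is widened, never narrowed.
CLASS_RANK = {"int": 0, "token": 1, "text": 2}
CLASS_PATTERNS = {
    "int": re.compile(r"\d{1,10}"),
    "token": re.compile(r"[A-Za-z0-9_.@-]{1,64}"),
    # Free text: bounded length, no angle brackets, quotes or control bytes.
    "text": re.compile(r"[^<>\"'\x00-\x1f]{1,256}"),
}


def _value_class(value: str) -> str:
    """Narrowest class that accepts an observed good value."""
    for cls in ("int", "token", "text"):
        if CLASS_PATTERNS[cls].fullmatch(value):
            return cls
    return "text"


def learn_policy(baseline: list[tuple[str, str]]) -> dict:
    """Build {(method, path): {param: class}} from crawled good requests."""
    policy: dict = {}
    for method, target in baseline:
        parts = urlsplit(target)
        params = policy.setdefault((method, parts.path), {})
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            cls = _value_class(value)
            if name not in params or CLASS_RANK[cls] > CLASS_RANK[params[name]]:
                params[name] = cls
    return policy


def enforce(policy: dict, method: str, target: str) -> tuple[str, str]:
    """Positive model: allow only (method, path, params) the policy describes."""
    parts = urlsplit(target)
    allowed = policy.get((method, parts.path))
    if allowed is None:
        return ("deny", f"no policy for {method} {parts.path}")
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in allowed:
            return ("deny", f"unknown parameter {name!r}")
        if not CLASS_PATTERNS[allowed[name]].fullmatch(value):
            return ("deny", f"parameter {name!r} outside learned class {allowed[name]}")
    return ("allow", "matches learned policy")


def inspect(policy: dict, method: str, target: str, body: bytes = b"") -> tuple[str, str]:
    """Run the negative stage first, then the positive stage."""
    hits = match_signatures(target.encode() + body)
    if hits:
        return ("deny", "signature: " + ",".join(hits))
    return enforce(policy, method, target)


# Constructed baseline, standing in for what a crawl of the site would record.
BASELINE = [
    ("GET", "/catalog/item?id=17"),
    ("GET", "/catalog/item?id=2045"),
    ("GET", "/search?q=red+shoes"),
    ("POST", "/account/login?user=alice&next=/catalog"),
]
POLICY = learn_policy(BASELINE)

if __name__ == "__main__":
    for method, target in [
        ("GET", "/catalog/item?id=17"),            # allow
        ("GET", "/catalog/item?id=17 OR 1=1"),     # deny: parameter tampering
        ("GET", "/catalog/item?id=17&debug=1"),    # deny: parameter not learned
        ("GET", "/search?q=../../etc/passwd"),     # deny: signature hit
        ("GET", "/admin/backup"),                  # deny: path not learned
        ("GET", "/catalog/item?id=17&ref=mail"),   # deny, but legitimate: policy gap
    ]:
        print(f"{method} {target:40} -> {inspect(POLICY, method, target)}")
```

Note where each stage earns its keep: the signature stage catches the traversal string regardless of which page it targets, while the `id=17 OR 1=1` and `debug=1` requests carry nothing a signature would recognise and are stopped only because the learned policy says `id` is an integer and `debug` does not exist. The `ref=mail` case is the cost of that precision.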

NetContinuum has taken the application-specific firewall path to network security. Its NC-1000 is designed to terminate SSL sessions and inspect Web traffic, as well as apply a positive security model to Web application access. NetContinuum moved toward firewalls by introducing an ICSA-Labs-certified firewall capability. It is beginning to offer protection for other protocols that usually are in the transaction zone, notably FTP.

Network Associates has experienced fast market acceptance of its IntruShield product line, which it acquired from IntruVert. Network Associates is leading the market in pure-play intrusion prevention installations. Its challenge is to add full firewalling capability to its IntruShield products.

Teros is targeting the application-specific firewall area and has introduced XML parsing and filtering. Although Gartner contends that the firewall space will always be driven by throughput – and thus will always need hardware – the advantage to having a well-architected software-based solution is that it enables vendors such as Teros to quickly adapt new technologies that emerge from the security processor industry. Teros' challenge is to introduce additional hardware-accelerated capabilities within its "hardened" appliances to help it win competitive bids.

TippingPoint Technologies is obtaining industry recognition with a high-throughput, low-latency intrusion prevention appliance. With stellar performance results from an independent test lab for its intrusion prevention system functions and traffic-shaping capability, TippingPoint is gaining early penetration into universities, as well as Type A (early technology adopter) enterprises. Its successful visit to public markets for additional funding demonstrates its execution strength.

Top Layer Networks moved into the Visionaries quadrant by adding a full, stateful, deep packet inspection firewall to its network appliances, which originally were designed to defend against denial-of-service and HTTP worm attacks. Top Layer's ASIC-based appliance, which has multiprocessing engines, can block protocol anomalies and signature-based attacks at high speed and with low latency.

Whale Communications is focused on the SSL VPN market, although its technology can process and apply security policies to any payload traffic. Many customers are attracted to Whale Communications because of its positive security model.

Niche Players

CyberGuard offers a high-performance, EAL4-certified firewall that is based on a hybrid of application proxy and stateful inspection.

F5 Networks' Universal Inspection Engine could be the basis of security policy enforcement in front of critical Web assets. F5's challenge is to introduce a package of security capabilities in its Big IP product line.

KaVaDo is garnering investment from venture capitalists for its companion products: an application-specific firewall and an application scanner that builds the blocking policy for the firewall.

Sanctum was one of the first firewall vendors to focus on protecting Web applications. Recent market traction has favored its AppScan product, which identifies application vulnerabilities. Application vulnerability scanning likely will continue to be a growth area for Sanctum.

Secure Computing has fully integrated its Gauntlet acquisition and introduced the Sidewinder G2 Security Appliance family of products. Although essentially a software solution vendor, Secure Computing has done a good job of turning its products into appliances. Sidewinder G2's fundamental proxy architecture provides many application defenses that have done well against worms and application-layer attacks. Secure Computing's industry-leading software architecture, which includes parallel processing of packets, has enabled it to create a competitive platform.

SonicWALL has been slow to move into the application defense area with an offering to address Check Point's and NetScreen's moves. An investment in hardware-based network processing capabilities would enable SonicWALL to translate large enterprise solutions into products that SMBs require. Management turnover may impair SonicWALL's ability to innovate fast enough to keep pace with other vendors.

Symantec remains a niche player in the enterprise firewall market. The old Raptor technology in the Symantec Enterprise Firewall is being replaced more often than it is purchased. By contrast, the Symantec Secure Gateway Appliance is newer software, delivered on an appliance, that provides firewall, intrusion detection, content filtering, VPN and antivirus functions. This is a good solution for the SMB market, and perhaps for remote offices.

WatchGuard Technologies is profiting from its series of low-cost, easy-to-manage appliances. Integrating more security features in a low-cost appliance gives WatchGuard a highly competitive product for remote/branch offices. As application defenses become standard in high-end firewalls, SMBs will start to demand similar protection.

Not on the Magic Quadrant

Blue Coat Systems has been omitted from this iteration of the Magic Quadrant because it has focused on controlling Internet communications and content via a proxy. Its ProxySG appliance is the leading solution in that area.

Acronym Key
DNS – Domain Name System
FTP – File Transfer Protocol
SMB – small and midsize business
SSL – Secure Sockets Layer
VPN – virtual private network
XML – Extensible Markup Language

Bottom Line: As network traffic becomes predominantly malicious or unwanted due to worms, viruses, scans, spam and file sharing, network-traffic-handling devices must evolve from "stoplights" to "border checkpoints." The first devices to evolve beyond simple "pass/go" logic will be the firewalls offered by visionaries and leaders on the Magic Quadrant for Enterprise Firewalls, 2H03.

Gartner RAS Core Research Note M-22-5175, R. Stiennon, 20 April 2004.

This document and its content is for internal use only. External use requests must be reviewed and approved by Gartner Vendor Relations via email at quote.requests@gartner.com

The Magic Quadrant is copyrighted 2004 by Gartner, Inc. and/or its Affiliates and is reused with permission, which permission should not be deemed to be an endorsement of any company or product depicted in the quadrant. The Magic Quadrant is Gartner, Inc.'s opinion and is an analytical representation of a marketplace at and for a specific time period. It measures vendors against Gartner defined criteria for a marketplace. The positioning of vendors within a Magic Quadrant is based on the complex interplay of many factors. Gartner does not advise enterprises to select only those firms in the "Leaders" quadrant. In some situations, firms in the Visionary, Challenger, or Niche Player quadrants may be the right matches for an enterprise's requirements. Well-informed vendor selection decisions should rely on more than a Magic Quadrant. Gartner research is intended to be one of many information sources including other published information and direct analyst interaction. Gartner, Inc. expressly disclaims all warranties, express or implied, of fitness of this research for a particular purpose.