MQ for IPsec VPN Equipment, 2004: Leaders and Challengers

Key Issue
Which vendor solutions and approaches will be most successful in the next five years?

Strategic Planning Assumption
Through 2009, Internet VPNs will not be as reliable, secure or consistent as WANs (0.8 probability).

But the Internet will be good enough for all business-to-consumer traffic, 70 percent of business-to-business traffic, more than half of corporate WAN traffic, and cell-quality voice over Internet Protocol (VoIP) through 2009 (0.8 probability).

Related Research
"The Internet: The Only Real Global Carrier."
"Hype Cycle for Networking and Communications, 2004."
"An Introduction to IP VPNs."

More and more firms are replacing WANs with less-expensive, IP-based virtual private networks. Here we categorize vendors whose products are generally the safest choices, though not necessarily the best for you.

Overview

Organizations are continuing to take advantage of the cost benefits of Internet connections compared to private WANs. Some organizations choose managed virtual private network (VPN) services, but many are building their own, using VPN equipment and Internet services from different suppliers. This Magic Quadrant (see Figure 1) focuses on the VPN equipment that companies buy to build their own IPsec VPNs. Managed service providers use this equipment to offer end users encrypted IPsec VPN services based on customer premises equipment (CPE). Companies that have decided to adopt a CPE-based encrypted IPsec VPN for site-to-site connectivity can use the Magic Quadrant to select the appropriate IPsec VPN equipment.

Figure 1
Magic Quadrant for IPsec VPN Equipment, 2004

Source: Gartner Research (September 2004)

Besides evaluating IPsec VPN security features with a focus on secure site-to-site connectivity, Gartner considered WAN features like routing protocols, multicast Internet Protocol (IP) support and quality of service (QOS) facilities. To qualify as a market leader, a vendor needs to have a product and worldwide service story that extends from high-performance concentrators to low-cost appliances for small broadband-connected sites. Features, performance, resilience, manageability and ease of deployment are all important product evaluation criteria. The Magic Quadrant takes the level of support for individual remote users using Point-to-Point Tunneling Protocol (PPTP), IPsec and Layer Two Tunneling Protocol (L2TP) into consideration, but does not include Secure Sockets Layer (SSL) VPNs because they are a separate buying center and are covered by a separate Magic Quadrant. This Magic Quadrant is concerned only with VPNs that derive their privacy from encryption. It does not evaluate or comment on VPNs that are based on switching-layer privacy, such as frame relay or Multiprotocol Label Switching (MPLS).

Leaders

Check Point Software Technologies
Check Point's firewall and VPN software requires a separate hardware platform to provide a complete solution. Check Point's largest platform provider, Nokia, has been evaluated separately. Gartner's rating for Check Point is based on the company's own appliances, and on third-party platforms other than those provided by Nokia.

Check Point achieved the highest score for its VPN security vision, particularly in authentication and remote client support, which was enhanced by Check Point's acquisition of Zone Labs. Check Point is one of only two vendors in this Magic Quadrant that have achieved ICSA Labs 1.0D IPsec certification. The company's well-established Open Platform for Security (OPSEC) alliance program has resulted in the availability of a wide range of gateway antivirus and other third-party security applications. Check Point SmartDefense provides adequate intrusion management.

The primary shortfall of Check Point's solution is its incomplete hardware product range. The company offers its own hardware and software solutions for small and midsize sites, but large sites require third-party hardware platforms. Check Point's SecureXL Turbocard, in a standard Intel or AMD platform, yields a competitively priced, high-performance (with 2.4-Gbps 3DES) VPN concentrator for companies that are happy to integrate hardware and software themselves. Check Point's routing features, which include IP multicast support and optional FloodGate-1 for QOS management, are good. However, the company's solutions lack WAN interfaces. As a result, most organizations will need broadband modems for small sites and WAN routers for large sites. This, along with the need for third-party platforms, makes deploying site-to-site VPNs more complex than with Cisco VPN routers.

Cisco Systems
The overall market leader, Cisco Systems, offers well-featured IPsec VPN support across a number of product ranges – including almost all of the company's routers, where wire-speed encryption requires an optional hardware module (except on small- or home-office models). Besides the VPN routers, Cisco offers a dedicated VPN range (VPN 3000), which is focused on remote access, but also supports site-to-site VPN connectivity. Optional hardware-accelerated IPsec VPN is available for Cisco's PIX Firewalls and Catalyst 6500 switches.

The complex choice of products is one of the few shortcomings of Cisco's VPN solutions. Its security vision is more than adequate, but its authentication is not as capable as that of Check Point Software Technologies, and Gartner rates Juniper Networks' (NetScreen Technologies') intrusion prevention as more visionary than that of Cisco. Performance, networking features and resilience capabilities are excellent in most cases, but features vary across the different ranges. Cisco's VPN routers offer the best solution for site-to-site VPN connectivity, ranging from small-site models with optional broadband modem, through to central-site models with multiple Optical Carrier Level 3 (OC-3) and High-Speed Serial Interfaces (HSSIs). For very large sites, the Catalyst 6500 can provide up to 14 Gbps of 3DES throughput.

Cisco has concentrated on secure WAN connectivity, and the VPN routers (but not the VPN 3000 range) include firewall capabilities, but lack antivirus or spam protection. Cisco achieved the highest share of the worldwide enterprise VPN equipment market in 2003. Gartner views Cisco as the leading VPN vendor for large networks, especially those that are replacing private circuits. However, companies should expect to pay a price premium (particularly for the VPN 3000 range) for Cisco solutions in comparison with those of smaller vendors.

Juniper Networks (NetScreen Technologies)
NetScreen's firewall and VPN products are well-featured, and Juniper is one of only two vendors in this Magic Quadrant that have achieved ICSA Labs 1.0D IPsec certification. As well as firewall and VPN, NetScreen's appliances include intrusion prevention capabilities, and some models include Trend Micro's antivirus technology. In addition, the company's networking features are good in most cases, and include IP multicast and QOS, as well as high-availability capabilities on larger models.

NetScreen pioneered dynamic VPN configuration, a feature that has become available from other vendors, including Cisco. The NetScreen range runs from small-site models with optional broadband modem, through to a model that is capable of 6-Gbps 3DES. NetScreen demonstrates good vision and understanding of enterprise site-to-site connectivity needs, except for the lack of integrated WAN interfaces. Most companies will need WAN routers for site-to-site connectivity, except for broadband or Ethernet WAN sites. NetScreen products are well-suited to large, high-performance networks, and Gartner expects to see further models with integrated WAN ports now that NetScreen is part of router vendor Juniper.

Gartner believes that NetScreen's acquisition by Juniper is a positive event for NetScreen's customers, as long as rapid product changes do not cause too many disruptions based on version churn. Juniper has become the most likely candidate to challenge Cisco's dominance of the enterprise site-to-site WAN equipment market successfully.

Nortel Networks
Nortel Networks' Contivity VPN product range is well established in the enterprise market, with a worldwide share of VPN equipment spending that is second only to Cisco. Nortel has long-established service provider and integration partners, but it has been losing "mind share" in the enterprise network equipment market because of its lack of marketing and lackluster efforts by its sales force.

Contivity is a good site-to-site VPN product with upward compatibility to the carrier-oriented Shasta line, but its only additional security feature is an uncertified firewall. Networking features are excellent, and include a wide range of WAN interfaces and a small-site model with integrated broadband modem. Contivity's resilience features are extensive. However, its IPsec performance is barely adequate at a maximum of 200 Mbps for 3DES.

Contivity has excellent customer references. However, with uncertainty over Nortel's recent financial performance, there continue to be doubts about the company's ability to execute. Contivity is in danger of falling out of the leaders' quadrant unless Nortel can improve the product range's encryption performance, and add firewall and intrusion management capabilities. It continues to be a sound choice in networks that are based on legacy WAN connections, particularly where Internet access is controlled at central sites rather than provisioned at each branch.

Challengers

Nokia
Nokia's IP Security Platform appliances are designed to support Check Point's security software. Gartner has rated Nokia with Check Point in the past, but has decided to rate the two companies separately in this Magic Quadrant. Gartner has taken this more conservative approach because it sees signs of a weakening of the relationship between the two vendors. Nokia appliances account for a substantial portion of Check Point's sales, but Check Point has introduced its own hardware platforms in competition with Nokia.

The combination of Nokia's reliable, high-performance platform (with up to 1.8-Gbps 3DES encryption) and Check Point's visionary software continues to be a sound solution for large VPNs. But the solution is in danger of falling behind the market leaders if there is any further weakening of the close relationship between the two companies.

Gartner has rated the capabilities of the complete Nokia and Check Point solution, which is sold through the two vendors' distribution channels, but has not credited Nokia for Check Point's potential for innovation or execution. Nokia has been credited for innovation and execution related to its hardware (which includes optional WAN interfaces), its hardened operating system and supporting (non-Check Point) security applications.

Bottom Line: Leaders and challengers offer the products with the lowest risk, but not necessarily at the lowest cost or with the most leading-edge features. Organizations' needs vary considerably. As a result, vendor and product choice should be based on a sound analysis of each organization's specific security, performance, resilience, wide-area connectivity and maintainability needs, as well as total cost of ownership.

Gartner RAS Core Research Note G00123466, A. Rolfe, J. Girard, 23 September 2004.

The enterprise firewall vendor landscape is changing as major network vendors introduce intrusion prevention capabilities. Merger activity will increase, as illustrated by Juniper Networks' acquisition of NetScreen Technologies.

This document and its content is for internal use only. External use requests must be reviewed and approved by Gartner Vendor Relations via email at quote.requests@gartner.com

The Magic Quadrant is copyrighted 2004 by Gartner, Inc. and/or its Affiliates and is reused with permission, which permission should not be deemed to be an endorsement of any company or product depicted in the quadrant. The Magic Quadrant is Gartner, Inc.'s opinion and is an analytical representation of a marketplace at and for a specific time period. It measures vendors against Gartner defined criteria for a marketplace. The positioning of vendors within a Magic Quadrant is based on the complex interplay of many factors. Gartner does not advise enterprises to select only those firms in the "Leaders" quadrant. In some situations, firms in the Visionary, Challenger, or Niche Player quadrants may be the right matches for an enterprise's requirements. Well-informed vendor selection decisions should rely on more than a Magic Quadrant. Gartner research is intended to be one of many information sources including other published information and direct analyst interaction. Gartner, Inc. expressly disclaims all warranties, express or implied, of fitness of this research for a particular purpose.