Magic Quadrant for Network Firewalls, 2H04

Key Issue
Who are the leading providers of security infrastructure products and services, and what are their strategies, key offerings and business practices?

Firewalls are a mature technology, but the technology landscape and evolving threats demand continuing improvements. Firewall buyers have choices, as illustrated by Gartner's latest Magic Quadrant for the network firewall market.

In this firewall Magic Quadrant for the second half of 2004, Gartner continues to examine a rapidly changing market. The new vendors, enhanced technologies and defenses against new threats in the firewall space demonstrate once again that the security market is different from other markets for IT products and services: the ever-evolving threat is the primary driver of change. Each new development in computing or networking brings with it new exposures, which are exploited first for "fun" and later for profit. The most relied-on network safeguard to "keep the bad guys out" is still the firewall.

Next-generation firewalls (NGFWs), which incorporate deep packet inspection into the edge-of-enterprise stateful firewall, are moving into second-generation products. Netscreen paved the way in this area, closely followed by Check Point Software Technologies. Fortinet and iPolicy were early in adding in-line antivirus, and they are now adding anti-spam and URL content blocking. As Gartner detailed in "Network Security Platforms Will Transform Security Markets," we believe next-generation firewall capabilities will be delivered in stand-alone appliances first and then in "in the cloud" implementations integrated in high-speed switches.

Web application firewall vendors are starting to combine forces with application-delivery/content-switching vendors. F5 purchased the startup MagniFire. Teros announced a partnership with NetScaler. NetContinuum announced XML firewalling through its partnership with Forum, and is popular for its Secure Sockets Layer (SSL) and load-balancing capabilities. F5, Teros, Imperva and NetContinuum, as a multivendor consortium, recently developed baseline test criteria for application firewalls, which they are submitting to the International Computer Security Association (ICSA). Gartner believes that Web application-specific protection will migrate into such content delivery network products, while deep packet inspection intrusion prevention system (IPS) technologies and network stateful firewall technologies will be delivered in NGFWs.

In this look at firewall appliances, Gartner used the following criteria.

The key criteria for placement along the Ability to Execute axis have not changed significantly. They include:

  • An ongoing history of success in the traditional firewall market
  • Financial strength: growing revenue, the size of investor funding and headcount
  • Partnerships and channels, including partnerships with high-speed processing platforms and content inspection leaders
  • "Mind share" and visibility in the space
  • Breadth of product line

The key criteria for placement along the Completeness of Vision axis still include:

  • Wide ability to recognize and block attacks
  • Ability to recognize the needs of the enterprise and build them into the product
  • Investment in specialized network processing hardware (application-specific integrated circuits, or ASICs) or in off-the-shelf content and security processors, to do stateful and deep packet inspection at wire speed
  • Central management of many remote devices, including bidirectional communications
  • Ability to load balance or to configure in a highly available mode
  • Logging and reporting
  • Fast-paced rollout of new application defenses

We identify the vendors that introduce new protection capabilities on an extremely short production cycle as the ones best leveraging their investment in processing power. Examples include scanning for viruses in-line, proxying instant messaging, and providing protocol-specific defenses for DNS, Sendmail, FTP and others. A significant future challenge for all vendors will be full XML parsing and filtering. The ability to decrypt an SSL session, inspect and filter the cleartext, and then re-establish the SSL session is also considered.

To be considered a leader, a vendor must have network-level firewall capabilities and deep packet inspection in an integrated product, and be continuously providing new features to answer new threats.

Figure 1
Magic Quadrant for Network Firewalls, 4Q04

Source: Gartner Research (December 2004)

Leaders

Check Point Software is addressing market challenges on many fronts. It is meeting the SSL virtual private network (VPN) challenge with its SSL termination devices (Connectra). It is addressing remote device security through the acquisition of ZoneLabs. Web application defense is being addressed by the Web Intelligence feature set. Check Point will not be best-of-breed in all of these areas, but its technology serves its customers' immediate needs and is available on an impressive array of original equipment manufacturer (OEM) platforms, including blades and network switches. Check Point has taken advantage of the relative inactivity of Cisco Systems and Juniper to keep delivering enhancements. Gartner clients report that competitors' prices for similar offerings are lower, and up-and-comers such as Fortinet are exploiting this; Check Point has responded by offering its own appliances and the Secure Platform version for Intel processors.

Juniper has completed its acquisition of Netscreen. With that distraction now largely behind it, Juniper has the component products to do firewalling, switching, routing and intrusion prevention in a single platform. Enhancing the platform and integrating it with Layer 2-4 capabilities would produce the next generation of network and security devices, and stronger competition for Cisco and Check Point. Gartner clients conducting product selections have been giving Netscreen high marks for its management capabilities and interface.

Challengers

Cisco has been slow to fully develop deep packet inspection within its PIX firewall products to counter new network-based threats. Because Cisco is not a pure-play security vendor, it tends to add security features and functions reactively rather than proactively. Even so, its installed base is impressive, and "good enough" security is clearly sufficient for many enterprises that value a single-vendor relationship. Competitors are introducing better management interfaces that scale to hundreds or even thousands of devices. Cisco has also been making changes across all of its firewall platforms (blades in Cisco switches, integrated services routers) that make the network devices themselves implement network security, a task more challenging than updating a single firewall appliance product.

Microsoft significantly upgraded its Web application firewall (ISA Server) with the 2004 release. In addition to expanding the security feature set, ISA Server 2004 has bridged some of the host/network gap by including network quarantine functions. Small and midsize businesses (SMBs), the traditional stronghold of Microsoft products, are, however, purchasing competing application firewalls more often than ISA Server. Microsoft needs to provide more OEM hardware choices if it is to offer a competitive Web application firewall in a market where software-only solutions are at a disadvantage.

Visionaries

MagniFire was one of the newest vendors in the application-specific firewall space and, in a trend-setting move, was acquired by F5. The acquisition has significantly enhanced its position on the Ability to Execute axis. The application switch and firewall markets appear to be converging; this acquisition, the announced partnership between Teros and NetScaler, and the combined capabilities of NetContinuum all support this observation.

Fortinet, buoyed by the success of Netscreen in contending for the Leaders quadrant, has begun to encroach into the enterprise space. With the momentum it has built for SMB solutions that include a stateful firewall, IPS, VPN and antivirus (its own engine), its challenge is to leverage its solution into internal network deployments, and to get onto shortlists for big deals. Fortinet's interface and management set a high bar for competitors.

iPolicy is one of the most visionary vendors in this Magic Quadrant. Its architecture, a central session-processing engine feeding multiple content blades that can block on signatures, rules and other criteria, is the closest to the network security ideal. Deployments in network carriers demonstrate the granularity of iPolicy's management interface and the high throughput of which its appliances are capable.

NetContinuum has taken the application-specific firewall path. The NC-1000 is designed to terminate SSL sessions, inspect Web traffic and apply a positive security model to Web application access. NetContinuum includes an ICSA-certified stateful network firewall and is beginning to offer protection for the other protocols usually present in the transaction zone. Its partnership with Forum Systems to provide XML security services and its recognition of the role of purpose-built hardware demonstrate that it has earned its visionary position in the application firewall pack.
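The three layers this note keeps distinguishing, the stateful network firewall, deep packet inspection as the NGFW criterion set out in the criteria section, and the positive security model that NetContinuum applies to Web application access, are easiest to compare by running them side by side. The following is an added example, not code from Gartner or from any vendor named on this page: a toy pipeline in Python in which a plain stateful filter and the integrated stateful + DPI + positive-model pipeline see the same constructed packets. The addresses, the two DPI signatures, the application model and all class and function names are constructed for illustration.

```python
# Toy next-generation firewall: stateful filter -> deep packet inspection ->
# positive security model. Added illustration only: addresses, signatures and
# the application model are constructed, and none of this is a vendor's code.
import re
from collections import namedtuple
from urllib.parse import parse_qsl

INSIDE_PREFIX = "10.0.0."   # constructed: the protected network
WEB_PORT = 80               # the one service published to the outside
Packet = namedtuple("Packet", "src sport dst dport flags payload", defaults=("A", b""))  # flags: S, A, SA

def is_inside(ip):
    return ip.startswith(INSIDE_PREFIX)

class StatefulFirewall:
    """Stateful inspection: admit new flows only from inside or to the published
    port, then admit every packet of a tracked flow, never reading the payload.
    Flow teardown and timeouts are omitted."""
    def __init__(self):
        self.flows = set()      # (src, sport, dst, dport) as sent by the initiator

    def check(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.flows or rev in self.flows:
            return True, "stateful: established flow"
        if pkt.flags == "S" and is_inside(pkt.src) and not is_inside(pkt.dst):
            self.flows.add(fwd)
            return True, "stateful: new outbound flow"
        if pkt.flags == "S" and not is_inside(pkt.src) and pkt.dport == WEB_PORT:
            self.flows.add(fwd)
            return True, "stateful: new inbound flow to the published service"
        return False, "stateful: no matching state"

# Constructed negative signatures: (destination port, pattern, verdict).
SIGNATURES = [
    (80, re.compile(rb"\.\./"), "DPI: path traversal in HTTP request"),
    (80, re.compile(rb"(?i)union\s+select"), "DPI: SQL injection pattern"),
]

def deep_inspect(pkt):
    """Negative model: block any payload that matches a known-bad signature."""
    for port, pattern, verdict in SIGNATURES:
        if pkt.dport == port and pattern.search(pkt.payload):
            return False, verdict
    return True, "DPI: no signature matched"

# Constructed positive model: the only paths the application serves and, per
# path, the only parameters and the form each may take.
APP_MODEL = {
    "/login": {"user": re.compile(r"^[a-z0-9_]{1,32}$"), "pw": re.compile(r"^.{1,64}$")},
    "/search": {"q": re.compile(r"^[\w ]{1,64}$")},
}
REQUEST_LINE = re.compile(rb"^(GET|POST) (\S+) HTTP/1\.[01]\r\n")

def positive_model(pkt):
    """Positive model: admit only requests that fit the declared application."""
    if pkt.dport != WEB_PORT or not is_inside(pkt.dst) or not pkt.payload:
        return True, "positive: not a request to the protected application"
    m = REQUEST_LINE.match(pkt.payload)
    if not m:
        return False, "positive: malformed request line"
    path, _, query = m.group(2).decode("ascii", "replace").partition("?")
    if path not in APP_MODEL:
        return False, f"positive: undeclared path {path}"
    for name, value in parse_qsl(query, keep_blank_values=True):   # decodes %xx
        rule = APP_MODEL[path].get(name)
        if rule is None or not rule.match(value):
            return False, f"positive: parameter {name} undeclared or malformed"
    return True, "positive: request conforms to the application model"

def ngfw_process(stateful, pkt):
    """The integrated product: stateful filter, then DPI, then positive model."""
    for stage in (stateful.check, deep_inspect, positive_model):
        ok, reason = stage(pkt)
        if not ok:
            return False, reason
    return True, "allowed by all stages"

def run_demo():
    """Same constructed packets through a plain stateful firewall and the NGFW;
    returns (label, stateful verdict, NGFW verdict) per packet."""
    plain, ngfw_state = StatefulFirewall(), StatefulFirewall()
    client, web, host, ext = "198.51.100.7", "10.0.0.80", "10.0.0.5", "192.0.2.9"
    def http(body):             # data packet on the inbound web flow
        return Packet(client, 51000, web, WEB_PORT, "A", body)
    packets = [
        ("outbound SYN", Packet(host, 40000, ext, 443, "S")),
        ("reply SYN/ACK", Packet(ext, 443, host, 40000, "SA")),
        ("unsolicited inbound SYN to SSH", Packet(client, 5555, host, 22, "S")),
        ("inbound SYN to web server", Packet(client, 51000, web, WEB_PORT, "S")),
        ("benign search", http(b"GET /search?q=firewalls HTTP/1.1\r\nHost: www\r\n\r\n")),
        ("traversal, literal", http(b"GET /search?q=../../etc/passwd HTTP/1.1\r\n\r\n")),
        ("traversal, URL-encoded", http(b"GET /search?q=%2e%2e%2fetc%2fpasswd HTTP/1.1\r\n\r\n")),
        ("undeclared path", http(b"GET /admin/export?format=csv HTTP/1.1\r\n\r\n")),
        ("undeclared parameter", http(b"GET /search?q=x&debug=1 HTTP/1.1\r\n\r\n")),
    ]
    return [(label, plain.check(pkt)[0], ngfw_process(ngfw_state, pkt)[0]) for label, pkt in packets]

if __name__ == "__main__":
    print(*run_demo(), sep="\n")
```

Running the block prints one tuple per packet. The plain stateful firewall drops the unsolicited SYN to port 22 but admits every payload on the established Web flow, so the last four requests pass it; the signature stage catches only the literal "../", while the URL-encoded traversal and the requests to a path and a parameter the application never declared are caught only by the positive model. Two caveats a practitioner would add: the signature stage here inspects single packets as raw bytes, so it is subject to the fragmentation and encoding evasions that shipping products counter with stream reassembly and normalization, and the positive model has to be learned or declared per application and maintained as the application changes, which is the operational cost of that approach.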

Teros is targeting the application-specific firewall space. Although Gartner contends that the firewall space will always be driven by throughput (hence the need for hardware), a fast software-only solution has one advantage: it lets a vendor such as Teros quickly adopt new technologies coming from the security processor industry. Teros will also be able to partner with infrastructure vendors, as in its recently announced agreement with NetScaler.

Although Whale Communications is a pioneer in Web application firewall technology, it has leveraged SSL VPN capabilities to enter the remote-access market. The firewall foundations of the product position Whale well for protecting remote access to critical applications.

Niche Players

CyberGuard's hybrid firewall has been broadened and has integrated content filtering, anti-spam and antivirus. Although CyberGuard is providing improved Layer 7 defenses with its TSP line, this is not yet an NGFW capability.

Kavado is focusing on Web application firewalling. Its challenge is to partner with gateway firewall vendors and the newer intrusion prevention vendors to offer complete protection for the transaction zone.

Secure Computing finds itself battling competition on many fronts. While traditional stateful inspection firewalls have gained and maintained market dominance, the new breed of ASIC-based appliances challenges them on the low end. The Sidewinder G2 firewall is a hybrid (stateful inspection as well as application proxy) firewall. Secure Computing is a well-named company: its firewalls are popular with security and intelligence agencies.

Stonesoft is a well-established niche player in the firewall space. StoneGate is popular for its load balancing and high availability. Stonesoft is the dominant vendor of firewalls for IBM iSeries computers and a "made in Europe" choice for the European Union.

Symantec combined functionality and improved pricing in the Symantec Secure Gateway Appliance, which is helping Symantec to get a foothold in the remote-office market. Symantec has invested extensively in its 7100 series IPS offering, and its success will probably determine Symantec's future as a network security player. Symantec's planned acquisition of Veritas Software may divert attention from its play in the firewall market. Gartner clients are replacing Symantec firewalls more often than acquiring them.

Sanctum, one of the first vendors in the Web application firewall space, was sold to Watchfire, a Canadian company looking to expand its product offerings into the application defense arena.

WatchGuard and SonicWALL continue to sell feature-rich products for remote branch offices, which has earned many thousands of sales in SMBs and as second sources for large companies with many distributed locations. New firewall/VPN/hub/Wi-Fi combination products fit well with retail operations, for example, and can be popular for managed network service providers that want to offer inexpensive universal edge routers.

Not on the Map

Imperva has made considerable headway in providing a contending application firewall product that includes a stateful firewall.

All network IPS products have been removed from the enterprise firewall Magic Quadrant because these products have emerged into a distinct market. New Gartner research on intrusion prevention vendors will position these vendors of IPS products. "The Network IPS Market Will Consolidate in 2005" provides a market assessment. Many IPS products now include stateful firewalls, substantiating the all-in-one security platform market dynamic.

All OEM implementations - Hardware OEM implementations of the software products listed in this Magic Quadrant are not identified separately. Many vendors produce hardware platforms for Check Point firewalls (for example, Nokia and Crossbeam), and there are some new implementations of Microsoft ISA Server.

All Web application firewalls will be removed in the next network firewall Magic Quadrant because they are now clearly a distinct product set and are not enterprise network firewalls.

Acronym Key
ASIC – application-specific integrated circuit
ICSA – International Computer Security Association
IPS – intrusion prevention system
NGFW – next-generation firewall
OEM – original equipment manufacturer
SMB – small and midsize business
SSL – Secure Sockets Layer
VPN – virtual private network

Bottom Line: The network security market continues to transform to counter the evolving threats. Acquisitions of security companies by network infrastructure vendors have only just begun. There is still room for new companies with better technology to make significant inroads in the network firewall space.

Gartner RAS Core Research Note G00125075, G. Young, J. Pescatore, 14 February 2005.

The enterprise firewall vendor landscape is changing as major network vendors introduce intrusion prevention capabilities. Merger activity will increase, as illustrated by Juniper Networks' acquisition of NetScreen Technologies.

This document and its content is for internal use only. External use requests must be reviewed and approved by Gartner Vendor Relations via email at quote.requests@gartner.com

The Magic Quadrant is copyrighted 2004 by Gartner, Inc. and/or its Affiliates and is reused with permission, which permission should not be deemed to be an endorsement of any company or product depicted in the quadrant. The Magic Quadrant is Gartner, Inc.'s opinion and is an analytical representation of a marketplace at and for a specific time period. It measures vendors against Gartner defined criteria for a marketplace. The positioning of vendors within a Magic Quadrant is based on the complex interplay of many factors. Gartner does not advise enterprises to select only those firms in the "Leaders" quadrant. In some situations, firms in the Visionary, Challenger, or Niche Player quadrants may be the right matches for an enterprise's requirements. Well-informed vendor selection decisions should rely on more than a Magic Quadrant. Gartner research is intended to be one of many information sources including other published information and direct analyst interaction. Gartner, Inc. expressly disclaims all warranties, express or implied, of fitness of this research for a particular purpose.