Magic Quadrant for Network Intrusion Prevention System Appliances, 2H05
30 November 2005
Greg Young, John Pescatore
Source: Gartner
Note Number: G00133189
The network intrusion prevention system appliance market is in a period of maturity and consolidation. A smaller group of vendors is getting an increasing percentage of the market, but the evolving threat means that those that fail to maintain innovation ahead of market demands will be left behind.
A network intrusion prevention system (IPS) can detect and block attacks, such as worms, and act as a pre-patch shield for systems and applications. The Sasser and Zotob worms have driven network IPS to be ready for enterprise use. The market for network IPS appliances is entering a phase of maturity and consolidation. The significant benefits of an in-line attack-blocking technology can only be realized with a product that fits your security processes and is sized appropriately. The Magic Quadrant for Network Intrusion Prevention System Appliances is illustrated in Figure 1.
Strategic Planning Assumption(s)
Sales of stand-alone IPS appliances will be less than 10 percent of overall next-generation firewall revenue by the end of 2008 (0.7 probability). Through 2007, in-house testing will have been done for 90 percent of new acquisitions of network IPS in appliances and next-generation firewalls (0.8 probability).
Figure 1. Magic Quadrant for Network Intrusion Prevention Systems Appliances, 1H05
[Figure not reproduced in this extraction]
Source: Gartner (November 2005)
The network IPS market has its roots in the improvement and often replacement of intrusion detection systems (IDSs). IPS contains all the detection features of IDS, with two critical areas of improvement: (1) Intrusion prevention moves beyond simple attack signature detection to add vulnerability-based signatures as well as anomaly detection capabilities; and (2) network IPS sensors have high processing rates to support in-line automated blocking or handling of attacks. Essentially, network IPS adds "block attacks and let everything else through" security enforcement to the "deny everything except what is explicitly allowed" policy enforcement provided by the first generation of firewalls. By the end of 2006, most next-generation firewalls will likely use common processing engines to support both functions in one product.
The network IPS market for stand-alone appliances was approximately $246 million in 2004 (including product and maintenance but not services) and will increase to more than $400 million by the end of 2005. McAfee had the largest IPS market share of revenue, followed closely by TippingPoint and Internet Security Systems (ISS). This is a crowded market with several dozen vendors providing network IPS products, many with very small installed bases. Consolidation will likely continue because there already is increasing consistency of shortlists of vendors, particularly in larger enterprises. For more on this subject, see "The Network IPS Market Will Consolidate in 2005."
Vendor lineage shows in the products: IPS from security companies tends to be strong on security function and less impressive on network performance, which is the opposite of companies for which security is not the primary business (for example, network infrastructure vendors and startups). These differences will be reduced in the midterm and, in the long term, will become almost irrelevant as the next-generation firewall market increases (see "Network Security Platforms Evolving Into Single-Appliance Solutions").
On average, solutions are priced at $50,000 per Gbps of deep inspection (this is an average, and many products provide less than 1-Gbps capability). Most vendors provide more than five models, with some entry-level products offered for less than $15,000. Maintenance fees vary considerably. Signature update fees also vary but are included with maintenance for most products. Most products include a local-management console, with dedicated management appliances resulting in an additional cost. The total cost of ownership and system management capabilities of network IPS products should be key evaluation criteria when comparing competing products.
Reliability and availability are also key criteria for any in-line device. Bypass unit modules allowing fail-open for copper ports are an additional charge for Reflex, Radware (except the DefensePro 3020), and Check Point Software Technologies (for the 410 and 610 products only). Other vendors include this in the base price of their units, in recognition that in-line with bypass is the standard deployment mode for most buyers.
The network IPS market includes in-line devices that perform full-stream assembly of network traffic and provide detection using several methods, including signatures, protocol anomaly detection, and behavioral or other techniques.
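To make the IDS-to-IPS contrast above and the detection methods just listed concrete, here is an added example (constructed for this page, not any vendor's code) of a toy in-line inspection engine. It reassembles a stream from out-of-order segments, then applies the three approaches side by side: an exploit signature for one specific known exploit, a vulnerability-based rule that flags any input able to overrun the vulnerable buffer, and a protocol-anomaly check. The protocol, the 64-byte buffer flaw, the signature string and all traffic are hypothetical; the `fail_open` flag is a software analogue of the hardware bypass choice discussed above.

```python
"""Toy in-line IPS engine (added example; constructed data and a
hypothetical protocol, not any vendor's implementation)."""
import re
from typing import List, Optional, Tuple

# Hypothetical line-oriented protocol: "<VERB> <argument>\r\n".
KNOWN_VERBS = {b"USER", b"PASS", b"GET", b"QUIT"}
# Hypothetical flaw: the server copies USER's argument into a 64-byte buffer.
USER_BUFFER_LEN = 64
# Exploit signature: byte pattern taken from one specific (constructed) exploit.
EXPLOIT_SIGNATURES = [re.compile(rb"USER EXPLOIT-POC-0001")]


def reassemble(segments: List[Tuple[int, bytes]]) -> Optional[bytes]:
    """Order (seq, payload) segments and join them. Overlapping bytes are
    taken first-wins; a gap returns None, since a partial stream could hide
    data the endpoint will still receive."""
    if not segments:
        return b""
    ordered = sorted(segments, key=lambda s: s[0])
    expected = ordered[0][0]
    out = bytearray()
    for seq, payload in ordered:
        if seq > expected:
            return None  # missing segment
        fresh = payload[expected - seq:]  # drop bytes already seen
        out += fresh
        expected += len(fresh)
    return bytes(out)


def exploit_signature_hit(stream: bytes) -> Optional[str]:
    """Exploit-based detection: matches only the exploit it was written for."""
    for sig in EXPLOIT_SIGNATURES:
        if sig.search(stream):
            return f"exploit signature {sig.pattern!r}"
    return None


def vulnerability_rule_hit(stream: bytes) -> Optional[str]:
    """Vulnerability-based detection: any USER argument that would overrun
    the buffer is flagged, whatever the filler bytes are."""
    for line in stream.split(b"\r\n"):
        if line.startswith(b"USER "):
            arg = line[5:]
            if len(arg) > USER_BUFFER_LEN:
                return f"USER argument {len(arg)} bytes exceeds {USER_BUFFER_LEN}-byte buffer"
    return None


def protocol_anomaly_hit(stream: bytes) -> Optional[str]:
    """Protocol anomaly detection: deviations from the hypothetical spec."""
    if stream and not stream.endswith(b"\r\n"):
        return "command not terminated by CRLF"
    for line in stream.split(b"\r\n"):
        if not line:
            continue
        verb = line.split(b" ", 1)[0]
        if verb not in KNOWN_VERBS:
            return f"unknown verb {verb!r}"
        if any(b < 0x20 or b > 0x7E for b in line):
            return "non-printable bytes in command"
    return None


def inspect(segments: List[Tuple[int, bytes]], fail_open: bool = True) -> Tuple[str, str]:
    """In-line verdict for one connection's client-to-server segments.
    fail_open decides what happens when the engine cannot inspect at all."""
    stream = reassemble(segments)
    if stream is None:
        if fail_open:
            return ("allow", "unreassemblable stream, fail-open")
        return ("block", "unreassemblable stream, fail-closed")
    for check in (exploit_signature_hit, vulnerability_rule_hit, protocol_anomaly_hit):
        reason = check(stream)
        if reason:
            return ("block", reason)
    return ("allow", "no detection")


# Constructed sample traffic.
BENIGN = [(1000, b"USER alice\r\n"), (1012, b"PASS s3cret\r\n")]
KNOWN_EXPLOIT = [(1, b"USER EXPLOIT-POC-0001" + b"A" * 60 + b"\r\n")]
# Different filler: evades the exploit signature, caught by the vulnerability rule.
VARIANT = [(1, b"USER " + b"B" * 100 + b"\r\n")]
# Same overrun split across out-of-order segments: reassembly still catches it.
VARIANT_SPLIT = [(62, b"B" * 40 + b"\r\n"), (1, b"USER " + b"B" * 56)]
ANOMALY = [(1, b"FROB something\r\n")]
GAPPED = [(1, b"USER al"), (200, b"ice\r\n")]  # a segment is missing

if __name__ == "__main__":
    for name, segs in [("benign", BENIGN), ("known exploit", KNOWN_EXPLOIT),
                       ("variant", VARIANT), ("variant split", VARIANT_SPLIT),
                       ("anomaly", ANOMALY), ("gapped", GAPPED)]:
        print(f"{name:14s} -> {inspect(segs)}")
```

The `VARIANT` case is the report's argument in miniature: the exploit signature knows one payload, while the vulnerability rule describes the condition the server cannot survive, so it holds against rewritten exploits. Reassembly matters for the same reason; inspecting segments one at a time would see a 56-byte argument and let `VARIANT_SPLIT` through.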
Network IPS is also provided within a next-generation firewall, which is the integration of an enterprise-class network firewall and network IPS. The next-generation firewall market will subsume the stand-alone network IPS appliance market (which is the subject of this Magic Quadrant) at the enterprise edge. However, this will not occur immediately because of the following factors:
The network IPS market is already in the first stage of consolidation, with Gartner seeing a more consistent list of vendors on our customers’ shortlists. With fewer companies receiving a larger share of the revenue, there are opportunities for the acquisition of companies providing quality products, but there are risks for buyers of products if the buyers are not increasing their installed base.
Inclusion and Exclusion Criteria
Only products that met the following criteria were included:
Products and vendors were excluded if:
The Ability to Execute criteria include:
The Completeness of Vision criteria include:
Leaders demonstrate balanced progress and effort on all execution and vision categories. Their actions raise the competitive bar for all products in the market, and they can change the course of the industry. To remain in the Leaders quadrant, these vendors must have demonstrated a track record of delivering successfully in enterprise IPS deployments and winning in competitive assessments. Leaders produce products that provide high signature quality, offer low latency, and have a range of models. Leaders consistently win selections and have been consistently visible on enterprise shortlists.
A leading vendor is not a default choice for every buyer, and clients are warned not to assume that they should buy only from the Leaders quadrant.
Challengers have products that address the typical needs of the market with strong sales, visibility and clout that add up to higher execution than niche players. Challengers often succeed in established customer bases but do not yet fare well in competitive selections.
Visionaries invest in the leading/bleeding-edge features that will be significant in the next generation of products and give buyers early access to improved security and management. Visionaries can affect the course of technological developments in the market, but they lack the execution skills to outmaneuver challengers and leaders. There are currently no IPS vendors that meet these criteria.
Niche players offer viable solutions that meet the needs of some buyers. Niche players are less likely to appear on shortlists, but they fare well when given the right opportunity. While they generally lack the clout to change the course of the market, they should not be regarded as merely following the leaders. Niche players may address subsets of the overall market (for example, the small and midsize business [SMB] segment or a vertical market), and often they can do so more efficiently than the leaders. Niche players are often smaller firms, produce only software appliances, and/or do not yet have the resources to meet all of the enterprise requirements.
Acquired by 3Com earlier this year, TippingPoint did not suffer any significant drop in performance from this change. As a pure-play IPS vendor and not having to convert an IDS product, TippingPoint had the advantage of designing its products to perform well in a network environment. With a 5-Gbps product, TippingPoint devices have been shown to be well-behaved in-line devices and often win product selections in which low latency is heavily weighted.
If 3Com executes correctly, TippingPoint will be able to move IPS onto a switch and also use 3Com channels for the SMB market when it introduces sub-11-Mbps products. 3Com showed its commitment to advancing IPS as a key product area by appointing TippingPoint's CTO as the 3Com CTO. TippingPoint does not offer a network firewall on its IPS and will need to do so in order to enter the next-generation firewall market.
Check Point Software Technologies
Check Point Software Technologies has not had a stand-alone IPS appliance for the enterprise edge. Check Point does provide a next-generation firewall in its SmartDefense offering, but it has not had a purpose-built in-line sensor offering. Check Point InterSpect is its "internal IPS" offering, but this has had limited visibility in the network IPS appliance space, which is driven by edge requirements. To remedy this, Check Point announced its intention to acquire Sourcefire (the acquisition will be completed in the first quarter of 2006). This has the potential to provide a stronger deep-inspection engine across the Check Point platforms, particularly if Check Point integrates Sourcefire RNA across its products. Check Point is financially strong, and its wide international support is important for deployments across the world.
Cisco Systems entered the IPS space this year with an offering across an impressive number of platforms. In addition to the IPS appliance, Cisco IPS software can also be run on IOS platforms, on ISR routers, on IDS/IPS blades in Cisco switches, within the ASA appliance, on access routers and on PIX firewalls.
Cisco's IPS appliance is its former IDS platform with the software upgraded and reconfigured for in-line placement. Enterprises that are nearly "all Cisco" in infrastructure are good candidates for Cisco IPS, especially enterprises in which Cisco IDS is already in place. With the IPS products less than 1 year old, Cisco does not often win competitive product selections against other IPS vendors.
DeepNines has pursued the "far edge" placement point with IPS offering a Layer 2 transparent (no IP address) in-front-of-the-router device. DeepNines expanded this line to include traditional IPS, which can be applied to a wider number of placement points. These software appliances are close in functionality to an all-in-one appliance and may be attractive to the SMB market because they include a firewall, gateway antivirus and some anti-spyware capability.
A security company with a strong history in IDS, Internet Security Systems has two significant assets outside its IPS appliance: its X-Force vulnerability research team and its MSSP business. Investing in vulnerability research has allowed ISS to be the leader in new signatures, and this capability has driven its product design around vulnerabilities rather than exploits, which is fundamental to good-performing IPS and sound signatures. ISS design investments in IPS have made it easier for it to add new protocols (for example, voice over Internet Protocol [VOIP]), for inspection within its Protocol Analysis Module (PAM). ISS has been successful in migrating its IDS customers to the Proventia G, but it is held back from greater success by not yet offering a high-performance purpose-built appliance. IPS management is integrated with other ISS products via the SiteProtector manager.
NetScreen was an early innovator in deep-packet inspection after its acquisition of OneSecure. With the Juniper acquisition now behind it, innovation and new product features are again showing up in its IPS products, with full-featured appliances up to 1 Gbps inspecting a large number of protocols. As with its firewall competitor Check Point, Juniper is well-positioned in the next-generation firewall market (the hardware-based ISG firewalls provide up to 2 Gbps of deep inspection), yet Juniper has not maintained high visibility in the IPS appliance space with its IDP IPS products. Juniper's software-based IDP IPS appliance is popular with enterprises that already own Juniper infrastructure equipment. The Juniper IDP product has a range of models and a strong management console.
McAfee, known more for antivirus software rather than network security, has had considerable success in the IPS field through acquisition and enhancement of the IntruShield product. McAfee is often seen on enterprise IPS short lists with its purpose-built IntruShield IPS and performs well in throughput testing. IntruShield includes Secure Sockets Layer (SSL) acceleration/inspection technology and has a 2-Gbps appliance. McAfee has been including customization for MSSPs in recognition of the growing market for customer premises and “in the cloud” managed services. For more information on this subject, see "'In the Cloud' Security Services Will Change Providers' Landscape."
To maintain this lead, McAfee must incorporate a strong network firewall with its IPS (for example, a next-generation firewall), and integrate IntruShield with its other products through a unifying management console capability.
NFR Security has leveraged its IDS lineage to move into the IPS space with its Sentivist product line. Although Sentivist IPS is a software appliance, NFR is seeing success in enterprise and government deployments. Because a separate management appliance is mandatory, NFR is better suited to multiappliance deployments. Sentivist offers a good interface, good reporting and a minimum of configuration, and is suited for sub-200-Mbps placement points. NFR recently released an Enterprise Series Sensor line for higher-throughput placement points.
NitroSecurity takes a nontraditional approach to IPS with an emphasis on the custom database within its software appliance IPS and detection weighted toward correlation and quarantine rather than signatures. NitroSecurity offers a Layer 2 transparent mode IPS that is seeing success in healthcare and education verticals. NitroSecurity proposes some innovative features on its IPS road map but requires increased signature emphasis, better support and financial strength to move up to competing effectively in enterprise shortlists.
Radware offers purpose-built multigigabit IPS appliances up to 3 Gbps. Capitalizing on its network expertise, Radware DefensePro IPS includes solid in-line behavior, such as low latency and denial of service (DOS) features, including traffic shaping. Radware has increased its investment in vulnerability and IPS signature research but lags the leaders in proactive protection.
Reflex Security is a startup IPS firm offering a low-cost software appliance requiring a minimum of configuration designed for SMBs and Type C enterprises and the MSSPs servicing them. The Reflex product overlaps the all-in-one security appliance space as it includes firewall, gateway antivirus and anti-spyware; however, it is most often deployed for its IPS capabilities.
Sourcefire has leveraged its IDS lineage successfully into IPS. Sourcefire developed a purpose-built appliance this year, allowing it to compete more effectively at the enterprise.
Sourcefire IPS can now receive feeds from the Sourcefire RNA vulnerability assessment product to allow the IPS to make prioritized blocking decisions and have endpoint (clients and servers) visibility (see "Use Endpoint Intelligence to Improve Security Defenses"). Although Sourcefire manages the open-source Snort IDS product, its IPS is full-featured and is not to be confused with in-line original equipment manufacturer (OEM) Snort implementations. Sourcefire IPS is also available via OEM through Nortel Networks and on the Crossbeam platform. Check Point announced it would be completing its proposed acquisition of Sourcefire in the first quarter of 2006.
Strata Guard (renamed from BorderGuard) is a software appliance solution suited to sub-Gbps placement points. The IPS is integrated with the StillSecure VAM vulnerability management product, reflecting the reality that IPS is part of a process of vulnerability remediation (see "Intrusion Prevention Process Consists of Seven Steps"). Having the vulnerability management feed widens the network view for more-intelligent IPS alerting and blocking decisions.
Symantec's SNS 7000 series appliance has low visibility in the enterprise market, but this is consistent with Symantec's focus on the SMB multifunction network security appliance space and with the fact that the product is very new to the market. The SNS is friendly for administrators, uses the familiar LiveUpdate for signature updates, has clear incident viewing, and includes innovative elements, such as FlowChaser, which allows the source of DOS attacks to be identified. SNS has not done well in competitive IPS "bake-offs," primarily from a network performance perspective, but it is popular with enterprises that have a large Symantec investment.
Top Layer Networks’ lineage is load balancing and edge-of-network DOS. This has translated well to IPS, with Top Layer offering purpose-built hardware in the multi-Gbps placement points with its 5500 appliance. Top Layer provides a balanced blend of safeguards and detection methods, including network firewall, DOS protection and traffic shaping. Top Layer lags other players in the proactive protection of narrow blocking signatures, but it does have multidevice management capabilities, low latency and good post-sales support.
V-Secure takes an approach that is weighted heavily toward behavioral detection in its software appliance. Signature detection was introduced in version 8.0 in recognition that signatures are a required detection technology. V-Secure signature release times are longer than the industry average.
Evaluation Criteria Definitions
Product/Service: Core goods and services offered by the vendor that compete in/serve the defined market. This includes current product/service capabilities, quality, feature sets, skills, etc., whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.
Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood of the individual business unit to continue investing in the product, to continue offering the product and to advance the state of the art within the organization's portfolio of products.
Sales Execution/Pricing: The vendor’s capabilities in all pre-sales activities and the structure that supports them. This includes deal management, pricing and negotiation, pre-sales support and the overall effectiveness of the sales channel.
Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message in order to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional, thought leadership, word-of-mouth and sales activities.
Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements, etc.
Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.
Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen and understand buyers' wants and needs, and can shape or enhance those with their added vision.
Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the Web site, advertising, customer programs and positioning statements.
Sales Strategy: The strategy for selling product that uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.
Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature set as they map to current and future requirements.
Business Model: The soundness and logic of the vendor's underlying business proposition.
Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including verticals.
Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.
Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.