Magic Quadrant for SSL VPN, North America, 3Q05
8 December 2005
John Girard
Source: Gartner
Note Number: G00131856
Secure Sockets Layer virtual private networks are established as an alternative and a complementary technology to IPsec VPN for remote access. Consolidation of vendors and competition on end-user security and usability make SSL VPNs appealing.
Secure Sockets Layer (SSL) virtual private networks (VPNs) have become a standard fixture in many companies. SSL VPNs have superseded IPsec as the easiest choice for casual and ad hoc employee VPN access requests and also for business partners, external maintenance providers and retired associates. They are regularly viewed as a viable replacement, even for incumbent IPsec remote access. Remote LAN access performance via SSL is approaching IPsec's performance, and latency-sensitive applications, such as voice over Internet Protocol (VoIP), are becoming feasible — or to put it bluntly, Gartner clients no longer ask about new IPsec remote-access installations or expanding legacy IPsec remote access. Gartner ranks vendors in the Magic Quadrant based on performance for calendar year 2004 through the end of June 2005, and additional road map and client review during the third quarter of 2005. Our Magic Quadrant considers which vendors likely will dominate sales and influence technology directions through 2006, as well as which vendors are most visible among clients, generate the greatest number of requests for information and contract review, and account for the most new and ongoing installations in Gartner's client base.
By 2008, Secure Sockets Layer virtual private networks will be the primary remote-access method for more than two-thirds of business teleworking employees, more than three-quarters of contractors and more than 90 percent of casual employee access (0.7 probability).
Figure 1. Magic Quadrant for SSL VPN, North America, 3Q05
Source: Gartner (December 2005)
SSL is both a market for new VPN remote access and a replacement market for legacy IPsec remote access. SSL is the most widely deployed virtual privacy system in the industry because it is integral to every browser and independent of platforms and operating systems (OSs). It is the ultimate VPN in terms of portability. It is also the best-known VPN method, because every user knows the browser and HTTP applications used throughout the Internet, on LANs, and within IPsec VPN tunnels. Gartner clients — ranging from small to large global enterprises — generate a steady, daily stream of inquiries for advice. In 2005, SSL VPNs are primarily sold for desktop/laptop/workstation access. Vendors in this market increasingly support PDAs and smartphones, but revenue and sales will be limited until high-value horizontal applications drive demand for on-demand VPN access across smaller platforms.
SSL VPN is a small market, but growth has been significant, particularly in North America, where many large global purchase decisions are made. Gartner estimates that less than 3 million concurrent enterprise SSL VPN remote-access user seats were activated during the last three years, generating less than $400 million in revenue. These numbers represent only a small percentage of the market for business teleworking employees. By 2008, 41 million corporate employees globally will spend at least one day a week teleworking, and 100 million will work from home at least one day a month. By 2008, SSL VPNs will be the primary remote-access method for more than two-thirds of business teleworking employees, more than three-quarters of contractors and more than 90 percent of casual employee access (0.7 probability). SSL VPNs also will eventually replace millions of simpler SSL sessions in business-to-consumer (B2C) portals. Growth potential is sufficient to attract every major network player as well as to sustain a sizable population of smaller incumbents, startups and investors.
SSL VPNs and IPsec VPNs can appeal to different access needs. SSL VPNs have long been able to emulate IPsec, and SSL VPN LAN connection speeds are improving. Some Gartner clients have ceased to provision new IPsec remote-access accounts, and others have replaced IPsec with SSL, citing the benefits of a simpler, roaming and more-stable VPN session. SSL VPN vendors are preparing for high-performance applications, such as VoIP, but their abilities are unproved. IPsec served by a high-quality WAN connection remains a good choice for users with managed workstations who need persistent, high-speed remote-access connections to a corporate LAN, and who need to run applications with high-performance, low latency demands.
Advantages to SSL VPNs include:
Challenges to SSL VPNs include:
Reasons to continue to use IPsec VPNs include:
Challenges to IPsec VPNs include:
For more details on the comparison of IPsec and SSL VPNs, see "Weigh Pros and Cons Before Choosing IPsec or SSL Remote-Access VPNs."
Products in the SSL VPN market provide secure and private connections for individuals to reach company gateways via the Internet using VPN from a workstation, such as a desktop, laptop or a smaller end-user computing device, such as a PDA or smartphone. This Research Note evaluates SSL VPN products sold for purchase and use within enterprises. The primary focus of this document is midsize to large enterprises in North America, for which the United States provides the largest single-border worldwide growth market. Global market presence is regarded as a contributing factor to execution and vision. Services built from the products and offered by third parties are considered additive to the product vendor ranking but do not drive the evaluation. SSL VPN products combine browser security enhancement software with a VPN gateway that may be delivered either as a stand-alone appliance or as software to be installed on a user-supplied server. The market is dominated by appliances; pure software products have proved to be less competitive than drop-in, plug-and-play solutions. Menu-driven, "point and click" browser access to programs and resources characterize the default interface for an SSL VPN; however, several companies offer non-browser clients to more closely imitate an IPsec VPN, and a few companies omit the menu interface altogether. SSL VPNs support strong authentication and logging desired for VPN protection and application access audits, and also support roaming required for mobile users. End-user security features are a visionary competitive differentiator that drives vendors to provide on-demand protection mechanisms — either embedded or bundled — that block malicious code, clean up data, enforce firewall settings, even on completely unmanaged workstations.
Inclusion and Exclusion Criteria
Inclusion Criteria
SSL VPN companies that meet the market definition and description were considered for the document under the following conditions:
Exclusion Criteria
SSL VPN companies that were not included in the document might have been excluded for one or more of the following conditions:
Caymas Systems is a startup whose products began shipping in 2004.
Check Point Software Technologies' long-anticipated products based on the Connectra product line began shipping in 2004.
Juniper Networks acquired NetScreen Technologies, which had acquired the Neoteris SSL VPN product.
Netilla Networks merged with AEP Systems to form AEP Networks.
NetScaler was acquired by Citrix Systems.
NetScreen Technologies was acquired by Juniper, whereby the SSL product lines continue.
NetSilica was omitted because there has been insufficient inquiry demand to promote tracking.
Symantec has been removed from the document for two reasons. First, Symantec's SSL VPN sells primarily to small enterprises below the threshold for Gartner inquiries. Second, Symantec has advised Gartner that it will no longer pursue leadership in this market following its acquisitions of Sygate and WholeSecurity. Symantec has advised Gartner that it intends to remove competitive sales conflicts with other SSL VPN vendors to build on Sygate's original equipment manufacturer business for network access controls and endpoint security.
Execution considers factors related to getting products sold, installed, supported and in users' hands. Companies that execute strongly generate pervasive awareness and loyalty among Gartner clients and generate a steady stream of inquiries to Gartner analysts. Execution is not primarily about company size; the ongoing race between leaders Juniper and Aventail is evidence; nor is it primarily about sales, although in a growth market, sales are an important indicator.
Product/Service compares the completeness and appropriateness of core SSL VPN products sold for use in the enterprise remote-access market. The SSL VPN market defined in this document is product-focused, but related service areas may contribute, including consulting services and managed service resellers, and so on. This factor is critical to demonstrating that the vendor can generate market awareness.
Overall Viability considers company history and demonstrated commitment in the SSL VPN market, and the difference between a company's stated goals for the evaluation period vs. the company's actual performance compared with the rest of the market. Growth of the customer base and revenue derived from sales are also considered. All vendors were asked to disclose comparable market data, such as SSL revenue, number of unique companies under contract, and information about seats sold year by year (defined as concurrent active license seats deployed on sold products). "Boxes shipped" is not a measure of execution. Instead, we consider concurrent seats sold, licensed and usable to the buyer. Vendors are asked to convert to the concurrent seat formula as necessary, and the actual numbers reported are treated as guidance rather than as hard facts. Seat shares are mentioned in the company discussions that follow, but the fact that share alone doesn't define leadership will be apparent.
Sales Execution/Pricing compares the strength of sales and distribution operations in the vendors as well as discounted list pricing for systems supporting as few as 50 concurrent users to more than 10,000 concurrent users. Pricing was compared in terms of first-year cost-per-concurrent active license seats, including cost of all hardware and support. Low pricing will not guarantee high execution or client interest, and the market did not move to commodity status in 2005. Buyers want good results more than they want bargains, and they respond more strongly to sales techniques led by case studies and return on investment (ROI) projections. In any case, the benefits of a well-implemented SSL VPN can outweigh initial costs.
Market Responsiveness and Track Record, and Marketing Execution rate competitive visibility as the key factor, including which vendors are most commonly considered top competitive threats generally during the request for proposal (RFP) process and also, which are considered top threats by each other. In addition to buyer and analyst feedback, this ranking considers which vendors consider each other to be direct competitive threats. Strong ratings mean that a company has demonstrated to Gartner analysts that it can get in RFPs early and ultimately win a large percentage in competition with other vendors.
Customer Experience is subjectively rated from client feedback to analysts, opinions of Gartner analysts in security, network and platform research groups, and from vendor-supplied references, where needed. Intense interest in SSL VPNs from Gartner clients provided a year's worth of ample feedback to frame the market.
Operations considers the ability of a vendor to pursue its goals in a manner that enhances and grows its influence in all execution categories.
Source: Gartner (December 2005)
Market Understanding and Marketing Strategy are assessed through direct observation of the degree to which a vendor's products, road maps and mission anticipate leading-edge thinking about buyers' wants and needs. Gartner makes this assessment subjectively by several means, including interaction with vendors in briefings, and by reading planning documents, marketing and sales literature, and press releases. Incumbent vendor market performance is reviewed year by year against specific recommendations that have been made to each vendor and against future trends identified in Gartner research. Vendors cannot merely state an aggressive future goal; they must put a plan in place, show that they are following their plan, and modify their plan as market directions change.
Sales Strategy examines the vendor’s strategy for selling products, including sales messages, techniques, marketing, distribution and channels. This ranking factor is the bridge between marketing execution and product strategy.
Offering (Product) Strategy is ranked through an examination of the breadth of functions, platform and OS support for the SSL client, the VPN gateway system OS and features, and the investments made by the vendor to optimize and support applications accessed through the gateway. R&D investments are credited in this category.
Business Model takes into account a vendor’s underlying business objectives for its products and its ongoing ability to pursue R&D goals in a manner that enhances all vision categories.
Vertical/Industry Strategy considers a vendor’s ability to communicate a vision that appeals to specific industries and verticals. Good performance in selected markets improves a vendor’s ability to communicate its reputation and vision generally.
Innovation takes into consideration the degree to which vendors invest in core requirements for successful use of their products. Criteria include both a vendor's internal investments in value-added security tools and technology road maps, and external efforts to expand interoperability, alliances and partnerships with companies in related security markets. Vendors with strong vision create communities with other companies, and this, in turn, helps other companies, as well as buyers, view the SSL VPN vendor as a necessary component of larger business solutions.
Geographic Strategy takes into account a vendor’s strategy to direct resources, skills, products and services outside North American markets. However, all vendors are ranked in this Magic Quadrant primarily for their performance in North America.
Source: Gartner (December 2005)
Leaders demonstrate balanced progress and effort on all execution and vision categories. Their actions raise the competitive bar for all products in the market, and they can change the course of the industry. To remain in the Leaders quadrant, these vendors must excel in mobile access and protection and dominate in sales. A leading vendor is not a default choice for every buyer, and clients are warned not to assume that they should buy only from the Leaders quadrant. Juniper and Aventail held on to leading positions for 2005. Nortel was re-evaluated as a challenger. Some clients may actually feel that leaders are spreading efforts too thinly and not pursuing their special needs.
Challengers have solid products that address the typical needs of the market with strong sales, visibility and clout that add up to higher execution than niche players. Challengers are good at winning contracts, but they do so by competing on basic functions rather than on advanced features. Challengers are efficient and expedient choices to narrowly defined access problems. Many clients consider challengers to be the conservative safe alternative to niche players.
Visionaries invest in the leading/"bleeding"-edge features that will be significant in the next generation of products and will give buyers early access to improved security and management. Visionaries can affect the course of technological developments in the market, but they lack the execution influence to outmaneuver challengers and leaders. Clients pick visionaries for best-of-breed features, and in the case of small vendors, they may enjoy more personal attention.
Niche players offer viable, dependable solutions that meet the typical needs of buyers. Niche players are less likely to appear on shortlists but fare well when given a chance. While they generally lack the clout to change the course of the market, they should not be regarded as merely following the leaders. Niche players may address subsets of the overall market, and often they can do so more efficiently than the leaders. Clients tend to pick visionaries when stability and focus on a few important functions and features are more important than a wide and long road map.
AEP Networks holds a 7 percent share of cumulative three-year concurrent seats deployed in the 2005 report, spread in a relatively small ratio across a large customer base of 2,000 clients. AEP is stronger in Europe, where it was founded. Acquisitions of V-One and Netilla will be used to grow visibility in North America. The company is in the midst of integrating its business activities, and its challenges include pricing models and building U.S. market visibility, especially among Gartner clients. The V-One acquisition provided an identity-based technology that AEP will need to develop as part of a coherent product strategy. The merged company's deployed concurrent user seats, combined with stronger overall market competition, merit AEP a niche ranking.
Array Networks has a cumulative three-year concurrent seat share of 9 percent, built on a small client base (173 companies under contract). General visibility and "mind share" are low: Array is rarely recognized by Gartner enterprise clients, and buyers report low visibility as a procurement challenge. Array, as with F5, has markets in SSL acceleration and load balancing that can attract sales: Typical buyers cite gateway performance as a top concern. High performance is opening new opportunities with ISPs that will lead to managed services revenue. Higher-execution ratings require that Array be seen frequently winning contracts in direct competition with market leaders. Higher-vision rankings require that Array develop more and deeper relationships in related and integrative security markets.
Aventail expanded client security features and IPsec emulation efficiency throughout 2004 and put new effort into delivering solutions for small mobile platforms, even though the small-device market does not yet bear profit. Aventail is the third most-often-cited company by peer vendors as a competitive threat and is a well-known brand name, in that it appears in most of Gartner clients' shortlists. Concurrent seat licenses deployed to a client base of 900 companies earn a third place (10 percent) in direct sales in the survey for a three-year period; PortWise (another visionary) holds second place, but Aventail has the more balanced global brand presence as well as indirect managed service sales. Aventail won further vision and execution worth by selling its legacy managed services business to Netifice. The sale to Netifice created new growth demand for Aventail products and removed the last vestiges of channel conflict with service resellers. Aventail is the leading global supplier of SSL VPN equipment to ISPs and carriers, with deals in place for AT&T, Sprint, MCI, BT Infonet, Netifice and others.
Caymas Systems is a startup with custom chip designs to develop high-performance acceleration, with a low entry cost and all features available at all price points. Caymas supports a variety of deep inspection access control and intrusion prevention features. In its first year, Caymas earned a concurrent seat share of 5 percent that put it in the running with incumbent niche and visionary vendors. Caymas has a good mix of high-performance hardware and client-side features. Aggressive and clear marketing can raise its execution ranking in 2006.
Check Point Software Technologies
Check Point Software Technologies' SSL VPN appeared in 2004 as a stand-alone appliance and as an enhancement to existing product lines. Check Point would not disclose revenue and market share data; however, its ranking can be inferred from consistent Gartner client and analyst feedback indicating that buyers do not perceive it as a priority candidate, despite considerable global presence. Its appearance in the market did not have an effect similar to Cisco Systems (Cisco caused many companies to halt their procurement plans to view the new products), even though Check Point possesses a broad set of on-demand security tools built from its Zone Labs acquisition. Ranking could improve in 2006 if we see aggressive pursuit of marketing and sales led by case studies and ROI, overwhelming evidence of competitive wins, and improved Gartner client awareness and feedback.
Cisco Systems was re-evaluated as a visionary for 2005. Cisco had strong challenger values in 2004 because it caused many companies to halt their procurement plans to view the new Cisco products. However, the strong entry did not disrupt the market for the long term. Consistent Gartner client feedback indicates that buyers are still more likely to select other vendors, and Cisco did not provide a source of market share data to indicate otherwise. Cisco vision improved most notably because of expanded endpoint security features offered at no charge in its product, combined with some of the most aggressive pricing in the market. Its visionary ranking demonstrates that buyers respond more to track record and case studies than to vendor size. Indeed, execution was downgraded largely because the products do not seem to be selling, even when the published prices are the lowest in the survey and the client features are so attractive. To be considered a leader, Cisco must be seen on more shortlists, must unseat incumbent vendors and must become the competitive threat that defines Juniper's success, especially given Cisco's low price and global reputation.
Citrix Systems has transformed internally more than any other company since the last survey because of a series of powerful acquisitions. Expertcity brought Citrix personal remote control and Web conferencing tools; Net6 brought a powerful, low-cost SSL entry platform with a leading VoIP softphone, and NetScaler delivered a mid-to-high-end hardware platform featuring high availability and acceleration. Citrix also kept pace with client-side security and has background projects under way for small mobile platforms. If Citrix successfully integrates all of these acquisitions into a compatible range of platforms using core technology from Citrix Access Gateway, it will push other vendors to the left. Its visionary position recognizes three points:
To gain a leader ranking, Citrix must be seen as a competitive threat in direct challenge to other vendors in the market, not just an add-on for Citrix Presentation Server buyers.
F5 gained substantial end-user client mind share since the last survey. F5 is also more visible to its market peers, which cite it as the No. 2 competitive threat. Firepass seat sales for enterprise remote access are still relatively low in the market landscape (1,500 Firepass customers under contract with 5 percent of cumulative seats in the market), but growth rates for 2005 are promising and indicate a healthy growth potential. F5's presence in related businesses (including SSL acceleration) has not yet increased its competitive win rate to the degree necessary to demonstrate leader-level execution for this market. There should be opportunity to sell upward in these accounts. F5 makes additional sales for SSL served through its BIG-IP gateway for the B2C market, which was not counted for market share in this document.
Juniper Networks holds a leading position by maintaining, year after year, a balance of highly effective sales, marketing and support, features and road maps. Juniper is on more than three quarters of preliminary and final shortlists presented by Gartner clients and is considered the No. 1 competitive threat by its market peers. Juniper’s share of three-year cumulative seats deployed is 32 percent, while no other company exceeded 13 percent. Juniper continues to invest well in messaging, timely features and future wants and needs, not only for end-user buyers, but also in preparation for a serious foray into carrier services. Gartner credits continuing leadership in SSL VPN to the fact that Juniper, as with NetScreen before it, has fostered the Neoteris team and has gone further to embrace the fundamentals of the SSL VPN to transform other Juniper product lines than any other incumbent networking vendor.
Nokia declared an aggressive goal in 2004 to become a leader in SSL VPN but has not made progress toward that goal. Nokia is rarely on client shortlists and is only occasionally recognized by clients as a market player. Some confusion persists regarding its legacy relationship with Check Point. Its SSL product has to compete with a Nokia mobile IPsec product of similar capabilities. Nokia’s sales in the SSL VPN market were the second lowest reported by any vendor in the survey (concurrent user seats deployed are 2 percent of the market for the reporting vendors). Nokia’s client security features and marketing efforts need to be expanded, and the company must remove the requirement for client administrator rights for several endpoint security checks.
Nortel's 2005 challenger rating reflects an adequate but unassertive investment in product strategy endpoint features, value-added application support and interoperability and partnerships with companies in related application and security markets. Nortel retains a high execution ranking with third-place share (10 percent) of seat deployments and some very large contracts signed (such as Sabre worldwide) and a large embedded base to which it sells upgrades. Nortel's gateways are well-designed and good performers, and the list prices, comparable to Cisco's, are among the lowest per concurrent user seat in the market. To increase vision for 2006, Nortel needs to project a more compelling enterprise sales story. It could acquire/build a broader set of endpoint security solutions — as did Cisco, Check Point, F5 or PortWise — or better capitalize on partners — as do Juniper, Aventail, F5 and Whale Communications. It also could pursue endorsements from business application independent software vendors (ISVs).
Permeo Technologies has the lowest market share of concurrent user seats sold among vendors surveyed (1 percent) and the second-lowest reported revenue in SSL, comparable to newcomer Caymas. Its product has an attractive mix of client security and Windows Explorer features to serve buyers who want a straight replacement of IPsec, without the portal features assumed in other SSL VPNs. Relative sales in the market must increase to maintain an execution ranking sufficient to be included in next year’s document. Permeo's lack of a menu-driven portal makes it a good niche choice for IPsec replacement but limits its vision in the broader market.
PortWise retains a visionary ranking as a company with richly featured mobile-oriented products that are still barely known in North America. Execution is ranked below midpoint because efforts to grow visibility in North American markets resulted in only about $300,000 of U.S. revenue. North American clients are interested in the products but want more validation of market presence and track record. PortWise ranked strongly on the Visionaries axis because it is the only vendor in the survey that owns its strong authentication technology, and it has the most complete platform for small mobile devices. However, its SSL VPN concurrent seat share should have been greater than 13 percent of reporting companies, given it has sold millions of seats for authentication products. Aggressive marketing, sales and support, and more case studies to prove success in North American markets with high-value mobile applications might raise its execution in 2006.
Whale Communications holds a visionary rating because it has gone further than other vendors in developing special optimizations for high-value applications, including SharePoint, Domino and Outlook Web Access. Also, it has more leveraged partner relationships in related security and premium ISV markets than any other company surveyed. The community of partner relationships facilitates sales to buyers who place a priority on application firewalls. Whale has restructured its list pricing so that a concurrent user session costs less than a third compared with its 2004 report, or less than half the current pricing of Juniper and Aventail. However, lower competitive visibility and overall seat share of 5 percent fall short of leadership.
Evaluation Criteria Definitions
Product/Service: Core goods and services offered by the vendor that compete in/serve the defined market. This includes current product/service capabilities, quality, feature sets, skills, etc., whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.
Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood of the individual business unit to continue investing in the product, to continue offering the product and to advance the state of the art within the organization's portfolio of products.
Sales Execution/Pricing: The vendor’s capabilities in all pre-sales activities and the structure that supports them. This includes deal management, pricing and negotiation, pre-sales support and the overall effectiveness of the sales channel.
Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message in order to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional, thought leadership, word-of-mouth and sales activities.
Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements, etc.
Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.
Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen and understand buyers' wants and needs, and can shape or enhance those with their added vision.
Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the Web site, advertising, customer programs and positioning statements.
Sales Strategy: The strategy for selling product that uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.
Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature set as they map to current and future requirements.
Business Model: The soundness and logic of the vendor's underlying business proposition.
Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including verticals.
Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.
Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.