Magic Quadrant for SSL VPNs, 1H04

Key Issue
Who are the leading providers of security infrastructure products and services, and what are their strategies, key offerings and business practices?

Enterprises increasingly are deploying Secure Sockets Layer virtual private networks as alternatives to IPsec. The vendors ranked in the Magic Quadrant have strengthened, and competition is getting tougher.

Enterprises are shifting their attention from Internet Protocol Security (IPsec) to Secure Sockets Layer (SSL) virtual private networks (VPNs) for newly provisioned, upgraded, individual remote-access connections. The flexibility of SSL is so compelling that it overrides startup cost considerations. Vendors in the SSL VPN market experienced growth in 2003. Several acquisitions have strengthened the ability of incumbent leading network vendors to compete in the market, and validate the case for SSL.

SSL VPNs solve an "80-20" problem for enterprise remote access: 80 percent of users who want remote access will use less than 20 percent of IT resources and applications through a remote-access connection. However, if these users are given a full VPN, they will generate more than 20 percent of help desk remote-access calls. Most users primarily are interested in checking their e-mail and using several key applications that are tied to online services, such as employee benefits information, project/order status and corporate news. The menu and application orientation of an SSL portal is intuitive for users with simple needs, and it restricts and tracks the resources accessed by remote users. If users require direct access to enterprise file systems, SSL VPNs can emulate IPsec via an on-demand redirector.

SSL VPNs will not completely replace demand for IPsec VPNs. IPsec was designed, and is the best choice, for site-to-site VPNs, alone or in conjunction with Layer 2 Tunneling Protocol. Also, users may prefer IPsec clients when they must open long-term, strongly encrypted remote-node connections for fat-client applications.

Vendor Landscape and Ranking Process

Sixteen vendors are ranked on the Magic Quadrant for SSL VPNs, 1H04 (see Figure 1). At the end of 2003, Gartner sent surveys to 19 vendors, based on survey history, analyst choices, client feedback and general industry visibility. The survey requested information about company size, distribution channels, financials, unit sales and product features (see "Magic Quadrant Evaluation Criteria for SSL VPNs, 1H04"). Information obtained since the survey was completed also was considered, but did not change the vendors' rankings.

Figure 1
Magic Quadrant for SSL VPNs, 1H04


Source: Gartner Research (April 2004)

Most vendors on the SSL VPN Magic Quadrant are appliance gateway providers. Pure software products have proved to be less competitive than drop-in, plug-and-play solutions. Also, most vendors have dropped out of the managed service business – instead, they resell their SSL VPN products to managed service providers, such as carriers and service brokers. NetSilica and Permeo Technologies offer their products as software, although NetSilica also has an appliance that comprises only a small part of its business. PortWise offers an appliance and a managed service, which is priced monthly per user. Aventail is no longer adding end-to-end managed service customers, although it expects to grow its managed SSL VPN business by distributing its appliance through service providers.

Leaders

Leaders demonstrate balanced progress and effort on all execution and vision categories. To remain in the Leaders quadrant, these vendors must excel in mobile access and protection, as well as maintain or increase sales.

NetScreen Technologies (which acquired Neoteris, and is being acquired by Juniper Networks) and Aventail have strengthened their market positions through concerted efforts to deliver a broad, scalable range of mobility features, independently and through leveraged partnerships. NetScreen's sales growth was the best in the market during 2003. Aventail's sales grew with the release of improved appliance models, and it has succeeded in attracting carriers to adopt its platform. Aventail also is investing heavily in mobile client alternatives. Aventail and NetScreen aggressively cultivate relationships with leading third-party security and policy vendors that enterprises often use for standard system images.

Nortel Networks jumped from niche player to the edge of the Leaders quadrant through its work to downsize Alteon into an affordable enterprise solution that includes a wide range of features for security, management and roaming, and by migrating IPsec users to SSL. Nortel's new model sold well for its short time on the market. It is fully compatible with the larger Alteon and Shasta systems. In 2005, the Magic Quadrant will be recalibrated to heavily weight managed security and roaming for SSL endpoint users.

Challengers

Cisco Systems made an extraordinary effort to bring SSL VPN into its 3000-series VPN platform in 2003. Cisco also developed a good user interface, although its heritage is back-end systems. The result is an excellent first-edition product that can be activated on legacy equipment via a firmware upgrade. Cisco's market clout was more than sufficient to delay many enterprises' VPN projects following its November 2003 product launch announcement. We give Cisco credit for taking a strong execution position to support the SSL VPN market. However, clients report that the scalability of users per gateway is less than anticipated. As expected with a first release, the product's basic features and interoperability with third-party systems can be improved. In particular, Cisco promoted the idea of running SSL and IPsec simultaneously in an appliance, but could not overcome the competing resource demands of the two VPNs. To reach leadership, Cisco must continue to invest in the development of its WebVPN platform.

Visionaries

Citrix Systems has moved from niche player to visionary by clarifying the role of its gateway as suited to general SSL VPNs, not just as an add-on to MetaFrame. Citrix earns vision points by bringing its extensive expertise with thin clients on multiple platforms to the SSL market, and adding value to the MetaFrame family. However, it faces the challenge to deliver MetaFrame sessions on small-screen personal digital assistants and mobile devices. Citrix's execution is good, but its sales are only to MetaFrame customers. To be considered for leadership, Citrix must sell strongly outside of the MetaFrame client base, and must adjust its entry price to compete without MetaFrame. Citrix also would benefit from building or acquiring an appliance to facilitate entry-level sales.

Nokia entered the SSL VPN market in July 2003 and, at the same time, strengthened its IPsec end-user product. These moves eliminate the need to associate Nokia with Check Point Software Technologies – previously, Nokia's presence in the firewall and VPN markets was mostly due to its reseller and original equipment manufacturer relationships with Check Point. Nokia's management features and client integrity checker are excellent examples of the policy management direction of SSL VPNs. To reach leadership, Nokia must grow sales and improve its general visibility to enterprises. It should increase the enterprise appeal of its mobile platforms as endpoints to use its SSL VPN.

Permeo Technologies' software SSL VPN is new to the Magic Quadrant. An offshoot of NEC, Permeo has a large installed base but little visibility. Similar to Whale Communications, Permeo promotes its product for access to applications. It has made progress in creating user interface designs that promote a smooth transition for users accustomed to an IPsec VPN.

PortWise (formerly Lemon Planet) offers a complete mobile platform for authentication, policy and SSL VPN, and it has the most experience with small mobile devices among the ranked vendors. Its managed service is attractively priced, and its execution in limited European markets is as pervasive as the global execution of other vendors. Its appliance pricing is competitive with other vendors. PortWise is well-funded and is trying to understand the buying patterns and cultures of other world markets. Its fastest path to leadership would be through acquisition of global sales channels.

Whale Communications moved from niche player to visionary by concentrating on its core selling point, which is enabling access to popular applications. Its execution improved by appealing more to the end user than to security managers (technical sales). Its vision improved as it clarified and strengthened endpoint security and data cleanup methods. Whale thus remains a steady, reliable vendor in the market, with growth potential. Gartner believes that Whale's fastest course to leadership would be by being acquired by a larger company or by acquiring a company with established distribution channels.

Niche Players

AEP Systems is new to the Magic Quadrant. Limited visibility, basic features and good scalability earn it a niche player ranking. Unlike most other vendors in this Magic Quadrant, AEP pursues the small and midsize business (SMB) market. It has succeeded with smaller-scale wins.

Array Networks retained a niche ranking for 2004, but rose in the Niche Players quadrant because of its improved sales, good pricing and manageability.

F5 Networks' 2003 acquisition of URoam was an early example of a vendor of back-end SSL stepping into the foreground of the SSL VPN market. F5's financial strength has improved URoam's execution standing. F5 is investing in more development, sales efforts and interoperability partnerships. It has the potential to move higher on vision and execution.

Netilla Networks improved in general execution and has become a stronger niche player, with expanded commitment to security partnerships.

NetScaler, a competitor to F5, discovered that its user base was reconfiguring its product for use as an SSL VPN. New to the VPN market, NetScaler has substantial talent in Web application performance and security-related features, particularly involving ActiveX. Similar to F5, NetScaler can improve its execution scores by growing sales, and can improve its vision scores by incrementally expanding client and management features.

NetSilica has the lowest priced products among the ranked software SSL VPN products and a good discount progression. Because the prevailing market demand is for appliances, this architecture merits a niche ranking. Gartner clients are generating sufficient interest in NetSilica to assure its continued tracking in the Magic Quadrant.

Symantec acquired SafeWeb in 2003. It has rebranded the product to sell alongside its IPsec VPN gateway, which has done well in SMB sales. In addition to a low entry price, Symantec brings a strong value proposition to the SSL VPN market because of the strength of its LiveUpdate service, and its history in antivirus software and personal firewalls. Symantec likely will move into the Visionaries quadrant when it releases thin-client/on-demand versions of its personal security products to bolster its SSL VPN.

Not on the Magic Quadrant

Three vendors did not reply to the survey, although they are still in business: OpenReach, Seagull Software Systems and Tarantella. These vendors have viable products that can be considered for future deployments.

Aspelle has gone out of business by the decision of its primary investor, Dresdner Bank. (Gartner will put enterprises that use Aspelle's products in touch with Aspelle's former developer on request.) Check Point was excluded because it withdrew its first SSL product from the market in 2002, and its new product will be released too late to be considered for this research.

Vendors that offer viable SSL VPN products, but were not contacted for this survey because of a lack of client inquiries and market influence, include: Authentor Systems, Novell, Plumtree Software, Positive Networks, Rainbow Technologies, Sun Microsystems, TrueDisk and V-One.

Key Findings

Endpoint security is a primary selection driver for SSL VPNs. Although enterprises appreciate SSL's portability, they are alarmed at the risks of access from unmanaged, and unmanageable, endpoint systems. In 2004, partial integrated data cleanup and partnerships with early independent software vendors of on-demand firewalls are acceptable. However, in 2005, enterprise buyers will expect deeply integrated personal firewalls and support for 802.1x authentication.

Price was not a primary selection driver in 2003. The flexibility and ease of administering SSL VPN users have held greater appeal than product entry price. In 2004, buyers are starting to think of SSL VPN as a commodity feature. High prices for entry and per concurrent session can't be defended in the long term by dividing them against the anticipated number of users, because buyers are becoming more knowledgeable, and more skilled, in their spending patterns.

Gartner clients didn't cite benchmark scores as a major differentiator in their buying decisions in 2003. The few benchmark studies that were published were hotly contested and reinterpreted by each vendor. Vendors from the accelerator markets, such as NetScaler and F5, should cultivate an independent benchmarking method and agency that models enterprise user patterns.

SSL's role in mobile roaming access is misunderstood. SSL VPN sessions don't require an IP address for authentication, and don't require a mobile IP address to support roaming. Vendors have underestimated the importance of roaming. By 2005, demonstrations of good roaming solutions will be critical to win business.

Acronym Key
SMB – small and midsize business
SSL – Secure Sockets Layer
VPN – virtual private network

Bottom Line: The simplicity and portability of Secure Sockets Layer virtual private networks can lower the cost to implement remote-user VPNs for corporate workstations, as well as access from noncorporate systems such as PCs. Where traditional VPNs are not required, expect immediate value from investments in SSL VPNs in the form of easier deployment and support.

Gartner RAS Core Research Note M-22-5198, J. Girard, 13 April 2004.

This document and its content is for internal use only. External use requests must be reviewed and approved by Gartner Vendor Relations via email at quote.requests@gartner.com

The Magic Quadrant is copyrighted 2004 by Gartner, Inc. and/or its Affiliates and is reused with permission, which permission should not be deemed to be an endorsement of any company or product depicted in the quadrant. The Magic Quadrant is Gartner, Inc.'s opinion and is an analytical representation of a marketplace at and for a specific time period. It measures vendors against Gartner defined criteria for a marketplace. The positioning of vendors within a Magic Quadrant is based on the complex interplay of many factors. Gartner does not advise enterprises to select only those firms in the "Leaders" quadrant. In some situations, firms in the Visionary, Challenger, or Niche Player quadrants may be the right matches for an enterprise's requirements. Well-informed vendor selection decisions should rely on more than a Magic Quadrant. Gartner research is intended to be one of many information sources including other published information and direct analyst interaction. Gartner, Inc. expressly disclaims all warranties, express or implied, of fitness of this research for a particular purpose.