What Are Network Security Platforms?

Transcription

1 Markets, J. Pescatore, M. Easley, R. Stiennon Research Note 7 November 2002 Network Security Platforms Will Transform Security Markets An integrated network security platform approach will increase network security and reduce the cost of ownership for perimeter security, while preserving best-of-breed options. Core Topic Security and Privacy: Security Tools, Technologies and Tactics Key Issues How will network-based applications become safe for mission-critical businesses during the next five years? Which technology and business factors will enterprises use to structure network-based security strategies? Strategic Planning Assumption By 2006, 60 percent of firewall and intrusion detection functionality will be delivered via network security platforms (0.6 probability). In the past, best-of-breed security solutions have been the mosteffective choices for securing enterprise networks. However, this approach has resulted in the deployment of a disparate set of point products for firewall, intrusion detection, antivirus blocking, vulnerability analysis and other network-centric security functions. This has led to gaps in protection and a high cost of ownership because of the need for multiple management consoles and a lack of integration. Gartner believes that the rise of network security platforms will enable best-of-breed security solutions to blur the lines between firewalls, network-based intrusion detection and vulnerability scanning, as well as other network-centric security technologies. What Are Network Security Platforms? Network security platforms are network-attached devices that can apply multiple security functions (at a minimum, firewall, intrusion detection and vulnerability scanning) at wire speeds. They provide environmental inputs (power, cooling and console) for the security capabilities, a common backplane for communications, and a control structure for communications between and to control across to security processing functions. Network security platforms use a variety of algorithms and techniques to inspect incoming and outgoing network traffic to determine if connections and payloads are dangerous to enterprises. The platforms decide whether to raise an alert regarding suspected malicious activity or to take specific actions such as block connections, drop packets or terminate sessions when malicious activity is detected. These platforms perform functions that currently are performed by firewall (network- and application-level), intrusion detection, vulnerability assessment, gateway antivirus and URL blocking products. Many network security platforms will include virtual private network Gartner Entire contents 2002 Gartner, Inc. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.

2 capabilities; however, we believe that these capabilities will not be long-term platform requirements, except for site-to-site connections. Network security platforms must run at wire speeds; for most enterprises, these will be in the 100 Mbps to 1 Gbps range for single connections, and much higher for multiple networks. For "in the cloud" security applications, with which telecom and Internet service providers provide security processing in the network, throughput of 2 Gbps or higher will be required. These requirements will drive most network security platforms to be based on custom, application-specific, integrated circuits or network-security processors to support complex processing at high data rates. However, the platforms will need to support software-based updates, customization and scripting, similar to software-based systems. Hardware-based stack and protocol processing will be required to perform deep packet inspection without introducing unacceptable network latency. Software processing that runs on generic computing platforms will be sufficient where the network security platform primarily will be used for detection, not prevention; applications are simple or repetitive; or network data rates are low enough (see Figure 1). Firewall Detection Vulnerability Assessment Gateway Antivirus Figure 1 Network Security Management Through 2006 Network Security Platforms Gbps or more 100 Mbps or less In the Cloud Security Services Enterprise Prevention Prevention Appliances Source: Gartner Research 2006 Types of Network Security Platforms There are four primary types of network security platforms: Closed integrated platforms The network security platform vendor implements all security functions in a proprietary environment and can integrate processing across functions, which enables security functions to make processing decisions based on the results of other processing functions. Vendors in this category include Tipping Point Technologies, 7 November

3 NetScreen Technologies, BlueCoat Systems and Array Networks. Closed separate platforms The vendor implements all security functions in a proprietary environment without supporting integration across functions. Vendors include Symantec, with its initial Gateway Security product, and Cisco Systems, with its blade approach. Open integrated platforms The vendor licenses security functions from other vendors (or supports open source) or partners with multiple security vendors that port their applications to the network security platform. Vendors include Nortel/Alteon, CloudShield and Ingrian Networks. Open separate platforms The vendor licenses security functions from other vendors (or supports open source) or partners with multiple security vendors that port their applications to the platform; however, integrated processing across functions isn't supported. Vendors include Crossbeam Systems, Blade Fusion and OmniCluster Technologies. Closed integrated platforms offer more-effective security via tighter integration between functions, but they require that enterprises abandon the best-of-breed approach to individual functions. Open integrated platforms enable enterprises to stay with best-of-breed options and preserve investments in network security products, as well as reduce the need to migrate security policies to new products. Both types of separate platforms will be interim offerings until fully integrated capabilities are available. Meaningful integration across functions is a complex issue. Gartner believes that this integration will not provide reliable results until 2H04. Within these types of platforms, different performance/price points will emerge: Carrier class Products that run at OC24 and higher rates, and that allow network service providers to offer "in the cloud" security services, which eliminate the need for customer premises equipment and enable low-cost managed service offerings. Enterprise class Platforms that can process multiple 100 Mbps networks that are used by Global 2000-class enterprises as enterprise intrusion prevention systems. Small and midsize enterprise class Products that offer limited flexibility or operate at 100 Mbps or lower rates at low price points. Types of Network Security Platform Vendors 7 November

4 Network security product vendors will migrate to offering security platforms, while other network performance management vendors also will provide these platforms. Network-securityfocused vendors (such as firewall, intrusion detection and gateway antivirus companies) will begin to offer security platforms to meet the challenges of blended and application-level attacks, and to address market demand to lower total cost of ownership. By 2006, 60 percent of firewall and intrusion detection functionality will be delivered via network security platforms (0.6 probability). Content-switching and load-balancing vendors will add security functionality to their platforms, which already offer high-speed processing and deep packet inspection for making caching/load balancing type decisions. These vendors see security as a new revenue stream from their installed base, and as a way to avoid the threat of network security platform vendors that are adding switching and load-balancing functions to their platforms. Although content-switching/load-balancing vendors have extensive experience in wire-speed traffic processing, they don't have deep security expertise. This will prompt network performance vendors to acquire network security technology companies that specialize in deep packet processing. Network Security Platform Market Road Map In 2002, firewall vendors such as Check Point Software Technologies, Symantec and NetScreen took steps toward becoming network security platform vendors. Check Point announced Smart Defense, which integrates intrusion detection capabilities onto Firewall-1. Symantec's Gateway Security product combines firewall, intrusion detection, gateway antivirus and URL blocking functions into one appliance. NetScreen's implementation of simple, signature-based filtering and its acquisition of OneSecure were strong moves in the platform direction. However, these first-generation efforts provide minimal integration between functions, and they generally don't add vulnerability assessment capabilities. Newer market entrants such as TippingPoint provide tighter integration of the required functions, but in a closed architecture that will require enterprise testing to determine the effectiveness of the individual firewall, intrusion detection and antivirus functions, as well as integrated capabilities (see "Firewall 2H02 Magic Quadrant"). Gartner believes that products that fully integrated network security functions that can operate at wire speeds will not affect the firewall and intrusion detection markets until 2H04. After 2H04, intrusion detection vendors that do not offer network 7 November

5 security platforms will begin to exit the market through acquisition by network security platform players or loss of market share. The initial product focus between 2004 and 2006 will be at the enterprise level, with price points in the $25,000 to $75,000 range. If the telecom market recovers from the economic downturn before 2006, mainstream telecom and Internet service providers will begin to offer managed security services that will drive the development of higher-speed, lower-priced offerings and use-based pricing models. Gartner believes that aggressive telecom providers will offer some in-the-cloud services by late The low-end, small-and-midsize-enterprise-class network security platform will not be a market factor until 2007, when platforms with limited functionality and processing speeds will be available at price points of less than $10,000. Managing Multiple Security Devices Most enterprises have deployed numerous firewalls, and many also have deployed one or more intrusion detection products. Network security platforms will be viable enterprise solutions by 2006, and they will transform today's disparate network security market. Until that occurs, enterprises that have deployed firewalls and intrusion detection systems can use security device management products to gain a preliminary level of integration between network security products (see "The Emerging IT Security Management Market"). These products support alarm/alert normalization, aggregation, data reduction and a degree of correlation to greatly reduce the false alarm rate and the operational burden of monitoring security devices. Although the loose integration that is provided by these products doesn't support the speed of response necessary to implement intrusion prevention, security management products enable enterprises to extend their investments in security products and provide a management structure for incorporating advanced security products. Security management price points will have to drop below the six-figures of current offerings to reach the broad market. Outsourcing the monitoring and management of perimeter network security devices is another option for enterprises that are looking to avoid investing in early-stage technology or limited security staffing levels. Bottom Line: Tighter integration and common management across network security controls is a panacea of Internet security. Network security platforms maintain best-of-breed security approaches while supporting improved attack blocking and lowering total cost of ownership. 7 November