Firewall Market Trends

Transcription

1 Markets, R. Stiennon Research Note 19 June 2003 Magic Quadrant for Enterprise Firewalls, 1H03 Deep packet inspection technology is driving the firewall market to an inflection point that is characterized by rapid changes in product evolution and the vendor space. Core Topic Security and Privacy: Security Tools, Technologies and Tactics Key Issues Which vendors will emerge as leaders in the information security domain? Which product approaches and practices will help enterprises achieve higher levels of data integrity? Strategic Planning Assumption By fourth-quarter 2005, market-leading firewall vendors will offer deep packet inspection technologies for application defense (0.9 probability). Network-level firewalls have been commoditized. Enterprises must make security decisions based on deep packet inspection of application content, in addition to simple stateful protocol filtering. Gartner believes that firewalls must provide a wider range of intrusion prevention capabilities, or face extinction. We have updated our criteria for firewall market leadership to heavily weight ability to execute and vision in migrating to the next generation of firewalls. Firewall Market Trends Firewalls long have been able to enforce security policies based on who or what gets to connect to which service/machine. However, the content of the packets allowed through has been invisible to the firewall. Firewalls typically look only at header information; thus, they have limited ability to block attacks based on packet content. However, new worms, malicious code and cyberattacks have targeted application weaknesses, and more applications and protocols are tunneling through the firewall by connecting over port 80 and, in some cases, encapsulating in HTTP or S-HTTP formats. The greatest recent shakeup to the security area occurred on 18 September 2001, when "Nimda," a multiheaded worm, exploited a vulnerability in Microsoft IIS Web Server to infect hundreds of thousands of servers. This exploit was not detected by intrusion detection systems (IDSs), nor blocked by firewalls or antivirus software. Many enterprises experienced significant downtime and financial losses because of Nimda. In 2003, the "SQL Slammer" worm proved that although many enterprises had done a better job of patching Windows vulnerabilities, firewalls were still not providing useful protection at the application level. Gartner Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.

2 Most investments in security are still in response to "pain" that is, reactive vs. proactive planning and risk assessment. Nimda caused visceral pain that has spawned investments in dozens of new products that emerged to address application vulnerability. We recommend positioning these network devices in front of critical servers, typically in the transaction zone (see "The DMZ Is DOA: Transaction Zones Replace the DMZ"). These devices are in-line and apply security policies to protect the assets behind them. We believe that application and Web defense products are firewalls, although they are not marketed as such. Several products meet the criteria for an enterprise firewall, including central management, a good graphical user interface, logging and reporting. Others exhibit the security capabilities of a firewall, but are several generations away from becoming a network's sole defense. They lack only the addition of a network stateful inspection capability. Magic Quadrant Criteria In this fresh look at perimeter defenses, we modified the criteria used to determine positions on the Magic Quadrant for Enterprise Firewalls, 1H03 (see Figure 1). Ability to Execute History of success in the traditional firewall market Financial strength, such as increasing revenue, the size of investment, number of employees and other factors Partnerships and channels, including partnerships with highspeed processing platforms and content inspection leaders Completeness of Vision Recognizes and blocks attacks based on protocol anomalies, signatures of attacks, content inspection, behavior (usually based on history of use) and traffic volume Builds solutions that address enterprises' needs Invests in specialized network processing hardware application-specific integrated circuits (ASICs) to perform deep packet inspection at wire speeds Enables central management of many remote devices Able to load balance or configure in a "highly available" mode Provides logging and reporting functionality 19 June

3 Quickly rolls out new application defenses based on the ability to perform deep packet inspection Figure 1 Magic Quadrant for Enterprise Firewalls, 1H03 Challengers Leaders Cisco Systems Check Point Software Technologies NetScreen Technologies Ability to Execute Microsoft F5 Networks Mazu Networks Array Networks Radware SonicWALL Blue Coat Systems Symantec Secure Computing ipolicy Networks Teros Sanctum Top Layer Networks Network Associates (IntruVert) WatchGuard Technologies Whale Communications NetContinuum Fortinet TippingPoint Technologies Kavado As of June 2003 Niche Players Visionaries Source: Gartner Research (June 2003) Completeness of Vision Vendors that introduce new protection capabilities on an extremely short production cycle best leverage the strength of their investment in processing power for example, performing antivirus functions in-line, proxying instant messaging (IM), and providing Domain Name System and sendmail defenses. The greatest challenge will be to perform full Extensible Markup Language (XML) parsing and filtering. The ability to decrypt a Secure Sockets Layer (SSL) session, perform inspection and filtering, and re-establish the SSL session is also heavily weighted. 19 June

4 To be considered a challenger, visionary or leader, a vendor must combine network-level and application-level firewall capabilities in an integrated product. Vendors that have only one or the other will be niche players in the future. Leaders We believe that because of the trends described above, the enterprise firewall market is immature again. The established market share leaders will not necessarily dominate as they previously have done. Therefore, there are no leaders identified in the 1H03 Magic Quadrant, although we expect that several products will qualify for the Leaders quadrant in the next six months. Challengers Check Point Software Technologies has recognized that the market is moving from access control to application defense, and it has rolled out a SmartDefense subscription service in which customers can get pre-configured defenses against newly discovered attacks. It recently launched Application Intelligence to ease management of application defenses. Application Intelligence relies on a combination of Check Point's stateful inspection engine and "services," or software proxies. Gartner believes that this approach is not adequate for 100-percent deep packet inspection at wire speeds. Check Point will need to invest in silicon to compete. It likely will leverage its market-leading Firewall-1 product line's best-of-breed management and graphical user interface to develop the added security functions of a deep packet inspection product. Cisco Systems has changed its market-leading focus on network security and is now committed to end-point security, as evidenced by its purchase of Okena, a host protection company (see "Cisco to Buy Okena, Try to Compete in Security Software"). It may have recognized the need for integration because it has pulled together these elements into a single group. Cisco will need to combine separate products in intrusion detection and firewall with content inspection capabilities that it could derive from internal or external sources. NetScreen Technologies was the first major firewall vendor to recognize the importance of deep packet inspection by purchasing one of the first intrusion prevention vendors, OneSecure. Today, the NetScreen Intrusion Detection and Protection appliance must be deployed behind the firewall to obtain full application defense. NetScreen's challenge is to deliver on its promise to produce an appliance that incorporates stateful inspection firewall and intrusion prevention functionalities 19 June

5 by third-quarter The vendor also must show that it has the management capabilities to make this transition while continuing to grow. Radware is a content-switching appliance vendor that has added security features to its product line. Its application switches can block hundreds of attack signatures at wire speeds. Incorporating SSL termination and application defense, as well as stateful firewall capabilities, in the same appliance would make Radware a serious contender in this space. Visionaries Fortinet has demonstrated its investment in powerful network processing technology by filtering viruses in-line, which requires an unprecedented level of packet assembly and filtering. Fortinet has reached an impressive level of revenue in its first year of production because of its initial market penetration at the very low end of appliances. It will have to address the fact that many competitors in the Visionaries quadrant have concentrated on SSL termination vs. traditional IPsec, or Internet Protocol Security, virtual private networks (VPNs). NetContinuum is the only deep packet inspection vendor that has architected its appliance to protect the privacy of communication going through it. Its "split brain" solution provides for management and policy setting on a separate CPU from the packet assembly, as well as filtering functions that reside on an ASIC with extremely high-speed processing capabilities for SSL termination, packet assembly and filtering. This may prove to be a deciding factor in purchase decisions where that separation is important. Network Associates has purchased IntruVert Networks. As an early player in the intrusion prevention space, IntruVert has gained market traction for its products, which take IDSs a critical step forward to blocking attacks in-line. Network Associates must recognize that it has re-entered the firewall space, and provide R&D and customer support, to be a leader in next-generation firewalls. TippingPoint Technologies has most closely created a comprehensive network protection device, although it has been slow to gain customers because of its industry-leading marketing message of prevention vs. detection. Designed to be placed directly behind the firewall and provide protection across the spectrum of protocols, TippingPoint's product is poised to move to the gateway position with the addition of a complete set of network firewall filtering and reporting functions. 19 June

6 Niche Players Blue Coat Systems is the reincarnation of CacheFlow, the network proxy vendor. Similar to F5 Networks, Blue Coat has recognized that the position of its product in front of critical Web servers as well as its content switching ability are the elements needed to provide protection for Web servers. An example of the power of deep packet inspection is Blue Coat's recent quick development and introduction of an IM proxy solution that allows enterprises to apply security policies to IM traffic. Blue Coat is the product of choice for secure proxying of out-bound connections. F5 Networks has recognized that load balancing, SSL termination and content switching rely on the same processing capabilities that are needed for a security appliance. The recent introduction of network attack blocking is F5's first foray into the protection space. F5's challenge is to pick a technology partner (or make an acquisition) with security domain expertise that can help it leverage its hardware and installed base to be a significant player in the firewall market. Microsoft's Internet Security Acceleration Server is a powerful software proxy and is evolving into Microsoft's lead security product, with built-in application defense and access controls. Although the Internet Security Acceleration Server is good technology, it is trailing market expectations because most enterprises look for hardware gateway devices, not software running on general-purpose operating systems. Secure Computing has delivered on its promise to take the best of Gauntlet (acquired from Network Associates) and combine it with the best of Sidewinder, its own software firewall. The combined product, SidewinderG2, represents the freshest and most-advanced software proxy firewall, with central management and ease of deployment. Enterprises will continue to find positions in their networks for the specialized capabilities that are available from SidewinderG2. SonicWALL has been slow to move into the application defense space with an offering to address recent activity by Check Point and NetScreen. An investment in hardware-based network processing capabilities would give SonicWALL an opportunity to continue to translate large enterprise solutions into products that its small and midsize business customers demand. Symantec remains a niche player in the firewall space. The old Raptor technology in the Symantec Enterprise Firewall is being replaced more often than it is purchased a negative adoption rate. The Symantec Secure Gateway Appliance is new software running on an appliance that provides firewall, IDS, content 19 June

7 filtering VPN and antivirus functionalities. This is a good solution for the small and midsize business market, and perhaps for remote offices. WatchGuard Technologies is profiting from its series of lowcost, easy-to-manage appliances. Its RapidStream purchase gave it the technology for more-advanced application defenses, while supporting Check Point Firewall-1 and virtual local-area networks. Whale Communications is focusing on the SSL VPN space. Whale's technology can process any payload traffic and apply security policies to it. Array Networks, ipolicy Networks, Kavado, Magnifire, Mazu Networks, Sanctum, Teros and Top Layer Networks each combine hardware appliances with application defense capabilities to address various attacks. Not on the Magic Quadrant Some firewall vendors, such as BorderWare Technologies and CyberGuard, greatly rely on software proxies for application defense. However, they have matured considerably and added improvements, as well as management capabilities, to these proxies. Several vendors, such as DataPower Technology and Reactivity, are targeting XML firewall functionality. Parsing XML and checking for protocol anomalies at wire speeds are daunting tasks because in theory, the schema could be different for every message. Decrypting, checking digital signatures and blocking malicious code are other tasks that drive innovation in this arena. These tasks will require the most investment in hardware acceleration. Acronym Key ASIC IDS IM SSL VPN XML application-specific integrated circuit intrusion detection system instant messaging Secure Sockets Layer virtual private network Extensible Markup Language Bottom Line: The first major innovation in gateway security since stateful inspection is embodied in deep packet inspection firewalls. Leading vendors will offer the ability to assemble and inspect packet payloads at wire speeds. Enterprises should redirect intrusion detection system investments toward application defenses such as those offered by the thoughtleading firewall vendors in the Magic Quadrant for Enterprise Firewalls, 1H June