How To Sell Network Intrusion Prevention System Appliances

Transcription

1 Magic Quadrant for Network Intrusion Prevention System Appliances, 2H06 Gartner RAS Core Research Note G , Greg Young, John Pescatore, 22 December 2006 R The network intrusion prevention system appliance market is in a period of maturity and consolidation. A smaller group of vendors are getting an increasing percentage of the market, but the evolving threat means that those that fail to maintain innovation ahead of market demands will be left behind. WHAT YOU NEED TO KNOW Network intrusion prevention systems (IPSs) can detect and block attacks and act as a pre-patch shield for systems and applications. The market for network IPS appliances is entering a phase of maturity and consolidation, but since attacks are evolving, the products need to evolve as well. The significant benefits of an in-line attack-blocking technology can be realized only with a product that fits your security processes and is sized appropriately. STRATEGIC PLANNING ASSUMPTION(S) Sales of stand-alone IPS appliances will be less than 10% of overall next-generation firewall revenue by the end of 2008 (0.7 probability). MAGIC QUADRANT Market Overview The network IPS market has its roots in the improvement and often replacement of intrusion detection systems (IDSs). IPS contains all the detection features of IDS, with two critical areas of improvement: 1) Intrusion prevention moves beyond simple attack signature detection to add vulnerabilitybased signatures as well as anomaly detection capabilities; and 2) network IPS sensors operate at wire speeds to enable in-line automated blocking or handling of attacks. Essentially, network IPS adds block attacks and let everything else through security enforcement to the deny everything except that what is explicitly allowed policy enforcement provided by the first-generation of firewalls. While the market for separate network IPS and firewall devices will continue through at least 2008, most nextgeneration firewalls will use common processing engines to support both functions in one product. The network IPS market for stand-alone appliances was approximately $246 million in 2004 (including product and maintenance but not services) and will increase to more than $700 million by the end of This is a crowded market with several dozen vendors providing network IPS products, with a few large players and many with very small installed bases. Consolidation will continue as a result of the increasing consistency of shortlists of vendors, particularly in larger enterprises. Vendor lineage is stereotyped in the products: IPS from broad security companies tends to be strong on security function and less impressive on network performance, which is the opposite of companies in which security is not their primary business (for example, network infrastructure vendors and startups). These differences will be reduced in the medium term and, in the long term, will become almost irrelevant as the next-generation firewall market increases. On average, solutions remain priced at approximately $50,000 per Gbps of deep inspection (this is an average, and many products provide less than 1- Gbps capability). Most vendors provide more than five models, with some entry-level products offered for less than $15,000. Maintenance fees vary considerably. Signature update fees also vary but are included with maintenance for most products. Most products include a local-management console, with dedicated management appliances resulting in an additional cost. The total cost of ownership and system management capabilities of network IPS products should be key evaluation criteria when comparing competing products.

2 Figure 1. Magic Quadrant for Network Intrusion Prevention Systems Appliances, 2H06 challengers leaders vulnerability approach as IPS vendors to signatures, and this leaves the infrastructure vendors with less direct control over signature quality than competitors. ability to execute Cisco Systems 3Com (TippingPoint) Sourcefire Juniper Networks IBM McAfee Top Layer Networks Radware NFR Security Reflex Security One constant in security is that attacks never stay still. Gartner projects that targeted attacks that use unique malicious executables that do not always look to exploit known vulnerabilities will cause the majority of enterprise damage by Network intrusion prevention solutions need to evolve more detection and blocking capabilities for these types of attacks. niche players Source: Gartner DeepNines NitroSecurity StillSecure visionaries completeness of vision Reliability and availability are also key criteria for any in-line device. Bypass unit modules allowing failopen for copper ports are included in the base price for almost all vendors. Several infrastructure vendors have obtained signatures from antivirus companies, rather than have their own R&D capability. Examples include the partnerships between Cisco Systems and Trend Micro, Juniper and Symantec, and Nortel and Symantec. Antivirus vendors do not have the same As of December 2006 Market Definition/Description The network IPS appliance market is composed of in-line devices that perform full-stream assembly of network traffic, and they provide detection using several methods including signatures, protocol anomaly detection, and behavioral or heuristics. Network IPS is also provided within a next-generation firewall for small and midsize businesses (SMBs), which is the integration of an enterprise-class network firewall and network IPS. This Magic Quadrant is exclusively for stand-alone network IPS appliances, and does include nextgeneration firewall (NGFW). Many vendors offer IPS appliances that include a basic stateful firewall, minimal intrusion detection and prevention functions, and antivirus functions. Performances (both security capability and throughput) are typically suitable only for small enterprises or branch offices with basic security needs, with lower-speed Internet connections. The Magic Quadrant is copyrighted December 2006 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner s analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the Leaders quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner s research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice. 2

3 The network IPS market is entering the early maturity phase where consolidation inevitably occurs. Gartner sees a more consistent and more limited list of vendors on our customers shortlists. With fewer companies getting more share of revenue, there is increased risk for buyers of niche products, but all providers on the Magic Quadrant are viable suppliers. However, enterprises should use the Magic Quadrant to align potential vendors with both near-term and longer-term enterprise security needs. Inclusion and Exclusion Criteria Only products that met the following criteria were included: Products that meet Gartner s definition of network IPS Operate as an in-line network device that runs at wire speeds Perform packet normalization, assembly and inspection Apply rules based on several methodologies to packet streams, including (at a minimum) protocol anomaly analysis, signature analysis and behavior analysis Drop malicious sessions don t simply reset connections Have achieved significant network IPS product sales in the last year within a customer segment that is visible Products and vendors were excluded if: They provide only a NGFW, which is covered in the Magic Quadrant for Network Firewalls, 2H04. We should note that NGFW vendors, which provide an IPS appliance, have that appliance included in this Magic Quadrant. They are in other product classes or markets, such as: Network behavior assessment (NBA) products. These products are not in-line IPSs, but instead focus on networkwide detection of anomalies. IPS vendors are beginning to implement feeds from network anomaly detection as one means of having intelligence from across the network, which can be used to prioritize blocking. Network access control (NAC) products. These are not IPSs and are covered in other Gartner Research. Host IPSs. Software is on servers and workstations rather than an in-line device on the network. Added Enterasys Longtime IDS vendor Enterasys has moved to producing in-line IPS products. Its first customers are primarily managed security system provider (MSSP) customers who report a high degree of satisfaction with Enterasys support with the IDS products and are converting over as customer demand shifts. The Enterasys IPS product is not yet placed on the quadrant because most deployments are incumbent Enterasys IDS deployments moving over to in-line deployment, and Enterasys has yet to emerge into significant competition with other IPS companies. Enterasys emphasis on IPS will likely increase product visibility. Force10 Networks Earlier this year, fast Ethernet switch maker Force10 Networks acquired IDS maker MetaNetworks. MetaNetworks had been active in providing IDS to some areas of the government vertical. Force10 Networks lists a 10-Gbps IPS throughput, although as a new product, there is no independent third-party tests to confirm this. Force10 Networks is new to the security and to the IPS market via this acquisition, and in the short term, they will be challenged in competing with established IPS players beyond replacing IDS in their established customer base. Force10 Networks will likely produce a high-speed switch-based IPS because it already has both products in separate platforms, and to increase IPS placements via the Force10 Networks sales channels. Force10 Networks has yet to emerge into significant competition with other IPS companies and is not placed on the Magic Quadrant. Dropped Symantec Symantec recently announced that it was exiting the network firewall and IPS market. Symantec subsequently announced that it would be partnering with Juniper; however, this partnership will essentially lead to Juniper transitioning Symantec customers to Juniper products. 3

4 Lucid Security Lucid Security recently was acquired by AmbironTrustWave. The former Lucid ipangel will not be sold as a product but instead will become part of Ambiron Trustwave Payment Card Industry (PCI) compliance services so it will not be included in this Magic Quadrant. Check Point Software Technologies The unsuccessful attempt to acquire Sourcefire in 2005 and the announcement to acquire NFR in December 2006 were the significant IPS market events for Check Point. Check Point had not expressed any clear IPS strategy post-sourcefire other than continuing to lead with its Smart Defense product as an add-on service to its firewall product. After the NFR acquisition is complete, however, Check Point has a path for re-entry into the IPS market and will likely lead with the stand-alone NFR product followed by a longer-term integration of the NFR technology into Smart Defense and InterSpect. Check Point InterSpect is not a successful IPS market contender and is instead a NAC enforcement point. The Smart Defense offering, as with other NGFW products, is covered in Magic Quadrant for Enterprise Network Firewalls, 1H06. When the NFR acquisition has been completed, and Check Point has committed to an integration and NFR talent retention strategy, Gartner will reassess Check Point/NFR s standing in the Magic Quadrant. Check Point has an opportunity with NFR to cause disruption to competitors based on their security market sales reach as long as they deliver enterprise-class platforms and expand their vulnerability and IPS signature development team. V-Secure V-Secure now appears under the Radware entry (Radware acquired V-Secure in early 2006). Evaluation Criteria Ability to Execute The Ability to Execute criteria include: Product service and customer satisfaction in deployments. Overall business viability, including overall financial health and prospects for continuing operations. Sales execution and pricing including dollars per Gbps, revenue, average deal size, installed base and use by MSSPs. Market responsiveness and track record. Delivering on new features, such as receiving and acting on feeds from outside the IPS, rate shaping and quality of service, and solid multidevice management. Market execution, including delivering on features and performance, such as product vision, customer satisfaction with those features, and those features winning out over competitors in selections. Delivering products that are low latency and multi-gbps, have solid internal security, behave well under attack, have high availability, and are available ports that meet demands, is rated highly. Speed of vulnerabilitybased signature production was highly rated. Customer experience and operations, including management experience and track record, and depth of staff experience, specifically in the security marketplace. Also important is low latency, rapid signature updates, overall low false positive and negative rates, and how the product fared in attack events. Completeness of Vision The Completeness of Vision criteria include: Market understanding and strategy. This includes providing the correct blend of detection and blocking technologies that meet the requirements for IPS, innovation, having vulnerability rather than exploit product focus, and integration with other security solutions. Also included is understanding and commitment to the security market and, more specifically, the network security market. Vendors that rely on third-party sources for signatures or have weak or shortcut detection technologies, such as overreliance on expression matching, score lower. Sales strategy includes pre- and post-product support, value for pricing, and providing clear explanations and recommendations for detection events. Offering strategy, with emphasis on product road map, signature quality, NGFW integration and performance. Successfully completing third-party testing, such as the NSS Group IPS tests and 4

5 Table 1. Ability to Execute Evaluation Criteria Evaluation Criteria Product/Service Overall Viability (Business Unit, Financial, Strategy, Organization) Sales Execution/Pricing Market Responsiveness and Track Record Marketing Execution Customer Experience Operations Source: Gartner Weighting Table 2. Completeness of Vision Evaluation Criteria Evaluation Criteria Market Understanding Marketing Strategy Sales Strategy Offering (Product) Strategy Business Model Vertical/Industry Strategy Innovation Geographic Strategy Source: Gartner Weighting low low Common Criteria evaluations, is important. Vendors that reissue signatures, are overreliant on behavioral detection, and are slow to issue quality signatures do not score well. The business model includes the process and success rate for developing new features and innovation and R&D spending. Vertical, industry and geographic strategy includes the ability and commitment to service geographies and vertical markets (for example, MSSP and the financial sector). Innovation, including R&D, and quality differentiators, such as performance, management interface and clarity of reporting. The road map should include moving IPS into new placement points and better-performing devices. Leaders Leaders demonstrate balanced progress and effort on all execution and vision categories. Their actions raise the competitive bar for all products in the market, and they can change the course of the industry. To remain in the Leaders quadrant, these vendors must have demonstrated a track record of delivering successfully in enterprise IPS deployments and winning in competitive assessments. Leaders produce products that provide high signature quality, offer low latency, are innovating with or ahead of customer challenges (such as using endpoint intelligence to make more-efficient detection), and have a range of models. Leaders consistently win selections and have been consistently visible on enterprise shortlists. A leading vendor is not a default choice for every buyer, and clients are warned not to assume that they should buy only from the Leaders quadrant. Challengers Challengers have products that address the typical needs of the market with strong sales, visibility and clout that add up to higher execution than niche players. Challengers often succeed in established customer bases but do not yet fare well in competitive selections. Visionaries Visionaries invest in the leading/bleeding-edge features that will be significant in next generation of products and give buyers early access to improved security and management. Visionaries can affect the course of technological developments in the market, but they lack the execution skills to outmaneuver challengers and leaders. 5

6 Niche Players Niche players offer viable solutions that meet the needs of some buyers. Niche players are less likely to appear on shortlists, but they fare well when given the right opportunity. While they generally lack the clout to change the course of the market, they should not be regarded as merely following the leaders. Niche players may address subsets of the overall market (for example, the SMB segment or a vertical market), and often they can do so more efficiently than the leaders. Niche players are often smaller firms, produce only software appliances, and/or do not yet have the resources to meet all the enterprise requirements. Vendor Comments 3Com (TippingPoint) This year, 3Com introduced two new products. The X series includes a stateful firewall and is the 3Com entry into the SMB security multifunction appliance (MFA) market. The enterprise- and carrier-class M60 product supports up to 12 1-, 3- or 5-Gbps blades. The M60 has a maximum single channel capacity of 5 Gbps but a combined throughput of up to 60 Gbps and high-port density. 3Com will likely move features more into internal networks products as opposed to edge-of-network NGFW products because 3Com has switch technology, but it does not have an enterprise-class firewall. 3Com has been increasing its signature/vulnerability research team investments to remain competitive with ISS (now IBM), recognizing that enterprises are placing increasing weight on IPS signature quality and timeliness. Since the acquisition, TippingPoint product has benefited from the larger resources of 3Com but had some trouble penetrating accounts where 3Com is not viewed positively. Enterprises and carriers can consider 3Com IPS appliances where very low latency or high consolidated throughput is required. SMBs and branch offices with requirements that are heavy on IPS and lighter on the firewall can evaluate the X series products. Cisco Systems Cisco offers a wide choice of platforms for IPS, including: IDSM-2: Catalyst 6500 switch blade IOS device software load or a hardware module for the Cisco ISR routers 4200 series: stand-alone IPS appliances in 250- Mbps, 600-Mbps and 1-Gbps models In the ASA firewall appliance with the AIP module added Cisco has made improvements to the security management interface (CSM); however, a significant proportion of Gartner customers report that the IPS products are challenging to manage. IPS selection by enterprises favors signature quality and speed of release; the decision by Cisco to obtain some IPS signatures and vulnerability information from Trend has not been competing effectively vs. competitors who have increasingly significant signature research investments. Loading Cisco IPS for IOS can be a good total cost of ownership (TCO) decision for branch offices since a new appliance need not be deployed; recognize, however, that deep inspection represents a significant additional workload that cannot be added to devices already at capacity. Cisco has accrued a significant IPS market share by maintaining focus on the needs of Cisco customers and introducing IPS on so many platforms. Although not required, The Cisco MARS SIEM product is commonly co-deployed with Cisco network and host IPS products, and future improvements will likely allow more product interaction, such as changes in IPS inspection based on MARS observations. Cisco has many security products, and maintaining competitive innovation across all these products can be a challenge. Overall, Cisco has not followed up the level of IPS innovation of 2004 to 2005 in 2005 to 2006 and needs to improve IPS usability and features and deliver in-house signatures. All Cisco networks should consider Cisco IPS, particularly when the edge firewall is Cisco ASA or other Cisco security products are in wide use. 6

7 DeepNines The market focus for DeepNines is primarily regionally to the Southern United States, and vertically to education for K through 12. DeepNines BBX IPS product comes in two versions one for placements in front of the router and the other for traditional behind the router placements. DeepNines also offers IPS within its security edge platform (SEP), a software appliance close in functionality to an all-in-one appliance targeting the SMB market, as it also includes a firewall, gateway antivirus, antispyware and anti-phishing capability. DeepNines has recently been engaged in pursuing McAfee for alleged patent infringement, which is a distraction for the company s ability to compete on product capabilities. DeepNines also introduced infection-free networking (IFN), which provides a NAC addition. SEP can be considered by SMBs, especially those looking for a complementary NAC product with IFN. IBM IBM (ISS) continues to benefit from the leverage of the X-Force vulnerability research team, and is benefiting from the Protocol Analysis Module (PAM) through being able to add new protocol inspection without a product redesign. ISS also undertook an arrangement to be the OEM for the Arbor Networks Network Behavior Assessment (NBA) product under the Proventia ADS (Anomaly Detection System) name, which provides the advantage of sharing a single console (SiteProtector) with other ISS products but limited IPS-NBA interaction. ISS continues to have high-quality signatures and low time between vulnerabilities and the release of new signatures. ISS also offers host IPS, which can be managed by Siteprotector. ISS still needs to deliver on a higher-end platform to compete more effectively with the 5-or-more-Gbps solutions of competitors, such as 3Com. As with many competitors, the company s network IPS offerings still require integration into an enterprise network firewall for edge placements or switch integration to provide an internal network placement. ISS s standing in the network IPS market will be challenged by the acquisition by IBM. With IBM having a greater presence in the host rather than network buying center, Gartner believes that maintaining the current rate of innovation for ISS network security products will not continue in the long term. Juniper Networks The Juniper IDP stand-alone IPS product remains competitive, although Juniper has not been aggressive with product improvements or a road map. Juniper is well-positioned in the next-generation firewall market (the hardware-based ISG firewalls provide up to 2 Gbps of intrusion prevention throughput). Juniper s software-based IDP IPS appliance is well-suited to shortlists where other Juniper infrastructure equipment is present, although this is not a requirement. Juniper is well-positioned to use the ScreenOS to drive network IPS capability and performance, but its product management and engineering resources seem spread thinly across a wide range of network and security products. Juniper has focused resources in a significant expansion of its branch office firewall line, which include IPS, but has not been driving the market at the higher end. Juniper still hasn t made any announcements on carrier-class capabilities for IDP, which should be its strength, and instead has been positioning the ISG in this role. Juniper will gain some market share at the low end of the market by converting Symantec customers to Juniper products, but it s unlikely that there will be any longer-term benefit from the Juniper/Symantec partnership other than Symantec providing antivirus signatures to Juniper. McAfee Incumbent McAfee placements are often expanded; however, McAfee is less often seen in shortlists by Gartner and has a decreasing network IPS market share, according to Gartner. McAfee IntruShield continues to benefit from having a 2-Gbps appliance for the higher-end placements. McAfee has not been competitive with new features when compared with leading vendors. McAfee (as with all other leaders, excepting Juniper) has not recognized the requirement to incorporate an enterprise-class network firewall in its IPS. MCAfee instead has NAC 7

8 integration plans for internal placements. McAfee offers host IPS products and does not plan to integrate these with its network IPS offerings under a unifying management console capability and signature update capability; however, 4.1 has the ability to import host IPS alert data for correlation and viewing. McAfee has a stronger presence in the host security market and the associated buying center, and as Symantec has done, McAfee needs to assess how competitive it wishes to remain in the network security space. McAfee intends to introduce increased internal IPS features, particularly NAC integration, including the use of the IPS as a NAC enforcement point. This integration will be most useful in agent-based NAC using the McAfee clientside software suite. NFR Security NFR Security has leveraged its IDS lineage to move into the IPS space with its Sentivist product line. The Sentivist IPS strengths include the N-Code language for signature modification, and strong reporting and console. Its support for IP v.6 may be of interest to some government and Asia/Pacific enterprises. NFR s Dynamic Shielding provides a strong capability for incorporating endpoint intelligence to optimize intrusion prevention configuration. Gartner believes that NFR has a 5-Gbps appliance in development as a product line expansion. NFR has been strong in the public sector and has good technology; however, an acquisition was required in order to be successful. In December 2006, Check Point announced a definitive agreement to acquire NFR, and approval of U.S. regulators, including the Committee on Foreign Investment in the United States (CFIUS), had been obtained. Integration of NFR Sentivist technology into Check Point s management consoles and other products should be comparatively rapid. The NFR position on the quadrant reflects the 2H06 status of NFR, where the acquisition has not yet been completed. Postacquisition Magic Quadrant placement change will mostly be driven by Check Point s ability to maintain a hold on shortlists, how tightly the NFR product is integrated across other Check Point products for cross-sales opportunities, and delivering on an increased competitive capability in vulnerability and signature research. NitroSecurity NitroSecurity s focus on its product s internal database performance within the IPS product has led it to produce an impressive interface for viewing and correlating large numbers of events in real time. The NitroSecurity software appliance IPS uses proprietary signatures with the SNORT signature language, but has not been competitive with the quality and timeliness of signatures. The product offers a Layer 2 transparent mode IPS that is seeing success in healthcare and education verticals. This year saw the inclusion of some network flow analysis (SFlow and Netflow) for some NBA-like behaviorbased detection. Radware The Radware DefensePro line offers purpose-built multigigabit IPS appliances up to 6 Gbps. Capitalizing on its network expertise, Radware DefensePro switch IPS includes solid in-line behavior, such as low latency and denial of service (DOS) features, including traffic shaping. Radware remains dependent on SNORT for much of its signature research, and the time between vulnerability announcement and new signature release is below the industry average. Radware IPS is best-suited to internal deployments where other Radware products are deployed rather than as the first line of defense at the network/internet edge. Radware has moved IPS into the APSoluteOS ADC products and is integrating some behavioral features from the acquisition of V-Secure. Reflex Security Reflex Security continues to focus on the midsize market with success and is expanding into new enterprise products. Reflex introduced a VMWarecompatible software version of its product, which can be added via a drag-and-drop interface into virtual machines. In October, it released a blade server platform listed as having 5-Gbps and 10-Gbps throughput (although this has not yet been tested by an independent lab), which is impressive considering large IPS vendors, such as ISS, Cisco and Sourcefire, have not yet done so. Reflex wins placements on price and the multi-device interface features. Reflex has delivered well on an aggressive road map and the VMWare product is well-suited to data center deployments. Reflex will need to expand 8

9 investment in vulnerability and signature research to go head-to-head with Leaders quadrant members. Sourcefire Sourcefire has seen an increase in use of its IPS after it introduced its passive vulnerability and network discovery product (RNA). Under a single console, this provides visibility into the network vulnerabilities that the IPS can be tuned manually to protect. Despite the failed acquisition by Check Point Sourcefire, revenue has increased, it has gained additional private funding and is in a healthy financial position. Sourcefire filed with the Securities and Exchange Commission (SEC) to go public, which will likely occur in Sourcefire has addressed criticism of relying on SNORT signatures by increasing the team doing vulnerability research to the point that most signatures are now Sourcefire rather than SNORT originated. Sourcefire has announced a number of alliances with platforms, such as Nortel, that really have not resulted in strong appliance or security switch competition to 3Com or Cisco. Sourcefire IPS is available on the Crossbeam Systems X series appliances, and a significant new channel through Nokia. In November, Nokia released two appliances, a 200-Mbps and a 450-Mbps model, both running the Sourcefire IPS and Nokia IPSO operating system. StillSecure Strata Guard (renamed from BorderGuard) is a software appliance solution suited to sub-gbps placement points. StrataGuard IPS includes integration with the StillSecure VAM vulnerability management product, providing workflow supporting the reality that IPS is part of a process of vulnerability remediation. Having this vulnerability management feed widens the network view for moreintelligent IPS alerting and blocking decisions. New this year is the innovative step of offering a freeware version with limited functionality, Strata Guard Free. StillSecure plans to focus on using IPS as part of a post-connect NAC solution similar to other vendors that trigger quarantine actions off IPS alerts with Strata Guard IPS currently including integration with the StillSecure Safe Access NAC product. With many product features, but with limited market penetration, StillSecure joins Reflex Security and DeepNines as a good acquisition candidate for lateto-market security firms or network infrastructure companies looking to increase competition with Cisco. Top Layer Networks Pure-play IPS vendor Top Layer Networks primary offering is the purpose-built 5500 IPS appliance, which includes a multi-gbps high-end product. Top Layer provides a balanced blend of safeguards and detection methods, including network firewall, DOS protection and traffic shaping. Top Layer lags behind other players in the proactive protection of narrow blocking signatures, but it does have multidevice management capabilities, low latency and good postsales support. Top Layer is not seen by Gartner on many shortlists, with the exception of larger enterprises that have recently been the subject of a successful targeted attack, such as DOS extortion attempts. Top Layer underwent some cost reductions, including staff layoffs this year as part of maintaining profitability. Given its strength in hardware, Top Layer will likely produce a 10-Gbps solution. Vendors Added or Dropped We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor. 9

10 Evaluation Criteria Definitions Ability to Execute Product/Service: Core goods and services offered by the vendor that compete in/serve the defined market. This includes current product/service capabilities, quality, feature sets, skills, etc., whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria. Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an assessment of the overall organization s financial health, the financial and practical success of the business unit, and the likelihood of the individual business unit to continue investing in the product, to continue offering the product and to advance the state of the art within the organization s portfolio of products. Sales Execution/Pricing: The vendor s capabilities in all pre-sales activities and the structure that supports them. This includes deal management, pricing and negotiation, pre-sales support and the overall effectiveness of the sales channel. Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor s history of responsiveness. Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization s message in order to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This mind share can be driven by a combination of publicity, promotional, thought leadership, word-of-mouth and sales activities. Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements, etc. Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis. Completeness of Vision Market Understanding: Ability of the vendor to understand buyers wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen and understand buyers wants and needs, and can shape or enhance those with their added vision. Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the Web site, advertising, customer programs and positioning statements. Sales Strategy: The strategy for selling product that uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base. Offering (Product) Strategy: The vendor s approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature set as they map to current and future requirements. Business Model: The soundness and logic of the vendor s underlying business proposition. Vertical/Industry Strategy: The vendor s strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including verticals. Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes. Geographic Strategy: The vendor s strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the home or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market. 10