Magic Quadrant for Network Intrusion Prevention Systems
Gartner RAS Core Research Note G00208628, Greg Young, John Pescatore, 06 Dec 2010, R3524 12082011

Deep inspection network-based intrusion prevention continues to be a due-diligence security control. The near-term future of the intrusion prevention system market will be determined by the pace of innovation of another market: next-generation firewalls.

WHAT YOU NEED TO KNOW

Network intrusion prevention systems (IPSs) can detect and block attacks, and can act as prepatch shields for systems and applications. IPSs include intrusion detection and have long since eclipsed the detection-only market (see Figure 1).

MAGIC QUADRANT

Market Overview

The network IPS market subsumed the intrusion detection system (IDS) market several years ago. IPS contains all the detection features of IDS, with two critical areas of improvement:

- Intrusion prevention moves beyond simple attack signature detection to add vulnerability-based signatures and nonsignature detection capabilities.
- Network IPS sensors operate in line at wire speeds to enable automated blocking and mitigation of attacks.

Essentially, network IPS adds "block attacks and let everything else through" security enforcement to the "deny everything except that which is explicitly allowed" policy enforcement that first-generation firewalls provide.

IPS Use Cases

Network IPS performs in-line inspection of network traffic in a near-real-time manner. The inspection identifies attacks using known vulnerabilities of commonly used software products and protocols, as well as known attack patterns and unusual activity based on connection sequences or traffic volume. The primary placement point is at the Internet edge, with secondary placements in branch offices, the data center and, less often, the internal network. Gartner sees enterprises following three common use cases:

1. IPS is commonly deployed immediately in line in blocking mode as a prepatch shield to provide positive protection from attacks seeking to exploit known vulnerabilities until patches have been deployed and verified. Most IPS vendors issue vulnerability-facing signatures within 24 hours of a patch release, which is invariably faster than an enterprise's ability to patch systems in a measured manner. The reality is that not all vulnerable systems are patched, or new vulnerable systems join the network, and attackers continue to try to exploit vulnerabilities for which patches have long been available. For this reason, IPS signatures never really go away, and the ability of IPS products to maintain data throughput with large signature lists is critical. Most IPS administrators do not go beyond the use of the vendor-recommended signatures and do not use advanced capabilities that may block advanced threats, but may also cause business interruption through erroneous blocking actions. This use case represents approximately 65% of new IPS deployments.

2. Many enterprises start out with IPS deployed in line, but used in IDS mode: blocking capabilities are not used at all until enterprises are confident there will be no business interruption. This represents about 25% of deployments.

3. Approximately 10% of enterprises make more-aggressive use of IPS, deploying in line in blocking mode and actively developing custom signatures and using behavior-based signatures to put in place proactive protection against targeted and Day Zero attacks. This portion of the market often uses more-advanced network security tools, such as network forensics and network behavior analysis, to support "lean forward" activities.

IPS Market

According to Gartner market research, the worldwide IPS market for stand-alone appliances grew approximately 5% to $939 million, whereas, overall, the network security equipment market fell by 6.3% in 2009. The rate of growth in 2008 was 11.7%, representing the continuing flattening of the market from a relative growth perspective. The total enterprise spending on stand-alone IPS (which also includes support and software-only products) for 2009 was approximately $1.2 billion. Data collected from vendors for this Magic Quadrant (independently from the market report cited above) validates this range. Gartner believes two factors drove the slow growth of the IPS market:

1. Economic conditions caused a slowdown in the refresh of network security equipment in general.
The IPS growth of 5% bucked that trend and would have been much higher in a stronger economic environment.

2. Next-generation firewalls are starting to impact the stand-alone IPS market.

Considering the above factors, Gartner projects that the total 2010 IPS market will be approximately $1.4 billion in revenue, a growth of approximately 20% over 2009, while the appliance-only IPS portion will grow to $1.1 billion, a 10% growth over 2009.

Figure 1. Magic Quadrant for Network Intrusion Prevention Systems (as of December 2010). Axes: completeness of vision (horizontal) and ability to execute (vertical); quadrants: Leaders, Challengers, Visionaries and Niche Players. Vendors plotted: Cisco, IBM, HP, McAfee, Sourcefire, Juniper Networks, Stonesoft, Top Layer Security, NitroSecurity, Radware, Check Point Software Technologies, StillSecure, DeepNines and Enterasys Networks. Source: Gartner (December 2010)

2010 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see Guiding Principles on Independence and Objectivity on its website, http://www.gartner.com/technology/about/ombudsman/omb_guide2.jsp

IPS Platform Evolution

IPS has two primary performance drivers: the handling of the network traffic at near wire speeds, and the deep inspection of the traffic based on the signatures, rules and policy. The load on both aspects is increasing radically. Enterprise network traffic is growing in bandwidth, complexity of connections and protocols, and connections per second. Inspection load is increasing as new signatures are introduced and old ones do not go away. These loads have driven IPS toward increasingly purpose-built appliances. Although many IPS products use network processing units, how they are implemented and the software that uses them are key competitive differentiators. The use of general-purpose servers for network IPS is very rare and usually only seen in small or midsize businesses (SMBs).

Although some vendors have versions of products that can be installed within virtualized servers, use of these software versions has been and will remain niche, with the exceptions being tactical deployment for a single high-risk server, or use by hosting companies. Most vendors with virtualized installation options estimate that such sales are single-digit percentages or less, mostly in response to the performance reality and concern over using a non-kernelized host of the virtual machine (VM) or hypervisor as the wrapper around the IPS. However, as data center virtualization increases, running a software IPS image within the VM may often be the only option. While there are performance limitations, Gartner believes that an IPS vendor's ability to offer a soft appliance, in addition to high-performance stand-alone appliances, will be a key market requirement.

Gartner has projected slow growth for cloud-based firewalling and IPS. Carriers and ISPs are slow to invest in the required infrastructure, because they make money from increasing bandwidth, rather than removing traffic. While traffic can be redirected to third parties for deep inspection and filtering, the investment in capacity that a third party has to make to keep latency down is a barrier to entry. Latency and processing load impact is currently keeping Web antivirus inspection out of the IPS and in Secure Web Gateways, at least through 2012.

When Will Firewall Improvements Plateau in the IPS Market?
Next-generation firewalls (NGFWs) use common engines for implementing both stateful firewall port/protocol enforcement and deep packet inspection/IPS. NGFWs can be used to meet the needs of 90% of IPS deployments as defined in use cases (1) and (2) above. However, the replacement of IPSs by NGFWs has been slowed by two factors, both of which are decreasing:

1. Separate refresh cycles of firewall and IPS deployments have caused separate decision making to persist. However, tougher economic times and the box-reduction pressure of data center virtualization are rapidly eroding this obstacle.

2. The absence of quality, integrated IPSs available within firewalls has been a larger factor. In many cases, the IPS that is part of an NGFW has been markedly inferior to the capabilities of stand-alone IPS products.

Until IPS is widely available within NGFWs that can compete with stand-alone IPS competitors, the IPS market will not plateau and will continue at current growth trends. Inquiry demand from Gartner customers looking to move to a single firewall-IPS appliance in the form of an NGFW has increased consistently; however, fewer than 10% of shortlists today are resolved with the selection of an NGFW. Where the IPS is not aggressively managed, some enterprises are opting to push out the refresh cycle of IPS appliances into the future as they wait to see whether firewall vendors can deliver competitive deep inspection. Through 2011, more than 75% of enterprises looking for best-in-class deep inspection will still buy stand-alone IPSs to maintain a high level of protection, and some internal-to-the-network placements will continue to support an IPS market. However, by 2015, we believe more than 50% of IPS deployments will be as part of an NGFW. Recent independent testing has demonstrated that the security effectiveness and performance of the IPS portion of an NGFW can match that of stand-alone IPS devices. Given that a typical NGFW device can be deployed in line with the firewall disabled (effectively making it a dedicated IPS device), it is likely that the above objections will be eliminated more rapidly than originally thought.

Signature Quality and False Positives

False positive (false alarm) rates remain low in most deployments, because most use cases deploy high-confidence signatures only. Overall, IPS signature quality has improved as leading vendors compete on the timeliness and accuracy of new signatures. Other vendors have been challenged to engage in the competition at this level and find themselves serving a narrowing niche of customers looking for value over protection. As the time window between vulnerability discovery and signature creation narrows, the room for significant protection improvements narrows as well. Bringing in information from outside the IPS (extra-IPS intelligence) will provide the greatest protection leverage.

Although false positive rates due to poor IPS signatures remain generally low, self-inflicted false positives are still of concern. Increased IPS and network traffic complexity makes IPS configuration more specialized and less forgiving. Default configurations are by their nature problematic, in that well-tuned configurations differ significantly from one enterprise to another; default configurations are only a starting point.

Extra-IPS Intelligence

An IPS embedded within an NGFW will have the best opportunities for interaction through tightly coupled operation, rather than as separate products. As vulnerability research has improved, the gap between vulnerability exploitation and IPS signatures to protect that vulnerability has closed. Future protection improvements of significance will come from bringing intelligence into the IPS from external sources, that is, from points into which the IPS does not normally have visibility. Examples include vulnerability management data, reputation data or known external sources of malware, directories and firewalls. Vulnerability management allows blocking to be done with knowledge of the target (for example, there is no need to block an attack against a server that has already been patched for it). Reputation feeds can provide intelligence to the IPS in terms of the source (for example, only malware has ever come from that location). Most extra-IPS intelligence today is provided to operators and is not used automatically within the IPS decision engine. Future IPS improvements will see better correlation through more active use of this intelligence.
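The correlation this section describes, as an added illustrative example (not code from the report or from any vendor's product): a decision function that enriches an IPS alert with constructed vulnerability-management, asset-sensitivity and reputation data before choosing whether to block. All hosts, vulnerability IDs, weights and thresholds are assumptions.

```python
"""Illustrative extra-IPS correlation engine (constructed example).

An IPS alert is enriched with three context sources before an action is
chosen: a reputation feed about the source, vulnerability-management data
about the target, and an asset-sensitivity weight that turns the raw
signature confidence into a risk rating. All data below is constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Action(Enum):
    BLOCK = "block"  # drop the session in line
    ALERT = "alert"  # let it through, raise an operator alert
    LOG = "log"      # let it through, record only


@dataclass(frozen=True)
class Alert:
    signature: str           # signature name (constructed)
    vuln_id: Optional[str]   # vulnerability the signature faces; None if behavioral
    src_ip: str
    dst_ip: str
    confidence: int          # vendor-assigned signature confidence, 0-100


@dataclass(frozen=True)
class Decision:
    action: Action
    risk: int                # adjusted risk rating, 0-100
    reason: str


# Constructed vulnerability-management export: target host -> {vuln_id: status}.
VULN_INVENTORY = {
    "10.0.5.20": {"EXAMPLE-VULN-1": "patched", "EXAMPLE-VULN-2": "vulnerable"},
    "10.0.5.21": {"EXAMPLE-VULN-1": "vulnerable"},
}
# Constructed asset sensitivity: 0.5 (low) .. 1.5 (critical); unknown hosts get 1.0.
ASSET_WEIGHT = {"10.0.5.20": 1.5, "10.0.5.21": 0.5}
# Constructed reputation feed: sources from which only malware has ever been seen.
BAD_SOURCES = {"203.0.113.9"}

BLOCK_THRESHOLD = 70   # assumed tuning values
ALERT_THRESHOLD = 40


def decide(alert: Alert,
           inventory: dict = VULN_INVENTORY,
           weights: dict = ASSET_WEIGHT,
           bad_sources: set = BAD_SOURCES) -> Decision:
    """Return the action for one alert given the external context."""
    # 1. Source reputation overrides everything: a known-bad source is dropped.
    if alert.src_ip in bad_sources:
        return Decision(Action.BLOCK, 100, "source on reputation blocklist")

    # 2. Risk rating: scale signature confidence by how sensitive the target is.
    weight = weights.get(alert.dst_ip, 1.0)
    risk = max(0, min(100, round(alert.confidence * weight)))

    # 3. Vulnerability-management context applies only to vulnerability-facing
    #    signatures; behavioral signatures fall through to the risk rating.
    reason = "behavioral signature; risk rating only"
    if alert.vuln_id is not None:
        host = inventory.get(alert.dst_ip)
        if host is None:
            reason = "target not in vulnerability inventory; signature default"
        elif host.get(alert.vuln_id) == "patched":
            # The exploit cannot succeed: keep the record, avoid a needless block.
            return Decision(Action.ALERT, risk, "target already patched")
        elif host.get(alert.vuln_id) == "vulnerable":
            return Decision(Action.BLOCK, 100, "target confirmed vulnerable")
        else:
            reason = "vulnerability not assessed on target; signature default"

    if risk >= BLOCK_THRESHOLD:
        return Decision(Action.BLOCK, risk, reason)
    if risk >= ALERT_THRESHOLD:
        return Decision(Action.ALERT, risk, reason)
    return Decision(Action.LOG, risk, reason)


# Constructed alerts covering each path through the decision logic.
SAMPLE_ALERTS = [
    Alert("vuln-sig-A", "EXAMPLE-VULN-1", "203.0.113.9", "10.0.5.21", 90),
    Alert("vuln-sig-A", "EXAMPLE-VULN-1", "198.51.100.5", "10.0.5.20", 90),
    Alert("vuln-sig-A", "EXAMPLE-VULN-1", "198.51.100.5", "10.0.5.21", 90),
    Alert("vuln-sig-B", "EXAMPLE-VULN-2", "198.51.100.5", "10.0.5.21", 90),
    Alert("vuln-sig-B", "EXAMPLE-VULN-2", "198.51.100.5", "10.0.5.99", 80),
    Alert("behav-sig-C", None, "198.51.100.5", "10.0.5.21", 30),
]


def triage(alerts=SAMPLE_ALERTS) -> dict:
    """Count decided actions, as an operator summary."""
    counts = {a.value: 0 for a in Action}
    for alert in alerts:
        counts[decide(alert).action.value] += 1
    return counts


if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        d = decide(a)
        print(f"{a.signature:12} {a.src_ip:>13} -> {a.dst_ip:<10} "
              f"{d.action.value:5} risk={d.risk:3} ({d.reason})")
    print(triage())
```

The second sample alert shows the patched-target case the text singles out: the signature fires, but the engine downgrades it to an alert instead of blocking, while the same signature against a host the inventory marks vulnerable is blocked outright.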
Detecting Advanced Attacks

Increasingly, the most damaging threats are not simply attacking missing patches. Targeted threats, such as botnet attacks, often use social-engineering techniques and targeted spam attacks to compromise user PCs with malicious payloads that later download targeted executables to launch attacks from inside the network. The current generation of IPS products provides some features for detecting and blocking such advanced threats, but in general they are not proving effective. Innovative smaller vendors, such as Damballa, FireEye, NeuralIQ and others, are pioneering new techniques that are proving much more effective. Gartner expects to see some of these vendors acquired by leading NGFW or IPS vendors, and some of them begin to attack the IPS market directly.

Market Definition/Description

The network IPS appliance market is composed of in-line devices that perform full-stream assembly of network traffic, providing detection using several methods, including signatures, protocol anomaly detection, and behavior or heuristics. This Magic Quadrant is for stand-alone network IPS appliances. Network IPS is also provided within an NGFW, which is the integration of an enterprise-class network firewall and network IPS. NGFW capability and products not for the enterprise are the subject of other research.

Inclusion and Exclusion Criteria

Only products that met the following criteria were included:

- Meet Gartner's definition of a network IPS:
  - Operate as in-line network devices that run at wire speeds.
  - Perform packet normalization, assembly and inspection.
  - Apply rules based on several methodologies to packet streams, including (at a minimum) protocol anomaly analysis, signature analysis and behavior analysis.
  - Drop malicious sessions, and don't simply reset connections. The drop must not be a block of all subsequent user traffic.
- Have achieved network IPS product sales in the last year of more than $8 million within a customer segment that is visible to Gartner, and have at least 250 devices deployed under paid support with customers.
- Are sold primarily as stand-alone IPSs.

Products and vendors were excluded if:

- They are in other product classes or markets, such as network behavior assessment products and network access control (NAC) products, that are not IPSs and are covered in other Gartner research.
- They are host IPSs, such as software on servers and workstations, rather than an in-line device on the network.

Added or Changed

- Through the acquisition of 3Com and broader security integration announced by HP, 3Com/TippingPoint has been renamed HP.
- The McAfee label will continue to be used because the announced acquisition of McAfee by Intel has not been completed, and the stated intention is to maintain McAfee at arm's length.
- Gartner analyzes NSFocus; however, it did not yet meet the inclusion criteria for consideration. Gartner customers considering NSFocus should not necessarily exclude it from consideration on this basis.

Dropped

No vendors were dropped.

Evaluation Criteria

Ability to Execute

The ability to execute criteria include:

- Product/service and customer satisfaction in deployments. Performance in competitive assessments and having best-in-class detection and signature quality are highly rated, as is competing effectively to succeed in a variety of customer placements.
- Overall business viability, including overall financial health and prospects for continuing operations.
- Sales execution and pricing, including dollars per Gbps, revenue, average deal size, installed base and use by managed security service providers (MSSPs).
- Market responsiveness and track record, including delivering on planned new features.
- Marketing execution, including delivering on features and performance, customer satisfaction with those features, and those features winning out over competitors in selections. Delivering products that are low latency and multi-Gbps, have solid internal security, behave well under attack, have high availability, and offer ports that meet demands is rated highly. The speed of vulnerability-based signature production, signature quality and dedicating internal resources to vulnerability discovery are highly rated.
- Customer experience and operations, including management experience and track record, and depth of staff experience, specifically in the security marketplace. Also important are low latency, rapid signature updates, overall low false positive and negative rates, and how the product fared in attack events. Post-deployment customer satisfaction where the IPS is actively managed is a key criterion.
Completeness of Vision

The completeness of vision criteria include:

- Market understanding and strategy. This includes providing the correct blend of detection and blocking technologies that meet and are ahead of the requirements for IPS. Innovation, forecasting customer requirements, having a vulnerability-facing rather than exploit-facing product focus, being ahead of competitors on new features, and integration with other security solutions are highly rated. Also included are understanding of and commitment to the security market and, more specifically, the network security market. Vendors that rely on third-party sources for signatures or have weak or shortcut detection technologies score lower.
- Sales strategy, including pre- and post-product support, value for pricing, and providing clear explanations and recommendations for detection events.
- Offering strategy, with emphasis on product road map, signature quality, next-generation firewall integration and performance. Successfully completing third-party testing, such as the NSS Group IPS tests and Common Criteria evaluations, is important. Vendors that reissue signatures, are overreliant on behavioral detection and are slow to issue quality signatures do not score well.
- The business model, including the process and success rate for developing new features, innovation and R&D spending.
- Vertical, industry and geographic strategy, including the ability and commitment to service geographies and vertical markets (for example, MSSP and the financial sector).
- Innovation, including R&D, and quality differentiators, such as performance, management interface and clarity of reporting. Features that are aligned with the realities of network operators, such as those that reduce gray lists (e.g., reputation, correlation), are rated important. The road map should include moving IPS into new placement points and better-performing devices.

Table 1. Ability to Execute Evaluation Criteria

Evaluation Criteria                                                     Weighting
Product/Service
Overall Viability (Business Unit, Financial, Strategy, Organization)
Sales Execution/Pricing
Market Responsiveness and Track Record
Marketing Execution
Customer Experience
Operations
(Weightings extracted without row alignment: High, High, High.)
Source: Gartner (December 2010)

Table 2. Completeness of Vision Evaluation Criteria

Evaluation Criteria              Weighting
Market Understanding
Marketing Strategy               Low
Sales Strategy
Offering (Product) Strategy      High
Business Model
Vertical/Industry Strategy       Low
Innovation                       High
Geographic Strategy
Source: Gartner (December 2010)

Leaders

Leaders demonstrate balanced progress and effort in all execution and vision categories. Their actions raise the competitive bar for all products in the market, and they can change the course of the industry. To remain Leaders, vendors must demonstrate a track record of delivering successfully in enterprise IPS deployments and in winning competitive assessments. Leaders produce products that provide high signature quality and low latency, are innovating with or ahead of customer challenges (such as using endpoint intelligence to make more-efficient detections) and have a range of models. Leaders continually win selections and are consistently visible on enterprise shortlists. However, a leading vendor is not a default choice for every buyer, and clients should not assume that they must buy only from vendors in the Leaders quadrant.

Challengers

Challengers have products that address the typical needs of the market, with strong sales, large market share, visibility and clout that add up to higher execution than Niche Players. Challengers often succeed in established customer bases, but do not yet fare well in competitive selections.

Visionaries

Visionaries invest in leading/bleeding-edge features that will be significant in next-generation products and that give buyers early access to improved security and management. Visionaries can affect the course of technological developments in the market, but they lack the execution skills to outmaneuver Challengers and Leaders.

Niche Players

Niche Players offer viable solutions that meet the needs of some buyers. Niche Players are less likely to appear on shortlists, but they fare well when given the right opportunities. Although they generally lack the clout to change the course of the market, they should not be regarded as merely following the Leaders. Niche Players may address subsets of the overall market (for example, the SMB segment or a vertical market), and they often do so more efficiently than Leaders. Niche Players frequently are smaller enterprises, produce only software appliances and/or do not yet have the resources to meet all enterprise requirements.

Vendor Strengths and Cautions

Check Point Software Technologies

Headquartered in Israel, Check Point is a well-established security vendor with a wide range of firewall, Web security, e-mail security and other network security products. This analysis applies to the stand-alone Check Point IPS-1. IPS-1 is available on appliances or as software that range from 50 Mbps to 1 Gbps of throughput. IPS is also available within the IPS Software Blade of the Check Point firewall products, and is covered in the enterprise network firewall Magic Quadrant. Other OEM appliance options are also available through the IPS-1 Integrated Appliance Solution (IAS). IPS-1 can be managed under the Check Point SmartCenter console.

Strengths
- Gartner believes that the Nokia security appliance acquisition provides a good future path for potential purpose-built IPS appliances, although no road map announcements have been made.

Cautions
- IPS Blade has better capabilities than IPS-1.
- IPS-1 is rarely seen on Gartner customer shortlists and has a small market share.
- Signature quality is consistently reported as being low.

Cisco

Cisco is the dominant network infrastructure vendor, with a large security product portfolio. Cisco has stand-alone IPS available in the 4200 Series appliances, ranging from 80 Mbps to 4 Gbps, as well as the IDS Services Module 2 switch blade when loaded with its IPS Sensor Software.
Cisco also has IPS available via add-in hardware modules for the Adaptive Security Appliances (ASA) 5500 Series firewalls, and software-based IPS within Internetwork Operating System (IOS)-based routers; however, this analysis is focused on the stand-alone devices. Through its previous acquisition of IronPort, Cisco has Web and e-mail security products as part of its network security product line.

Strengths
- Enterprises already using Cisco security products are familiar with the management and monitoring model.
- Cisco has wide international support, an extremely strong channel and broad geographic coverage.
- Enterprises that already have a significant investment in Cisco security products or that use Cisco Security Manager (CSM) are good shortlist candidates for Cisco IPS. The free IPS Manager Express (IME) was extended to manage up to 10 IPS devices.
- Cisco IPS includes a Risk Rating feature that can be set to adjust alerts based on factors such as the sensitivity of the asset being protected, providing context for detection and blocking. Reputation correlation services are provided by the larger Cisco Security Intelligence Operations (SIO).
- Cisco had the greatest market share in the specialized IPS appliance market in 2009, according to Gartner.

Cautions
- The Cisco IPS management consoles do not score well in shortlist competitions against most leading IPS products, and Gartner observes consistently low scores in customer evaluations. This is less of an issue where enterprises already use Cisco security products.
- The Risk Rating feature setting can result in inexperienced IPS administrators unintentionally reducing the protection provided by the IPS.

DeepNines

Dallas, Texas-based DeepNines is a pure-play security company. Beginning with IPS, it has expanded to provide other security products, including NAC. Formerly named Security Edge Platform (SEP), the IPS is embedded within the Secure Web Gateway product.

Strengths
- The product is customized for the educational vertical market, and DeepNines understands the compliance requirements of multiple other vertical markets.
- DeepNines users like its bandwidth management and cache of frequently used content.
- Third-party signatures, such as Snort, can be imported.

Cautions
- Low visibility in the market makes increasing share and channel penetration difficult.
- There is an absence of Common Criteria certification and independent lab testing.
- The product name can be confusing for IPS buyers, because Secure Web Gateway is another market. DeepNines is, however, moving toward unified threat management functionality in order to better serve its vertical strategy.
Enterasys Networks

Headquartered in the northeast U.S., Enterasys Networks is a networking infrastructure company that is an arm of the Siemens Enterprise Communications company, with security products that include IPS, NAC and security information and event management (SIEM). The Enterasys Intrusion Prevention System (also known as the Dragon IPS) has in-line sensors that range from 100 Mbps to 1 Gbps of throughput. Enterasys also has host sensors and an event flow manager used to consolidate event information from large numbers of Enterasys sensors. Enterasys does not have its own firewall, Web security or e-mail security products.

Strengths
- The Enterasys IPS is well-suited for internal deployments.
- Management features include log compression, integration with the Enterasys SIEM and NetFlow collection.
- Customers rate technical and overall support highly.

Cautions
- Many customers who Gartner speaks with use the Dragon product in tap (that is, nonblocking or out-of-band) mode rather than in blocking mode.
- Its unusually large signature library is indicative of low-fidelity or threat-facing (versus vulnerability-facing) signatures.
- Gartner rarely sees Enterasys on IPS shortlists.

HP

HP is a large, global, broad-based IT and service vendor. The HP networking business unit includes network security products. HP completed the acquisition of 3Com, which included TippingPoint, in 2010. HP has retained the TippingPoint brand name for the hardware IPS product line; however, it also refers to it as the HP S Intrusion Prevention System Series. The software version is the HP TippingPoint Secure Virtualization Framework.

Strengths
- HP has strong channel support and is visible on Gartner customer shortlists.
- The TippingPoint IPS products have a broad model range of purpose-built appliances and are known for low latency and high throughput.
- A good virtualization road map has been developed.
- Customers often cite ease of installation as a positive in product evaluations, especially for deployments with many devices. The product line includes Core Controller, which load-balances multiple appliances.
- HP had the fourth-greatest market share for specialized IPS appliances in 2009, according to Gartner.

Cautions
- An independent lab test has been critical of the security effectiveness of HP IPS.
- HP hasn't expressed a clear strategy for network security beyond IPS, in particular details of its NGFW strategy or means for adding extra-IPS intelligence with HP products.

IBM

IBM is one of the largest broad IT hardware, software and service vendors. IBM has removed both the Internet Security Systems (ISS) and Proventia brands from its intrusion prevention products, which are now known as IBM Security Network Intrusion Prevention System. IPS is available in appliances with the GX Series, with inspected throughput ranging from 200 Mbps to 8 Gbps. The virtual network security platform is a VMware-certified software version. IBM IPS is also available for use on a Crossbeam application blade. In early 2010, IBM moved the ISS business unit from its service organization to its Tivoli software business unit.

Strengths
- IBM is benefiting from the early ISS leadership with the Protocol Analysis Module (PAM) deep inspection engine, which has more easily enabled the addition of new protocol inspection capabilities and provides a strong foundation for protection against emerging threats.
- IBM has a wide sales and distribution network, and access to customers that already have a strong relationship with IBM.
- IBM had the third-largest market share for specialized IPS appliances in 2009, according to Gartner.

Cautions
- IBM ISS presence on IPS shortlists of Gartner customers has been continuously declining.
- IBM is not seen in the market as having network security as a core competence by network IPS buying centers. The shift continues from ISS's traditional pure-play focus on network security to more of a role enabling IBM as a system integrator. This will continue to lower the presence of IBM on best-of-breed shortlists and, instead, increase share within incumbent IBM customers.
- IBM was listed most often in the Magic Quadrant survey to vendors as the vendor they claim to most often replace.
8 Juniper Networks Juniper is a network infrastructure vendor, with a security product portfolio that includes firewall, IPS, Secure Sockets Layer (SSL) virtual private network (VPN) and NAC products. The Juniper Intrusion Detection and Prevention (IDP) IPS appliance line consists of models that range from 150 Mbps to 10 Gbps throughput. Juniper resells Q1 Labs technology as the Juniper Security Threat Response Manager for network security event collection, correlation and reporting. Juniper does not have its own Web security or e-mail security products. IPS is available as part of the Juniper firewall product lines, covered in the network firewall Magic Quadrant. Juniper Networks IDP supports a high number of virtual IPS instances and six third-party vulnerability assessment engines, has rate limiting, and integrates with Juniper SSL VPN products so that threat information can be linked to VPN sessions and user identity for action. Customers already using Network Security Manager for other Juniper security products can consider IDP IPS. During the past year, Juniper IPS has had less visibility in the market, which is likely due to Juniper having made advances in its SRX firewall products and positioning those instead with customers and partners, and focusing on competing primarily with Cisco, rather than with a broader security field. In 2009, Juniper was no longer one of the top five vendors for specialized IPS appliance market share. An independent lab test has been critical of Juniper IDP IPS coverage/security effectiveness. McAfee McAfee had been a pure-play security vendor with a large product portfolio across network and desktop security. Intel announced the planned acquisition of McAfee in 2010, with indications that McAfee will be operated at arm s length. The McAfee Network Security Platform (NSP) is the stand-alone IPS model line, with models that range from 100 Mbps to 10 Gbps throughput. 
McAfee also has IPS within the McAfee Firewall Enterprise; however, this is primarily legacy IPS from Secure Computing and is not within the scope of this Magic Quadrant. McAfee does not have a virtualized soft-appliance IPS product. McAfee was the vendor listed most often in the survey of vendors as their greatest IPS competitor, more than three times as often as the next-listed competitor. Its high throughput, low replacement rate and good scores in client performance testing are a direct result of its hardware investments in purpose-built appliances. Its IPS console scores well in competitive selections and independent tests. Gartner has observed an increase in the visibility of the McAfee NSP on shortlists. NSP can be a good shortlist contender for enterprises using other McAfee security products, such as NAC, vulnerability management, ePolicy Orchestrator (ePO) or host IPS. McAfee's wide range of network security products and its Global Threat Intelligence (GTI) reputation feed can provide external context for higher-fidelity IPS. McAfee had the second-highest specialized IPS appliance market share in 2009, according to Gartner. The McAfee brand is known more for desktop security offerings and often isn't widely considered by enterprises and channel partners as a strong network security provider. The acquisition by Intel could disrupt the network security road map. If the arm's-length relationship is maintained, in the short term McAfee could be spared the disruptions that have followed most acquisitions of IPS companies by broad IT companies.

NitroSecurity
NitroSecurity is a U.S.-based pure-play security vendor offering SIEM, log management, database monitoring and application data monitoring, in addition to the NitroGuard IPS products. NitroGuard IPS consists of models that range from 50 Mbps to greater than 5 Gbps of throughput.
NitroGuard also supports collecting and forwarding NetFlow information to the NitroView ESM SIEM (a virtual machine version is included with the IPS product). NitroSecurity does not have its own firewall, Web security or e-mail security products. Federal Information Processing Standard (FIPS) 140-2 Level 2 and Common Criteria Evaluation Assurance Level (EAL) 3+ certifications are of interest to federal government customers, and demonstrate a commitment to the security of its products. The NitroView console is rated very highly by users, has good correlation, handles large numbers of events and updates in real time, even during pivot views. Users generally report a high level of satisfaction with NitroSecurity support responses.
NitroGuard IPS visibility within the Gartner customer base is low. NitroView ESM and ArcSight are supported; however, explicit support for other third-party SIEMs is limited.

Radware
Headquartered in Israel, Radware is a data center infrastructure vendor offering IPS products as part of the DefensePro model line, supporting throughput up to 12 Gbps. Radware does not have its own firewall, Web security or e-mail security products. Its focus on behavioral assessment is unique in the IPS market. When combined with traditional detection mechanisms, this puts Radware in a strong position to address emerging threats. Its use of application-specific integrated circuits (ASICs) and network processors in a purpose-built appliance has shown low latency and high performance in deployments. Radware offers low product and maintenance costs compared with most competitors. The IPS console is limited in its graphical user interface (GUI) when compared with leading products; however, the newest version has closed the gap. Radware has low visibility on IPS shortlists. Gartner has seen most sales go to customers that already have Radware products.

Sourcefire
Headquartered in Maryland, pure-play security vendor Sourcefire has IPS as its primary market, and is well-known for being the commercial manager of the Snort and ClamAV open-source security products. The Sourcefire 3D series of IPS appliances has models that range from 5 Mbps to 10 Gbps throughput. Virtual IPS is available for the VMware and Xen platforms. Sourcefire does not currently have firewall, e-mail or Web security products. Sourcefire add-ons to its IPS products support passive vulnerability detection, and OS, network, device, application and user awareness, enabling IPS sensors to take additional actions. Sourcefire has extended its appliance range, moving it into a better competitive position against other purpose-built IPS vendors. The company introduced an SSL Inspection Appliance as an option.
Sourcefire runs the Snort open-source project, which gives it a significant competitive advantage over competitors that use the Snort detection engine or rules. Customers like the visibility of what is inside the rules and being able to customize the workflow, and support generally isn't tiered, meaning quick access to advanced technical support. The Sourcefire IPS has deep customization capabilities, making it popular with expert users. Sourcefire's education and consulting services receive strong marks and enhance customer loyalty. The options in the Sourcefire interface can easily overwhelm newer and even technically skilled users. The user interface has improved greatly, but still requires higher skill levels when compared with competitive offerings. Despite having very competitive IPS products, Sourcefire has much less channel strength and visibility than major competitors, and is often left off shortlists as competitive pressures increase. The lack of a firewall capability prevents Sourcefire from competing when IPS is part of an NGFW competition.

StillSecure
Headquartered in Colorado, StillSecure is a pure-play security vendor with products in the IPS and NAC markets, and managed security services. Strata Guard IPS is a software and appliance line that supports throughput from 50 Mbps to 4 Gbps. StillSecure does not have its own firewall, Web security or e-mail security products. Strata Guard IPS is a low-cost, software-based product, making it a good choice for SMBs, sub-Gbps placement points, or where price is the most critical selection factor. Users like StillSecure's viewable rules content, and the integration with the VAM vulnerability management platform product provides a link between vulnerabilities and remediation. Users of other StillSecure products or the managed service offerings are good candidates to shortlist the Strata Guard IPS.
The Strata Guard detection engine is based on Snort, and the majority of signatures come from third-party sources, such as Snort variants, and are highly exploit-based rather than vulnerability-based. This keeps the cost low, but does not fare well in selections where best-of-breed signatures are required.
StillSecure visibility in the enterprise marketplace is low. Strata Guard does not have higher-end certifications, such as Common Criteria, which can be a barrier for federal government buying.

Stonesoft
Headquartered in Finland, Stonesoft is a pure-play security company with firewall, IPS and SSL VPN products. StoneGate IPS appliances support throughput from 200 Mbps to 13 Gbps. StoneGate IPS is also available as software to run on VMware ESX Server. The product offers high-availability features and good results from recent independent testing. Clients report high satisfaction with pre- and post-sales technical and sales support. Current customers of other Stonesoft products can shortlist the IPS. It has certifications for the Russian market (FSTEK and GOST). There is limited coverage outside Europe and North America. It is a newer entrant to the market.

Top Layer Security
Top Layer is a Boston-based pure-play IPS vendor. Top Layer's IPS models range from 300 Mbps to 4.4 Gbps of throughput, with new models introduced in 2010. Top Layer does not have its own firewall, Web security or e-mail security products. Top Layer also provides an MSSP service for its IPS products. It has a low entry point with its very competitive Free IPS Appliance Program, if maintenance and support are paid upfront for three years. Top Layer focuses on IPS, and on good post-sales and technical support. The company offers Common Criteria EAL4 certification and purpose-built appliances. Top Layer has managed its business well to profitability; however, it has not been able to break into the majority of shortlists or keep up with the leaders in terms of market share. Top Layer is a single-product company, which limits its ability to respond to broader customer security solution needs.

Additional analysis provided by Bob Walder.

Vendors Added or Dropped
We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.
Evaluation Criteria Definitions

Ability to Execute

Product/Service: Core goods and services offered by the vendor that compete in/serve the defined market. This includes current product/service capabilities, quality, feature sets, skills, etc., whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.

Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood of the individual business unit to continue investing in the product, to continue offering the product and to advance the state of the art within the organization's portfolio of products.

Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support and the overall effectiveness of the sales channel.

Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message in order to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This mind share can be driven by a combination of publicity, promotional, thought leadership, word-of-mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements, etc.

Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling product that uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.

Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature set as they map to current and future requirements.

Business Model: The soundness and logic of the vendor's underlying business proposition.

Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including verticals.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the home or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.