Vendor Landscape: IT Security Appliances [SMB]

About this research note: Selection Advice notes offer clear guidance in effectively managing, optimizing, and expediting the product and service procurement process. Vendor Landscape: IT Security Appliances [SMB] Publish Date: December 2009 All businesses have data of value, regardless of their size or the industry in which they operate. Firewalls and anti-virus software have evolved into multi-function Unified Threat Management (UTM) solutions; and the top vendors in the SMB security market understand that the best IT security solutions have high-quality features, offer strong support, and are easy to install and simple to operate. This research report evaluates the top five UTM solutions available in Canada. 1998-2009 Info-Tech Research Group

Table of Contents 1. Executive Summary 3 2. Security Overview 4 3. Industry Trends 7 4. Process Map 8 i. Key Selection Criteria 9 ii. Qualifying Criteria 9 iii. Model/product checklist 11 5. Vendor Evaluation 12 i. The Scorecard 12 ii. Champion Landscape 13 iii. Contender Landscape 16 iv. Vanguard Landscape 19 6. Key Takeaways 21 7. Recommendations 22 8. Bottom Line 23 Selection Advice 2

Executive Summary Small to mid-sized businesses (SMBs) face the same security threats as their enterprise level counterparts. Thus, modern security appliances for the mid-market have evolved to offer enterprisecaliber security. Quite often, the only difference between models is capacity. Another major change in this industry is the integration of security appliances. Firewalls and anti-virus programs have fused to become Unified Threat Management (UTM) systems holistic solutions that offer multiple appliances within a single product. Info-Tech Research Group has identified five vendors that SMB customers should keep top-of-mind when considering the purchase of a security solution: Cisco and the Adaptive Security Appliance (ASA) Series. Fortinet and the FortiGate Series. IBM and the ISS Proventia Series. SonicWALL and the Network Security Appliance (NSA) Series. WatchGuard and the Firebox Series. These UTM vendors have been evaluated across five key criteria and grouped into four categories: Champions, Contenders, Old Guard and the Vanguard. These are not rankings. Rather, the groupings articulate how well suited each vendor and product is to servicing the target market of small and midsized organizations. Selection Advice 3

Security Overview What is Security? IT security is the process by which companies protect their information and internal systems from unauthorized use, theft, deletion and unauthorized changes. Security is not about eliminating risks, it is about mitigating these risks to acceptable levels. IT security is often overlooked and misunderstood. Many small companies mistakenly feel that they do not have hardware, software or data valuable enough to need protection and therefore downplay the importance of IT security within the organization. But every business has employee personal information on file, insurance records, or other sensitive data. Computing resources for bot nets are increasingly desirable and thus make every computer a target of attack, whether it hosts valuable data or not. Having proper IT security policies and equipment in place is vital to any business. UTM: All-in-One Security Unified Threat Management (UTM) is the newest concept in the security industry. Identified by the International Data Corporation (IDC), UTM is a new category of security server appliances that accounts for 12% of the security market. The widespread adoption of these products can be attributed to the following four factors: Functionality: all-in-one security platform that seamlessly integrates its various modules. Ease of implementation: plug it in and configure it once. Low operating costs: limited maintenance. Minimal investment: UTM systems cost significantly less than buying each security appliance on its own. UTM appliances unify and integrate multiple security features onto a single hardware platform. Qualification as a UTM appliance requires a network firewall, plus one or more of the following capabilities: gateway anti-virus, anti-malware protection, intrusion detection and prevention and content filtering. Not all solutions will have all capabilities. Selection Advice 4

Is a Unified Approach the Best Approach? Yes, UTM is the right answer for an SMB or a branch office. The appliance provides multiple functions on a single platform. It is also cheaper than buying individual security appliances and trying to make them work together. One caveat is that UTM systems suffer from a single point of failure. If the UTM appliance goes down, you will automatically get cut off from the internet to prevent exposure to hackers, viruses, worms and Trojans. However, IT managers of larger organizations would be dead wrong to put UTM on equal footing with a multi-layered network security approach. Examples of bad UTM candidates: a company that requires constant connectivity (Scotiabank) or deals with very sensitive data (the RCMP). The Basic Technical Components of a Security System Multiple tools are required to ensure that an enterprise s resources are properly protected from internal and external threats (see Figure 1). Figure 1. Basic Components of a Security System Source: Info-Tech User Group Firewall. This is an enterprise s first line of defense and the most basic security requirement. It regulates and restricts traffic to and from an enterprise s network based on a set of rules which are specified by the company s security policy. Without the proper rule settings, a firewall can be useless. Selection Advice 5

Intrusion, Detection and Prevention (IDP) Sensor. This basically functions as an alarm system. As IDP security is increased, more and more valid traffic will be mistakenly perceived as intrusions. There are two types of IDP systems: Intrusion Detection System (IDS) This system will inform the IT administrator of perceived intrusions but will not prevent them. IDS will tend to generate more false positives - perceiving valid traffic as malicious as security is heightened. Intrusion Prevention System (IPS) This system will stop any perceived intrusions from occurring but will not notify the IT administrator of the issue. IPS will tend to generate more false negatives - blocking valid traffic as security is heightened. IDS is more popular than IPS; however, there are some integrity issues with this since an IDS does not stop malicious traffic, it just alerts IT administrators to the traffic. Antivirus Software. This software protects the data in an enterprise s computers. Its main responsibility is to mitigate the risk of malware and files by deleting, quarantining or repairing infected files. Antivirus software actively scans files for known threats and monitors programs for suspicious behavior which may indicate the presence of a threat. Antivirus software is able to detect all forms of malware, including the following: Viruses Worms Trojan Horses Rootkits Spyware Crimeware Selection Advice 6

Industry Trends The IT security industry is one that is mature, where both feature and market consolidation is rampant. It is nearly impossible nowadays to buy a stand-alone firewall. Firewalls are now considered to be Unified Threat Management (UTM) appliances through the inclusion of security features such as anti-malware, intrusion prevention and detection, and content filtering. The change from regular firewalls to UTM appliances has forced vendors to keep adding more features to their products to remain competitive. One ramification of this is the high number of acquisitions in the industry (such as IBM s 2006 acquisition of ISS for $1.3billion). Bundling multiple security features with a firewall results in smoother communication and interaction between all of the applications. This increases the levels of security beyond what would be present in an environment with distinct solutions. The advent of UTM means that security products will become less expensive - but they will only be useful when under a support agreement that provides constant updates. In fact, software-based firewalls targeted at small-to-mid-size businesses are being offered for "free," based on the idea that they will generate revenue through support and subscription fees. IT Security for the SMB Market Procuring the proper IT security equipment and creating appropriate security policies is vital for businesses of all sizes. And though faced with the same threats as their large enterprise counterparts, small-and-mid-sized businesses have several unique needs. SMB managers do not have technology expertise, and rely on security appliance vendors and resellers for support. They also appreciate a product that is easy to set-up and run. Finally, it is important for vendors to develop a strong reseller channel. SMB customers regularly interact with resellers, viewing them as trusted advisors since SMB customers do not have the time or resources to educate themselves. Selection Advice 7

Process Map This vendor landscape reviews five of the best of breed unified threat management solutions available for small to mid-sized companies. The categories are defined as follows: The Champions. These vendors have significant presence in the market. They invest regularly in research and development to be trend setters for the rest of the industry. Champions offer excellent value-for-performance. This can mean the strongest features, highest quality support, most competitive pricing or a combination of these. The Contenders. These vendors often compete on price for performance and support their product with regular updates. Contenders have a more limited market presence, but have the potential to become future industry Champions if they fix the missing links in their value chain. The Old Guard. These vendors are usually incumbents who no longer offer the best value. Customers may keep buying from these vendors due to an existent installed base, unwilling to evaluate newer options. The market presence of supporters is in decline. The Vanguard. These vendors service niche segments of the market, or are rising stars in the industry. They have identified certain core strengths, or product innovations, that act as their competitive advantage. These vendors are poised to emerge as Contenders or Champions. *Note that a vendor landscape does not necessarily include all categories. Selection Advice 8

Key Selection Criteria To determine the Champions, Contenders, Old Guard and Vanguard in the IT security industry, Info- Tech compared vendor performance in these five areas: Key Criteria for Vendor Selection Features Affordability Company Strength Channel Strength Product Support The set of features offered, innovation, product quality, ease-of-use, and implementation. Product prices among the vendors. (MSRP) A higher rating means a less expensive product. A combination of vendor stability and presence in the small-to-mid-sized enterprise market. Ability to reach customers, strength of the distribution network, and programs that enable resellers to offer better service to end-users. Pre/post sales support through 24/7 software support and next business day hardware replacement. This category also considers a continued investment in R&D. Qualifying Criteria There are three additional technology criteria that are used to qualify the selection of UTM solutions. System Architecture Firewalls can be stateful, application layer, or both: Stateful firewall. This type of firewall keeps track of the traffic as it traverses the network gateway. Transmission information is checked and all packets that belong to a checked transmission are allowed to pass. Application-layer firewall/proxy firewall. This type of firewall scrutinizes each packet of a communication, examining not just the headers, but the packet contents. Once a packet has been checked, a copy is made to be forwarded to the intended destination while the original is discarded. Selection Advice 9

System Throughput Maximum firewall throughput. Firewall throughputs can range anywhere from under 100 Mbps to over 4 Gbps. Be sure to choose a firewall throughput that best serves your organization s current and future needs. Degraded Firewall Throughput. The effect of turning on integrated capabilities such as Virtual Private Networks (VPN), anti-virus software, and intrusion prevention systems (IPS) generally results in throughput degradation. System Management User interface. Two types of user interfaces are available; Graphic User Interfaces (GUI) or Command Line Interfaces (CLI). GUIs allow users to manipulate the firewall through a familiar Windows-like interface whereas CLIs allow users to manipulate the firewall using a specified command language in a text-only interface. It is common for firewalls to offer both CLI and GUI; however some have one or the other. Nature of console. There are three types of consoles that can be used with firewalls: o o o Device consoles. Supports the firewall only. Vendor consoles. Supports the firewall as well as other vendor systems. Third-party consoles. Vendor neutral management consoles such as HP Software, CA Unicentre, Altiris and Tivoli. Selection Advice 10

Model Checklist The following models were evaluated in this landscape (see figure 2). The only difference between each model is the number of simultaneous users and throughput that the box can support. The models span from 50 to 1000 connections. Figure 2. Solutions evaluated in the Vendor Landscape Source: Info-Tech User Group Vendor Series Models Cisco ASA5500 series ASA5505 ASA5510 ASA5520 ASA5540 Fortinet FortiGate 200B 310B 620B 1240B IBM Proventia MX0804 MX1004 MX3006 MX4006 SonicWALL TZ and NSA Series TZ210 NSA240 NSA2400 NSA3500 WatchGuard Firebox Core 550e 750e 1250e Selection Advice 11

Vendor Evaluation The Scorecard Features and Quality Affordability Company Strength Channel Reach Product Support Vendor Ranking Cisco ASA 5500 Fortinet FortiGate IBM Proventia SonicWALL NSA Series WatchGuard Firebox * * *** *** ** Contender *** ** * ** * Contender *** ** *** * *** Champion ** *** ** ** *** Champion ** *** * *** * Vanguard * between 1 33% ** between 34 66% *** between 67 100% Note: Rankings in the scorecard go from one star (lowest) to three stars (highest). Selection Advice 12

Champion Landscape SonicWALL Products Solution Overview SonicWALL TZ and NSA Series TZ 210; NSA 240 ; NSA 2400 ; NSA3500 Vendor s vision of an infinitely scalable architecture combines high performance hardware along with cutting edge software to provide security without compromising network performance. Offices in 30 locations worldwide. Operates support centers in North America, Europe, Asia Pacific, and Japan with language support available in English, French, German, Italian, Spanish, Dutch, and Japanese. Recent product enhancements include Active UTM, multi WAN capabilities and route based VPN. Info-Tech Insights This vendor offers enterprise-caliber security with all of its models. The SonicWALL motto is: there is no such thing as a SMB virus viruses attack companies of all sizes with equal vehemence. With years of experience in the SMB space and an excellent grasp of their customer s needs, this vendor has established themselves as a Champion in this area. SonicWALL also offers premium support that gives customers direct access to a certified Security Engineer to serve as the primary point of contact. The TZ and NSA Series are targeted at a broadly horizontal range of industries, with a heavy marketing investment in education, retail (point-of-sale), credit card companies, local/state governments and healthcare. Customers will find that this product suitably meets their UTM needs at a reasonable cost. Pro Con Traditionally focused on the small to mid sized market. Low priced UTM product. Best in class virus scanning technology, intrusion prevention, and firewall application. 23% market share in the SMB space. Global support network with multi language support. Shifting resources to growing the large enterprise business, which may negatively impact their service to small businesses. Customers have to buy subscription licenses that add costs. Does not have a very strong distribution network in Canada, due to spread of resources globally. Selection Advice 13

IBM Products and Models Solution Overview IBM Internet Security Systems: Proventia Multi-Function Security (MFS) Appliances MX0804 ; MX1004 ; MX3006 ; MX4006 Strong security and broad scope of threats mitigated by the IBM solutions allows customers to easily meet 10 out of 12 PCI requirements. Major software upgrades are released approximately once a year. Minor maintenance patches are usually released three months after a major upgrade, and then released as needed. All support sold for this product is serviced directly from IBM, giving customers a singlepoint of contact for assistance. Info-Tech Insights The IBM solution differentiates itself in that it blocks vulnerabilities as opposed to specific attacks. Security modules of the ISS Proventia are built from the ground up - making each module as good as the stand-alone product while allowing easy integration. IBM offers the most upgradable UTM product on the market. Even hardware made back in 2003 can efficiently run the latest software upgrades. Another strong point is IBM s Managed Security Services, which gives customers with limited in-house expertise improved incident management response, cuts costs, and manages the IT security aspect so that critical resources can have a more business driven focus. Though it has an excellent security product and has a well-established history, IBM lacks presence in the SMB market. This vendor does not have a well developed small-to-mid-sized business sales channel, and is not good at targeting this market. As a standard corporate practice, IBM does not spend a lot of effort marketing its specific products which means SMB are never educated about IBM offerings targeted at this market segment. However, this is slowly changing with funding specifically created to increase awareness of solutions for the small enterprise. Though ranked as a Champion, IBM must significantly expand its market presence to become a more established force in the SMB security space. Selection Advice 14

IBM (continued) Pro Acquisition of ISS resulted in strong security products that provide enterprise grade protection. Easy to deploy, does not require much tuning. Established company. Con Inexperience in the SMB space. Poor ability to target customers; limited marketing for specific products. Expensive relative to other vendors. Award winning support; over 3500 trained Security Professionals deployed worldwide. Selection Advice 15

Contender Landscape Fortinet Products Solution Overview FortiGate Series 200B ; 310B ; 620B ; 1240B Very strong in retail and manufacturing sectors, thanks to the ability to deploy across multiple remote locations while centralizing management. Good solution for the telecommunication industry as well due to high performance and virtualization capabilities. Major software upgrades occur annually, minor firmware updates every six months and major firmware is released every couple of years. The more leads generated by each reseller for Fortinet, the greater the level of support the reseller receives. Info-Tech Insights The Fortinet solution is expensive, but it provides many networking functions (application control, data loss protection, dynamic routing, WAN optimization) while offering the same core security technology as other UTM vendors. The channel partner program is another strong point for Fortinet. Marketing support, good incentives, and a willingness to address partner needs are additional pillars in the vendor s strategy. This results in a strong channel capable of supporting the needs of small-to-mid-sized businesses. This vendor s strength lies in servicing the larger firms. However, Fortinet is slowly but successfully moving into the SMB space. Despite their strength in continually offering added functionality, their price point is high for a SMB offering. Selection Advice 16

Fortinet (continued) Pro Continues to improve low end product, adding functionality without increasing price. 13.3% market share in SMB, but much stronger market share in large enterprise market (21.4%). Con Focus is on enterprise market, leaving resellers to individually carry the message to the SMB marketplace. Solution is expensive for most small and midmarket customers. Rewards partners who provide better leads, giving them better margins so they can able to offer higher discounts to the end customer. Cisco Products Solution Overview ASA 5500 Series (*note that Cisco has a new Security Appliance (SA) line for the SMB market. The next iteration of this vendor landscape will focus on that product) ASA5505 ; ASA5510 ; ASA5520 ; ASA5540 Provides improved security by tight integration of security appliances, and lowering the total cost of ownership in procuring and maintaining these services. Unique multi processor architecture that allows it to retain high functionality, even when a large number of security appliances are simultaneously active. Cisco Technical Support Services are available for both customers and resellers. An online dynamic knowledge base (containing a support WIKI, a forum for SMB partners) allows their channel community to exchange ideas. Info-Tech Insights An established Champion in the networking and unified communications industries, Cisco has more recently moved into selling security solutions in the SMB market. Cisco brings decades of IT experience to bear in a multi-functional product that delivers flexible VPN, a range of network control and powerful stateful application firewalls. With this solution, Cisco offers multiple security options at the midrange price point. Selection Advice 17

Cisco (continued) Cisco s ASA solution has strong security features alone, but has many unique integration features that provide added benefits when deployed within Cisco infrastructure. However, an all-cisco environment is an expensive proposition and best-suited to growing enterprise that operate in industries that handle a lot of confidential information. Multi-branch banks, healthcare providers, and military agencies are good examples, though none are specifically targeted by Cisco in the SMB security space. Pro Knowledge centre for resellers is a key differentiating factor; resellers collaborate to share sales tactics and help each other. Established vendor with a long history and a strong financial position, customers can rest assured that support contracts will always be honored. Con High implementation and support costs makes this product good for the mid market, but not for small businesses. Some features cannot run concurrently on lower end models, forcing users to choose between applications they want turned on. Selection Advice 18

Vanguard Landscape WatchGuard Products Solution Overview Firebox Core Series 500e ; 750e ; 1250e 99.9% distribution company. Operates in two sales channels, using both direct resellers (Dell, PC connections) and value added resellers, to extend reach into the SMB market. Major upgrades for firewall products receive one or two updates a year. Minor maintenance patches are released every six to eight weeks. Newest product improvements feature e mail and IM security, as well as data loss prevention. Info-Tech Insights WatchGuard is named a Vanguard because it is a young player that has successfully implemented several innovations. First, their knowledge centre (containing whitepapers, tutorials, and other educational tools) is a valuable resource for IT managers in the SMB market, who often know very little about the proper implementation and operational management of a security appliance. Second, using direct resellers allows the vendor to reach customers despite having a weak traditional distribution network. Third, it is a cheaper product with fewer features, but it adequately addresses the needs of its SMB customers. The key will be adding greater functionality without adding significant cost. WatchGuard does not yet have the market presence to create a consistent marketing message around its products and relies on its resellers to round out their support to end-customers. In 2006, the company was taken over by two venture capitalists. The executive was replaced, and a renewed focus was placed on technology. WatchGuard recently acquired BorderWare (a messaging and content security provider) to extend their UTM solution to offer messaging security. In spite of the recession, over the past year, this vendor has recorded the strongest growth in the company s history. Selection Advice 19

WatchGuard (continued) Pro Uses a combination of direct market resellers (such as Dell) and traditional VARs to broaden reach. Great knowledge centre for customers. Specific outbound marketing campaigns, regional events and tradeshows for the SMB space. Con Multiple points of contact for support means that quality is inconsistent. Lacking marketing presence in the SMB space in North America. Does not have a proven track record when compared to vendors like Cisco and IBM. Selection Advice 20

Key Takeaways 1. IBM and SonicWALL are leading security solution providers for the SMB. IBM s strength lies in its excellent security modules, each designed to be as good as a stand-alone product but the vendor must find ways to increase its SMB market presence. SonicWALL is very experienced at serving the SMB market, has best in class firewall and virus scanning technology, and enjoys a global presence. 2. WatchGuard s knowledge centre is a valuable resource for IT managers just starting to dabble in UTM. This vendor can teach IT managers how to better choose, implement, and mange your security technology. As well, a direct market reseller network makes WatchGuard a more affordable choice. 3. Fortinet offers more capability but at a higher price. Customers will get many useful networking tools along with their security product. Fortinet is a great choice for an organization willing to spend a bit more on their UTM solution for the added breadth of functionality. 4. Cisco s solution is ideal for Cisco environments. This series offers multiple security options at the medium to high end of the pricing scale, and works best when combined with other Cisco systems. Organization will also often buy this solution based a prior favorable experience with other Cisco product, without pausing to consider if the solution matches their specific IT security needs. For example: while intrusion prevention and anti-malware are available in the ASA 5520 and 5540 models, they are not capable of running the features concurrently, forcing smaller firms to choose between the two. 5. SMB customers are asking for a security solution that offers more than just strong security features. Users will favor a vendor that offers excellent support. Customers in this market are also looking for a solution that is easy to implement, operate and maintain. Selection Advice 21

Recommendations 1. Establish policies and procedures along with purchasing the security solution. Strong policies ensure that there is never a doubt of how threats to data and systems are to be managed. Also, these are generally required if firms want to meet regulatory requirements (such as PCI for credit cards, or HIPAA for healthcare). Choose a solution with a stronger set of security features to make achieving compliance an easier task. 2. Select a vendor that provides added value beyond just the technology. SMB customers rarely have the security expertise of their large enterprise contacts. These users appreciate services like Cisco s online forum where customers and resellers can exchange ideas or IBM s Managed Security Services that provides 24x7x365 expert monitoring, management, incident response and support for a broad range of security offerings through a global network of state-of-the-art, certified and secure-redundant security operations centers (SOCs). 3. Cloud computing, virtualization, collaboration: upgrade your security solution to protect against the new threats presented by emerging technologies. Most IT managers simply reconfigure their existing security technology when implementing new technologies. This is not enough! SMB customers must ensure their UTM appliance is properly equipped to handle new threats. Watch the Champions and the Vanguard, as is it usually these vendors who demonstrate thought Championship with emerging technologies. 4. Consider the larger economic environment when selecting a security solution. A vendor with a proven track record for sustainability will be a safer choice in this recovering economy. A true nightmare would be a vendor that leaves the marketplace abruptly and thereby leaves their customers exposed to security threats almost immediately. 5. Determine if the organization s current setup is cost effective. Even if an IT manager discovers that a UTM security approach provides excess security, it still may be a cost effective solution. Here are some of costs associated with a non-integrated security solution: Buying expensive single function components. Maintaining disparate security point solutions. Configuring security logic across a variety of applications. Selection Advice 22

Bottom Line The most successful IT security vendors provide end-to-end protection. In a web 2.0 world, technologies such as cloud computing, virtualization and collaboration have given rise to new security threats. IBM has the strong product and global support network needed to protect customers against emerging threats. On the other hand, SonicWALL, with years of expertise and a strong channel, is better trusted by end-users and resellers alike in the SMB market. Customers with especially sensitive data (financial institutions, government agencies) should focus on a solution that performs the key security tasks extremely well, such as Cisco. Fortinet is great for organizations that support multiple offices. It offers remote management and added networking applications at a price point that is relatively high for UTM, but still much cheaper than customers having to buy security and networking separately. Meanwhile, WatchGuard provides a host of intangible benefits (knowledge centre, direct resellers) to managers who are just starting to implement IT security. All businesses have data of value, regardless of their size or the industry in which they operate. Firewalls and anti-virus software have evolved into multi-function Unified Threat Management solutions and the top vendors in the SMB security market understand that the best IT security solutions have high-quality features, offer strong support and are easy to install and simple to operate. Selection Advice 23

About Indaba Info-Tech gives you, as a leading technology provider, access to the most accurate and helpful information and advice available today. We provide a current view of the marketplace needs, as defined by the corporate IT community. Our products are based on direct input from thousands of IT buyers and end-users, providing the data and analysis you that you need to make better decisions and get your products to the market more efficiently and cost-effectively. Visit us online at: /indaba Info-Tech Research Group Indaba Division 43 Front Street East, Toronto ON Canada M5E 1B3 1.888.670.8889 ext. 3009 cbator@infotech.com Info-Tech's products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns. Our practical approach is designed to have a clear and measurable positive impact on your organization's bottom line. We serve over 21,000 clients at 8,000 organizations around the world. Since 1998, we have focused on making the work of IT professionals easier - and on helping them achieve greater personal and corporate success. More About Info-Tech Selection Advice 24