Upload
wilvarel
View
48
Download
2
Embed Size (px)
DESCRIPTION
Magic Quadrant for Enterprise Network Firewalls
Citation preview
MagicQuadrantforEnterpriseNetworkFirewalls22April2015ID:G00263955
Analyst(s):AdamHils,GregYoung,JeremyD'Hoinne
VIEWSUMMARY
"Nextgeneration"capabilityhasbeenachievedbytheleadingproductsinthenetworkfirewallmarket,andcompetitorsareworkingtokeepthegapfromwidening.Buyersmustconsidertheiroperationalrealities,theburdenofswitching,andthetradeoffsbetween"bestofbreed"functionandcosts.
MarketDefinition/DescriptionTheenterprisenetworkfirewallmarketrepresentedbythisMagicQuadrantiscomposedprimarilyofpurposebuiltappliancesforsecuringenterprisecorporatenetworks.Productsmustbeabletosupportsingleenterprisefirewalldeploymentsandlargeand/orcomplexdeployments,includingbranchoffices,multitiereddemilitarizedzones(DMZs)and,increasingly,theoptiontoincludevirtualversions,oftenwithinthedatacenter.Theseproductsareaccompaniedbyhighlyscalable(andgranular)managementandreportingconsoles,andthereisarangeofofferingstosupportthenetworkedge,thedatacenter,branchofficesanddeploymentswithinvirtualizedservers.
Thecompaniesthatservethismarketareidentifiablyfocusedonenterprisesasdemonstratedbytheproportionoftheirsalesintheenterpriseasdeliveredwiththeirsupport,salesteamsandchannelsbutalsoasdemonstratedbythefeaturesdedicatedtosolveenterpriserequirementsandserveenterpriseusecases.
Asthefirewallmarketcontinuestoevolve,NGFWsaddnewfeaturestobetterenforcepolicy(applicationandusercontrol)ordetectnewthreats(intrusionpreventionsystems[IPSs],sandboxingandthreatintelligencefeeds).ThestandaloneSecureSocketsLayer(SSL)VPNmarkethaslargelybeenabsorbedbythefirewallmarket.Eventually,theNGFWwillcontinuetosubsumemoreofthestandalonenetworkIPSappliancemarketattheenterpriseedge.Thisishappeningnowhowever,someenterpriseswillcontinuetochoosetohavebestofbreedIPSsembodiedinnextgenerationIPSs(NGIPSs).Morerecently,enterpriseshavebegunlookingtofirewallvendorstoprovidecloudbasedmalwaredetectioninstancestoaidthemintheiradvancedthreatefforts,asacosteffectivealternativetostandalonesandboxingsolutions(see"MarketGuideforNetworkSandboxing").
However,nextgenerationfirewallswillnotsubsumeallnetworksecurityfunctions.Allinoneorunifiedthreatmanagement(UTM)approachesaresuitableforsmallormidsizebusinesses(SMBs),butnotfortheenterprise(see"NextGenerationFirewallsandUnifiedThreatManagementAreDistinctProductsandMarkets").
Theneedsforbranchofficefirewallsarebecomingspecialized,andtheyaredivergingfrom,ratherthanconvergingwith,UTMproducts.Aspartofincreasingtheeffectivenessandefficiencyoffirewalls,theywillneedtotrulyintegratemoregranularblockingcapabilityaspartofthebaseproduct,gobeyondport/protocolidentificationandmovetowardanintegratedserviceviewoftraffic,ratherthanmerelyperforming"sheetmetalintegration"ofpointproducts.
MagicQuadrant
Figure1.MagicQuadrantforEnterpriseNetworkFirewalls
ADDITIONALPERSPECTIVES
Geography:AsiaPacific
STRATEGICPLANNINGASSUMPTIONS
Virtualizedversionsofenterprisenetworksafeguardswillnotexceed10%ofmarketrevenuesbyyearend2018,upfromlessthan5%today.
Lessthan40%ofenterpriseInternetconnectionstodayaresecuredusingnextgenerationfirewalls(NGFWs).Byyearend2018,thiswillrisetoatleast85%oftheinstalledbase,with90%ofnewenterpriseedgepurchasesbeingNGFWsasmoreenterprisesrealizethebenefitsofapplicationandusercontrol.
By2018,85%ofnewdealsfornetworksandboxingfunctionalitywillbepackagedwithnetworkfirewallandcontentsecurityplatforms.
Fewerthan2%ofdeployedenterprisefirewallswillhaveWebantivirusactivelyenabledonthemthrough2016,althoughmorethan10%ofenterpriseswillhavepaidforit.
ACRONYMKEYANDGLOSSARYTERMS
ADC applicationdeliverycontroller
AFM AdvancedFirewallManager
ASA AdaptiveSecurityAppliance
ATA advancedtargetedattack
ATD advancedthreatdetection
AWS AmazonWebServices
DDoS distributeddenialofservice
DMZ demilitarizedzone
FIPS U.S.FederalInformationProcessingStandards
FPM firewallpolicymanagement
GUI graphicaluserinterface
IP InternetProtocol
IPS intrusionpreventionsystem
IPv6 InternetProtocolversion6
MSSP managedsecurityserviceprovider
NGFW nextgenerationfirewall
NGIPS nextgenerationIPS
P2P peertopeer
SMB smallormidsizebusiness
SSL SecureSocketsLayer
UTM unifiedthreatmanagement
VE VirtualEdition
VPN virtualprivatenetwork
WAF Webapplicationfirewall
EVIDENCE
Source:Gartner(April2015)
VendorStrengthsandCautionsAhnLabSouthKoreabasedAhnLabisalongestablishedsecurityvendor.Knownmostlyforantivirussoftware,AhnLab'snetworksecurityofferingsincludefirewalls,IPSsandadvancedthreatsolutions.AhnLabbeganofferingafirewallproductundertheTrusGuardbrandin2007,andnowthereare10models.ThefirewallisCommonCriteriacertifiedEAL4,butdoesnothaveotherthirdpartyevaluations(suchasICSALabs,NSSLabsorFIPSPUB1402).
AhnLabisassessedasaNichePlayerforenterprises,becausemostofitswinsarewithinaspecificgeographySouthKoreaand/orareassociatedwithanexpansionoftheendpointsecuritybusiness,notbecausethevendorcompetesonbestofbreedenterprisefirewallfeatures.
Strengths
SouthKoreaclientsshouldconsiderAhnLabfortheirfirewallshortlists,givenitssignificantlocalmarketshareandsupportpresence.Themodelrangeisverybroadtheenginewasdesignedtominimizedistributeddenialofservice,includingfeaturesoptimizedforhandlingsmallerpacketsizes.AhnLab'sendpointproductcustomerscanhavethesamevendorprovidethemwiththeirnetworkfirewallsolution,reducingvendormanagementchallenges.
Cautions
TheTrusGuardfirewallisnotoftenseeninenterpriseselectionsintheGartnerclientbase.AhnLabwasnotlistedbyanyvendorwesurveyedasasignificantenterprisecompetitivethreat.AhnLabdoesnotoffervirtualfirewallmodels,andhasnotyetintegrateditsMalwareDefenseSystem(MDS)malwaredetectionappliancewithitsfirewall.AhnLabdoesnotallowmultipleadministratorstomakerulechangessimultaneously,placingitatadisadvantageinlargeenterprises.
BarracudaNetworksCampbell,CaliforniabasedBarracudaNetworkshasbeenfocusedprimarilyonsellingawiderangeofsecuritystorage,andinfrastructureappliancesandcloudservicestomidsizebusinessesandsmallenterprisemarketsatlowprices.TheBarracudaenterprisefirewallofferingistheNGFirewall,whereastheBarracudaFirewallseriestargetsSMBs.TheNGFirewallhasapplicationcontrolandreputationservices,whiletheBarracudaNGFirewallVxisavirtualversion,andthereisaMicrosoftAzureinstance.AnadvancedthreatoptionhasbeenaddedwiththeBarracudaadvancedthreatdetection(ATD)option,repackagedfromATDvendorLastline,providingacompetitivechoiceversuscompetingfirewalls.
ThisMagicQuadrantwasconductedinaccordancewithGartner'swelldefinedmethodology.TheanalysisinthisresearchwasbasedprimarilyoninterviewsandinteractionsduringfirewallinquirieswithGartnerclientssincethe2014"MagicQuadrantforEnterpriseNetworkFirewalls."Wealsoconsideredsurveyscompletedbyvendors,vendorbriefingsconductedattherequestofvendorsthroughouttheyear,interviewswithreferencesprovidedbyvendors,andsupportingGartnerquantitativeresearchonmarketshare.
Guidelinesforrespondingtothefullsurveywereprovidedatthetimeofissue.Responseswere,nevertheless,ofvariablequality.Responsesthatwerelowerquality(forexample,respondentsignoredthequestion,theyusedpoorgrammar,theywereunabletoexplainkeyconcepts,theywereunabletoprovidehighqualityexplanationsofusecases,ortheywereunabletogobeyondtechnicalcapabilitiesanddemonstrateanunderstandingofthebusinessenvironment),orthatdidnotmeettheguidelines,generallytendedtoscorelower.VendorsthatdeclinedtoprovideasurveyresponsewereassessedbyGartnerastowhattheirlikelyreplywouldhavebeen(usually,thiswasinrelationtospecificrevenuebreakdowns).Somevendorsdeclinedtoanswercertainquestionsduetomarketrestrictions,and,therefore,didnotfareaswellundersomeofthescoringcriteria.
Weaskedforaspecificnumberofreferencesfromeachvendor(n=95,total),andeachreferencecustomerwassuppliedwithastructuredsurvey.Referenceswerescoredonthebasisoftheirqualityandwhattheytoldus.Foreachvendor,wetookintoaccountthecommentsfromthatvendor'sreferencesaswellaswhatothervendors'customerssaidaboutthatparticularvendor.Vendorscouldbenotablyaffectedbytheinabilitytohaveasufficientnumberofreferencecustomersprovidinginput.
NOTE1TYPEA,BANDCENTERPRISES
Enterprisesvaryintheiraggressionandrisktakingcharacteristics.TypeAenterprisesseekthenewestsecuritytechnologiesandconcepts,tolerateprocurementfailure,andarewillingtoinvestforinnovationthatmightdeliverleadtimeagainsttheircompetitionthisisthe"leanforward"oraggressivesecurityposture.ForTypeAenterprises,technologyiscrucialtobusinesssuccess.
TypeBenterprisesare"middleoftheroad."Theyareneitherthefirstnorthelasttobringinanewtechnologyorconcept.ForTypeBenterprises,technologyisimportanttothebusiness.
TypeCenterprisesareriskaversetoprocurement,perhapsinvestmentchallengedandwillingtocedeinnovationtoothers.Theywait,letothersworkoutthenuancesandthenleveragethelessonslearnedthisisthe"leanback"securityposturethatismoreaccustomedtomonitoringratherthanblocking.ForTypeCenterprises,technologyiscriticaltothebusinessandisclearlyasupportingfunction.
NOTE2BUYERS'CONFUSIONCONCERNINGWAFS
TheadventofapplicationcontrolinfirewallshasledtosomenaturalconfusionbetweentheNGFWandWAFmarketsinthemindsofbuyers.Today,thesemarketsremainverydistinct.Thecriticaldifferenceisofdirection:ApplicationcontrolinNGFWsisconcernedprimarilywithapplicationsthatareexternaltotheenterprise(forexample,P2PandFacebook),whereasWAFsareconcernedwithprotectingcustomWebapplicationsonserversthatareinternaltotheenterprise.AlthoughafewfirewallsofferoptionalWAFmodules,thesearerarelyenabled.Instead,weseeWAFsdeployedasastandaloneproduct(suchasfromImperva),anoffpremisesservice(suchasfromAkamai)orwithinanADC(suchasfromF5).
NOTE3FPMTOOLS
ThirdpartyFPMvendors(suchasAlgoSec,FireMonandTufin)continuetoexploittheabsenceoffirewallconsolestooptimize,visualize,andreducefirewallrulesandpolicies.AlthoughtheFPMmarketisstillsomewhatsmall,it'sgrowingfast,andthecustomers
BarracudaisassessedasaNichePlayerforenterprisesbecauseBarracudadoesnoteffectivelysellitsenterprisecapableproducttoenterprisesotherthaninWesternandCentralEuropeandincertainpublicclouddeployments.
Strengths
TheBarracudaNGFirewallisagoodoptionforcustomersthatalreadyhaveotherBarracudaproductsorarelocatedinWesternorCentralEurope.TheBarracudamanagementconsolescoreswellinselectionsforsimpledeployments.TheNGFirewalltiedforthehighestscoreinasurveytoreferencesforIPSfunction.TheBarracudaNGFirewallisastrongcompetitorinsituationswherepriceishighlyweightedintheselection.TheNGFirewallshowedastrongcorrelationforselectionsinasurveyforhighavailabilityandclustering.GartnerhasobservedaconsiderableincreaseinNGFirewallsalessincethepreviouseditionoftheMagicQuadrant.
Cautions
BarracudacustomersareprimarilySMBs,andthevendordoesnotyethavewellestablishedenterprisenetworksecuritychannelsorsupportoutsideofWesternandCentralEurope.AlthoughhavingdifferentiatedproductsforenterprisesandSMBsisgoodandreflectstheirdifferentneeds,Barracuda'sproductnamingisconfusingforenterpriseclients.TheBarracudaFirewallseriestargetsSMBs,whiletheBarracudaNGFirewallseriestargetsenterprises.NovendorwesurveyedlistedBarracudaasasignificantenterprisecompetitivethreat.AlthoughweseeBarracudaFirewallinSMBdeals,BarracudaisnotvisibleonthefirewallshortlistsofGartnerenterprisecustomers,exceptinsomeregions,notablyGermanyandAustria.MostinteresthascomefromincumbentcustomersthathaveotherBarracudaproducts.
CheckPointSoftwareTechnologiesCheckPointSoftwareTechnologiesiscoheadquarteredinTelAviv,Israel,andSanCarlos,California.Itsportfolioincludesnextgenerationfirewalls,threatprevention,Websecurity,endpoint,mobilesecurity,cloudsecurityanddistributeddenialofservice(DDoS)solutions.CheckPoint'senterprisefirewallproductlineincludes17appliancesandtwochassisforhardwareblades,scalingupto400Gbps.Itcanalsobedeliveredasavirtualappliance,deployedonVMware,AmazonWebServices(AWS),OpenStackandMicrosoftAzure,ordeliveredassoftware.CheckPointfirewallcapabilitiescanbeexpandedbypredefinedpackagesofadditionalsoftwareblades.CustomerscansupplementCheckPoint'sfirewallwithanadvancedthreatoffering(CheckPointThreatCloud),andcanaddadditionalthreatintelligencefeedsfromthirdparties(CheckPointIntellistore)andintegrateCheckPoint'sfirewallwithitsMobileSecuritysuitetoenforcesecuritypolicyformobileusers(usingCheckPointCapsule).
GartnerassessesCheckPointSoftwareasaLeaderforenterprisefirewallsbecauseagoodscoreduringtechnicalevaluationcontinuallydrivesnewclientwinsandcontributestoretainingalargeportionofitsexistingcustomerbase.CheckPointalsoshowsstrongexecutiononitsenterprisefocusedroadmaptodeliverfeaturestargetingthevariousfirewallplacementusecasesforenterprises.
Strengths
CheckPointhasoneofthelargestexistingenterpriseclientbasesandcontinuestoappearfrequentlyonfinalshortlistsforenterprisefirewallselection.Itisabletosupporttheseclientsgloballywithastrongchannelpresenceandasignificantinternalteamdevotedtofirewallfeaturedevelopment.ItscomprehensiveproductportfolioallowsCheckPointtobedeployedinavarietyofenterpriseusecases.ThenewchassissolutionsfurtherexpandCheckPoint'sabilitytoscaletothelargestdatacentersandtoadapttotheirfuturegrowthrequirements.CheckPointfirewallsconsistentlygethighscoresfromclientsonsecurityandeaseofmanagementincomplexenvironments.Itcontinuestoinvestinitsmanagementsuite,withseveralfeaturesintheR80versionintendedtoimprovetheauditabilityandmanageabilityofthesecuritypolicy,andithasfinallymergedthenetworkandapplicationcomponentsinaunifiedpolicy.GartnerbelievesthatCheckPoint'sstrategytosupportVMwareNSX,OpenStackandCiscoApplicationCentricInfrastructure(ACI)isagoodsignalforclientsconsideringCheckPointsecuritysolutionswhentheyevaluatesoftwaredefinednetwork(SDN)projects.
Cautions
PriceisthemostcommonfactorinvokedbyGartnerclientstointroducecompetitionforCheckPointsolutionsatrenewaltimeorasareasontofavorcompetitionduringshortlists.Gartneranalystsnoticedthathardwareplatformssubmittedinresellerproposalstendtobemoretightlysized,andseeitasatactictocontroltotalcosts.Inafewreportedclientsituations,undersizingwasaclearreasonforperformanceissues,andcausedunnecessarybackandforthdiscussiontogettheadequatemodel.In2014,GartnerobservedahigherthanusualnumberofclientsreportingstabilityissueswithCheckPointsolutions,andunexpectedlongresolutiontime.Thispeakedin2Q14,thenplateauedatalowerleverduringthesecondhalfoftheyear.GartneranalystsobservedthatmanyoftheseincidentsinvolvedclustersofnewhardwareplatformsrunningthefirstversionsoftheunifiedGAiAOS,withthesituationimprovingasCheckPointsimplifiedthenumberofsupportedlegacyversions.CheckPointcustomersareoftenslowtoadoptnewsoftwareoptionslikeitsthreatemulationsoftwareblade.Gartnerbelievesthatreasonsincludeinsufficientresultsofmarketingoperationstosupportthelaunchoftheseoptions,aswellasthefactthatCheckPointclientsarenotwillingtosubscribetoadditionalsoftwareoptionsaftertheinitialsizing,infearofperformanceissues.Thisincreasesthetimeforthesenewoptionstobecomemature,astheybenefitfromaloweramountof
requiringhelpwithcomplexityaretheverylargest.Additionally,verylargeenterprisesmayhavefirewallproductsfromdifferentvendorssometimesbyaccidentviaacquisitionratherthanthroughchoice,becauseasinglevendorsolutionisusuallythebestchoice.Inothercases,anenterprisemaybeinthemidstofamultistagerolloutofanewplatform.AllFPMvendorssupportmultiplefirewallproducts,whereasnofirewallvendorwilleffectivelymanageacompetingproduct.Inaddition,FPMvendorsareexpandingintomanagingothernetworksecuritydevices,suchasIPSs.
EVALUATIONCRITERIADEFINITIONS
AbilitytoExecuteProduct/Service:Coregoodsandservicesofferedbythevendorforthedefinedmarket.Thisincludescurrentproduct/servicecapabilities,quality,featuresets,skillsandsoon,whetherofferednativelyorthroughOEMagreements/partnershipsasdefinedinthemarketdefinitionanddetailedinthesubcriteria.
OverallViability:Viabilityincludesanassessmentoftheoverallorganization'sfinancialhealth,thefinancialandpracticalsuccessofthebusinessunit,andthelikelihoodthattheindividualbusinessunitwillcontinueinvestingintheproduct,willcontinueofferingtheproductandwilladvancethestateoftheartwithintheorganization'sportfolioofproducts.
SalesExecution/Pricing:Thevendor'scapabilitiesinallpresalesactivitiesandthestructurethatsupportsthem.Thisincludesdealmanagement,pricingandnegotiation,presalessupport,andtheoveralleffectivenessofthesaleschannel.
MarketResponsiveness/Record:Abilitytorespond,changedirection,beflexibleandachievecompetitivesuccessasopportunitiesdevelop,competitorsact,customerneedsevolveandmarketdynamicschange.Thiscriterionalsoconsidersthevendor'shistoryofresponsiveness.
MarketingExecution:Theclarity,quality,creativityandefficacyofprogramsdesignedtodelivertheorganization'smessagetoinfluencethemarket,promotethebrandandbusiness,increaseawarenessoftheproducts,andestablishapositiveidentificationwiththeproduct/brandandorganizationinthemindsofbuyers.This"mindshare"canbedrivenbyacombinationofpublicity,promotionalinitiatives,thoughtleadership,wordofmouthandsalesactivities.
CustomerExperience:Relationships,productsandservices/programsthatenableclientstobesuccessfulwiththeproductsevaluated.Specifically,thisincludesthewayscustomersreceivetechnicalsupportoraccountsupport.Thiscanalsoincludeancillarytools,customersupportprograms(andthequalitythereof),availabilityofusergroups,servicelevelagreementsandsoon.
Operations:Theabilityoftheorganizationtomeetitsgoalsandcommitments.Factorsincludethequalityoftheorganizationalstructure,includingskills,experiences,programs,systemsandothervehiclesthatenabletheorganizationtooperateeffectivelyandefficientlyonanongoingbasis.CompletenessofVisionMarketUnderstanding:Abilityofthevendortounderstandbuyers'wantsandneedsandtotranslatethoseintoproductsandservices.Vendorsthatshowthehighestdegreeofvisionlistentoandunderstandbuyers'wantsandneeds,andcanshapeorenhancethosewiththeiraddedvision.
MarketingStrategy:Aclear,differentiatedsetofmessagesconsistentlycommunicatedthroughouttheorganizationandexternalizedthroughthewebsite,advertising,customerprogramsandpositioningstatements.
SalesStrategy:Thestrategyforsellingproductsthatusestheappropriatenetworkofdirectandindirectsales,marketing,service,andcommunicationaffiliatesthatextendthescopeanddepthofmarketreach,skills,expertise,technologies,servicesandthecustomerbase.
Offering(Product)Strategy:Thevendor'sapproachtoproductdevelopmentanddeliverythatemphasizesdifferentiation,functionality,methodologyandfeaturesetsastheymaptocurrentandfuturerequirements.
BusinessModel:Thesoundnessandlogicofthevendor'sunderlyingbusinessproposition.
Vertical/IndustryStrategy:Thevendor'sstrategy
clientfeedback.
CiscoSanJose,CaliforniabasedCiscohasabroadnetworksecurityproductportfolioacrossfirewall/IPS,Websecurityandemailsecuritytiers.ThefirewallofferingisprimarilyviatheAdaptiveSecurityAppliance(ASA)brandthatincludesanIPSreleasedin2014.ASAwithFirePOWERservicesistheASAwiththeSourcefireIPSAdvancedMalwareProtection(AMP)andapplicationvisibilityandcontroladdedin.Cisco'svirtualfirewallinglines,theASAvandtheVSG,requirethepresenceoftheNexus1000vvirtualswitch.
Forawhile,Ciscowillhavetwoprimaryconsoleofferings.First,theAdaptiveSecurityDeviceManager(ASDM)canfunctionasanonthedevicesingleinstancemanager.Inaddition,thecombinationofFireSIGHTwhichmanagestheIPSfunctionforASAwithFirePOWERservicesandCiscoSecurityManagerwhichmanagestheASAfirewallisthealternativeforASAwithFirePOWERservices.GartnerexpectsthatCiscowillunitetheCiscomanagementconsoleintheshortterm.
BeforetheintroductionofASAwithFirePOWERservices,GartnersawCiscowinningfirewallprocurementsmostlythroughsales/channelexecutionoraggressivediscountingforlargeCisconetworkscustomers.WiththeintroductionofASAwithFirePOWERservicesinSeptember2014,CiscobecamemoreabletocompeteintheNGFWfield
CiscoisassessedasaChallengerforenterprises.GartnerdidnotseeitdisplacingLeadersbasedonvisionorfeatures,andwerarelysawCiscoreleasefirewallinnovationsthatcausedLeaderstoreact.
Strengths
TheEnterpriseLicenseAgreement(ELA)forsecuritysoftwareandhardwareaddsvalueforCiscosecuritycustomersthatareundertakingmultiyeardeploymentsandwishtomaintainatimetableandproductflexibility.GartnerclientsconsistentlyratetheCiscosupportnetworkasexcellent,anditisthemostoftencitedreasonforloyaltytoCiscosecurityproducts.Thevendorhasstrongchannels,broadgeographicsupportandwideavailabilityofothersecurityproducts.SurveyedCiscofirewallclientsconsistentlyrankedtheavailabilityandpresenceofotherproductsfromCiscowithintheirnetworksasthemostimportantfactorintheirselectionofthevendor.Ciscooffersawidechoiceinfirewallplatforms.TheprimaryofferingisthestandalonefirewallASA,butfirewallsarealsoavailableviatheFirewallServicesModulebladefor6500and7600seriesswitches,onCisco'sASAforvirtualdatacenterandcloudenvironments,andonCisco'sInternetworkOperatingSystem(IOS)basedIntegratedServicesRouter.GartnerviewsthePlatformExchangeGrid(pxGrid)initiativetoallowthirdpartycomponentsontotheASAasthemostpromisingdevelopmentintheCiscofirewallroadmap.TheintegrationofreputationfeaturesacrossCiscosecurityproductsisastrength.TherichcontextprovidedbytheFirePOWERservicesintegrationaddstothisadvantage.TheinclusionofSourcefireIPSwithinASAhasimprovedthequalityoftheASAIPSandapplicationcontrol.
Cautions
GartnerclientsselectCiscofirewallproductsmoreoftenwhensecurityofferingsareaddedtoaCiscoinfrastructure,ratherthanwhenthereisashortlistwithcompetingfirewallappliances.Inthesurveysenttovendors,Cisco'sproductwasthesecondmostfrequentlylistedastheonevendorsclaimedtoreplacethemosthowever,itwasalsolistedthisyearasNo.2inthevendorlistofperceivedcompetitivethreats.Cisco'ssecurityconsoleofferingsconsistentlyscorelowversuscompetitorsinassessmentsconductedbyGartnerclients.However,GartnerbelievesthatmovingcompletelytotheSourcefireFireSIGHTwillbringimprovements.CiscoscoredlowerthanmostcompetitorsinaGartnersurveyofusersforoverallclientsatisfaction.CiscoASAhasafirewallconsoleintegrationofalocalsandboxbasedadvancedtargetedattack(ATA)cloudinstanceorappliancethroughAdvancedMalwareProtection(AMP)however,GartnerclientschooseAMPnotforitsundifferentiatedsandboxingcapability,butforotherATAdetectionstrengths.CiscocanimproveitsATAassociatedsandboxingifitintegratesits2014acquisitionofThreatGRID.
DellSonicWALLDell,whichisheadquarteredinRoundRock,Texas,sellsenterprisenetworkfirewallsundertheDellSonicWALLname.ThemajorityofDellSonicWALL'sbusinesshadbeensellingUTMtomidsizeenterprises,withtheSuperMassivelineaimedatenterprises,andatcompetitiveprice/performancepoints.OtherDellSonicWALLsecurityproductsincludeSSLVPNs,emailsecuritygateways,cleanwirelessofferings,dataencryptionofferings,identitymanagementofferings,managedsecurityserviceprovider(MSSP)offeringsundertheSecureWorksbrand,andbackup/recoveryofferings.Thecompany'sfirewallofferingsareinfourbrandedlines:SuperMassive,EClassNetworkSecurityAppliance(NSA),NSAandTZ.GartnerobservesastrongcorrelationbetweenSonicWALLpurchasesandincumbentDellcustomers.
DellSonicWALLisassessedasaNichePlayerforenterprises,inpartbecauseithasn'tbroughtinnovativesecurityfeaturestomarketinatimelymanner,anditssaleschannelsandmarketingprogramshaven'teffectivelyreachedenterprisebuyers.
Strengths
DellSonicWALL'sbroadmodelrangeisagoodoptionfordistributedenterpriseswithmanyremoteofficedeploymentsrequiringmanysmallerdevices,suchasinretailorfranchiseoutlets,orwithTypeCenterprises(seeNote1).GartnerhasobservedthattheDellSonicWALLchannelhasmigratedthecorefirewallbusinessintomoremidsizeorganizationsorintoorganizationsthat
todirectresources,skillsandofferingstomeetthespecificneedsofindividualmarketsegments,includingverticalmarkets.
Innovation:Direct,related,complementaryandsynergisticlayoutsofresources,expertiseorcapitalforinvestment,consolidation,defensiveorpreemptivepurposes.
GeographicStrategy:Thevendor'sstrategytodirectresources,skillsandofferingstomeetthespecificneedsofgeographiesoutsidethe"home"ornativegeography,eitherdirectlyorthroughpartners,channelsandsubsidiariesasappropriateforthatgeographyandmarket.
alreadyhadastrongDellSonicWALLrelationship.ForcurrentDellcustomersthatwanttohavefewersecurityvendors,DellSonicWALLisagoodchoicebecauseofitswiderangeofproductsandavailableSMBorientedfeatureset.TheSuperMassivelinehasachievedmarkettractioninhighthroughputfirewalldeployments,suchascarriersandserviceproviders,inwhichfirewallthroughput,lowlatencyandpriceperprotectedmegabitspersecondareforemostinasurveytousers,customersrankedthroughputandspeedastheforemostselectioncriterionsupportingthisassessment.
Cautions
AsreportedbyGartnerclients,DellSonicWALLisnotyetwidelyviewedasanenterprisestrategicsecurityplayerrather,itisperceivedasamidsizebrandassociatedwiththegreaterDellbrand.GartnerrarelyseesDellSonicWALLinmostTypeAandTypeBenterprisefirewallselectionshowever,thisisnota"Caution"forotherorganizations.DellSecureWorkspresentsapotentialchannelconflictforsalestootherMSSPs,whichcanviewDellSonicWALLaspartofacompetitor.GartneranalystshaveobservedcompetitorsusingthisargumenttogatherchannelpartnersfromDellSonicWALL.DellSonicWALLscoredlowasasignificantenterprisecompetitivethreatbythevendorswesurveyed,andscoredpoorlyinasurveytousersinregardtofalsepositivesforIPSinthefirewall.TheproductlinesTZandNSAareaging.DellSonicWALLprospectsshouldasktoseeroadmapsforevidenceoffutureinnovationplans.
F5F5,basedinSeattle,isaleadingdatacenterapplicationdeliveryvendor.Inadditiontothetrafficmanagementmodules(GTMandLTM)thatarethecoreofF5'sApplicationDeliveryController(ADC)offering,securitymodulesincludeApplicationSecurityManager(ASM),itsWebapplicationfirewall,andtheAdvancedFirewallManager(AFM),anetworkfirewall.ItsfirewallproductofferingreliesontheBigIPappliances(14models,from5Gbpsupto80Gbps)andViprionchassis(fourmodels,upto640Gbps)hardwareplatforms,runningtheF5TrafficManagementOperatingSystem(TMOS).F5alsooffersvirtualappliances(F5VE)andcentralizedmanagement(BigIQ)foritsBigIPsolutions.GartnerviewsF5assuccessfullyusingsecurityasacompetitivefeatureintheADCmarketratherthanbeingapureplayinthefirewallmarket.
F5isassessedasaNichePlayerfortheenterprisefirewallmarket,becauseitsfirewallofferingisvisibleonlyinalimitednumberofusecases,mostlysoldasanaddonofotherfeaturestoexistingF5customers.
Strengths
F5'ssoftwareisoptimizedfordatacenterandISPinfrastructureprotectionusecases.ItincludesIPv6compatibility,robustroutingoptimizationandSDNfeatures.GartneralsoexpectsF5toaddintegrationwithitsfirewallanditsSilverlineDDoSprotectionoffering.F5'scustomergivegoodscorestoitshardwareplatformforitsabilitytoscale.Thisincludeshardwareaccelerationand40Gbpsnetworkinterfaces,butalsostrongSSLoptimizationcapabilities,whichareoftenaweakspotofotherfirewallplatforms.F5dedicatessignificanteffortstosecurityfeaturesandshowsitscustomersacommitmenttoconsidersecurityasacentraltopicofitsroadmap.Thisisapositivesignfortheseclientsthatcanaddafirewallcomponenttotheirexistingdatacenterdeploymentatafractionofthecostrequiredbytheacquisitionofadedicatedappliance.GartnerexpectsF5tocompeteindatacenteronlydealswhenarchitecturecomplexityislowGartnerhasalreadyseenF5competewellinfirewallplacementsforhostingproviders.
Cautions
F5doesnotappearonGartnerclientcompetitiveshortlistsforenterprisefirewallselection,exceptwhencustomersalreadyownF5ADCandevaluateF5'supgradeoptions.F5isnotseenyetasacompetitivethreatbyotherfirewallvendorsevaluatedinthismarket.F5ismissingthecriticalcompetitivecomponentofastandaloneInternetfacingfirewalltoprotectusersandserverswhereanADCisnotrequired,andlacksentrylevelappliancesrequiredforbranchesandsmallheadquarters.F5lacksanIPSmoduleandonlyrecentlyintroducedsecureWebgateway(SWG)services.TheapplicationcontrolfeatureislimitedtowhatusersgetfromSWGandWebapplicationfirewall(WAF)modules,buthasyettobecoveredbyaunifiedsoftwarecomponent.GartnerbelievesthatF5'seffortstocoverabroadfeaturesetcouldhurtitsabilitytoprovidesufficientdepthforthecorefeaturesusedinenterprisefirewallusecases.AsF5'sfirewallmodulesarelikelytobeusedasadatacentersupplementtoaperimeterfirewall,F5'sintegrationwithonlyonefirewallpolicymanagementsoftware(FireMon)limitssecuritybuyeroptions.
FortinetSunnyvale,CaliforniabasedFortinethaslongfocusedonusingpurposebuilthardwaretoproduceenterprisefirewallandUTMapplianceswithawiderangeoffeaturesatstrongprice/performancepoints.Itoffersabroadsecurityportfolioandhassomepresenceinnetworkinfrastructure.ThefirewallfeaturesinFortinet'senterprisefirewallproductscannowmeetmostoftheneedsoffirewallfocusedlargeenterprisebuyers.
FortinetcontinuestomakeprogresswithintheGartnercustomerbase,especiallyinbranchofficeorretaildeployments,butincreasinglyinmorewidespreadenterpriseusecases.Inaddition,itisverycompetitive
indatacenterevaluationsinwhichhighperformance,lowlatencystatefulfirewallsaretheprimaryneed.Fortinetisasignificantthreattocompetitorsinthismarketbecauseofitshardwareexpertise,competitivepricingandacceleratingrevenuegrowth.Itisaviableshortlistcontenderformostenterprisefirewallusecases.
FortinetisassessedasaChallenger,mostlybecauseweseeitdisplacingcompetitorsonvalueandperformance,butstrugglingagainstLeadersinmainstreamenterpriseselectionsbasedonfeaturesandvision.FortinetdoesnotoftenreleasefeaturesthatcauseLeaderstoreact.
Strengths
FortinethasalargehardwareR&Dteamandusesittogotomarketquicklywithhigherperformancechipsets.Fortinetcontinuallydeliversnewfunctionsintheapplicationspecificintegratedcircuitandoperatingsystem,providingextensivepressureoncompetitorsandpleasingthechannel.Fortinetoffersagoodprice/performanceratioandawidemodelrange,includingbladedappliancesforlargeenterprisesandcarriers,aswellasSMBandbranchofficesolutions.InadditiontoenterpriseNGFWdeployments,Fortinetiswellsuitedtodeploymentsincarriers,datacenters,serviceprovidersanddistributedenterprises(forexample,retailandfranchises).Fortinethasawellarticulatedstrategyregardingvirtualization,publiccloudandSDN,andhasapromisingpartnershipwithVMwareNSX.
Cautions
Despitesomeimprovementsin2014,managementcapabilitycomparedwiththecompetitionremainsthereasonmostoftenlistedbyGartnerclientsasthereasonwhyFortinetwasshortlistedbutnotselectedbyenterprises.However,wheremultiplefirewallssharethesamepolicy,theFortinetconsoleismorecompetitive.Althoughit'sreducedthenumberofappliancesinitsoverallFortigateproductline,Fortinetstillsupportsmoreversionsandmodels(withoftenoverlappingspecifications)thanmanyofitscompetitors.Gartnerbelievesthatthenumberofappliancesandsoftwareversionsimpactscustomersupport.GartnerbelievesthatFortinet'sFeatureSelect,whichprovidespresetinitialconfigurationoptionsorbundlesoffeatures,doesn'teffectivelycommunicatethesupportofthevaryingusecasesofmanyenterprisesorcanconveytocustomersthattheNGFWisjustasubsetofthefullUTMsuiteratherthana"madeforenterprise"solution.WhileFortinet'smarketingmixbecamemuchmoreenterprisefocusedin2014,previousUTMorientedmarketinghascreatedalingeringbranddisadvantagewithsomeenterprisesecuritybuyers.
HillstoneNetworksBasedinBeijingandSunnyvale,California,HillstoneNetworksisapureplayfirewallvendor.Itsfirewallportfolioiscomposedofthreeproductlines,theTSeries(3models),theESeries(13models)andtheXSeries(twochassis),withfirewallthroughputrangingfrom1Gbpsto360Gbps.Hillstonehasaddednetworkbehavioranomalydetectionintoitsfirewall,andoffersvirtualversionsinitsvirtualElasticFirewallArchitecture(vEFA).
Althoughitisaggressivelymovingtoincreasesalesinmoreregionsbyexpandingitsworldwidepartnerecosystem,HillstoneisassessedasaNichePlayerbecauseitisvisibletoGartneronlyinoneregion,withamajorityofitssalesinChina.
Strengths
HillstonehasastrongpresenceinChina,andoffersdedicatedfirewallmodelsforthismarket.SurveyedcustomersinChinagivegoodscorestodirectvendorsupport.Hillstone'srecentreleaseofafirewallwithbehaviorbasedpolicy(namedIntelligentNextGenerationFirewall)indicatesamotivationtobringfurtherinnovationtotheenterprisefirewallmarket.HillstoneintegrateswithFireMonandAlgoSecpolicymanagementsoftware,whichcanfacilitatepurchasedecisionforinternationalcompanieswillingtousealocalvendorintheAsia/Pacificregion.
Cautions
HillstoneNetworks'firewallsarenotyetseeninenterpriseselectionsamongtheGartnerclientbaseoutsideofAsia/Pacific.GartneralsoobservesincreasingcompetitionforHillstoneinChinafromlocalandregionalvendors.Surveyedcustomersindicatethatperformancedegradationwhenenablingintrusionpreventionishigherthantheleadingvendorsevaluatedinthismarket.Surveyedcustomersfrequentlycitemanagementinterfaceasanareathatrequiresimprovement.
HPPaloAlto,CaliforniaheadquarteredHPhastwolinesoffirewalls.ThefirstisthenewTippingPointNextGenerationFirewall(NGFW)linethesecondlineiscomposedofF5000andF1000,formerlyofH3CTechnologiesinChina.Thesetwolinesareondistinctcodebases,areunderdifferentconsolesandaresupportedbydifferentgroupswithinHP.ThenewTippingPointNGFW(x86compatible)istheredesignoftheolderTippingPointIPS,whichisbasedoncustomapplicationspecificintegratedcircuits(ASICs).Assuch,thereisnodirecthardwareupgradepathfromtheIPStotheNGFW.However,bothcontinuetobesold.TherearesixmodelsofNGFW,allbearingthe"S"prefix.HPisaddinganadvancedthreatsandboxsolutionviaalocalappliancebasedonTrendMicro'sDeepDiscoveryInspector,whichwillworkwithHP'sNGFWandIPSviatheintegrationwiththeHPTippingPointSecurityManagementSystemconsole.
HPisassessedasaNichePlayer,mostlybecauseGartnerhasnotyetseenthenewfirewallproductonshortlists(see"VendorRating:HP"formoreinformation)orasfullyfeaturedasmostChallengersandLeaders.HPhasthepotentialtobeadisruptiveinfluenceandamarketchallengerthroughcontinuedproductadvancementandutilizationoftheHPchannel.
Strengths
TheprovenTippingPointIPSenginebringsaverygoodqualityofIPStothenewNGFWline,whichisofinteresttoincumbentTippingPointIPSdeploymentsthatarelookingtoreplaceafirewall,ortothosedeploymentsinwhichIPSneedsaremorehighlyrankedthanotherfirewallfeatures.InaGartnersurvey,themostmentionedreasonforbuyingtheHPfirewallwasalreadyhavingotherHPsecurityproducts.Inasurveyoffirewallusers,HPNGFWscoredhighestforusersatisfactionregardingqualityofIPSrelatingtofalsenegativesandpositives.Thereisagoodrangeofmodelsinthenewfirewallline,meaningnewadoptersarelesslikelytohavetowaitfornewmodelstoconsiderdeployments.TheTippingPointNGFWandIPSaremanagedundertheHPTippingPointSMSconsole,whichwillalreadybefamiliartoHPIPScustomers.
Cautions
Enterprisefirewallbuyersareoftenhesitanttoinvestinsomethingthatdoesn'thaveaproventrackrecordinthismarket.HPhasbeenslowtoexecuteonaroadmapandaddnewfeaturestoitsfirewalltoallowittocompeteforgeneralenterprisebusinessbybeing"RFPready."However,incumbentHPcustomersmaystillfindthistobeashortlistoption.GartnerclientsrarelyincludedHPfirewallsintheshortlistsweobserved.Asisoftenthecasewithnewproducts,thesurveyedHPusersmostoftencitedthattheSMSconsoleneedsimprovementinmanagingthenewfirewallingcapabilities,andsupportwasnotratedhighly.BasedonconversationswithGartnerclientswhoarealsoHPTippingPoint'sprospectsandcustomers,GartnerviewsHPastrendingtowardreemphasizingstandaloneIPSsoverfirewalls,astheyarechallengedingainingshareinthefirewallmarket.HPNGFWprospectsandcustomersshouldevaluateHP'sNGFWreleasecadenceandfeaturequality,aswellasthetimelydeliveryofroadmapcapabilitiestodeterminecontinuedinvestmentandpriority.
HuaweiShenzhen,ChinabasedHuaweihasbeenshippingfirewallproductsformorethanadecade(formoreinformation,see"VendorRating:Huawei"),andoffavarietyofothernetworksecurityappliances,includingantiDDoSandIPSs.Therangeoffirewallappliancesandmodelsisextensive,especiallyforhigherthroughputoptions,andforcustomersthatalreadyhaveHuaweiproductsandwishtoexpandthatbusinesstofirewalls.UnifiedSecurityGateway(USG)istheprimaryenterpriseline,andEudemonisthelineforcarriersandserviceproviders.MoreHuaweifirewallrevenueisderivedfromcarriers,ISPsandcloudandserviceprovidersthanfromenterprisesandSMBs.
HuaweiisassessedasaNichePlayerforenterprisesovertheevaluationperiod,mostlybecauseweseeitmostlyinanarrowgeographicsegment,andbecausewedidnotseeitfrequentlydisplacingLeadersorChallengersbasedonvisionorfeature.
Strengths
GartnerassessesHuaweiashavingaverygoodoverallnetworksecuritystrategyandalargesecurityresearchteam.CustomerswhosenetworksarebasedprimarilyonHuaweiinfrastructureproductscanincludeHuaweifirewalls.UsersreporttoGartnerthatHuaweiappliancesperformasexpectedunderload.ThetopendoftheHuaweifirewalllinehasaveryhighthroughputandisagoodshortlistcandidateforcarriers.MostdeploymentsGartnerobservesarehigherthroughputdeployments.HuaweideliveredandimprovedsomeapplicationcontrolandotherNGFWfeaturesin2014,largelytargetedtoenterprisecustomers.Itsupcomingroadmapaddressesenterpriseorientedfeatures.
Cautions
HuaweihaslimitedcompetitivevisibilityoutsidetheAsia/Pacificregionhowever,thereissomeincreasingcompetitivepresenceandgrowthinEMEA.InterviewedusersreportedthattheywouldliketoseebetterfeaturesintheWebgraphicaluserinterface(GUI)console,andconsistentlyaskedforbetterreporting.Huaweilagsthecompetitioninpartneringwithfirewallpolicymanagementvendors,preventingitfromfullyfulfillingsomeenterprisecomplianceandsecurityneeds.HuaweihastakenconsiderablestepstoaddressconcernsaboutrelyingontechnologydevelopedinChinahowever,thisconcerncontinuestobeasecuritysaleschallengeinsomemarkets,especiallyNorthAmerica.
IntelSecurity(McAfee)IntelfirewallsaresoldundertheMcAfeebrand.McAfee,whichisnowpartofIntelSecurity(basedinSantaClara,California),sellssecuritycontrolsattheendpoint,serverandnetworklayers.Intel(McAfee)networksecurityisbestknownforNetworkSecurityPlatform(NSP),itsnetworkIPSproductline.IntelSecurityobtaineditsnetworkfirewallin2013fromFinlandbasedStonesoft,whoseproductisnowcalledtheMcAfeeNextGenerationFirewall(NGFW).TheMcAfeeNGFWhasagoodrangeofmodels(scalingupto120Gbps),includingavirtualizedversion,andhasperformedwellinthirdpartytesting.(IntelSecurity
hasanadvancedthreatoffering[ATD]thatbecomesmoreeffectivethemoreIntelMcAfeesafeguardsareinplace.)
Gartnerbelievesthat,inthenearfuture,IntelSecuritywillhaveasinglehardwareplatformsupportingtheMcAfeeNGFWandNSP,whichistheIPSproduct.
IntelSecurityisassessedasaNichePlayerforenterprisesbecauseitprimarilysellsalongsideotherIntelandMcAfeesecurityproductsratherthanbeatingLeadersinshortlists.
Strengths
ThebreadthoftheIntelSecuritythreatintelligenceandreputationfeedsisapositivequalityelementandleveragestheIntelSecurityfootprintonendpoints,secureWebgateways,emailsecuritygatewaysandIPSs.TheMcAfeeNGFWfirewalllinehaslongbeenaleaderinhighavailabilitytechnology,andithasveryreliableclusteringandactive/activeconfiguration.Itfocusedearlyonantievasiontechnology,andprotectedcustomerswellasattacksevolvedtoincludefirewallanddeepinspectionevasiveness.ThevisibilityofePolicyOrchestrator(ePO)hostinformationwithinthefirewallreportingandconsoletoolsisofinteresttocurrentIntelSecurityePOcustomers.InaGartnersurveyofclients,theMcAfeeNGFWscoredveryhighinoverallclientsatisfaction.
Cautions
GartnerbelievesthathavingtheMcAfeenetworksecurityunitwithinaprimarilyhostbasedsecuritycompanywhichisitselfwithinalargeendpointfocusedchipmanufacturerremainsasignificantchallenge.IntelSecuritywasnotlistedbyanyvendorwesurveyedasasignificantenterprisecompetitivethreat,andIntelisnotestablishedasbeingastrongbrandinnetworksecurity.IntelSecuritycurrentlyhastwodifferentnetworkIPSenginesacrosstheMcAfeeNGFWandNSP(IPS)products.Rationalizingandcentrallyadministeringthesefromonemanagementconsolewillpresentchallenges.IntelSecurityisrarelyseenonGartnerclientnetworkfirewallshortlists,andGartnerestimatesthatthemarketshareissmallatlessthan5%.
JuniperNetworksThefirewallofferingsofSunnyvale,CaliforniabasedJuniperNetworksareinmultiplemodellines:SRXSSG,NS,ISGandthevirtualizedversionofSRX(vSRX).TheJuniperSRXSecurityServiceGatewayoffersroutingasabasicfirewallelement,andrunsthesameJunosoperatingsystemasotherJuniperinfrastructurecomponents.Gartnerconsidersroutinginthefirewallasbeingofinteresttoalimitedsegmentofcustomers.JuniperhasAppSecureforapplicationcontrolandvisibilityintegratedIPSandthreatintelligencefeeds.Juniper'sJunosSpaceSecurityDesignisthecurrentsecuritymanagementplatform.
JuniperisassessedasaNichePlayerforenterprises,mostlybecauseweseeitselectedinconcertwithotherJuniperofferings,ratherthandisplacingcompetitorsbasedonitsvisionorfeatures,andweseeitbeingreplacedinenterpriseenvironmentsmoreoftenthanweseeitselected.Juniperis,however,shortlistedand/orselectedinmobileserviceproviderdeploymentsandlargeenterprisedatacenterdeployments,primarilybecauseofpriceandhighthroughputonitslargestappliances.
Strengths
CustomerswhosenetworksarealreadystandardizedonJuniper'sJunosbasedinfrastructureproductscanbenefitfromtheSpaceSecurityDesignconsolebecauseitispartoftheJunosSpacenetworkmanagementplatform.Interviewedusersoftenselectedthefirewalls,withthroughputweightedhighlyintheirselection.Goodoptionsexistforhighthroughput,purposebuiltappliances,especiallyinthehigherendSRXmodels,becauseGartnerseesJunipermostlydeployedinlargedatacenters.Juniperhasastrongrangeofbranchofficefirewallscomplementingtheenterpriseproducts.ThesebranchofficefirewallsincludeWANandcellularbackuptechnologies.JuniperSRXisagoodshortlistcandidateindeploymentsforserviceprovidersorhosterswherestatefulfirewallthroughputisvaluedforemostandpriceisweightedhighly.Juniperoffersathreatintelligenceplatformsupportingthirdpartyfeedsandenablingdeploymenttoenforcementpoints.Thiscapabilitywillappealtoenterprisesthatusemultiplethirdpartythreatintelligencefeeds.
Cautions
GartnerdoesnotassessJuniperascurrentlyhavingacompellingordifferentiatedsecurityvision,oronethatiswellknowntononJunipercustomers.In2014,JuniperreleaseditsfirstNGFWfeatureset,wellbehindmostofthefirewallvendorsevaluatedinthisresearch.SomeGartnerclientshavecitedaneedforsupportandplatformstabilityimprovements.UsersthatGartnersurveyedreporthardwarefailuresoverthepast12months.Gartnerbelievesthatmostenterpriseswantanoperatingsystemintheirsecurityproductsthatdiffersfromtheoneininfrastructurecomponents.Juniperhascontinuedlosingsecuritymarketshareinthepastyear,andhasexperienceddecliningyearoveryearrevenueinagrowingmarket.Thecompanymustaddressfundamentalsalesandmarketingchallengesanddemonstratethatitcanwinbackcustomersandmarketsharewithitsnewercapabilities.
PaloAltoNetworksPaloAltoNetworksisaCaliforniabasedpureplaynetworksecuritycompanythathasbeenshippingenterprisefirewallssince2007.PaloAltoNetworksisknownmostlyforitsinnovationsinapplicationcontrolandforimprovingintegratedIPSinfirewalls.Thefirewallproductlineincludes18models,withamaximumthroughputof120GbpsforthePA7050,releasedin2014.WiththeacquisitionofCyvera(rebrandedasTraps),PaloAltoNetworksnowoffersasecondendpointproduct,inadditiontotheexistingGlobalProtect.PaloAlto'scloudbasednetworksandboxservice,WildFire,sawhighattachratesfornewandexistingcustomersin2014.PaloAlto'sworkwithVMwareNSXhasprovidedcustomersanotheroptionforplacingPaloAltoproductsinvirtualizeddatacenters.
PaloAltoNetworksisassessedasaLeader,mostlybecauseofitsNGFWfocus,andbecauseofitsconsistentvisibilityinGartnershortlistsforadvancedfirewallsusecases,frequentlybeatingcompetitiononfeaturequality.
Strengths
GartnerclientsconsistentlyratethePaloAltoNetworksAppIDandIPShigherthancompetitors'offeringsforeaseofuseandquality.ThefirewallandIPSarecloselyintegrated,withAppIDimplementedwithinthefirewallandthroughouttheinspectionstream.This"singlepass"isassessedasadesignadvantagebyGartnerclients,asopposedtotheunnecessaryinspectionthatcanoccurincompetingproductsthatprocesstrafficinserialorder.PaloAltoNetworkswasconsistentlyonmostNGFWcompetitiveshortlistsseenbyGartner,andinthesurveytovendors,itwasmostmentionedasthestrongestcompetitorwithwhichthesevendorscompete.TheroadmapfocusonVMwareNSXdisplaysstrongleadershiptowardsolvingclients'futureproblems.PaloAltoshiftedfocuscorrectlytoeastwestsegmentationratherthanwholedatacenterfirewallvirtualization.TheWildFireadvancedthreatapplianceandcloudservicearepopularaddonswithnewandincumbentPaloAltoNetworksfirewallcustomers,givingthemanoptionversusthirdpartyadvancedthreatappliancesolutions.
Cautions
GartnerclientsreportPaloAltoNetworks'directsalesandresellersbeingoverlyoptimisticabouttheperformanceimpactofturningonantivirus(thatis,Webantimalware),andconflatingantiviruswithIPSand/orotherfeatures,orclaiminga0%performanceimpactwhenenablingtheantivirus(AV)function,whichisnotcrediblewithcustomers.GartnerbelievesthatthisapproachhaserodedcustomertrustinthePaloAltoNetworksbrand.GartnerdoesnotseePaloAltoreproducingitsfirewallsuccessinitsattempttoentertheendpointmarket.GartnerconsidersPaloAlto'sentryintotheendpointmarketasahighriskmovethatcoulddilutecompanyattentionintoanonadjacentmarketandcouldalienatethenetworksecuritybuyingcenter.Theendpointshouldbeaddressedthroughathirdpartyecosystemorpushedstrongerasanindependenteffort.Thecompanymustdevelopabetterthirdpartyproductsupportecosystem.Likeothervendorswithleadingproducts,PaloAltoNetworksischallengedtowinselectionsinwhichpriceisweightedmorethansecurityfeatures,asinTypeCenterprises(seeNote1).Italsodoesnotofferthesmallerappliancesthatcompetitorspositionindistributedenterprisedeals.Theclientsweinterviewedwouldliketoseebetterloghandlingatscale.Also,theclientcomplaintswereceiveregardingPaloAltoNetworksusuallyrelatetomanagementconsoleissuesatscale,oranecdotesofchannelpartnershortcomings.
SangforHeadquarteredinShenzhen,China,andfoundedin2000,SangforprovidesWANoptimization,accessmanagementandnetworksecuritysolutions,includingfirewall,SSLVPNandInternetaccessmanagement.Sangforstartedshippingitsenterprisefirewallproductline(NextGenerationApplicationFirewall)in2011.Itnowfeatures16models,forafirewallthroughputofupto80Gbps.Sangfordoesnotofferavirtualappliance.
SangforisevaluatedasaNichePlayerforenterprisefirewallbecauseitservesanarrowedsegmentofthemarketandoperatesmostlyinChina.
Strengths
Sangforclientsliketheeaseofinstallation,reportingonsecurityandhighperformance.Theyalsocitecompetitivepriceasareasonforselectingthesolution.CloudbasedsandboxingandactivevulnerabilityscanningareavailableonSangfor'sfirewallatnoadditionalcharge.
Cautions
GartnerdoesnotseeSangforfirewallsbeingshortlistedoutsideofChina.InternationalizationoftheSangforfirewallproductlineisstillanongoingprocess.PotentialcustomersoutsideofChinashouldfirstverifytheavailabilityofvendorsupportandproductdocumentationfortheirusecase,andrequestreferencesfororganizationsinthesameregion.Surveyedcustomersshowedamajorityofuppermidsize/smallenterpriseusecases,withalimitednumberoffirewallsforasinglecustomer.Sangfor'senterprisefirewallisnewcomparedwithmostofitscompetitors,andseveralfeaturesarestillunproven,withaquicklygrowingnumberofdeploymentsbutalimitedexistence.
SophosSophosisasecuritycompanyheadquarteredinOxford,U.K.,thatisprimarilyknownforitsendpointsecuritysolution.Itsenterprisefirewallportfoliomainlyconsistsoftwoproductlines,theSGseries(14models,from1.5Gbpsto60Gbps)andtheNGproductline,resultingfromtheacquisitionofIndiabasedCyberoam(19models,from400Mbpsto160Gbps).ThetworemoteEthernetdevice(RED)modelsallowremoteVPNconnectionsforsmallbranches.SophosfirewallsarealsoavailableinvirtualapplianceformatandcanrunonAWS.SophosalsosellssecureWebgatewaysandsecureemailgatewaysinadditiontoitsendpointsecurityandmobilesecuritysolutions.
Sophos'NichePlayerpositioninthisMagicQuadrantreflectsitsfocusonuppermidmarketandsmallerenterpriseneeds,whichisshown,too,inthelimitedvisibilityforSophosfirewallsondatacenterandlargerenterprises'shortlists.
Strengths
AgrowingnumberofSophosendpointcustomersshortlistSophosasapotentialfirewall,citingeaseofuse,potentialproductsynergiesandsimplifiedprocurementasthemainreasonsforselectingthevendor.TheSophosCloudmanagementofferingcombinesmobile,endpointandnetworkmanagement,andappealstovastlydistributedenterprisesandorganizationswithalargemobileworkforce.TheSophosroadmapshowsagoodunderstandingoftheneedsofmidsizeandsmallerenterprisesclients,theirtargetmarket,andhowtheyplantoaddressoverlapsbetweentheirtwofirewallproductlines,increasecrosssynergiesacrosstheirsolutions,andfilltheremaininggapsintheirsecurityportfolio.SophosleadsthemarketinAWSfeaturesandmarketpenetration,andisagoodchoiceforAWSonlyplacements.
Cautions
Sophos'visibilityonGartnerenterpriseclientshortlistsremainslow,andisalmostexclusivelyfromexistingSophoscustomers.Sophosstillmaintainstwofirewallproductlines,andwillbedeliveringitsunifiednextgenerationproductinmid2015.CustomersmustensuretheirSophosappliancescanreceivethefirmwareupgradeinordertotakeadvantageofthenewplatform.Gartnerbelievesthatmidmarketandlargeenterprisehavedifferentneedsandexpectationsforcentralizedmanagementandreportingsolutions.Sophos'currentmanagementandreportingofferingsareorientedtowardUTMuseanddistributedorganizations,andgetlowerscoresincompetitiveevaluationswherecomplexpolicyandstringentworkflowrequirementsarehighlyweightedhowever,Sophosisagoodchoiceforuppermidmarketcustomers,smallerenterprisesandTypeCenterprises.
StormshieldStormshield(formerlyArkoon+Netasq),headquarteredinFrance,hasbeenapureplaynetworksecurityvendorformorethan15years,sellingUTMsystemsandenterprisefirewallswithintegratedIPSsandvulnerabilitymanagement.In2012,AirbusDefenceandSpaceCyberSecurity(formerlyCassidianCyberSecurity,asubsidiaryofEADSGroup)acquiredNetasq.InApril2013,itacquiredArkoon,anotherFrenchsecuritycompanywithfirewallsandendpointprotectionplatforms.ThetwogroupshaveunitedundertheStormshieldbrand,andhaveintroducedtheStormshieldNetworkSecurityline.Theseproductsarecomposedofnineappliances,rangingfrom400Mbpsto80Gbps.
VirtualversionsarealsoavailablewiththeVseries,andattheAWSMarketplace.
StormshieldisassessedasaNichePlayerforenterprises,mostlybecauseitbestservesmidsizebusinessesandgovernmentagenciesinWesternandCentralEurope.
Strengths
StormshieldisaEuropeanvendorandbenefitsfromlocalcertifications,suchasthe"EURestricted"orspecificassessmentfromtheFrenchgovernment,whichisofinteresttoEUgovernmentsandagencieslookingforsimplerprocurementoralocalprovider.Itsownership(Airbus)addscredibilitytoFrenchgovernmentanddefensecustomers.Stormshieldhasquicklyexecutedonaplantoproduceanewproductline,givingaclearchoicetoprospectsandexistingclientsfromtheformercompanieswhenconsideringafirewallrefresh.StormshieldhasawiderangeofvirtualappliancesandAWSbasedinstances,makingitagoodcandidatetoprotecthybridnetworks.CustomersciteIPSqualityasamainreasontheyselectStormshieldastheirnetworkfirewall.
Cautions
ThemajorityofStormshield'spenetration,visibilityandchannelisfocusedonEMEA,especiallyFrance.ThevendorhasnotbeenpartofNGFWselectionsthatGartnerhasseen.Theburdenofmaintainingsoftwaresupportfor36modelsmaystressStormshield'sR&Dresourcesanditsabilitytoexecuteonitstechnologyroadmaps.Stormshieldlackstheabilitytoapplyqualityofservice(QoS)rulesbasedonapplicationdetection.
WatchGuardWatchGuardisaSeattlebasednetworksecuritycompanythathasprimarilyseensuccessinsellingUTMproductstomidsizeenterprises.ItsXTMseriesofproductsspansperformanceandfeatureranges
demandedbylargeenterpriseshowever,WatchGuard'sbranding,channelsupportandmanagementcapabilitiestendtobemoreorientedtowardSMBs.WatchGuardalsohasproductsthatincludeSSLVPN,emailandWebsecurityproductlines.
TheXTMbrandedfirewallmodelsfallintotwocategories:TheXTM2SeriesandXTM5SeriesareUTM,whiletheXTM8SeriesandtheXTM1520andabovearetargetedattheenterprise.SinceWatchGuard'sintroductionofthe"NGFWBundle"optionforappliancesin2011andthe2014releaseofAPTBlocker,WatchGuard'scloudbasedmalwaredetectionofferingbasedonLastlinetechnology,thecompanyhassolutionsthatbettersuitprospectiveenterprisebuyersthantheUTMonlyapproach,thoughwehavenotseenmuchenterprisetractionyet.
WatchGuardisassessedasaNichePlayerforenterprises,mostlybecauseitservesSMBsanddistributedenterprises.However,wedonotoftenseeitdisplacingLeadersfortheedgefirewallusecasebasedonfeatures.Moreover,itisnotpresentondatacentershortlists.
Strengths
WatchGuard'sstrongprice/performancepointshaveenabledittowinpricesensitivecompetitionsacrossretail,branchoffice,remoteofficeandTypeCdistributedenterprisedeployments.WatchGuardcontinuestoinvestinenterpriseusecases,withenhancedIPv6andbettertrafficmanagementreleasedin2014,alongwithAPTBlocker.UsersreporthighsatisfactionwiththeWatchGuardmanagementconsole.EnterprisemodelsarecorrectlytargetedatNGFWsratherthanUTMfunctionality.ThecloudbasedreportingsolutionWatchGuardDimension,withitsexecutivedashboardandtrafficheatmaps,hasproventobeagoodadditiontothesetoffeaturesthatistargetingareaswheremanyfirewallswillbedeployed,suchasinfranchisesorretailstores,orviaanMSSP.Theinteractiveheatmapview(FireWatch)isusefultoquicklyidentifynetworkissuescreatedbyaspecificuserorapplication.
Cautions
GartnerrarelyseesWatchGuardinmostTypeAandTypeBenterprisefirewallselections.EnterpriseclasschannelsandsupportwillneedtobeexpandedifWatchGuardwishestocompeteinabroadersegmentofenterprises.Forexample,WatchGuarddoesnothavetheoptionforlargeenterprisestodeployaWatchGuardresidentengineer,arequirementforsomeenterprisedeployments.WatchGuardscoredlowasasignificantenterprisecompetitivethreatbythevendorswesurveyed,andithaslowvisibilityinGartner'scustomerbase.WatchGuardlagsbehindtheLeadersinarticulatingacomprehensivedatacenterstrategy,andinincludingSDNinitsroadmap.
VendorsAddedandDroppedWereviewandadjustourinclusioncriteriaforMagicQuadrantsandMarketScopesasmarketschange.Asaresultoftheseadjustments,themixofvendorsinanyMagicQuadrantorMarketScopemaychangeovertime.Avendor'sappearanceinaMagicQuadrantorMarketScopeoneyearandnotthenextdoesnotnecessarilyindicatethatwehavechangedouropinionofthatvendor.Itmaybeareflectionofachangeinthemarketand,therefore,changedevaluationcriteria,orofachangeoffocusbythatvendor.
AddedSangforwasaddedtotheMagicQuadrant.Arkoon+NetasqwasrenamedStormshield,whichnowappearsintheMagicQuadrant.
DroppedNovendorsweredropped.
InclusionandExclusionCriteriaInclusionCriteriaNetworkfirewallcompaniesthatmeetthemarketdefinitionanddescriptionwereconsideredforthisresearchunderthefollowingconditions:
Gartneranalystshaveassessedthatthecompanyhastheabilitytoeffectivelycompeteintheenterprisefirewallmarket.Thecompanyregularlyappearsonshortlistsforselectionandpurchases.Thecompanydemonstratesacompetitivepresenceinenterprisesandsales.Gartneranalystsconsiderthataspectsofthecompany'sproductexecutionandvisionmeritinclusion.Thevendorhasachievedenterprisefirewallproductsales(notincludingmaintenance)inthepastcalendaryearofmorethan$10million,andwithinacustomersegmentthatisvisibletoGartner.
ExclusionCriteriaNetworkfirewallcompaniesmayhavebeenexcludedfromthisresearchforoneormoreofthefollowingreasons:
ThecompanyhasminimalornegligibleapparentmarketshareamongGartnerclients,oritisnotactivelyshippingproducts.
Thecompanyisnottheoriginalmanufacturerofthefirewallproduct.ThisincludeshardwareOEMs,resellersthatrepackageproductsthatwouldqualifyfromtheiroriginalmanufacturers,aswellascarriersandISPsthatprovidemanagedservices.WeassessthebreadthofOEMpartnersaspartoftheevaluationofthefirewall,andwedonotrateplatformprovidersseparately.Thecompany'sproductssellasnetworkfirewalls,butdonothavethecapabilities,scalabilityandabilitytodirectlycompetewiththelargerfirewallproduct/functionview.ProductsthataresuitedforSMBs(suchasUTMfirewalls,orthoseforsmalloffice/homeofficeplacements)arenottargetedatthemarketthisMagicQuadrantcovers(enterprises)andareexcluded.ThecompanyprimarilyhasanetworkIPSwithanonenterpriseclassfirewall.
Thecompanyhaspersonalfirewalls,hostbasedfirewalls,hostbasedIPSsandWAFs(seeNote2)allofwhicharedistinctlyseparatemarkets.
EvaluationCriteriaAbilitytoExecute
Productorservice:Thisincludesserviceandcustomersatisfactioninenterprisefirewalldeployments.Executionconsidersfactorsrelatedtogettingproductssold,installed,supportedandinusers'hands.StrongexecutionmeansthatacompanyhasdemonstratedtoGartneranalyststhatproductsaresuccessfullyandcontinuallydeployedinenterprises,andthatthecompanywinsalargepercentageincompetitionwithothervendors.CompaniesthatexecutestronglygeneratepervasiveawarenessandloyaltyamongGartnerclients,andalsogenerateasteadystreamofinquiriestoGartneranalysts.Executionisnotprimarilyaboutcompanysizeormarketshare,althoughthosefactorscanaffectacompany'sAbilitytoExecute.Salesareafactorhowever,winningincompetitiveenvironmentsthroughinnovationandqualityofproductandserviceismoreimportantthanrevenue.Keyfeaturesareweightedheavily,suchasfoundationfirewallfunctions,consolequality,lowlatency,rangeofmodels,secondaryproductcapabilities(logging,eventmanagement,compliance,ruleoptimizationandworkflow),andtheabilitytosupportcomplexdeploymentsandmodernDMZs.Havingalowrateofvulnerabilitiesinthefirewallisimportant.Thelogisticalcapabilitiesformanagingappliancedelivery,productserviceandportdensitymatter.Supportisratedonthequality,breadthandvalueofofferingsthroughthespecificlensofenterpriseneeds.Overallviability:Thisincludesoverallfinancialhealth,prospectsforcontinuingoperations,companyhistory,anddemonstratedcommitmentinthefirewallandsecuritymarkets.Growthofthecustomerbaseandrevenuederivedfromsalesarealsoconsidered.Allvendorswererequiredtodisclosecomparablemarketdata,suchasfirewallrevenue,competitivewinsversuskeycompetitors(whicharecomparedwithGartnerdataonsuchcompetitionsheldbyourclients)anddevicesindeployment.Thenumberoffirewallsshippedorthemarketshareisnotthekeymeasureofexecution.Rather,weconsidertheuseofthesefirewallstoprotectthekeybusinesssystemsofenterpriseclients,andthosebeingconsideredoncompetitiveshortlists.Salesexecution/pricing:Weevaluatethecompany'spricing,dealsize,installedbase,andusebyenterprises,carriersandMSSPs.Thisincludesthestrengthofthevendor'ssalesanddistributionoperations.Presalesandpostsalessupportisevaluated.Pricingiscomparedintermsofatypicalenterpriseclassdeployment,andincludesthecostofallhardware,support,maintenanceandinstallation.Lowpricingwillnotguaranteehighexecutionorclientinterest.Buyerswantgoodresultsmorethantheywantbargains,andthinkintermsofvalueoversheerlowcost.Costofownershipoveratypicalfirewalllifecycle(threetofiveyears)isassessed,asisthepricingmodelforconductingarefreshwhilestayingwiththesameproductandreplacingacompetingproductwithoutintolerablecostsorinterruptions.Therobustnessoftheenterprisechannelandthirdpartyecosystemisimportant.Marketresponsiveness/record:Thisevaluatesthevendor'sabilitytorespondtochangesinthethreatenvironment,andtopresentsolutionsthatmeetcustomerprotectionneedsratherthanpackagingupfear,uncertaintyanddoubt.Thiscriterionalsoconsiderstheprovider'shistoryofresponsivenesstochangesindemandfornewfeaturesandformfactorsinthefirewallmarket,andhowenterprisesdeploynetworksecurity.Marketingexecution:CompetitivevisibilityisakeyfactoritincludeswhichvendorsaremostcommonlyconsideredtohavetopcompetitivesolutionsduringtheRFPandselectionprocess,andwhichareconsideredtopthreatsbytheothers.Inadditiontobuyerandanalystfeedback,thisrankinglooksatwhichvendorsconsidertheotherstobedirectcompetitivethreats,suchasbydrivingthemarketoninnovativefeaturescopackagedwithinthefirewall,orbyofferinginnovativepricingorsupportofferings.AnNGFWcapabilityisheavilyweighted,asareenterpriseclasscapabilities,suchasmultidevicemanagement,virtualization,adaptabilityofconfigurationandsupportforenterpriseenvironments.Unacceptabledevicefailurerates,vulnerabilities,poorperformance,andaproduct'sinabilitytosurvivetotheendofatypicalfirewalllifespanareassessedaccordingly.Significantweightingisgiventodeliveringnewplatformsforscalableperformanceinordertomaintaininvestment,andtotherangeofmodelstosupportvariousdeploymentarchitectures.Customerexperienceandoperations:Theseincludemanagementexperienceandtrackrecord,aswellasthedepthofstaffexperiencespecificallyinthesecuritymarketplace.Thegreatestfactorinthesecategoriesiscustomersatisfactionthroughoutthesalesandproductlifecycles.Lowlatency,throughputoftheIPScapabilityandhowthefirewallfaredunderattackconditionsarealsoimportant.Succeedingincomplexnetworkswithlittleintervention(forexample,oneoffpatches)ishighlyconsidered.
Table1.AbilitytoExecuteEvaluationCriteria
EvaluationCriteria Weighting
ProductorService High
OverallViability Medium
SalesExecution/Pricing Medium
MarketResponsiveness/Record High
MarketingExecution Medium
CustomerExperience High
Operations Medium
Source:Gartner(April2015)
CompletenessofVisionMarketunderstandingandmarketingstrategy:Thisincludesprovidingatrackrecordofdeliveringoninnovationthatprecedescustomerdemand,ratherthanan"us,too"roadmap.Wealsoevaluatethevendor'soverallunderstandingofandcommitmenttothesecurityandnetworksecuritymarkets.Gartnermakesthisassessmentsubjectivelybyseveralmeans,includinginteractionwithvendorsinbriefingsandfeedbackfromGartnercustomersoninformationtheyreceiveconcerningroadmaps.Incumbentvendormarketperformanceisreviewedyearbyyearagainstspecificrecommendationsthathavebeenmadetoeachvendor,andagainstfuturetrendsidentifiedinGartnerresearch.Vendorscannotmerelystateaggressivefuturegoalstheymustputplansinplace,showthattheyarefollowingtheirplans,andmodifythoseplansastheyforecasthowmarketdirectionswillchange.Understandinganddeliveringonenterprisefirewallrealitiesandneedsareimportant,andhavingaviableandprogressiveroadmapandcontinuingdeliveryofNGFWfeaturesisweightedveryhighly.TheNGFWcapabilitiesareexpectedtobeintegratedtoachievecorrelationimprovementandfunctionalimprovement.Salesstrategy:Thisincludespreproductandpostproductsupport,valueforpricing,andprovidingclearexplanationsandrecommendationsfordetectingevents,includingzerodayevents.Buildingloyaltythroughcredibilitywithafulltimeenterprisefirewallstaffdemonstratestheabilitytoassessthenextgenerationofrequirements.Vendorsneedtoaddressthenetworksecuritybuyingcentercorrectly,andtheymustdosoinatechnicallydirectmanner,ratherthansellingjustfearornextgenerationhype.Channelandthirdpartysecurityproductecosystemstrategiesmatterinsofarastheyarefocusedonenterprises.Offering(product)strategy:Thiscriterionfocusesonavendor'sproductroadmap,currentfeatures,NGFWintegrationandenhancement,virtualizationandperformance.Credible,independentthirdpartycertificationsincludetheCommonCriteriaforInformationTechnologySecurityEvaluation.Integrationwithothersecuritycomponentsisalsoweighted,aswellasproductintegrationwithotherITsystems.Wealsoevaluatehowthevendorunderstandsandservestheenterprisebranchofficeanddatacenter.Innovation,suchasintroducingpracticalnewformsofintelligencetowhichthefirewallcanapplypolicy,ishighlyrated.Anarticulated,viablestrategyforaddressingthechallengesinSDNdeploymentsisimportant.Businessmodel:ThisincludestheprocessandsuccessratefordevelopingnewfeaturesandinnovationitalsoincludesR&Dspending.Vertical/industrystrategyandgeographicstrategy:Theseincludetheabilityandcommitmenttoservicegeographiesandverticalmarkets,suchascomplexenterprisemultinationaldeployments,MSSPs,carriersorgovernments.Innovation:ThisincludesR&Dandqualitydifferentiators,suchas:
Performance,whichincludeslowlatency,newfirewallmechanisms,andachievinghighIPSthroughputandlowappliancelatency.Firewallvirtualizationandsecuringvirtualizedenvironments.Integrationwithothersecurityproducts.Managementinterfaceandclarityofreportingthatis,themoreaproductmirrorstheworkflowoftheenterpriseoperationscenario,thebetterthevision."Givingbacktime"tofirewalladministratorsbyinnovatingtomakecomplextaskseasier,ratherthanaddingmorealertsandcomplexity.
Productsthatarenotintuitiveindeployment,oroperationsthataredifficulttoconfigureorhavelimitedreporting,arescoredaccordingly.Solvingcustomerproblemsisakeyelementofthiscriterion.Reducingtherulebase,offeringinterproductsupportandleadingcompetitorsonfeaturesareforemost.
Table2.CompletenessofVisionEvaluationCriteria
EvaluationCriteria Weighting
MarketUnderstanding High
MarketingStrategy Medium
SalesStrategy Medium
Offering(Product)Strategy High
BusinessModel Medium
Vertical/IndustryStrategy Medium
Innovation High
GeographicStrategy Low
Source:Gartner(April2015)
QuadrantDescriptionsLeadersTheLeadersquadrantcontainsvendorsthatbuildproductsthatfulfillenterpriserequirements.Theserequirementsincludeawiderangeofmodels,supportforvirtualizationandvirtualLANs,andamanagementandreportingcapabilitythatisdesignedforcomplexandhighvolumeenvironments,suchasmultitieradministrationandrule/policyminimization.AsolidNGFWcapabilityisanimportantelementasenterprisescontinuetomoveawayfromhavingdedicatedIPSappliancesattheirperimeterandremotelocations.Vendorsinthisquadrantleadthemarketinofferingnewsafeguardingfeatures,providingexpertcapabilityratherthantreatingthefirewallasacommodity,andhavingagoodtrackrecordofavoidingvulnerabilitiesintheirsecurityproducts.Commoncharacteristicsincludehandlingthehighestthroughputwithminimalperformancelossandofferingoptionsforhardwareacceleration.
ChallengersTheChallengersquadrantcontainsvendorsthathaveachievedasoundcustomerbase,buttheyarenotconsistentlyleadingwithdifferentiatednextgenerationcapabilities.ManyChallengersareslowtoworktowardastrongNGFWcapabilityortheyhaveothersecurityproductsthataresuccessfulintheenterpriseandarecountingontherelationship,ratherthantheproduct,towindeals.Challengers'productsareoftenwellpriced,and,becauseoftheirstrengthinexecution,thesevendorscanoffereconomicalsecurityproductbundlesthatotherscannot.ManyChallengersholdthemselvesbackfrombecomingLeadersbecausetheyareobligatedtoplacesecurityorfirewallproductsatalowerpriorityintheiroverallproductsets.FirewallmarketChallengerswilloftenhavesignificantmarketshare,buttrailsmallermarketshareLeadersinthereleaseoffeatures.
VisionariesVisionarieshavetherightdesignsandfeaturesfortheenterprise,buttheylackthesalesbase,strategyorfinancialmeanstocompeteconsistentlywithLeadersandChallengers.MostVisionaries'productshavegoodNGFWcapabilities,butlackinperformancecapabilityandsupportnetwork.Savingsandhightouchsupportcanbeachievedfororganizationsthatarewillingtoupdateproductsmorefrequentlyandswitchvendorsifrequired.Iffirewallingisacompetitiveelementforanenterprise,thenVisionariesaregoodshortlistcandidates.VendorsthatdonothavestrongNGFWcapabilitiesaresupplementingtheminadefensivemove,whilevendorsthathavestrongNGFWofferingsarefocusedonmanageabilityandusability.Gartnerexpectsthenextwaveofinnovationinthismarkettofocusonbetteridentificationofmaliciousprotocolsatmultigigabitpersecondrates.
NichePlayersMostvendorsintheNichePlayersquadrantaresmallervendorsofenterprisefirewalls,makersofmultifunctionfirewallsforSMBs,orbranchofficeonlyproductmakersthatareattemptingtobreakintotheenterprisemarket.ManyNichePlayersaremakinglargerSMBproductswiththemistakenhopethatthiswillsatisfyenterprises.SomeenterprisesthathavethefirewallneedsofanSMB(forexample,someTypeC"riskaverse"enterprises)mayconsiderproductsfromNichePlayers,althoughothermodelsfromLeadersandChallengersmaybemoresuitable.Iflocalgeographicsupportisacriticalfactor,thenNichePlayerscanbeshortlisted.
ContextTheenterprisefirewallmarketisoneofthelargestandmostmaturesecuritymarkets.Itispopulatedwithmaturevendorsandsomemorerecententrants.Changesinthreats,aswellasincreasedenterprisedemandformobility,virtualizationanduseofthecloud,haveincreaseddemandfornewfirewallfeaturesandcapabilities.Organizations'finalproductselectiondecisionsmustbedrivenbytheirspecificrequirements,especiallyintherelativeimportanceofmanagementcapabilities,easeandspeedofthedeployment,acquisitioncosts,ITorganizationsupportcapabilities,andintegrationwiththeestablishedsecurityandnetworkinfrastructure.
MarketOverviewAsthefirstlineofdefensebetweenexternalthreatsandenterprisenetworks,firewallsneedtocontinuallyevolvetomaintaineffectiveness,respondingtochangesinthreatsaswellaschangesinenterprisenetworkspeedandcomplexity.Thefirewallmarketishighlypenetratedinthelargermarkets(NorthAmerica,WesternEuropeandmatureAsia/Pacific),whichmeansthat,toprotecttheirinstalledbase,incumbentsmustaddimprovedcapabilitiesandincreaseperformance,orfaceeitherreplacementbyinnovativemarketentrantsorcommoditizationbylowcostproviders.Firewallpolicymanagement(FPM)productsareincreasinglybeingusedtomanagecomplexity(seeNote3).
NextGenerationFirewallsOnekeyareaoffirewallevolutionthathasbeensupportediswhatGartner(in2009)called"NGFWfeatures"namely,integrateddeeppacketinspectionintrusiondetection,applicationidentificationandgranularcontrol.ThekeydifferentiatorsintheseareasareIPSeffectiveness,asdemonstratedthroughthirdpartytestingunderrealisticthreatandnetworkloadconditions,andfinegrainedpolicyenforcementinapproximatelythetop40businessapplications.Identitybasedpolicyenforcement,ortheabilitytoenforcepolicyonthousandsofapplications,hasbeenhighlytoutedbutusedinfrequently.
Becauseitishighlypenetrated,thefirewallmarketisdrivenbyrefreshcycles.WehaveseensomecommonpatternsinthefirewallmarketasenterpriseswiththreetofiveyearoldfirewallsandIPSsevaluatereplacement:
EnterprisesnotcurrentlyusinganyIPSsmigratetoNGFWswithminimaluseofadvancedfeatures.EnterpriseswithfirewallsandstandaloneIPSsthatareemployedprimarilyindetectionmode(thatis,usingminimalsignaturesets)migratetoNGFWsusingthebuiltinIPScapabilities.EnterpriseswithfirewallsandstandaloneIPSsthatareusedforactiveprevention,withlargesignaturesetsandsomecustomsignatures,migratetoNGFWsforthefirewallwithapplicationcontrolandusercontext,butcontinueusingstandaloneIPSs.HighsecurityenvironmentsupgradetoNGFWsforthefirewall,andupgradeIPSstoNGIPSs(see"DefiningNextGenerationNetworkIntrusionPrevention").Organizationsarelookingtoextendtheironpremisesfirewallvendorintoinfrastructureasaservice(IaaS)cloudproviders.
UTMCan'tCompeteWithNGFWsinEnterprisesHistorically,UTMvendorstargetedSMBclients.However,inthepastfewyears,thelargeUTMvendorshavetriedtoexpandbeyondtheirtraditionalusecase.TheynowtrytosellUTMtoenterpriseclientsthatscorepricecompetitivenesshigherthansecurity.GartnerseessomelimitedsuccessforTypeCenterprises,butitisrestrictedtotwousecases:distributedTypeCenterprises(mostlyintheretailindustry),andstatefulfirewallfornetworksegmentationatlowcost.However,theUTMapproachfailstoconvinceTypeAandTypeBenterprisesthatrequireNGFWcapabilitiesanddonotconsolidateWebantivirusontheInternetfacingfirewall(see"NextGenerationFirewallsandUnifiedThreatManagementAreDistinctProductsandMarkets").
UTMvendorsalsofacedifficultiesinbuildingastrongsalesandsupportchannelforenterprises(similarly,enterprisefirewallvendorswouldunderestimatetheworkofbuildinganSMBchannel).MostenterprisebuyersarealsowaryofshortlistingaUTMvendorbecauseofitsprimaryfocusonSMBsandlimitedbrandawareness.
VirtualizedFirewalls:HypeOutrunsDemandAsdatacentervirtualizationhascontinued,demandforvirtualappliancesupporthasgrown.Performanceandtheabilitytomanagefirewallpolicythroughasingleintegratedmanagementconsoleforstandaloneappliancesorvirtualappliancesarekeydifferentiators.Gartnerhasnotseenthefirewallfeaturesofvirtualizationplatforms(suchasthoseofferedwithVMware)asamajorcompetitortomainstreamfirewallvendorsbecausetheneedforseparationofdutiesdrivesclientstodoubttheinfrastructure'sabilitytoprotectitself.GartnercoversvirtualonlyfirewallvendorssuchasvArmourandIllumio,buthasnotseensignificantadoption.EarlyVMwareworkwithPaloAltoNetworks,andnowCheckPointandFortinet,hascreatedsomebuzzforvirtualizingdatacentersandnetworksandeastwestsegmentation,butfewcustomershaveadoptedthese,thoughadoptionisgrowingquickly.AsothervirtualizationplatformssuchasXenandHyperVgaintraction,managingheterogeneousvirtualizedfirewallsfromexistingphysicalfirewallvendors,virtualizationplatformvendorsandvirtualonlyfirewallswillpresentachallenge.Performanceremainsabarriertowiderdeployment:Almostallnetworkfirewallstodayaredeliveredonpurposebuiltappliancesbecauseofthepoorerperformanceofrunningfirewallsongeneralpurposeservers.Almostalloperatingsystemswithinfirewallappliancesareuniquelyhardened,subjecttostringentthirdpartysecurityevaluations.Securitymindedenterprisesarealsorightlyskepticalofrunningfirewallswithinahypervisorthatisbetweenthethreatandthefirewall.
Gartnermarketdataindicatesthat,in2014,thenumberofvirtualversionsoffirewallssoldremainedflatatlessthan2%.Amongthe95referencecustomerssurveyedforthisMagicQuadrant,0%listed"virtualversionavailable"asatopthreereasontheyselectedtheircurrentvendor,whereas53%selected"throughput/speed"asatopthreereason,andapproximately30%ofrespondentsselected"price"(34%),"managementconsole/reporting"(32%),"IPS"(32%),"applicationcontrol"(29%),and"highavailability/clustering"(27%).
Nodynamicshifttowardvirtualapplianceswilloccuruntilafundamentalchangetothecurrentnetworksecurityvirtualizationmarketismadeanddemanddrivesvendorinnovation.
TheFirewallMarketSlowsDownonAcquisitions,butRemainsDynamicAcquisitionsinthefirewallspacesloweddownin2014from2013'sbreakneckpace,butgrowthremainedrobust.
Duringtheevaluationperiod,thefirewallmarketgrew9.5%to$9.5billion.For2015,Gartnerestimatesthefirewallmarketwillgrowapproximately10%toreach$10.5billionin2015.Wealsoforecastthatthismarketwillreachacompoundannualgrowthrateof10%through2017,andwillbeelevatedbytheadditionoffirewalladdonssuchasIPSsandadvancedthreatdefenses.Gartnerbelievesthatthefirewallmarketis"atcapacity":Althoughthegrowthrateisjustaround10%,thisisthelargestsecurityproductmarket(fastapproaching$10billion),andincrementalmarketgrowthissignificant.Firewallrefreshesremainconstantatafiveyearaverage,soevenifgreatnewproductsemerge,incumbentfirewallsarerarelyrefreshedbeforetheyreachmaturity.Thisrefreshdynamicresultsinthemarketbeinglinear,ratherthanhavingmacrorefreshcyclesor"bumps"ofrefreshes,asinothermarkets.
HaveSomeAdvancedThreatDetectionWithThatFirewallAdvancedthreatdetectionusinganetworksandbox,pioneeredbyFireEye,hasbecomearapidlygrowingmarket.Asadvancedthreatdefense/detectionfurtherpenetratesthemainstreammarket,firewallvendorshaveintroducedsolutionsoverthepastthreeyears.Thesefirewallattachedsandboxesaredeliveredmostlyascloudbasedsandboxespricedassubscriptionbasedservices.Mostofthefirewall
vendorsevaluatedhereeitherdeliveranetworksandboxtoday,orhaveitontheirshorttermroadmaps.Someofthesearebuiltbythefirewallvendors,othersaredeliveredthroughthirdpartypartnerships.
Thusfar,we'veseenfirewallconnectedsandboxesappealmostlytobudgetconstrainedTypeBenterprisesthatwouldrathermaintainsingleconsolecontrolovertheirfirewallthandeployaseparateplatform.Asthedesiretodefendagainsttheadvancedthreatmorefullypermeatesthemainstreammarket,weexpectthatcustomerswillincreasinglyturntotheirfirewallvendorsfortheirnetworksandboxingneeds(see"MarketGuideforNetworkSandboxing").
ConfusingUseof"Application"and"Firewall"inThreeDistinctProductsOverlappingterminologyandunclearmarketingcanleadtoconfusionamongthethreedistinctissuesofapplicationcontrol,WAFsandfirewallsonapplicationdeliverycontrollers(ADCs).ThefirewallapplicationcontrolapproachesusedbymostNGFWvendors(suchasCheckPoint,DellSonicWALL,FortinetandPaloAltoNetworks)aremostlyaboutcontrollingaccesstoexternalapplications,suchasFacebookandpeertopeer(P2P)filesharing.
WAFsaredifferent:TheyareplacedprimarilyinfrontofWebserversinthedatacenters.PureplayWAFcompanies(suchasImperva)ordatacenterinfrastructurevendorsthatprovideWAFtechnologywithintheirADCsareconcernedwithprotectingcustominternalWebapplications.
WhilesomeADCvendors(suchasF5)arenowofferingnetworkfirewallingwithintheirADCsaswell,GartnerdoesnotseeNGFWandWAFtechnologiesconvergingbecausetheyarefordifferenttasksatdifferentplacements.MosttraffictoenterpriseWebserversremainsencrypteduntilitreachestheADC,meaningtheownersoffirewallsandIPSsfacethedifficultdecisionofwhethertoengageSSLinspection,whichinvolvesaterminationandreencryptionofthesesessions(see"SecurityLeadersMustAddressThreatsFromRisingSSLTraffic"and"WebApplicationFirewallsAreWorththeInvestmentforEnterprises").
AsGartneradvisesclients,mostenterpriseshaveasinglebrandofnetworkfirewallforallplacements,includingInternetfacing,virtualized,datacenterandbranch(see"OneBrandofFirewallIsaBestPracticeforMostEnterprises").Thesedatacenterfirewallswillbechallengedtogainanynoteworthyshareuntiltheycanprovidecompetitivefirewallingforallenterpriseplacements.Theycan,however,serveaspecializednicheofplacements,suchasincaseswherethedatacenterisaseparatebusinesswithitsownfirewalloperationsstaff.
AsiaPacificContext22April2015
Analyst(s):CraigLawson,AdamHils,MatthewCheung
TheAsia/Pacificregionwillrepresentjustover11%ofthetotalenterprisenetworkfirewallmarketin2015.ItsdiverseculturesanddifferencesinmarketmaturitycreatespecificexpectationsandrequirementswhenAsia/Pacificenterprisesevaluatefirewallvendors.
MarketDifferentiatorsFirewalltechnologycontinuestobeafundamentalelementofnetworksecuritystrategyforAsia/Pacificorganizations.Thisregionhasadifferentcompetitivelandscapetoothergeographiesduetoitssizeandgeopoliticalalignments.TheAsia/Pacificmarketisforecasttomakeup$926millionofthetotal$8.346billionspentonenterprisefirewalls(11%oftheglobalmarket)in2015.Thisoverallmarketisexpectedtogrowto$9.745billionby2017,withAsia/Pacificaccountingfor$1.12billion,or11%.
TherearetwousageprofilesinAsia/Pacificconcerningfirewallacquisitionanddeployedfeatures:TechnologicallymoreadvancedAsia/Pacificcountries(suchasJapan,SingaporeandAustralia)haveasimilarfeatureadoptionratetotheU.S.andEurope,embracingmorerecenttrendssuchascloudbasedsandboxingmeanwhile,emergingAsia/Pacificcountries(China,Indonesiaandothers)arestillmovingthroughearlierphasesofnextgenerationfirewall(NGFW)featureadoption.
TheAsia/Pacificregion'sdiversityintermsofgeography,culture,industryandeconomicmodelsmeanstherearevaryinglevelsofITorganizationmaturityandprocurementpolicies.ThisisdifferentinmakeupcomparedwiththeNorthAmericanandEuropeanmarketsthatpredominantlyoperateundersimilarsetsoflegislativerequirementsandalimitednumberofcurrencies.Asia/Pacific'sdiversitymeansthatvendorsmustsupportthesenuancesandthecostofdeliveryburdenswithinalargeregioncomposedofmanylargeandsmallcountries,eachwithitsownlegislative,cultureandcurrencyrequirements.InAsia/Pacific,anumberofvendorsdealwiththiscomplexitybyleveragingatieredvalueaddeddistributor/valueaddedreseller(VAR)model.
Theeffectsonnetworksecurityvendors'salesandmarketshareinlightoftheU.S.surveillancerevelationsstartingin2013areyettobefullyseeninAsia/Pacific.WhileGartnerdoesnotexpectthistochangethesizeofthefirewallmarket,itislikelytochangethemarketshareofvendorsasnonU.S.customersmoveawayslightlyfromU.S.providers.ThiswillfavorAsia/Pacificnativesecurityprovidersthatwillbenefitfroma"builthere"sentimentthatisstronginsomebutnotallpartsofAsia/Pacific(see"TheSnowdenEffect:DataLocationMatters").
ConsiderationsforTechnologyandServiceSelectionClientsinAsia/Pacificshowapreferenceforprovidersthathavealocalpresence,atleastforsalesandpresalessupport.Asia/Pacificorganizationsexpectsupportforlocallanguagesinboththeproductmanagementinterface,documentation(withreportingataminimum)andfortechnicalsupport.
WiththesteadytransitiontoapplicationandidentitybasednetworksecuritydeliveredbyNGFWs,vendorsalsoneedtosupportsocialnetworkingandbrowserapplicationsthatareheavilyusedinAsia/Pacific,althoughnotprevalentintheinaproduct'shomecountryofdevelopment.ExamplesincludeTencent(QQ,WeChat,QQBrowser)Weibo,Line,KakaoTalk,ViberandPPSEntertainment.DeepunderstandingofthisapplicationecosystemandsubsequentabilitytofilterisaproductdifferentiatorintheAsia/Pacificmarket.
IntheemergingAsia/Pacificcountrieswithmorematureeconomies,priceisastrongdriver,andthemarketiscontinuingtoshowthatproductsdeliveringamajorityof"goodenough"featuresatapalatablepricewillcontinuetoholdandinsomecasestakesharefrommoreprominentbrands.Additionally,largescalethroughputisalsoanimportantfactorinthetelco/ISPverticalintheAsia/Pacific'sheavilypopulatedcountries.
InsidematureAsia/Pacific(suchasJapan,Singapore,Australia,NewZealandandHongKong),NGFWfeaturessuchassecurityefficacy,advancedmanagementandrobustsupportareallvaluedbycustomers,asiscompetitivepricing.GartnerisalsoseeinghighlevelsofinterestinmaturecountiesintheregionforintegratedadvancedthreatdetectioncapabilitiesleadingtoincreasedattachrateinNGFWsales.Vendorsthatofferthis"feature"toadvancedAsia/Pacificcustomersaspartoftheiroverallarchitecturewillbemoresuccessfulthanpointproductvendors(seePredicts2015:InfrastructureProtection).
NotableVendorsVendorsincludedinthisMagicQuadrantPerspectivehavecustomersthataresuccessfullyusingtheirproductsandservices.SelectionsarebasedonanalystopinionandreferencesthatvalidateITproviderclaimshowever,thisisnotanexhaustivelistoranalysisofvendorsinthismarket.Usethisperspectiveasaresourceforevaluations,butexplorethemarketfurthertogaugetheabilityofeachvendortoaddressyouruniquebusinessproblemsandtechnicalconcerns.ConsiderthisresearchaspartofyourduediligenceandinconjunctionwithdiscussionswithGartneranalystsandotherresources.
CheckPointSoftwareTechnologies
CheckPointhasasignificantexistingclientbaseinAsia/Pacificandhasconsistentlyoutsoldallcompetitorsintheregion'sfirewallmarket,whichvaluessecurityfeaturesandmanagingcomplexityaswellascompetitive,butnotthelowest,pricing.Thevendorhasstrongbrandrecognition,marketleadingfeatures,alargechannelandextensivecountrylevelcoverageinAsia/Pacific.WithNGFWadoptionratesinemergingAsia/PacificlaggingthoseinmatureAsia/Pacificandotherregions,thereisalargepotentialtomoveexistingandnewclientsontoitsNGFWplatform,inadditiontofeaturedrivencompetitivedisplacement.CheckPointhasalsoaddedadvancedthreatcapabilitiesviasandboxingtotheplatform,whichisanimportantbuyingfactorinAsia/Pacific.
CheckPointshouldbeconsideredbysecurityconsciousorganizationswithintheAsia/Pacificregionforitsbreadthofsecuritycontent,regionalchannelsupportandrangeofappliances.
Cisco
Ciscohasasignificantshareofthesecuritymarketintheregionandhasleverageditsnetworkingheritageverysuccessfullyoveralongperiodoftimeinsalesofitsfirewallplatform.ItcontinuestobeaformidablevendorinthismarketdueprimarilytoitslargechannelandcrosssellingopportunityforAsia/Pacificpartnersandclients.Cisco'sintrusionpreventionandadvancedthreatdetectioncapabilitiesviatheSourcefireacquisitionareincludedwithintheASAwithFirePOWERproductsandcomplementedbythebroaderportfolioofWeb,emailandidentityproducts.ThisenablesCiscotocontinuetocompeteforpricesensitiveAPACbuyerswhileallowingforupgradesforclientsthatalsorequireadvancedsecurityfeatures.However,latelyCisco'ssalesinChinahavetakenadownturnbasedonrecentpublicfinancialannouncements,whichweattributetogeopoliticalmachinationsstemmingfromthe2013NationalSecurityAgency(NSA)disclosures.
Ciscoshouldbeconsideredformidsizeandlargeenterprisesthatvalueasinglevendorfornetworkingandsecuritysolutions,Asia/Pacificwidefieldcoverageandchannelsupport.
DellSonicWALL
DellSonicWALLlagsbehindmanyenterprisefirewallsinregionalmarketpresence.Itispricecompetitive,however,withregionalvendors,buttodatehasnotdevelopedaneffectiveAsia/Pacificsaleschannel.SonicWALLcouldbenefitfromDell'srecentcommitmentofresourcestotheregion,particularlyChina.DellSonicWALL'srangeofapplianceshavelocalizedlanguagesupporttotargetorganizationsinChina,SouthKoreaandJapan,andwillhelpitappealtoorganizationsthatdemandalocallanguageexperience.
SonicWALLshouldbeconsideredforAsia/PacificclientsthatarealreadyrunningDellinfrastructure,andasacompetitiveoptionforpriceconsciousmidmarketbuyersanddistributedenterpriseusecasesduetoitslargerangeofappliances.
Fortinet
Asia/PacificandJapanespeciallyrepresentahealthypercentageofFortinet'sworldwiderevenueshare,puttingitaheadofanumberofextraregionalcompetitorsintheregion.InmanyAsia/Pacificmarkets,Fortinetisthesecondlargestnetworksecurityvendor.FortinethasalsoinvestedinAsia/PacificwithR&DinBeijing,athreatresearchcenterinSingaporeandasupportcenterinMalaysia.Thisfostersitslocalpresenceaswellasitsproductlocalizationefforts.
Fortinet'sfocusonlowercost,highthroughputfirewallapplicationspecificintegratedcircuit(ASIC)basedtechnologies,incombinationwithacompetitivesecurityfeaturesetandadvancedthreatcapabilities,has
givenitmarketappealintheregion,wherecost,rangeofappliancesandperformancearekeyrequirementsforusecasesthatconvergemultipletechnologiesonasingleappliance.
FortinetshouldbeconsideredbyallmidmarketandlargeclientsduetoitsrangeofproductsandsupportoftheAsia/Pacificregion.
HillstoneNetworks
HillstoneNetworksisafirewallvendorheadquarteredbothinChinaandtheU.S.withanambitiontoexpandfurthergloballybyincreasingitspresenceintheU.S.andotherregions.Since2014,Hillstonehassetupoperationsanddistributors/resellersnetworksinmostregionsgloballynow,includingSoutheastAsia.Hillstonehasabroadportfolioofnetworksecurityproducts,butamajorityofrevenuecomesfromfirewall,targetingbothcarriersandenterprises.Hillstone'scustomerbaseismostlyinChina.
AlthoughHillstonefocusedoriginallyondeliveringcommonfirewallfeaturesandfunctions,ithasmarketeditsiNGFWcapabilities("i"forintelligent)andasoftwaredefinednetwork(SDN)strategyinitsproductportfolio.ThesefeaturesdifferentiateHillstonefrommostofthecommodityfirewallvendorsfromChina.Hillstonelookstocompetewithglobalplayerswiththesefeatures.
Hillstoneisalsoperceivedasapricecompetitivelocalprovider,anditshighperformanceandstabilityarecitedbycustomers.
Huawei
HuaweiisoneofthefewChinesenetworksecuritycompaniesthathasexpandeditsfootholdoutsidetheregion.MorethanhalfofHuawei'sfirewallrevenuecomesfromoutsideofChina,buttherestofAsia/PacificisrelativelyasmallmarketinHuawei'soverallrevenuesplit.Huawei'ssecurityproductsaresoldwidelytobothenterprisesandtelecomoperators.
Huawei'skeydifferentiatorsareitsintegrationwithitsnetworkingbusiness,competitivepricingandrelationshipwithtelecomoperators.AlthoughHuaweisecurityispartofitsnetworkingandsecuritydivision,Huaweisecurityhasitsownsecuritysalesteamanddedicatedchannelpartners.
Huaweisecuritysolutionsshouldbeconsideredbyclientsvaluingthesamenetworkandsecurityvendor,prospectswithinChina,andadditionallywherepriceisaprimarybuyingconsideration.
JuniperNetworks
JuniperNetworksdoesagreaterpercentageofitsfirewallbusinessinAsia/Pacificthanmostglobalvendors,continuingitslongtimelegacyofservingregionalcustomers'firewallneeds.JuniperNetworkshasaprovennetworkingchannelintheregion,andithasleveragedtosellitsSRXproductline.JuniperNetworksalsoseessuccesswithmanagedsecurityserviceprovider(MSSP)partnersthatoftensellitsfirewalls(physicalorvirtual)asthedefaultoption,whichisduetocostandperformance.
AsJuniperincreasinglyshiftsitssecurityemphasistohigherendcloudprovidersandtelecommunicationsareas,Asia/Pacificenterprisesshouldaskforroadmapcommitmenttocontinuedenterpriseclassproductdevelopmentandsupport.
PaloAltoNetworks
PaloAltoNetworksisseenasaninnovatorinfirewallsduetoitsearlytomarketnextgenerationfirewallfeatures.Asaconsequence,ithasmanywinsamongcustomersinAsia/PacificwithmorematureITadoptionprofiles.ThecompanyhasinvestedinAsia/Pacificandhasestablishedaviablepresence,butcustomeradoptionofPaloAltoNetworks'technologyisnotasstrongonarelativebasiswhencomparedwithNorthAmericaandEurope.Thisisduetoconsiderablecompetitionfromregionallystrongplayers(Huawei,Hillstone),thestrengthinAsia/Pacificofentrenchedglobalplayers(Cisco,CheckPoint,Fortinet)andtherelativesizeofPaloAltoNetworks'Asia/Pacificstaffingandchannel.
Advancedfeaturescontinuetomakeitaworthyshortlistcandidatefor"leanforward"Asia/PacificorganizationswiththeskillsandbudgetnecessarytoleveragePaloAltoNetworks'"nextgeneration"featuresandsecuritycontent.GartnerexpectsitsintegratedadvancedthreatpreventionarchitecturetobeastrongfeaturedifferentiatorintheAsia/PacificNGFWmarket.
LeanforwardorganizationswithintheAsia/PacificregionwithasecurityovercostpreferenceshouldconsiderPaloAltoNetworksfortheirshortlists.
Sophos
NottraditionallyalargeplayerintheAsia/Pacificenterprise,Sophos,withitsFebruary2014acquisitionofIndiabasedCyberoam,hasbolstereditspresenceintheregion,especiallySouthAsia.Cyberoam'sproductlinehasexcelledatuseridentitycontrolandhasembeddedreportingitscustomerslike.Inaddition,Cyberoamhasaddedfeaturestoappealtoindustrialenterpriseusecases.SophosisintheprocessofintegratingdifferentiatedfeaturesofthelegacySophosandCyberoamproductlines,buttheCyberoamappliancesremainavailable.Clientsshouldassesstheoutcomesoftheproductlinesmergingtoensurethisprocessstillalignswithtacticalandstrategicproductchoices.
SouthAsianorganizationslookingforalowcostregionaloptionwithadvancedidentitybasedcontrolsshouldevaluateSophosasashortlistcandidate.
WatchGuard
WatchGuard'sregionalpresenceintermsofthenumberofitsAsia/Pacificcustomermixisaboutonparwithitsextraregionalcompetitors.Overthepastseveralyears,WatchGuardhasgrownitspresencein
theregionwithadditionalstaff.IthasasimilargotomarketapproachwithitstechnologyasvendorslikeFortinet,offeringagoodrangeandfeaturesofNGFWandunifiedthreatmanagement(UTM)appliancesatcompetitivepricing.Thissuitssmaller,midmarketAsia/Pacificclients.WatchGuardhasalsopartneredtodeliverpayloadadvancedpersistentthreat(APT)detectionfunctionality,whichisincreasinglybecomingatablestakescomponentofperimeterarchitecturesinAsia/Pacific.
WatchGuardshouldbeconsideredbymidmarketandgeographicallydispersedAsia/Pacificbusinessesthatrequireamixofsecurityfeaturesatacompetitiveprice.
Wins
WinsisheadquarteredinSouthKorea,whereitalreadyhasadomesticallysuccessfulnetworkintrusionpreventionsystem(IPS)offering.ItsNGFWincludesthesameIPSengine.ThecompanycompetesprimarilyinSouthKoreaandJapan.AlthoughWinsisexpandingintoIndonesia,Malaysia,SingaporeandotherpartsofSoutheastAsia,GartnerhasseenitsproductsmostlyinWins'corenations.KoreanandJapanesecustomersshouldconsiderthisvendorforinclusiononfirewallshortlists.
WinsshouldbeconsideredbyclientsinWin