19
Magic Quadrant for Enterprise Network Firewalls 22 April 2015 ID:G00263955 Analyst(s): Adam Hils, Greg Young, Jeremy D'Hoinne VIEW SUMMARY "Nextgeneration" capability has been achieved by the leading products in the network firewall market, and competitors are working to keep the gap from widening. Buyers must consider their operational realities, the burden of switching, and the tradeoffs between "bestofbreed" function and costs. Market Definition/Description The enterprise network firewall market represented by this Magic Quadrant is composed primarily of purposebuilt appliances for securing enterprise corporate networks. Products must be able to support singleenterprise firewall deployments and large and/or complex deployments, including branch offices, multitiered demilitarized zones (DMZs) and, increasingly, the option to include virtual versions, often within the data center. These products are accompanied by highly scalable (and granular) management and reporting consoles, and there is a range of offerings to support the network edge, the data center, branch offices and deployments within virtualized servers. The companies that serve this market are identifiably focused on enterprises — as demonstrated by the proportion of their sales in the enterprise; as delivered with their support, sales teams and channels; but also as demonstrated by the features dedicated to solve enterprise requirements and serve enterprise use cases. As the firewall market continues to evolve, NGFWs add new features to better enforce policy (application and user control) or detect new threats (intrusion prevention systems [IPSs], sandboxing and threat intelligence feeds). The standalone Secure Sockets Layer (SSL) VPN market has largely been absorbed by the firewall market. Eventually, the NGFW will continue to subsume more of the standalone network IPS appliance market at the enterprise edge. This is happening now; however, some enterprises will continue to choose to have bestofbreed IPSs embodied in nextgeneration IPSs (NGIPSs). More recently, enterprises have begun looking to firewall vendors to provide cloudbased malwaredetection instances to aid them in their advanced threat efforts, as a costeffective alternative to standalone sandboxing solutions (see "Market Guide for Network Sandboxing"). However, nextgeneration firewalls will not subsume all network security functions. Allinone or unified threat management (UTM) approaches are suitable for small or midsize businesses (SMBs), but not for the enterprise (see "NextGeneration Firewalls and Unified Threat Management Are Distinct Products and Markets"). The needs for branchoffice firewalls are becoming specialized, and they are diverging from, rather than converging with, UTM products. As part of increasing the effectiveness and efficiency of firewalls, they will need to truly integrate moregranular blocking capability as part of the base product, go beyond port/protocol identification and move toward an integrated service view of traffic, rather than merely performing "sheet metal integration" of point products. Magic Quadrant Figure 1. Magic Quadrant for Enterprise Network Firewalls ADDITIONAL PERSPECTIVES Geography: AsiaPacific STRATEGIC PLANNING ASSUMPTIONS Virtualized versions of enterprise network safeguards will not exceed 10% of market revenues by yearend 2018, up from less than 5% today. Less than 40% of enterprise Internet connections today are secured using nextgeneration firewalls (NGFWs). By yearend 2018, this will rise to at least 85% of the installed base, with 90% of new enterpriseedge purchases being NGFWs as more enterprises realize the benefits of application and user control. By 2018, 85% of new deals for network sandboxing functionality will be packaged with network firewall and content security platforms. Fewer than 2% of deployed enterprise firewalls will have Web antivirus actively enabled on them through 2016, although more than 10% of enterprises will have paid for it. ACRONYM KEY AND GLOSSARY TERMS ADC application delivery controller AFM Advanced Firewall Manager ASA Adaptive Security Appliance ATA advanced targeted attack ATD advanced threat detection AWS Amazon Web Services DDoS distributed denial of service DMZ demilitarized zone FIPS U.S. Federal Information Processing Standards FPM firewall policy management GUI graphical user interface IP Internet Protocol IPS intrusion prevention system IPv6 Internet Protocol version 6 MSSP managed security service provider NGFW nextgeneration firewall NGIPS nextgeneration IPS P2P peertopeer SMB small or midsize business SSL Secure Sockets Layer UTM unified threat management VE Virtual Edition VPN virtual private network WAF Web application firewall EVIDENCE

Magic Quadrant for Enterprise Network Firewalls

Embed Size (px)

DESCRIPTION

Magic Quadrant for Enterprise Network Firewalls

Citation preview

  • MagicQuadrantforEnterpriseNetworkFirewalls22April2015ID:G00263955

    Analyst(s):AdamHils,GregYoung,JeremyD'Hoinne

    VIEWSUMMARY

    "Nextgeneration"capabilityhasbeenachievedbytheleadingproductsinthenetworkfirewallmarket,andcompetitorsareworkingtokeepthegapfromwidening.Buyersmustconsidertheiroperationalrealities,theburdenofswitching,andthetradeoffsbetween"bestofbreed"functionandcosts.

    MarketDefinition/DescriptionTheenterprisenetworkfirewallmarketrepresentedbythisMagicQuadrantiscomposedprimarilyofpurposebuiltappliancesforsecuringenterprisecorporatenetworks.Productsmustbeabletosupportsingleenterprisefirewalldeploymentsandlargeand/orcomplexdeployments,includingbranchoffices,multitiereddemilitarizedzones(DMZs)and,increasingly,theoptiontoincludevirtualversions,oftenwithinthedatacenter.Theseproductsareaccompaniedbyhighlyscalable(andgranular)managementandreportingconsoles,andthereisarangeofofferingstosupportthenetworkedge,thedatacenter,branchofficesanddeploymentswithinvirtualizedservers.

    Thecompaniesthatservethismarketareidentifiablyfocusedonenterprisesasdemonstratedbytheproportionoftheirsalesintheenterpriseasdeliveredwiththeirsupport,salesteamsandchannelsbutalsoasdemonstratedbythefeaturesdedicatedtosolveenterpriserequirementsandserveenterpriseusecases.

    Asthefirewallmarketcontinuestoevolve,NGFWsaddnewfeaturestobetterenforcepolicy(applicationandusercontrol)ordetectnewthreats(intrusionpreventionsystems[IPSs],sandboxingandthreatintelligencefeeds).ThestandaloneSecureSocketsLayer(SSL)VPNmarkethaslargelybeenabsorbedbythefirewallmarket.Eventually,theNGFWwillcontinuetosubsumemoreofthestandalonenetworkIPSappliancemarketattheenterpriseedge.Thisishappeningnowhowever,someenterpriseswillcontinuetochoosetohavebestofbreedIPSsembodiedinnextgenerationIPSs(NGIPSs).Morerecently,enterpriseshavebegunlookingtofirewallvendorstoprovidecloudbasedmalwaredetectioninstancestoaidthemintheiradvancedthreatefforts,asacosteffectivealternativetostandalonesandboxingsolutions(see"MarketGuideforNetworkSandboxing").

    However,nextgenerationfirewallswillnotsubsumeallnetworksecurityfunctions.Allinoneorunifiedthreatmanagement(UTM)approachesaresuitableforsmallormidsizebusinesses(SMBs),butnotfortheenterprise(see"NextGenerationFirewallsandUnifiedThreatManagementAreDistinctProductsandMarkets").

    Theneedsforbranchofficefirewallsarebecomingspecialized,andtheyaredivergingfrom,ratherthanconvergingwith,UTMproducts.Aspartofincreasingtheeffectivenessandefficiencyoffirewalls,theywillneedtotrulyintegratemoregranularblockingcapabilityaspartofthebaseproduct,gobeyondport/protocolidentificationandmovetowardanintegratedserviceviewoftraffic,ratherthanmerelyperforming"sheetmetalintegration"ofpointproducts.

    MagicQuadrant

    Figure1.MagicQuadrantforEnterpriseNetworkFirewalls

    ADDITIONALPERSPECTIVES

    Geography:AsiaPacific

    STRATEGICPLANNINGASSUMPTIONS

    Virtualizedversionsofenterprisenetworksafeguardswillnotexceed10%ofmarketrevenuesbyyearend2018,upfromlessthan5%today.

    Lessthan40%ofenterpriseInternetconnectionstodayaresecuredusingnextgenerationfirewalls(NGFWs).Byyearend2018,thiswillrisetoatleast85%oftheinstalledbase,with90%ofnewenterpriseedgepurchasesbeingNGFWsasmoreenterprisesrealizethebenefitsofapplicationandusercontrol.

    By2018,85%ofnewdealsfornetworksandboxingfunctionalitywillbepackagedwithnetworkfirewallandcontentsecurityplatforms.

    Fewerthan2%ofdeployedenterprisefirewallswillhaveWebantivirusactivelyenabledonthemthrough2016,althoughmorethan10%ofenterpriseswillhavepaidforit.

    ACRONYMKEYANDGLOSSARYTERMS

    ADC applicationdeliverycontroller

    AFM AdvancedFirewallManager

    ASA AdaptiveSecurityAppliance

    ATA advancedtargetedattack

    ATD advancedthreatdetection

    AWS AmazonWebServices

    DDoS distributeddenialofservice

    DMZ demilitarizedzone

    FIPS U.S.FederalInformationProcessingStandards

    FPM firewallpolicymanagement

    GUI graphicaluserinterface

    IP InternetProtocol

    IPS intrusionpreventionsystem

    IPv6 InternetProtocolversion6

    MSSP managedsecurityserviceprovider

    NGFW nextgenerationfirewall

    NGIPS nextgenerationIPS

    P2P peertopeer

    SMB smallormidsizebusiness

    SSL SecureSocketsLayer

    UTM unifiedthreatmanagement

    VE VirtualEdition

    VPN virtualprivatenetwork

    WAF Webapplicationfirewall

    EVIDENCE

  • Source:Gartner(April2015)

    VendorStrengthsandCautionsAhnLabSouthKoreabasedAhnLabisalongestablishedsecurityvendor.Knownmostlyforantivirussoftware,AhnLab'snetworksecurityofferingsincludefirewalls,IPSsandadvancedthreatsolutions.AhnLabbeganofferingafirewallproductundertheTrusGuardbrandin2007,andnowthereare10models.ThefirewallisCommonCriteriacertifiedEAL4,butdoesnothaveotherthirdpartyevaluations(suchasICSALabs,NSSLabsorFIPSPUB1402).

    AhnLabisassessedasaNichePlayerforenterprises,becausemostofitswinsarewithinaspecificgeographySouthKoreaand/orareassociatedwithanexpansionoftheendpointsecuritybusiness,notbecausethevendorcompetesonbestofbreedenterprisefirewallfeatures.

    Strengths

    SouthKoreaclientsshouldconsiderAhnLabfortheirfirewallshortlists,givenitssignificantlocalmarketshareandsupportpresence.Themodelrangeisverybroadtheenginewasdesignedtominimizedistributeddenialofservice,includingfeaturesoptimizedforhandlingsmallerpacketsizes.AhnLab'sendpointproductcustomerscanhavethesamevendorprovidethemwiththeirnetworkfirewallsolution,reducingvendormanagementchallenges.

    Cautions

    TheTrusGuardfirewallisnotoftenseeninenterpriseselectionsintheGartnerclientbase.AhnLabwasnotlistedbyanyvendorwesurveyedasasignificantenterprisecompetitivethreat.AhnLabdoesnotoffervirtualfirewallmodels,andhasnotyetintegrateditsMalwareDefenseSystem(MDS)malwaredetectionappliancewithitsfirewall.AhnLabdoesnotallowmultipleadministratorstomakerulechangessimultaneously,placingitatadisadvantageinlargeenterprises.

    BarracudaNetworksCampbell,CaliforniabasedBarracudaNetworkshasbeenfocusedprimarilyonsellingawiderangeofsecuritystorage,andinfrastructureappliancesandcloudservicestomidsizebusinessesandsmallenterprisemarketsatlowprices.TheBarracudaenterprisefirewallofferingistheNGFirewall,whereastheBarracudaFirewallseriestargetsSMBs.TheNGFirewallhasapplicationcontrolandreputationservices,whiletheBarracudaNGFirewallVxisavirtualversion,andthereisaMicrosoftAzureinstance.AnadvancedthreatoptionhasbeenaddedwiththeBarracudaadvancedthreatdetection(ATD)option,repackagedfromATDvendorLastline,providingacompetitivechoiceversuscompetingfirewalls.

    ThisMagicQuadrantwasconductedinaccordancewithGartner'swelldefinedmethodology.TheanalysisinthisresearchwasbasedprimarilyoninterviewsandinteractionsduringfirewallinquirieswithGartnerclientssincethe2014"MagicQuadrantforEnterpriseNetworkFirewalls."Wealsoconsideredsurveyscompletedbyvendors,vendorbriefingsconductedattherequestofvendorsthroughouttheyear,interviewswithreferencesprovidedbyvendors,andsupportingGartnerquantitativeresearchonmarketshare.

    Guidelinesforrespondingtothefullsurveywereprovidedatthetimeofissue.Responseswere,nevertheless,ofvariablequality.Responsesthatwerelowerquality(forexample,respondentsignoredthequestion,theyusedpoorgrammar,theywereunabletoexplainkeyconcepts,theywereunabletoprovidehighqualityexplanationsofusecases,ortheywereunabletogobeyondtechnicalcapabilitiesanddemonstrateanunderstandingofthebusinessenvironment),orthatdidnotmeettheguidelines,generallytendedtoscorelower.VendorsthatdeclinedtoprovideasurveyresponsewereassessedbyGartnerastowhattheirlikelyreplywouldhavebeen(usually,thiswasinrelationtospecificrevenuebreakdowns).Somevendorsdeclinedtoanswercertainquestionsduetomarketrestrictions,and,therefore,didnotfareaswellundersomeofthescoringcriteria.

    Weaskedforaspecificnumberofreferencesfromeachvendor(n=95,total),andeachreferencecustomerwassuppliedwithastructuredsurvey.Referenceswerescoredonthebasisoftheirqualityandwhattheytoldus.Foreachvendor,wetookintoaccountthecommentsfromthatvendor'sreferencesaswellaswhatothervendors'customerssaidaboutthatparticularvendor.Vendorscouldbenotablyaffectedbytheinabilitytohaveasufficientnumberofreferencecustomersprovidinginput.

    NOTE1TYPEA,BANDCENTERPRISES

    Enterprisesvaryintheiraggressionandrisktakingcharacteristics.TypeAenterprisesseekthenewestsecuritytechnologiesandconcepts,tolerateprocurementfailure,andarewillingtoinvestforinnovationthatmightdeliverleadtimeagainsttheircompetitionthisisthe"leanforward"oraggressivesecurityposture.ForTypeAenterprises,technologyiscrucialtobusinesssuccess.

    TypeBenterprisesare"middleoftheroad."Theyareneitherthefirstnorthelasttobringinanewtechnologyorconcept.ForTypeBenterprises,technologyisimportanttothebusiness.

    TypeCenterprisesareriskaversetoprocurement,perhapsinvestmentchallengedandwillingtocedeinnovationtoothers.Theywait,letothersworkoutthenuancesandthenleveragethelessonslearnedthisisthe"leanback"securityposturethatismoreaccustomedtomonitoringratherthanblocking.ForTypeCenterprises,technologyiscriticaltothebusinessandisclearlyasupportingfunction.

    NOTE2BUYERS'CONFUSIONCONCERNINGWAFS

    TheadventofapplicationcontrolinfirewallshasledtosomenaturalconfusionbetweentheNGFWandWAFmarketsinthemindsofbuyers.Today,thesemarketsremainverydistinct.Thecriticaldifferenceisofdirection:ApplicationcontrolinNGFWsisconcernedprimarilywithapplicationsthatareexternaltotheenterprise(forexample,P2PandFacebook),whereasWAFsareconcernedwithprotectingcustomWebapplicationsonserversthatareinternaltotheenterprise.AlthoughafewfirewallsofferoptionalWAFmodules,thesearerarelyenabled.Instead,weseeWAFsdeployedasastandaloneproduct(suchasfromImperva),anoffpremisesservice(suchasfromAkamai)orwithinanADC(suchasfromF5).

    NOTE3FPMTOOLS

    ThirdpartyFPMvendors(suchasAlgoSec,FireMonandTufin)continuetoexploittheabsenceoffirewallconsolestooptimize,visualize,andreducefirewallrulesandpolicies.AlthoughtheFPMmarketisstillsomewhatsmall,it'sgrowingfast,andthecustomers

  • BarracudaisassessedasaNichePlayerforenterprisesbecauseBarracudadoesnoteffectivelysellitsenterprisecapableproducttoenterprisesotherthaninWesternandCentralEuropeandincertainpublicclouddeployments.

    Strengths

    TheBarracudaNGFirewallisagoodoptionforcustomersthatalreadyhaveotherBarracudaproductsorarelocatedinWesternorCentralEurope.TheBarracudamanagementconsolescoreswellinselectionsforsimpledeployments.TheNGFirewalltiedforthehighestscoreinasurveytoreferencesforIPSfunction.TheBarracudaNGFirewallisastrongcompetitorinsituationswherepriceishighlyweightedintheselection.TheNGFirewallshowedastrongcorrelationforselectionsinasurveyforhighavailabilityandclustering.GartnerhasobservedaconsiderableincreaseinNGFirewallsalessincethepreviouseditionoftheMagicQuadrant.

    Cautions

    BarracudacustomersareprimarilySMBs,andthevendordoesnotyethavewellestablishedenterprisenetworksecuritychannelsorsupportoutsideofWesternandCentralEurope.AlthoughhavingdifferentiatedproductsforenterprisesandSMBsisgoodandreflectstheirdifferentneeds,Barracuda'sproductnamingisconfusingforenterpriseclients.TheBarracudaFirewallseriestargetsSMBs,whiletheBarracudaNGFirewallseriestargetsenterprises.NovendorwesurveyedlistedBarracudaasasignificantenterprisecompetitivethreat.AlthoughweseeBarracudaFirewallinSMBdeals,BarracudaisnotvisibleonthefirewallshortlistsofGartnerenterprisecustomers,exceptinsomeregions,notablyGermanyandAustria.MostinteresthascomefromincumbentcustomersthathaveotherBarracudaproducts.

    CheckPointSoftwareTechnologiesCheckPointSoftwareTechnologiesiscoheadquarteredinTelAviv,Israel,andSanCarlos,California.Itsportfolioincludesnextgenerationfirewalls,threatprevention,Websecurity,endpoint,mobilesecurity,cloudsecurityanddistributeddenialofservice(DDoS)solutions.CheckPoint'senterprisefirewallproductlineincludes17appliancesandtwochassisforhardwareblades,scalingupto400Gbps.Itcanalsobedeliveredasavirtualappliance,deployedonVMware,AmazonWebServices(AWS),OpenStackandMicrosoftAzure,ordeliveredassoftware.CheckPointfirewallcapabilitiescanbeexpandedbypredefinedpackagesofadditionalsoftwareblades.CustomerscansupplementCheckPoint'sfirewallwithanadvancedthreatoffering(CheckPointThreatCloud),andcanaddadditionalthreatintelligencefeedsfromthirdparties(CheckPointIntellistore)andintegrateCheckPoint'sfirewallwithitsMobileSecuritysuitetoenforcesecuritypolicyformobileusers(usingCheckPointCapsule).

    GartnerassessesCheckPointSoftwareasaLeaderforenterprisefirewallsbecauseagoodscoreduringtechnicalevaluationcontinuallydrivesnewclientwinsandcontributestoretainingalargeportionofitsexistingcustomerbase.CheckPointalsoshowsstrongexecutiononitsenterprisefocusedroadmaptodeliverfeaturestargetingthevariousfirewallplacementusecasesforenterprises.

    Strengths

    CheckPointhasoneofthelargestexistingenterpriseclientbasesandcontinuestoappearfrequentlyonfinalshortlistsforenterprisefirewallselection.Itisabletosupporttheseclientsgloballywithastrongchannelpresenceandasignificantinternalteamdevotedtofirewallfeaturedevelopment.ItscomprehensiveproductportfolioallowsCheckPointtobedeployedinavarietyofenterpriseusecases.ThenewchassissolutionsfurtherexpandCheckPoint'sabilitytoscaletothelargestdatacentersandtoadapttotheirfuturegrowthrequirements.CheckPointfirewallsconsistentlygethighscoresfromclientsonsecurityandeaseofmanagementincomplexenvironments.Itcontinuestoinvestinitsmanagementsuite,withseveralfeaturesintheR80versionintendedtoimprovetheauditabilityandmanageabilityofthesecuritypolicy,andithasfinallymergedthenetworkandapplicationcomponentsinaunifiedpolicy.GartnerbelievesthatCheckPoint'sstrategytosupportVMwareNSX,OpenStackandCiscoApplicationCentricInfrastructure(ACI)isagoodsignalforclientsconsideringCheckPointsecuritysolutionswhentheyevaluatesoftwaredefinednetwork(SDN)projects.

    Cautions

    PriceisthemostcommonfactorinvokedbyGartnerclientstointroducecompetitionforCheckPointsolutionsatrenewaltimeorasareasontofavorcompetitionduringshortlists.Gartneranalystsnoticedthathardwareplatformssubmittedinresellerproposalstendtobemoretightlysized,andseeitasatactictocontroltotalcosts.Inafewreportedclientsituations,undersizingwasaclearreasonforperformanceissues,andcausedunnecessarybackandforthdiscussiontogettheadequatemodel.In2014,GartnerobservedahigherthanusualnumberofclientsreportingstabilityissueswithCheckPointsolutions,andunexpectedlongresolutiontime.Thispeakedin2Q14,thenplateauedatalowerleverduringthesecondhalfoftheyear.GartneranalystsobservedthatmanyoftheseincidentsinvolvedclustersofnewhardwareplatformsrunningthefirstversionsoftheunifiedGAiAOS,withthesituationimprovingasCheckPointsimplifiedthenumberofsupportedlegacyversions.CheckPointcustomersareoftenslowtoadoptnewsoftwareoptionslikeitsthreatemulationsoftwareblade.Gartnerbelievesthatreasonsincludeinsufficientresultsofmarketingoperationstosupportthelaunchoftheseoptions,aswellasthefactthatCheckPointclientsarenotwillingtosubscribetoadditionalsoftwareoptionsaftertheinitialsizing,infearofperformanceissues.Thisincreasesthetimeforthesenewoptionstobecomemature,astheybenefitfromaloweramountof

    requiringhelpwithcomplexityaretheverylargest.Additionally,verylargeenterprisesmayhavefirewallproductsfromdifferentvendorssometimesbyaccidentviaacquisitionratherthanthroughchoice,becauseasinglevendorsolutionisusuallythebestchoice.Inothercases,anenterprisemaybeinthemidstofamultistagerolloutofanewplatform.AllFPMvendorssupportmultiplefirewallproducts,whereasnofirewallvendorwilleffectivelymanageacompetingproduct.Inaddition,FPMvendorsareexpandingintomanagingothernetworksecuritydevices,suchasIPSs.

    EVALUATIONCRITERIADEFINITIONS

    AbilitytoExecuteProduct/Service:Coregoodsandservicesofferedbythevendorforthedefinedmarket.Thisincludescurrentproduct/servicecapabilities,quality,featuresets,skillsandsoon,whetherofferednativelyorthroughOEMagreements/partnershipsasdefinedinthemarketdefinitionanddetailedinthesubcriteria.

    OverallViability:Viabilityincludesanassessmentoftheoverallorganization'sfinancialhealth,thefinancialandpracticalsuccessofthebusinessunit,andthelikelihoodthattheindividualbusinessunitwillcontinueinvestingintheproduct,willcontinueofferingtheproductandwilladvancethestateoftheartwithintheorganization'sportfolioofproducts.

    SalesExecution/Pricing:Thevendor'scapabilitiesinallpresalesactivitiesandthestructurethatsupportsthem.Thisincludesdealmanagement,pricingandnegotiation,presalessupport,andtheoveralleffectivenessofthesaleschannel.

    MarketResponsiveness/Record:Abilitytorespond,changedirection,beflexibleandachievecompetitivesuccessasopportunitiesdevelop,competitorsact,customerneedsevolveandmarketdynamicschange.Thiscriterionalsoconsidersthevendor'shistoryofresponsiveness.

    MarketingExecution:Theclarity,quality,creativityandefficacyofprogramsdesignedtodelivertheorganization'smessagetoinfluencethemarket,promotethebrandandbusiness,increaseawarenessoftheproducts,andestablishapositiveidentificationwiththeproduct/brandandorganizationinthemindsofbuyers.This"mindshare"canbedrivenbyacombinationofpublicity,promotionalinitiatives,thoughtleadership,wordofmouthandsalesactivities.

    CustomerExperience:Relationships,productsandservices/programsthatenableclientstobesuccessfulwiththeproductsevaluated.Specifically,thisincludesthewayscustomersreceivetechnicalsupportoraccountsupport.Thiscanalsoincludeancillarytools,customersupportprograms(andthequalitythereof),availabilityofusergroups,servicelevelagreementsandsoon.

    Operations:Theabilityoftheorganizationtomeetitsgoalsandcommitments.Factorsincludethequalityoftheorganizationalstructure,includingskills,experiences,programs,systemsandothervehiclesthatenabletheorganizationtooperateeffectivelyandefficientlyonanongoingbasis.CompletenessofVisionMarketUnderstanding:Abilityofthevendortounderstandbuyers'wantsandneedsandtotranslatethoseintoproductsandservices.Vendorsthatshowthehighestdegreeofvisionlistentoandunderstandbuyers'wantsandneeds,andcanshapeorenhancethosewiththeiraddedvision.

    MarketingStrategy:Aclear,differentiatedsetofmessagesconsistentlycommunicatedthroughouttheorganizationandexternalizedthroughthewebsite,advertising,customerprogramsandpositioningstatements.

    SalesStrategy:Thestrategyforsellingproductsthatusestheappropriatenetworkofdirectandindirectsales,marketing,service,andcommunicationaffiliatesthatextendthescopeanddepthofmarketreach,skills,expertise,technologies,servicesandthecustomerbase.

    Offering(Product)Strategy:Thevendor'sapproachtoproductdevelopmentanddeliverythatemphasizesdifferentiation,functionality,methodologyandfeaturesetsastheymaptocurrentandfuturerequirements.

    BusinessModel:Thesoundnessandlogicofthevendor'sunderlyingbusinessproposition.

    Vertical/IndustryStrategy:Thevendor'sstrategy

  • clientfeedback.

    CiscoSanJose,CaliforniabasedCiscohasabroadnetworksecurityproductportfolioacrossfirewall/IPS,Websecurityandemailsecuritytiers.ThefirewallofferingisprimarilyviatheAdaptiveSecurityAppliance(ASA)brandthatincludesanIPSreleasedin2014.ASAwithFirePOWERservicesistheASAwiththeSourcefireIPSAdvancedMalwareProtection(AMP)andapplicationvisibilityandcontroladdedin.Cisco'svirtualfirewallinglines,theASAvandtheVSG,requirethepresenceoftheNexus1000vvirtualswitch.

    Forawhile,Ciscowillhavetwoprimaryconsoleofferings.First,theAdaptiveSecurityDeviceManager(ASDM)canfunctionasanonthedevicesingleinstancemanager.Inaddition,thecombinationofFireSIGHTwhichmanagestheIPSfunctionforASAwithFirePOWERservicesandCiscoSecurityManagerwhichmanagestheASAfirewallisthealternativeforASAwithFirePOWERservices.GartnerexpectsthatCiscowillunitetheCiscomanagementconsoleintheshortterm.

    BeforetheintroductionofASAwithFirePOWERservices,GartnersawCiscowinningfirewallprocurementsmostlythroughsales/channelexecutionoraggressivediscountingforlargeCisconetworkscustomers.WiththeintroductionofASAwithFirePOWERservicesinSeptember2014,CiscobecamemoreabletocompeteintheNGFWfield

    CiscoisassessedasaChallengerforenterprises.GartnerdidnotseeitdisplacingLeadersbasedonvisionorfeatures,andwerarelysawCiscoreleasefirewallinnovationsthatcausedLeaderstoreact.

    Strengths

    TheEnterpriseLicenseAgreement(ELA)forsecuritysoftwareandhardwareaddsvalueforCiscosecuritycustomersthatareundertakingmultiyeardeploymentsandwishtomaintainatimetableandproductflexibility.GartnerclientsconsistentlyratetheCiscosupportnetworkasexcellent,anditisthemostoftencitedreasonforloyaltytoCiscosecurityproducts.Thevendorhasstrongchannels,broadgeographicsupportandwideavailabilityofothersecurityproducts.SurveyedCiscofirewallclientsconsistentlyrankedtheavailabilityandpresenceofotherproductsfromCiscowithintheirnetworksasthemostimportantfactorintheirselectionofthevendor.Ciscooffersawidechoiceinfirewallplatforms.TheprimaryofferingisthestandalonefirewallASA,butfirewallsarealsoavailableviatheFirewallServicesModulebladefor6500and7600seriesswitches,onCisco'sASAforvirtualdatacenterandcloudenvironments,andonCisco'sInternetworkOperatingSystem(IOS)basedIntegratedServicesRouter.GartnerviewsthePlatformExchangeGrid(pxGrid)initiativetoallowthirdpartycomponentsontotheASAasthemostpromisingdevelopmentintheCiscofirewallroadmap.TheintegrationofreputationfeaturesacrossCiscosecurityproductsisastrength.TherichcontextprovidedbytheFirePOWERservicesintegrationaddstothisadvantage.TheinclusionofSourcefireIPSwithinASAhasimprovedthequalityoftheASAIPSandapplicationcontrol.

    Cautions

    GartnerclientsselectCiscofirewallproductsmoreoftenwhensecurityofferingsareaddedtoaCiscoinfrastructure,ratherthanwhenthereisashortlistwithcompetingfirewallappliances.Inthesurveysenttovendors,Cisco'sproductwasthesecondmostfrequentlylistedastheonevendorsclaimedtoreplacethemosthowever,itwasalsolistedthisyearasNo.2inthevendorlistofperceivedcompetitivethreats.Cisco'ssecurityconsoleofferingsconsistentlyscorelowversuscompetitorsinassessmentsconductedbyGartnerclients.However,GartnerbelievesthatmovingcompletelytotheSourcefireFireSIGHTwillbringimprovements.CiscoscoredlowerthanmostcompetitorsinaGartnersurveyofusersforoverallclientsatisfaction.CiscoASAhasafirewallconsoleintegrationofalocalsandboxbasedadvancedtargetedattack(ATA)cloudinstanceorappliancethroughAdvancedMalwareProtection(AMP)however,GartnerclientschooseAMPnotforitsundifferentiatedsandboxingcapability,butforotherATAdetectionstrengths.CiscocanimproveitsATAassociatedsandboxingifitintegratesits2014acquisitionofThreatGRID.

    DellSonicWALLDell,whichisheadquarteredinRoundRock,Texas,sellsenterprisenetworkfirewallsundertheDellSonicWALLname.ThemajorityofDellSonicWALL'sbusinesshadbeensellingUTMtomidsizeenterprises,withtheSuperMassivelineaimedatenterprises,andatcompetitiveprice/performancepoints.OtherDellSonicWALLsecurityproductsincludeSSLVPNs,emailsecuritygateways,cleanwirelessofferings,dataencryptionofferings,identitymanagementofferings,managedsecurityserviceprovider(MSSP)offeringsundertheSecureWorksbrand,andbackup/recoveryofferings.Thecompany'sfirewallofferingsareinfourbrandedlines:SuperMassive,EClassNetworkSecurityAppliance(NSA),NSAandTZ.GartnerobservesastrongcorrelationbetweenSonicWALLpurchasesandincumbentDellcustomers.

    DellSonicWALLisassessedasaNichePlayerforenterprises,inpartbecauseithasn'tbroughtinnovativesecurityfeaturestomarketinatimelymanner,anditssaleschannelsandmarketingprogramshaven'teffectivelyreachedenterprisebuyers.

    Strengths

    DellSonicWALL'sbroadmodelrangeisagoodoptionfordistributedenterpriseswithmanyremoteofficedeploymentsrequiringmanysmallerdevices,suchasinretailorfranchiseoutlets,orwithTypeCenterprises(seeNote1).GartnerhasobservedthattheDellSonicWALLchannelhasmigratedthecorefirewallbusinessintomoremidsizeorganizationsorintoorganizationsthat

    todirectresources,skillsandofferingstomeetthespecificneedsofindividualmarketsegments,includingverticalmarkets.

    Innovation:Direct,related,complementaryandsynergisticlayoutsofresources,expertiseorcapitalforinvestment,consolidation,defensiveorpreemptivepurposes.

    GeographicStrategy:Thevendor'sstrategytodirectresources,skillsandofferingstomeetthespecificneedsofgeographiesoutsidethe"home"ornativegeography,eitherdirectlyorthroughpartners,channelsandsubsidiariesasappropriateforthatgeographyandmarket.

  • alreadyhadastrongDellSonicWALLrelationship.ForcurrentDellcustomersthatwanttohavefewersecurityvendors,DellSonicWALLisagoodchoicebecauseofitswiderangeofproductsandavailableSMBorientedfeatureset.TheSuperMassivelinehasachievedmarkettractioninhighthroughputfirewalldeployments,suchascarriersandserviceproviders,inwhichfirewallthroughput,lowlatencyandpriceperprotectedmegabitspersecondareforemostinasurveytousers,customersrankedthroughputandspeedastheforemostselectioncriterionsupportingthisassessment.

    Cautions

    AsreportedbyGartnerclients,DellSonicWALLisnotyetwidelyviewedasanenterprisestrategicsecurityplayerrather,itisperceivedasamidsizebrandassociatedwiththegreaterDellbrand.GartnerrarelyseesDellSonicWALLinmostTypeAandTypeBenterprisefirewallselectionshowever,thisisnota"Caution"forotherorganizations.DellSecureWorkspresentsapotentialchannelconflictforsalestootherMSSPs,whichcanviewDellSonicWALLaspartofacompetitor.GartneranalystshaveobservedcompetitorsusingthisargumenttogatherchannelpartnersfromDellSonicWALL.DellSonicWALLscoredlowasasignificantenterprisecompetitivethreatbythevendorswesurveyed,andscoredpoorlyinasurveytousersinregardtofalsepositivesforIPSinthefirewall.TheproductlinesTZandNSAareaging.DellSonicWALLprospectsshouldasktoseeroadmapsforevidenceoffutureinnovationplans.

    F5F5,basedinSeattle,isaleadingdatacenterapplicationdeliveryvendor.Inadditiontothetrafficmanagementmodules(GTMandLTM)thatarethecoreofF5'sApplicationDeliveryController(ADC)offering,securitymodulesincludeApplicationSecurityManager(ASM),itsWebapplicationfirewall,andtheAdvancedFirewallManager(AFM),anetworkfirewall.ItsfirewallproductofferingreliesontheBigIPappliances(14models,from5Gbpsupto80Gbps)andViprionchassis(fourmodels,upto640Gbps)hardwareplatforms,runningtheF5TrafficManagementOperatingSystem(TMOS).F5alsooffersvirtualappliances(F5VE)andcentralizedmanagement(BigIQ)foritsBigIPsolutions.GartnerviewsF5assuccessfullyusingsecurityasacompetitivefeatureintheADCmarketratherthanbeingapureplayinthefirewallmarket.

    F5isassessedasaNichePlayerfortheenterprisefirewallmarket,becauseitsfirewallofferingisvisibleonlyinalimitednumberofusecases,mostlysoldasanaddonofotherfeaturestoexistingF5customers.

    Strengths

    F5'ssoftwareisoptimizedfordatacenterandISPinfrastructureprotectionusecases.ItincludesIPv6compatibility,robustroutingoptimizationandSDNfeatures.GartneralsoexpectsF5toaddintegrationwithitsfirewallanditsSilverlineDDoSprotectionoffering.F5'scustomergivegoodscorestoitshardwareplatformforitsabilitytoscale.Thisincludeshardwareaccelerationand40Gbpsnetworkinterfaces,butalsostrongSSLoptimizationcapabilities,whichareoftenaweakspotofotherfirewallplatforms.F5dedicatessignificanteffortstosecurityfeaturesandshowsitscustomersacommitmenttoconsidersecurityasacentraltopicofitsroadmap.Thisisapositivesignfortheseclientsthatcanaddafirewallcomponenttotheirexistingdatacenterdeploymentatafractionofthecostrequiredbytheacquisitionofadedicatedappliance.GartnerexpectsF5tocompeteindatacenteronlydealswhenarchitecturecomplexityislowGartnerhasalreadyseenF5competewellinfirewallplacementsforhostingproviders.

    Cautions

    F5doesnotappearonGartnerclientcompetitiveshortlistsforenterprisefirewallselection,exceptwhencustomersalreadyownF5ADCandevaluateF5'supgradeoptions.F5isnotseenyetasacompetitivethreatbyotherfirewallvendorsevaluatedinthismarket.F5ismissingthecriticalcompetitivecomponentofastandaloneInternetfacingfirewalltoprotectusersandserverswhereanADCisnotrequired,andlacksentrylevelappliancesrequiredforbranchesandsmallheadquarters.F5lacksanIPSmoduleandonlyrecentlyintroducedsecureWebgateway(SWG)services.TheapplicationcontrolfeatureislimitedtowhatusersgetfromSWGandWebapplicationfirewall(WAF)modules,buthasyettobecoveredbyaunifiedsoftwarecomponent.GartnerbelievesthatF5'seffortstocoverabroadfeaturesetcouldhurtitsabilitytoprovidesufficientdepthforthecorefeaturesusedinenterprisefirewallusecases.AsF5'sfirewallmodulesarelikelytobeusedasadatacentersupplementtoaperimeterfirewall,F5'sintegrationwithonlyonefirewallpolicymanagementsoftware(FireMon)limitssecuritybuyeroptions.

    FortinetSunnyvale,CaliforniabasedFortinethaslongfocusedonusingpurposebuilthardwaretoproduceenterprisefirewallandUTMapplianceswithawiderangeoffeaturesatstrongprice/performancepoints.Itoffersabroadsecurityportfolioandhassomepresenceinnetworkinfrastructure.ThefirewallfeaturesinFortinet'senterprisefirewallproductscannowmeetmostoftheneedsoffirewallfocusedlargeenterprisebuyers.

    FortinetcontinuestomakeprogresswithintheGartnercustomerbase,especiallyinbranchofficeorretaildeployments,butincreasinglyinmorewidespreadenterpriseusecases.Inaddition,itisverycompetitive

  • indatacenterevaluationsinwhichhighperformance,lowlatencystatefulfirewallsaretheprimaryneed.Fortinetisasignificantthreattocompetitorsinthismarketbecauseofitshardwareexpertise,competitivepricingandacceleratingrevenuegrowth.Itisaviableshortlistcontenderformostenterprisefirewallusecases.

    FortinetisassessedasaChallenger,mostlybecauseweseeitdisplacingcompetitorsonvalueandperformance,butstrugglingagainstLeadersinmainstreamenterpriseselectionsbasedonfeaturesandvision.FortinetdoesnotoftenreleasefeaturesthatcauseLeaderstoreact.

    Strengths

    FortinethasalargehardwareR&Dteamandusesittogotomarketquicklywithhigherperformancechipsets.Fortinetcontinuallydeliversnewfunctionsintheapplicationspecificintegratedcircuitandoperatingsystem,providingextensivepressureoncompetitorsandpleasingthechannel.Fortinetoffersagoodprice/performanceratioandawidemodelrange,includingbladedappliancesforlargeenterprisesandcarriers,aswellasSMBandbranchofficesolutions.InadditiontoenterpriseNGFWdeployments,Fortinetiswellsuitedtodeploymentsincarriers,datacenters,serviceprovidersanddistributedenterprises(forexample,retailandfranchises).Fortinethasawellarticulatedstrategyregardingvirtualization,publiccloudandSDN,andhasapromisingpartnershipwithVMwareNSX.

    Cautions

    Despitesomeimprovementsin2014,managementcapabilitycomparedwiththecompetitionremainsthereasonmostoftenlistedbyGartnerclientsasthereasonwhyFortinetwasshortlistedbutnotselectedbyenterprises.However,wheremultiplefirewallssharethesamepolicy,theFortinetconsoleismorecompetitive.Althoughit'sreducedthenumberofappliancesinitsoverallFortigateproductline,Fortinetstillsupportsmoreversionsandmodels(withoftenoverlappingspecifications)thanmanyofitscompetitors.Gartnerbelievesthatthenumberofappliancesandsoftwareversionsimpactscustomersupport.GartnerbelievesthatFortinet'sFeatureSelect,whichprovidespresetinitialconfigurationoptionsorbundlesoffeatures,doesn'teffectivelycommunicatethesupportofthevaryingusecasesofmanyenterprisesorcanconveytocustomersthattheNGFWisjustasubsetofthefullUTMsuiteratherthana"madeforenterprise"solution.WhileFortinet'smarketingmixbecamemuchmoreenterprisefocusedin2014,previousUTMorientedmarketinghascreatedalingeringbranddisadvantagewithsomeenterprisesecuritybuyers.

    HillstoneNetworksBasedinBeijingandSunnyvale,California,HillstoneNetworksisapureplayfirewallvendor.Itsfirewallportfolioiscomposedofthreeproductlines,theTSeries(3models),theESeries(13models)andtheXSeries(twochassis),withfirewallthroughputrangingfrom1Gbpsto360Gbps.Hillstonehasaddednetworkbehavioranomalydetectionintoitsfirewall,andoffersvirtualversionsinitsvirtualElasticFirewallArchitecture(vEFA).

    Althoughitisaggressivelymovingtoincreasesalesinmoreregionsbyexpandingitsworldwidepartnerecosystem,HillstoneisassessedasaNichePlayerbecauseitisvisibletoGartneronlyinoneregion,withamajorityofitssalesinChina.

    Strengths

    HillstonehasastrongpresenceinChina,andoffersdedicatedfirewallmodelsforthismarket.SurveyedcustomersinChinagivegoodscorestodirectvendorsupport.Hillstone'srecentreleaseofafirewallwithbehaviorbasedpolicy(namedIntelligentNextGenerationFirewall)indicatesamotivationtobringfurtherinnovationtotheenterprisefirewallmarket.HillstoneintegrateswithFireMonandAlgoSecpolicymanagementsoftware,whichcanfacilitatepurchasedecisionforinternationalcompanieswillingtousealocalvendorintheAsia/Pacificregion.

    Cautions

    HillstoneNetworks'firewallsarenotyetseeninenterpriseselectionsamongtheGartnerclientbaseoutsideofAsia/Pacific.GartneralsoobservesincreasingcompetitionforHillstoneinChinafromlocalandregionalvendors.Surveyedcustomersindicatethatperformancedegradationwhenenablingintrusionpreventionishigherthantheleadingvendorsevaluatedinthismarket.Surveyedcustomersfrequentlycitemanagementinterfaceasanareathatrequiresimprovement.

    HPPaloAlto,CaliforniaheadquarteredHPhastwolinesoffirewalls.ThefirstisthenewTippingPointNextGenerationFirewall(NGFW)linethesecondlineiscomposedofF5000andF1000,formerlyofH3CTechnologiesinChina.Thesetwolinesareondistinctcodebases,areunderdifferentconsolesandaresupportedbydifferentgroupswithinHP.ThenewTippingPointNGFW(x86compatible)istheredesignoftheolderTippingPointIPS,whichisbasedoncustomapplicationspecificintegratedcircuits(ASICs).Assuch,thereisnodirecthardwareupgradepathfromtheIPStotheNGFW.However,bothcontinuetobesold.TherearesixmodelsofNGFW,allbearingthe"S"prefix.HPisaddinganadvancedthreatsandboxsolutionviaalocalappliancebasedonTrendMicro'sDeepDiscoveryInspector,whichwillworkwithHP'sNGFWandIPSviatheintegrationwiththeHPTippingPointSecurityManagementSystemconsole.

  • HPisassessedasaNichePlayer,mostlybecauseGartnerhasnotyetseenthenewfirewallproductonshortlists(see"VendorRating:HP"formoreinformation)orasfullyfeaturedasmostChallengersandLeaders.HPhasthepotentialtobeadisruptiveinfluenceandamarketchallengerthroughcontinuedproductadvancementandutilizationoftheHPchannel.

    Strengths

    TheprovenTippingPointIPSenginebringsaverygoodqualityofIPStothenewNGFWline,whichisofinteresttoincumbentTippingPointIPSdeploymentsthatarelookingtoreplaceafirewall,ortothosedeploymentsinwhichIPSneedsaremorehighlyrankedthanotherfirewallfeatures.InaGartnersurvey,themostmentionedreasonforbuyingtheHPfirewallwasalreadyhavingotherHPsecurityproducts.Inasurveyoffirewallusers,HPNGFWscoredhighestforusersatisfactionregardingqualityofIPSrelatingtofalsenegativesandpositives.Thereisagoodrangeofmodelsinthenewfirewallline,meaningnewadoptersarelesslikelytohavetowaitfornewmodelstoconsiderdeployments.TheTippingPointNGFWandIPSaremanagedundertheHPTippingPointSMSconsole,whichwillalreadybefamiliartoHPIPScustomers.

    Cautions

    Enterprisefirewallbuyersareoftenhesitanttoinvestinsomethingthatdoesn'thaveaproventrackrecordinthismarket.HPhasbeenslowtoexecuteonaroadmapandaddnewfeaturestoitsfirewalltoallowittocompeteforgeneralenterprisebusinessbybeing"RFPready."However,incumbentHPcustomersmaystillfindthistobeashortlistoption.GartnerclientsrarelyincludedHPfirewallsintheshortlistsweobserved.Asisoftenthecasewithnewproducts,thesurveyedHPusersmostoftencitedthattheSMSconsoleneedsimprovementinmanagingthenewfirewallingcapabilities,andsupportwasnotratedhighly.BasedonconversationswithGartnerclientswhoarealsoHPTippingPoint'sprospectsandcustomers,GartnerviewsHPastrendingtowardreemphasizingstandaloneIPSsoverfirewalls,astheyarechallengedingainingshareinthefirewallmarket.HPNGFWprospectsandcustomersshouldevaluateHP'sNGFWreleasecadenceandfeaturequality,aswellasthetimelydeliveryofroadmapcapabilitiestodeterminecontinuedinvestmentandpriority.

    HuaweiShenzhen,ChinabasedHuaweihasbeenshippingfirewallproductsformorethanadecade(formoreinformation,see"VendorRating:Huawei"),andoffavarietyofothernetworksecurityappliances,includingantiDDoSandIPSs.Therangeoffirewallappliancesandmodelsisextensive,especiallyforhigherthroughputoptions,andforcustomersthatalreadyhaveHuaweiproductsandwishtoexpandthatbusinesstofirewalls.UnifiedSecurityGateway(USG)istheprimaryenterpriseline,andEudemonisthelineforcarriersandserviceproviders.MoreHuaweifirewallrevenueisderivedfromcarriers,ISPsandcloudandserviceprovidersthanfromenterprisesandSMBs.

    HuaweiisassessedasaNichePlayerforenterprisesovertheevaluationperiod,mostlybecauseweseeitmostlyinanarrowgeographicsegment,andbecausewedidnotseeitfrequentlydisplacingLeadersorChallengersbasedonvisionorfeature.

    Strengths

    GartnerassessesHuaweiashavingaverygoodoverallnetworksecuritystrategyandalargesecurityresearchteam.CustomerswhosenetworksarebasedprimarilyonHuaweiinfrastructureproductscanincludeHuaweifirewalls.UsersreporttoGartnerthatHuaweiappliancesperformasexpectedunderload.ThetopendoftheHuaweifirewalllinehasaveryhighthroughputandisagoodshortlistcandidateforcarriers.MostdeploymentsGartnerobservesarehigherthroughputdeployments.HuaweideliveredandimprovedsomeapplicationcontrolandotherNGFWfeaturesin2014,largelytargetedtoenterprisecustomers.Itsupcomingroadmapaddressesenterpriseorientedfeatures.

    Cautions

    HuaweihaslimitedcompetitivevisibilityoutsidetheAsia/Pacificregionhowever,thereissomeincreasingcompetitivepresenceandgrowthinEMEA.InterviewedusersreportedthattheywouldliketoseebetterfeaturesintheWebgraphicaluserinterface(GUI)console,andconsistentlyaskedforbetterreporting.Huaweilagsthecompetitioninpartneringwithfirewallpolicymanagementvendors,preventingitfromfullyfulfillingsomeenterprisecomplianceandsecurityneeds.HuaweihastakenconsiderablestepstoaddressconcernsaboutrelyingontechnologydevelopedinChinahowever,thisconcerncontinuestobeasecuritysaleschallengeinsomemarkets,especiallyNorthAmerica.

    IntelSecurity(McAfee)IntelfirewallsaresoldundertheMcAfeebrand.McAfee,whichisnowpartofIntelSecurity(basedinSantaClara,California),sellssecuritycontrolsattheendpoint,serverandnetworklayers.Intel(McAfee)networksecurityisbestknownforNetworkSecurityPlatform(NSP),itsnetworkIPSproductline.IntelSecurityobtaineditsnetworkfirewallin2013fromFinlandbasedStonesoft,whoseproductisnowcalledtheMcAfeeNextGenerationFirewall(NGFW).TheMcAfeeNGFWhasagoodrangeofmodels(scalingupto120Gbps),includingavirtualizedversion,andhasperformedwellinthirdpartytesting.(IntelSecurity

  • hasanadvancedthreatoffering[ATD]thatbecomesmoreeffectivethemoreIntelMcAfeesafeguardsareinplace.)

    Gartnerbelievesthat,inthenearfuture,IntelSecuritywillhaveasinglehardwareplatformsupportingtheMcAfeeNGFWandNSP,whichistheIPSproduct.

    IntelSecurityisassessedasaNichePlayerforenterprisesbecauseitprimarilysellsalongsideotherIntelandMcAfeesecurityproductsratherthanbeatingLeadersinshortlists.

    Strengths

    ThebreadthoftheIntelSecuritythreatintelligenceandreputationfeedsisapositivequalityelementandleveragestheIntelSecurityfootprintonendpoints,secureWebgateways,emailsecuritygatewaysandIPSs.TheMcAfeeNGFWfirewalllinehaslongbeenaleaderinhighavailabilitytechnology,andithasveryreliableclusteringandactive/activeconfiguration.Itfocusedearlyonantievasiontechnology,andprotectedcustomerswellasattacksevolvedtoincludefirewallanddeepinspectionevasiveness.ThevisibilityofePolicyOrchestrator(ePO)hostinformationwithinthefirewallreportingandconsoletoolsisofinteresttocurrentIntelSecurityePOcustomers.InaGartnersurveyofclients,theMcAfeeNGFWscoredveryhighinoverallclientsatisfaction.

    Cautions

    GartnerbelievesthathavingtheMcAfeenetworksecurityunitwithinaprimarilyhostbasedsecuritycompanywhichisitselfwithinalargeendpointfocusedchipmanufacturerremainsasignificantchallenge.IntelSecuritywasnotlistedbyanyvendorwesurveyedasasignificantenterprisecompetitivethreat,andIntelisnotestablishedasbeingastrongbrandinnetworksecurity.IntelSecuritycurrentlyhastwodifferentnetworkIPSenginesacrosstheMcAfeeNGFWandNSP(IPS)products.Rationalizingandcentrallyadministeringthesefromonemanagementconsolewillpresentchallenges.IntelSecurityisrarelyseenonGartnerclientnetworkfirewallshortlists,andGartnerestimatesthatthemarketshareissmallatlessthan5%.

    JuniperNetworksThefirewallofferingsofSunnyvale,CaliforniabasedJuniperNetworksareinmultiplemodellines:SRXSSG,NS,ISGandthevirtualizedversionofSRX(vSRX).TheJuniperSRXSecurityServiceGatewayoffersroutingasabasicfirewallelement,andrunsthesameJunosoperatingsystemasotherJuniperinfrastructurecomponents.Gartnerconsidersroutinginthefirewallasbeingofinteresttoalimitedsegmentofcustomers.JuniperhasAppSecureforapplicationcontrolandvisibilityintegratedIPSandthreatintelligencefeeds.Juniper'sJunosSpaceSecurityDesignisthecurrentsecuritymanagementplatform.

    JuniperisassessedasaNichePlayerforenterprises,mostlybecauseweseeitselectedinconcertwithotherJuniperofferings,ratherthandisplacingcompetitorsbasedonitsvisionorfeatures,andweseeitbeingreplacedinenterpriseenvironmentsmoreoftenthanweseeitselected.Juniperis,however,shortlistedand/orselectedinmobileserviceproviderdeploymentsandlargeenterprisedatacenterdeployments,primarilybecauseofpriceandhighthroughputonitslargestappliances.

    Strengths

    CustomerswhosenetworksarealreadystandardizedonJuniper'sJunosbasedinfrastructureproductscanbenefitfromtheSpaceSecurityDesignconsolebecauseitispartoftheJunosSpacenetworkmanagementplatform.Interviewedusersoftenselectedthefirewalls,withthroughputweightedhighlyintheirselection.Goodoptionsexistforhighthroughput,purposebuiltappliances,especiallyinthehigherendSRXmodels,becauseGartnerseesJunipermostlydeployedinlargedatacenters.Juniperhasastrongrangeofbranchofficefirewallscomplementingtheenterpriseproducts.ThesebranchofficefirewallsincludeWANandcellularbackuptechnologies.JuniperSRXisagoodshortlistcandidateindeploymentsforserviceprovidersorhosterswherestatefulfirewallthroughputisvaluedforemostandpriceisweightedhighly.Juniperoffersathreatintelligenceplatformsupportingthirdpartyfeedsandenablingdeploymenttoenforcementpoints.Thiscapabilitywillappealtoenterprisesthatusemultiplethirdpartythreatintelligencefeeds.

    Cautions

    GartnerdoesnotassessJuniperascurrentlyhavingacompellingordifferentiatedsecurityvision,oronethatiswellknowntononJunipercustomers.In2014,JuniperreleaseditsfirstNGFWfeatureset,wellbehindmostofthefirewallvendorsevaluatedinthisresearch.SomeGartnerclientshavecitedaneedforsupportandplatformstabilityimprovements.UsersthatGartnersurveyedreporthardwarefailuresoverthepast12months.Gartnerbelievesthatmostenterpriseswantanoperatingsystemintheirsecurityproductsthatdiffersfromtheoneininfrastructurecomponents.Juniperhascontinuedlosingsecuritymarketshareinthepastyear,andhasexperienceddecliningyearoveryearrevenueinagrowingmarket.Thecompanymustaddressfundamentalsalesandmarketingchallengesanddemonstratethatitcanwinbackcustomersandmarketsharewithitsnewercapabilities.

  • PaloAltoNetworksPaloAltoNetworksisaCaliforniabasedpureplaynetworksecuritycompanythathasbeenshippingenterprisefirewallssince2007.PaloAltoNetworksisknownmostlyforitsinnovationsinapplicationcontrolandforimprovingintegratedIPSinfirewalls.Thefirewallproductlineincludes18models,withamaximumthroughputof120GbpsforthePA7050,releasedin2014.WiththeacquisitionofCyvera(rebrandedasTraps),PaloAltoNetworksnowoffersasecondendpointproduct,inadditiontotheexistingGlobalProtect.PaloAlto'scloudbasednetworksandboxservice,WildFire,sawhighattachratesfornewandexistingcustomersin2014.PaloAlto'sworkwithVMwareNSXhasprovidedcustomersanotheroptionforplacingPaloAltoproductsinvirtualizeddatacenters.

    PaloAltoNetworksisassessedasaLeader,mostlybecauseofitsNGFWfocus,andbecauseofitsconsistentvisibilityinGartnershortlistsforadvancedfirewallsusecases,frequentlybeatingcompetitiononfeaturequality.

    Strengths

    GartnerclientsconsistentlyratethePaloAltoNetworksAppIDandIPShigherthancompetitors'offeringsforeaseofuseandquality.ThefirewallandIPSarecloselyintegrated,withAppIDimplementedwithinthefirewallandthroughouttheinspectionstream.This"singlepass"isassessedasadesignadvantagebyGartnerclients,asopposedtotheunnecessaryinspectionthatcanoccurincompetingproductsthatprocesstrafficinserialorder.PaloAltoNetworkswasconsistentlyonmostNGFWcompetitiveshortlistsseenbyGartner,andinthesurveytovendors,itwasmostmentionedasthestrongestcompetitorwithwhichthesevendorscompete.TheroadmapfocusonVMwareNSXdisplaysstrongleadershiptowardsolvingclients'futureproblems.PaloAltoshiftedfocuscorrectlytoeastwestsegmentationratherthanwholedatacenterfirewallvirtualization.TheWildFireadvancedthreatapplianceandcloudservicearepopularaddonswithnewandincumbentPaloAltoNetworksfirewallcustomers,givingthemanoptionversusthirdpartyadvancedthreatappliancesolutions.

    Cautions

    GartnerclientsreportPaloAltoNetworks'directsalesandresellersbeingoverlyoptimisticabouttheperformanceimpactofturningonantivirus(thatis,Webantimalware),andconflatingantiviruswithIPSand/orotherfeatures,orclaiminga0%performanceimpactwhenenablingtheantivirus(AV)function,whichisnotcrediblewithcustomers.GartnerbelievesthatthisapproachhaserodedcustomertrustinthePaloAltoNetworksbrand.GartnerdoesnotseePaloAltoreproducingitsfirewallsuccessinitsattempttoentertheendpointmarket.GartnerconsidersPaloAlto'sentryintotheendpointmarketasahighriskmovethatcoulddilutecompanyattentionintoanonadjacentmarketandcouldalienatethenetworksecuritybuyingcenter.Theendpointshouldbeaddressedthroughathirdpartyecosystemorpushedstrongerasanindependenteffort.Thecompanymustdevelopabetterthirdpartyproductsupportecosystem.Likeothervendorswithleadingproducts,PaloAltoNetworksischallengedtowinselectionsinwhichpriceisweightedmorethansecurityfeatures,asinTypeCenterprises(seeNote1).Italsodoesnotofferthesmallerappliancesthatcompetitorspositionindistributedenterprisedeals.Theclientsweinterviewedwouldliketoseebetterloghandlingatscale.Also,theclientcomplaintswereceiveregardingPaloAltoNetworksusuallyrelatetomanagementconsoleissuesatscale,oranecdotesofchannelpartnershortcomings.

    SangforHeadquarteredinShenzhen,China,andfoundedin2000,SangforprovidesWANoptimization,accessmanagementandnetworksecuritysolutions,includingfirewall,SSLVPNandInternetaccessmanagement.Sangforstartedshippingitsenterprisefirewallproductline(NextGenerationApplicationFirewall)in2011.Itnowfeatures16models,forafirewallthroughputofupto80Gbps.Sangfordoesnotofferavirtualappliance.

    SangforisevaluatedasaNichePlayerforenterprisefirewallbecauseitservesanarrowedsegmentofthemarketandoperatesmostlyinChina.

    Strengths

    Sangforclientsliketheeaseofinstallation,reportingonsecurityandhighperformance.Theyalsocitecompetitivepriceasareasonforselectingthesolution.CloudbasedsandboxingandactivevulnerabilityscanningareavailableonSangfor'sfirewallatnoadditionalcharge.

    Cautions

    GartnerdoesnotseeSangforfirewallsbeingshortlistedoutsideofChina.InternationalizationoftheSangforfirewallproductlineisstillanongoingprocess.PotentialcustomersoutsideofChinashouldfirstverifytheavailabilityofvendorsupportandproductdocumentationfortheirusecase,andrequestreferencesfororganizationsinthesameregion.Surveyedcustomersshowedamajorityofuppermidsize/smallenterpriseusecases,withalimitednumberoffirewallsforasinglecustomer.Sangfor'senterprisefirewallisnewcomparedwithmostofitscompetitors,andseveralfeaturesarestillunproven,withaquicklygrowingnumberofdeploymentsbutalimitedexistence.

  • SophosSophosisasecuritycompanyheadquarteredinOxford,U.K.,thatisprimarilyknownforitsendpointsecuritysolution.Itsenterprisefirewallportfoliomainlyconsistsoftwoproductlines,theSGseries(14models,from1.5Gbpsto60Gbps)andtheNGproductline,resultingfromtheacquisitionofIndiabasedCyberoam(19models,from400Mbpsto160Gbps).ThetworemoteEthernetdevice(RED)modelsallowremoteVPNconnectionsforsmallbranches.SophosfirewallsarealsoavailableinvirtualapplianceformatandcanrunonAWS.SophosalsosellssecureWebgatewaysandsecureemailgatewaysinadditiontoitsendpointsecurityandmobilesecuritysolutions.

    Sophos'NichePlayerpositioninthisMagicQuadrantreflectsitsfocusonuppermidmarketandsmallerenterpriseneeds,whichisshown,too,inthelimitedvisibilityforSophosfirewallsondatacenterandlargerenterprises'shortlists.

    Strengths

    AgrowingnumberofSophosendpointcustomersshortlistSophosasapotentialfirewall,citingeaseofuse,potentialproductsynergiesandsimplifiedprocurementasthemainreasonsforselectingthevendor.TheSophosCloudmanagementofferingcombinesmobile,endpointandnetworkmanagement,andappealstovastlydistributedenterprisesandorganizationswithalargemobileworkforce.TheSophosroadmapshowsagoodunderstandingoftheneedsofmidsizeandsmallerenterprisesclients,theirtargetmarket,andhowtheyplantoaddressoverlapsbetweentheirtwofirewallproductlines,increasecrosssynergiesacrosstheirsolutions,andfilltheremaininggapsintheirsecurityportfolio.SophosleadsthemarketinAWSfeaturesandmarketpenetration,andisagoodchoiceforAWSonlyplacements.

    Cautions

    Sophos'visibilityonGartnerenterpriseclientshortlistsremainslow,andisalmostexclusivelyfromexistingSophoscustomers.Sophosstillmaintainstwofirewallproductlines,andwillbedeliveringitsunifiednextgenerationproductinmid2015.CustomersmustensuretheirSophosappliancescanreceivethefirmwareupgradeinordertotakeadvantageofthenewplatform.Gartnerbelievesthatmidmarketandlargeenterprisehavedifferentneedsandexpectationsforcentralizedmanagementandreportingsolutions.Sophos'currentmanagementandreportingofferingsareorientedtowardUTMuseanddistributedorganizations,andgetlowerscoresincompetitiveevaluationswherecomplexpolicyandstringentworkflowrequirementsarehighlyweightedhowever,Sophosisagoodchoiceforuppermidmarketcustomers,smallerenterprisesandTypeCenterprises.

    StormshieldStormshield(formerlyArkoon+Netasq),headquarteredinFrance,hasbeenapureplaynetworksecurityvendorformorethan15years,sellingUTMsystemsandenterprisefirewallswithintegratedIPSsandvulnerabilitymanagement.In2012,AirbusDefenceandSpaceCyberSecurity(formerlyCassidianCyberSecurity,asubsidiaryofEADSGroup)acquiredNetasq.InApril2013,itacquiredArkoon,anotherFrenchsecuritycompanywithfirewallsandendpointprotectionplatforms.ThetwogroupshaveunitedundertheStormshieldbrand,andhaveintroducedtheStormshieldNetworkSecurityline.Theseproductsarecomposedofnineappliances,rangingfrom400Mbpsto80Gbps.

    VirtualversionsarealsoavailablewiththeVseries,andattheAWSMarketplace.

    StormshieldisassessedasaNichePlayerforenterprises,mostlybecauseitbestservesmidsizebusinessesandgovernmentagenciesinWesternandCentralEurope.

    Strengths

    StormshieldisaEuropeanvendorandbenefitsfromlocalcertifications,suchasthe"EURestricted"orspecificassessmentfromtheFrenchgovernment,whichisofinteresttoEUgovernmentsandagencieslookingforsimplerprocurementoralocalprovider.Itsownership(Airbus)addscredibilitytoFrenchgovernmentanddefensecustomers.Stormshieldhasquicklyexecutedonaplantoproduceanewproductline,givingaclearchoicetoprospectsandexistingclientsfromtheformercompanieswhenconsideringafirewallrefresh.StormshieldhasawiderangeofvirtualappliancesandAWSbasedinstances,makingitagoodcandidatetoprotecthybridnetworks.CustomersciteIPSqualityasamainreasontheyselectStormshieldastheirnetworkfirewall.

    Cautions

    ThemajorityofStormshield'spenetration,visibilityandchannelisfocusedonEMEA,especiallyFrance.ThevendorhasnotbeenpartofNGFWselectionsthatGartnerhasseen.Theburdenofmaintainingsoftwaresupportfor36modelsmaystressStormshield'sR&Dresourcesanditsabilitytoexecuteonitstechnologyroadmaps.Stormshieldlackstheabilitytoapplyqualityofservice(QoS)rulesbasedonapplicationdetection.

    WatchGuardWatchGuardisaSeattlebasednetworksecuritycompanythathasprimarilyseensuccessinsellingUTMproductstomidsizeenterprises.ItsXTMseriesofproductsspansperformanceandfeatureranges

  • demandedbylargeenterpriseshowever,WatchGuard'sbranding,channelsupportandmanagementcapabilitiestendtobemoreorientedtowardSMBs.WatchGuardalsohasproductsthatincludeSSLVPN,emailandWebsecurityproductlines.

    TheXTMbrandedfirewallmodelsfallintotwocategories:TheXTM2SeriesandXTM5SeriesareUTM,whiletheXTM8SeriesandtheXTM1520andabovearetargetedattheenterprise.SinceWatchGuard'sintroductionofthe"NGFWBundle"optionforappliancesin2011andthe2014releaseofAPTBlocker,WatchGuard'scloudbasedmalwaredetectionofferingbasedonLastlinetechnology,thecompanyhassolutionsthatbettersuitprospectiveenterprisebuyersthantheUTMonlyapproach,thoughwehavenotseenmuchenterprisetractionyet.

    WatchGuardisassessedasaNichePlayerforenterprises,mostlybecauseitservesSMBsanddistributedenterprises.However,wedonotoftenseeitdisplacingLeadersfortheedgefirewallusecasebasedonfeatures.Moreover,itisnotpresentondatacentershortlists.

    Strengths

    WatchGuard'sstrongprice/performancepointshaveenabledittowinpricesensitivecompetitionsacrossretail,branchoffice,remoteofficeandTypeCdistributedenterprisedeployments.WatchGuardcontinuestoinvestinenterpriseusecases,withenhancedIPv6andbettertrafficmanagementreleasedin2014,alongwithAPTBlocker.UsersreporthighsatisfactionwiththeWatchGuardmanagementconsole.EnterprisemodelsarecorrectlytargetedatNGFWsratherthanUTMfunctionality.ThecloudbasedreportingsolutionWatchGuardDimension,withitsexecutivedashboardandtrafficheatmaps,hasproventobeagoodadditiontothesetoffeaturesthatistargetingareaswheremanyfirewallswillbedeployed,suchasinfranchisesorretailstores,orviaanMSSP.Theinteractiveheatmapview(FireWatch)isusefultoquicklyidentifynetworkissuescreatedbyaspecificuserorapplication.

    Cautions

    GartnerrarelyseesWatchGuardinmostTypeAandTypeBenterprisefirewallselections.EnterpriseclasschannelsandsupportwillneedtobeexpandedifWatchGuardwishestocompeteinabroadersegmentofenterprises.Forexample,WatchGuarddoesnothavetheoptionforlargeenterprisestodeployaWatchGuardresidentengineer,arequirementforsomeenterprisedeployments.WatchGuardscoredlowasasignificantenterprisecompetitivethreatbythevendorswesurveyed,andithaslowvisibilityinGartner'scustomerbase.WatchGuardlagsbehindtheLeadersinarticulatingacomprehensivedatacenterstrategy,andinincludingSDNinitsroadmap.

    VendorsAddedandDroppedWereviewandadjustourinclusioncriteriaforMagicQuadrantsandMarketScopesasmarketschange.Asaresultoftheseadjustments,themixofvendorsinanyMagicQuadrantorMarketScopemaychangeovertime.Avendor'sappearanceinaMagicQuadrantorMarketScopeoneyearandnotthenextdoesnotnecessarilyindicatethatwehavechangedouropinionofthatvendor.Itmaybeareflectionofachangeinthemarketand,therefore,changedevaluationcriteria,orofachangeoffocusbythatvendor.

    AddedSangforwasaddedtotheMagicQuadrant.Arkoon+NetasqwasrenamedStormshield,whichnowappearsintheMagicQuadrant.

    DroppedNovendorsweredropped.

    InclusionandExclusionCriteriaInclusionCriteriaNetworkfirewallcompaniesthatmeetthemarketdefinitionanddescriptionwereconsideredforthisresearchunderthefollowingconditions:

    Gartneranalystshaveassessedthatthecompanyhastheabilitytoeffectivelycompeteintheenterprisefirewallmarket.Thecompanyregularlyappearsonshortlistsforselectionandpurchases.Thecompanydemonstratesacompetitivepresenceinenterprisesandsales.Gartneranalystsconsiderthataspectsofthecompany'sproductexecutionandvisionmeritinclusion.Thevendorhasachievedenterprisefirewallproductsales(notincludingmaintenance)inthepastcalendaryearofmorethan$10million,andwithinacustomersegmentthatisvisibletoGartner.

    ExclusionCriteriaNetworkfirewallcompaniesmayhavebeenexcludedfromthisresearchforoneormoreofthefollowingreasons:

    ThecompanyhasminimalornegligibleapparentmarketshareamongGartnerclients,oritisnotactivelyshippingproducts.

  • Thecompanyisnottheoriginalmanufacturerofthefirewallproduct.ThisincludeshardwareOEMs,resellersthatrepackageproductsthatwouldqualifyfromtheiroriginalmanufacturers,aswellascarriersandISPsthatprovidemanagedservices.WeassessthebreadthofOEMpartnersaspartoftheevaluationofthefirewall,andwedonotrateplatformprovidersseparately.Thecompany'sproductssellasnetworkfirewalls,butdonothavethecapabilities,scalabilityandabilitytodirectlycompetewiththelargerfirewallproduct/functionview.ProductsthataresuitedforSMBs(suchasUTMfirewalls,orthoseforsmalloffice/homeofficeplacements)arenottargetedatthemarketthisMagicQuadrantcovers(enterprises)andareexcluded.ThecompanyprimarilyhasanetworkIPSwithanonenterpriseclassfirewall.

    Thecompanyhaspersonalfirewalls,hostbasedfirewalls,hostbasedIPSsandWAFs(seeNote2)allofwhicharedistinctlyseparatemarkets.

    EvaluationCriteriaAbilitytoExecute

    Productorservice:Thisincludesserviceandcustomersatisfactioninenterprisefirewalldeployments.Executionconsidersfactorsrelatedtogettingproductssold,installed,supportedandinusers'hands.StrongexecutionmeansthatacompanyhasdemonstratedtoGartneranalyststhatproductsaresuccessfullyandcontinuallydeployedinenterprises,andthatthecompanywinsalargepercentageincompetitionwithothervendors.CompaniesthatexecutestronglygeneratepervasiveawarenessandloyaltyamongGartnerclients,andalsogenerateasteadystreamofinquiriestoGartneranalysts.Executionisnotprimarilyaboutcompanysizeormarketshare,althoughthosefactorscanaffectacompany'sAbilitytoExecute.Salesareafactorhowever,winningincompetitiveenvironmentsthroughinnovationandqualityofproductandserviceismoreimportantthanrevenue.Keyfeaturesareweightedheavily,suchasfoundationfirewallfunctions,consolequality,lowlatency,rangeofmodels,secondaryproductcapabilities(logging,eventmanagement,compliance,ruleoptimizationandworkflow),andtheabilitytosupportcomplexdeploymentsandmodernDMZs.Havingalowrateofvulnerabilitiesinthefirewallisimportant.Thelogisticalcapabilitiesformanagingappliancedelivery,productserviceandportdensitymatter.Supportisratedonthequality,breadthandvalueofofferingsthroughthespecificlensofenterpriseneeds.Overallviability:Thisincludesoverallfinancialhealth,prospectsforcontinuingoperations,companyhistory,anddemonstratedcommitmentinthefirewallandsecuritymarkets.Growthofthecustomerbaseandrevenuederivedfromsalesarealsoconsidered.Allvendorswererequiredtodisclosecomparablemarketdata,suchasfirewallrevenue,competitivewinsversuskeycompetitors(whicharecomparedwithGartnerdataonsuchcompetitionsheldbyourclients)anddevicesindeployment.Thenumberoffirewallsshippedorthemarketshareisnotthekeymeasureofexecution.Rather,weconsidertheuseofthesefirewallstoprotectthekeybusinesssystemsofenterpriseclients,andthosebeingconsideredoncompetitiveshortlists.Salesexecution/pricing:Weevaluatethecompany'spricing,dealsize,installedbase,andusebyenterprises,carriersandMSSPs.Thisincludesthestrengthofthevendor'ssalesanddistributionoperations.Presalesandpostsalessupportisevaluated.Pricingiscomparedintermsofatypicalenterpriseclassdeployment,andincludesthecostofallhardware,support,maintenanceandinstallation.Lowpricingwillnotguaranteehighexecutionorclientinterest.Buyerswantgoodresultsmorethantheywantbargains,andthinkintermsofvalueoversheerlowcost.Costofownershipoveratypicalfirewalllifecycle(threetofiveyears)isassessed,asisthepricingmodelforconductingarefreshwhilestayingwiththesameproductandreplacingacompetingproductwithoutintolerablecostsorinterruptions.Therobustnessoftheenterprisechannelandthirdpartyecosystemisimportant.Marketresponsiveness/record:Thisevaluatesthevendor'sabilitytorespondtochangesinthethreatenvironment,andtopresentsolutionsthatmeetcustomerprotectionneedsratherthanpackagingupfear,uncertaintyanddoubt.Thiscriterionalsoconsiderstheprovider'shistoryofresponsivenesstochangesindemandfornewfeaturesandformfactorsinthefirewallmarket,andhowenterprisesdeploynetworksecurity.Marketingexecution:CompetitivevisibilityisakeyfactoritincludeswhichvendorsaremostcommonlyconsideredtohavetopcompetitivesolutionsduringtheRFPandselectionprocess,andwhichareconsideredtopthreatsbytheothers.Inadditiontobuyerandanalystfeedback,thisrankinglooksatwhichvendorsconsidertheotherstobedirectcompetitivethreats,suchasbydrivingthemarketoninnovativefeaturescopackagedwithinthefirewall,orbyofferinginnovativepricingorsupportofferings.AnNGFWcapabilityisheavilyweighted,asareenterpriseclasscapabilities,suchasmultidevicemanagement,virtualization,adaptabilityofconfigurationandsupportforenterpriseenvironments.Unacceptabledevicefailurerates,vulnerabilities,poorperformance,andaproduct'sinabilitytosurvivetotheendofatypicalfirewalllifespanareassessedaccordingly.Significantweightingisgiventodeliveringnewplatformsforscalableperformanceinordertomaintaininvestment,andtotherangeofmodelstosupportvariousdeploymentarchitectures.Customerexperienceandoperations:Theseincludemanagementexperienceandtrackrecord,aswellasthedepthofstaffexperiencespecificallyinthesecuritymarketplace.Thegreatestfactorinthesecategoriesiscustomersatisfactionthroughoutthesalesandproductlifecycles.Lowlatency,throughputoftheIPScapabilityandhowthefirewallfaredunderattackconditionsarealsoimportant.Succeedingincomplexnetworkswithlittleintervention(forexample,oneoffpatches)ishighlyconsidered.

    Table1.AbilitytoExecuteEvaluationCriteria

    EvaluationCriteria Weighting

  • ProductorService High

    OverallViability Medium

    SalesExecution/Pricing Medium

    MarketResponsiveness/Record High

    MarketingExecution Medium

    CustomerExperience High

    Operations Medium

    Source:Gartner(April2015)

    CompletenessofVisionMarketunderstandingandmarketingstrategy:Thisincludesprovidingatrackrecordofdeliveringoninnovationthatprecedescustomerdemand,ratherthanan"us,too"roadmap.Wealsoevaluatethevendor'soverallunderstandingofandcommitmenttothesecurityandnetworksecuritymarkets.Gartnermakesthisassessmentsubjectivelybyseveralmeans,includinginteractionwithvendorsinbriefingsandfeedbackfromGartnercustomersoninformationtheyreceiveconcerningroadmaps.Incumbentvendormarketperformanceisreviewedyearbyyearagainstspecificrecommendationsthathavebeenmadetoeachvendor,andagainstfuturetrendsidentifiedinGartnerresearch.Vendorscannotmerelystateaggressivefuturegoalstheymustputplansinplace,showthattheyarefollowingtheirplans,andmodifythoseplansastheyforecasthowmarketdirectionswillchange.Understandinganddeliveringonenterprisefirewallrealitiesandneedsareimportant,andhavingaviableandprogressiveroadmapandcontinuingdeliveryofNGFWfeaturesisweightedveryhighly.TheNGFWcapabilitiesareexpectedtobeintegratedtoachievecorrelationimprovementandfunctionalimprovement.Salesstrategy:Thisincludespreproductandpostproductsupport,valueforpricing,andprovidingclearexplanationsandrecommendationsfordetectingevents,includingzerodayevents.Buildingloyaltythroughcredibilitywithafulltimeenterprisefirewallstaffdemonstratestheabilitytoassessthenextgenerationofrequirements.Vendorsneedtoaddressthenetworksecuritybuyingcentercorrectly,andtheymustdosoinatechnicallydirectmanner,ratherthansellingjustfearornextgenerationhype.Channelandthirdpartysecurityproductecosystemstrategiesmatterinsofarastheyarefocusedonenterprises.Offering(product)strategy:Thiscriterionfocusesonavendor'sproductroadmap,currentfeatures,NGFWintegrationandenhancement,virtualizationandperformance.Credible,independentthirdpartycertificationsincludetheCommonCriteriaforInformationTechnologySecurityEvaluation.Integrationwithothersecuritycomponentsisalsoweighted,aswellasproductintegrationwithotherITsystems.Wealsoevaluatehowthevendorunderstandsandservestheenterprisebranchofficeanddatacenter.Innovation,suchasintroducingpracticalnewformsofintelligencetowhichthefirewallcanapplypolicy,ishighlyrated.Anarticulated,viablestrategyforaddressingthechallengesinSDNdeploymentsisimportant.Businessmodel:ThisincludestheprocessandsuccessratefordevelopingnewfeaturesandinnovationitalsoincludesR&Dspending.Vertical/industrystrategyandgeographicstrategy:Theseincludetheabilityandcommitmenttoservicegeographiesandverticalmarkets,suchascomplexenterprisemultinationaldeployments,MSSPs,carriersorgovernments.Innovation:ThisincludesR&Dandqualitydifferentiators,suchas:

    Performance,whichincludeslowlatency,newfirewallmechanisms,andachievinghighIPSthroughputandlowappliancelatency.Firewallvirtualizationandsecuringvirtualizedenvironments.Integrationwithothersecurityproducts.Managementinterfaceandclarityofreportingthatis,themoreaproductmirrorstheworkflowoftheenterpriseoperationscenario,thebetterthevision."Givingbacktime"tofirewalladministratorsbyinnovatingtomakecomplextaskseasier,ratherthanaddingmorealertsandcomplexity.

    Productsthatarenotintuitiveindeployment,oroperationsthataredifficulttoconfigureorhavelimitedreporting,arescoredaccordingly.Solvingcustomerproblemsisakeyelementofthiscriterion.Reducingtherulebase,offeringinterproductsupportandleadingcompetitorsonfeaturesareforemost.

    Table2.CompletenessofVisionEvaluationCriteria

    EvaluationCriteria Weighting

    MarketUnderstanding High

    MarketingStrategy Medium

    SalesStrategy Medium

    Offering(Product)Strategy High

    BusinessModel Medium

  • Vertical/IndustryStrategy Medium

    Innovation High

    GeographicStrategy Low

    Source:Gartner(April2015)

    QuadrantDescriptionsLeadersTheLeadersquadrantcontainsvendorsthatbuildproductsthatfulfillenterpriserequirements.Theserequirementsincludeawiderangeofmodels,supportforvirtualizationandvirtualLANs,andamanagementandreportingcapabilitythatisdesignedforcomplexandhighvolumeenvironments,suchasmultitieradministrationandrule/policyminimization.AsolidNGFWcapabilityisanimportantelementasenterprisescontinuetomoveawayfromhavingdedicatedIPSappliancesattheirperimeterandremotelocations.Vendorsinthisquadrantleadthemarketinofferingnewsafeguardingfeatures,providingexpertcapabilityratherthantreatingthefirewallasacommodity,andhavingagoodtrackrecordofavoidingvulnerabilitiesintheirsecurityproducts.Commoncharacteristicsincludehandlingthehighestthroughputwithminimalperformancelossandofferingoptionsforhardwareacceleration.

    ChallengersTheChallengersquadrantcontainsvendorsthathaveachievedasoundcustomerbase,buttheyarenotconsistentlyleadingwithdifferentiatednextgenerationcapabilities.ManyChallengersareslowtoworktowardastrongNGFWcapabilityortheyhaveothersecurityproductsthataresuccessfulintheenterpriseandarecountingontherelationship,ratherthantheproduct,towindeals.Challengers'productsareoftenwellpriced,and,becauseoftheirstrengthinexecution,thesevendorscanoffereconomicalsecurityproductbundlesthatotherscannot.ManyChallengersholdthemselvesbackfrombecomingLeadersbecausetheyareobligatedtoplacesecurityorfirewallproductsatalowerpriorityintheiroverallproductsets.FirewallmarketChallengerswilloftenhavesignificantmarketshare,buttrailsmallermarketshareLeadersinthereleaseoffeatures.

    VisionariesVisionarieshavetherightdesignsandfeaturesfortheenterprise,buttheylackthesalesbase,strategyorfinancialmeanstocompeteconsistentlywithLeadersandChallengers.MostVisionaries'productshavegoodNGFWcapabilities,butlackinperformancecapabilityandsupportnetwork.Savingsandhightouchsupportcanbeachievedfororganizationsthatarewillingtoupdateproductsmorefrequentlyandswitchvendorsifrequired.Iffirewallingisacompetitiveelementforanenterprise,thenVisionariesaregoodshortlistcandidates.VendorsthatdonothavestrongNGFWcapabilitiesaresupplementingtheminadefensivemove,whilevendorsthathavestrongNGFWofferingsarefocusedonmanageabilityandusability.Gartnerexpectsthenextwaveofinnovationinthismarkettofocusonbetteridentificationofmaliciousprotocolsatmultigigabitpersecondrates.

    NichePlayersMostvendorsintheNichePlayersquadrantaresmallervendorsofenterprisefirewalls,makersofmultifunctionfirewallsforSMBs,orbranchofficeonlyproductmakersthatareattemptingtobreakintotheenterprisemarket.ManyNichePlayersaremakinglargerSMBproductswiththemistakenhopethatthiswillsatisfyenterprises.SomeenterprisesthathavethefirewallneedsofanSMB(forexample,someTypeC"riskaverse"enterprises)mayconsiderproductsfromNichePlayers,althoughothermodelsfromLeadersandChallengersmaybemoresuitable.Iflocalgeographicsupportisacriticalfactor,thenNichePlayerscanbeshortlisted.

    ContextTheenterprisefirewallmarketisoneofthelargestandmostmaturesecuritymarkets.Itispopulatedwithmaturevendorsandsomemorerecententrants.Changesinthreats,aswellasincreasedenterprisedemandformobility,virtualizationanduseofthecloud,haveincreaseddemandfornewfirewallfeaturesandcapabilities.Organizations'finalproductselectiondecisionsmustbedrivenbytheirspecificrequirements,especiallyintherelativeimportanceofmanagementcapabilities,easeandspeedofthedeployment,acquisitioncosts,ITorganizationsupportcapabilities,andintegrationwiththeestablishedsecurityandnetworkinfrastructure.

    MarketOverviewAsthefirstlineofdefensebetweenexternalthreatsandenterprisenetworks,firewallsneedtocontinuallyevolvetomaintaineffectiveness,respondingtochangesinthreatsaswellaschangesinenterprisenetworkspeedandcomplexity.Thefirewallmarketishighlypenetratedinthelargermarkets(NorthAmerica,WesternEuropeandmatureAsia/Pacific),whichmeansthat,toprotecttheirinstalledbase,incumbentsmustaddimprovedcapabilitiesandincreaseperformance,orfaceeitherreplacementbyinnovativemarketentrantsorcommoditizationbylowcostproviders.Firewallpolicymanagement(FPM)productsareincreasinglybeingusedtomanagecomplexity(seeNote3).

    NextGenerationFirewallsOnekeyareaoffirewallevolutionthathasbeensupportediswhatGartner(in2009)called"NGFWfeatures"namely,integrateddeeppacketinspectionintrusiondetection,applicationidentificationandgranularcontrol.ThekeydifferentiatorsintheseareasareIPSeffectiveness,asdemonstratedthroughthirdpartytestingunderrealisticthreatandnetworkloadconditions,andfinegrainedpolicyenforcementinapproximatelythetop40businessapplications.Identitybasedpolicyenforcement,ortheabilitytoenforcepolicyonthousandsofapplications,hasbeenhighlytoutedbutusedinfrequently.

  • Becauseitishighlypenetrated,thefirewallmarketisdrivenbyrefreshcycles.WehaveseensomecommonpatternsinthefirewallmarketasenterpriseswiththreetofiveyearoldfirewallsandIPSsevaluatereplacement:

    EnterprisesnotcurrentlyusinganyIPSsmigratetoNGFWswithminimaluseofadvancedfeatures.EnterpriseswithfirewallsandstandaloneIPSsthatareemployedprimarilyindetectionmode(thatis,usingminimalsignaturesets)migratetoNGFWsusingthebuiltinIPScapabilities.EnterpriseswithfirewallsandstandaloneIPSsthatareusedforactiveprevention,withlargesignaturesetsandsomecustomsignatures,migratetoNGFWsforthefirewallwithapplicationcontrolandusercontext,butcontinueusingstandaloneIPSs.HighsecurityenvironmentsupgradetoNGFWsforthefirewall,andupgradeIPSstoNGIPSs(see"DefiningNextGenerationNetworkIntrusionPrevention").Organizationsarelookingtoextendtheironpremisesfirewallvendorintoinfrastructureasaservice(IaaS)cloudproviders.

    UTMCan'tCompeteWithNGFWsinEnterprisesHistorically,UTMvendorstargetedSMBclients.However,inthepastfewyears,thelargeUTMvendorshavetriedtoexpandbeyondtheirtraditionalusecase.TheynowtrytosellUTMtoenterpriseclientsthatscorepricecompetitivenesshigherthansecurity.GartnerseessomelimitedsuccessforTypeCenterprises,butitisrestrictedtotwousecases:distributedTypeCenterprises(mostlyintheretailindustry),andstatefulfirewallfornetworksegmentationatlowcost.However,theUTMapproachfailstoconvinceTypeAandTypeBenterprisesthatrequireNGFWcapabilitiesanddonotconsolidateWebantivirusontheInternetfacingfirewall(see"NextGenerationFirewallsandUnifiedThreatManagementAreDistinctProductsandMarkets").

    UTMvendorsalsofacedifficultiesinbuildingastrongsalesandsupportchannelforenterprises(similarly,enterprisefirewallvendorswouldunderestimatetheworkofbuildinganSMBchannel).MostenterprisebuyersarealsowaryofshortlistingaUTMvendorbecauseofitsprimaryfocusonSMBsandlimitedbrandawareness.

    VirtualizedFirewalls:HypeOutrunsDemandAsdatacentervirtualizationhascontinued,demandforvirtualappliancesupporthasgrown.Performanceandtheabilitytomanagefirewallpolicythroughasingleintegratedmanagementconsoleforstandaloneappliancesorvirtualappliancesarekeydifferentiators.Gartnerhasnotseenthefirewallfeaturesofvirtualizationplatforms(suchasthoseofferedwithVMware)asamajorcompetitortomainstreamfirewallvendorsbecausetheneedforseparationofdutiesdrivesclientstodoubttheinfrastructure'sabilitytoprotectitself.GartnercoversvirtualonlyfirewallvendorssuchasvArmourandIllumio,buthasnotseensignificantadoption.EarlyVMwareworkwithPaloAltoNetworks,andnowCheckPointandFortinet,hascreatedsomebuzzforvirtualizingdatacentersandnetworksandeastwestsegmentation,butfewcustomershaveadoptedthese,thoughadoptionisgrowingquickly.AsothervirtualizationplatformssuchasXenandHyperVgaintraction,managingheterogeneousvirtualizedfirewallsfromexistingphysicalfirewallvendors,virtualizationplatformvendorsandvirtualonlyfirewallswillpresentachallenge.Performanceremainsabarriertowiderdeployment:Almostallnetworkfirewallstodayaredeliveredonpurposebuiltappliancesbecauseofthepoorerperformanceofrunningfirewallsongeneralpurposeservers.Almostalloperatingsystemswithinfirewallappliancesareuniquelyhardened,subjecttostringentthirdpartysecurityevaluations.Securitymindedenterprisesarealsorightlyskepticalofrunningfirewallswithinahypervisorthatisbetweenthethreatandthefirewall.

    Gartnermarketdataindicatesthat,in2014,thenumberofvirtualversionsoffirewallssoldremainedflatatlessthan2%.Amongthe95referencecustomerssurveyedforthisMagicQuadrant,0%listed"virtualversionavailable"asatopthreereasontheyselectedtheircurrentvendor,whereas53%selected"throughput/speed"asatopthreereason,andapproximately30%ofrespondentsselected"price"(34%),"managementconsole/reporting"(32%),"IPS"(32%),"applicationcontrol"(29%),and"highavailability/clustering"(27%).

    Nodynamicshifttowardvirtualapplianceswilloccuruntilafundamentalchangetothecurrentnetworksecurityvirtualizationmarketismadeanddemanddrivesvendorinnovation.

    TheFirewallMarketSlowsDownonAcquisitions,butRemainsDynamicAcquisitionsinthefirewallspacesloweddownin2014from2013'sbreakneckpace,butgrowthremainedrobust.

    Duringtheevaluationperiod,thefirewallmarketgrew9.5%to$9.5billion.For2015,Gartnerestimatesthefirewallmarketwillgrowapproximately10%toreach$10.5billionin2015.Wealsoforecastthatthismarketwillreachacompoundannualgrowthrateof10%through2017,andwillbeelevatedbytheadditionoffirewalladdonssuchasIPSsandadvancedthreatdefenses.Gartnerbelievesthatthefirewallmarketis"atcapacity":Althoughthegrowthrateisjustaround10%,thisisthelargestsecurityproductmarket(fastapproaching$10billion),andincrementalmarketgrowthissignificant.Firewallrefreshesremainconstantatafiveyearaverage,soevenifgreatnewproductsemerge,incumbentfirewallsarerarelyrefreshedbeforetheyreachmaturity.Thisrefreshdynamicresultsinthemarketbeinglinear,ratherthanhavingmacrorefreshcyclesor"bumps"ofrefreshes,asinothermarkets.

    HaveSomeAdvancedThreatDetectionWithThatFirewallAdvancedthreatdetectionusinganetworksandbox,pioneeredbyFireEye,hasbecomearapidlygrowingmarket.Asadvancedthreatdefense/detectionfurtherpenetratesthemainstreammarket,firewallvendorshaveintroducedsolutionsoverthepastthreeyears.Thesefirewallattachedsandboxesaredeliveredmostlyascloudbasedsandboxespricedassubscriptionbasedservices.Mostofthefirewall

  • vendorsevaluatedhereeitherdeliveranetworksandboxtoday,orhaveitontheirshorttermroadmaps.Someofthesearebuiltbythefirewallvendors,othersaredeliveredthroughthirdpartypartnerships.

    Thusfar,we'veseenfirewallconnectedsandboxesappealmostlytobudgetconstrainedTypeBenterprisesthatwouldrathermaintainsingleconsolecontrolovertheirfirewallthandeployaseparateplatform.Asthedesiretodefendagainsttheadvancedthreatmorefullypermeatesthemainstreammarket,weexpectthatcustomerswillincreasinglyturntotheirfirewallvendorsfortheirnetworksandboxingneeds(see"MarketGuideforNetworkSandboxing").

    ConfusingUseof"Application"and"Firewall"inThreeDistinctProductsOverlappingterminologyandunclearmarketingcanleadtoconfusionamongthethreedistinctissuesofapplicationcontrol,WAFsandfirewallsonapplicationdeliverycontrollers(ADCs).ThefirewallapplicationcontrolapproachesusedbymostNGFWvendors(suchasCheckPoint,DellSonicWALL,FortinetandPaloAltoNetworks)aremostlyaboutcontrollingaccesstoexternalapplications,suchasFacebookandpeertopeer(P2P)filesharing.

    WAFsaredifferent:TheyareplacedprimarilyinfrontofWebserversinthedatacenters.PureplayWAFcompanies(suchasImperva)ordatacenterinfrastructurevendorsthatprovideWAFtechnologywithintheirADCsareconcernedwithprotectingcustominternalWebapplications.

    WhilesomeADCvendors(suchasF5)arenowofferingnetworkfirewallingwithintheirADCsaswell,GartnerdoesnotseeNGFWandWAFtechnologiesconvergingbecausetheyarefordifferenttasksatdifferentplacements.MosttraffictoenterpriseWebserversremainsencrypteduntilitreachestheADC,meaningtheownersoffirewallsandIPSsfacethedifficultdecisionofwhethertoengageSSLinspection,whichinvolvesaterminationandreencryptionofthesesessions(see"SecurityLeadersMustAddressThreatsFromRisingSSLTraffic"and"WebApplicationFirewallsAreWorththeInvestmentforEnterprises").

    AsGartneradvisesclients,mostenterpriseshaveasinglebrandofnetworkfirewallforallplacements,includingInternetfacing,virtualized,datacenterandbranch(see"OneBrandofFirewallIsaBestPracticeforMostEnterprises").Thesedatacenterfirewallswillbechallengedtogainanynoteworthyshareuntiltheycanprovidecompetitivefirewallingforallenterpriseplacements.Theycan,however,serveaspecializednicheofplacements,suchasincaseswherethedatacenterisaseparatebusinesswithitsownfirewalloperationsstaff.

    AsiaPacificContext22April2015

    Analyst(s):CraigLawson,AdamHils,MatthewCheung

    TheAsia/Pacificregionwillrepresentjustover11%ofthetotalenterprisenetworkfirewallmarketin2015.ItsdiverseculturesanddifferencesinmarketmaturitycreatespecificexpectationsandrequirementswhenAsia/Pacificenterprisesevaluatefirewallvendors.

    MarketDifferentiatorsFirewalltechnologycontinuestobeafundamentalelementofnetworksecuritystrategyforAsia/Pacificorganizations.Thisregionhasadifferentcompetitivelandscapetoothergeographiesduetoitssizeandgeopoliticalalignments.TheAsia/Pacificmarketisforecasttomakeup$926millionofthetotal$8.346billionspentonenterprisefirewalls(11%oftheglobalmarket)in2015.Thisoverallmarketisexpectedtogrowto$9.745billionby2017,withAsia/Pacificaccountingfor$1.12billion,or11%.

    TherearetwousageprofilesinAsia/Pacificconcerningfirewallacquisitionanddeployedfeatures:TechnologicallymoreadvancedAsia/Pacificcountries(suchasJapan,SingaporeandAustralia)haveasimilarfeatureadoptionratetotheU.S.andEurope,embracingmorerecenttrendssuchascloudbasedsandboxingmeanwhile,emergingAsia/Pacificcountries(China,Indonesiaandothers)arestillmovingthroughearlierphasesofnextgenerationfirewall(NGFW)featureadoption.

    TheAsia/Pacificregion'sdiversityintermsofgeography,culture,industryandeconomicmodelsmeanstherearevaryinglevelsofITorganizationmaturityandprocurementpolicies.ThisisdifferentinmakeupcomparedwiththeNorthAmericanandEuropeanmarketsthatpredominantlyoperateundersimilarsetsoflegislativerequirementsandalimitednumberofcurrencies.Asia/Pacific'sdiversitymeansthatvendorsmustsupportthesenuancesandthecostofdeliveryburdenswithinalargeregioncomposedofmanylargeandsmallcountries,eachwithitsownlegislative,cultureandcurrencyrequirements.InAsia/Pacific,anumberofvendorsdealwiththiscomplexitybyleveragingatieredvalueaddeddistributor/valueaddedreseller(VAR)model.

    Theeffectsonnetworksecurityvendors'salesandmarketshareinlightoftheU.S.surveillancerevelationsstartingin2013areyettobefullyseeninAsia/Pacific.WhileGartnerdoesnotexpectthistochangethesizeofthefirewallmarket,itislikelytochangethemarketshareofvendorsasnonU.S.customersmoveawayslightlyfromU.S.providers.ThiswillfavorAsia/Pacificnativesecurityprovidersthatwillbenefitfroma"builthere"sentimentthatisstronginsomebutnotallpartsofAsia/Pacific(see"TheSnowdenEffect:DataLocationMatters").

    ConsiderationsforTechnologyandServiceSelectionClientsinAsia/Pacificshowapreferenceforprovidersthathavealocalpresence,atleastforsalesandpresalessupport.Asia/Pacificorganizationsexpectsupportforlocallanguagesinboththeproductmanagementinterface,documentation(withreportingataminimum)andfortechnicalsupport.

  • WiththesteadytransitiontoapplicationandidentitybasednetworksecuritydeliveredbyNGFWs,vendorsalsoneedtosupportsocialnetworkingandbrowserapplicationsthatareheavilyusedinAsia/Pacific,althoughnotprevalentintheinaproduct'shomecountryofdevelopment.ExamplesincludeTencent(QQ,WeChat,QQBrowser)Weibo,Line,KakaoTalk,ViberandPPSEntertainment.DeepunderstandingofthisapplicationecosystemandsubsequentabilitytofilterisaproductdifferentiatorintheAsia/Pacificmarket.

    IntheemergingAsia/Pacificcountrieswithmorematureeconomies,priceisastrongdriver,andthemarketiscontinuingtoshowthatproductsdeliveringamajorityof"goodenough"featuresatapalatablepricewillcontinuetoholdandinsomecasestakesharefrommoreprominentbrands.Additionally,largescalethroughputisalsoanimportantfactorinthetelco/ISPverticalintheAsia/Pacific'sheavilypopulatedcountries.

    InsidematureAsia/Pacific(suchasJapan,Singapore,Australia,NewZealandandHongKong),NGFWfeaturessuchassecurityefficacy,advancedmanagementandrobustsupportareallvaluedbycustomers,asiscompetitivepricing.GartnerisalsoseeinghighlevelsofinterestinmaturecountiesintheregionforintegratedadvancedthreatdetectioncapabilitiesleadingtoincreasedattachrateinNGFWsales.Vendorsthatofferthis"feature"toadvancedAsia/Pacificcustomersaspartoftheiroverallarchitecturewillbemoresuccessfulthanpointproductvendors(seePredicts2015:InfrastructureProtection).

    NotableVendorsVendorsincludedinthisMagicQuadrantPerspectivehavecustomersthataresuccessfullyusingtheirproductsandservices.SelectionsarebasedonanalystopinionandreferencesthatvalidateITproviderclaimshowever,thisisnotanexhaustivelistoranalysisofvendorsinthismarket.Usethisperspectiveasaresourceforevaluations,butexplorethemarketfurthertogaugetheabilityofeachvendortoaddressyouruniquebusinessproblemsandtechnicalconcerns.ConsiderthisresearchaspartofyourduediligenceandinconjunctionwithdiscussionswithGartneranalystsandotherresources.

    CheckPointSoftwareTechnologies

    CheckPointhasasignificantexistingclientbaseinAsia/Pacificandhasconsistentlyoutsoldallcompetitorsintheregion'sfirewallmarket,whichvaluessecurityfeaturesandmanagingcomplexityaswellascompetitive,butnotthelowest,pricing.Thevendorhasstrongbrandrecognition,marketleadingfeatures,alargechannelandextensivecountrylevelcoverageinAsia/Pacific.WithNGFWadoptionratesinemergingAsia/PacificlaggingthoseinmatureAsia/Pacificandotherregions,thereisalargepotentialtomoveexistingandnewclientsontoitsNGFWplatform,inadditiontofeaturedrivencompetitivedisplacement.CheckPointhasalsoaddedadvancedthreatcapabilitiesviasandboxingtotheplatform,whichisanimportantbuyingfactorinAsia/Pacific.

    CheckPointshouldbeconsideredbysecurityconsciousorganizationswithintheAsia/Pacificregionforitsbreadthofsecuritycontent,regionalchannelsupportandrangeofappliances.

    Cisco

    Ciscohasasignificantshareofthesecuritymarketintheregionandhasleverageditsnetworkingheritageverysuccessfullyoveralongperiodoftimeinsalesofitsfirewallplatform.ItcontinuestobeaformidablevendorinthismarketdueprimarilytoitslargechannelandcrosssellingopportunityforAsia/Pacificpartnersandclients.Cisco'sintrusionpreventionandadvancedthreatdetectioncapabilitiesviatheSourcefireacquisitionareincludedwithintheASAwithFirePOWERproductsandcomplementedbythebroaderportfolioofWeb,emailandidentityproducts.ThisenablesCiscotocontinuetocompeteforpricesensitiveAPACbuyerswhileallowingforupgradesforclientsthatalsorequireadvancedsecurityfeatures.However,latelyCisco'ssalesinChinahavetakenadownturnbasedonrecentpublicfinancialannouncements,whichweattributetogeopoliticalmachinationsstemmingfromthe2013NationalSecurityAgency(NSA)disclosures.

    Ciscoshouldbeconsideredformidsizeandlargeenterprisesthatvalueasinglevendorfornetworkingandsecuritysolutions,Asia/Pacificwidefieldcoverageandchannelsupport.

    DellSonicWALL

    DellSonicWALLlagsbehindmanyenterprisefirewallsinregionalmarketpresence.Itispricecompetitive,however,withregionalvendors,buttodatehasnotdevelopedaneffectiveAsia/Pacificsaleschannel.SonicWALLcouldbenefitfromDell'srecentcommitmentofresourcestotheregion,particularlyChina.DellSonicWALL'srangeofapplianceshavelocalizedlanguagesupporttotargetorganizationsinChina,SouthKoreaandJapan,andwillhelpitappealtoorganizationsthatdemandalocallanguageexperience.

    SonicWALLshouldbeconsideredforAsia/PacificclientsthatarealreadyrunningDellinfrastructure,andasacompetitiveoptionforpriceconsciousmidmarketbuyersanddistributedenterpriseusecasesduetoitslargerangeofappliances.

    Fortinet

    Asia/PacificandJapanespeciallyrepresentahealthypercentageofFortinet'sworldwiderevenueshare,puttingitaheadofanumberofextraregionalcompetitorsintheregion.InmanyAsia/Pacificmarkets,Fortinetisthesecondlargestnetworksecurityvendor.FortinethasalsoinvestedinAsia/PacificwithR&DinBeijing,athreatresearchcenterinSingaporeandasupportcenterinMalaysia.Thisfostersitslocalpresenceaswellasitsproductlocalizationefforts.

    Fortinet'sfocusonlowercost,highthroughputfirewallapplicationspecificintegratedcircuit(ASIC)basedtechnologies,incombinationwithacompetitivesecurityfeaturesetandadvancedthreatcapabilities,has

  • givenitmarketappealintheregion,wherecost,rangeofappliancesandperformancearekeyrequirementsforusecasesthatconvergemultipletechnologiesonasingleappliance.

    FortinetshouldbeconsideredbyallmidmarketandlargeclientsduetoitsrangeofproductsandsupportoftheAsia/Pacificregion.

    HillstoneNetworks

    HillstoneNetworksisafirewallvendorheadquarteredbothinChinaandtheU.S.withanambitiontoexpandfurthergloballybyincreasingitspresenceintheU.S.andotherregions.Since2014,Hillstonehassetupoperationsanddistributors/resellersnetworksinmostregionsgloballynow,includingSoutheastAsia.Hillstonehasabroadportfolioofnetworksecurityproducts,butamajorityofrevenuecomesfromfirewall,targetingbothcarriersandenterprises.Hillstone'scustomerbaseismostlyinChina.

    AlthoughHillstonefocusedoriginallyondeliveringcommonfirewallfeaturesandfunctions,ithasmarketeditsiNGFWcapabilities("i"forintelligent)andasoftwaredefinednetwork(SDN)strategyinitsproductportfolio.ThesefeaturesdifferentiateHillstonefrommostofthecommodityfirewallvendorsfromChina.Hillstonelookstocompetewithglobalplayerswiththesefeatures.

    Hillstoneisalsoperceivedasapricecompetitivelocalprovider,anditshighperformanceandstabilityarecitedbycustomers.

    Huawei

    HuaweiisoneofthefewChinesenetworksecuritycompaniesthathasexpandeditsfootholdoutsidetheregion.MorethanhalfofHuawei'sfirewallrevenuecomesfromoutsideofChina,buttherestofAsia/PacificisrelativelyasmallmarketinHuawei'soverallrevenuesplit.Huawei'ssecurityproductsaresoldwidelytobothenterprisesandtelecomoperators.

    Huawei'skeydifferentiatorsareitsintegrationwithitsnetworkingbusiness,competitivepricingandrelationshipwithtelecomoperators.AlthoughHuaweisecurityispartofitsnetworkingandsecuritydivision,Huaweisecurityhasitsownsecuritysalesteamanddedicatedchannelpartners.

    Huaweisecuritysolutionsshouldbeconsideredbyclientsvaluingthesamenetworkandsecurityvendor,prospectswithinChina,andadditionallywherepriceisaprimarybuyingconsideration.

    JuniperNetworks

    JuniperNetworksdoesagreaterpercentageofitsfirewallbusinessinAsia/Pacificthanmostglobalvendors,continuingitslongtimelegacyofservingregionalcustomers'firewallneeds.JuniperNetworkshasaprovennetworkingchannelintheregion,andithasleveragedtosellitsSRXproductline.JuniperNetworksalsoseessuccesswithmanagedsecurityserviceprovider(MSSP)partnersthatoftensellitsfirewalls(physicalorvirtual)asthedefaultoption,whichisduetocostandperformance.

    AsJuniperincreasinglyshiftsitssecurityemphasistohigherendcloudprovidersandtelecommunicationsareas,Asia/Pacificenterprisesshouldaskforroadmapcommitmenttocontinuedenterpriseclassproductdevelopmentandsupport.

    PaloAltoNetworks

    PaloAltoNetworksisseenasaninnovatorinfirewallsduetoitsearlytomarketnextgenerationfirewallfeatures.Asaconsequence,ithasmanywinsamongcustomersinAsia/PacificwithmorematureITadoptionprofiles.ThecompanyhasinvestedinAsia/Pacificandhasestablishedaviablepresence,butcustomeradoptionofPaloAltoNetworks'technologyisnotasstrongonarelativebasiswhencomparedwithNorthAmericaandEurope.Thisisduetoconsiderablecompetitionfromregionallystrongplayers(Huawei,Hillstone),thestrengthinAsia/Pacificofentrenchedglobalplayers(Cisco,CheckPoint,Fortinet)andtherelativesizeofPaloAltoNetworks'Asia/Pacificstaffingandchannel.

    Advancedfeaturescontinuetomakeitaworthyshortlistcandidatefor"leanforward"Asia/PacificorganizationswiththeskillsandbudgetnecessarytoleveragePaloAltoNetworks'"nextgeneration"featuresandsecuritycontent.GartnerexpectsitsintegratedadvancedthreatpreventionarchitecturetobeastrongfeaturedifferentiatorintheAsia/PacificNGFWmarket.

    LeanforwardorganizationswithintheAsia/PacificregionwithasecurityovercostpreferenceshouldconsiderPaloAltoNetworksfortheirshortlists.

    Sophos

    NottraditionallyalargeplayerintheAsia/Pacificenterprise,Sophos,withitsFebruary2014acquisitionofIndiabasedCyberoam,hasbolstereditspresenceintheregion,especiallySouthAsia.Cyberoam'sproductlinehasexcelledatuseridentitycontrolandhasembeddedreportingitscustomerslike.Inaddition,Cyberoamhasaddedfeaturestoappealtoindustrialenterpriseusecases.SophosisintheprocessofintegratingdifferentiatedfeaturesofthelegacySophosandCyberoamproductlines,buttheCyberoamappliancesremainavailable.Clientsshouldassesstheoutcomesoftheproductlinesmergingtoensurethisprocessstillalignswithtacticalandstrategicproductchoices.

    SouthAsianorganizationslookingforalowcostregionaloptionwithadvancedidentitybasedcontrolsshouldevaluateSophosasashortlistcandidate.

    WatchGuard

    WatchGuard'sregionalpresenceintermsofthenumberofitsAsia/Pacificcustomermixisaboutonparwithitsextraregionalcompetitors.Overthepastseveralyears,WatchGuardhasgrownitspresencein

  • theregionwithadditionalstaff.IthasasimilargotomarketapproachwithitstechnologyasvendorslikeFortinet,offeringagoodrangeandfeaturesofNGFWandunifiedthreatmanagement(UTM)appliancesatcompetitivepricing.Thissuitssmaller,midmarketAsia/Pacificclients.WatchGuardhasalsopartneredtodeliverpayloadadvancedpersistentthreat(APT)detectionfunctionality,whichisincreasinglybecomingatablestakescomponentofperimeterarchitecturesinAsia/Pacific.

    WatchGuardshouldbeconsideredbymidmarketandgeographicallydispersedAsia/Pacificbusinessesthatrequireamixofsecurityfeaturesatacompetitiveprice.

    Wins

    WinsisheadquarteredinSouthKorea,whereitalreadyhasadomesticallysuccessfulnetworkintrusionpreventionsystem(IPS)offering.ItsNGFWincludesthesameIPSengine.ThecompanycompetesprimarilyinSouthKoreaandJapan.AlthoughWinsisexpandingintoIndonesia,Malaysia,SingaporeandotherpartsofSoutheastAsia,GartnerhasseenitsproductsmostlyinWins'corenations.KoreanandJapanesecustomersshouldconsiderthisvendorforinclusiononfirewallshortlists.

    WinsshouldbeconsideredbyclientsinWin


Magic Quadrant for Enterprise Network Firewallspaniz.co/media/attachments/2018/01/15/magic-quadrant-for... · 2018. 1. 15. · Magic Quadrant for Enterprise Network Firewalls Published:

Magic Quadrant for Enterprise Network Firewallspaniz.co/media/attachments/2018/01/15/magic-quadrant-for... · 2018. 1. 15. · Magic Quadrant for Enterprise Network Firewalls Published:

Documents
Magic Quadrant for Customer Communications … Quadrant for Customer...Magic Quadrant Figure 1. Magic Quadrant for Customer Communications Management Software Source: Gartner (November

Magic Quadrant for Customer Communications … Quadrant for Customer...Magic Quadrant Figure 1. Magic Quadrant for Customer Communications Management Software Source: Gartner (November

Documents
Magic Quadrant - IAAS

Magic Quadrant - IAAS

Documents
Magic Quadrant for Data Integration Tools Papers/Magic Quadrant for...Magic Quadrant for Data Integration Tools 22/02/15 12:04 Magic Quadrant Magic Quadrant for Data Integration Tools

Magic Quadrant for Data Integration Tools Papers/Magic Quadrant for...Magic Quadrant for Data Integration Tools 22/02/15 12:04 Magic Quadrant Magic Quadrant for Data Integration Tools

Documents
Magic Quadrant for Enterprise Governance, Risk - SAPfm.sap.com/data/UPLOAD/files/Gartner_Magic_Quadrant... · Magic Quadrant for Enterprise Governance, ... This Gartner Magic Quadrant

Magic Quadrant for Enterprise Governance, Risk - SAPfm.sap.com/data/UPLOAD/files/Gartner_Magic_Quadrant... · Magic Quadrant for Enterprise Governance, ... This Gartner Magic Quadrant

Documents
Magic Quadrant for Midrange and High-End Modular Disk …marketing.dell.com/Global/FileLib/Compellent/magic-quad-compell... · Magic Quadrant for Midrange and High-End ... Magic Quadrant

Magic Quadrant for Midrange and High-End Modular Disk …marketing.dell.com/Global/FileLib/Compellent/magic-quad-compell... · Magic Quadrant for Midrange and High-End ... Magic Quadrant

Documents
Magic Quadrant for Application Delivery Controllersvalleytalk.org/wp-content/uploads/2014/06/2013-Gartner-ADC-Magic... · Magic Quadrant Figure 1. Magic Quadrant for Application Delivery

Magic Quadrant for Application Delivery Controllersvalleytalk.org/wp-content/uploads/2014/06/2013-Gartner-ADC-Magic... · Magic Quadrant Figure 1. Magic Quadrant for Application Delivery

Documents
Magic Quadrant for Advanced Analytics Platformssemanticommunity.info/@api/deki/files/28638/GartnerMagicQuadrant... · Magic Quadrant Figure 1. Magic Quadrant for Advanced Analytics

Magic Quadrant for Advanced Analytics Platformssemanticommunity.info/@api/deki/files/28638/GartnerMagicQuadrant... · Magic Quadrant Figure 1. Magic Quadrant for Advanced Analytics

Documents
Magic Quadrant for Enterprise Network Firewalls...WAF Web application firewall EVIDENCE This Magic Quadrant was conducted in accordance with Gartner's well-defined methodology. The

Magic Quadrant for Enterprise Network Firewalls...WAF Web application firewall EVIDENCE This Magic Quadrant was conducted in accordance with Gartner's well-defined methodology. The

Documents
Magic Quadrant for Web Application Firewalls Quadrant for Web Application Firewalls 17 June 2014 ID:G00259365 Analyst(s): Jeremy D'Hoinne, Adam Hils, Greg Young, Joseph Feiman VIEW

Magic Quadrant for Web Application Firewalls Quadrant for Web Application Firewalls 17 June 2014 ID:G00259365 Analyst(s): Jeremy D'Hoinne, Adam Hils, Greg Young, Joseph Feiman VIEW

Documents
Magic Quadrant for Unified Threat Management (SMB … Gartner... · 2018-03-09 · (see "Magic Quadrant for Enterprise Network Fir ewalls" and "Next-Generation Firewalls and Unified

Magic Quadrant for Unified Threat Management (SMB … Gartner... · 2018-03-09 · (see "Magic Quadrant for Enterprise Network Fir ewalls" and "Next-Generation Firewalls and Unified

Documents
Magic Quadrant for Enterprise Network Firewalls - …eqinc.com/.../Magic-Quadrant-for-Enterprise-Network-Firewalls-April...Magic Quadrant for Enterprise Network Firewalls 4/24/15,

Magic Quadrant for Enterprise Network Firewalls - …eqinc.com/.../Magic-Quadrant-for-Enterprise-Network-Firewalls-April...Magic Quadrant for Enterprise Network Firewalls 4/24/15,

Documents
Magic Quadrant for User Authentication - Securite€¦ · Magic Quadrant for User Authentication - Securite ... Quadrant

Magic Quadrant for User Authentication - Securite€¦ · Magic Quadrant for User Authentication - Securite ... Quadrant

Documents
Magic Quadrant for Integrated Software Quality Suitesdocs.media.bitpipe.com/io_11x/io_113461/item_818827/Gartner Magic... · Magic Quadrant Magic Quadrant for Integrated Software

Magic Quadrant for Integrated Software Quality Suitesdocs.media.bitpipe.com/io_11x/io_113461/item_818827/Gartner Magic... · Magic Quadrant Magic Quadrant for Integrated Software

Documents
Magic Quadrant for Single-Instance ERP for Product … Magic Quadrant for Single-Instance ERP for Product-Centric Midmarket Companies Magic Quadrant companies

Magic Quadrant for Single-Instance ERP for Product … Magic Quadrant for Single-Instance ERP for Product-Centric Midmarket Companies Magic Quadrant companies

Documents
Magic Quadrant for Multichannel Campaign Managementtokarasolutions.com/wp-content/uploads/2015/02/Gartner-MCCM-MQ... · Magic Quadrant for Multichannel Campaign ... Magic Quadrant

Magic Quadrant for Multichannel Campaign Managementtokarasolutions.com/wp-content/uploads/2015/02/Gartner-MCCM-MQ... · Magic Quadrant for Multichannel Campaign ... Magic Quadrant

Documents
Magic Quadrant for Application Performance Monitoring Suites · Magic Quadrant Figure 1. Magic Quadrant for Application Performance Monitoring Suites Source: Gartner (December 2015)

Magic Quadrant for Application Performance Monitoring Suites · Magic Quadrant Figure 1. Magic Quadrant for Application Performance Monitoring Suites Source: Gartner (December 2015)

Documents
Magic Quadrant for User Authentication - Securitesecurite.net.au/.../2014/05/Magic-Quadrant-for-User-Authentication.pdf · 3/13/13 Magic Quadrant for User Authentication ... SAML

Magic Quadrant for User Authentication - Securitesecurite.net.au/.../2014/05/Magic-Quadrant-for-User-Authentication.pdf · 3/13/13 Magic Quadrant for User Authentication ... SAML

Documents
Magic Quadrant for Unified Threat Management - …branden.biz/.../09/Magic-Quadrant-for-Unified-Threat-Management.pdf · Magic Quadrant for Unified Threat Management Published: 30

Magic Quadrant for Unified Threat Management - …branden.biz/.../09/Magic-Quadrant-for-Unified-Threat-Management.pdf · Magic Quadrant for Unified Threat Management Published: 30

Documents
Magic Quadrant for GeneralPurpose Disk Arraysitheadaches.com/.../uploads/2015/02/Magic-Quadrant... · 2/5/2015 Magic Quadrant for General-Purpose Disk Arrays ... in this Magic Quadrant

Magic Quadrant for GeneralPurpose Disk Arraysitheadaches.com/.../uploads/2015/02/Magic-Quadrant... · 2/5/2015 Magic Quadrant for General-Purpose Disk Arrays ... in this Magic Quadrant

Documents
Next-Generation Firewall with Palo Alto Networks€¦ · Palo Alto Networks is positioned as a Leader in the Gartner Magic Quadrant for enterprise network firewalls.* *Gartner Magic

Next-Generation Firewall with Palo Alto Networks€¦ · Palo Alto Networks is positioned as a Leader in the Gartner Magic Quadrant for enterprise network firewalls.* *Gartner Magic

Documents
Magic Quadrant for Customer Communications Management Softwarehosteddocs.ittoolbox.com/Magic Quadrant for... · Magic Quadrant Figure 1. Magic Quadrant for Customer Communications

Magic Quadrant for Customer Communications Management Softwarehosteddocs.ittoolbox.com/Magic Quadrant for... · Magic Quadrant Figure 1. Magic Quadrant for Customer Communications

Documents
Magic Quadrant for Unified Threat Management · 2016-10-20 · firewall markets (see "Magic Quadrant for Enterprise Network Firewalls" and "Next-Generation Firewalls and Unified

Magic Quadrant for Unified Threat Management · 2016-10-20 · firewall markets (see "Magic Quadrant for Enterprise Network Firewalls" and "Next-Generation Firewalls and Unified

Documents
Education Creatio Business Technology · Magic Quadrant for Enterprise Low-Code ApplicationPlatforms Magic Quadrant for the CRM CustomerEngagement Center Magic Quadrant for Intelligent

Education Creatio Business Technology · Magic Quadrant for Enterprise Low-Code ApplicationPlatforms Magic Quadrant for the CRM CustomerEngagement Center Magic Quadrant for Intelligent

Documents
Magic Quadrant for Enterprise Network Firewalls - · PDF fileMagic Quadrant for Enterprise Network Firewalls 15 April 2014 ID:G00258296 Analyst(s): Greg Young, Adam Hils, Jeremy D'Hoinne

Magic Quadrant for Enterprise Network Firewalls - · PDF fileMagic Quadrant for Enterprise Network Firewalls 15 April 2014 ID:G00258296 Analyst(s): Greg Young, Adam Hils, Jeremy D'Hoinne

Documents
Magic Quadrant for Enterprise Network Firewalls · Magic Quadrant for Enterprise Network Firewalls 15 April 2014 ID:G00258296 Analyst(s): Greg Young, Adam Hils, Jeremy D'Hoinne VIEW

Magic Quadrant for Enterprise Network Firewalls · Magic Quadrant for Enterprise Network Firewalls 15 April 2014 ID:G00258296 Analyst(s): Greg Young, Adam Hils, Jeremy D'Hoinne VIEW

Documents
Magic Quadrant for Enterprise Network Firewalls - Vertical Resources

Magic Quadrant for Enterprise Network Firewalls - Vertical Resources

Documents
Magic Quadrant Abril 2015 for Enterprise Network Firewalls

Magic Quadrant Abril 2015 for Enterprise Network Firewalls

Documents
Gartner Magic Quadrant

Gartner Magic Quadrant

Documents
Magic Quadrant for Web Application Firewalls June 2014

Magic Quadrant for Web Application Firewalls June 2014

Documents