CIO Update: Enterprise Firewall Magic Quadrant for 1H03

Transcription

1 IGG R. Stiennon Article 2 July 2003 CIO Update: Enterprise Firewall Magic Quadrant for 1H03 Deep packet inspection technology is driving the firewall market to an inflection point that is characterized by rapid changes in product evolution and the vendor space. Gartner s Enterprise Firewall Magic Quadrant helps enterprises evaluate vendors. Deep packet inspection technology is driving the firewall market to an inflection point that is characterized by rapid changes in product evolution and the vendor space. Gartner s Enterprise Firewall Magic Quadrant helps enterprises evaluate firewall vendors. Firewall Market Trends Network-level firewalls have become commodity products. Enterprises must make security decisions based on deep packet inspection of application content, in addition to simple stateful protocol filtering. Gartner believes that firewalls must provide a wider range of intrusion prevention capabilities, or face extinction. Gartner has updated its criteria for firewall market leadership to heavily weight ability to execute and vision in migrating to the next generation of firewalls. Firewalls long have been able to enforce security policies based on who or what gets to connect to which service or machine. However, the content of the packets allowed through has been invisible to the firewall. Firewalls typically look at only header information, so they have limited ability to block attacks based on packet content. However, new worms, malicious code and cyberattacks have targeted application weaknesses, and more applications and protocols are tunneling through the firewall by connecting over port 80 and, in some cases, encapsulating in HTTP or S-HTTP (Secure HTTP) formats. The greatest recent shakeup to the security area occurred in 2001, when Nimda, a multiheaded worm, exploited a vulnerability in the Microsoft Internet Information Server to infect hundreds of thousands of servers. This exploit was not detected by intrusion detection systems (IDSs), nor blocked by firewalls or antivirus software. Many enterprises experienced significant downtime and financial losses because of Nimda. In 2003, the SQL Slammer worm proved that although many enterprises had done a better job of patching Windows vulnerabilities, firewalls were still not providing useful protection at the application level. Application and Web Defense Products Gartner Entire contents 2003 Gartner, Inc. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.

2 Most investments in security are still in response to pain that is, reactive vs. proactive planning and risk assessment. Nimda caused visceral pain that has spawned investments in dozens of new products that emerged to address application vulnerability. Gartner recommends positioning these network devices in front of critical servers, typically in the transaction zone. These devices are in-line and apply security policies to protect the assets behind them. Gartner believes that application and Web defense products are firewalls, although they are not marketed as such. Several products meet the criteria for an enterprise firewall, including central management, a good graphical user interface, logging and reporting. Others exhibit the security capabilities of a firewall, but are several generations away from becoming a network s sole defense. They lack only the addition of a network stateful inspection capability. Magic Quadrant Criteria In this fresh look at perimeter defenses, Gartner modified the criteria used to determine positions on the Magic Quadrant for Enterprise Firewalls, 1H03 (see Figure 4). Figure 4 Gartner s Magic Quadrant for Enterprise Firewalls, 1H03

3 Challengers Leaders Cisco Systems Check Point Software Technologies NetScreen Technologies Ability to Execute Microsoft F5 Networks Symantec Mazu Networks Array Networks Radware SonicWALL ipolicy Networks Blue Coat Systems Sanctum Top Layer Networks Secure Computing Teros Network Associates (IntruVert) WatchGuard Technologies Whale Communications NetContinuum Fortinet TippingPoint Technologies Kavado Source: Gartner Niche Players Completeness of Vision Visionaries As of June 2003 Ability to Execute History of success in the traditional firewall market Financial strength, such as increasing revenue, the size of investment, number of employees and other factors Partnerships and channels, including partnerships with high-speed processing platforms and content inspection leaders Completeness of Vision Recognizes and blocks attacks based on protocol anomalies, signatures of attacks, content inspection, behavior (usually based on history of use) and traffic volume Builds solutions that address enterprises needs

4 Invests in specialized network processing hardware application-specific integrated circuits (ASICs) to perform deep packet inspection at wire speeds Enables central management of many remote devices Able to load balance or configure in a highly available mode Provides logging and reporting functionality Quickly rolls out new application defenses based on the ability to perform deep packet inspection Vendors that introduce new protection capabilities on an extremely short production cycle best leverage the strength of their investment in processing power for example, performing antivirus functions in-line, proxying instant messaging (IM), and providing Domain Name System and sendmail defenses. The greatest challenge will be to perform full Extensible Markup Language (XML) parsing and filtering. The ability to decrypt a Secure Sockets Layer (SSL) session, perform inspection and filtering, and re-establish the SSL session is also heavily weighted. To be considered Challengers, Visionaries or Leaders, vendors must combine network-level and application-level firewall capabilities in an integrated product. Vendors that have only one or the other will be Niche Players. Leaders Gartner believes that because of the trends described above, the enterprise firewall market is immature again. The market share leaders will not necessarily dominate as they previously have done. Therefore, no Leaders are identified in the 1H03 Magic Quadrant, although Gartner expects that several products will qualify for the Leaders Quadrant by the end of Challengers Check Point Software Technologies has recognized that the market is moving from access control to application defense, and it has rolled out a SmartDefense subscription service in which customers can get pre-configured defenses against newly discovered attacks. It recently launched Application Intelligence to ease management of application defenses. Application Intelligence relies on a combination of Check Point s stateful inspection engine and services, or software proxies. Gartner believes that this approach is not adequate for 100-percent deep packet inspection at wire speeds. Check Point will need to invest in silicon to compete. It likely will leverage its market-leading Firewall- 1 product line s best-of-breed management and graphical user interface to develop the added security functions of a deep packet inspection product. Cisco Systems has changed its market-leading focus on network security and is now committed to end-point security, as evidenced by its purchase of Okena, a host protection company (see Cisco to Buy Okena, Try to Compete in Security Software ). It may have recognized the need for integration because it has pulled together these elements into a single group. Cisco will need to combine separate products in intrusion detection and firewall with content inspection capabilities that it could derive from internal or external sources.

5 NetScreen Technologies was the first major firewall vendor to recognize the importance of deep packet inspection by purchasing one of the first intrusion prevention vendors, OneSecure. Today, the NetScreen Intrusion Detection and Protection appliance must be deployed behind the firewall to obtain full application defense. NetScreen s challenge is to deliver on its promise to produce an appliance that incorporates stateful inspection firewall and intrusion prevention functionalities by third-quarter The vendor also must show that it has the management capabilities to make this transition while continuing to grow. Radware is a content-switching appliance vendor that has added security features to its product line. Its application switches can block hundreds of attack signatures at wire speeds. Incorporating SSL termination and application defense, as well as stateful firewall capabilities, in the same appliance would make Radware a serious contender in this space. Visionaries Fortinet has demonstrated its investment in powerful network processing technology by filtering viruses in-line, which requires an unprecedented level of packet assembly and filtering. Fortinet has reached an impressive level of revenue in its first year of production because of its initial market penetration at the very low end of appliances. It will have to address the fact that many competitors in the Visionaries Quadrant have concentrated on SSL termination vs. traditional IPsec, or Internet Protocol Security, virtual private networks (VPNs). NetContinuum is the only deep packet inspection vendor that has architected its appliance to protect the privacy of communication going through it. Its split brain solution provides for management and policy setting on a separate CPU from the packet assembly, as well as filtering functions that reside on an ASIC with extremely high-speed processing capabilities for SSL termination, packet assembly and filtering. This may prove to be a deciding factor in purchase decisions where that separation is important. Network Associates has purchased IntruVert Networks. As an early player in the intrusion prevention space, IntruVert has gained market traction for its products, which take IDSs a critical step forward to blocking attacks in-line. Network Associates must recognize that it has re-entered the firewall space, and provide R&D and customer support, to be a Leader in next-generation firewalls. TippingPoint Technologies has most closely created a comprehensive network protection device, although it has been slow to gain customers because of its industry-leading marketing message of prevention vs. detection. Designed to be placed directly behind the firewall and provide protection across the spectrum of protocols, TippingPoint s product is poised to move to the gateway position with the addition of a complete set of network firewall filtering and reporting functions. Niche Players Blue Coat Systems is the reincarnation of CacheFlow, the network proxy vendor. Similar to F5 Networks, Blue Coat has recognized that the position of its product in front of critical Web servers as well as its content switching ability are the elements needed to provide protection for Web servers. An example of the power of deep packet inspection is Blue Coat s recent quick development and introduction of an IM proxy solution that allows enterprises to apply security policies to IM traffic. Blue Coat is the product of choice for secure proxying of outbound connections.

6 F5 Networks has recognized that load balancing, SSL termination and content switching rely on the same processing capabilities that are needed for a security appliance. The recent introduction of network attack blocking is F5 s first foray into the protection space. F5 s challenge is to pick a technology partner (or make an acquisition) with security domain expertise that can help it leverage its hardware and installed base to be a significant player in the firewall market. Microsoft, with its Internet Security Acceleration Server, offers a powerful software proxy and it is evolving into Microsoft s lead security product, with built-in application defense and access controls. Although the Internet Security Acceleration Server is good technology, it is trailing market expectations because most enterprises look for hardware gateway devices, not software running on general-purpose operating systems. Secure Computing has delivered on its promise to take the best of Gauntlet (acquired from Network Associates) and combine it with the best of Sidewinder, its own software firewall. The combined product, SidewinderG2, represents the freshest and most-advanced software proxy firewall, with central management and ease of deployment. Enterprises will continue to find positions in their networks for the specialized capabilities that are available from SidewinderG2. SonicWALL has been slow to move into the application defense space with an offering to address recent activity by Check Point and NetScreen. An investment in hardware-based network processing capabilities would give SonicWALL an opportunity to continue to translate large enterprise solutions into products that its small and midsize business customers demand. Symantec remains a Niche Player in the firewall space. The old Raptor technology in the Symantec Enterprise Firewall is being replaced more often than it is purchased a negative adoption rate. The Symantec Secure Gateway Appliance is new software running on an appliance that provides firewall, IDS, content filtering VPN and antivirus functionalities. This is a good solution for the small and midsize business market, and perhaps for remote offices. WatchGuard Technologies is profiting from its series of low-cost, easy-to-manage appliances. Its RapidStream purchase gave it the technology for more-advanced application defenses, while supporting Check Point Firewall-1 and virtual local-area networks. Whale Communications is focusing on the SSL VPN space. Whale s technology can process any payload traffic and apply security policies to it. Array Networks, ipolicy Networks, Kavado, Magnifire, Mazu Networks, Sanctum, Teros and Top Layer Networks each combine hardware appliances with application defense capabilities to address various attacks. Not on the Magic Quadrant Some firewall vendors, such as BorderWare Technologies and CyberGuard, greatly rely on software proxies for application defense. However, they have matured considerably and added improvements, as well as management capabilities, to these proxies. Several vendors, such as DataPower Technology and Reactivity, are targeting XML firewall functionality. Parsing XML and checking for protocol anomalies at wire speeds are daunting tasks because in theory, the schema could be different for every message. Decrypting, checking digital

7 signatures and blocking malicious code are other tasks that drive innovation in this arena. These tasks will require the most investment in hardware acceleration. Bottom Line The first major innovation in gateway security since stateful inspection is embodied in deep packet inspection firewalls. Leading vendors will offer the ability to assemble and inspect packet payloads at wire speeds. Enterprises should redirect intrusion detection system investments toward application defenses such as those offered by the thought-leading firewall vendors in the Magic Quadrant for Enterprise Firewalls, 1H03. Written by Edward Younker, Research Products Analytical source: Richard Stiennon, Gartner Research This article is an excerpt of a chapter from a new Gartner report, Securing the Enterprise: The Latest Strategies and Technologies for Building a Safe Architecture. The report is an offering of the Gartner Executive Report Series, a new business venture of Gartner Press that provides buyers with comprehensive guides to today s hottest IT topics. For information about buying the report or others in the Executive Report Series, go to For related Inside Gartner articles, see: CIO Update: IT Security Management and Gartner s Magic Quadrant, (IGG ) CEO and CIO Update: Establish a Strong Defense in Cyberspace for Information Security, (IGG ) Management Update: What You Should Know About the Antivirus Market, (IGG ) CIO Update: Enterprise Security Moves Toward Intrusion Prevention, (IGG ) Management Update: Security Strategies for Enterprises Using Web Services, (IGG )