IGG-11202002-02
J. Pescatore, M. Easley, R. Stiennon
Article
20 November 2002

CIO Update: Security Platforms Will Transform the Network Security Arena

An integrated network security platform approach will increase network security and reduce the cost of ownership for perimeter security, while preserving best-of-breed options.

CIOs and other executives are interested in insights on how network-based applications can be made safe for mission-critical businesses.

The Rise of Network Security Platforms

Best-of-breed security solutions have long been the most effective choices for securing enterprise networks. However, that approach has resulted in the deployment of a disparate set of products for firewall, intrusion detection, antivirus blocking, vulnerability analysis and other network-centric security functions. That has led to gaps in protection and a high cost of ownership because of the need for multiple management consoles and a lack of integration. Gartner believes that the rise of network security platforms will enable best-of-breed security solutions to blur the lines between firewalls, network-based intrusion detection and vulnerability scanning, as well as other network-centric security technologies.

What Are Network Security Platforms?

Network security platforms are network-attached devices that can apply multiple security functions (at a minimum, firewall, intrusion detection and vulnerability scanning) at wire speeds. They provide environmental inputs (power, cooling and console) for the security capabilities, a common backplane for communications, and a control structure for communications between, and control across, the security processing functions.
Network security platforms use a variety of algorithms and techniques to inspect incoming and outgoing network traffic to determine whether connections and payloads are dangerous to enterprises. The platforms decide whether to raise an alert regarding suspected malicious activity or to take specific actions, such as blocking connections, dropping packets or terminating sessions, when malicious activity is detected. The platforms perform functions that are currently performed by firewall (network- and application-level), intrusion detection, vulnerability assessment, gateway antivirus and URL blocking products. Many network security platforms will include virtual private network capabilities. However, Gartner believes that such capabilities will not be long-term platform requirements, except for site-to-site connections.

Entire contents © 2002 Gartner, Inc. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.

Network security platforms must run at wire speeds; for most enterprises, that will be in the 100 Mbps (megabits per second) to 1 Gbps (gigabits per second) range for single connections, and much higher for multiple networks. For "in the cloud" security applications, in which telecom and Internet service providers perform security processing in the network, throughput of 2 Gbps or higher will be required. Those requirements will drive most network security platforms to be based on custom application-specific integrated circuits (ASICs) or network security processors to support complex processing at high data rates. However, the platforms must still support software-based updates, customization and scripting, as software-based systems do. Hardware-based stack and protocol processing will be required to perform deep packet inspection without introducing unacceptable network latency. Software processing that runs on generic computing platforms will be sufficient where the network security platform will be used primarily for detection rather than prevention, where applications are simple or repetitive, or where network data rates are low enough (see Figure 3).

Figure 3
Network Security Management Through 2006
[Figure: a 2002 to 2006 timeline in which separate firewall, intrusion detection, vulnerability assessment and gateway antivirus products converge into network security platforms, shown in three performance bands: 1 Gbps or more (in-the-cloud security services), enterprise intrusion prevention, and 100 Mbps or less (intrusion prevention appliances).]
Source: Gartner Research

Types of Network Security Platforms

The four primary types of network security platforms are:

Closed integrated platforms. The network security platform vendor implements all security functions in a proprietary environment and can integrate processing across functions, which enables security functions to make processing decisions based on the results of other processing functions.
Vendors in this category include TippingPoint, NetScreen, BlueCoat Systems and Array Networks.

Closed separate platforms. The vendor implements all security functions in a proprietary environment without supporting integration across functions. Vendors include Symantec, with its initial Gateway Security product, and Cisco Systems, with its blade approach.

Open integrated platforms. The vendor licenses security functions from other vendors (or supports open source) or partners with multiple security vendors that port their applications to the network security platform, and integrates processing across those functions. Vendors include Nortel Networks/Alteon, CloudShield and Ingrian Networks.

Open separate platforms. The vendor licenses security functions from other vendors (or supports open source) or partners with multiple security vendors that port their applications to the platform. However, integrated processing across functions isn't supported. Vendors include Crossbeam Systems, Blade Fusion and OmniCluster.

Closed integrated platforms offer more-effective security via tighter integration between functions, but they require that enterprises abandon the best-of-breed approach to individual functions. Open integrated platforms enable enterprises to stay with best-of-breed options and preserve investments in network security products, as well as reduce the need to migrate security policies to new products. Both types of separate platforms will be interim offerings until fully integrated capabilities are available. Meaningful integration across functions is a complex issue; Gartner believes that this integration will not provide reliable results until 2H04.

Within these types of platforms, different performance and price points will emerge:

Carrier class. Products that run at OC-24 (Optical Carrier Rate 24, 1.24 Gbps) and higher rates, and that allow network service providers to offer "in the cloud" security services, which eliminate the need for customer premises equipment and enable low-cost managed service offerings.

Enterprise class. Platforms that can process multiple 100 Mbps networks and that are used by Global 2000-class enterprises as enterprise intrusion prevention systems.

Small-and-midsize-enterprise class. Products that offer limited flexibility or operate at 100 Mbps or lower rates, at low price points.

Types of Network Security Platform Vendors

Network security product vendors will migrate to offering security platforms, and network performance management vendors will also provide such platforms. Network-security-focused vendors (such as firewall, intrusion detection and gateway antivirus companies) will begin to offer security platforms to meet the challenges of blended and application-level attacks, and to address market demand for lower total cost of ownership. By 2006, 60 percent of firewall and intrusion detection functionality will be delivered via network security platforms (0.6 probability).
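To make the difference between integrated and separate platforms concrete, the following is an added example written for this page; it is not code from any of the vendors named above. It models one connection passing through three functions on a platform: a firewall policy, an intrusion detection signature set and a vulnerability assessment (VA) inventory. In "separate" mode each function acts alone and the IDS can only raise an alert; in "integrated" mode the IDS verdict is combined with the VA result before the firewall function terminates a session. The addresses, signatures, vulnerability labels and the `Connection`, `Signature`, `VA_RESULTS` and `decide` names are all constructed for the example, as is the design choice that a host the VA function has never scanned is treated as exposed (fail closed).

```python
"""Added example (not vendor code): one connection through firewall, intrusion
detection and vulnerability-assessment functions, in 'separate' and
'integrated' modes. All addresses, signatures and vulnerability labels are
constructed for illustration."""
from dataclasses import dataclass
from typing import Optional
import re


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    sid: int
    dport: int
    pattern: "re.Pattern[bytes]"
    vuln: str   # constructed label of the weakness the matched exploit targets


# Firewall function: a minimal inbound policy permitting only web ports.
ALLOWED_PORTS = {80, 443}

# Intrusion detection function: payload signatures for the permitted ports.
SIGNATURES = (
    Signature(1001, 80, re.compile(rb"/default\.ida\?N{10,}"), "iis-ida-overflow"),
    Signature(1002, 80, re.compile(rb"(\.\./){2,}"), "web-path-traversal"),
)

# Vulnerability assessment function: last scan result per protected host.
# A host absent from this table has never been scanned.
VA_RESULTS = {
    "10.0.0.5": {"iis-ida-overflow"},   # unpatched web server
    "10.0.0.6": set(),                  # fully patched web server
}


def firewall(conn: Connection) -> str:
    return "allow" if conn.dport in ALLOWED_PORTS else "deny"


def intrusion_detection(conn: Connection) -> Optional[Signature]:
    for sig in SIGNATURES:
        if sig.dport == conn.dport and sig.pattern.search(conn.payload):
            return sig
    return None


def vulnerable(host: str, vuln: str) -> bool:
    """True if VA data says `host` is exposed to `vuln`. A host with no scan
    result is treated as exposed, so a coverage gap fails closed, not open."""
    found = VA_RESULTS.get(host)
    return True if found is None else vuln in found


def decide(conn: Connection, mode: str) -> str:
    """Return the platform's action for one connection: allow, drop, alert or block."""
    if firewall(conn) == "deny":
        return "drop"            # policy decision; no payload inspection needed
    sig = intrusion_detection(conn)
    if sig is None:
        return "allow"
    if mode == "separate":
        return "alert"           # the IDS has no channel to the firewall or to VA data
    if mode != "integrated":
        raise ValueError(f"unknown mode {mode!r}")
    # Integrated: an IDS hit against a host VA reports as exposed makes the
    # firewall function terminate the session; a hit against a patched host is
    # logged as an alert only, which trims the false-alarm load on operators.
    return "block" if vulnerable(conn.dst, sig.vuln) else "alert"


if __name__ == "__main__":
    exploit = Connection("192.0.2.10", "10.0.0.5", 80,
                         b"GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0\r\n")
    for mode in ("separate", "integrated"):
        print(mode, decide(exploit, mode))
```

The point of the example is the last line of `decide`: only an integrated platform can turn a signature match into a blocking action that is conditioned on another function's output, which is the "processing decisions based on the results of other processing functions" the closed integrated category describes, and it is also where enterprise testing has to confirm that the combined behaviour is correct rather than just each function in isolation.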
Content-switching and load-balancing vendors will add security functionality to their platforms, which already offer high-speed processing and deep packet inspection for making caching and load-balancing decisions. These vendors view security as a new revenue stream from their installed base, and as a way to counter the threat of network security platform vendors that are adding switching and load-balancing functions to their platforms. Although content-switching and load-balancing vendors have extensive experience in wire-speed traffic processing, they don't have deep security expertise. That will prompt network performance vendors to acquire network security technology companies that specialize in deep packet processing.

Market Road Map for Network Security Platforms

In 2002, firewall vendors such as Check Point Software, Symantec and NetScreen took steps toward becoming network security platform vendors:

Check Point announced SmartDefense, which integrates intrusion detection capabilities into Firewall-1.

Symantec's Gateway Security product combines firewall, intrusion detection, gateway antivirus and URL blocking functions in one appliance.

NetScreen's implementation of simple, signature-based filtering and its acquisition of OneSecure were strong moves in the platform direction.

Gartner's Firewall Magic Quadrant for 2H02 provides an assessment of the major firewall vendors (see Figure 4).

Figure 4
Firewall Magic Quadrant for 2H02
[Figure: the quadrant, as of August 2002, plots vendors on Ability to Execute against Completeness of Vision across the Leaders, Challengers, Visionaries and Niche Players quadrants. Vendors shown: Check Point Software, Cisco Systems, Symantec, Microsoft, NetScreen, Stonesoft, Whale Communications, CyberGuard, SonicWALL, Secure Computing, WatchGuard and BorderWare.]
Source: Gartner Research

However, those first-generation efforts provide minimal integration between functions, and they generally don't add vulnerability assessment capabilities. Newer market entrants such as TippingPoint provide tighter integration of the required functions, but in a closed architecture that will require enterprise testing to determine the effectiveness of the individual firewall, intrusion detection and antivirus functions, as well as of the integrated capabilities. Gartner believes that products that fully integrate network security functions and operate at wire speeds will not affect the firewall and intrusion detection markets until 2H04. After 2H04, intrusion detection vendors that do not offer network security platforms will begin to exit the market through acquisition by network security platform players or loss of market share. The initial product focus between 2004 and 2006 will be at the enterprise level, with price points in the $25,000 to $75,000 range. If the telecom market recovers from the economic downturn before 2006, mainstream telecom and Internet service providers will begin to offer managed security services that will drive the development of higher-speed, lower-priced offerings and use-based pricing models. Gartner believes that aggressive telecom providers will offer some in-the-cloud services by late 2004. The low-end, small-and-midsize-enterprise-class network security platform will not be a market factor until 2007, when platforms with limited functionality and processing speeds will be available at price points of less than $10,000.

Managing Multiple Security Devices

Most enterprises have deployed numerous firewalls, and many have also deployed one or more intrusion detection products. Network security platforms will be viable enterprise solutions by 2006, and they will transform today's disparate network security market. Until that occurs, enterprises that have deployed firewalls and intrusion detection systems can use security device management products to gain a preliminary level of integration between network security products. Those products support alarm and alert normalization, aggregation, data reduction and a degree of correlation, which greatly reduce the false alarm rate and the operational burden of monitoring security devices. Although the loose integration provided by these products doesn't support the speed of response necessary to implement intrusion prevention, security management products enable enterprises to extend their investments in security products and provide a management structure for incorporating advanced security products. Security management price points will have to drop below the six figures of current offerings to reach the broad market. Outsourcing the monitoring and management of perimeter network security devices is another option for enterprises that want to avoid investing in early-stage technology or that have limited security staff.

Bottom Line

Tighter integration and common management across network security controls are central to improving Internet security. Network security platforms maintain best-of-breed security approaches while supporting improved attack blocking and lowering total cost of ownership.
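Returning to the security device management functions described under Managing Multiple Security Devices, the following added example (written for this page, not taken from any management product) shows what normalization, aggregation, data reduction and correlation look like when run over firewall and intrusion detection logs. The two line formats, the device names, addresses, signature IDs and the `normalize`, `aggregate`, `correlate`, `process` and `summarize` functions are all constructed for the example; the one correlation rule it implements, marking an IDS alert as "blocked" when the firewall dropped the same source-to-destination connection within the same window, is one illustrative rule, not a description of any product's correlation engine.

```python
"""Added example (not any vendor's code): alert normalization, aggregation,
data reduction and one correlation rule across a firewall log and an IDS
alert log. Line formats, device names, addresses and signature IDs are
constructed for this example."""
from datetime import datetime, timedelta
import re

# Constructed line formats: a firewall connection log and an IDS alert log.
FW_RE = re.compile(
    r'^(?P<ts>\S+) (?P<dev>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) '
    r'dst=(?P<dst>\S+) proto=\S+ dport=(?P<dport>\d+)$')
IDS_RE = re.compile(
    r'^(?P<ts>\S+) (?P<dev>\S+) \[(?P<sid>\d+)\] "(?P<msg>[^"]+)" '
    r'src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$')

# Constructed sample: one source probing one host, seen by both devices.
SAMPLE_LOGS = [
    '2002-11-20T10:00:01 fw1 ACCEPT src=192.0.2.10 dst=203.0.113.5 proto=tcp dport=80',
    '2002-11-20T10:00:02 fw1 DROP src=192.0.2.10 dst=203.0.113.5 proto=tcp dport=135',
    '2002-11-20T10:00:03 fw1 DROP src=192.0.2.10 dst=203.0.113.5 proto=tcp dport=135',
    '2002-11-20T10:00:04 fw1 DROP src=192.0.2.10 dst=203.0.113.5 proto=tcp dport=135',
    '2002-11-20T10:00:05 ids1 [1002] "WEB-IIS ida overflow attempt" src=192.0.2.10 dst=203.0.113.5 dport=80',
    '2002-11-20T10:00:06 ids1 [1002] "WEB-IIS ida overflow attempt" src=192.0.2.10 dst=203.0.113.5 dport=80',
    '2002-11-20T10:00:07 ids1 [2003] "NETBIOS DCERPC probe" src=192.0.2.10 dst=203.0.113.5 dport=135',
    '2002-11-20T10:30:00 fw1 DROP src=192.0.2.10 dst=203.0.113.5 proto=tcp dport=135',
    'garbage line the parser does not understand',
]


def normalize(line):
    """Normalization: map either device's line onto one schema.
    Returns None for lines that are not alarms (accepted traffic, unparseable text)."""
    m = FW_RE.match(line)
    if m:
        if m["action"] != "DROP":
            return None                       # data reduction: accepts are not alarms
        return {"ts": datetime.fromisoformat(m["ts"]), "device": m["dev"], "kind": "fw_drop",
                "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]), "name": "firewall drop"}
    m = IDS_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "device": m["dev"], "kind": "ids",
                "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
                "name": f"sid {m['sid']}: {m['msg']}"}
    return None


def aggregate(events, window=timedelta(minutes=5)):
    """Aggregation: repeats of the same (kind, src, dst, dport, name) within
    `window` of the previous repeat collapse into one record carrying a count."""
    records = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["kind"], ev["src"], ev["dst"], ev["dport"], ev["name"])
        for rec in records:
            if rec["key"] == key and ev["ts"] - rec["last"] <= window:
                rec["count"] += 1
                rec["last"] = ev["ts"]
                break
        else:
            records.append({"key": key, "device": ev["device"], "first": ev["ts"],
                            "last": ev["ts"], "count": 1,
                            "status": "dropped" if ev["kind"] == "fw_drop" else "open"})
    return records


def correlate(records, window=timedelta(minutes=5)):
    """Correlation: an IDS alert whose src->dst:dport the firewall dropped within
    `window` is marked 'blocked' (the attack did not reach the host). Alerts with
    no matching drop stay 'open' and are the ones an operator should look at."""
    drops = [r for r in records if r["key"][0] == "fw_drop"]
    for rec in records:
        kind, src, dst, dport, _ = rec["key"]
        if kind != "ids":
            continue
        if any(d["key"][1:4] == (src, dst, dport) and abs(d["first"] - rec["first"]) <= window
               for d in drops):
            rec["status"] = "blocked"
    return records


def process(lines):
    events = [e for e in map(normalize, lines) if e is not None]
    return correlate(aggregate(events))


def summarize(records):
    """One line per aggregated record, as a console or ticket would show it."""
    return [f"{r['count']}x {r['key'][4]} {r['key'][1]} -> {r['key'][2]}:{r['key'][3]} [{r['status']}]"
            for r in records]


if __name__ == "__main__":
    for line in summarize(process(SAMPLE_LOGS)):
        print(line)
```

Nine raw lines reduce to four records, and only one of them (the IDS hit on port 80, which the firewall permitted) is left "open". That is the reduction in false alarms and operator load the text describes; note also what the example cannot do: it runs after the fact over logs, so it cannot block anything, which is exactly the "loose integration" limitation that keeps these products short of intrusion prevention.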
Written by Edward Younker, Research Products
Analytical sources: John Pescatore, Matt Easley and Richard Stiennon, Gartner Research

For related Inside Gartner articles, see:
"CIO Update: Answer Six Key Questions, Improve Internet Security," 6 November 2002
"CIO Update: The Gartner Firewall Magic Quadrant for 2H02," 25 September 2002
"Management Update: Network Security Predictions for 2002," 13 February 2002