The firewall market is a mature and competitive segment of the information security market. With numerous vendors and firewalls in all price ranges to choose from, IT decision makers should be especially selective. This report presents a market overview and some criteria for selecting products from the long list of contenders.
Market Overview and Technology Background
The firewall market evolved from the need to secure perimeter networks and protect the data and information contained within these networks. The first products appeared in the market in the early 1990s and, originally, firewalls were designed to decide what network traffic should be let through or blocked by using network packet filters. Firewalls also partition proprietary or private information from public information on a computer network.
Check Point pioneered stateful packet inspection (SPI) at a time when other vendors were developing application proxies. Today, many firewalls offer both SPI and application proxies and are known as hybrid firewalls. The newest type of Internet protocol (IP) traffic analysis performed by firewalls is called deep packet inspection (DPI). While SPI firewalls examine the packet headers at layers three and four of the open system interconnect (OSI) model (the network and transport layers), DPI occurs at OSI layer seven (the application layer). (See table 1 for layer descriptions.)
With an SPI firewall, only the source and destination IP addresses and the TCP/UDP source and destination ports are examined. DPI, on the other hand, examines the payload of the packets at the application level, and by doing so it can mitigate the risks associated with Trojans, viruses, worms, web page attacks, and NetBIOS exploits. At first, it may sound as though DPI and intrusion detection have the same capabilities; however, this is not the case. DPI can detect and block aberrant packets before they ever reach the destination. Intrusion detection systems might also detect aberrant behavior, but only after the packet has already reached the destination and done some damage.
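The header-only versus payload distinction above, as an added example that is not part of the original report: a toy stateful filter that consults only the layer 3/4 fields, next to a toy payload inspector layered on top of it, run over constructed IPv4/TCP packets. The protected network (10.0.0.0/24) and the signature string are assumptions chosen for the example.

```python
import struct
from ipaddress import IPv4Address

TCP_SYN, TCP_ACK = 0x02, 0x10
INTERNAL_NET = "10.0.0."  # assumption: the protected network is 10.0.0.0/24
# Constructed placeholder signature; a real DPI engine ships vendor-maintained rules.
DPI_SIGNATURES = [b"PLACEHOLDER-BAD-PATTERN"]

def build_packet(src, dst, sport, dport, flags, payload=b""):
    """Build a minimal IPv4 (20 bytes) + TCP (20 bytes) packet without options."""
    total = 40 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp + payload

def parse(pkt):
    """Return the layer 3/4 fields an SPI firewall looks at, plus the payload."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = IPv4Address(pkt[12:16]), IPv4Address(pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    doff = (pkt[ihl + 12] >> 4) * 4
    flags = pkt[ihl + 13]
    return str(src), str(dst), sport, dport, flags, pkt[ihl + doff:]

def spi_decision(pkt, table):
    """Stateful inspection: only headers and the flow table are consulted."""
    src, dst, sport, dport, flags, _ = parse(pkt)
    if src.startswith(INTERNAL_NET) and flags & TCP_SYN:
        table.add((src, sport, dst, dport))   # outbound SYN opens a flow
        return "allow"
    if (dst, dport, src, sport) in table:     # reply belonging to a known flow
        return "allow"
    return "drop"                             # unsolicited inbound traffic

def dpi_decision(pkt, table):
    """Deep packet inspection: the SPI check first, then a look at the payload."""
    if spi_decision(pkt, table) == "drop":
        return "drop"
    payload = parse(pkt)[5]
    return "drop" if any(sig in payload for sig in DPI_SIGNATURES) else "allow"
```

A reply that belongs to an established flow passes the stateful check regardless of its contents; only the payload inspector notices the signature inside it.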
Proxy firewalls make decisions about network traffic at the application level, in essence creating a virtual connection between the internal client IP address and the outside world and concealing your internal network topology. A proxy firewall sits between the client and the actual service, acting as an intermediary and communicating with the service on behalf of the client. This prevents the two from communicating with each other directly.
Years ago, proxy firewalls were touted as being much slower than SPI firewalls; however, today, it is unlikely that organizations will notice much of a performance hit when using a proxy firewall if they install it on a high-end server. One thing to consider about proxy firewalls is that although these firewalls provide excellent security, if a new application comes along, a new proxy has to be written for it.
Table 1. OSI Layers (1)

| Layer | Name |
|---|---|
| 7 | Application Layer |
| 6 | Presentation Layer |
| 5 | Session Layer |
| 4 | Transport Layer |
| 3 | Network Layer |
| 2 | Datalink Layer |
| 1 | Physical Layer |

1- Open System Interconnect (OSI) is a standard of the International Standards Organization (ISO)
Today, the leaders in the information security firewall market include Cisco, Check Point, Juniper Networks, and Symantec. Our research indicates that Check Point continues to be the number one leader in the firewall market, with Cisco coming in a close second and Juniper Networks and Symantec tied for third. The firewall market is a large and growing market with worldwide annual revenues of at least $2 billion (USD). While the firewall market is growing, the growth is slowing down and will likely hover around 6% in the coming year. However, given the size of the existing firewall market, even a growth rate of 5% is still an impressive $100 million (USD).
Currently, Relevant Technologies estimates that Check Point holds a 22% market share, Cisco holds 20%, and Juniper and Symantec both hold about 10% each. The remaining 38% of the market is held by a variety of second tier vendors. Notably, Nokia's appliances are bundled with Check Point's firewall as a turn-key product, and if Nokia's percentage of the market is merged with Check Point's, Check Point holds an even greater lead. While Nokia appliance firewalls are technologically distinctive, their brand is less well-known and they likely hold not more than a 45% market share.
Table 2. Firewall Market Leaders, Size, and Growth

| | |
|---|---|
| Market Size | $2.2 billion (USD) worldwide |
| Market Leaders | Cisco, Check Point, Juniper, Symantec |
| Forecasted Growth Rate | around 6% in the coming year |
Cisco (NASDAQ: CSCO) was founded in 1984, and though its roots are in networking, it has offered security and firewall products for many years. The company went public in February of 1990, and today it has approximately 35,000 employees, with John Chambers as its current CEO. In 2004, Cisco had revenues of $22 billion (USD) and showed a $4.4 billion (USD) profit. With offices that span the globe, Cisco is an international company with a loyal customer base. Routers and switches are Cisco's primary products, and this is clear in its marketing message. Even so, Cisco's security products are well developed and well respected in the industry. Cisco's profit per employee is $125,000 (USD).
Figure 1. Cisco's Stock Performance Over the Last Year
Check Point (NASDAQ: CHKP) has been around for eleven years, and began as a firewall pure-play selling nothing but firewalls in 1993. Check Point has been a public company since 1996 and in 2003 had revenues of $432 million (USD). Currently, Gil Shwed is Check Point's CEO. As of this writing, Check Point had not yet reported its 2004 revenues to the US Securities and Exchange Commission (SEC). With approximately 1,200 employees, Check Point returned a profit of $243 million (USD). A lean and well run organization, Check Point shows $202,500 (USD) profit per employee.
Figure 2. Check Point's Stock Performance Over the Last Year
Similar to Cisco's history, Juniper Networks (NASDAQ: JNPR), led by CEO Scott Kriens, started out as a networking company, and acquired the NetScreen firewall through the acquisition of NetScreen Technologies in February of 2004. NetScreen Technologies was a developer of high-performance firewalls, and Juniper paid $4 billion (USD) in stock for the acquisition. By acquiring NetScreen, Juniper was able to add firewall products to its existing product line in order to address the security requirements of its current customers. In 2003, Juniper had revenues of $701 million (USD) and showed a net profit of $39 million (USD). As of this writing, Juniper had not yet filed its 2004 revenue numbers with the SEC. With approximately 1,500 employees, Juniper is still experiencing rapid growth and will likely gain more market share in the years ahead. Today Juniper has offices in the Pacific Rim, Europe, and the Americas. Juniper yields a $26,000 (USD) profit per employee per year.
Figure 3. Juniper Networks Stock Performance Over the Last Year
Symantec (NASDAQ: SYMC) has grown to be a security monolith, showing a profit of $370 million (USD) on revenues of $1.8 billion (USD) in 2004, which is about $74,000 (USD) profit per employee per year. Five years ago Symantec had annual revenues of $704 million (USD), and at that time it appeared that its primary competitor in the security market was Network Associates (now McAfee). However, Symantec has eclipsed McAfee in sales, and now has over 5,000 employees that span the globe. Founded in 1982, Symantec is one of the biggest and most respected names in the world of Internet security products today and offers multiple Internet security product lines. John Thompson is Symantec's CEO.
Figure 4. Symantec's Stock Performance Over the Last Year
Cisco and Juniper primarily focus on selling appliance firewalls, while Check Point only sells software firewalls. Symantec sells both software and appliance firewalls, though for this article we only profiled its software firewall. Though Check Point does not sell appliance firewalls, you can buy an appliance firewall from Nokia that uses Check Point's firewall engine.
Check Point, Cisco, and Juniper all offer SPI and DPI. Symantec does not offer DPI though it does offer nice proxy features and capabilities.
How the Products Stack Up
Relevant Technologies surveyed the four firewall vendors profiled in this article, and the features and capabilities their firewalls offer are listed in figure 5. While we listed the features and capabilities of both software and appliance firewalls, a valid argument could be made that software firewalls should only be compared to software firewalls and appliance firewalls should only be compared to other appliance firewalls. However, the reason we chose to compare different types of firewalls against each other is that when IT decision makers shop for firewalls, they typically look at all types of firewalls and usually end up selecting one brand. Additionally, one area to keep in mind when comparing a software firewall against an appliance firewall is price. With a software firewall, you still need to purchase the hardware, and the cost could be significant depending on your requirements. We also opted to select only four vendors, based on who we consider to be the market leaders, and compared them side by side.
Though the number of criteria we put together to evaluate these products was extensive, there are additional criteria which we did not take into consideration. Using thousands of criteria would have made the evaluation take so long that the information in it could have become outdated by the time this article was published. Today's firewalls are so fully featured that evaluating every possible criterion is not reasonable. IT decision makers should, therefore, select the criteria that are most important to their organization. The criteria that we have taken into consideration set practical bounds so that a decision can be made in a timely fashion and IT decision makers can implement security as quickly as possible. In a future evaluation of firewalls, we may change the criteria for the evaluation, dropping certain capabilities and adding in new ones.
Instead of trying to find the best firewall on the market, IT decision makers should strive to find the firewall that is right for their organization. It is possible that each of the four firewalls we have evaluated is the right firewall for a particular, unique environment. IT decision makers should work within their restricted budgets, and identify the firewall features and capabilities that are most important to their organizations. For example, if your organization does not use anywhere near all of its available bandwidth, you may not need a firewall with the fastest throughput. If your company uses voice over IP (VoIP), you will want to give more consideration to firewalls that can inspect small packets. If your organization has firewall administrators around the globe, you may want to consider standardizing on a firewall with a user interface that has been translated into the languages of your global points of presence. If your current firewalls are too slow, you may want to consider firewalls based on application specific integrated circuits (ASIC), which provide high throughput. However, if having the flexibility to support changing network protocols and exploits is a key criterion, and you don't care about throughput, a software firewall is likely a better choice.
All of the criteria we selected and evaluated can be viewed on-line by logging into TEC's security evaluation knowledge base. Some of the criteria used include
- Whether or not the firewall needs to be rebooted after changing a policy
- SNMP and monitoring capabilities
- Interoperability with netForensics, Arcsight, QRADAR, eTrust, Tivoli, NetCool
- Maximum throughput in Mbps
- Attack resiliency
- Types of authentication supported
- The different types of NAT that are supported
- Multimedia and collaboration protocols supported
All of the results can be viewed on-line using the firewall section of the security evaluation knowledge base.
The TEC decision engine ranks criteria (priorities) to calculate its scores. While we have selected default priorities as a starting point, they may differ from the priorities that are optimal for your organization. If you change the priorities with the decision engine, you will receive different scores, and this is one of the reasons why you should strive to ascertain the right firewall, and not the best firewall. One firewall may score highest with one set of priorities, and then score entirely differently with other priorities. With the default priorities selected by Relevant Technologies, you can log in to the security evaluation tool and find out more about the different features and capabilities of the four market leaders.
A screen shot of the Criteria Performance Sorted by Rank quadrant is shown in figure 5. Something worth understanding is that some vendors offer other firewalls, which we have not evaluated. It is likely that if evaluations were done for other firewalls from these same vendors, different scores would be generated. For example, Cisco offers an embedded firewall that plugs into one of its high-end switches, which will give you different throughput than the Cisco PIX 535.
Figure 5. Firewall Scores Using TESS Decision Analysis Tool
Many more menus, charts, and graphics about these firewalls can be viewed using TEC's on-line firewall knowledge base.
This is Part One of a two-part note.
Part Two will detail current market trends and user recommendations.
About the Author
Laura Taylor is the president and CEO of Relevant Technologies (http://www.relevanttechnologies.com), a leading provider of original information security content, research advisory services, and best practice IT management consulting services. Contact her by e-mail at firstname.lastname@example.org.
WARNING AND DISCLAIMER OF LIABILITY
The information included on this web site, whether provided by personnel employed by Technology Evaluation (TEC), Relevant Technologies, or by third parties, is provided for research and teaching purposes only. Neither TEC, Relevant Technologies, nor any of their employees, consultants, contractors, or affiliates warrant the accuracy or completeness of the information or analyses displayed herein, and we caution all readers that inclusion of any information on this site does not constitute an endorsement of the truthfulness or accuracy of that information. In particular, this web site contains references to complaints and other documents filed in federal and state courts, which make allegations that may or may not be accurate. No reader should, on the basis of information contained herein or referenced by this web site, assume that any of these allegations are truthful.