Firewalls are crucial for companies with information on-line. However, because the security market is mature and well-established, decision makers need to know more than whether to pick an appliance or software firewall. They need to know how to pick the right firewall based on their companies' needs. This can be a daunting experience, given the thousands of criteria each solution has. To help you navigate through the market, the Information Security Firewalls Market Report looks at four of the leaders in the information security firewall market: Cisco, Check Point, Juniper Networks, and Symantec. Earlier, we evaluated their solutions based on a set of priorities using TEC's decision engine (see Part One). To view all the criteria used and the subsequent results, visit TEC's security evaluation knowledge base at http://www.securityevaluation.com/.
In Part Two, we continue to explore the firewall market, discuss current market trends, and make user recommendations on how to select an appropriate solution.
This is Part two of a two-part note.
Part One provided the market overview, technology background, and product analysis.
Current Market Trends
While more and more companies are migrating to appliance firewalls, many appliance firewalls do not offer the flexibility of software firewalls. The advantage of appliance firewalls is that you can install and configure them more quickly, and often they offer performance gains that cannot be matched by software firewalls. However, the disadvantage of appliance firewalls is that they typically cannot respond to new security exploits as quickly as software firewalls. Software firewall vendors can respond to new exploits by releasing new code that organizations can download and install "on the fly". Additionally, updating an appliance firewall is more cumbersome and for that reason, appliance firewall vendors do not typically release updates as often.
While firewall and virtual private network (VPN) products were originally separate and distinct, the two product types have converged and now, most firewalls offer built-in VPN capabilities. Similarly, VPN products today come bundled with built-in firewalls. Check Point has in fact dropped the well-established Firewall-1 branding and now sells its firewall and VPN together in one package known as VPN-1. This could be confusing to prospective buyers who are looking for a firewall, and who may end up thinking that VPN-1 only offers VPN capabilities.
While traditionally most VPN products were based on either Internet protocol security (IPSec) or secure sockets layer (SSL), more and more vendors are starting to offer both. IPSec is a collection of standards that works at the network layer: it protects any IP traffic regardless of application, which is why site-to-site tunnels between offices are built on it. SSL runs above TCP and protects individual application sessions, so an SSL VPN typically proxies specific applications (often through a browser) rather than tunneling whole subnets. In practice this means an IPSec VPN can carry arbitrary routed traffic between networks, while an SSL VPN gives remote users access to particular applications without a client to install.
More vendors are starting to offer deep packet inspection (DPI). DPI is an exciting new technology that could cut into the intrusion detection and prevention market. Where stateful packet inspection (SPI) decides on headers and connection state alone, DPI also examines the payload against signatures of known attacks. Some IT decision makers may opt to purchase a DPI firewall in lieu of an SPI firewall and an additional intrusion detection system. Two caveats apply: DPI is only as good as its signature set and the vendor's update cadence, and payload inspection costs CPU, so throughput should be tested with DPI enabled. Intrusion detection vendors should rightly be worried about losing market share and start innovating other technologies to remain competitive.
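The following is an added example, not code from the report or from any of the vendors it profiles. It contrasts the two decisions described above on a handful of constructed packets: a stateful filter that admits replies to tracked sessions and new sessions to allowed ports, and a DPI pass that additionally matches the payload of admitted packets against a small, made-up signature list. The packet dictionaries, the allowed-port policy and the signatures are all assumptions for illustration.

```python
"""Stateful packet inspection (SPI) versus deep packet inspection (DPI).

Added example for illustration only; the packet format, policy and
signatures below are constructed and not taken from any real product.
"""
import re

# Policy for the stateful filter: new inbound sessions only to these ports.
ALLOWED_INBOUND_PORTS = {80, 443}

# Constructed DPI signatures applied to the payload of admitted packets.
# Real products ship far larger, vendor-maintained signature sets.
SIGNATURES = [
    ("directory-traversal", re.compile(rb"\.\./")),
    ("sql-injection", re.compile(rb"(?i)union\s+select")),
    ("cmd-exe-in-uri", re.compile(rb"(?i)cmd\.exe")),
]


class StatefulFirewall:
    """Tracks TCP sessions by 4-tuple. A reply to a tracked session is
    admitted without re-checking the policy; that is what makes it stateful."""

    def __init__(self):
        self.sessions = set()  # {(src_ip, src_port, dst_ip, dst_port)}

    def spi_decision(self, pkt):
        """Header-only decision: 'allow' or 'deny'."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if reverse in self.sessions:
            return "allow"            # reply traffic for an established session
        if pkt["flags"] == "SYN" and pkt["dport"] in ALLOWED_INBOUND_PORTS:
            self.sessions.add(key)    # new session to an allowed service
            return "allow"
        if key in self.sessions:
            return "allow"            # further packets of a tracked session
        return "deny"

    def dpi_decision(self, pkt):
        """SPI first, then payload inspection. Returns (verdict, signature)."""
        verdict = self.spi_decision(pkt)
        if verdict != "allow":
            return verdict, None
        for name, pattern in SIGNATURES:
            if pattern.search(pkt.get("payload", b"")):
                return "deny", name   # header was fine, payload was not
        return "allow", None


def inspect(packets, mode):
    """Run a fresh firewall over a packet list in 'spi' or 'dpi' mode and
    return one (verdict, signature) tuple per packet."""
    fw = StatefulFirewall()
    results = []
    for pkt in packets:
        if mode == "spi":
            results.append((fw.spi_decision(pkt), None))
        else:
            results.append(fw.dpi_decision(pkt))
    return results


# Constructed traffic: one web session carrying a benign and then a hostile
# request, the server's reply, and a stray telnet attempt.
SAMPLE_PACKETS = [
    {"src": "203.0.113.5", "sport": 40000, "dst": "192.0.2.10", "dport": 80,
     "flags": "SYN", "payload": b""},
    {"src": "203.0.113.5", "sport": 40000, "dst": "192.0.2.10", "dport": 80,
     "flags": "PSH", "payload": b"GET /index.html HTTP/1.0\r\n\r\n"},
    {"src": "192.0.2.10", "sport": 80, "dst": "203.0.113.5", "dport": 40000,
     "flags": "ACK", "payload": b"HTTP/1.0 200 OK\r\n"},
    {"src": "203.0.113.5", "sport": 40000, "dst": "192.0.2.10", "dport": 80,
     "flags": "PSH", "payload": b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"},
    {"src": "203.0.113.5", "sport": 40001, "dst": "192.0.2.10", "dport": 23,
     "flags": "SYN", "payload": b""},
]

if __name__ == "__main__":
    for mode in ("spi", "dpi"):
        print(mode, inspect(SAMPLE_PACKETS, mode))
```

The fourth packet is the point of the exercise: it belongs to a session the stateful filter already accepted, so SPI lets it through on headers alone, while DPI denies it on the payload signature. The telnet SYN is denied by both, since no payload inspection is needed to reject a port the policy does not expose.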
Recommendations to Enterprise Firewall Customers
There is significant value to be gained from one-stop shopping. You can leverage better pricing and decrease administrative complexity. For these reasons, organizations that already have a significant investment in any of these vendors' products, and are, for the most part, satisfied with the products and service, should consider sticking with their trusted vendor. Switching vendors and products is extremely expensive, and there should be lengthy requirements and justification before an IT decision maker recommends migrating a significant number of firewalls from one vendor to another.
In many large enterprises, firewalls made by different vendors coexist in the same architecture plan using a screened-subnet model: one vendor's firewall faces the Internet and another vendor's firewall sits between the DMZ and the internal network. The reasoning is that an exploit which gets through the first firewall because of a vendor-specific flaw is less likely to get through the second, since the two products share no code. The trade-off is operational: two products mean two rule syntaxes, two update streams, and staff who must be competent in both, and a misconfiguration on either firewall undoes the benefit.
Figure 6. Screened Subnet Architecture
Check Point, Cisco, Juniper, and Symantec are all reputable vendors with good products. However, for networks that are laden with performance bottlenecks, Juniper or Cisco firewalls may be a better choice. Symantec makes an all around solid firewall based on the firewall code from its acquisition of AXENT.
Probably the biggest mistake IT decision makers make when purchasing firewalls is buying firewalls with features they have no need for. Relevant Technologies recommends keeping your firewall requirements basic, and buying only those features you plan on using. For this reason, we recommend doing a full-scale product evaluation that takes into consideration your priorities among the particular features offered on the market. While one type of firewall may be best for one organization, it may not necessarily be best for another, because each organization has its own unique requirements. For example, if your organization does not use SSL VPNs, you do not necessarily need to purchase a firewall with SSL options.
Large enterprises that are prone to network performance problems may want to take a close look at both Juniper and Cisco firewalls which are optimized for performance. Organizations that have had past security incidents related to application exploits may want to consider a DPI firewall. If your organization does not have a senior firewall engineer with a strong understanding of how firewalls work, you are probably better off using appliance firewalls. Savvy firewall engineers who are well-versed in security may prefer software firewalls due to their robust customizability.
Ethics and liabilities have become more important than ever for corporate America. Due to the large number of US Securities and Exchange Commission (SEC) violations and increased class action lawsuits, not only should a potential shareholder research a company before investing, but a potential customer should also research companies before investing in a company's products. Vendors that have not gotten their accounting or IPO numbers right may not have their marketing metrics right either; if they advertise that a product supports a certain number of simultaneous connections, perhaps it does not. Given the current landscape of corporate America, ethics should be given more consideration going forward. IT decision makers may want to avoid vendors that have poor ethics track records. Relevant Technologies recommends that IT decision makers check SEC filings to find out if a publicly traded company has been party to any patent violations or recent litigation.
Relevant Technologies advises IT decision makers to go to the Stanford Securities Class Action Clearing House web site and enter the vendor's ticker symbol to read about any past or pending litigation against them. The Stanford Securities Class Action Clearing House can be found at this URL:
In researching the vendors profiled in this article, Relevant Technologies found Symantec to be the easiest company to work with, and the most forthcoming with information regarding questions about its products. Symantec provided more information than we asked for, and represented itself accurately with no discrepancies. It's also worth noting that of the four companies profiled, only Check Point did not have any litigation listed against it on the SEC web site. Information on SEC filings for all the companies profiled in this article can be found at http://www.sec.gov.
Market Predictions and Forecast
The firewall market is large enough to support multiple vendors; however, current market leaders will have to be extremely competitive to maintain their positions. Many large organizations purposely purchase different brands of firewalls to set up security demilitarized zones (DMZ) that take advantage of the features and functionality from multiple vendors.
Innovation, advertising, and pricing will play key roles in gaining market share. Relevant Technologies expects Cisco and Juniper to continue to brand themselves as networking companies that offer security products, while Check Point and Symantec will continue to brand themselves as security companies that offer one-stop security shopping.
Large enterprises will require firewalls that interoperate with an enterprise management console, either the vendor's own or a third-party add-on such as those made by netForensics or ArcSight. Without an enterprise management console, you cannot practically manage multiple firewalls, or correlate their logs, from one location.
As application exploits increase, more firewall vendors will start offering DPI if they expect to remain competitive. There are numerous second tier vendors offering reputable products that are competing for market share. Some of the more notable second tier vendors include Borderware, Fortinet, Nortel Networks, Secure Computing, Stonesoft, and WatchGuard. These second tier vendors offer technically sound products and some offer the same features as the market leaders—and some may offer more. Additionally, some of the second tier vendors—in particular the pure-plays—could be acquired by larger companies in an effort to consolidate the market. Second tier vendors that offer high availability solutions and DPI are more likely to be acquired than those that don't.
Relevant Technologies forecasts that Juniper Networks will be the primary company that Cisco will be competing with in the security market segment. Symantec will be able to leverage its anti-virus customers to gain new firewall customers, and Check Point will continue to lead the market in innovation. Note that these predictions are forward-looking statements, and other industry analysts and security experts may have different opinions.
Companies that perform e-commerce (monetary transactions) over the Internet ought to be using some sort of firewall or VPN—not using a firewall or VPN is fiscally irresponsible. After all, customers would not want to put money in a bank that did not lock its doors at night. Failing to secure your Internet transactions is tantamount to the same thing. Credit card theft is rampant and does not appear to be subsiding and e-commerce is fueled by credit card numbers.
If the firewalls currently in operation on your network are working well for you, and your security administrators are already well-versed in how to run them, it may also be fiscally irresponsible to go out and buy all new firewalls just for a few extra new features. However, if you are suffering performance problems, and attacks are penetrating your network, it may be time to evaluate the latest available firewall products. Before you write off your existing firewalls, though, make sure that any problems you are seeing are not due to improper configuration.
One of the biggest mistakes that customers make when implementing a firewall is not putting enough time and thought into careful firewall configuration and administration. Buying the right firewall is not enough. A firewall needs to be expertly configured, and you need to take time to read the firewall logs. Just logging information is not going to improve the security of your network. You need to examine the logs for aberrant behavior, such as one source probing many ports or hammering one service, and block the IP addresses and domains that pose threats to your network.
Ultimately, knowledge and assessment are key when evaluating and implementing a firewall solution that successfully meets your company's unique needs. If your company does not have the in-house expertise to make the purchasing decision, it might save your company money in the long run to have an outside consultant help you with a proper firewall evaluation. The primary objective should always be to buy only the features you need, at the lowest possible price. The more firewalls you plan on purchasing, the more important it is to make the right purchasing decision. You do not want to have to replace your firewalls in a year or two; the right firewall should last at least three years. By prioritizing your needs and performing a diligent evaluation, you can make sure you have the right resources to protect your data at the most cost-effective price.
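As an added example of the log review the report calls for (not code from the report or from any vendor), the script below parses a small set of constructed firewall log lines, flags sources whose denied connections look like a port scan or like persistent hammering of one service, and returns the resulting block list. The log format, the thresholds and the sample addresses are assumptions chosen for illustration; a real deployment would adapt the regular expression to its own firewall's log format.

```python
"""Review firewall deny logs for aberrant behavior and build a block list.

Added example; the log format, thresholds and sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed generic log format: "<iso-timestamp> <ALLOW|DENY> <proto> src:port -> dst:port"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

SCAN_DISTINCT_PORTS = 5     # this many distinct denied ports ...
SCAN_WINDOW_SECONDS = 60    # ... within this window counts as a port scan
REPEAT_DENY_THRESHOLD = 20  # this many denies from one source is persistent abuse

# Constructed sample: a fast scanner, an ordinary user with two stray denies,
# a line the parser must skip, and a source repeatedly hitting port 22.
SAMPLE_LOG = [
    "2004-03-02T10:15:01 DENY TCP 203.0.113.9:51234 -> 192.0.2.10:21",
    "2004-03-02T10:15:02 DENY TCP 203.0.113.9:51235 -> 192.0.2.10:22",
    "2004-03-02T10:15:02 DENY TCP 203.0.113.9:51236 -> 192.0.2.10:23",
    "2004-03-02T10:15:03 DENY TCP 203.0.113.9:51237 -> 192.0.2.10:25",
    "2004-03-02T10:15:04 DENY TCP 203.0.113.9:51238 -> 192.0.2.10:110",
    "2004-03-02T10:15:05 DENY TCP 203.0.113.9:51239 -> 192.0.2.10:143",
    "2004-03-02T10:16:00 ALLOW TCP 198.51.100.7:40001 -> 192.0.2.10:80",
    "2004-03-02T10:16:30 DENY TCP 198.51.100.7:40002 -> 192.0.2.10:8080",
    "2004-03-02T10:17:10 DENY TCP 198.51.100.7:40003 -> 192.0.2.10:8080",
    "-- MARK --",
] + [
    # generated rather than typed out, to keep the constructed sample short
    f"2004-03-02T11:00:{i:02d} DENY TCP 203.0.113.77:{50000 + i} -> 192.0.2.10:22"
    for i in range(25)
]


def parse(lines):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.fromisoformat(d["ts"]),
            "action": d["action"],
            "src": d["src"],
            "dst": d["dst"],
            "dport": int(d["dport"]),
        })
    return events


def find_threats(events):
    """Map source IP -> reason for every source whose denies look hostile."""
    denies = defaultdict(list)
    for e in events:
        if e["action"] == "DENY":
            denies[e["src"]].append(e)

    findings = {}
    for src, evs in denies.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window: from each deny, count distinct ports hit within the window.
        for i, first in enumerate(evs):
            ports = {e["dport"] for e in evs[i:]
                     if (e["ts"] - first["ts"]).total_seconds() <= SCAN_WINDOW_SECONDS}
            if len(ports) >= SCAN_DISTINCT_PORTS:
                findings[src] = f"port scan: {len(ports)} ports in {SCAN_WINDOW_SECONDS}s"
                break
        if src not in findings and len(evs) >= REPEAT_DENY_THRESHOLD:
            findings[src] = f"repeat offender: {len(evs)} denied connections"
    return findings


def block_list(lines):
    """Sources a reviewer should consider blocking, in sorted order."""
    return sorted(find_threats(parse(lines)))


if __name__ == "__main__":
    for src, reason in find_threats(parse(SAMPLE_LOG)).items():
        print(f"{src:16} {reason}")
```

Two points of design worth noting. The ordinary user with two stray denies is deliberately not flagged: a block list built from every deny would mostly punish typos and misconfigured clients. And blocking by source address is a blunt instrument, since addresses can be spoofed, shared behind NAT, or reassigned, so the output is a list for a human to review and, ideally, apply with an expiry rather than a permanent rule.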
This concludes Part Two of a two-part note.
Part One provided the market overview and technology background.
Part Two detailed current market trends and made user recommendations.
About the Author
Laura Taylor is the president and CEO of Relevant Technologies (http://www.relevanttechnologies.com), a leading provider of original information security content, research advisory services, and best practice IT management consulting services. Contact her by e-mail at firstname.lastname@example.org.
WARNING AND DISCLAIMER OF LIABILITY
The information included on this web site, whether provided by personnel employed by Technology Evaluation (TEC), Relevant Technologies, or by third parties, is provided for research and teaching purposes only. Neither TEC, Relevant Technologies, or any of their employees, consultants, contractors, or affiliates warrant the accuracy or completeness of the information or analyses displayed herein, and we caution all readers that inclusion of any information on this site does not constitute an endorsement of the truthfulness or accuracy of that information. In particular, this web site contains references to complaints and other documents filed in federal and state courts, which make allegations that may or may not be accurate. No reader should, on the basis of information contained herein or referenced by this web site, assume that any of these allegations are truthful.