
Executive Summary

The firewall market is a mature and competitive segment of the information security market. With numerous vendors and firewalls in all price ranges to choose from, IT decision makers should be especially selective. This report presents a market overview and some criteria for selecting products from the long list of contenders.

Market Overview and Technology Background

The firewall market evolved from the need to secure perimeter networks and protect the data and information contained within these networks. The first products appeared in the market in the early 1990s and, originally, firewalls were designed to decide what network traffic should be let through or blocked by using network packet filters. Firewalls also partition proprietary or private information from public information on a computer network.

Check Point pioneered stateful packet inspection (SPI) at a time when other vendors were developing application proxies. Today, many firewalls offer both SPI and application proxies, and are known as hybrid firewalls. The newest type of Internet protocol (IP) traffic analysis that is performed by firewalls is called deep packet inspection (DPI). While SPI firewalls examine the packet headers at layers three and four of the open system interconnect (OSI) model (the network and transport layers), DPI occurs at OSI layer seven (the application layer). (See table 1 for layer descriptions.)

With an SPI firewall, only the source and destination IP addresses and the TCP/UDP source and destination ports are examined. DPI, on the other hand, examines the payload of the packets at the application level, and by doing so, it can mitigate the risks associated with Trojans, viruses, worms, web page attacks, and NetBIOS exploits. At first, it may sound as though DPI and intrusion detection have the same capabilities; however, this is not the case. DPI can detect and block aberrant packets before they ever hit the destination. Intrusion detection systems might also detect aberrant behavior, but only after the packet has already reached the destination and done some damage.
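The difference between the two inspection depths can be shown with a small model. The following is an added example, not code from this report or from any vendor's product: a header-only stateful filter and a payload check run over the same constructed packets. The internal range, the port-80 policy, the function names, and the use of an HTTP-method check as a stand-in for DPI are all assumptions made for illustration.

```python
import ipaddress
import socket
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
ALLOWED_PORTS = {80}                             # assumed outbound policy
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def build_packet(src, dst, sport, dport, flags, payload=b""):
    """Constructed sample: minimal IPv4 + TCP packet, checksums left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload

def parse_packet(raw):
    """Split a raw IPv4/TCP packet into layer 3/4 header fields and payload."""
    ihl = (raw[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20])
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    data_offset = (raw[ihl + 12] >> 4) * 4
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": raw[ihl + 13], "payload": raw[ihl + data_offset:]}

class StatefulFilter:
    """SPI: decides from addresses, ports, flags and a connection table only."""
    def __init__(self):
        self.connections = set()

    def accept(self, pkt):
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if key in self.connections or reverse in self.connections:
            return True                       # part of a tracked connection
        new_outbound = (pkt["flags"] == SYN
                        and ipaddress.ip_address(pkt["src"]) in INTERNAL
                        and pkt["dport"] in ALLOWED_PORTS)
        if new_outbound:
            self.connections.add(key)         # remember it for the replies
        return new_outbound

def dpi_accept(pkt):
    """DPI: additionally checks that port-80 payload really looks like HTTP."""
    if pkt["dport"] != 80 or not pkt["payload"]:
        return True                           # nothing to inspect
    return pkt["payload"].startswith(HTTP_METHODS)

def inspect(fw, raw):
    """Return (SPI verdict, SPI+DPI verdict) for one raw packet."""
    pkt = parse_packet(raw)
    spi = fw.accept(pkt)
    return spi, spi and dpi_accept(pkt)

def demo():
    fw = StatefulFilter()
    c, s = "10.0.0.5", "203.0.113.10"         # constructed addresses
    packets = [
        build_packet(c, s, 40000, 80, SYN),                   # outbound open
        build_packet(s, c, 80, 40000, SYN | ACK),             # tracked reply
        build_packet("198.51.100.7", c, 80, 40001, ACK),      # unsolicited inbound
        build_packet(c, s, 40000, 80, PSH | ACK,
                     b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        build_packet(c, s, 40000, 80, PSH | ACK, b"\x00\x01not-http-data"),
    ]
    return [inspect(fw, p) for p in packets]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The last packet is the instructive one: it belongs to an allowed connection, so the header-only filter passes it, and only the payload check notices that the data on port 80 is not HTTP.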

Proxy firewalls make decisions about network traffic at the application level, in essence creating a virtual connection between the internal client IP address and the outside world, concealing your internal network topology. Proxy firewalls sit between the client and the actual service, acting as an intermediary and communicating with the service on behalf of the client. This prevents the two from communicating with each other directly.

Years ago, proxy firewalls were touted as being much slower than SPI firewalls; however, today, it is unlikely that organizations will notice much of a performance hit when using a proxy firewall if they install it on a high-end server. One thing to consider about proxy firewalls is that although these firewalls provide excellent security, if a new application comes along, a new proxy has to be written for it.

Table 1. OSI Layers

OSI Layer    Description
7            Application Layer
6            Presentation Layer
5            Session Layer
4            Transport Layer
3            Network Layer
2            Datalink Layer
1            Physical Layer


1- Open System Interconnect (OSI) is a standard of the International Standards Organization (ISO)

Industry Players

Today, the leaders in the information security firewall market include Cisco, Check Point, Juniper Networks, and Symantec. Our research indicates that Check Point continues to be the number one leader in the firewall market, with Cisco coming in a close second, and Juniper Networks and Symantec tied for third. The firewall market is a large and growing market with worldwide annual revenues of at least $2 billion (USD). While the firewall market is growing, the growth is slowing down and will likely hover around 6% in the coming year. However, given the size of the existing firewall market, even a growth rate of 5% is still an impressive $100 million (USD).

Currently, Relevant Technologies estimates that Check Point holds a 22% market share, Cisco holds 20%, and Juniper and Symantec each hold about 10%. The remaining 38% of the market is held by a variety of second-tier vendors. Notably, Nokia's firewalls are bundled with Check Point's firewall as a turn-key appliance, and if Nokia's percentage of the market is merged with Check Point's, Check Point holds an even greater lead. While Nokia appliance firewalls are technologically distinctive, their brand is less well-known and they likely hold not more than a 45% market share.

Table 2. Firewall Market Leaders, Size, and Growth

Market Name               Firewall Market
Market Size               $2.2 billion (USD) worldwide
Market Leaders            Cisco, Check Point, Juniper, Symantec
Forecasted Growth Rate    6%

Company Background

Cisco

Cisco (NASDAQ: CSCO) was founded in 1984, and though its roots are in networking, it has offered security and firewall products for many years. The company went public in February of 1990, and today it has approximately 35,000 employees, with John Chambers as its current CEO. In 2004, Cisco had revenues of $22 billion (USD) and showed a $4.4 billion (USD) profit. With offices that span the globe, Cisco is an international company with a loyal customer base. Routers and switches are Cisco's primary products, and this is clear in its marketing message. Even so, Cisco's security products are well developed and well respected in the industry. Cisco's profit per employee is $125,000 (USD).


Figure 1. Cisco's Stock Performance Over the Last Year

Check Point

Check Point (NASDAQ: CHKP) has been around for eleven years, and began as a firewall pure-play selling nothing but firewalls in 1993. Check Point has been a public company since 1996 and in 2003 had revenues of $432 million (USD). Currently, Gil Shwed is Check Point's CEO. As of this writing, Check Point had not yet reported its 2004 revenues to the US Securities and Exchange Commission (SEC). With approximately 1,200 employees, Check Point returned a profit of $243 million (USD). A lean and well-run organization, Check Point shows $202,500 (USD) profit per employee.


Figure 2. Check Point's Stock Performance Over the Last Year

Juniper Networks

Similar to Cisco's history, Juniper Networks (NASDAQ: JNPR), led by CEO Scott Kriens, started out as a networking company, and acquired the NetScreen firewall through the acquisition of NetScreen Technologies in February of 2004. NetScreen Technologies was a developer of high-performance firewalls and Juniper paid $4 billion (USD) in stock for the acquisition. By acquiring NetScreen, Juniper was able to add firewall products to its existing product line in order to address the security requirements of its current customers. In 2003, Juniper had revenues of $701 million (USD) and showed a net profit of $39 million (USD). As of this writing, Juniper had not yet filed its 2004 revenue numbers with the SEC. With approximately 1,500 employees, Juniper is still experiencing rapid growth and will likely gain more market share in the years ahead. Today Juniper has offices in the Pacific Rim, Europe, and the Americas. Juniper yields a $26,000 (USD) profit per employee per year.


Figure 3. Juniper Networks Stock Performance Over the Last Year

Symantec

Symantec (NASDAQ: SYMC) has grown to be a security monolith showing a profit of $370 million (USD) on revenues of $1.8 billion (USD) in 2004, which is about $74,000 (USD) profit per employee per year. Five years ago Symantec had annual revenues of $704 million (USD) and at that time, it appeared that its primary competitor in the security market was Network Associates (now McAfee). However, Symantec has eclipsed McAfee in sales, and now has over 5,000 employees that span the globe. Founded in 1982, Symantec is one of the biggest and most respected names in the world of Internet security products today and offers multiple Internet security product lines. John Thompson is Symantec's CEO.


Figure 4. Symantec's Stock Performance Over the Last Year

Product Overview

Cisco and Juniper primarily focus on selling appliance firewalls while Check Point only sells software firewalls. Symantec sells both software and appliance firewalls though for this article, we only profiled its software firewall. Though Check Point does not sell appliance firewalls, you can buy an appliance firewall from Nokia that uses Check Point's firewall engine.

Check Point, Cisco, and Juniper all offer SPI and DPI. Symantec does not offer DPI though it does offer nice proxy features and capabilities.

How the Products Stack Up

Methodology

Relevant Technologies surveyed the four firewall vendors profiled in this article, and the features and capabilities their firewalls offer are listed in figure 5. While we listed the features and capabilities of both software and appliance firewalls, a valid argument could be made that software firewalls should only be compared to software firewalls and appliance firewalls should only be compared to other appliance firewalls. However, we chose to compare different types of firewalls against each other because when IT decision makers shop for firewalls, they typically look at all types of firewalls and usually end up selecting one brand. Additionally, one area to keep in mind when comparing a software firewall against an appliance firewall is price. With a software firewall, you still need to purchase the hardware, and the cost could be significant depending on your requirements. We also opted to select only four vendors, based on who we consider to be the market leaders, and compared them side by side.

Though the number of criteria we put together to evaluate these products was extensive, there are additional criteria which we did not take into consideration. Using thousands of criteria would have made the evaluation take so long that the information in it could have become outdated by the time this article was published. Today's firewalls are so fully featured that evaluating every possible criterion is not reasonable. IT decision makers should, therefore, select the criteria that are most important to their organization. The criteria that we have taken into consideration create ideal confines so that a decision can be made in a timely fashion and IT decision makers can implement security as quickly as possible. In a future evaluation of firewalls, we may change the criteria for the evaluation, dropping certain capabilities, and adding in new ones.

Instead of trying to find the best firewall on the market, IT decision makers should strive to find the firewall that is right for their organization. It is possible that each of the four firewalls we have evaluated is the right firewall for a particular, unique environment. IT decision makers should work within their restricted budgets, and identify firewall features and capabilities that are most important to their organizations. For example, if your organization does not use up anywhere near all of its available bandwidth, you may not need a firewall with the fastest throughput. If your company uses voice over IP (VoIP), you will want to give more consideration to firewalls that can inspect small packets. If your organization has firewall administrators around the globe, you may want to consider standardizing your firewall with a user interface that has been translated into the languages of your global points of presence. If your current firewalls are too slow, you may want to consider firewalls based on application-specific integrated circuits (ASIC), which provide high throughput. However, if having the flexibility to support changing network protocols and exploits is a key criterion, and you don't care about throughput, a software firewall is likely a better choice.

All of the criteria we selected and evaluated can be viewed on-line by logging into TEC's security evaluation knowledge base. Some of the criteria used include

  • Whether or not the firewall needs to be rebooted after changing a policy

  • SNMP and monitoring capabilities

  • Interoperability with netForensics, ArcSight, QRadar, eTrust, Tivoli, Netcool

  • Maximum throughput in Mbps

  • Attack resiliency

  • Types of authentication supported

  • The different types of NAT that are supported

  • Multimedia and collaboration protocols supported

All of the results can be viewed on-line using the firewall section of the security evaluation knowledge base.

The TEC decision engine ranks criteria (priorities) to calculate its scores. While we have selected default priorities as a starting point, they may differ from the priorities that are optimal for your organization. If you change the priorities with the decision engine, you will receive different scores, and this is one of the reasons why you should strive to ascertain the right firewall, and not the best firewall. One firewall may score highest with one set of priorities, and then score entirely differently with other priorities. With the default priorities selected by Relevant Technologies, you can log in to the security evaluation tool and find out more about the different features and capabilities of the four market leaders.

A screen shot of the Criteria Performance Sorted by Rank quadrant is shown in figure 5. Something worth understanding is that some vendors offer other firewalls, which we have not evaluated. It is likely that if evaluations were done for other firewalls from these same vendors, different scores would be generated. For example, Cisco offers an embedded firewall that plugs into one of its high-end switches that will give you different throughput than the Cisco PIX 535.


Figure 5. Firewall Scores Using TESS Decision Analysis Tool

Many more menus, charts, and graphics about these firewalls can be viewed using TEC's on-line firewall knowledge base.

This is Part One of a two-part note.

Part Two will detail current market trends and user recommendations.

About the Author

Laura Taylor is the president and CEO of Relevant Technologies (http://www.relevanttechnologies.com), a leading provider of original information security content, research advisory services, and best practice IT management consulting services. Contact her by e-mail at ltaylor@relevanttechnologies.com.

WARNING AND DISCLAIMER OF LIABILITY

The information included on this web site, whether provided by personnel employed by Technology Evaluation (TEC), Relevant Technologies, or by third parties, is provided for research and teaching purposes only. Neither TEC, Relevant Technologies, nor any of their employees, consultants, contractors, or affiliates warrant the accuracy or completeness of the information or analyses displayed herein, and we caution all readers that inclusion of any information on this site does not constitute an endorsement of the truthfulness or accuracy of that information. In particular, this web site contains references to complaints and other documents filed in federal and state courts, which make allegations that may or may not be accurate. No reader should, on the basis of information contained herein or referenced by this web site, assume that any of these allegations are truthful.


 


©2013 Technology Evaluation Centers Inc. All rights reserved.