
Page 1: Firewall Vendor Landscape: The Top Eight Vendorsstatic.infotech.com/downloads/samples/VL_Firewalls.pdf · For more information on these criteria, refer to the ITA Premium research

Firewall Vendor Landscape: The Top Eight Vendors

Publish Date: July 28, 2009

Firewalls are a security necessity in today’s business world. They serve to protect the enterprise network from a host of threats. Use this vendor landscape to gain an understanding of the leading firewall vendors and the key criteria on which to focus when choosing a new firewall for the enterprise.

© 1998-2009 Info-Tech Research Group

About this research note:

Product Comparison notes provide a detailed, head-to-head, analytical comparison of products in a given market in order to simplify the selection process.

www.infotech.com


Executive Summary

Info-Tech has identified three key areas to consider when evaluating firewalls:

» System architecture.

» System throughput.

» System management.

The top eight firewall vendors have been evaluated and grouped into three categories: Leaders, Competitors, and Followers. These groupings are based on specific rankings in the three evaluation categories plus how well suited the vendors and products are to mid-sized enterprises.


Industry Overview

The firewall industry is a mature one where both feature and market consolidation is rampant. It is nearly impossible to buy a firewall on its own anymore. Firewalls are now considered to be Unified Threat Management (UTM) appliances due to the inclusion of security features such as anti-malware, intrusion prevention and detection, and content filtering.

The shift from regular firewalls to UTM appliances has forced vendors to add more features to their products to remain competitive, hence the high number of acquisitions in the industry. Having multiple security features included with firewalls results in seamless communication and interaction between all of the products, potentially resulting in higher levels of security than would be present in security environments with distinct solutions.

Key Evaluation Criteria

There are three main categories of criteria that IT must consider when selecting a firewall:

1. System Architecture

2. System Throughput

3. System Management

For more information on these criteria, refer to the ITA Premium research brief, “Firewall Fundamentals to Consider When Upgrading.”

System Architecture

» Type of firewall. Firewalls can be stateful, application layer, or both:

− Stateful firewall. This type of firewall keeps track of the traffic as it traverses the network gateway. Transmission information is checked and all packets that belong to a checked transmission are allowed to pass.

− Application-layer firewall/proxy firewall. This type of firewall scrutinizes each packet of a communication, examining not only the headers, but also the packet contents. Once a packet has been checked, a copy is made and forwarded to the intended destination while the original is discarded.

» Integrated capabilities. Many of the integrated capabilities that are packaged with firewalls can also be purchased as distinct solutions. When the integrated features of a firewall are used, rather than distinct solutions, the overall security of the system is improved since there will be a higher level of seamless communication and efficiency in the security system.


» Software or hardware firewall. A hardware or appliance-based firewall is essentially a dedicated server that comes pre-loaded with the vendor’s software. Conversely, a software-based firewall requires that the company purchase the necessary hardware component separately. Hardware-based firewalls are fully compatible with the software loaded on them and are generally easier to manage and maintain.

System Throughput

» Maximum firewall throughput. Firewall throughputs can range anywhere from under 100 Mbps to over 4 Gbps. Be sure to choose a firewall throughput that best serves the organization’s current and future needs.

» Degraded firewall throughput. Turning on integrated capabilities such as VPN, anti-virus software, and intrusion prevention systems (IPS) generally results in throughput degradation.

System Management

» User interface. Two types of user interfaces are available: Graphical User Interfaces (GUI) and Command Line Interfaces (CLI). GUIs allow users to manipulate the firewall using a familiar visual representation of folders and desktop structure, whereas CLIs allow users to manipulate the firewall using a specified command language in a text-only interface. It is common for firewalls to offer both CLI and GUI; however, some have only one or the other.

» Nature of console. There are three types of consoles that can be used with firewalls:

− Device consoles. Supports the firewall only.

− Vendor consoles. Supports the firewall as well as other vendor systems.

− Third-party consoles. Vendor neutral management consoles such as HP Software (previously HP OpenView), CA Unicenter, Altiris, and Tivoli.

Vendor Scorecard

This vendor landscape takes a look at eight prominent firewall vendors. To be evaluated, each firewall has to have approximately 400 Mbps to 1 Gbps of stateful throughput; anything more or less than this range is considered unsuitable for mid-sized enterprises. The rankings below are meant only as a guide; fully consider all options before choosing a firewall for the organization.


To determine the leaders, competitors, and followers in the industry, Info-Tech compared vendor performance in three key areas:

» Company strength. A combination of vendor stability, market share, and focus on mid-sized enterprises.

» Features. The appropriateness of the amount and type of features offered to mid-sized enterprises.

» Affordability. Product prices among the vendors.

Refer to Figure 1 for the vendor ranking breakdown.

Figure 1. Vendor Rankings for Mid-Sized Companies*

Source: Info-Tech Research Group

| Vendor | Company Strength | Features | Affordability | Vendor Ranking |
| --- | --- | --- | --- | --- |
| IBM ISS Proventia | High | Medium | High | Leader |
| Secure Computing (McAfee) | Medium | High | High | Leader |
| SonicWALL | Medium | Medium | High | Leader |
| Fortinet | Medium | High | Low | Competitor |
| Check Point Software Technologies | Medium | Medium | Medium | Competitor |
| Juniper Networks | Medium | Medium | Medium | Competitor |
| Cisco Systems | High | Low | Low | Follower |
| Palo Alto Networks | Low | High | Low | Follower |

*Rankings include leader, competitor, and follower.


Leader Landscape

IBM

| Company Strength | Features | Affordability | Vendor Score |
| --- | --- | --- | --- |
| High | Medium | High | 8 |

Figure 2. IBM ISS Proventia Series Comparison Chart

Source: Info-Tech Research Group

| Vendor | IBM |
| --- | --- |
| Vendor Market Stability | Year Founded: 1924; Number of Employees: 386,558; Company Type: Public; 2008 Sales: $103.6 Billion |
| Series Name | ISS Proventia |
| Model | MX4006 |

Protection Architecture

| Model | MX4006 |
| --- | --- |
| Stateful Firewall | Yes |
| Application Layer Firewall | No |
| Integrated VPN Capabilities | Yes (250 tunnels) |
| Integrated IPS | Yes |
| Integrated Anti-Malware Functionality | Yes |
| Integrated Content Filtering | Yes |
| Hardware or Software-Based | Hardware-Based |

Throughput

| Model | MX4006 |
| --- | --- |
| Maximum Stateful Firewall Throughput | 600 Mbps |
| Maximum Application Firewall Throughput | N/A |
| IPS Throughput | 450 Mbps |
| VPN Throughput | 170 Mbps |
| Anti-Virus Throughput | 120 Mbps |

System Management

| Model | MX4006 |
| --- | --- |
| User Interface | GUI and CLI |
| Console Type | Vendor Console |

Info-Tech Insight

The IBM ISS Proventia Series is a well-priced, feature-rich firewall series. It includes features such as anti-virus, anti-spam, Web filtering, and spyware blocking, which many vendors charge for separately or on a subscription basis. When considering the ISS Proventia Series, companies need to bear in mind that the maximum firewall throughputs are degraded by switching on the included security features.

Key Points

| Pros | Cons |
| --- | --- |
| The acquisition of ISS by IBM resulted in an enhancement of the security products offered by IBM. | No application layer firewall is available in the ISS Proventia series. |


Secure Computing (McAfee)

| Company Strength | Features | Affordability | Vendor Score |
| --- | --- | --- | --- |
| Medium | High | High | 8 |

Figure 3. Secure Computing Sidewinder Series Comparison Chart

Source: Info-Tech Research Group

| Vendor | Secure Computing (McAfee) |
| --- | --- |
| Vendor Market Stability (Secure Computing/McAfee) | Year Founded: Secure Computing: 1989 / McAfee: 1987; Number of Employees: 971 / 4250; Company Type: Public / Public; 2007 Sales: $237.9 Million / $1.3 Billion |
| Series Name | Sidewinder |
| Models | Sidewinder 210, Sidewinder 410, Sidewinder 510 |

Protection Architecture

| Models | Sidewinder 210 | Sidewinder 410 | Sidewinder 510 |
| --- | --- | --- | --- |
| Stateful Firewall | Yes | Yes | Yes |
| Application Layer Firewall | Yes | Yes | Yes |
| Integrated VPN Capabilities (PPTP/IPSec Tunnels) | Yes (unlisted number of tunnels) | Yes (unlisted number of tunnels) | Yes (unlisted number of tunnels) |
| Integrated IPS | Yes | Yes | Yes |
| Integrated Anti-Malware Functionality | Available | Available | Available |
| Integrated Content Filtering | Available | Available | Available |
| Hardware or Software-Based | Hardware-Based | Hardware-Based | Hardware-Based |

Throughput

| Models | Sidewinder 210 | Sidewinder 410 | Sidewinder 510 |
| --- | --- | --- | --- |
| Maximum Stateful Firewall Throughput | 170 Mbps | 250 Mbps | 600 Mbps |
| Maximum Application Firewall Throughput | 140 Mbps | 230 Mbps | 250 Mbps |
| IPS Throughput | Unlisted | Unlisted | Unlisted |
| VPN Throughput | 80 Mbps | 160 Mbps | 160 Mbps |
| Anti-Virus Throughput | Unlisted | Unlisted | Unlisted |

System Management

| Models | Sidewinder 210 | Sidewinder 410 | Sidewinder 510 |
| --- | --- | --- | --- |
| User Interface | GUI and CLI | GUI and CLI | GUI and CLI |
| Console Type | Vendor Console | Vendor Console | Vendor Console |

Info-Tech Insight

McAfee has recently been involved in a number of acquisitions, the most recent being that of Secure Computing in 2008. Through this acquisition, McAfee intends to broaden its firewall offerings. The Sidewinder series offers mid-sized enterprises many choices at competitive prices. One potential concern with McAfee and Secure Computing is that the total number of firewall models offered seems excessive. Since not all of the available models use the same components and parts, a company that purchases a low-selling model from the vendor may run into problems in the future if that model is discontinued and the company requires a part or component for repairs.


Key Points

| Pros | Cons |
| --- | --- |
| Secure Computing has a strong focus on mid-sized enterprises and offers a wide range of security products and options to best suit their needs. | Secure Computing was only just acquired by McAfee. Since this occurred fairly recently, both companies may potentially experience some growing pains in the future. |

SonicWALL

| Company Strength | Features | Affordability | Vendor Score |
| --- | --- | --- | --- |
| Medium | Medium | High | 7 |

Figure 4. SonicWALL NSA Series Comparison Chart

Source: Info-Tech Research Group

| Vendor | SonicWALL |
| --- | --- |
| Vendor Market Stability | Year Founded: 1991; Number of Employees: 700; Company Type: Public; 2007 Sales: $199.2 Million |
| Series Name | NSA Series |
| Models | NSA 240, NSA 2400 |

Protection Architecture

| Models | NSA 240 | NSA 2400 |
| --- | --- | --- |
| Stateful Firewall | Yes | Yes |
| Application Layer Firewall | Yes | Yes |
| Integrated VPN Capabilities | Yes | Yes |
| Integrated IPS | Available | Available |
| Integrated Anti-Malware Functionality | Available | Available |
| Integrated Content Filtering | Available | Available |
| Hardware or Software-Based | Hardware-Based | Hardware-Based |

Throughput

| Models | NSA 240 | NSA 2400 |
| --- | --- | --- |
| Maximum Stateful Firewall Throughput | 600 Mbps | 775 Mbps |
| Maximum Application Firewall Throughput | Unlisted | Unlisted |
| IPS Throughput | 195 Mbps | 275 Mbps |
| VPN Throughput | 150 Mbps | 300 Mbps |
| Anti-Virus (plus UTM suite) Throughput | 115 Mbps | 160 Mbps |

System Management

| Models | NSA 240 | NSA 2400 |
| --- | --- | --- |
| User Interface | GUI | GUI |
| Console Type | Third Party Management Console | Third Party Management Console |

Info-Tech Insight

The SonicWALL NSA 240 and NSA 2400 models are highly customizable, allowing organizations to subscribe to various UTM functionalities. The models in the NSA series are offered at affordable price points – likely because additional features such as anti-virus, anti-spyware, and content filtering are available only through subscription, resulting in additional costs.

Key Points

| Pros | Cons |
| --- | --- |
| SonicWALL offers products that are well tailored for use by small and mid-sized enterprises. | The company is shifting its focus from small and mid-sized enterprises to larger organizations and carriers. This may have negative implications for smaller enterprises. |

Competitor Landscape

Fortinet

| Company Strength | Features | Affordability | Vendor Score |
| --- | --- | --- | --- |
| Medium | High | Low | 6 |


Figure 5. Fortinet FortiGate 300-800 Series Comparison Chart

Source: Info-Tech Research Group

| Vendor | Fortinet |
| --- | --- |
| Vendor Market Stability | Year Founded: 2000; Number of Employees: 1000+; Company Type: Private; 2007 Sales: $150 M |
| Series Name | Fortinet 200-800 Series |
| Models | 300A, 400A, 500A, 800/800F |

Protection Architecture

| Models | 300A | 400A | 500A | 800/800F |
| --- | --- | --- | --- | --- |
| Stateful Firewall | Yes | Yes | Yes | Yes |
| Application Layer Firewall | Yes | Yes | Yes | Yes |
| Integrated VPN Capabilities | Yes (1500 tunnels) | Yes (2000 tunnels) | Yes (3000 tunnels) | Yes (3000 tunnels) |
| Integrated IPS | Yes | Yes | Yes | Yes |
| Integrated Anti-Malware Functionality | Yes | Yes | Yes | Yes |
| Integrated Content Filtering | Yes | Yes | Yes | Yes |
| Hardware or Software-Based | Hardware-Based | Hardware-Based | Hardware-Based | Hardware-Based |

Throughput

| Models | 300A | 400A | 500A | 800/800F |
| --- | --- | --- | --- | --- |
| Maximum Stateful Firewall Throughput | 400 Mbps | 500 Mbps | 600 Mbps | 1000 Mbps |
| Maximum Application Firewall Throughput | Unlisted | Unlisted | Unlisted | Unlisted |
| IPS Throughput | 200 Mbps | 300 Mbps | 400 Mbps | 600 Mbps |
| VPN Throughput | 120 Mbps | 140 Mbps | 150 Mbps | 200 Mbps |
| Anti-Virus Throughput | 70 Mbps | 100 Mbps | 120 Mbps | 150 Mbps |

System Management

| Models | 300A | 400A | 500A | 800/800F |
| --- | --- | --- | --- | --- |
| User Interface | GUI | GUI | GUI | GUI |
| Console Type | Vendor Console | Vendor Console | Vendor Console | Vendor Console |

Info-Tech Insight

The Fortinet FortiGate 200-800 series is aimed specifically at enterprises that are mid-sized or larger and offers plenty of choices. On the medium to high end of the pricing scale, the series comes with the full suite of security features that small and mid-sized enterprises require: anti-virus, Web filtering, anti-spam, and IPS software. While these features are included in-the-box, enterprises will have to pay a subscription fee to keep the feature signatures up to date.

Key Points

| Pros | Cons |
| --- | --- |
| Fortinet offers a wide selection of firewall and UTM products and has strong in-house technological capabilities. | Fortinet products are very expensive for most mid-sized enterprises. |


Check Point Software Technologies

| Company Strength | Features | Affordability | Vendor Score |
| --- | --- | --- | --- |
| Medium | Medium | Medium | 6 |

Figure 6. Check Point Software Technologies UTM-1 Series Comparison Chart

Source: Info-Tech Research Group

| Vendor | Check Point Software Technologies |
| --- | --- |
| Vendor Market Stability | Year Founded: 1993; Number of Employees: 1800; Company Type: Public; 2007 Sales: $730.9 Million |
| Series Name | UTM-1 |
| Models | UTM-1 270, UTM-1 570 |

Protection Architecture

| Models | UTM-1 270 | UTM-1 570 |
| --- | --- | --- |
| Stateful Firewall | Yes | Yes |
| Application Layer Firewall | Yes | Yes |
| Integrated VPN Capabilities | Yes (tunnels unlisted) | Yes (tunnels unlisted) |
| Integrated IPS | No | No |
| Integrated Anti-Malware Functionality | Yes | Yes |
| Integrated Content Filtering | Yes | Yes |
| Hardware or Software-Based | Hardware-Based | Hardware-Based |

Throughput

| Models | UTM-1 270 | UTM-1 570 |
| --- | --- | --- |
| Maximum Stateful Firewall Throughput | Unlisted | Unlisted |
| Maximum Application Firewall Throughput | 400 Mbps | 1100 Mbps |
| IPS Throughput | N/A | N/A |
| VPN Throughput | 100 Mbps | 250 Mbps |
| Anti-Virus Throughput | Unlisted | Unlisted |

System Management

| Models | UTM-1 270 | UTM-1 570 |
| --- | --- | --- |
| User Interface | GUI and CLI | GUI and CLI |
| Console Type | Vendor Console | Vendor Console |

Info-Tech Insight

Check Point Software Technologies is a well-recognized Internet security software vendor. The UTM-1 270 and UTM-1 570, the models best suited to the mid-sized market, are reasonably priced for these companies. However, in the UTM-1 series, unified threat management is not included in the suite by default. In order to get full UTM protection, companies must subscribe to the UTM suite.

Key Points

| Pros | Cons |
| --- | --- |
| Check Point Software Technologies is a strong company with good technological backing behind all of its firewall products. | The company on the whole has a poor focus on small and mid-sized enterprises. |


Juniper Networks

| Company Strength | Features | Affordability | Vendor Score |
| --- | --- | --- | --- |
| Medium | Medium | Medium | 6 |

Figure 7. Juniper SSG Series Comparison Chart

Source: Info-Tech Research Group

| Vendor | Juniper Networks |
| --- | --- |
| Vendor Market Stability | Year Founded: 1996; Number of Employees: 5800+; Company Type: Public; 2008 Sales: $3.6 Billion |
| Series Name | SSG Series |
| Models | SSG 140, SSG320M/SSG350M, SSG 520/SSG 520M, SSG 550/SSG 550M |

Protection Architecture

| Models | SSG 140 | SSG320M/SSG350M | SSG 520/SSG 520M | SSG 550/SSG 550M |
| --- | --- | --- | --- | --- |
| Stateful Firewall | Yes | Yes | Yes | Yes |
| Application Layer Firewall | Yes | Yes | Yes | Yes |
| Integrated VPN Capabilities | Yes (150 tunnels) | Yes (250/350 tunnels) | Yes (500 tunnels) | Yes (1000 tunnels) |
| Integrated IPS | No* | No* | No* | No* |
| Integrated Anti-Malware Functionality | Yes | Yes | Yes | Yes |
| Integrated Content Filtering | Yes | Yes | Yes | Yes |
| Hardware or Software-Based | Hardware-Based | Hardware-Based | Hardware-Based | Hardware-Based |

Throughput

| Models | SSG 140 | SSG320M/SSG350M | SSG 520/SSG 520M | SSG 550/SSG 550M |
| --- | --- | --- | --- | --- |
| Maximum Stateful Firewall Throughput | 350 Mbps | 450 Mbps/550 Mbps | 600 Mbps | 1000 Mbps |
| Maximum Application Firewall Throughput | Unlisted | Unlisted | 300 Mbps | 500 Mbps |
| IPS Throughput | N/A | N/A | N/A | N/A |
| VPN Throughput | 100 Mbps | 175 Mbps/225 Mbps | 300 Mbps | 500 Mbps |
| Anti-Virus Throughput | Unlisted | Unlisted | Unlisted | Unlisted |

System Management

| Models | SSG 140 | SSG320M/SSG350M | SSG 520/SSG 520M | SSG 550/SSG 550M |
| --- | --- | --- | --- | --- |
| User Interface | GUI | GUI | GUI | GUI |
| Console Type | Vendor Console | Vendor Console | Vendor Console | Vendor Console |

*Listed as having integrated IPS functionality; however, this is actually deep inspection functionality.


Info-Tech Insight

The Juniper Networks SSG series provides many options from which to choose. Juniper is partnered with other security vendors for various aspects of the SSG series; these vendors are the best in their respective classes, thus strengthening the SSG series security protection. The SSG series does not support IPS, and while the SSG series data sheets list them as having integrated IPS functionality, it is actually deep packet inspection functionality. In other words, instead of stopping intrusions from occurring, the firewall is really just performing the role of an application firewall.

Key Points

| Pros | Cons |
| --- | --- |
| Juniper Networks is a large company with a broad product portfolio. | Juniper has very limited small and mid-sized enterprise focus due to its mandate to focus on large enterprises only. |

Follower Landscape

Cisco Systems

| Company Strength | Features | Affordability | Vendor Score |
| --- | --- | --- | --- |
| High | Low | Low | 5 |

Figure 8. Cisco ASA 5510 Comparison Chart

Source: Info-Tech Research Group

| Vendor | Cisco Systems |
| --- | --- |
| Vendor Market Stability | Year Founded: 1984; Number of Employees: 61,000+; Company Type: Public; 2008 Sales: $39.5 Billion |
| Series Name | ASA 5500 |
| Models | ASA 5520, ASA 5540 |

Protection Architecture

| Models | ASA 5520 | ASA 5540 |
| --- | --- | --- |
| Stateful Firewall | No | No |
| Application Layer Firewall | Yes | Yes |
| Integrated VPN Capabilities | Yes (750 tunnels) | Yes (5000 Tunnels) |
| Integrated IPS | Available | Available |
| Integrated Anti-Malware Functionality | Available | Available |
| Integrated Content Filtering | Available | Available |
| Hardware or Software-Based | Hardware-Based | Hardware-Based |

Throughput

| Models | ASA 5520 | ASA 5540 |
| --- | --- | --- |
| Maximum Stateful Firewall Throughput | N/A | N/A |
| Maximum Application Firewall Throughput | 450 Mbps | 650 Mbps |
| IPS Throughput (Firewall and IPS Throughput) | (225/375/450 Mbps*) | (500/650 Mbps*) |
| VPN Throughput | 225 Mbps | 325 Mbps |
| Anti-Virus Throughput | Unlisted | Unlisted |

System Management

| Models | ASA 5520 | ASA 5540 |
| --- | --- | --- |
| User Interface | CLI and GUI | CLI and GUI |
| Console Type | Vendor Console | Vendor Console |

* The maximum firewall and IPS throughput is determined by the type of Advanced Inspection and Prevention Security Services Module that is installed.

Info-Tech Insight

Cisco Systems is the dominant player in the enterprise networking space. For mid-sized enterprises, the Adaptive Security Appliance (ASA) 5500 Series is available. This series offers multiple security options at the medium to high end of the pricing scale. While intrusion prevention and anti-malware are available in the ASA 5520 and 5540 models, they are not capable of running the features concurrently, forcing enterprises to choose between the two. This represents a severe limitation of the ASA series – most vendors do not impose such limitations.

Key Points

| Pros | Cons |
| --- | --- |
| Cisco Systems is a mature and reliable company, has a large install base, and is considered to be the litmus test for the rest of the IT industry. | The available features in the ASA 5500 series are quite limited compared to the offerings of other vendors. |

Palo Alto Networks

| Company Strength | Features | Affordability | Vendor Score |
| --- | --- | --- | --- |
| Low | High | Low | 5 |


Figure 9. Palo Alto Networks PA-2000 Series Comparison Chart

Source: Info-Tech Research Group

| Vendor | Palo Alto Networks |
| --- | --- |
| Vendor Market Stability | Year Founded: 2005; Number of Employees: Unlisted; Company Type: Private; 2008 Sales: $12 Million |
| Series Name | PA-2000 |
| Models | PA-2020, PA-2050 |

Protection Architecture

| Models | PA-2020 | PA-2050 |
| --- | --- | --- |
| Stateful Firewall | No | No |
| Application Layer Firewall | Yes | Yes |
| Integrated VPN Capabilities | Yes (1000 Tunnels) | Yes (2000 Tunnels) |
| Integrated IPS | Yes | Yes |
| Integrated Anti-Malware Functionality | Available | Available |
| Integrated Content Filtering | Available | Available |
| Hardware or Software-Based | Hardware-Based | Hardware-Based |

Throughput

| Models | PA-2020 | PA-2050 |
| --- | --- | --- |
| Maximum Stateful Firewall Throughput | N/A | N/A |
| Maximum Application Firewall Throughput | 500 Mbps | 1000 Mbps |
| IPS Throughput | 200 Mbps | 500 Mbps |
| VPN Throughput | 200 Mbps | 300 Mbps |
| Anti-virus Throughput | Unlisted | Unlisted |

System Management

| Models | PA-2020 | PA-2050 |
| --- | --- | --- |
| User Interface | CLI and GUI | CLI and GUI |
| Console Type | Vendor Console | Vendor Console |

Info-Tech Insight

Palo Alto Networks is a young company that was founded in 2005. The company uses its own proprietary technology in its firewalls:

» App-ID: (Patent Pending) Classifies Internet traffic by the applications that are generating it.

» User-ID: Monitors user activity by linking IP addresses to specific users and groups. This allows enterprises to monitor and regulate network traffic.

» Content-ID: Contains aspects of traditional Data Leakage Protection and Content Filtering technologies.

Palo Alto Networks PA-2000 Series is priced at the high end of the pricing range. The higher prices are perhaps due to the use of the company’s proprietary technologies in the firewalls. Palo Alto is an up-and-comer in the firewall industry; enterprises should be on the lookout for its movement both upstream and downstream in the market. For now, its products are better suited to larger companies seeking to obtain a cutting-edge UTM device.


Key Points

| Pros | Cons |
| --- | --- |
| Palo Alto proprietary firewall technologies are market leading and cutting edge. | The company currently focuses mainly on large companies, and the prices of the units are significantly higher than other firewall solutions. |

Recommendations

1. Know enterprise security requirements. Before sifting through all of the firewalls available, IT professionals must have an understanding of enterprise security requirements. Pay attention to security policy requirements and any regulatory standards that need to be met. Also, keep in mind any growth that the enterprise will experience in the future and take this into consideration in the decision process. This will help prevent enterprises from buying firewalls with too much or too little security protection and capacity.

2. Base vendor selection on company needs. Don’t base the vendor selection process solely on the rankings presented in this vendor landscape. Depending on the needs of the enterprise, different vendors will be ranked higher on the enterprise’s individual vendor scorecard. The rankings in this note are based on the average requirements of a mid-sized enterprise.

3. Consider how the TCO will be calculated. Since firewalls are not replaced very often, use a time period of three to five years when performing Total Cost of Ownership calculations.

Bottom Line

Firewalls are a security necessity in today’s business world. They serve to protect the enterprise network from a host of threats. Use this vendor landscape to gain an understanding of the leading firewall vendors and the key criteria on which to focus when choosing a new firewall for the enterprise.

Info-Tech's products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns. Our practical approach is designed to have a clear and measurable positive impact on your organization's bottom line.

We serve over 21,000 clients at 8,000 organizations around the world. Since 1998, we have focused on making the work of IT professionals easier - and on helping them achieve greater personal and corporate success.
