Tuesday, January 13, 2015

Blueprint: Round-Two for Next Generation Firewalls

by Casey Quillin, Director at Dell'Oro Group

As the enterprise sector turns to the cloud to deliver applications to mobile users across widely dispersed networks, Cisco and Juniper must catch up with smaller competitors. But how much does time-to-market matter?
Risk is omnipresent in the enterprise sector. Business applications must be protected. Data must be protected. Users and their information must be protected. Business intelligence must be protected. Networks, servers, and infrastructures must be protected. While the fact of risk doesn’t change, the technologies that mitigate risk continue to evolve alongside the players and vendors bringing new solutions to market. Nowhere is this evolution more evident than in the realm of network firewalls.

The market opportunity today, and for the next several years, will be split between the slow and steady tortoises of vendors like Cisco and Juniper, and the sleek, speedy hares that include Check Point Software Technologies, Fortinet, and Palo Alto Networks. The enterprise-class firewall market is robust. Sales eclipsed $3 billion in 2013 and are projected to grow at a high single-digit rate over the next five years, to almost $5 billion.

There are many layers of security. In this article, we are concerned with firewalls—hardware or software that ensures only approved users and data traffic can enter the business network from the “outside” (usually but not exclusively the public Internet) and mitigates inappropriate use of the internal LAN, including removal of information from the network. Over the past three years, firewalls have evolved from protecting networks at the perimeter to protecting the entire network from both external and internal threats.

The network has expanded from a system which allows users to share common resources, to an application delivery platform. Certainly, many applications continue to serve employees and customers from the data center; however, users may also be served from external service providers or cloud providers. End users may be co-located in the building on the LAN, or at home or in offices halfway around the world. Despite this dispersal, users demand the same experience and level of performance they would receive with local application access.

As application delivery platforms, networks continually face new and evolving security risks, as well as substantial changes in the way security policies are created and enforced. These changes inspired application-aware security platforms (commonly referred to in the industry as “next generation firewalls”), which use deep-packet inspection to identify application traffic and enable both user- and application-layer policies. Vendors of all sizes are jumping into the new application-aware next generation firewall space.

The next generation firewalls from Check Point, Fortinet, Palo Alto Networks, and others are a great fit for networks whose perimeters have been eroded due to the cloud, and users who now connect to the corporate network from different locations and with a variety of devices (BYOD). Offering nimble, early-to-market products—and without the risk of cannibalizing existing sales or disrupting publicly announced product roadmaps—these firms grabbed mindshare with their innovative technology and compelling use cases.

Like the hare in Aesop’s fable, these companies had a head start and have continued to innovate. Not unexpectedly, Cisco and Juniper, the slower tortoises, have responded in force. Indeed, they have largely closed the functionality gap. With its acquisition of Sourcefire in 4Q13, Cisco launched a new platform, named ASA with FirePOWER Services, optimized for application delivery and the enterprise network edge. Juniper has steadily added application-aware features to its SRX platform and is now fully competitive with the new-generation hares.

But, now, with product functionality fairly evenly matched across all enterprise firewall vendors, how will users choose which products to purchase? Previously, the hares with their first-to-market advantage had the most compelling sales propositions.

It would be premature to conclude that the game’s over. In fact, the race for the next-generation firewall is still in its early stages. As vendors market these products, a bifurcation has evolved between the data center and the network edge. Indeed, protecting the data center is a different matter from protecting the network edge. Each site requires the use of different technologies and for the next few years, we believe vendors will be able to excel at either the data center or the network edge—but unlikely at both. One firewall cannot be optimized for both data center and network edge without sacrificing performance and simplicity of administration. The intelligent user will optimize his network by deploying best-in-breed products—one class for the data center and another class for the network edge.

In the data center, the number of applications running and the number of users are limited and known. In addition, only a small number of device types are used and these are always connected with cable. Firewall products for the data center do not need to boast best-in-class support for mobile devices, nor do they need to be optimized to distinguish vast numbers of applications connecting via the Internet. Data center networks are in the midst of a major transition to Software-Defined Networking (SDN), where the administrator will have a global view of the network across multiple platforms and be able to program the network to act upon real-time intelligence, for example by responding to a denial-of-service attack or resetting traffic paths.

It is unlikely that a rational user would choose, from a young, small vendor, a data center firewall product that will have such global command of the network. The rational user will choose a vendor with years of experience and vast numbers of trained staff—a vendor with the ability to scale. In this scenario, companies such as Cisco and Juniper will have the advantage because they can integrate next-generation firewall functionalities into their broad product lines.

In contrast, the enterprise campus and network edge are tightly focused on ensuring secure access and use of mobile devices. In these deployment locations, firewalls must be able to distinguish an enormous variety of applications running on the Internet. Once an application is identified, a firewall must be able to implement policy user by user. Firewalls in these locations must also be able to provide secure access and context-based authentication to widely different types of mobile devices. In this realm, a vendor gains advantage based on its speed of innovation and the richness of its database of threats.

Let’s look deeper into vendors’ positions. As shown in Figure 1, since 2011 Cisco has maintained a 30% to 32% revenue share in the Enterprise Class Firewall market. Its next closest competitor, Palo Alto Networks, has grown to about 10%, while Fortinet, Huawei, and Juniper are tied in third place.

Cisco’s strength stems from sales to the data center, which have been a strategic focus and growth engine for the company. We estimate that sales to the data center of Cisco’s Ethernet switch and server businesses represent 20% of the company’s overall revenue. There are massive changes taking place in the data center with virtualization and SDN. Change brings opportunity to new entrants. Cisco’s challenge will be to rapidly innovate at the enterprise edge, while protecting its data center business.

Palo Alto Networks has built its reputation as best-in-breed based on its strength at rapid innovation at the enterprise network edge. In February 2014, the company launched its high-end platform, PA-7050, targeting large enterprise and carrier data centers. In order to grow its data center business, Palo Alto’s challenge will be to convince users it has the scale to fulfill the technical and service level demands of supporting data center class deployments.

Fortinet’s pioneering Unified Threat Management (UTM) product carved a powerful brand with its “single pane of glass” approach to managing network security. The company also spearheaded application-aware, enterprise-class firewalls targeting the network edge. Its FortiGate products with custom ASICs earned a reputation for high performance and ease of management at reasonable prices. Fortinet’s stronghold is at the enterprise network edge, a position the company is strengthening with its expansion into Wireless LAN access points.

Of notable mention is Fortinet’s doubling of market share over the past two years. Although the company offers high-end platforms targeting large enterprise and carrier data centers, we envision the same challenges that Palo Alto faces: securing user interest to test and deploy products and scaling to support the data center’s rapidly changing demands.

The foundation of both Huawei’s and Juniper’s strength is data center deployment, primarily from carrier purchases of the Eudemon8000E-X series and the SRX, respectively. We believe that Juniper’s sales were also bolstered by large enterprises, albeit to a lesser degree. Looking forward, we expect this trend to continue, although both firms have deployed competitive, application-aware firewall products for the enterprise edge. Juniper’s challenge will be to shore up its share loss—and quickly—as time is not on its side. The longer it takes the company to get back on track, the greater the difficulty it will face. Huawei’s challenge will be to sell to large enterprises outside of China and to sustain rapid innovation at both the enterprise edge and the data center.

The bottom line is that customers need next-generation solutions that are more powerful than packet-oriented firewalls and unified threat management. These products must penetrate deep into applications without sacrificing performance. Firewalls must be capable of protecting today’s diversified networks—clouds, virtualization, mobile users, and BYOD. At present, the innovators in this area are the smaller players, whose offerings are more compelling to enterprises that understand the risks inherent in the evolving application delivery market. While small companies have the current advantage, the big players are ready to strike back.

Round two of the next-generation firewall race is about to begin. Things are going to get really, really interesting.

About the Author

Casey Quillin joined Dell’Oro Group in 2011. He is responsible for the Data Center Appliance and Storage Area Network market research programs. While at the firm, Mr. Quillin has significantly expanded Data Center Appliance research, including the build-out of Network Security Appliances. Mr. Quillin has over 20 years of experience as an executive manager and entrepreneur in the technology sector. Prior to joining Dell’Oro Group, he held positions with several startups, including Vice President of Engineering at Snapfish, the world’s largest online photo-sharing site, later acquired by HP. He was also CTO of Oasys Networks, an application service provider in the financial services market; Co-founder and CEO of Logic by Design, an interactive media agency; and Managing Partner of Cornice Networks, a network integration and IT consulting firm in San Francisco.

About Dell'Oro Group

As the trusted source for market information about the networking and telecommunications industries, Dell’Oro Group provides in-depth, objective research and analysis that enables component manufacturers, equipment vendors, and investment firms to make fact-based, strategic decisions. For more information, contact Dell’Oro Group at +1.650.622.9400 or visit www.DellOro.com.