
Which firewall is the best? Leaders among UTM and Enterprise Firewalls (Gartner 2017)


Anyone who has ever asked the question “which firewall should I choose?” has probably come across the Magic Quadrant from Gartner (the well-known analyst firm).

At the end of June 2017 Gartner released its regular report on the state of the Unified Threat Management (UTM) market, the Magic Quadrant for Unified Threat Management (SMB Multifunction Firewalls), and in July 2017 its report on enterprise firewalls, the Magic Quadrant for Enterprise Network Firewalls. If you want to know who was among the leaders, how the picture has changed over the past year and what trends are visible, read on.

UTM market:
Let me remind you of Gartner's definition:

“Unified Threat Management (UTM) is a converged security platform, especially for small businesses (SMBs): firewall / intrusion prevention system (IPS) / Web-based virtual gateway security (URL filtering, Web antivirus [AV]) and messaging security (anti-spam, mail AV).”

In other words, this definition covers network security platforms aimed at small companies (Small) and slightly larger companies (Midsize); Gartner counts companies with 100 to 1,000 employees as Small and Midsize Business. UTM solutions typically include what is today standard firewall functionality, an intrusion prevention system (IPS), a VPN gateway, a web traffic filtering system (URL filtering and a streaming antivirus for web traffic) and a mail traffic filtering system (spam filtering and an antivirus for mail traffic), and of course we must not forget basic routing and support for various WAN technologies.

Interestingly, Gartner predicts that until 2020 the firewall market will remain in roughly its current state. By 2022, according to Gartner, Firewall as a Service (FWaaS) solutions, i.e. cloud firewalls to which client traffic is tunneled, will become tightly integrated into the SMB segment, and their share of new installations on the SMB market will exceed 50%, compared with the current share of 10%. Also by 2022, 25% of SMB users will use their firewall as a monitoring tool and intermediate broker for inventorying and controlling the use of SaaS resources, as a mobile device management tool, or as a means of enforcing security policies on end-user devices (less than 2% of users currently use this functionality on firewalls). FWaaS solutions will be more popular for distributed branch offices, where they will be used by 10% of new installations, compared with less than 1% today.

Since UTM solutions are aimed at relatively small companies (by Gartner's standards), it is clear that an end customer who gets all the functionality from one box will to some extent accept trade-offs in performance, network security effectiveness and functionality. It is also important for such customers that the solution is easy to manage (a browser-based management interface, for example), that administrators can be trained faster thanks to the simplified management, that the solution contains at least basic built-in reporting, and, for some customers, that the software and documentation are localized.

Gartner believes that the needs of SMB customers and Enterprise customers differ significantly: Enterprise customers need to implement more complex management policies and more advanced network security features. For example, Enterprise customers with a distributed branch structure often have branches that are the same size as an entire SMB company. However, the criteria for choosing equipment for a branch are usually dictated by the choice of equipment at the head office (branches usually get equipment from the same vendor that is used at the head office, i.e. low-end enterprise-class equipment), because the customer needs to ensure equipment compatibility, and such customers often use a single management console so that the branch network (where there may be no specialists of the appropriate profile) can be managed from the head office. The economic component also matters: a corporate customer may receive additional volume discounts from network solution vendors, including for the branch network. For these reasons, Gartner considers solutions for the distributed branch offices of corporate customers in the quadrants for the Enterprise segment (NGFW / Enterprise Firewall, IPS, WAF, etc.).

Separately, Gartner singles out customers with a distributed network of highly autonomous offices (a typical example is a retail chain, where the total number of employees may exceed 1,000), which, like a typical SMB customer, have fairly limited budgets, a very large number of remote sites and usually a small IT / information security staff. Some UTM vendors even focus specifically on solutions for such customers more than on traditional SMB.

Now let's look at the current Gartner quadrant for the UTM market as of June 2017:



And here is how it looked a year ago, in August 2016:



The list of UTM market leaders contains the same familiar faces: Fortinet, Check Point and Sophos. The situation is gradually heating up, with the leaders' positions drawing closer together. Juniper moved from the Challengers to the Niche Players. SonicWall improved its position somewhat.
Here is what Gartner says about each of the UTM market leaders:

1. Fortinet:

One of the UTM market leaders and a frequent guest on SMB shortlists, with a strong position in terms of functionality / price / performance, which makes it a frequent choice of UTM solution. It is the vendor most often selected for shortlists both by regular SMB customers and by distributed networks of autonomous offices.

The headquarters is located in Sunnyvale (USA, California). It has more than 4,600 employees worldwide, including R&D staff of more than 1,000. The product portfolio contains network security and endpoint security solutions, including SMB and Enterprise class firewalls (FortiGate), an endpoint protection platform (FortiClient), a Web Application Firewall / WAF (FortiWeb), and a solution for integrating its network security products (Fortinet Security Fabric).

2. Check Point Software Technologies:



One of the UTM market leaders; its SMB solution is an enterprise-class firewall that is fairly easy to manage and has an intuitive graphical user interface (GUI).

Headquarters are located in Tel Aviv (Israel) and San Carlos (USA). Check Point is a network security vendor with more than 1,300 R&D employees. The product portfolio contains SMB and Enterprise class firewalls (Security Gateway), a specialized endpoint security solution (SandBlast Agent), a mobile device security solution (SandBlast Mobile) and virtual firewalls (vSEC for private and public clouds). The current line of SMB class firewalls includes the 700, 1400, 3100, 3200, 5100, 5200, 5400 and 5600 families; all of these devices were introduced in 2016/2017.

3. Sophos:



One of the UTM market leaders. It continues to increase its market share thanks to its ease of use, the good functionality of its security component and successful integration with its own endpoint security solution. A frequent guest on the shortlists of SMB customers as well as of distributed networks of autonomous offices.

Headquartered in Abingdon (UK), it has more than 3,000 employees worldwide. The product portfolio contains a mix of network security and endpoint protection solutions. The Sophos XG firewall line contains 19 models and was last updated in the 4th quarter of 2016; the portfolio also includes the older Sophos SG line. Sophos UTM solutions are available as virtual appliances with integration into the AWS and Azure IaaS platforms. Endpoint security solutions include Sophos Endpoint and Intercept X. The integration between Sophos UTM and Sophos Endpoint is called Sophos Synchronized Security. The vendor's portfolio also includes solutions for protecting mobile devices and for data encryption.

Enterprise Firewall Market:

In 2011 Gartner introduced the Next Generation Firewall (NGFW) definition for Enterprise Firewalls:

“Next-generation firewalls (NGFWs) can be used for firewalls. An NGFW should not be confused with a network intrusion prevention system (IPS), which includes a firewall, or with a firewall and IPS system.”

At the time it was an innovation that caused a lot of controversy. Several years have passed, a lot of water has flowed under the bridge, and now, in 2017, Gartner no longer considers this to be any particular advantage, but simply states that all the leading players in this market acquired this functionality long ago and now differentiate themselves from other vendors in terms of functionality.

According to Gartner's forecasts, by 2020 enterprise-class virtualized firewalls will take up to 10% of the market, compared with 5% currently. By the end of 2020, 25% of firewalls sold will include integration with cloud access security brokers (CASB) for connecting to cloud services, integrated via the appropriate API. By 2020, 50% of new firewall installations will use outbound TLS inspection, compared with less than 10% currently.

According to Gartner, the Enterprise Firewall market consists mainly of network security solutions for enterprise networks. The products in these solutions can be deployed as a single firewall as well as in larger and more complex scenarios, including branch networks, multi-tiered demilitarized zones (DMZs), traditional deployments as a “large” firewall in the data center, and the use of virtual firewalls in the data center. Customers should also be able to deploy the solutions in the Amazon Web Services (AWS) and Microsoft Azure public clouds, and the vendor should have Google Cloud support on its roadmap for the next 12 months. The products should be manageable with highly scalable (and granular) management tools, have an advanced reporting system, and offer a wide range of solutions for the network perimeter, the data center, the branch network and deployment in virtualization infrastructure and the public cloud. All vendors in this segment should support fine-grained identification and control of applications and users. Next Generation Firewall functionality is no longer an advantage but a necessity, so Gartner is retiring the term it invented, since this functionality is considered ordinary and absolutely necessary in the Enterprise Firewall market. In essence, Gartner treats NGFW and Enterprise Firewall as synonyms. Vendors in this market focus their sales strategies and technical support on large companies (Enterprises), and the functionality they develop is also aimed at solving the problems of large companies.

Gartner states that, according to its research, NGFWs are gradually continuing to replace stand-alone IPS devices at the network perimeter, although some customers say they will continue to use specialized Next Generation IPS (NGIPS) devices, following a best-of-breed strategy. Many corporate customers are interested in cloud-based malware detection solutions as a cheaper alternative to separately installed sandboxing solutions.

Unlike the UTM market, the enterprise firewall market does not assume that NGFW solutions must contain all the functionality needed to protect the network. Instead, Gartner sees that corporate firewalls need to specialize specifically in NGFW functionality. For example, enterprise-class branch office firewalls require support for highly granular blocking of network traffic, which should be built into the product's core; an integrated service approach to processing network traffic is required; and product management should be highly integrated rather than looking like a hastily assembled set of different engines in one product. The level of protection and ease of configuration of enterprise-class firewalls for branch networks should not be inferior to head office solutions.

In 2017 Gartner pays special attention to solutions for terminating TLS sessions so that outbound traffic can be scanned for threats such as malicious code downloads and botnet control traffic. In some ways, the ability to inspect outbound TLS traffic brings the NGFW closer to a lightweight DLP solution, since decrypting and then inspecting outbound TLS traffic makes it possible to ensure that sensitive data is not sent out. However, some customers using this feature may notice significant performance degradation when it is activated, because of the high cost of TLS decryption.

Some progressive customers are planning to use, and some are already using, the opportunities provided by the Software Defined Networking (SDN) paradigm, and are using micro-segmentation capabilities in virtualized data centers. Such customers look at vendors' support for various SDN solutions, as well as their plans for further development in the SDN direction. Solution vendors are including more and more automated approaches to orchestrating gateway policies to provide the flexibility and business benefits that the SDN paradigm promises.

Now let's look at the current Gartner quadrant for the Enterprise Firewall market as of July 2017:



And here is how it looked a year ago, in May 2016:



Palo Alto Networks and Check Point are the long-standing leaders of the Enterprise Firewall market. This year Gartner also moved Fortinet from the Challengers into the Leaders. Passions are running high here too: the leaders' positions in this segment are also converging. Cisco again failed to break into the Leaders this year, remaining among the Challengers. A surprise is Huawei, which moved quite confidently from the Niche Players into the Challengers section.

Here is what Gartner says about each of the Enterprise Firewall market leaders:

1. Palo Alto Networks:



One of the Enterprise Firewall market leaders and a pure security vendor, based in Santa Clara (USA, California), with a staff of more than 4,000 employees. It has produced firewalls since 2007, and in 2016 its revenue exceeded $1.4 billion. The solution portfolio includes enterprise-class firewalls in physical and virtualized versions, endpoint protection solutions (Traps and GlobalProtect), solutions for collecting, aggregating and correlating real-time threat analytics to support defensive measures (Threat Intelligence, AutoFocus), and a SaaS security solution (Aperture). The vendor is actively working on integrating its solutions into a single network security platform.

Palo Alto Networks recently released version 8 of the PAN-OS operating system with improvements for WildFire and Panorama, new SaaS security features and protection of user credentials. The entry-level PA-220 firewall model and the mid-range PA-800 Series devices were also released, and the PA-5000 Series firewall line (new models 5240, 5250 and 5260), which has been produced since 2011, was updated.

2. Check Point Software Technologies:



One of the Enterprise Firewall market leaders. The product portfolio for the Enterprise market contains a large number of solutions, including NGFW firewalls, endpoint protection solutions, and cloud and mobile network security solutions. Check Point's flagship products are the enterprise-level Security Gateways (5000, 15000, 23000, 44000 and 64000). Cloud security is provided by the vSEC solution for private and public clouds, and there is also a SandBlast Cloud solution for SaaS applications. Endpoint security solutions include SandBlast Agent, and the mobile security solutions are Check Point Capsule and SandBlast Mobile. A SandBlast Cloud solution for scanning mail traffic in Microsoft Office 365 has also been released. In 2016 the 15400 and 15600 models became available for large corporate customers, as well as the 23500 and 23800 for data centers.

Recently the new high-end 44000 and 64000 platforms were introduced, vSEC for Google Cloud was released, as was the new R80.10 software version with improvements to the management console, improved performance and SandBlast Anti-Ransomware, which protects against ransomware. Also presented is the new Check Point Infinity network security architecture, which unifies the security of networks, clouds and mobile users.

Check Point also expanded its cloud-based malware protection solution, which can be integrated in front of SaaS email services. Check Point offers numerous software blades that extend the firewall's capabilities, including Advanced Malware Protection (Threat Emulation and Threat Extraction) and Threat Intelligence services (ThreatCloud IntelliStore and Anti-Bot). Check Point supports its firewalls in the Amazon Web Services (AWS) and Microsoft Azure public clouds, and integration with the VMware NSX and Cisco Application Centric Infrastructure (ACI) SDN solutions is available.

The Check Point solution should be on the shortlist of a corporate customer for whom price sensitivity matters less than the granularity of network security functionality, coupled with high-quality centralized management for complex networks. It is also a good candidate for customers with hybrid networks consisting of on-premises hardware, virtualized data centers and clouds.

3. Fortinet:

A newcomer to the Leaders of the Enterprise Firewall market. The flagship product is FortiGate, which accounted for 75% of the company's revenue in 2016. The vendor also offers other products, such as wireless networking (FortiAP) and a specialized Web Application Firewall (FortiWeb). A new solution for integrating its network security products is offered under the name Fortinet Security Fabric.

The FortiGate line recently introduced models with the “-E” suffix, built on a hardware platform based on the latest generation of Fortinet's dedicated Security Processing Units (SPU). Fortinet also acquired the SIEM maker AccelOps and rebranded its solution as FortiSIEM. The latest FortiOS releases include various features related to the Fortinet Security Fabric solution, with tighter integration between the solution's components, including the FortiClient endpoint protection solution. A FortiCASB solution providing SaaS protection has been announced.

Fortinet is also an excellent candidate for the corporate customer's shortlist in all application scenarios, especially if the customer values the price / performance ratio and puts it first in its ranking.

If we step back from what was written above, many modern UTM solutions are already quite enterprise-class, and many vendors produce enterprise-class firewalls adapted to the budgets of SMB customers.

In fact, none of the leading network security vendors has a clear division into UTM / NGFW solutions, so in our opinion Gartner's segmentation of the network security market into UTM and Enterprise Firewall / NGFW is somewhat artificial and contrived: in real life the boundary between these markets is blurred, and only Gartner divides them, for marketing reasons and possibly also in order to sell more of its reports.

On the other hand, Gartner's position on UTM (the all-security-in-a-box approach) should be seen as a division of the market by customer: UTM is for customers who are primarily interested in an integrated solution providing network and endpoint protection from one box (by analogy with home appliances, an integrated music center or boombox). The separate Gartner quadrants for Enterprise Firewall, Web Application Firewall, Web / E-Mail Security, Endpoint Security, etc. (by analogy, component HiFi audio equipment) are for customers who need even more functionality than UTM solutions can provide, who need to provide end-to-end network and endpoint security, or who are not satisfied with the scalability of UTM solutions.

Article prepared by Chingis Taltaev.

Source: https://habr.com/ru/post/333338/
