Palo Alto Networks, Check Point top Products in Gartner Magic Quadrant for Enterprise Network Firewalls - 2014

As is probably no big surprise to those in the industry and those purchasing network security products, Palo Alto Networks (PAN) and Check Point had the top rated products in the 2014 Gartner Magic Quadrant for Enterprise Network Firewalls.  The report came out in April.  These are the only two companies in the Leaders Quadrant, with Palo Alto Networks leading on Completeness of Vision and Check Point for Ability to Execute. Fortinet and Cisco were the closest to the in the Challengers quadrant.   The report, ID:G00258296 is available on the PAN web site for those who register. http://connect.paloaltonetworks.com/gartner-mq-2014

Palo Alto Networks pretty much was the originator of the acronym NGFW or Next Generation Firewall, and PAN and Check Point Software Technologies companies compete for many of the same customers. Last year, PAN   introduced their Wildfire infrastructure, enabling the PAN firewall to detect and stop Advanced Persistent Threats (APTs) This is offered to customers via the public cloud or can be deployed as a private cloud.   Gartner also wrote that PAN    was consistently on most NGFW competitive shortlists.  PANS Advanced Persistent Threat Solution   was not among those recently tested by NSS Labs in their April Breach Detection Study.   

Check Point was cited by Gartner as being the market share leader in firewall installed base. They offer an extensive line of security appliances and were also delivered the industry’s first flexible, extensible security architecture, the Check Point Software Blade Architecture.   Check Point’s Anti-Bot Software Blade detects bot-infected machines, prevents bot damages by blocking bot C&C communications. This isn’t a comprehensive Advanced Persistent Threat Solution, but it helps protect the network.

PAN’s product portfolio isn’t quite as extensive Check Point’s,   they do offer a virtualized firewall platform in addition to the more traditional appliance offering, threat subscriptions for URL filtering, and a management platform.  

Fortinet was rated a Challenger by Gartner. They stated Fortinet was “not often beating Leaders in mainstream enterprise selections based on features and vision, nor causing Leaders to react to Fortinet.”

Cisco was rated a Challenger as well.  Gartner didn’t seem them displacing   PAN nor Check Point on the basis of visions or features.  They saw Cisco winning firewall business through channel “execution and “aggressive discounting”.

Juniper Networks completed the trio of companies in the Challenger quadrant.  McAfee was a leader in the Niche quadrant.

Offerings from F5, Arkoon-Netasq, and AhnLab were the furthest down and to the left in the Magic Quadrant.

Check out the complete report.  For an assessment of all sixteen vendors in the report. Some names you’re familiar with may be missing due to consolidation. Gartner also has some brief information on why virtualized firewall penetration is a less than two percent.  “Security-minded enterprises are also rightly skeptical of running firewalls within a hypervisor that is between the threat and the firewall,” according to Gartner. 

 Regarding the Leaders quadrant from the Gartner Magic Quadrant Endpoint report - “A leading vendor isn't a default choice for every buyer, and clients should not assume that they must buy only from vendors in the Leaders quadrant.  Some clients believe that Leaders are spreading their efforts too thinly and aren't pursuing clients' special needs.”

For more details on the Magic Quadrant and how it is created, read “Magic Quadrants and MarketScopes: How Gartner Evaluates Vendors within a Market”.     Sometimes a leader is not the best solution for a particular customer.  Despite that, you will see many   presentations where the vendor uses being in the Leaders quadrant   as a reason to buy from that particular vendor.  Who would have thought that they would do that? www.gartner.com

Some of NSS Labs reports are available at no charge.  www.nsslabs.com

craig kensek

Palo Alto Networks Tosses the Gauntlet at Check Point Software Technologies

Palo Alto Networks is offering a $2,000 PA-2000 Next Generation Firewall (NGFW) appliance to qualified companies who take a meeting with them to discuss their solutions.  They also have a series of Five TechBuster videos comparing their NGFW’s to Check Point's products. These videos include Episode 2,  “Check Point Firewalls Have Better Price/Performance than Palo Alto Networks", and Episode Five,  “Check Point Application Control is as Easy to use as Palo Alto Networks”.  You have to love it when the 800-pound gorillas go mano a mano.  You also wonder what SonicWall is saying on the sidelines about all this. 

http://www.paloaltonetworks.com/cam/techbusters/pa-200/

According to Palo Alto Networks, the Palo Alto Networks™ PA-200 is targeted at high-speed firewall deployments within distributed enterprise branch offices.  The PA-200 manages network traffic flows using dedicated computing resources for networking, security, threat prevention, and management.

Palo Alto Networks outperformed  Check Point Software Technologies on the NSS Labs 2012 Next Generation Firewall Value Map.  This report was released during RSA 2012, San Francisco.  It is available online.  The report measures Block Rate versus Price per Protected-Mbps.  SonicWall also outperformed Check Point. 

 http://kensek.blogspot.com/2012/03/sonicwall-palo-alto-networks-top.html

 

What’s a little Next Generation name calling between friends? Particularly when the Palo Alto Networks founders came from Check Point.

Palo Alto Networks reported their fiscal Q1 2013 revenues during the first week of December.  Total revenue for the fiscal first quarter grew 50 percent year-over-year to $85.9 million, compared with $57.1 million in the fiscal first quarter of 2012.  They suffered a GAAP net loss for the fiscal first quarter of $3.5 million.  The market wasn’t pleased.  The stock fell below $47 shortly after the announcement after peaking around $72 in early December. 

 

It'll be a battle in  2013 in the NGFW marketplace.   SonicWall, owned by Dell,  has NGFW products that extend to the enterprise.  Fortinet has been claiming since January that they have the world’s fastest firewalls.  While Fortinet had a high Block Rate in the NSS test, their Price per Protect Mbps was the highest of any company’s product tested, with the exception of Juniper Networks.

CRN UK Channel Awards 2012 Winners

CRN UK announced their   Channel Awards 2012  winners in an event in London’s Battersea Park Arena  Thursday night.  Attendance was over 1700.  The Security Vendor of the Year was Mimecast. The Security Distributor of the Year – Vigil.  No deep analysis can be done :(

  .

Security Vendor of the Year Finalists

• Check Point
• McAfee
• Palo Alto Networks 
• Kaspersky
• Mimecast
• Fortinet 

Security Distributor of the Year Finalists

• E92plus
• Computerlinks
• Vigil Software
• Wick Hill
• Exclusive Networks

For a listing of all the winners, go to

http://www.channelweb.co.uk/crn-uk/news/2225230/channel-awards-2012-results

There were a couple of dozen awards presented during the ceremony.

Fun and Excitement on the Next Generation Firewall Front

The Next Generation Firewall (NGFW) market place  is getting a little more exciting these days.  NSS Labs  has released their NGFW Comparative Analysis 2012.  It’s available on their website for $3,500, pre coupon!

Key Findings of the   NSS  NGFW Comparative Analysis 2012  Report

1. Few NGFWs are ready for “prime time”: Only 50% of the NFGWs tested scored over 90% in security effectiveness vs. 75% of major IPS vendors in the dedicated IPS group.
2. Convenient configurations mean less protection: NSS Labs research shows that IPS features in NGFWs are seldom tuned and the devices are often deployed using vendors’ default or recommended policy settings, creating significant gaps in coverage between NGFWs and dedicated firewall and IPS devices.
3. Vendor claims are often exaggerated: Of the eight  products tested, five performed well below vendors’ throughput claims.  Maximum connection rates were lower than preferred in all products tested - revealing a major concern; NGFWs must improve performance before they are ready for large enterprise deployments

This Comparative Analysis Report  2012 consists of five sections, covering the following topics in-depth: Security Value Map (SVM), Security, Performance, Management,   and Total cost of ownership (TCO).  

Tested Products

•     Barracuda F-900
•     Check Point 12600
•     DELL SonicWALL SuperMassive E10800
•     Fortinet FortiGate 3140B
•     Juniper Networks SRX 3600
•     Palo Alto Networks PA-5020
•     Sourcefire 8250
•     Stonesoft FW-1301

Only two products were positioned in the Leaders portion of the December 2011 Gartner Magic Quadrant for the “Enterprise Network Firewall”.   Gartner takes great care to explain that products in other portions of the Magic Quadrant  can be best for a given customer.

NGFW Events  over the Last Several Months

In early July, Dell SonicWALL announced that their NGFW appliance was the first   to receive NGFW certification. SonicWall was a top performer on the NSS Next Generation Firewall Security Value Map.

https://www.icsalabs.com/press-release/dell-sonicwall-receives-first-next-generation-firewall-evaluation-icsa-labs

In early October, Barracuda Networks  raised $130 million from Sequoia Capital and Francisco Partners.  The proceeds will help them   with  expansion and provide cash to founders and early employees. 

“They’ve done a wonderful job of putting together a value proposition and creating a solution that’s often a 10th the cost” of traditional products, said Jim Goetz, a partner at Sequoia and a Barracuda director.  Initial Public Offering (IPO) in the offing?  Barracuda has a base of 150,000 customers.  They won SearchSecurity's Readers' Choice Bronze Award for Best of Web Application Firewalls 2012 in mid October (this is different from their NGFW solutions).  Barracuda topped both Fortinet and Juniper on the   NSS 2012 "Next Generation Firewall Security Value Map". This was released during RSA San Francisco.

.

In early October, Check Point issued a press release stating that IDC Data in the latest IDC Worldwide Q2 2012 Security Appliance Tracker, that they lead the global market with 20.9% Firewall and UTM appliance revenue share.  They also stated that they are the leader in Firewall and UTM factory revenue in US with  a 22.1% share and Western Europe with a  29.8% share.

Fortinet rolled out their Fortinet second generation FortiASIC-SoC2 this week.  Groundbreaking performance!  Double the processing capacity!  They also rolled out their new Fortinet FortiOS 5.0 operating system.  Enabling more security!  Additional intelligence to fight advanced threats and secure BYOD (Bring your own Device) environments!  On the    "Next Generation Firewall Security Value Map",   Fortinet had  great Block Rate but a high Price per Protected Mbps.   

The rumor mill has Juniper Networks reportedly considering putting itself   up for sale.  Early names floating around as acquirers, EMC (this one is being panned), Brocade, and Arista.  Nonetheless, the stocked jumped 11% because of the rumors. 

http://www.networkworld.com/news/2012/101812-juniper-sale-update-263504.html?t51hb&hpg1=mp

A Juniper Networks patent suit is slowly working its way through the system, with a trial date set for February 2013.  There are a handful of patents being contested.  Palo Alto Networks founders Nir Zuk and Yuming Mao left Juniper to start Palo Alto Networks.  Juniper Networks was outperformed by everyone on the "Value Map".

Channelnomics has a nice summary about Juniper Networks, Palo Alto Networks suit  at http://channelnomics.com/2012/10/19/patent-list-grows-slow-juniper-palo-alto-suit/

 

Palo Alto Networks has been as high as $73 this year since closing at around $51 when they went public. They closed at $62 on October 19.

Look for lots of spin to take place with the  NSS  Comparative Analysis report over the next couple of months.  It's a comprehensive document. 

Becoming Learned on  the NGFW

Sourcefire is making NSS’s evaluation of their product available at https://info.sourcefire.com/2012NSSLabsNGFW.html

It’s several months old, but an additional nice source of information is the  NSS “2012 Next Generation Firewall Security Value Map”, released by NSS Labs during RSA San Francisco.  http://o-www.sonicwall.com/us/en/14233.html , which graphs Block Rate versus Price per Protected Mbps.

Want to learn more about evaluating NGFWs?  NSS has a relatively neutral document “What do You Need to Know about Next Generation Firewalls” at https://www.nsslabs.com/can-next-generation-firewalls-stand-heat

Learn about “Next Generation Firewalls for Dummies” and get a subtle push for the Palo Alto Network NGFW solution at http://connect.paloaltonetworks.com/ngfw-4dummies-EN

A Fortinet 2011 take on “Next-Generation Security for Enterprise Networks” is available at http://www.fortinet.com/next_generation_security_for_enteprise_networks.html

Secureworld expo 2012, Decrypting the Mayan Code - Santa Clara Day 1 Musings

Day 1 of secureworld expo 2012, Decrypting the Mayan Code, in Santa Clara (Bay Area) was a lightly attended event.  None of the smaller sessions I    attended on Day 1 were more than half-full.  The afternoon panel discussion was full, however.  There were more than sixteen sessions on Day 1, a combination of open sessions, 2-Day   conference attendees’ sessions, and invitation only session.  A sense of déjà vu over a past RSA San Francisco event.  The theme of the conference,   “Decrypting the Mayan Code” 

Some Observations

• Opening   Keynote – PCI in 2012 and Beyond.  More of the presentation was spent on promoting the organization than where PCI was heading.  I learned that the speaker has a hearing-impaired dog.

• Check Point Software - Security Blueprint talk -   Good talk about Check Point’s security map without doing a technology deep dive.  Check Point delivers their technology “your way”, depending on whether you want an appliance,   VMware, or you have fully imbibed the private or public cloud kool aid.  They stated that their solutions provide comparable features, functions, performance, regardless of the form factor you purchase or license their technology.

• RSA - Authentication, Addressing a Changing IT Environment talk -   Quick overview of some authentication alternatives.  Brief mention of “issues” RSA had in the past year with theft.  Other companies involved with authentication were in the audience (and identified themselves).

• Panel discussion – BYOD; Laptops, Smartphones, Tablets, Oh My!  (Absolute, Air-Watch, Appsense, Good Technology, RSA ) – A good discussion.  Well attended.  The consensus was that BYOD has taken off and there is no going back.  Now, it is a matter of protecting the data.  Members of the panel felt that  t there is an obvious positive ROI to implementing BYOD within the company.  Disagreement as to whether the growth has come from the masses demanding (or just doing) this, or from the executive offices demanding it.  One company more or less recommended the 80/20 suggestion for implementation.  Namely, that you could get 80% of what your company needs with 20% of the effort.  Much of the discussion used the briefcase motif.  If the employee owns the briefcase, how can  you justify the company owning the lock if there is  personal information in the briefcase?  The suggestion; consider the company having a smaller briefcase within the personal briefcase.  The company then would own  that briefcase, the lock, the data, and the right to wipe/empty that briefcase of any information.

• Little success in getting competitors to dis one another in the exhibitor area despite my gentle lobbing of hanging curves.  Fortinet stated that they had next generation firewalls, (NGFWs);  before Palo Alto Networks and that Palo Alto Networks took over the phrase, (most people consider them the originator of the term).  Palo Alto Networks recognizes Websense not at the event) as a competitor, but feels that their technology still provides a better solution (it also sounds as Palo Alto Networks   had a nice internal celebration when they had their IPO.  Riverbed; no discussion of interest.  Blue Coat; a tad sensitive.  Their response when I asked what technology was under the hood of their DLP appliance (it appears not be a DLP/Malware appliance as in the previous version); their initial response was a non-confrontational, “why are you asking that?”  They then mentioned that it was from Code Green.

For those who are interested – Tchotchkes!

In addition to the usual data sheets;  tee shirt (leftover  from Black Hat), commuter mugs, BPA free water bottles, mugs with handles pens, pens, pens, transformer like pen!, mobile phone holder, a  ring style Frisbee flying saucer clone, candy, and a sumo wrestler stress toy (very cool).  

 

Casino break! 

Interesting listening to non-professionals explain the game and rules to those who had little experience with the games.

 An advanced screen of the movie “code 2600” is scheduled for day two of the conference. 

About secureworld expo 2012 – Decrypting the Mayan Code

 This is a multi city event.  Events are scheduled for Detroit, Dallas, and Seattle.

 http://www.secureworldpost.secureworldexpo.com/