Vendor Landscape: Next Generation FirewallContinued consolidation of capabilities means high performing products.Vendor Landscape: NGFWInfo-Tech Research Group, Inc. Is a global leader in providing IT research and advice.Info-Tech’s products and services combine actionable insight and relevant advice withready-to-use tools and templates that cover the full spectrum of IT concerns. 1997-2014 Info-Tech Research Group Inc.Info-Tech Research Group1

IntroductionNetwork security is still a high priority for organizations; the right perimetermeans more threats stay outside and sensitive data remains inside.This Research Is Designed For:This Research Will Help You: Enterprises seeking to select a solution for Next Understand what’s new in the NGFW market.Generation Firewall (NGFW). Their NGFW use case may include: Enterprises looking for a network perimetersecurity appliance for comprehensiveprotection of the network edge. Evaluate NGFW vendors and products for yourenterprise needs. Determine which products are most appropriatefor particular use cases and scenarios. Enterprises that have established theirnetwork perimeter NGFW strategyindependently and need guidance inevaluating available products.Vendor Landscape: NGFWInfo-Tech Research Group2

Executive summaryInfo-Tech evaluated ten competitors in the NGFW market,including the following notable performers:Champions: Dell (SonicWALL) has the full package – great features and price. Fortinet: a consistent leader in the firewall space. WatchGuard: a strong product for organizations with a strictbudget. Sophos: one of the only products evaluated with a full feature set.Value Award: WatchGuard has a highly competitive price for organizationslooking for a comprehensive product without spending the dollars.Trend Setter Award: WatchGuard: the product’s reporting functions were adifferentiator amongst other NGFWs.Info-Tech Insight1. Protect outbound data as well asinbound.Built-in Data Leakage Protection (DLP)capabilities ensures that sensitive orconfidential data is protected.2. The more traffic your firewall can see, thebetter it can protect it.Encrypted traffic can conceal threats fromfirewalls, while Wi-Fi networks provide aroute for attacks to bypass firewalls. Today’sfirewall solutions focus on controlling thesetypes of traffic.3. Capabilities should not cut down onperformance.Despite the breadth of features, NGFWshould not have a significant impact to youroverall network performance, even if youhave the capabilities fully “switched on.”Vendor Landscape: NGFWInfo-Tech Research Group3

Market overviewHow it got hereWhere it’s going Firewalls originated theoretically in the late 1980s beforebeing brought to fruition as traffic-controlling tools. NGFWs reflect a movement towards more contentaware security, combining additional capabilities on topof anti-malware and intrusion prevention, such as: Firewalls have evolved four times over from simplepacket filters (that evaluated source, destination, andprotocol) to stateful inspectors (with the capability of“remembering” the nature of ongoing communicationsand origin of the packets involved), proxies (evaluatedpacket contents, rather than just the packets), to UnifiedThreat Management systems (UTMs) or NextGeneration Firewalls (NGFWs). The last iteration – originating as the term UTM – beganintegrating capabilities such as anti-malware andintrusion prevention for a more robust firewall. While there is still debate over the semantics, UTMs arenow frequently referred to as Next Generation Firewalls.o Data Leakage Protection (DLP)o Network Access Control (NAC)o Application controlo User identity-related controlA growing number of vendors are also adding webapplication firewalling functionality. As more organizations seek out consolidated solutionsfor economical savings and resource management,NGFW will be replacing most standalone securitysolutions like DLP. Some vendors have already startedphasing out standalones this year.As the market evolves, capabilities that were once cutting edge become default and new functionalitybecomes differentiating. Intrusion prevention has become a Table Stakes capability and should no longerbe used to differentiate solutions. Instead focus on DLP and web application control to get the best fit foryour requirements.Vendor Landscape: NGFWInfo-Tech Research Group4

NGFW vendor selection / knock-out criteria: market share,mind share, and platform coverage While there is some debate over semantics regarding UTM vs. NGFW, the market remains stable, represented by longtime, experienced vendors and newer, but just as strong, competitors. For this Vendor Landscape, Info-Tech focused on those vendors that offer broad capabilities across multiple platformsand that have a strong market presence and/or reputational presence among mid and large-sized enterprises.Included in this Vendor Landscape: Barracuda. Highly competitive solution in terms of features and the space’s best kept secret. Check Point. One of the progenitors of the firewall space and still one of the most recognizable names. Cisco. The ASA firewall line remains one of the strongest solutions, coupled with Cisco’s networking market share. Dell (SonicWALL). After being acquired by Dell in 2012, it has emerged as one of the stronger solutions features-wise. Fortinet. The vendor that coined the UTM term and one of the first to incorporate enhanced capabilities. Juniper. Entered the firewall market through acquisition of NetScreen and has established a solid foothold since then. McAfee. NGFW is another piece to the security giant’s already broad portfolio of products. Palo Alto. The most recent entrant to the market of the reviewed solutions, but still offering a competitive solution. Sophos. Acquired Cyberoam in 2014 to bolster its NGFW portfolio. WatchGuard. Another vendor growing into larger markets after an early focus in the SMB space.Vendor Landscape: NGFWInfo-Tech Research Group5

NGFW criteria & weighting factorsProduct Evaluation CriteriaFeaturesThe solution provides basic and advancedfeature/functionality.UsabilityThe end-user and administrative interfaces areintuitive and offer streamlined workflow.AffordabilityImplementing and operating the solution isaffordable given the technology.ArchitectureMultiple deployment options and extensiveintegration capabilities are available.Criteria AffordabilityProduct50%Vendor Evaluation CriteriaViabilityStrategyReachChannelVendor Landscape: NGFWVendor is profitable, knowledgeable, and will bearound for the long term.Vendor is committed to the space and has afuture product and portfolio roadmap.50%VendorViability25%Vendor offers global coverage and is able to selland provide post-sales support.Vendor channel strategy is appropriate and thechannels themselves are strong.Strategy30%15%Channel30%ReachInfo-Tech Research Group6

The Info-Tech NGFW Vendor LandscapeThe zones of the LandscapeThe Info-Tech NGFW Vendor LandscapeChampions receive high scores for most evaluationcriteria and offer excellent value. They have a strongmarket presence and are usually the trend settersfor the industry.Market Pillars are established players with verystrong vendor credentials, but with more averageproduct scores.BarracudaInnovators have demonstrated innovative productstrengths that act as their competitive advantage inappealing to niche segments of the market.Emerging Players are comparatively newervendors who are starting to gain a foothold in themarketplace. They balance product and vendorattributes, though score lower relative to ophosCiscoJuniperCheck PointPalo AltoMcAfeeFor an explanation of how the Info-Tech Vendor Landscape is created, see Information Presentation – Vendor Landscape in the Appendix.Vendor Landscape: NGFWInfo-Tech Research Group7

Balance individual strengths to find the best fit for arracudaCheck Point*CiscoFortinetJuniper*Intel(McAfee)*Palo Alto*Dell(SonicWALL)SophosWatchguardLegend Exemplary Good Adequate Inadequate Poor*The vendor declined to provide pricing and publicly available pricing could not be found.For an explanation of how the Info-Tech Harvey Balls are calculated, see Information Presentation – Criteria Scores (Harvey Balls) in the Appendix.Vendor Landscape: NGFWInfo-Tech Research Group8

The Info-Tech NGFW Value IndexWhat is a Value Score?On a relative basis, WatchGuardmaintained the highest Info-Tech ValueScoreTM of the vendor group. Vendorswere indexed against WatchGuard’sperformance to provide a complete,relative view of their product offerings.ChampionThe Value Score indexes eachvendor’s product offering andbusiness strength relative to itsprice point. It does not indicatevendor ranking.Vendors that score high offer morebang-for-the-buck (e.g. features,usability, stability, etc.) than theaverage vendor, while the inverse istrue for those that score lower.Price-conscious enterprises maywish to give the Value Score moreconsideration than those who aremore focused on specificvendor/product attributes.100Average Score: 5292859080 4270 26601150 1000040302010*The vendor declined to provide pricing andpublicly available pricing could not be found.For an explanation of how Price is determined, see Information Presentation – Price Evaluation in the Appendix.For an explanation of how the Info-Tech Value Index is calculated, see Information Presentation – Value Index in the Appendix.Vendor Landscape: NGFWInfo-Tech Research Group9

Table Stakes represent the minimum standard; without these,a product doesn’t even get reviewedThe Table StakesFeatureWhat it is:FirewallThe solution includes a stateful inspection.VPNOffers IPSEC (for site-to-site tunnels) and SSLVPN (for remote access) options.Anti-MalwareBuilt-in perimeter anti-virus and anti-spywareprotection.IntrusionPreventionAbility to recognize and restrict inappropriateand unauthorized access.What does this mean?The products assessed in this VendorLandscapeTM meet, at the very least, therequirements outlined as Table Stakes.Many of the vendors go above and beyond theoutlined Table Stakes, some even do so inmultiple categories. This section aims tohighlight the products’ capabilities in excessof the criteria listed here.If Table Stakes are all you need from your NGFW solution, the only true differentiator for the organization isprice. Otherwise, dig deeper to find the best price to value for your needs.Vendor Landscape: NGFWInfo-Tech Research Group10

Advanced Features are the capabilities that allow for granularmarket differentiationScoring MethodologyInfo-Tech scored each vendor’s featuresoffering as a summation of its individual scoresacross the listed advanced features. Vendorswere given one point for each feature theproduct inherently provided. Some categorieswere scored on a more granular scale withvendors receiving half points.Advanced FeaturesFeatureWhat we looked for:Identity-BasedControlData LeakageProtectionNetwork AccessControlMapping of specific security policies to defineduser groups and individuals.URL FilteringApplicationControlWi-Fi NetworkControlWAN Routing &OptimizationEncrypted DataControlWeb AppFirewallingRestriction on the egress of sensitive privilegedor confidential data.Endpoint integration to ensure each connectingdevice has appropriate security.Restrictive filtering of web surfing to limitexposure to harmful and inappropriate sites.Ability to restrict, on a granular level, which webapps are allowed to run.Ensuring Wi-Fi networks have the same securitystance and abilities as the perimeter.Dynamic routing of WAN traffic backed by QoSand prioritization capabilities.Native decryption and re-encryption of SSL andSFTP traffic for thorough inspection.Ability to protect web servers against attacks likeSQL injections.For an explanation of how Advanced Features are determined, see Information Presentation – Feature Ranks (Stoplights) in the Appendix.Vendor Landscape: NGFWInfo-Tech Research Group11

Each vendor offers a different feature set; concentrate on whatyour organization needsEvaluated FeaturesIdentityDLPWCFApp ControlApp FWNACWi-FiWANEncryptionBarracudaCheck PointCiscoFortinetJuniperMcAfeePalo AltoDell(SonicWALL)SophosWatchGuardLegend Feature fully present Feature partially present/pending Feature absentFor an explanation of how Advanced Features are determined, see Information Presentation – Feature Ranks (Stoplights) in the Appendix.Vendor Landscape: NGFWInfo-Tech Research Group12

Beyond traffic, data also deserves protection and NGFW haveincorporated such capabilitiesSolutions with either DLP, web application control, and encryption, or justweb application control and encryption, will inspect and control your data.112Enhanced inbound trafficprotectionCustomer requires DLP, web app control, & encryptionWhy Scenarios?In reviewing the products includedin each Vendor LandscapeTM,certain use cases come to theforefront. Whether those use casesare defined by applicability incertain locations, relevance forcertain industries, or as strengths indelivering a specific capability, InfoTech recognizes those use casesas Scenarios, and calls attention tothem where they exist.Customer has DLP; requires Web app control &encryptionFor an explanation of how Scenarios are determined, see Information Presentation – Scenarios in the Appendix.Vendor Landscape: NGFWInfo-Tech Research Group13

Dell (SonicWALL) is one of the best all-around solutions,along with being one of the most arters:Website:Founded:Presence:SuperMassive Series, NSASeries, TZ Series100,000Round Rock, TXdell.com1991NASDAQ:DELL3 year TCO for this solution falls into pricingtier 5, between 50,000 and 100,000 After Dell’s acquisition of SonicWALL in 2012, Dell leveraged itsexisting presence to establish a strong NGFW strategy.Strengths The Dell (SonicWALL) NGFW Series has a strong feature set,missing only NAC. The product’s interface was one of the best of the solutionsevaluated. It was interactive, featuring an attractive and usefulgeographical map to show where the firewalls were located. It alsoincluded data transfer reporting to see what it was costing theorganization by day (ideal for demonstrating producteffectiveness). Many of the offered reporting options were alsoattractive.Challenges Currently the NGFW series is only available through hardware andvirtual deployments, limiting the options organizations have fortheir NGFW. 1 2.5M Pricing provided by vendorVendor Landscape: NGFWInfo-Tech Research Group14

The SuperMassive, NSA, and TZ series all offer one of thestrongest feature sets in this evaluationVendor rd.Arch.OverallViabilityStrategyReachChannelSocial Features for Customer ServiceFW Throughput Ranges800406003040020200100TZTZTZ105/W 205/W 215/WValue Index853rd out of 10FW Throughput Ranges500NSANSA220W 250M/WGbpsMbpsSolutions range from 200 Mbps to 40 GbpsFeaturesIdentityDLPWCFApp ControlApp FWNACWi-FiWANEncryptionInfo-Tech Recommends:The one downside to the otherwise stellar Dell (SonicWALL)’s firewalls is that they currently only offerhardware and virtual deployment options. But for organizations that want a highly competitive andaffordable solution, Dell (SonicWALL)’s firewall products are ideal choices.Vendor Landscape: NGFWInfo-Tech Research Group15

Fortinet offers a best all-around NGFW ters:Website:Founded:Presence: Fortinet helped define the UTM space with its original FortiGate.Fortinet’s firewalls still remain its strongest product, even with itsexpanded portfolio.FortiGate NGFW2,300Sunnyvale, CAfortinet.com2000NASDAQ:FTNTStrengths3 year TCO for this solution falls into pricingtier 5, between 50,000 and 100,000 Fortinet offers a wide range of deployment options: hardwareappliances, cloud-ready, multi-tenant/virtual domain options, andthrough Amazon Web Services. In today’s diverse market,organizations are looking beyond simply hardware, giving Fortineta competitive advantage. While Fortinet has only been in the space since 2000,organizations can feel confident in its overall stability and stronggrowth internationally – including support options.Challenges Fortinet’s web application firewall capability is in a separateproduct, rather than an inherent capability of the NGFW product. 1 2.5M Pricing provided by vendorVendor Landscape: NGFWInfo-Tech Research Group16

FortiGate NGFW is feature rich, with flexible deploymentoptionsVendor rd.Arch.OverallViabilityStrategyReachChannelSocial Features for Customer ServiceFW Throughput RangesFW Throughput Ranges15010008001006004005020000100D30DValue Index424th out of 10MbpsGbpsSolutions range from800 Mbps to 120 GbpsFeaturesIdentityDLPWCFApp ControlApp FWNACWi-FiWANEncryptionInfo-Tech Recommends:Fortinet’s FortiGate solution is ideal for organizations looking for a lot of bells and whistles, along with thebudget to afford it. The solution also offers a range of deployment possibilities from cloud-ready optionsto Amazon Web Services.Vendor Landscape: NGFWInfo-Tech Research Group17

WatchGuard’s XTM series is the best bangfor any organization’s :Website:Founded:Presence: WatchGuard strongly, through no longer exclusively, focuses onthe firewalling needs of the SMB space. The company is strongand the products able.XTM Series400 Seattle, WAwatchguard.com2006Privately HeldStrengths WatchGuard’s XTM series offers the best bang-for-your-buck withan affordable price for a solid and scalable product. The XTM firewall can provide reports from different levels(executive dashboard, security dashboard, threat map, etc.), andeach dashboard includes various components that are clickable toprovide detailed event information in an attractive way – adifferentiator amongst its competitors.3 year TCO for this solution falls into pricingtier 5, between 50,000 and 100,000Challenges The XTM series is missing some key advanced features such asweb application firewalling and NAC. 1 2.5M Pricing provided by vendorVendor Landscape: NGFWInfo-Tech Research Group18

WatchGuard’s affordability is unprecedented in this evaluationVendor rd.Arch.OverallViabilityStrategyReachChannelSocial Features for Customer ServiceXTM 5 SeriesXTM 800 Series1543102510Value Index1001st out of 100XTM515XTM525XTM535XTM545XTM XTM XTM850 860 870GbpsGbpsWatchGuard recommended the 5 Series and the 800 Series for our pricing scenario, so the ranges are spec’d out here. The 5Series ranges from 2 Gbps to 3.5 Gbps. The 800 Series ranges from 8 bps to 14 Gbps.FeaturesIdentityDLPWCFApp ControlApp FWNACWi-FiWANEncryptionInfo-Tech Recommends:With a solid advanced features set and the right price, WatchGuard’s XTM series also offers goodscalability, making it a good choice for any-sized organization looking to stay within a budget.Vendor Landscape: NGFWInfo-Tech Research Group19

Sophos’ SG Series’ full feature set and high performancemakes it a rs:Website:Founded:Presence:SG Series2,200 Oxford, UK & Boston, MAsophos.com1985Privately Held Acquired NGFW company, Cyberoam, in 2014 demonstrating itsincreased focus on the firewall space, as they also transition to thehigh performance SG Series.Strengths Sophos SG Series has a full advanced features set – meaning allof the capabilities are there if you want all features (such as DLP,web application firewalling, etc.) turned on your NGFW. The SG Series interface is highly configurable for networkdefinitions, offers bandwidth control, a wide range of reportingoptions, drag-an