“Next generation” capability has been achieved by the leading products in the network firewall market, and competitors are struggling to keep the gap from widening too much. Buyers must consider their own operational realities and the burden of switching.
The enterprise network firewall market represented by this Magic Quadrant is composed primarily of purpose-built appliances for securing enterprise corporate networks. Products must be able to support single-enterprise firewall deployments and large and/or complex deployments, including branch offices, multitiered demilitarized zones (DMZs) and, increasingly, the option to include virtual versions. These products are accompanied by highly scalable management and reporting consoles, and there is a range of offerings to support the network edge, the data center, branch offices, and deployments within virtualized servers. The companies that serve this market are identifiably focused on enterprises — as demonstrated by the proportion of their sales in the enterprise; by their support, sales teams and channels; and by the features dedicated to solving enterprise requirements.
As the firewall market continues to evolve, other security functions (such as network intrusion prevention systems [IPSs], application control, full stack inspection and extrafirewall intelligence sources) will also be provided within a next-generation firewall (NGFW). The Secure Sockets Layer (SSL) VPN market has largely been absorbed by the firewall market. Eventually, the NGFW will also subsume much of the stand-alone network IPS appliance market at the enterprise edge. This will not be immediate, however, and some enterprises will choose to have best-of-breed IPSs embodied in next-generation IPSs (NGIPSs). Although firewall/VPNs and IPSs (and sometimes URL filtering) are converging, other security products are not.
All-in-one or unified threat management (UTM) products are suitable for small or midsize businesses (SMBs), but not for the enterprise. The needs for branch-office firewalls are becoming specialized, and they are diverging from, rather than converging with, UTM products. To become more effective and efficient, firewalls will need to truly integrate more granular blocking capability as part of the base product, go beyond port/protocol identification and move toward an integrated service view of traffic, rather than merely performing “sheet metal integration” of point products within the same appliance.