Summary
"Next generation" capabilities have been achieved by all products in the
enterprise network firewall market, and vendors differentiate on feature
strengths. Security and risk management leaders must consider the trade-offs
between best-of-breed enterprise network firewall functions and cost.
What Has Changed
All enterprise firewall vendors offer NGFW features to better enforce policy
(application and user control) or detect new threats (intrusion prevention
systems [IPSs], sandboxing and threat intelligence feeds). Enterprise firewall
is now synonymous with NGFW. Enterprise firewalls continue to gradually replace
stand-alone network IPS appliances at the enterprise edge. Although this is
happening now, some enterprises will continue to choose to have best-of-breed
next-generation IPSs (NGIPSs). Many enterprises are looking to firewall vendors
to provide cloud-based malware-detection instances to aid them in their
advanced threat detection efforts, as a cost-effective alternative to
stand-alone sandboxing solutions (see "Network Sandboxing for Malware
Detection").
However, enterprise firewalls will not subsume all network security functions.
All-in-one or unified threat management (UTM) approaches are suitable for small
or midsize businesses (SMBs), but not for the remainder of the enterprise
market (see "Next-Generation Firewalls and Unified Threat Management
Are Distinct Products and Markets").
The needs for enterprise branch-office firewalls have become specialized, and they
have diverged from UTM products. As part of increasing the effectiveness and
efficiency of firewalls, branch-office firewalls need to offer the same levels
of security efficacy as the primary gateway does. Having a subpar configuration
and protection capability for branches is not acceptable today.
As more organizations are moving strategic workloads to the public cloud, an
increasing number of them wish to protect those workloads with their incumbent
enterprise firewall vendor. Today, vendor offerings for AWS and Microsoft Azure
are uneven. Some don't offer the same level of inspection that on-premises
firewalls do, and they all lack sufficient policy automation. Enterprise
firewall vendors must improve in these areas to remain relevant in the hybrid
cloud era.
Magic Quadrant
Figure 1. Magic Quadrant for Enterprise Network Firewalls

Quadrant Descriptions
Leaders
The Leaders quadrant contains vendors that build products that fulfill enterprise
requirements. These requirements include a wide range of models, support for virtualization
and virtual LANs, and a management and reporting capability that is designed
for complex and high-volume environments, such as multitier administration and
rule/policy minimization. A solid NGFW capability is an important element, as
enterprises continue to move away from having dedicated IPS appliances at their
perimeter and remote locations. Vendors in this quadrant lead the market in
offering new features that protect customers from emerging threats, provide
expert capability rather than treat the firewall as a commodity and have a good
track record of avoiding vulnerabilities in their security products. Common
characteristics include handling the highest throughput with minimal
performance loss, offering options for hardware acceleration and offering form
factors that protect enterprises as they move to new infrastructure form
factors.
Challengers
The Challengers quadrant contains vendors that have achieved a sound customer base,
but they are not consistently leading with differentiated next-generation
capabilities. Many Challengers have not fully matured their NGFW capability —
or they have other security products that are successful in the enterprise and
are counting on the relationship, rather than the product, to win deals.
Challengers' products are often well-priced, and, because of their strength in
execution, these vendors can offer economical security product bundles that
others cannot. Many Challengers hold themselves back from becoming Leaders
because they choose to place security or firewall products at a lower priority
in their overall product sets. Firewall market Challengers will often have
significant market share, but trail smaller market share Leaders in the release
of features.
Visionaries
Visionaries have the right designs and features for the enterprise, but they lack the sales
base, strategy or financial means to compete consistently with Leaders and
Challengers. Most Visionaries' products have good NGFW capabilities, but are
lacking in performance capabilities and support networks. Savings and high-touch
support can be achieved for organizations that are willing to update products
more frequently and to switch vendors if required. If firewalling is a
competitive element for an enterprise, then Visionaries are good shortlist candidates.
Vendors that do not have strong NGFW capabilities are supplementing them in a
defensive move, while vendors that have strong NGFW offerings are focused on
manageability and usability. Gartner expects the next wave of innovation in
this market to focus on better, more automated east/west microsegmentation in
public cloud and SDN environments.
Niche Players
Most vendors in the Niche Players quadrant are smaller vendors of enterprise
firewalls, makers of multifunction firewalls for SMBs or branch-office-only
product makers that are attempting to break into the enterprise market. Many
Niche Players are making larger versions of SMB products with the mistaken hope
that this will satisfy enterprises. Some enterprises that have the firewall
needs of an SMB (for example, some Type C risk-averse enterprises and some
distributed enterprises) may consider products from Niche Players, although
other models from Leaders and Challengers may be more suitable. If local
geographic support is a critical factor, then Niche Players can be shortlisted.