Firewall Futures

In April, Information Security spoke with four infosecurity market analysts about trends in the firewall product space. Although they differ on the exact future of the firewall

market, all four analysts agree that small and medium-sized companies have opened up a new market for firewall appliances, while software-based firewall vendors, having saturated the enterprise environment, will continue to expand into new services and revenue streams. How these vendors will fare in the face of changing market demands is anybody’s guess.

Swimming Upstream

In a study released last July, International Data Corp. (IDC) analyst Chris Christiansen reported that the firewall market grew 143 percent worldwide in 1997. Although the firewall business will be lucrative for some time to come, Christiansen predicted that revenue growth would gradually decrease over the next few years (see tables).

IDC is currently tabulating 1998 data on the firewall market, and so far it looks like 1997’s predictions are right on target, according to Christiansen. "Our forecasts are pretty much on the mark, if not conservative," he says. "We’ve collected some 1998 preliminary data, and we’re looking at revenue of $400 million to $450 million worldwide for software-based firewalls alone."

That figure doesn’t include firewall appliances, Christiansen says, which "have a growing market among small and medium-sized companies looking for simple plug ’n play solutions. Things may have slowed down somewhat, but [to pronounce] the death or disappearance of the firewall market is a little premature to say the least."

E-commerce and remote access continue to drive the high-end firewall market, Christiansen says. "What’s new this year is a concern among Fortune 500 companies about putting in internal firewalls," he says. "There’s been a growing realization,

especially in the financial space, that it’s essentially wrong or dangerous to trust everybody inside the firewall."

Last year’s IDC study also saw the emergence of more firewalls packaged with VPNs, a trend that has expanded to include other security tools. "While there is still a firewall market, there are no longer any firewall-only vendors," Christiansen states. "Practically every vendor in that space has moved upstream to become a full-fledged

security vendor. This is because customers want more for their money. Also, integration is seen as increasing the robustness of the security system product."

The Need for Resiliency

Larry Deitz, information security analyst at the Alec Group, an affiliate of Current Analysis, agrees that the firewall market is moving toward integrated solutions. He indicates, moreover, that users of software-based and hardware-based firewalls clearly break down according to market size.

"I tend to segregate the firewall market into ‘early adopters’ and ‘everybody else,’" Deitz says. "Early adopters are the classic consumers of information security products—financial services, defense contractors, government, etc. In this big enterprise marketplace, the network operation center now controls all of the security aspects of the network, which includes Internet, intranet and extranet, and so requires a collection of security products, such as firewalls, VPNs and intrusion detection. The trend here is to consolidate those into fewer points, and so a software product located on a dedicated server makes the most sense. Everybody else is middle and small businesses—and schools—who are starting to use the Internet, and have no technical support whatsoever. That marketplace is attractive for the plug ’n play firewall content filtering appliance."

Deitz, however, questions whether there’s still room for expansion in the big enterprise environment. "Because there is nothing there now, growth should be on the appliance-product side," he says. "Where security is at the moment, they’ve already purchased some level of firewall security, so the software firewall companies need to be resilient and do other functions."

Firewallers Refocus

Eric Hemmendinger, senior analyst of information security at Aberdeen Group, agrees that high-end firewall vendors should look to diversifying their product offerings. "Small and medium-sized companies tend to outsource to a greater degree than large companies that have already made a heavy investment in security," Hemmendinger says. "That doesn’t bode well for the high-end firewall suppliers. Also, people are gravitating to ISPs and hardware appliances, and [they] aren’t looking to use the appliance the same way they used an enterprise firewall.

"What people focus on today is whether or not the firewall is hacker proof," he adds. "They are more concerned with making sure it’s going to allow everything they need to allow and yet stop what they don’t want going on. It’s more to help control priorities than provide a full security solution. They don’t want to buy a Cadillac if all they need is the capabilities of a sub-compact."

The end result, Hemmendinger contends, is a smaller revenue base for enterprise firewall suppliers. "If the service you provide becomes desired by a smaller segment of the purchasing community, your business prospect is lousy," he contends. "And so, vendors have to expand their business beyond the firewall-centric view. If people are not interested in buying the firewall the way they used to, they aren’t going to be

interested in buying a VPN. Instead, vendors have to focus on offering a variety of different security services that are network oriented."

The Demand for Performance

Forrester Research’s network strategies analyst Ted Julian predicts that hardware-based firewalls will eventually win out over the software-based approach. He attributes this to increased demands for firewall performance. "Firewalls tend to sit at the edge of

the network," Julian says. "We don’t recommend users deploying multiple firewalls within the enterprise. People presume they can segment a network according to their business, which we feel is impossible. They are better off having an inspection point at the edge of the network. What they need is good authorization technology.

"If you buy that analysis, firewalls are probably sitting next to the edge router," Julian adds. "I would love to see a piece of software perform as fast as today’s edge routers do. However, it is physically impossible. Consequently, software vendors are in a position where they don’t perform as well as the hardware they are competing against, and so [they] have to come up with an exit strategy."

As middle and small companies enter the security arena, Julian notes, they are looking for appliance technology. "Herein lies the dilemma of Check Point, Axent and everyone else who has a software product," he says. "Everybody has other things they are leaning on right now. You hear Check Point talk a lot more about VPNs and management. Axent has its intrusion detection business. A lot of vendors will turn to the intrusion detection and scanning business, and because it’s such a hot market, it will get crowded pretty quickly. And so some of today’s more marginal software firewall providers will end up simply as security consulting firms."

In addition, Julian expresses doubts about the efficacy of integrating increasing numbers of security tools. "I think ‘Security Suites: Dead on Arrival’ hints at how I feel about integrated security solutions," he says, referring to a Forrester report issued in November 1998. "The fundamental problem is that the acquisition and implementation of security suites will become more distributed."

What it boils down to, Julian says, is system scalability. "As the company becomes compartmentalized, the scalability implications of the security manager having to touch every piece of equipment that has to do with security are rightly scary," he says. "We believe that security managers will get people in IT more directly involved in security product selection, implementation and management. The network manager can pick the firewall, for example, as long as it meets with the corporation’s agreed-to security policy guidelines."

Margot Suydam is managing editor of Information Security.

IDC’S CHRISTIANSEN: "Customers want more for their money."
ALEC GROUP’S DEITZ: "The software firewall companies need to be resilient and do other functions."
ABERDEEN GROUP’S HEMMENDINGER: "What people focus on today is whether or not the firewall is hacker proof." FORRESTER’S JULIAN: "Marginal software firewall providers will end up simply as security consulting firms."




*Preliminary industry estimates pending actual results Source: IDC


Year 1997 1998 1999 2000 2001 2002
Total Revenues (M) $353.5 $602.4* $953.4 $1,240.6 $1,550.3 $1,845.4
Growth (%) 143 70* 50 30 25 19

*Preliminary industry estimates pending actual results Source: IDC

&copy 1999 Information Security Magazine. Used with permission.
Information Security, the official publication of the ICSA, is dedicated to the needs of all security-conscious IT professionals. Free to qualified readers, Information Security features in-depth articles, product announcements and more analysis of information security issues than any other trade magazine. Subscribe today!

Latest Articles

Follow Us On Social Media

Explore More