Magic Quadrant for Network Intrusion Prevention System Appliances, 1H08
Gartner RAS Core Research Note G00154849, Greg Young, John Pescatore, 4 February 2008, R2688 04022009
The network intrusion prevention system market continues to mature and evolve at a rapid pace as smaller vendors innovate and focus on specific markets. Vendors are starting to incorporate adjacent market features, but there is little progress in addressing emerging threats.
WHAT YOU NEED TO KNOW
This document is an updated version of the document published on 14 February 2008.
Network intrusion prevention systems (IPSs) can detect and block attacks, and can act as pre-patch shields for systems and applications. The IPS market has long since eclipsed the intrusion detection system (IDS) market many times over (see Figure 1).
MAGIC QUADRANT
Market Overview
The network IPS market is the successor technology to the IDS market. IPS contains all the detection features of IDS, with two critical areas of improvement:

- Intrusion prevention moves beyond simple attack signature detection to add vulnerability-based signatures and nonsignature detection capabilities.
- Network IPS sensors operate at wire speeds to enable in-line automated blocking and attack handling. Essentially, network IPS adds "block attacks and let everything else through" security enforcement to the "deny everything except what is explicitly allowed" policy enforcement that first-generation firewalls provide.
Although the market for separate network IPS and firewall devices will continue through at least 2008, most next-generation firewalls (NGFWs) will use common processing engines to support both functions in one product, even if there is limited interaction between the two functions.
The network IPS market for stand-alone appliances continues to grow, from more than $700 million in 2006 to a forecast $1 billion in 2007. In 2007, there were challenges for market leaders, with Sourcefire off to a bumpy start with its initial public offering (IPO), Internet Security Systems working to integrate into IBM, and TippingPoint facing potential barriers to the acquisition of 3Com by Bain and Company and Huawei, over the sale to foreign interests.
Firewall vendors have been lethargic in improving their in-the-firewall IPS offerings, enabling the stand-alone IPS market to expand faster than it would with competition from firewall vendors. This is mostly because the update cycles for firewalls and IPS appliances have been out of sync, but as enterprises look to replace first-generation IPS units, vendors with integrated capabilities have an opportunity to grow at the expense of stand-alone IPS vendors.
When enterprises compare products, signature quality remains the most weighted and competitive factor on shortlists. Most vendors employ some form of external vulnerability research as an input to signature creation. Some vendors, however, repurpose the open source Snort engine and/or signatures, or other third-party signatures, resulting in problems such as late or inaccurate signatures (owing to poor translations or failure to adapt the detection signatures to an IPS role), or constraints on innovation, as they potentially must follow the technology direction of Snort. Vendors that invested in their own primary vulnerability research, detection engines and signature creation fared best in our evaluation. Sourcefire owns the copyright on the Snort license, putting the vendors that reuse Snort at a competitive disadvantage, because they can be seen as subordinating themselves to a competitor's road map and a potentially more-restrictive future license under Snort 3.0.
The nature of the most damaging attacks on businesses has changed. Financially motivated attacks don't simply go after unpatched PCs and servers; they increasingly use targeted malware that requires more than simple, signature-based detection. IPS vendors have not made major advances in detecting and blocking these advanced attacks. Although there has been some increase in "zero-day" attacks (which take advantage of computer security holes for which no fix is yet available), zero-day signatures, which are signatures for vulnerabilities not yet publicly disclosed, remain controversial.
The risk of reverse-engineering signatures has led vendors that support these signatures to better obfuscate them in 2008. A small percentage (Gartner estimates less than 10%) of enterprises deploy zero-day signatures, and they do not represent a major competitive factor. The creation of custom signatures by end users is on the increase, although it is in place in less than 20% of deployments, mostly for custom applications or unusual protocols. If IPS vendors provide capabilities for easy offline testing of signatures or filters effective in detecting and/or blocking targeted attacks, then early adopter (Type A) enterprises would increase their use of these features.
IPS products are starting to incorporate features from other emerging security products. Early IPS product offerings include post-connect network access control (NAC) enforcement and data loss prevention (DLP). DLP is not a good fit for in-line blocking, because most DLP concerns are in e-mail and outgoing Web traffic, and effective DLP requires a tight connection to business-specific policies to reduce false positives. However, IPS products can provide simple features for detecting specific types of information (such as credit card and social security numbers) that may offer stopgap capabilities for organizations that are not yet able to deploy DLP.
[Figure 1. Magic Quadrant for Network Intrusion Prevention System Appliances, 1H08. Axes: completeness of vision (horizontal) and ability to execute (vertical); quadrants: leaders, challengers, visionaries, niche players. Vendors plotted: Cisco, TippingPoint, IBM, Sourcefire, McAfee, Juniper Networks, Top Layer Networks, Reflex Security, DeepNines Technologies, NitroSecurity, Radware, StillSecure, Enterasys, Check Point Software Technologies. As of February 2008. Source: Gartner (February 2008)]
The Magic Quadrant is copyrighted February 2008 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the Leaders quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

© 2008 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.
Encrypted traffic is increasing gradually, a significant problem for IPS. As the percentage of Secure Sockets Layer (SSL) and otherwise encrypted traffic increases, it presents a growing blind spot when SSL decryption is not in the product. A small proportion of IPS placement points are less subject to encrypted-traffic problems (for example, behind the analog-to-digital conversion or Web server); however, for most deployments, these difficulties are a growing concern. IPS vendors must include SSL inspection or similar capabilities to meet this challenge. 802.1AE/AF-based networks will support policy-based link encryption that can decrypt traffic on links where IPS devices are located.
IPS pricing has destabilized significantly during the past 12 months. In 2006, there was a consistent average of $50,000 per gigabit per second (Gbps) of deep inspection. In 2007, there was considerable price variance. This change is attributed to new IPS features in some products (such as adding vulnerability management integration), making direct product price comparisons less possible, and to some vendors considerably increasing their prices without much change in their products. Thus, enterprises should weight price as a factor in product selections.
Performance, reliability and availability are key criteria for any in-line device. Most vendors include in their base pricing bypass unit modules enabling fail-open for copper ports. Several IPS products are advertised as having speeds of 10 Gbps, although none has any recognized third-party testing to support this cl