Tuesday, January 13, 2015

Blueprint: Round-Two for Next Generation Firewalls

by Casey Quillin, Director at Dell'Oro Group

As the enterprise sector turns to the cloud to deliver applications to mobile users across widely dispersed networks, Cisco and Juniper must catch up with smaller competitors. But how much does time-to-market matter?

Risk is omnipresent in the enterprise sector. Business applications must be protected. Data must be protected. Users and their information must be protected. Business intelligence must be protected. Networks, servers, and infrastructures must be protected. While the fact of risk doesn’t change, the technologies that mitigate risk continue to evolve alongside the players and vendors bringing new solutions to market. Nowhere is this evolution more evident than in the realm of network firewalls.

The market opportunity today, and for the next several years, will be split between slow and steady tortoises such as Cisco and Juniper and sleek, speedy hares that include Check Point Software Technologies, Fortinet, and Palo Alto Networks. The enterprise-class firewall market is robust. Sales eclipsed $3 billion in 2013 and are projected to grow at a high single-digit percentage rate over the next five years, to almost $5 billion.

There are many layers of security. In this article, we are concerned with firewalls—hardware or software that ensures only approved users and data traffic can enter the business network from the “outside” (usually but not exclusively the public Internet) and mitigates inappropriate use of the internal LAN, including removal of information from the network. Over the past three years, firewalls have evolved from protecting networks at the perimeter to protecting the entire network from both external and internal threats.

The network has expanded from a system which allows users to share common resources, to an application delivery platform. Certainly, many applications continue to serve employees and customers from the data center; however, users may also be served from external service providers or cloud providers. End users may be co-located in the building on the LAN, or at home or in offices halfway around the world. Despite this dispersal, users demand the same experience and level of performance they would receive with local application access.

As application delivery platforms, networks continually face new and evolving security risks, as well as substantial changes in the way security policies are created and enforced.  These changes inspired application-aware security platforms (commonly referred to in the industry as “next generation firewalls”), which use deep-packet inspection to identify application traffic and enable both user- and application-layer policies.  Vendors of all sizes are jumping into the new application-aware next generation firewall space.

The next generation firewalls from Check Point, Fortinet, Palo Alto Networks, and others are a great fit for networks whose perimeters have been eroded due to the cloud, and users who now connect to the corporate network from different locations and with a variety of devices (BYOD). Offering nimble, early-to-market products—and without the risk of cannibalizing existing sales or disrupting publicly announced product roadmaps—these firms grabbed mindshare with their innovative technology and compelling use cases.

Like the hare in Aesop’s fable, these companies had a head start and have continued to innovate. Not unexpectedly, Cisco and Juniper, the slower tortoises, have responded in force. Indeed, they have largely closed the functionality gap. With its acquisition of Sourcefire in 4Q13, Cisco launched its new platform optimized for application delivery and enterprise edge-of-network (named ASA with FirePOWER Services).  Juniper has steadily added application-aware features to its SRX platform and is now fully competitive with the new-generation hares.

But, now, with product functionality fairly evenly matched across all enterprise firewall vendors, how will users choose which products to purchase? Previously, the hares with their first-to-market advantage had the most compelling sales propositions.

It would be premature to conclude that the game’s over. In fact, the race for the next-generation firewall is still in its early stages. As vendors market these products, a bifurcation has evolved between the data center and the network edge. Indeed, protecting the data center is a different matter from protecting the network edge. Each site requires the use of different technologies and for the next few years, we believe vendors will be able to excel at either the data center or the network edge—but unlikely at both.  One firewall cannot be optimized for both data center and network edge without sacrificing performance and simplicity of administration.  The intelligent user will optimize his network by deploying best-in-breed products—one class for the data center and another class for the network edge.

In the data center, the number of applications running and the number of users are limited and known. In addition, only a small number of device types are used and these are always connected with cable. Firewall products for the data center do not need to boast best-in-class support for mobile devices, nor do they need to be optimized to distinguish vast numbers of applications connecting via the Internet.  Data center networks are in the midst of a major transition to Software-Defined Networking (SDN) where the administrator will have a global view of the network across multiple platforms and be able to program the network to act upon real time intelligence such as denial of service and resetting traffic paths.

It is unlikely that a rational user would choose a data center firewall product that will have such a global command of the network from a young, small vendor.  The rational user will choose a vendor with years of experience and vast numbers of trained staff—a vendor with the ability to scale. In this scenario, companies such as Cisco and Juniper will have the advantage because they can integrate next-generation firewall functionalities into their broad product lines.

In contrast, the enterprise campus and network edge are tightly focused on ensuring secure access and use of mobile devices. In these deployment locations, firewalls must be able to distinguish an enormous variety of applications running on the Internet. Once an application is identified, a firewall must be able to implement policy user by user. Firewalls in these locations must also be able to provide secure access and context-based authentication to widely different types of mobile devices. In this realm, a vendor gains advantage based on its speed of innovation and the richness of its database of threats.

Let’s look deeper into vendors’ positions. As shown in Figure 1, since 2011 Cisco has maintained a 30% to 32% revenue share in the Enterprise Class Firewall market. Its next closest competitor, Palo Alto Networks, has grown to about 10%, while Fortinet, Huawei, and Juniper are tied in third place.

Cisco’s strength stems from sales to the data center, which have been a strategic focus and growth engine for the company. We estimate that sales to the data center of Cisco’s Ethernet switch and server businesses represent 20% of the company’s overall revenue. There are massive changes taking place in the data center with virtualization and SDN. Change brings opportunity to new entrants. Cisco’s challenge will be to rapidly innovate at the enterprise edge, while protecting its data center business.

Palo Alto Networks has built its reputation as best-in-breed based on its strength at rapid innovation at the enterprise network edge. In February 2014, the company launched its high-end platform, PA-7050, targeting large enterprise and carrier data centers. In order to grow its data center business, Palo Alto’s challenge will be to convince users it has the scale to fulfill the technical and service level demands of supporting data center class deployments.

Fortinet’s pioneering Unified Threat Management (UTM) product carved a powerful brand with its “single pane of glass” approach to managing network security. The company also spearheaded application-aware, enterprise-class firewalls targeting the network edge. Its FortiGate products with custom ASICs earned a reputation for high performance and ease of management at reasonable prices. Fortinet’s stronghold is at the enterprise network edge, a position the company is strengthening with its expansion into Wireless LAN access points.

Of notable mention is Fortinet’s doubling of market share over the past two years. Although the company offers high-end platforms targeting large enterprise and carrier data centers, we envision the same challenges that Palo Alto faces: securing user interest to test and deploy products and scaling to support the data center’s rapidly changing demands.

The foundation of both Huawei and Juniper’s strength is data center deployment, primarily from carrier purchases of the Eudemon8000E-X series and the SRX, respectively. We believe that Juniper’s sales were also bolstered by large enterprises, albeit to a lesser degree. Looking forward, we expect this trend to continue although both firms have deployed competitive, application-aware firewall products for the enterprise edge. Juniper’s challenge will be to shore up its share loss—and quickly—as time is not on its side. The longer it takes the company to get back on track, the greater the difficulty it will face. Huawei’s challenge will be to sell to large enterprises outside of China and to sustain rapid innovation at both the enterprise edge and the data center.

The bottom line is that customers need next-generation solutions that are more powerful than packet-oriented firewalls and unified threat management. These products must penetrate deep into applications without sacrificing performance. Firewalls must be capable of protecting today’s diversified networks—clouds, virtualization, mobile users, and BYOD. At present, the innovators in this area are the smaller players, whose offerings are more compelling to enterprises that understand the risks inherent in the evolving application delivery market. While small companies have the current advantage, the big players are ready to strike back.

Round two of the next-generation firewall race is about to begin. Things are going to get really, really interesting.

About the Author

Casey Quillin joined Dell’Oro Group in 2011. He is responsible for the Data Center Appliance and Storage Area Network market research programs. While at the firm, Mr. Quillin has significantly expanded Data Center Appliance research, including the build-out of Network Security Appliances. Mr. Quillin has over 20 years of experience as an executive manager and entrepreneur in the technology sector. Prior to joining Dell’Oro Group, he held positions with several startups, including Vice President of Engineering at Snapfish, the world’s largest online photo-sharing site, later acquired by HP. He was also CTO of Oasys Networks, an application service provider in the financial services market; Co-founder and CEO of Logic by Design, an interactive media agency; and Managing Partner of Cornice Networks, a network integration and IT consulting firm in San Francisco.

About Dell'Oro Group

As the trusted source for market information about the networking and telecommunications industries, Dell’Oro Group provides in-depth, objective research and analysis that enables component manufacturers, equipment vendors, and investment firms to make fact-based, strategic decisions. For more information, contact Dell’Oro Group at +1.650.622.9400 or visit www.DellOro.com

IBM Positions z13 Mainframe for Mobile Economy

IBM unveiled its z13 Mainframe built for the mobile economy.  The system, which springs from a $1 billion investment over five years, exploits more than 500 new patents for enhanced performance, availability, analytics and security.

Some highlights:

  • z13 is the first system able to process 2.5 billion transactions a day, the equivalent of 100 Cyber Mondays every day of the year. z13 transactions are persistent, protected and auditable from end to end, adding assurance as mobile transactions grow to an estimated 40 trillion per day by 2025. [1]
  • z13 is the first system to make practical real-time encryption of all mobile transactions at any scale.  z13 speeds real-time encryption of mobile transactions to help protect the transaction data and ensure response times consistent with a positive customer experience.  
  • z13 is the first mainframe system with embedded analytics providing real-time insights on all transactions. This capability can help guarantee the ability of the client to run real-time fraud detection on 100 percent of their business transactions by delivering 'on the fly' analytic insights that are 17X faster than compared competitive systems at a fraction of the cost. 
  • The z13 includes new support for Hadoop, enabling unstructured data to be analyzed in the system. Other analytics advances include faster acceleration of queries by adding DB2 BLU for Linux providing an in-memory database, enhancements to the IBM DB2 analytics accelerator, and vastly improved performance for mathematically intense analytics workloads.
  • The z13 can run in a private or hybrid cloud architecture. In a scale-out model, it is capable of running up to 8,000 virtual servers -- more than 50 virtual servers per core, helping to lower software, energy and facilities costs.
  • IBM estimates a z Systems cloud on a z13 will have a 32 percent lower total cost of ownership over three years than an x86 cloud and a 60 percent lower total cost of ownership over three years than a public cloud. 
  • The z13 is based on open standards, fully supporting Linux and OpenStack.

"Every time a consumer makes a purchase or hits refresh on a smart phone, it can create a cascade of events on the back end of the computing environment. The z13 is designed to handle billions of transactions for the mobile economy.  Only the IBM mainframe can put the power of the world's most secure datacenters in the palm of your hand," said Tom Rosamilia, senior vice president, IBM Systems. "Consumers expect fast, easy and secure mobile transactions. The implication for business is the creation of a secure, high performance infrastructure with sophisticated analytics."


Mavenir to Acquire Ulticom for Diameter Signaling

Mavenir Systems agreed to acquire Ulticom, a supplier of telecom signaling solutions. Financial terms were not disclosed.

Ulticom, which is based in Mount Laurel, New Jersey, offers a scalable, virtualized Diameter Signaling Controller (DSC) that scales mobile operator networks and securely provides interoperable 4G LTE and Voice over LTE (VoLTE) services. The Ulticom DSC is suitable for deployment in IMS and EPC environments.  Major functions include: Central Routing, Edge Routing (DEA), IPX Hubbing, Policy Routing (DRA) and Load Balancing. Ulticom also supplies a Diameter SS7 Gateway (D7G) that provides 2G-3G-4G interworking between Diameter and SS7 to enable migration and roaming functions in multi-generation networks.  Ulticom said its software-based diameter solutions are deployed in ten carrier networks globally, two of which are among the world’s top ten Mobile Network Operators (MNOs). The company was founded in 1974 and is currently owned by Platinum Equity.

Mavenir said Ulticom’s Diameter software products are uniquely designed for high transaction performance with adaptive signal control capabilities that optimize elasticity and orchestration in NFV networks.

“Without question, the explosive growth of mobile data traffic and the increase in VoLTE deployments creates a need to better manage signaling traffic at scale,” said Pardeep Kohli, President and Chief Executive Officer, Mavenir Systems. “Tier one customers have already adopted Ulticom’s DSC, powerful evidence of the team’s expertise and strategic importance to the marketplace. Ulticom also brings deep channel relationships to Mavenir in this accretive acquisition.”


Alcatel-Lucent Hits 10 Million VDSL2 Vectoring Line Shipments

Alcatel-Lucent has reached the milestone of 10 million VDSL2 vectoring line shipments. VDSL2 vectoring allows operators to deploy ultra-broadband services of up to 100 Mbps over their existing copper telephone networks. Alcatel-Lucent first launched its VDSL2 vectoring solution three years ago.

Proximus (formerly Belgacom), Belgium’s operator and the first in the world to deploy a nationwide VDSL2 vectoring network, celebrated a year of successful VDSL2 vectoring operations with the award of a golden line card from Alcatel-Lucent to represent the historic 10 million–shipment milestone.

Alcatel-Lucent currently has 27 VDSL2 vectoring customers in every region of the world, including Israel’s Bezeq, KPN in the Netherlands, Telecom Argentina, Telecom Italia, TE Data in Egypt and NBN Co. in Australia, with more than 65 commercial trials of the technology conducted by operators.

Federico Guillén, president of Alcatel-Lucent’s Fixed Access Business Line said: “We’re seeing huge growth for VDSL2 vectoring alongside our fiber-to-the-home solutions as more and more operators realize they need both copper and fiber technologies to meet their customers’ ultra-broadband demands. Having been first to market with VDSL2 vectoring and again with G.fast and TWDM-PON technologies, we are committed to giving operators the choice of technologies they need to provide the best services for their customers.”


Huawei Cites Strength in Carrier, Enterprise, Consumer Business

Huawei posted further details on its 2014 unaudited results, saying sales revenue was expected to reach CNY287-289 billion, an increase of nearly 20% year-on-year, with profits of CNY33.9-34.3 billion and a margin of 12%, which is proportionately in line with 2013. Both cash flow from operating activities and asset to liability ratios remained stable and strong.

Huawei's Carrier, Enterprise, and Consumer Business Groups recorded strong performances in 2014.

  • Revenue at Huawei’s Carrier Network business increased by approximately 15% over the previous year. The main drivers of the growth were a steady increase in 3G investment and the jump in 4G investments across the globe.
  • Huawei's Enterprise Business grew by around 27%. The business now serves more than 100 of the world's top 500 companies. Huawei also established strategic partnerships with leading enterprises including SAP and Accenture for joint innovation in areas including cloud computing and big data.
  • Huawei's Consumer Business recorded a revenue increase of around 32% year-on-year thanks to the higher sale of mid-range and high-end handsets within a rapidly growing smartphone market worldwide, with Huawei enjoying particularly strong growth in emerging markets.

In 2014, Huawei invested between CNY39.5-40.5 billion in R&D, an increase of 28% over 2013.

"The core values of 'being customer-centric, making dedicated employees the foundation of our success, and our overall commitment to dedication' have been the cornerstones of Huawei's growth over the past 20-plus years," noted Huawei's Chief Financial Officer Meng Wanzhou. "Huawei will continue to follow and embed these core values across the organization over the next decade to help us become the leader in the ICT industry."


Fortinet Intros WLAN APs with Threat Protection and Analytics

Fortinet released seven new Wireless LAN Access Points aimed at retailers, branch offices and distributed enterprises.

Fortinet's new FortiAP Wireless Access Points combine the company's threat prevention technology with dual and triple stream MIMO 802.11ac. The company said the FortiAP Wireless LAN Access Points integrate seamlessly with its FortiGate Next Generation Firewall (NGFW) and Unified Threat Management (UTM) products, eliminating the need for stand-alone network switches or wireless LAN controllers, greatly reducing complexity.

Going beyond Wi-Fi access, FortiAPs can also be paired with Fortinet's FortiPresence Analytics solution, launched in August 2014, which delivers customer presence analytics to power the brick-and-mortar retail stores of the future. FortiPresence enables FortiAPs to function as sensors that can analyze the location of foot traffic, distinguish between new and repeat visitors, provide historical and real-time data analysis, and more. By enabling marketing engagement initiatives such as social Wi-Fi access and smart digital signage, FortiPresence paired with FortiAPs enables retailers to optimize their businesses for the digital age and turn their network into a competitive advantage.

"The launch of the new FortiAP Wireless LAN Access Points further bolsters Fortinet's industry-leading portfolio of hyper-secure solutions tailored for distributed enterprises," said John Maddison, Vice President, Marketing Products for Fortinet. "Fortinet's solutions go a step further than the competition, providing advanced services like FortiGuard real-time threat research and intelligence, streamlining complex networking infrastructures to ensure no downtime or interference with existing applications, and enabling deep analytics that make an organization's distributed network a competitive asset that delivers greater profitability."


Ionic Security Raises $40 Million

Ionic Security, a start-up based in Atlanta, has raised $40.1 million in Series C funding for its distributed data protection platform.

Ionic's platform combines protection, visibility, attribution, and granular control with massive-scale machine learning and streaming graph analytics to provide enterprises with control of their data without the need for, or use of, gateways.

Meritech Capital Partners led the round with participation from Kleiner Perkins Caufield & Byers (KPCB), which invested previously, and other existing investors, including Google Ventures, Tech Operators and Jafco Ventures. This latest investment brings Ionic’s total funding to-date to $78.1 million.


Infonetics: Global Service Provider CAPEX to Flatten After 2015

Global mobile service revenue barely budged in the first half of 2014 (1H14), up just 0.5 percent from the same period a year ago, dragged down badly by Europe again, according to a new report from Infonetics.

“Overall, growth in telecom revenue continues to slow in every geographic region. Europe’s 5 largest service providers—Deutsche Telekom, Orange, Telecom Italia, Telefónica, and Vodafone—continue to experience declining revenue, though less pronounced than in the past 3 years. And in North America, AT&T and Verizon have signaled that the mobile services price war started by T-Mobile US is taking a bite,” says Stéphane Téral, principal analyst for mobile infrastructure and carrier economics at Infonetics Research.

Co-author of the report Matthias Machowinski, Infonetics’ directing analyst for enterprise networks, adds: “After a weak 2013, enterprise networking and communication revenue growth accelerated in 2014 thanks to a resurging North American market and stepped-up investments in security infrastructure. We expect similar results in 2015, when strong end-user demand in North America and Asia Pac is likely to be offset by a slowdown in Europe.”

Some other highlights:

  • Macroeconomic indicators point to moderate global economic growth of 3 percent for the full-year 2014 due to persistent weaknesses in the Eurozone and a significant slowdown in Brazil and Russia.
  • Mobile data services (text messaging and mobile broadband) rose again in every region in 1H14, driven by the increasing usage of smartphones.
  • Mobile broadband services grew 26 percent year-over-year, enough to offset the decline of SMS revenue.
  • Key trends affecting the enterprise networking and communication markets include the adoption of cloud services, the use of cloud architectures in enterprise data centers, and security becoming a part of every IT decision.


DragonWave Tops $47 Million in Quarterly Revenue

DragonWave reported revenue for its third quarter of fiscal year 2015, ended November 30, 2014, of $47.3 million, compared with $37.9 million in the second quarter of fiscal year 2015 and $22.2 million in the third quarter of fiscal year 2014. DragonWave had two customers who each generated more than 10% of revenue. Revenue through the Nokia channel was $23.7 million or 50% of total revenue this quarter, versus 60% in the second quarter of this fiscal year and 51% in the third quarter of the prior fiscal year. Another international customer contributed 26% of revenue in the third quarter of fiscal year 2015.

Gross profit in the third quarter of fiscal year 2015 was 16.3%, compared with 15.5% in the second quarter and 11.1% in the third quarter of fiscal year 2014.

“DragonWave delivered strong revenue growth again this quarter as we expected,” said Peter Allen, President and CEO. “As we look forward, we believe that we have the opportunity in Q4 to again have sequential revenue growth of up to 10%.  We are pleased that we have received first orders for our recently announced Harmony Enhanced product line, which extends our product leadership and will help drive the revenue growth opportunity beyond Q4.”


Alcatel-Lucent Hires Bhaskar Gorti to Lead IP Platforms

Alcatel-Lucent appointed Bhaskar Gorti as President of its IP Platforms business.  He will take charge of business units developing technologies for cloud-based networking and virtualization, including NFV (network functions virtualization), as well as OSS, the Charging/Policy/Payments activity, Customer Experience Management, Network Performance, and the Cyber-Security monitoring and prevention software platforms.

Gorti, who will hold the title of President IP Platforms, will report directly to CEO Michel Combes and will join the Alcatel-Lucent Executive Committee. He joins Alcatel-Lucent from Oracle where he was Senior Vice-President and General Manager of Oracle Communications Global Business Unit. Previously he had been with Portal Software, and led the sale to Oracle in July 2006 to form the Communications business at Oracle. Prior to Oracle, Gorti worked at Chordiant Software/OnDemand, Hewlett Packard, Alcoa and Office of Naval Research/Arpanet.


Infinera Adds to its Sales Team

Infinera announced the appointments of Pete Dale as vice president of sales for Cloud and Content, and Wray Varley as vice president of Government sales.

Most recently, Dale was the senior vice president of America sales at BTI Systems. Prior to BTI, he held leadership positions at telecommunications companies including Optovia, Ciena, Internet Photonics, Lucent and Bay Networks.

Varley previously was the area vice president of sales at CenturyLink where he played a pivotal role on the company's Government Advanced Programs, Department of Homeland Security, Department of Justice, and Department of Energy sales and business development teams. Varley held numerous positions prior to CenturyLink, playing leading roles at Bell Atlantic, Veridian and Sytel, Inc., where he developed Sytel's federal enterprise business.