Hewlett-Packard entered the next-generation firewall market with a new line of TippingPoint firewalls.
The new line extends TippingPoint's existing intrusion prevention system (IPS) appliances with traditional stateful packet filtering and application control, according to Robert Greer, vice president and general manager of Palo Alto, Calif.-based Hewlett-Packard's (HP) TippingPoint business.
"We feel we can extend what we've been doing around security for years with the best research around known and unknown vulnerabilities, and extend that out [to firewalls]," Greer said.
Enterprises that consider IPS a core technology in their security architecture will find the TippingPoint firewalls appealing, but HP might struggle to attract other customers, said Greg Young, research vice president at Stamford, Conn.-based Gartner Inc.
"We've seen IPS vendors flex toward firewalls, but [it has] been tough trying to displace an incumbent firewall vendor," Young said. "Clearly, IPS translates to good IPS in the firewall, and that's the same path that Sourcefire was taking when it was acquired by Cisco. There is a set of customers where IPS is very important in their firewalls, but the challenge is most enterprises need good firewalls first and need application control and IPS second. There are a lot of good firewalls with good IPS in them, and you have to have all of those bits to compete effectively."
Initially, HP is offering five models of its next-generation firewall, beginning with the branch office S1050F model, which ships with 500 Mbps of firewall throughput and throttles down to 250 Mbps with IPS and application control turned on. The S8010F is the top performer in HP's new firewall series, with 10 Gbps of firewall throughput that throttles down to 5 Gbps with IPS and application control activated.
HP is entering a highly competitive market, where companies like Palo Alto Networks and Check Point Software Technologies have been pioneering application control on firewalls for years. And HP still has work to do to attack the high end of the market, according to Jeff Wilson, principal analyst for security at Campbell, Calif.-based Infonetics Research. HP's premium S8010F firewall, for example, does not offer the scale of Palo Alto's data center-class PA-5060. That firewall has 20 Gbps of throughput and it does not slow down with application control active, although it does throttle down to 10 Gbps with IPS turned on.
So while many HP customers may be happy to check out the new TippingPoint firewall, HP will have to compete head to head in a crowded market.
"TippingPoint [IPS] is a great product from a performance and security standpoint," Wilson said. "But they just don't have that big of a [customer] footprint."
Check Point and Palo Alto have firmly established themselves. Cisco Systems will be pushing hard with its ASA 5500-X and its Sourcefire acquisition, while Dell is aggressively marketing the next-generation firewalls it acquired with SonicWall. Finally, McAfee, which earlier this year acquired Stonesoft, a Finnish vendor highly regarded for its firewall technology, will be looking for ways to expand Stonesoft's global presence.
In the next-generation firewall market, HP will have to compete on the granularity and the completeness of its application visibility and control, where companies boast about their ability to distinguish different types of activity on social networking sites like Facebook. HP believes the strong research resources it has underpinning TippingPoint IPS will give it a boost here.
"Initially we're going to have hundreds of application filters," said HP's Greer. TippingPoint traditionally ships new IPS signatures on Tuesdays, and customers can expect the same schedule for application filter updates as HP expands its malware research expertise into application filters. "It is absolutely an area where we will continue to drive significant volume with not only English-based, U.S.-centric applications, but also international applications."