IT has changed considerably, moving from a client-server environment to one driven by digital transformation, which increases the interaction of mobile devices, cloud resources -- such as SaaS and IaaS -- and IoT. All this innovation has greatly expanded the ability of people and devices to communicate. What remains constant, however, is that the network, no matter what form it takes, must protect the usability and integrity of network resources.
Worldwide, IT organizations spend more than $20 billion per year on hardware and software across a wide variety of network security components. Research from Doyle Research and Security Mindsets forecasted that this spending will reach nearly $25 billion by 2024. Dozens of suppliers focus on unique security capabilities, and most large organizations use multiple vendors and various elements of network security for in-depth defense.
As network and security intelligence moves to the cloud, suppliers continue to refine their network security capabilities. New categories of network security products have emerged, which will continue to morph as vendors move from hardware appliance offerings to an as-a-service business model. In addition to new product types, virtual appliances and the use of cloud services to perform network security functions, the market will continue to see the integration of additional capabilities to support IoT, software-defined WAN (SD-WAN) and AI.
Defining network security
The simple definition of network security is any combination of hardware and software products that operate in Layers 3 and 4 -- the network and transport layers -- of the OSI stack, with the primary function to manage access to the corporate network and network-embedded resources. Network security acts as a gatekeeper that permits entry to authorized users and detects and prevents anything that tries to infiltrate the network to cause harm or compromise data.
Network security is not one-size-fits-all, as it typically comprises nine different elements. Below, we explore nine elements of network security and their roles in a security strategy. Please note that these components are not mutually exclusive, as many features and technologies overlap in various suppliers' offerings.
- Network firewall. Firewalls are the first line of defense in network security. These network applications or devices monitor and control the flow of incoming and outgoing network traffic between a trusted internal network and untrusted external networks. Network traffic is evaluated based on state, port and protocol, with filtering decisions made based on both administrator-defined security policy and static rules.
Firewalls make up the single largest segment of the network security market, according to Doyle Research and Security Mindsets. In 2019, firewalls of all types were responsible for about 40% of network security spending, around $8 billion.
Representative vendors: Check Point Software, Cisco, Juniper Networks and Palo Alto Networks
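As an added illustration of the stateful, rule-based filtering described above (example code written for this page, not a vendor product): rules are matched on direction, protocol and destination port, and a state table lets reply packets of connections the trusted side opened pass without an explicit rule. The packet and rule fields are hypothetical simplifications.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str      # "out" (trusted -> untrusted) or "in" (untrusted -> trusted)
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN opening a new connection

@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"

class StatefulFirewall:
    """Minimal stateful packet filter: state table first, then ordered static rules."""
    def __init__(self, rules, default="deny"):
        self.rules = list(rules)
        self.default = default          # implicit final rule
        self.state = set()              # 5-tuples of connections already allowed

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def decide(self, p):
        # 1. Packets belonging to a tracked connection (either direction) pass.
        if self._key(p) in self.state or self._reverse_key(p) in self.state:
            return "allow"
        # 2. A TCP segment that is neither a SYN nor part of a tracked
        #    connection cannot be legitimate; drop it before consulting rules.
        if p.proto == "tcp" and not p.syn:
            return "deny"
        # 3. First matching administrator-defined rule wins.
        for r in self.rules:
            if r.direction == p.direction and r.proto == p.proto and r.dport in (None, p.dport):
                if r.action == "allow":
                    self.state.add(self._key(p))   # remember the connection
                return r.action
        return self.default
```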
- Intrusion prevention system (IPS). Network IPSes are software products that provide continuous monitoring of the network or system activities and analyze them for signs of policy violations, deviations from standard security practices or malicious activity. They log, alert and react to discovered issues. IPS products compare current activity with a list of signatures known to represent threats, or they use alternative detection methods -- such as protocol analysis, anomaly and behavioral detection or heuristics -- to discover suspicious network activity. Sophisticated IPSes use threat intelligence and machine learning to increase accuracy.
Although many IPS features have been incorporated into next-generation firewalls (NGFWs) and unified threat management (UTM) appliances, the IPS market is still responsible for 10% of network security spending.
Representative vendors: Alert Logic, Check Point Software, Cisco, McAfee and Trend Micro
- Unified threat management. A UTM product integrates multiple networking and network security functions into a single appliance while offering consolidated management. UTM devices must include network routing, firewalling, network intrusion prevention and gateway antivirus. They generally offer many other security applications, such as VPN, remote access, URL filtering and quality of service. Unified management of all these functions is required, as the converged platform is designed to increase overall security while reducing complexity.
UTM devices are best suited for SMBs and for branch and remote sites. UTM products are the second largest network security category with over $5 billion in spending.
Representative vendors: Barracuda Networks, Fortinet, SonicWall, Sophos and WatchGuard
- Advanced network threat prevention. Advanced network threat prevention products perform signatureless malware discovery at the network layer to detect attacks that employ advanced malware and persistent remote access. These products employ heuristics, code analysis, statistical analysis, emulation and machine learning to flag and sandbox suspicious files. Sandboxing -- the isolation of a file from the network so it can execute without affecting other resources -- helps identify malware based on its behavior rather than through fingerprinting.
The benefit of advanced network threat prevention tools is their ability to detect malware that has sophisticated evasion or obfuscation capabilities, as well as detect new malware that hasn't been previously identified. Additionally, they validate threat information and uncover critical indicators of compromise that can be used for future investigations and threat hunting.
Advanced network threat prevention products are similar in size to the IPS market, about 10% of the network security market.
Representative vendors: Check Point Software, FireEye, Forcepoint, Palo Alto Networks and Symantec
Emerging network security categories
The four elements of network security below -- network access control (NAC), cloud access security broker (CASB), distributed denial-of-service (DDoS) mitigation and network behavior anomaly detection (NBAD) -- each generates less than $1 billion in spending, according to Doyle Research and Security Mindsets. Combined, however, they account for about 11% of the total market, and they are all growth categories.
- Network access control. NAC is an approach to network management and security that supports network visibility and access management. It consists of policies, procedures, protocols, tools and applications that define, restrict and regulate what an individual or component can or cannot do on a network. NAC products enable compliant, authenticated and trusted endpoint devices and nodes to access network resources and infrastructure. For noncompliant devices, NAC can deny network access, place them in quarantine or restrict access, thus keeping insecure nodes from infecting the network.
Representative vendors: Aruba Networks, Cisco, Forescout Technologies, Fortinet and Pulse Secure
- Cloud access security broker. CASBs are on-premises or cloud-based security policy enforcement points for cloud application access and data usage. By acting as an intermediary among mobile users, in-house IT architectures and cloud vendor environments, CASBs enable an organization to extend the reach of its security policies -- especially regarding data protection -- into the public cloud.
CASB features include authentication, device profiling, auditing, malware detection and prevention, data loss prevention, data encryption and logging. The value of CASBs stems from their ability to give insight into cloud application use across cloud platforms and identify unsanctioned use. This is especially important in regulated industries.
Representative vendors: Bitglass, McAfee, Microsoft, Netskope, Symantec and Zscaler
- Distributed denial-of-service mitigation. DDoS mitigation is a set of hardening techniques, processes and tools that enable a network, information system or IT environment to resist or mitigate the effect of DDoS attacks on networks. DDoS mitigation activities typically require analysis of the underlying system, network or environment for known and unknown security vulnerabilities targeted in a DDoS attack. This also requires identifying what normal conditions look like -- through traffic analysis -- and the ability to inspect incoming traffic and separate human users from humanlike bots and hijacked web browsers.
DDoS mitigation uses connection tracking, IP reputation lists, deep packet inspection, blacklisting, whitelisting or rate limiting to filter traffic and mitigate attacks. Many times, organizations have their DDoS mitigation needs covered by specialized service providers, but the largest companies will include DDoS mitigation as an in-house capability.
Representative vendors: Cloudflare, F5 Networks, Imperva, Pulse Secure, NetScout and Radware
- Network behavior anomaly detection. NBAD products provide real-time monitoring of network traffic for deviations in normal activity, trends or events. The tools complement traditional perimeter security systems with their ability to detect threats and stop suspicious activities that are unknown or specifically designed to avoid standard detection methods. When NBAD products discover unusual activity, they generate an alert that provides details and pass it on for further analysis.
For NBAD to be optimally effective, it must establish a baseline of normal network or user behavior over a period of time. Once it defines certain parameters as normal, it can then flag any departure from one or more of those parameters.
Representative vendors: AT&T Cybersecurity, Cisco, Flowmon Networks, IBM Security and LogRhythm
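The baseline-then-deviation approach described above, as an added example written for this page (not an NBAD product's code): per-host statistics for two monitored parameters are learned from a constructed day of flow summaries, and a new observation is flagged when any parameter departs from the host's baseline by more than k standard deviations. The parameter names, sample values and threshold are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed training data: (host, hour, bytes_out, distinct_dst_ports), one
# row per hour for two hosts with mild, regular variation.
TRAINING = [
    ("10.0.0.5", h, 2_000_000 + 50_000 * (h % 4), 6 + (h % 3)) for h in range(24)
] + [
    ("10.0.0.9", h, 400_000 + 20_000 * (h % 5), 3 + (h % 2)) for h in range(24)
]

PARAMS = ("bytes_out", "distinct_dst_ports")

def build_baseline(observations):
    """Per-host (mean, population stdev) of each monitored parameter."""
    series = defaultdict(lambda: defaultdict(list))
    for host, _hour, bytes_out, ports in observations:
        series[host]["bytes_out"].append(bytes_out)
        series[host]["distinct_dst_ports"].append(ports)
    return {
        host: {p: (statistics.mean(v), statistics.pstdev(v)) for p, v in per_param.items()}
        for host, per_param in series.items()
    }

def score(baseline, host, values, k=3.0):
    """Return alert details: (parameter, observed, z-score) for each departure
    beyond k sigma. A host with no baseline is itself an anomaly."""
    if host not in baseline:
        return [("unknown_host", host, None)]
    alerts = []
    for p in PARAMS:
        mean, sd = baseline[host][p]
        sd = sd or 1.0                     # constant parameter: any change counts
        z = (values[p] - mean) / sd
        if abs(z) > k:
            alerts.append((p, values[p], round(z, 1)))
    return alerts

if __name__ == "__main__":
    base = build_baseline(TRAINING)
    # Normal-looking bytes, but far more distinct ports than this host ever used.
    print(score(base, "10.0.0.5", {"bytes_out": 2_100_000, "distinct_dst_ports": 40}))
```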
Network and security convergence
The elements of network security and networking functionality continue to intersect. For example, many network vendors offer security features, and security vendors offer networking functionality. This is especially prevalent in SD-WAN and software-defined branch.
- SD-WAN security. Advanced network security capabilities are increasingly being built into SD-WAN products. SD-WAN security overlays security components -- such as firewalls, IPSes, malware detection, content filtering and encryption -- onto SD-WANs to ensure the corporate security policy is enforced at all levels. SD-WAN security provides the ability to monitor and secure traffic that travels directly to the internet -- e.g., SaaS and IaaS -- which is an increasing portion of branch WAN bandwidth.
SD-WAN security is adjacent to the network security market, as SD-WAN constitutes its own market with multiple vendors.