Magic Quadrant for Secure Web Gateway

Gartner RAS Core Research Note G00212739, Lawrence Orans, Peter Firstbrook, 25 May 2011, V3RA1 05272012

The growing malware threat continues to drive the SWG market. Solutions for detecting malware vary widely in sophistication, ranging from basic signature-based to advanced heuristics-based analyses. The market is still dominated by on-premises solutions, but cloud services are growing rapidly.

WHAT YOU NEED TO KNOW
Anti-malware capabilities should be the most heavily weighted criterion when evaluating secure Web gateways (SWGs). Bidirectional protection (blocking inbound malware and analyzing outbound traffic to detect compromised endpoints) is critical. Organizations that need the most advanced security protection should evaluate solutions that use non-signature-based techniques capable of detecting targeted malware. Organizations that have more basic security requirements can consider solutions that primarily rely on signature-based malware detection.

MAGIC QUADRANT
Market Overview
The Web 2.0 phenomenon and associated malware threats continue to drive the SWG market. Large and small enterprises now understand that they need perimeter-based anti-malware protection, and many organizations seek more granular policy controls for dealing with social networking. The market has responded with a range of options that broadly fits into two categories: on-premises equipment and cloud-based services (also known as “SWG as a service”). Each category includes diverse technology options. For example, on-premises equipment can be architected as a proxy (usually deployed to inspect only Web traffic) or as an in-line solution (deployed to inspect all traffic). The emerging SWG-as-a-service market also presents several architectural options for dealing with important functions such as authentication and traffic redirection. The vendors in the Magic Quadrant represent a broad spectrum of choices in this rapidly evolving market.

After assessing the SWG solutions in today’s market, Gartner makes the following observations:

• Malware detection is the key differentiator in the SWG market. Most solutions provide a “cocktail approach,” which includes traditional reactive techniques such as signature-based malware analysis and detection of known bad Web destinations, along with real-time techniques for detecting new and targeted threats. Site reputation analysis and real-time code analysis that look for common malware techniques in Web code (for example, JavaScript) are the most common approaches. The depth of these techniques varies considerably among solutions.
• Strong capabilities for detecting outbound malicious traffic are rare. The ability to detect compromised endpoints, to block their outbound communications to a malicious command-and-control center, and to generate reports are important features for combating malware.

• URL categorization is an important market differentiator and should not be regarded as a commodity service. The ability to dynamically classify URLs is an important feature due to the exploding growth of the Web. Also, language support and geographical focus remain significant differentiators.

• Application control and social media policies have become higher priorities for enterprises. There are two types of Web applications: those that can be identified by URL (for example, FarmVille) and those that use unique protocols and client applications (for example, Skype). URL-based applications can be identified and classified, allowing for easy blocking or more granular control. The ability to block or manage applications such as Skype and instant messaging (IM) requires broader port/protocol inspection and special network traffic signatures.

• Reporting and ease of management, which vary significantly among vendor solutions, remain important decision criteria for SWG buyers.

• Future requirements will focus on protection and control for an ever-increasing array of mobile devices and non-PC computing platforms. Interest in data leak prevention (DLP) capabilities and the protection and management of corporate cloud-based applications (for example, salesforce.com) is growing, but remains low.

• Form factor is also an important consideration. Most of the solutions in this analysis are hardware-appliance-based. We have observed growing interest in virtual appliances. Awareness and market share of solutions delivered as a service (software as a service — SaaS) are growing rapidly, primarily in organizations that have multiple distributed gateways, large percentages of roaming workers, and organizations that are attracted to the ease of implementing SaaS.

• We continue to see very little interest in SWG and firewall integration, although all the major enterprise firewall vendors and unified threat management (UTM) vendors have started to incorporate SWG functionality.

[Figure 1. Magic Quadrant for Secure Web Gateway (as of May 2011): vendors plotted by Completeness of Vision (horizontal axis) and Ability to Execute (vertical axis) into the Challengers, Leaders, Niche Players and Visionaries quadrants. Vendors shown: Actiance, Barracuda Networks, Blue Coat Systems, Cisco, Clearswift, ContentKeeper Technologies, Cymphonix, M86 Security, McAfee, Optenet, Phantom Technologies, SafeNet, Sangfor, Sophos, Symantec, Trend Micro, Webroot, Websense, Zscaler. Source: Gartner (May 2011)]

© 2011 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner’s prior written permission. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner’s research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity” on its website, http://www.gartner.com/technology/about/ombudsman/omb_guide2.jsp
Market Definition/Description
The SWG market includes on-premises solutions and cloud-based SWG-as-a-service offerings. In 2011, we attempted to eliminate single-purpose proxy servers and URL revenue in our market-sizing estimates to get a more accurate reflection of the pure SWG market without the weight of legacy point products. Using this analysis, we estimate that, in 2010, the SWG market reached $817 million, a growth of 17% over 2009. The five-year compound annual growth rate is approximately 15%. In 2011, we estimate that the market will grow approximately 17% to just under $1 billion. The market is still dominated by the on-premises solutions (approximately 90%), with SWG as a service representing the remainder of the market (approximately 10%). However, the SWG-as-a-service segment is the fastest-growing segment (Gartner expects that it will grow 55% in 2011).

The SWG market is rapidly evolving into a segmented market, with some solutions optimized for small and midsize businesses (SMBs) and others optimized for large enterprises. SMB solutions are optimized for ease of use and cost-effectiveness, and provide security protection against basic threats. Large-enterprise solutions provide protection against more advanced security threats, and some include the capability to detect targeted threats.

Inclusion and Exclusion Criteria
Vendors must meet these criteria to be included in this Magic Quadrant:

• The solution must include the core requirements of an SWG: URL filtering, malware protection and application control. The vendor must own the technology for at least one of these components. Other components may be licensed from an original equipment manufacturer (OEM).

• Gartner analysts have a generally favorable opinion, based on analysis, about the company’s ability to compete in the market.

• SWG products that offer firewall functionality — for example, multifunction firewalls (also known as UTM devices) — are outside the scope of this analysis. These devices are traditional network firewalls that also combine numerous network security technologies — such as anti-spam, antivirus, network intrusion prevention system (IPS) and URL filtering — into a single box. Multifunction firewalls are compelling for the SMB and branch office markets; however, in most circumstances, enterprise buyers do not consider multifunction firewalls as replacements for SWGs. Examples of vendors with multifunction firewall solutions include Astaro, Check Point Software Technologies, Fortinet and SonicWall.

• Vendors that rebrand and sell complete SWG solutions are not included. For example, Google resells Cisco/ScanSafe. Google is not included in this analysis, but Cisco/ScanSafe is included.

• The solution must integrate with a directory (for example, Active Directory) so that policies may be enforced on a role basis, and so that behavior can be monitored and reported on a per-user basis (as opposed to IP addresses).

• Vendors must have at least 50 production enterprise installations.

Added

• Phantom Technologies has been added, due to its growing presence in the SMB market.

• Sangfor has been added, due to its strong market position in China.

• Actiance replaces FaceTime Communications (the company renamed itself in 2010).

• Due to improvements made to its appliance-based SWG, Sophos now meets our inclusion criteria and has been added to the Magic Quadrant.

Dropped

• CA Technologies has been dropped. It does not offer an independent SWG offering (although its CA Gateway Security solution bundles e-mail and Web security into one solution).

Other Vendors That We Considered

• St. Bernard Software acquired Red Condor in 2010 and rebranded as EdgeWave, repositioning the company with a stronger focus on security and broader delivery models, including cloud-based services. Gartner will reconsider EdgeWave for inclusion in the 2012 Magic Quadrant for Secure Web Gateway.

• Microsoft has informed Gartner that it does not plan to ship another full version release of its SWG product, the Forefront Threat Management Gateway (TMG). The product is effectively in sustaining mode, with Microsoft continuing to ship Service Pack (SP) updates; the next one, SP2, is planned for 3Q11. Microsoft will also continue to support TMG for the standard support life cycle — five years of mainstream support and five years of extended support. In the SWG category, TMG will become less competitive over time, since Microsoft’s goal is not to compete head-to-head with other vendors in that space. We believe that Microsoft will repurpose TMG technologies in other products and services as part of its overall cloud strategy.

• As a next-generation firewall, Palo Alto Networks offers some SWG functionality. However, as noted above, this analysis excludes solutions that are primarily firewalls. In “Next-Generation Firewalls and Secure Web Gateways Will Not Converge Before 2015,” Gartner predicts that the evolution of complex threats will drive the need for separate network firewall and Web security gateway controls for most organizations through 2015.
• The OpenDNS Enterprise cloud offering provides a DNS-based URL-filtering solution. It is popular with consumers, school districts, some SMBs and other cost-conscious organizations, but it does not have the enterprise-class reporting features to be included in this analysis (that is, it does not integrate with Active Directory). Gartner will reconsider OpenDNS for inclusion in the 2012 Magic Quadrant for Secure Web Gateway.

Evaluation Criteria

Ability to Execute
Vertical positioning on the Ability to Execute (see Table 1) axis was determined by evaluating these factors:

• Overall viability: The company’s financial strength, as well as the SWG business unit’s visibility and importance for multiproduct companies.

• Sales execution/pricing: A comparison of pricing relative to the market.

• Market responsiveness and track record: The speed with which the vendor has spotted a market shift and produced a product that potential customers are looking for, as well as the size of the vendor’s installed base relative to the amount of time the product has been on the market.

• Customer experience: The quality of the customer experience based on input from discussions with vendor references and Gartner clients.

• Operations: Corporate resources (in other words, management, business facilities, threat research, support and distribution infrastructure) that the SWG business unit can draw on to improve product functionality, marketing and sales.

Table 1. Ability to Execute Evaluation Criteria
Evaluation Criteria                                                    Weighting
Product/Service                                                        No Rating
Overall Viability (Business Unit, Financial, Strategy, Organization)   High
Sales Execution/Pricing                                                Standard
Market Responsiveness and Track Record                                 High
Marketing Execution                                                    No Rating
Customer Experience                                                    High
Operations                                                             Standard
Source: Gartner (May 2011)

Completeness of Vision
The Completeness of Vision (see Table 2) axis captures the technical quality and completeness of the product and organizational characteristics, such as how well the vendor understands this market, its history of innovation, its marketing and sales strategies, and its geographic presence:

• In the market understanding evaluation, we ranked vendors on the strength of their commitment to the SWG market in the form of strong product management, their vision for the SWG market and the degree to which their road maps reflect a solid commitment of resources to achieve that vision.

• In the offering (product) strategy evaluation, we ranked vendors on these capabilities:

   • Malware filtering: The most important capability in this analysis is the ability to filter malware from all aspects of inbound and outbound Web traffic. Signature-based malware filtering is standard on almost all products evaluated. Consequently, extra credit was given for non-signature-based techniques for detecting malicious code as it crosses the gateway (in real time), as well as for the range of inspected protocols, ports and traffic types. Products that can identify infected PCs, identify the infection by name and enable prioritized remediation also received extra credit.

   • URL filtering: Databases of known websites are categorized by subject matter into groups to enforce acceptable use and productivity, and to reduce security risks. To displace incumbent URL-filtering products and “steal” allocated budgets, SWG vendors will have to be competitive in this capability. Quality indicators — such as the depth of the page-level categorization, the real-time categorization of uncategorized sites and pages, the dynamic risk analysis of uncategorized sites and pages, and the categorization of search results — were considered.

   • Application control: Granular policy-based control of Web-based applications — such as IM, multiplayer games, Web storage, wikis, peer-to-peer (P2P), public voice over IP (VoIP), blogs, data-sharing portals, Web backup, remote PC access, Web conferencing, chat and streaming media — is still immature in most products and represents a significant differentiator. We considered the number of named applications that can be effectively blocked by checking a box on the application category or a specific named application. The ability to selectively block specific features of applications and the presence of predeveloped policies to simplify deployment were given extra credit.

   • Manageability/scalability: Features that enhance the administration experience and minimize administration overhead were compared. Extra credit was given to products with a mature task-based management interface, consolidated monitoring and reporting capabilities, and a role-based administration capability. Features such as policy synchronization between devices and multiple network deployment options enhance the scalability and reliability of solutions.

   • Delivery models: We analyzed deployment options for on-premises solutions and SWG-as-a-service offerings. For vendors that offer both deployment options (otherwise known as “hybrid”), we considered the level of integration between the two approaches (for example, the ability to manage policies from a unified console). For on-premises proxy-based solutions, we evaluated the breadth of proxy features, including protocol support, Secure Sockets Layer (SSL) termination capabilities, and interoperability with third-party antivirus and content-aware DLP scanners (for example, Internet Content Adaptation Protocol [ICAP] support). For on-premises bridge-based offerings, we evaluated the solution’s capabilities for packet filtering and the features that it enables, such as bandwidth control and outbound traffic analysis of non-HTTP/S traffic (which is used for malware detection). For SWG-as-a-service offerings, we considered the options for redirecting traffic to the cloud provider (for example, virtual private network [VPN], Generic Routing Encapsulation [GRE] tunnels, proxy chaining and other approaches) and authentication options (for example, support for Security Assertion Markup Language [SAML]).

   • Related investments: We gave minor credit to vendors with related investments, such as e-mail integration and native content-aware DLP capability. Native DLP capability shows technical prowess and can be useful in tactical situations; however, integration with e-mail and/or dedicated DLP solutions is a more strategic feature.

• Innovation: This criterion includes product leadership and the ability to deliver features and functions that distinguish the vendor from its competitors. Advanced features, such as the ability to perform on-box malware detection of dynamic content (for example, JavaScript code), and the ability to pinpoint compromised endpoints by analyzing outbound traffic, were rated highly.

Table 2. Completeness of Vision Evaluation Criteria
Evaluation Criteria                       Weighting
Market Understanding                      High
Marketing Strategy                        No Rating
Sales Strategy                            No Rating
Offering (Product) Strategy               High
Business Model                            No Rating
Vertical/Industry Strategy                No Rating
Innovation                                High
Geographic Strategy                       No Rating
Source: Gartner (May 2011)

Leaders
Leaders are high-momentum vendors (based on sales and “mind share” growth) with established track records in Web gateway security, as well as vision and business investments indicating that they are well-positioned for the future. Leaders do not necessarily offer the best products and services for every customer project; however, they provide solutions that offer relatively lower risk.

Challengers
Challengers are established vendors that offer SWG products, but do not yet offer strongly differentiated products, or their products are in the early stages of development/deployment. Challengers’ products perform well for a significant market segment, but may not show feature richness or particular innovation. Buyers of Challengers’ products typically have less complex requirements and/or are motivated by strategic relationships with these vendors rather than requirements.

Visionaries
Visionaries are distinguished by technical and/or product innovation, but have not yet achieved the record of execution in the SWG market to give them the high visibility of Leaders, or they lack the corporate resources of Challengers. Expect state-of-the-art technology from Visionaries, but buyers should be wary of a strategic reliance on these vendors and should closely monitor their viability. Given the maturity of this market, Visionaries represent good acquisition candidates. Challengers that may have neglected technology innovation and/or vendors in related markets are likely buyers of Visionaries’ products. Thus, these vendors represent a slightly higher risk of business disruptions.

Niche Players
Niche Players’ products typically are solid solutions for one of the three primary SWG requirements — URL filtering, malware and application control — but they lack the comprehensive features of Visionaries and the market presence or resources of Challengers. Customers that are aligned with the focus of a Niche Players vendor often find such provider offerings to be “best of need” solutions. Niche Players may also have a strong presence in a specific geographic region, but lack a worldwide presence.

Vendor Strengths and Cautions

Actiance
Actiance was called FaceTime Communications in our previous Magic Quadrants, but transferred the name and trademark to Apple for its video calling application. Actiance is a privately held company, based in California, that has branched out from its start — selling IM security to North American financial institutions — to the broader SWG market. In 2010, the company introduced an innovative offering, Socialite, as a module in its SWG for controlling, monitoring, recording and approving corporate social networking participation. Actiance is a good candidate for organizations looking for fine-grained Web 2.0 application controls and social media monitoring tools.

Strengths

• Actiance has strong dashboard and reporting capabilities, as well as a flexible and scalable object-based policy engine. The dashboard is fully customizable, and administrators can create their own look and feel, adding virtually any report as a dashboard element. All dashboard elements are hyperlinked to reports and log data detail. The console also offers a unique, fully customizable heat map dashboard element that enables administrators to visualize traffic and events rapidly.

• Actiance has its own malware and application research capabilities, which are combined with malware databases from GFI Software (which acquired Sunbelt Software in July 2010). Actiance’s Unified Security Gateway (USG) appliance can be deployed by connecting to a Switched Port Analyzer (SPAN)/mirror port, can be deployed in line and can also interface with proxies via ICAP. When deployed in line, the USG can proxy HTTP/S, FTP and traffic from common IM services.

• Actiance has the broadest visibility and controls for Internet

• Multiple USG appliances can be clustered to share a database, which then allows for a shared repository of configuration and reporting for multiple, geographically dispersed USG appliances. A separate reporting module can also provide for centralized reporting for multiple USG appliances.

• Customers can choose between two URL-filtering databases. Actiance’s URL-filtering policy is average, but includes some advanced features, such as a coaching option for soft blocking, custom categories and custom URL additions. Enforcing safe search on popular search engines (Bing, Google and Yahoo) is also available.

Cautions

• Actiance’s biggest challenge is improving its visibility and mind share against increasingly larger and more strategic competition. Despite an early focus on this market and a decent growth rate, it has failed to achieve a significant market share. It needs to rapidly expand its channel partners and client base, because it is at risk of becoming a Niche Player in the social network controls or the financial services market.

• Actiance’s licensed URL-filtering capability does not offer the ability to dynamically classify uncategorized websites. URL-filtering updates default to daily, but can be customized to update as often as required.
       applications, with more than 5,000 named applications,
                                                                              •	 Actiance’s content-aware DLP capability is weak and comes
       including IM, P2P, anonymizers, IP television, gaming software,
                                                                                 at an extra cost from the base license. Its keyword-filtering
       multimedia, remote administration tools, virtual worlds, VoIP,
                                                                                 capability can be used to classify pages, but there is a shortage
       Web-based IM and Web conferencing. In particular, Actiance
                                                                                 of predefined DLP lexicons, and users have to create and fine-
       offers the strongest control for Skype. A special plug-in to
                                                                                 tune their own categorization policies.
       Skype clients enables it to detect and block malicious URLs
       within Skype IMs.
                                                                              •	 Actiance’s log search functionality is weak, and it is difficult to
                                                                                 search on or isolate search terms.
    •	 Reporting on outbound threats is one of the best in this
       analysis, and includes specific detailed information on the
       malware (for example, name, threat rating and more) and links          •	 Actiance relies on signature engines or known bad URLs
       to Actiance’s Web-based reference sites, spywareguide.com                 for malware detection, and has limited on-box capability to
       and applicationsguide.com.                                                dynamically inspect Web pages for malicious intent.


    •	 Actiance offers archiving capabilities for IM traffic, social          •	 Actiance provides Web content caching on proxies, but does
       media and HTTP/S traffic (such as Web mail and blog posts).               not offer bandwidth quality of service (QoS) options to improve
       For example, policies can be enabled to control and log all               the performance of priority applications.
       outbound content for Web 2.0 sites, including blog posts and
       social networking sites, and also for Web mail traffic. Policy         Barracuda Networks
       options include taking a screen shot of the Web page for which
                                                                              Barracuda Networks offers the Barracuda Web Filter — a range
       the content-aware DLP policy is triggered. The logging can also
                                                                              of inexpensive proxy-based appliances (hardware and virtual) that
       be triggered by a lexicon match (for example, log all credit card
                                                                              leverages open-source technologies — as well as the Barracuda
       numbers posted to a social networking site). DLP capabilities
                                                                              Web Security Flex (“Flex”) product, which allows any combination
       can also be exploited for dynamic content-level blocking of
                                                                              of SWG-as-a-service offerings and appliances. The company
       offensive text content.
                                                                              enjoys high mind share in the SMB market, due to its focus on the
                                                                              needs of this demographic, extensive marketing and effective sales
    •	 The Socialite module provides specific social network feature          channel management. It continues to experience solid growth, and
       controls, preapproved content controls (moderation), and               is starting to move upmarket to larger enterprises. Barracuda Web
       archiving for LinkedIn, Twitter and Facebook. Socialite is             Filter appliances are candidates for organizations seeking “set and
       available as a module for Actiance’s USG or through a SaaS             forget” functionality at a reasonable price.
       option.
Strengths

• The Barracuda Web Filter’s Web graphical user interface (GUI) is basic and designed for ease of use. Deployment is simplified; all settings are on a single page with easily accessible and suggested configuration settings, and contextual help. The dashboard includes a summary of top reports, including infection activity, hyperlinked to the detailed reports. Real-time log information can be filtered by a number of parameters for easy troubleshooting.

• Malware protection is provided by open-source Clam AntiVirus and by in-house-developed signatures. The management console includes optional infection thresholds that can kick off alerts or launch a malware removal tool. Barracuda offers basic content-aware DLP functionality at no extra cost.

• Application controls include a fair number of IM networks, software updaters, media stores, remote desktop utilities, toolbars and Skype.

• Bandwidth quotas can be leveraged to limit resource usage per day or per week.

• The Barracuda Web Filter is one of the most economically priced solutions in this Magic Quadrant, and annual updates are priced per appliance rather than per seat.

• The Flex service component (formerly “Purewire”) provides a very clean and well-organized policy and reporting interface that is simple and logical. All dashboard elements offer a consistent, hyperlinked drill-down into three levels of increasingly granular data. All security protection methods are included in the base price. In addition to using several signature and blacklist-based filters, the Web security service performs numerous advanced security checks, including page analysis, URL reputation, exploit kit detection, JavaScript analysis and bot detection. URL filtering is driven by the Barracuda database.

• Advanced options for Flex include coaching and password-protected bypass with custom blocking pages for each rule. The solution also allows quotas based on connection bytes and time limits. Application control includes several dozen named applications in four categories — browsers, IM, P2P file sharing and streaming media — that are based on request and response headers and traffic signatures. The content-aware DLP capability includes five static libraries/lexicons and SSL scanning by category.

• Redirecting traffic to the service component of the Flex offering is optionally enabled with an on-premises Barracuda Web Filter appliance that caches traffic and provides for on-premises authentication, a Microsoft Internet Security and Acceleration (ISA) 2006 plug-in, and a variety of direct connect and Active Directory configurations. The Flex service also offers a tamper-proof software client for roaming laptop users that enforces remote/roaming traffic through a cloud service.

Cautions

• The Barracuda Web Filter appliance lacks some enterprise-class capabilities for management and reporting. The dashboard is not customizable. It offers only a single administration account and does not support role-based administration. Some policy features, such as file type blocking, are very manual rather than menu-driven, and the overall workflow is feature-based instead of task-based. The appliance can only store six months of data; longer-term data storage or aggregated reporting across multiple boxes requires the Barracuda Control Center. Security threat reporting does not provide any guidance on the severity of a particular threat, nor does it provide links to more detail on the threats. Although the solution saves searched keywords in the log, it is difficult to search the logs for this information or to report on it. It does not offer real-time dynamic classification of URLs.

• Barracuda uses open-source databases for URL and antivirus filtering (Sourcefire/Clam AntiVirus), supplemented with Barracuda’s own research labs. However, Barracuda Labs is still relatively small. It does not offer any other third-party anti-malware engines. Real-time analysis of Web threats is limited in the appliance-based solution.

• The Barracuda Flex offering still needs to mature to compete against the more established vendors in this space. The management interface is missing some enterprise options, such as expansive role-based administration, customization of dashboard elements, quick links to tasks, and full policy administration audit reporting. Security threat reporting would be improved with more inspection methods to detect outbound threats, more information such as severity, and more detailed information about specific threats. Reporting is very basic and could be improved with more customization options. Predeveloped reports are too narrow and lack a single management summary report on activity. Log data can only be stored in the cloud, not on the local devices. Barracuda does not offer a zero-client footprint option with transparent authentication. The Flex service only offers an uptime service-level agreement (SLA). It does not support SAML authentication integration. The service does not have a global footprint and currently only has data centers in the U.S., the U.K. and Germany.

Blue Coat Systems

While Blue Coat Systems remains the overwhelming installed base leader in the enterprise proxy market, it faces a number of challenges. It was late with SWG as a service (launched in April 2011). In January 2011, it introduced an appliance, ProxyOne, targeted at SMBs, although Blue Coat must demonstrate that it can build an SMB-focused value-added reseller (VAR) partner channel that is capable of distributing the product. Blue Coat has a new CEO (as of August 2010). With its Mach5 products, Blue Coat also competes in the WAN optimization controller market. Blue Coat’s ProxySG is a very good candidate for most enterprise customers. SMBs that are willing to take the risk on a new appliance can now consider the new ProxyOne.
Strengths

• The ProxySG product is well-tested for scalability and performance in the demanding large-enterprise market, and includes numerous advanced proxy features, such as support for a long list of protocols, extensive authentication and directory integration options, raw policy scripting capabilities, a command line interface, a GUI, SSL decryption, support for ICAP, and centralized management and reporting. The company has one of the largest development and support organizations in this market.

• ProxySG supports nine URL-filtering databases, including its own (Blue Coat WebFilter), and four antivirus engines on its ProxyAV platforms — the most options of any vendor in the market.

• Content-aware DLP support is available via an appliance based on technology licensed from a third party. The appliance interfaces with the ProxySG via ICAP.

• The Blue Coat Reporter provides flexible capabilities to create custom reports, and enables multiple ProxySG products to report log information back to an aggregated log database. Log search functionality is very good and easily allows searching for specific search terms.

• In addition to signature scanning, ProxySG uses a URL database (owned by Blue Coat) to detect known malicious URLs, and has static policy triggers to validate or limit active content (for example, ActiveX controls or Java applets). ProxyAV has limited active code analysis to detect unknown malware.

• Blue Coat ProxySG appliances proxy (that is, they fully terminate and can apply policy to) popular IM services, P2P applications, streaming media protocols, FTP, Telnet, DNS and SOCKS v.4/v.5. Many competing solutions can only proxy HTTP/S traffic.

• Bandwidth management policies can be specified per protocol (for example, streaming media) and can be applied to users or groups. The ProxySG also optimizes bandwidth by stream splitting and caching.

• Blue Coat WebFilter is often one of the least expensive URL-filtering options. Its pricing model is based on a one-time perpetual license fee plus annual maintenance charges.

• Blue Coat’s SSL termination capabilities (via an optional card on ProxySG) enable Blue Coat to terminate and decrypt SSL content and hand it off (via ICAP) to third-party devices, such as content-aware DLP scanners (Blue Coat partners with five DLP vendors), for further analysis.

• Blue Coat offers an endpoint agent (free of charge) that provides URL-filtering support (and application acceleration) for mobile workers on Windows platforms.

• Blue Coat sends uncategorized URLs to its cloud-based WebPulse service for dynamic categorization and malware analysis. WebPulse’s dynamic classification capabilities categorize all URLs, not just those that match a subset of inappropriate URL categories. Some malware may be detected in real time, whereas other malware checks are done in the background and the results are stored in the WebPulse cloud.

Cautions

• Blue Coat must deliver on its SWG-as-a-service offering and demonstrate that it can compete against security services from other cloud-based services, many of which have a head start of two years or more. Blue Coat must demonstrate that its partners can sell its service, and it must also demonstrate that it has the operational expertise to manage a cloud-based service.

• Blue Coat must demonstrate that it can build an SMB-focused VAR partner channel that is capable of distributing the ProxyOne appliance.

• Blue Coat lacks an e-mail gateway — all other SWG cloud providers in this Magic Quadrant own a cloud-based e-mail gateway.

• The ProxySG does not support on-box antivirus. A separate appliance, the ProxyAV, is necessary to perform antivirus scanning.

• The WebPulse “cloud assist” approach, which requires Blue Coat to actively probe suspect websites, can be bypassed by attackers who recognize a request from WebPulse. A sophisticated attacker will know how to respond to Blue Coat (and other “cloud assist” security vendors’ probes) with good content, but will respond to typical end-user Web requests with malicious content. Blue Coat would benefit from more on-box malware detection, as offered by several of its competitors. The WebPulse cloud assist limitation only applies to ProxySG implementations, not to Blue Coat’s SWG-as-a-service offering (the concept of cloud assist does not apply to a cloud-based service).

• Blue Coat cannot monitor all network traffic (which is helpful for detecting outbound malware) in its most commonly deployed proxy mode (known as explicit proxy), but it can be configured in other modes to monitor all traffic.
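One evaluation criterion recurs across these vendor profiles: whether an administrator can search proxy logs on, or isolate, users’ search-engine terms for investigative analysis (rated strong for Blue Coat Reporter above and weak for several other products). The following is an added example, not part of the Gartner report and not any vendor’s code, of what that log-search step actually involves. It parses constructed Squid-style access log lines (the field layout, hostnames, user names and the query-parameter names are assumptions made for the example) and isolates each user’s search phrases so they can be reported on or searched by keyword.

```python
"""Isolate users' search-engine keywords from Web proxy access logs.

Added example (not from the report, not from any vendor's product). The log
format is a constructed Squid-style access log with the fields
"timestamp elapsed client action/status size method url user"; the sample
lines and the engine/parameter table are assumptions for the example.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Host suffix of a search engine -> query-string parameter that carries the
# search phrase. Assumed values for the example; extend for other engines.
SEARCH_PARAMS = {
    "google.com": "q",
    "bing.com": "q",
    "search.yahoo.com": "p",
}

# Constructed sample log: two real searches per user are mixed with ordinary
# requests, one of which carries a "q=" parameter on a non-search host.
SAMPLE_LOG = """\
1306300001.123 245 10.1.2.3 TCP_MISS/200 5123 GET http://www.google.com/search?hl=en&q=expense+report+template alice
1306300002.456 120 10.1.2.3 TCP_MISS/200 912 GET http://www.google.com/images/logo.png alice
1306300003.789 301 10.1.2.9 TCP_MISS/200 7330 GET http://www.bing.com/search?q=how%20to%20send%20large%20files%20externally&form=QBLH bob
1306300004.001 87 10.1.2.9 TCP_MISS/200 4420 GET http://search.yahoo.com/search?p=payroll+export+csv&fr=yfp bob
1306300005.222 77 10.1.2.3 TCP_MISS/200 880 GET http://www.example.com/?q=not+a+search+engine alice
"""


def _search_phrase(url):
    """Return the decoded search phrase if `url` is a query to a known engine, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    for suffix, param in SEARCH_PARAMS.items():
        # Match the engine host itself or any subdomain of it (www.google.com).
        if host == suffix or host.endswith("." + suffix):
            values = parse_qs(parts.query).get(param)  # parse_qs URL-decodes and maps '+' to space
            return values[0] if values else None
    return None


def search_terms(log_text):
    """Map each user to the list of search phrases found in their proxy log lines."""
    found = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 8:  # skip blank or truncated lines
            continue
        url, user = fields[6], fields[7]
        phrase = _search_phrase(url)
        if phrase is not None:
            found[user].append(phrase)
    return dict(found)


def users_searching(log_text, keyword):
    """Sorted list of users whose search phrases contain `keyword` (case-insensitive)."""
    needle = keyword.lower()
    return sorted(
        user
        for user, phrases in search_terms(log_text).items()
        if any(needle in phrase.lower() for phrase in phrases)
    )


if __name__ == "__main__":
    for user, phrases in sorted(search_terms(SAMPLE_LOG).items()):
        print(f"{user}: {phrases}")
    print("searched for 'payroll':", users_searching(SAMPLE_LOG, "payroll"))
```

The host check is deliberately suffix-based rather than a substring match, so a `q=` parameter on an unrelated site is not reported as a search, and the engine table is the only thing to extend when a new search engine appears in the logs.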
Cisco

Cisco offers appliance-based SWGs (IronPort S-Series) and cloud-based SWG services (via its 2009 acquisition of ScanSafe). Also, in 2009, Cisco acquired its own URL-filtering database (previously, it had licensed Websense’s SurfControl database), and developed its own reporting capabilities so that its customers no longer needed to use a third-party package (Sawmill). In addition, Cisco offers hosted e-mail services under the IronPort brand. Cisco’s strategy is to develop an integrated Web and e-mail cloud-based security service with a single console that would also manage its IronPort appliances. Currently, these components are not integrated, and each has its own management console, although they do share a common URL-filtering database. Cisco’s IronPort S-Series appliances are very good candidates for most midsize and large enterprises, and the ScanSafe service is a good candidate for all enterprises.

Strengths

• The S-Series provides good on-box malware detection. It also provides parallel scanning capabilities across multiple verdict engines for inbound as well as outbound security and content scanning. Signature databases are offered from McAfee, Sophos and Webroot, and two of these can be run simultaneously. Non-signature-based detection includes exploit filters that proactively examine page content, site reputation, botnet network traffic detection, transaction rules and Cisco-generated threat center rules. The S-Series also uses a mirroring port (SPAN) network interface card for out-of-band traffic analysis to detect evasive outbound phone-home traffic or application traffic. The S-Series is one of the few products that include a full native FTP proxy and SSL traffic decryption.

• IronPort has numerous features to enhance the scalability of the S-Series for demanding large-enterprise needs, including native active-active clustering and centralized management for up to 150 servers. S-Series appliances can support up to 1.8TB of storage with hot-swappable serial attached SCSI (SAS) drives, RAID 10 configuration and RAID 1 mirroring, and six 1GB network interfaces, as well as a fiber option. In addition, the security scanning is enhanced by stream scanning, which enables scanning for larger or long-lived objects without creating the bottlenecks associated with buffer-based scanning.

• The S-Series provides good content-aware DLP functionality with the combination of integrated, on-box data security policies and the choice of advanced DLP content scanning through ICAP interoperability with third-party DLP solutions RSA and Symantec/Vontu. Policy options include the capability to block “posting” to Web-2.0-type sites.

• Application control on the S-Series is very strong, with the ability to identify and block 13,000 Web-based applications. The Traffic Monitor feature enables the S-Series to connect to a port-mirroring switch port, and to detect and block port-hopping applications. Granular control is provided for social networking applications, such as blocking posts to Facebook.

• Customers commented on the ease of deployment in migrating to the ScanSafe service. The graphical dashboard is hyperlinked to filtered log views. The service offers a real-time classification service to classify unknown URLs into a small set of typically blocked categories (for example, pornography or gambling). URL filtering is enhanced with some advanced functionality, such as bandwidth and time-based quotas, and a “search ahead” feature that decorates search engines with URL classifications.

• Cisco provides native support for SAML in the IronPort S-Series and in ScanSafe. The S-Series creates SAML assertions to federate identity from the enterprise to SaaS applications. The ScanSafe service consumes SAML assertions and enables a transparent authentication process for organizations that have already implemented SAML single sign-on solutions.

• ScanSafe SWG as a service offers simple outbound content-aware DLP functionality (dictionary keyword matching, named file detection and preconfigured number formats), and file hash matching can integrate with some enterprise DLP vendors.

• Cisco’s AnyConnect 3.0 client integrates ScanSafe’s agent. Cisco’s large installed base of VPN customers will now have ready access to the ScanSafe cloud (provided they migrate to the 3.0 version of AnyConnect). Using AnyConnect 3.0, traffic is SSL-encrypted from the client to the ScanSafe cloud.

• Cisco’s channel strength should help it ramp up some SWG opportunities. It has enabled all IronPort and Cisco partners to resell the ScanSafe cloud Web security service. Also, Cisco has included IronPort products as a core part of the standard certification for all Cisco security partners.

Cautions

• Cisco needs a unified management console for its on-premises IronPort appliances and ScanSafe cloud services to ease migration for customers that are interested in hybrid deployments.

• The IronPort management console needs improvement for highlighting and investigating infected endpoints. While it reflects the top malware threats that have been detected in the environment, it does not provide a correlated and prioritized malware effects report or dashboard widget that would help desktop administrators track down and remediate potentially infected machines. Also, it does not provide severity information for the threats that it has detected.

• The S-Series is one of the most expensive SWG appliances in the market, and Cisco charges extra for the Cisco IronPort Web Reputation Filters.

• Log search functionality is weak on the S-Series, and it is difficult to search on or isolate search terms. ScanSafe, however, does provide the ability to search on search terms.
• Application control is weak with ScanSafe. Popular applications like Skype, IM and other common P2P applications cannot be controlled with policies.

• ScanSafe lacks bandwidth control capabilities.

• ScanSafe’s content-aware DLP support is weak. Administrators can use basic dictionaries to monitor and alert on text strings, but the solution lacks more sophisticated data detection techniques, and lacks predefined dictionaries and policies.

Clearswift

Clearswift is a veteran secure e-mail gateway vendor with a high profile in EMEA. It has integrated its proxy-based SWG — Clearswift Web Appliance — with its e-mail security solution to provide cross-channel policy and consolidated reporting. Clearswift does not provide an SWG-as-a-service offering. Overall, Clearswift’s primary advantages are its integration with its e-mail solutions and the provision of content-aware DLP across both channels, making the vendor a candidate for existing e-mail customers or EMEA buyers seeking both solutions from the same vendor.

Strengths

• Clearswift offers a clean, logical, browser-based interface for policy development and reporting for Web and e-mail that is easy to use, even for nontechnical users, with lots of context-sensitive recommendations and help functions. Multiple devices can be managed from any machine.

• Policy development for content-aware DLP is very good, and several policy constructs — Sarbanes-Oxley Act, Gramm-Leach-Bliley Act, Payment Card Industry Data Security Standard, U.S. Securities and Exchange Commission, accounting terms and stock market terms — are included. The same policy can be applied to Web and e-mail, and it is possible to intercept and copy/archive Web mail and IM traffic that trigger the DLP policy. Clearswift also provides strong policy audit and printable policy summaries for troubleshooting.

• Clearswift offers good reporting capability. All machines in a cluster are capable of local or consolidated reporting. Reports are active and include a hyperlink drill-down of details. Malware filtering is provided by Kaspersky Lab and GFI Software (which acquired Sunbelt Software in July 2010). It is augmented with some in-house, preconfigured, policy-based code analysis.

• In 2010, the company brought 24/7 customer support back in-house and built a new support portal. Clearswift also lowered its pricing scheme, moving to subscription-based pricing.

Cautions

• Clearswift remains primarily an EMEA brand, with a growing presence in Japan, but it does not enjoy significant brand recognition in North America. Its SWG revenue growth rate and market share remain very small.

• Malware detection is primarily limited to signatures and only in HTTP/S traffic. Although the solution provides some data on potentially infected machines inside the organization, it is not correlated or prioritized, nor does it have enough information on the suspected threat for quick remediation.

• Although the interface is simple enough to be used by nontechnical users, it is limited in detail for more technical enterprise users. The dashboard offers very limited customization. Reports are not linked to dashboard elements. Although the solution can edit existing reports, there is limited capability to create totally new reports. It does not have extensive role-based management and cannot limit administrative access to specific groups. Log search functionality is weak, and it is difficult to search on or isolate users’ Internet search keywords for investigative analysis.

• Application control is limited to blocking URL destinations (and/or streaming protocols) and file type blocking. It is possible to detect and block specific applications, but it requires the creation of custom rules within the appliance to identify and block based on the specific characteristics of the application found in the HTTP content. It cannot filter or manage evasive applications, such as Skype. It does not offer any bandwidth controls, except limiting file sizes.

• The proxy does not support ICAP or WCCP, and it does not support in-line/bridge mode deployments.

• Considering how long Clearswift has been offering DLP capability, it has not advanced to best-in-class capability, and continues to lack a comprehensive compliance workflow management interface.

ContentKeeper Technologies

ContentKeeper Technologies is based in Australia, where it has
        The Clearswift Web Appliance is capable of SSL certificate
                                                                            many large government and commercial customers. It offers
        validation, decryption and inspection. URL categorization
                                                                            a family of SWG appliances that deploy as in-line bridges.
        is provided by the RuleSpace database (now owned by
                                                                            The company maintains its own URL-filtering database, and it
        Symantec), augmented by real-time dynamic classification of
                                                                            provides a choice of third-party antivirus engines that run on the
        uncategorized sites that would likely be blocked by liability
                                                                            ContentKeeper appliance. It provides its own SWG-as-a-service
        concerns.
                                                                            plan and offers cloud-based e-mail protection through a partnership
                                                                            with Webroot. ContentKeeper is a candidate for organizations
     •	 Clearswift offers a good array of form factors, including a         seeking URL-filtering capability and signature-based malware
        dedicated hardware appliance, a “soft” appliance for installation   detection in supported geographies.
        on any hardware, or as a virtual appliance for VMware, and has
        a native ability to “peer” a cluster of appliances together.
Strengths

• ContentKeeper offers a series of five appliances, the largest of which is based on IBM blade server technology, which ContentKeeper states has a maximum throughput rate of 14 Gbps. The appliances “fail open” due to a high-availability hardware module. In addition to supporting in-line bridge mode, the appliances also proxy SSL traffic and provide decryption capabilities. ContentKeeper provides basic IPS protection through a combination of third-party and internally developed signatures.

• The Advanced Reporting Module (ARM) is an optional solution that provides good graphical analysis of log information, including the option to display data in bar and pie charts. The ContentKeeper appliances can be set to export data to the ARM in real time or on a periodic basis. The ARM may be deployed on the ContentKeeper appliance or off-box. Real-time monitoring and alerting are achieved through the ContentKeeper Monitor package.

• ContentKeeper can dynamically classify unknown URLs.

• ContentKeeper provides a choice of three antivirus engines (BitDefender, Kaspersky and The Last Line of Defense), in addition to internally developed signatures that are included with the base system.

• ContentKeeper provides application control for more than 90 applications.

Cautions

• Malware detection and control are limited. Outbound malware detection lacks detail. It shows which malware-infected websites have been blocked, and provides a link to Google to display more information, but — unlike some other solutions — does not contain severity indicators or detailed information about infections.

• The SWG-as-a-service offering, which is agent-based and primarily targeted at SMBs, provides a limited capability to dynamically inspect Web pages for malicious intent.

• Data from geographically distant gateways is not aggregated in real time. However, real-time data can be obtained from each appliance, and syslog files can be imported from appliances on a scheduled basis to generate reports.

• The URL database needs more granularity. It only supports 32 categories, while most competitors support more than twice as many categories (although custom categories can be added).

Cymphonix

Cymphonix, a privately held Utah-based company, was founded in 2004. The Cymphonix Network Composer is an appliance-based product that is mostly deployed as an in-line transparent bridge, but it can also be deployed as a proxy. Cymphonix licenses malware signatures from GFI Software (which acquired Sunbelt Software in July 2010) and Clam AntiVirus. The URL-filtering database is licensed from RuleSpace and enhanced through internally maintained updates. In 2010, Cymphonix released a new line of appliances with higher throughput to target midsize enterprises. Cymphonix is a candidate for SMBs seeking an SWG with advanced bandwidth management capabilities at a reasonable price. Its ability to detect and block proxy anonymizers (used to bypass URL filtering) makes it a good candidate for the kindergarten through Grade 12 education environment.

Strengths

• Cymphonix offers one of the strongest bandwidth control capabilities in the SWG market. Its bandwidth-shaping policies can be nested within one another for more granular control. For example, users in a particular role can be assigned a maximum of 30% of available bandwidth for an Internet connection. This group can be further shaped so that 10% of its bandwidth is assigned to IM, while 70% is reserved for mission-critical applications. Bandwidth shaping can be performed at a broad level for virtual LANs, IP ranges and Active Directory groups, or at a very precise level down to a specific host media access control (MAC) address or IP address, Web category, specific URL, file type, MIME type, and user.

• The Network Composer includes more than 650 application signatures that can be used to build network policies for blocking or allowing applications. Applications can also be prioritized in terms of relative importance, using the bandwidth control capabilities described.

• Cymphonix offers a series of seven appliances, the largest of which the company states has a maximum throughput rate of 1 Gbps. The appliances can be configured to “fail open.” In addition to supporting the in-line bridge mode, the appliances also proxy SSL traffic and provide decryption capabilities. Cymphonix also offers a useful free network utility that enables organizations to identify rogue and bandwidth-hogging application traffic on their networks.

• The Web GUI is simple and easy to use, and the reporting capability is good. Tabs provide easy navigation to a collection of reports that can be modified, saved and scheduled, and reports provide hyperlink drill-downs that show more details. Policy management is easy to use and includes numerous advanced functions to apply combined application-shaping and content-control policies to individuals or groups.

• The Network Conductor appliance aggregates log data and centralizes policy management and report generation for multiple, geographically dispersed Network Composer products.
Cautions

• Although Gartner believes that Cymphonix is growing faster than the SWG market, it remains one of the smallest vendors in this Magic Quadrant, and still has low market share and brand recognition.

• Although the solution can edit existing reports, there is limited capability to create custom reports.

• Non-signature-based malware detection is limited.

• The solution has no ability to block posts to social networking sites.

• Application control is somewhat limited. For example, file transfers cannot be blocked from IM services.

M86 Security

While there is still work to do, in 2010, M86 Security made very good progress converging its various acquisitions into a cohesive product offering and company, while retaining much of the acquired talent and bringing aboard new management to move the company to the next level. M86 offers an appliance-based solution that can be augmented with a virtual server hosted by M86 for roaming users. The company just released a new version (v.10) of the Secure Web Gateway solution (formerly the Finjan solution), as well as the Security Reporter v.3. The combination of these products continues to be a good candidate for security-conscious organizations.

Strengths

• The Secure Web Gateway (based on technology from the Finjan acquisition) is a proxy-based appliance solution (hardware and virtual appliances). It has a native Web-based management interface for policy, configuration and reporting. M86 also offers an advanced consolidated reporting engine in a separate dedicated reporting appliance (from the 8e6 Technologies acquisition). The solution has a number of advanced enterprise features, such as administration roles that can limit visibility into data, audit logs, policy summaries and syslog integration. Policy development is object-oriented and can allow for very detailed policies. M86 Secure Web Gateway benefits from its own URL-filtering database. Policies can block posting to categorized websites (for example, social networks), and provide a limited capability to block some Web applications by name. M86 offers a hosted version of its virtual appliances in four data centers for use by remote access users in supported geographies when they’re off the corporate network. This provides unified management of policies and reporting for on-premises and mobile users.

• The M86 Secure Web Gateway combines standard malware signatures — from a choice of Kaspersky, Sophos or McAfee — with very strong unknown-malware detection based on real-time code analysis, which scans an array of Web programming languages for malicious intent. It has very good capability for stripping or neutralizing the offending threats rather than blocking the entire page, which reduces help desk complaints. It can even block nonmalicious, but potentially unwanted, objects that have been downloaded from Web pages.

• Although the solution offers on-box reporting, larger enterprise customers will prefer to use the more scalable appliance-based reporting engine, which can support log consolidation of up to 32 enforcement nodes and 12TB of data on the largest appliance. The reporting engine is easily customized and provides an extensive collection of predeveloped reports, as well as an ad hoc reporting capability to create new reports. Searching the log is easy to do, and the solution saves user search terms. It also stores transaction IDs that are presented to users via blocked pages, and allows the help desk to quickly isolate events.

• M86 is launching an innovative offering that allows customers to create a custom YouTube portal that is limited to approved content only. The Secure Web Gateway has a zero post policy option that enables “read only” access to selected websites or Web categories to prevent posting to social media or other interactive websites. The solution includes limited content-aware DLP capability, including the ability to detect content in attachments and perform lexical analysis on files and posts across HTTP/S or FTP.

Cautions

• M86 continues to be challenged by addressing the needs of its very diverse customer base, which ranges from SMBs to very large enterprises across multiple industry segments, geographies and product interests. M86 is consolidating its product code base to deliver more integrated and seamless functionality across the product suite. Although growth has accelerated in 2010 and early 2011, the combined company market share over the past five years has been flat in a rapidly growing market. M86 must continue to improve its channel and recover best-of-breed mind share or risk being overshadowed by rapidly improving and more strategic competitors.

• M86’s solutions are clearly still integrating, and the look and navigation are inconsistent. The collection of management interfaces has many different windows and applications that are not consolidated in a single portal. The reporting engine and dashboard on Secure Web Gateway are completely different from the capabilities of Security Reporter, and Security Reporter is an extra cost. Administrative access rights capabilities are inconsistent and uncoordinated across both devices.

• Although Security Reporter provides some data on potentially infected machines inside the organization, it is not correlated or prioritized, nor does it have enough information on the suspected threat for quick remediation. The Secure Web Gateway console has better information than Security Reporter.
• Secure Web Gateway lacks more innovative features, such as dynamic URL classification, page reputation analysis, bandwidth control, advanced content-aware DLP identifiers, and predefined policies and lexicons.

• Bandwidth prioritization is on the road map, but for now, Secure Web Gateway is only able to restrict applications or URLs by time-of-day conditions.

• The M86 Secure Web Gateway has the ability to block or allow IM clients covering AOL, ICQ, MSN Messenger, Yahoo Messenger and Skype, but not to control specific features of these applications. Port evasive applications require network firewall assistance to force these applications through the gateway for control and monitoring.

• Content-aware DLP capabilities are limited to keyword analysis and do not include predefined policies, dictionaries, or lexicons, nor do they offer much workflow support for compliance officers.

McAfee

McAfee has three SWG solutions: the McAfee Web Gateway (MWG) appliances, SaaS Web Protection service, and its legacy Email and Web Security Appliance. This analysis focuses mainly on the flagship MWG product, which remains a very good candidate for most enterprise customers, especially those that are already McAfee ePolicy Orchestrator (ePO) users. The Web Protection service is a candidate in supported geographies.

Strengths

• The MWG Ajax/Web-based management interface is well-organized, is easy for technical users to navigate and deploy, and offers numerous advanced management features, such as granular role-based administration, data “anonymization,” FTP command filtering, object-oriented policy, native centralized management and user quotas. MWG is now integrated with McAfee’s ePO management platform. MWG has a reporting application that offers tiered administration and ships with the Enterprise Edition of MySQL, or integrates with Microsoft SQL Server or an Oracle Database.

• McAfee has a solid antivirus research team. MWG has strong on-box malware protection through use of the McAfee Gateway Anti-Malware Engine, which uses McAfee’s signature engine as well as real-time code analysis technology that scans a broad array of Web programming languages for malicious intent, and offers optional use of a third-party antivirus signature engine from Avira.

• MWG includes several advanced URL-filtering policy features, such as progressive lockout, which senses multiple bad URL requests and locks out Internet access. Bandwidth quotas, coaching and soft blocking are also available. MWG offers integrated IM proxy functionality to block and control IM, and provides granular control of the posting of content to Web 2.0 sites.

• MWG includes SSL decryption, which will combine well with McAfee’s strong, native, content-aware DLP capability.

• In addition to its standard appliances, MWG is also available as a virtual appliance and as a Blade Server form factor.

Cautions

• McAfee hasn’t significantly expanded its market share in the SWG market since the Secure Computing acquisition, and it does not show up on Gartner client shortlists as often as we would expect, given McAfee’s channel reach.

• McAfee still has a lot of work to do to integrate ePO with its DLP, e-mail and endpoint solutions to deliver the security and deployment advantages of a single solution. Although McAfee is a major DLP solution provider, DLP capabilities across the three SWG products are inconsistent, and integration with enterprise DLP is still a work in progress. Also, there is no meaningful coordination between the SWG product line and the McAfee Endpoint Protection Platform (EPP) client.

• Hybrid integration between the SWG-as-a-service appliance and the MWG appliance is still a work in progress; currently, the integration consists of the URL categorization engine, the same McAfee signature antivirus engine, the same Gateway Anti-Malware Engine, the same Global Threat Intelligence network, and report consolidation via McAfee’s Web Reporter.

• MWG does not provide a correlated and prioritized malware effects report or dashboard widget that would help desktop administrators track down and remediate potentially infected machines inside the organization.

• MWG’s management features are still maturing; however, the product does not offer dynamic classification of content in unknown sites beyond the security risk analysis. Some commands can only be executed via a command line interface, and some changes require a server reboot. The dashboard cannot be customized; it lacks a good raw log search capability. Also, the policy change audit log is very basic.

• Consolidated and advanced reporting functions require Web Reporter, which is a separate application with a different look and feel from the management interface, and it does not have hyperlinks from the dashboard logs or reports on the appliance. The basic Web Reporter version is included with MWG; however, the premium version is required for advanced features, such as delegated administration and ad hoc reporting. The number of canned reports is low, and some reports do not have obvious features, such as pie graph options. Some customers have complained about the scalability of the reporting interface.

• The SaaS Web Protection service lacks enterprise features and the global reach of the leaders in this space because it only has eight data centers. McAfee’s clientless transparent authentication only records IP addresses for reporting (rather than user names). It does not offer transparent authentication for mobile devices. Only mobile devices that accept proxy settings and VPN clients are supported. SaaS Web Protection only offers an uptime SLA, and it does not yet support SAML for directory integration.

Optenet

Optenet is a private company that was spun off from the University of Navarra’s Engineering Faculty and San Sebastian’s Research Centre in San Sebastian, Spain. It provides its customers with a multitenant SWG, the Optenet WebSecure (that is, it enables service delivery to multiple customers using shared infrastructure), and an e-mail infrastructure solution primarily for carriers, managed security service providers (MSSPs) and large enterprises that want to create service offerings for their own clients. Optenet is a candidate for large organizations and service providers that plan on delivering a multitenancy SWG.

Strengths

• Optenet’s Ajax-based dashboard and management interface is the same for Web and e-mail solutions. It is very customizable, enabling users to add different reports in numerous combinations. Hyperlink drill-downs allow fast movement from the dashboard into active reports and log data. Most report elements can be right-clicked for context-aware options. Role-based management includes four roles. Policy auditing and policy review capabilities are very good. Optenet also offers a command line interface and direct policy script editing for more proficient users.

• The solution can be deployed in bridge and proxy/cache mode or WCCP and ICAP, and provides malware filtering for HTTP/S, FTP, POP, SMTP and MMS on a variety of platforms, including Crossbeam Systems and Linux (Red Hat), as well as appliances. Optenet also offers a full client that does local filtering for malware and URL policy, and is synchronized with on-premises appliances.

• Optenet augments Kaspersky, Sophos and Snort with its own security analysis for emerging threats. Outbound threat reporting includes a severity indicator in a graphical format.

• Application control includes numerous named applications detected via network signature detection. The solution also offers bandwidth management and QoS features, as well as a good network analyzer that provides network application visibility.

• URL filtering is provided with Optenet’s own URL database, which is augmented by a dynamic categorization engine. SSL decryption enables dynamic classification of encrypted content. Spanish URL categorization, in particular, is strong. It also has an image analyzer for pornography detection.

Cautions

• Optenet has a very small market share that is primarily centered in Southern Europe and Latin America, and it has little brand recognition or presence in other markets. It has a development and sales presence in the U.S., but expansion into the U.S. market has been very slow. Although the company has many small enterprise customers, the solution’s primary advantage is multitenancy support that appeals primarily to telecommunications companies and large enterprises seeking to deliver MSSP-type service solutions to their clients.

• Log search functionality is weak, and it is difficult to search on or isolate search terms.

• Optenet provides a unified policy management console that includes firewall and IPS functions. Policies have the same structure, which simplifies administration. However, the inclusion of some firewall and IPS-specific configurations in the management policy can cause some confusion for SWG customers. Moreover, few of Optenet’s customers use Optenet WebSecure as a primary firewall or IPS.

• Application control is good for client applications, such as P2P, and it supports the capability to create custom filters using firewall rules or custom URLs, but it would benefit from more predefined application controls.

• Optenet has the capability to create custom filters to effect some content-aware DLP functionality, but it does not include any predefined content or DLP workflow.

Phantom Technologies

Phantom Technologies, a privately held company based in San Diego, is a new entrant in this Magic Quadrant. Its proxy-based iBoss Web-filtering solution is available as a family of appliance-based platforms. Phantom owns its URL-filtering database. More than 95% of its customers are in North America. iBoss is a candidate for organizations that are based in North America.

Strengths

• iBoss includes a unique autorecord feature (up to three minutes) that enables video playback of a sequence of events. Organizations can customize the event that triggers the autorecord feature. The capability can be used to confirm intentional versus unintentional user violations.

• Log search capabilities are strong. Search engine requests are highlighted clearly in the log (for example, Bing, Google, Yahoo and YouTube), and the actual text string entered by the user is stored and can be easily searched.
                                                                             •	 Bandwidth controls are very flexible. Bandwidth quotas can be
     •	 Optenet is very attractively priced.                                    applied to a specific organizational unit in Active Directory, and
                                                                                they can also be assigned to a specific domain.
15
• iBoss provides application control for popular IM services and some P2P applications.

• Reporting capabilities are strong, particularly the ability to create custom reports. The reporting tool includes some unique features aimed at executive management, such as calculating the hourly cost of using the Web.

Cautions

• Malware detection capabilities are limited. Snort rules and Clam AntiVirus are used to detect problems and trigger alerts, but Phantom only has limited resources (a small team of researchers) to develop its own signatures.

• Phantom’s non-signature-based approach to malware detection is very limited.

• Although the solution provides some data on potentially infected machines inside the organization, it is not correlated or prioritized, nor does it have enough information on the suspected threat for quick remediation.

• Uncategorized URLs are not classified in real time. They are sent for classification to one of two data centers (New York and Los Angeles), and the results are pushed out to the iBoss installed base of appliances. The process can take several minutes.

SafeNet
SafeNet targets the SMB market with its appliance-based eSafe Web Security Gateway solution, which is part of the company’s Enterprise Data Protection (EDP) strategy. This approach combines encryption and multifactor authentication with the SWG and its native, content-aware DLP capability. SafeNet moved into the Niche Players quadrant (from the Visionaries quadrant) in 2011, primarily due to its SMB focus and some product shortcomings, as noted below. The eSafe solution is a candidate for midmarket enterprises in supported geographies.

Strengths

• The dashboard has extensive information in a graphical format with hyperlinked drill-down into detailed report information. The reporting engine contains more than 240 predefined reports, including graphical end-user activity reports. Incident analysis is easy with strong log file search functionality and drop-down pick lists of potential search terms.

• Due to its merger with Aladdin Knowledge Systems in 2009, SafeNet has strong malware-filtering capabilities, including in-memory code emulation for analyzing suspicious code, vulnerability shielding, script analysis, active content policy options and SSL decryption. SafeNet offers an optional Kaspersky engine. The eSafe Web Security Gateway solution is usually deployed as an in-line bridge, allowing it to see all network traffic, but it can also function as a proxy.

• Application controls are above average and include an extensive list (nearly 600) of potentially unwanted applications. eSafe also supports blocking IM file attachments and enforcing acceptable browser types. eSafe provides basic content-aware DLP protection with consistent policies across e-mail and Web traffic. It can monitor, log and alert on files attempting to leave the organization, and it supports archiving of outbound content for investigative purposes.

Cautions

• eSafe continues to struggle with brand awareness, especially in North America, and overall with its SWG product mind share, and growth is slower than the overall market.

• SafeNet’s strategy of combining the eSafe SWG with encryption and identity and access management is unique, and although these are some of the components of an enterprise data security program, very few enterprises consider these domains together when making purchasing decisions. eSafe lacks many enterprise-class, content-aware DLP features.

• Despite significant improvements in the management interface and reporting engine, some enterprise features are still lacking. The dashboard is not customizable, and with the volume of reports available, it would be beneficial to have a “favorites” tab.

• Policy creation is not object-oriented and will be difficult to scale for organizations with numerous policy exceptions.

• Policies for establishing time usage quotas are limited.

• Although the solution provides some data on potentially infected endpoints, it is not correlated or prioritized, nor does it have enough information on the suspected threat for quick remediation.

Sangfor
Sangfor is a new entrant in this Magic Quadrant. It is a network equipment vendor based in China, and its 2010 revenue was approximately $50 million (according to U.S. accounting standards). Sangfor states that 55% of its revenue comes from its SWG products, and the remaining revenue comes from its VPN, WAN optimization controllers and application delivery controller products. Sangfor’s SWG is a proxy-based solution that comes in a hardware appliance form factor. All the company’s revenue comes from the Asia/Pacific region, although it has goals to compete globally in 2011 and beyond. Sangfor has two versions of its Web-based console — a Chinese version and an English version. Features and enhancements are added to the Chinese version first, followed by the English version at a later date. Sangfor is a candidate for organizations that are based in China.
Strengths

• Sangfor provides flexible and granular bandwidth control capabilities. For example, utilization parameters can be specified for uplink and downlink traffic.

• Basic content-aware DLP functionality is performed on box. Several preformatted dictionary templates are included (some are specific to the Chinese market), and organizations can create their own keyword-based custom DLP policies.

• The URL-filtering database will appeal to Chinese customers, since 80% of its entries are Chinese URLs. Sangfor plans to offer an English-based URL-filtering list in 2011 via a partnering agreement.

• For antivirus support, organizations can choose from F-Prot or Sophos (both via an OEM agreement).

• Sangfor’s application signature database lists more than 600 entries, including gaming, IM and P2P applications.

• Sangfor has a large distribution channel in China, with more than 300 resellers and 25 distributors in large cities and most provinces.

Cautions

• Although the solution provides some data on potentially infected machines inside the organization, it is not correlated or prioritized, nor does it have enough information on the suspected threat for quick remediation.

• The appliance lacks a hardware SSL accelerator.

• The proxy does not support ICAP, thereby limiting its capability to send content to third-party scanners (such as DLP sensors or antivirus scanners).

• The English version of the Web interface lacks the capability to customize the dashboard. However, the dashboard of the Chinese version can be customized.

• The English version of the URL-filtering database lacks the capability to dynamically categorize unknown URLs. However, the Chinese version of the database does have this capability.

• The process of combining reports from various geographically distant gateways into a single report is difficult. The data cannot be viewed in real time because of the manual process involved with exporting data from each gateway.

Sophos
Sophos, a leader in the enterprise endpoint protection platform (EPP) market, is gradually improving the features of its hardware appliance and virtual appliance SWGs to appeal to larger enterprise customers. Ambitious management has resulted in company growth and geographic expansion from its European base to the North American and global enterprise markets. Sophos is a candidate for SMBs seeking simple management and policy capabilities with good security.

Strengths

• Sophos is an established player in the malware detection market, and the Sophos Web Appliance (SWA) uses Sophos’ Behavioral Genotype technology to detect previously unknown malware by performing a pre-execution analysis of all downloaded code, including binary files and JavaScript. Sophos also provides increasing integration with its endpoint solution. Today, it offers client-based URL protection from malicious websites. Future offerings (due in 1Q12) will provide full Web policy filtering at the endpoint, using cloud services to provide live URL lookups and policy synchronization.

• Sophos provides very simple products to understand and manage. The management interface provides “three clicks to anywhere” navigation. SWA is very easy to set up, with automated network and directory discovery, contextual help functions and simple-to-understand policy configuration. Sophos even optionally monitors customers’ appliances and provides proactive assistance for critical conditions (for example, disk failures, overheating and power issues).

• Security URL classification is supplied by SophosLabs and augmented with SurfControl URL categorization data provided by Websense.

• SWA offers very good log search capability, including the ability to search for groups of keywords used in Google and other searches, and isolates search terms in reports for clarity. In addition, SWA has a completely ad hoc reporting capability to create totally new reports, which is also very good.

• Sophos continues to have a strong reputation for support and service from customers and its channel.

• Full inspection of encrypted HTTPS content and sessions is supported for all modes of deployment, including explicit proxy, transparent, WCCP and bridged modes.

Cautions

• Sophos has been gaining momentum in this market in recent years; however, its growth is mainly in the sub-1,000 seat level. It still doesn’t appear often in hotly contested large enterprise deals. It needs to improve its marketing message and its product to gain more recognition among midsize to large enterprises.
• Sophos is still missing some enterprise features, such as dashboard customization, limitations on log visibility and comprehensive audit logs. Role-based administration is on its road map for mid-2011. Sophos also lacks advanced Web management features, such as bandwidth and application controls, while features such as blocking social posts (for example, in Facebook) and streaming media controls may not provide sufficient granularity for some enterprises.

• The URL-filtering feature does not provide dynamic classification, except for anonymizer proxy sites.

• Consolidated policy management and reporting across multiple appliances require Sophos Management Appliances.

• Although the solution provides some data on potentially infected machines inside the organization, it is not correlated or prioritized, nor does it have enough information on the suspected threat for quick remediation.

• Signature-based malware detection is limited to the Sophos engine. Some organizations may want to increase the diversity of signature-based protection by using different signature engines in the gateway and on the desktop.

• Although Sophos has some native DLP capability in the endpoint, it has not transferred that technology to the Web gateway solution, and it does not provide ICAP support for DLP integration.

• Sophos does not yet offer a native method to apply policy and protection to mobile and off-LAN devices. A client for Windows devices is due in 2011; however, it is integrated into the full Sophos EPP client.

Symantec
Symantec has two offerings in the SWG market: the Symantec.cloud SWG as a service (formerly MessageLabs) and the Symantec Web Gateway appliance. Symantec.cloud is the foundation for Symantec’s cloud-based solutions, which also include secure e-mail gateway, archiving and disaster recovery, as well as hosted endpoint protection management and backup services. However, integration between these two SWG offerings is lacking. Symantec.cloud is a candidate for customers seeking a simple-to-use, service-based solution, especially if they are also interested in secure e-mail gateway security services. Symantec Web Gateway is a candidate for customers seeking a scalable, in-line appliance SWG, or for those looking to augment their existing proxy solutions with better security and application control.

Strengths

• The Symantec.cloud Web GUI has the same simple and easy-to-use interface as the e-mail and IM security services, making it a good choice for customers seeking multiple services. Symantec.cloud has 10 data centers for the Web security service. The service offers strong antivirus, latency, uptime and support SLAs, and customers give it high marks for service and support.

• Symantec.cloud recently added usage quotas and expanded the management interface languages (now English, German and Japanese). It has decent reporting capability that includes flexible, ad hoc reporting with easy custom group creation. Malware is filtered with Symantec’s own antivirus scanner as well as the F-Secure engine, and augmented by MessageLabs’ Skeptic malware filters. The Websense URL database has been replaced with Symantec’s own solution (from the RuleSpace acquisition), which offers limited dynamic classification for 15 types of typically blocked categories. Symantec also recently released the “Smart Connect roaming agent,” which forces traffic to the nearest data center.

• The appliance-based Symantec Web Gateway is most commonly deployed as an in-line bridge (it may also be deployed out of band, on a mirrored port), which enables bidirectional malware scanning of most ports and protocols, and provides for simple network implementation. Scale is achieved by correctly sizing the appliance for the network (up to 1 Gbps), or by using a load balancer to deploy multiple boxes to get beyond 1 Gbps. In-line deployment allows for very broad, protocol-level application control with binary control (blocking/allowing) and policy control of a large number of named applications, such as P2P, IM, games and remote access.

• Symantec Web Gateway has strong management interfaces. Policy creation is done on a single-page view with intelligent options based on previous selections. The dashboard and reporting interface are also strong. Most notable is the reporting emphasis on outbound traffic that indicates the presence of specific malware, the severity and type of the threat, and quick access to more detail. Dashboard data is hyperlinked to relevant reports and logs with granular details (for example, geolocation data, search terms, file names/types and cross-referencing to aid investigative analysis). Symantec Web Gateway provides a centralized server for configuration and consolidated reporting, as well as long-term storage of log data. Symantec replaced the Sophos and GFI Software (which acquired Sunbelt Software in July 2010) scan engines and remediation tools (previously licensed by MI5) with its own scan engine and URL blacklist, while retaining MI5’s network traffic detection techniques, botnet and malware phone-home detection, and inbound content inspection. Threat intelligence and rule creation have been transitioned to Symantec’s Global Intelligence Network and Security Technology and Response teams. The URL database is still licensed from IBM, but we expect this solution to adopt the RuleSpace data in 2011.

Cautions

• Symantec has been very careful not to disrupt the MessageLabs business as a result of the acquisition, and despite the new branding as Symantec.cloud, it continues to operate relatively independently. We anticipate that this will continue; however, the pressure to integrate back-end functions will be strong and could potentially increase performance risk.
• Integration between the Symantec.cloud, the Symantec Web Gateway appliance, the Symantec Endpoint Protection Client and the Vontu DLP platform is still limited.

• Symantec did not increase the global data center footprint or management interface localization as aggressively as anticipated, and now finds itself behind several competitors in global reach.

• The MessageLabs services have suffered from slow feature development to enhance the management interface, especially for a service provider. The dashboard and reporting features haven’t changed significantly since 2010, and customers have said that reporting needs significant improvement. Reports are relatively static and do not allow for drill-down and drill-up capabilities, log search is not possible in the management interface, and it does not allow restrictions on what group data is visible to administrators. Outbound malware reporting is minimal and does not yet show severity indicators or threat details. Links to Symantec’s threat library and correlated data showing high-risk PCs would be improvements. The service only supports relatively simple policies and does not allow conditions, which means it takes several rules to create granular policy. The URL policy would benefit from advanced options, such as self-authorization and coaching. Application control is very limited and based only on URL destination rather than network/protocol signatures; also, it has only a very limited number of named applications for use in building policies. It does not offer SAML directory integration.

• Signature-based malware detection is limited to the Symantec detection engine. Some organizations may want to increase the diversity of signature-based protection by using different signature engines in the gateway and on the desktop.

• Symantec Web Gateway’s unique design may cause problems for some larger enterprises. For example, it is difficult to add users to multiple policy groups, and the dashboard is not customizable and does not integrate with less common directory environments. Symantec Web Gateway does not proxy applications or offer a cache; although it was on the road map for 2010, it will not be delivered until the first half of 2011 (currently, it is in public beta). Symantec Web Gateway application control can be improved by blocking social networking and blog postings, and by using granular Web application function control. The solution would benefit from the IM control capability that Symantec acquired from IMlogic — which is currently in the e-mail gateway. SSL decryption is still missing; although it was on the road map for 2010, it will not be delivered until the first half of 2011 (currently, it is in public beta). Advanced policy options (such as coaching or self-authorization, time and bandwidth quota, or bandwidth rate shaping) are missing.

Trend Micro
Trend Micro has a long history of focusing on antivirus for the Web gateway market. As a result, it has a respectable market share with global enterprises. InterScan Web Security Virtual Appliance (IWSVA) is offered only in software solutions for virtual servers or bare metal installations. However, the company has not sufficiently invested in advanced features that differentiate its SWG offering and allow it to break into the Leaders quadrant. Trend Micro is a candidate for SMBs that already have a strategic relationship with the company.

Strengths

• The management interface benefits from a very customizable Adobe Flex dashboard environment and a significantly improved Advanced Reporting and Management solution. New customized reports can be created using open-source iReport and added as a dashboard element or in completely new tabs. Dashboards provide quick, hyperlinked drill-down into detailed and searchable logs. In distributed environments, a centralized Advanced Reporting and Management solution instance can act as a consolidated reporting engine/database and remove a task from the scan engine to improve and consolidate local performance. The solution can redact user names from reports and restrict administrators’ visibility to managed groups.

• Policy development and configuration are easy to use and provide a powerful scripting capability that can be used to block actions such as social network posts or file transfers.

• Malware detection is provided by Trend Micro’s signature database, script analysis, and a reputation service that is provided by its in-the-cloud Smart Protection Network. Trend Micro’s Damage Cleanup Services can provide remote client remediation for known threats. IWSVA offers a quarantine disposition action for parking suspicious files or blocked FTP file types. Suspicious files can be automatically sent to Trend Micro labs for analysis.

• Trend Micro offers its own URL categorization database. It also offers time-of-day, time quota and bandwidth quota policy options. Application control includes some P2P and IM traffic types that are detected by network signatures.

• Total cost of ownership is improved with Trend Micro’s use of its software virtual appliance platform, which allows a bare metal install on customer-owned hardware or on VMware ESX/Microsoft Hyper-V. IWSVA has multiple deployment options including ICAP, WCCP, transparent bridge, and forward and reverse proxy with automatic policy synchronization across clusters.
Cautions

• Despite Trend Micro's history in this market, it has failed to lead the market with enterprise-class features. This has allowed its more aggressive competition to steal mind share, particularly in large enterprises. IWSVA tends to be a suite component add-on, rather than a product that the channel will lead with, and we rarely see IWSVA in hotly contested large-enterprise deals. Trend Micro needs to invest in advanced product features if it wants to regain momentum in the SWG market.

• IWSVA is software-based and does not offer an SWG hardware appliance or an SWG-as-a-service solution. There is no native capability to protect and manage the Web traffic of off-LAN devices.

• IWSVA solutions are still lacking in numerous large-enterprise features, such as advanced role-based administration, policy summaries and synchronization with multiple different directory solutions. Bandwidth control is limited to quotas only. The outbound malware detection report lacks severity indicators to enable prioritized remediation. Although the solution can edit existing reports, it cannot isolate search keywords in logs or reports. It does not offer dynamic classification of URLs.

• Application control is limited to binary blocking of some P2P, IM and URL categorization blocking. Policies to block specific applications or application features require a high level of understanding of the application specifics and are relatively coarse. Trend Micro does not have any SWG DLP, although it does offer an endpoint content-aware DLP solution.

• Signature-based malware detection is limited to the Trend Micro engine. Some organizations may want to increase the diversity of signature-based protection by using different signature engines in the gateway and on the desktop.

Webroot

Webroot, which is well-known for its endpoint spyware protection solutions, has a rapidly growing cloud-based SWG and secure e-mail gateway (SEG) offering. Webroot is a candidate for SMBs seeking service provider options in supported geographies.

Strengths

• HTTP traffic is redirected to Webroot's cloud via a local proxy or firewall settings, a client proxy setting or a client software agent. The mobile client is easy to use and configurable via the cloud-based centralized management console.

• In 2010, Webroot acquired URL classification vendor BrightCloud, which provides URL classification, website reputation and security risk analysis.

• The Web management interface provides centralized management of Web and e-mail services, is user-friendly and can be administered by nontechnical users. The graphical view of its SWG URL-filtering policy is especially easy to understand. It provides a granular role-based administration rights capability, and good role-based policy and policy audit logs. Log search capability is also very good. Log data includes the search term query string and has a link to the search results, which is a good feature to help understand user intent.

• Policy options include blocking certain files by type and size, and a soft block function that enables users to visit a blocked category for a certain length of time. Quota-based policies can be configured to limit the amount of bandwidth used in a specified time window. The URL filtering provides an anonymous proxy detection capability.

• Malware protection is provided by Webroot and a Sophos malware signature database. Nonsignature threat detection capabilities include an anti-phishing engine, client Web application vulnerability scanning, as well as heuristic-based attack analysis. Webroot has had considerable experience with and a strong track record in the area of Web-borne malware detection, which has been the company's focus since its inception in 1997.

• The service provides security warnings and URL categorization icons on search results pages (Google, Yahoo, Bing and Ask.com) to warn users of unsuitable links in search results.

Cautions

• Webroot has had initial success in the SMB market (fewer than 1,000 seats), but has failed to get the attention of larger enterprise customers. It needs to improve its enterprise feature set and expand its global footprint and channel to break out of the SMB niche. Although Webroot has done a good job of catching up to the state of the art in the management console and feature set, it has not yet distinguished itself with any outstanding differentiated feature that would move it into the Visionaries quadrant.

• The dashboard is very basic and static, with little customization. There are no hyperlinks to drill down into the detail from dashboard elements. There is no ability to create ad hoc reports, although administrators can change options on the 25 report templates to get different slices of data. Outbound threats are in static reports, but not in real-time dashboard views, and threat information is restricted to threat types or names of known threats. There are no links to malware encyclopedia information or severity indicators. There is no user-readable policy summary for auditing or troubleshooting. Limited customization capability makes it difficult to create regional block pages for global companies. The cloud-based SWG service does not offer SAML directory integration.

• Application control is limited to blocking the URLs of registration servers, and the solution offers no DLP capability.
• The solution does not offer dynamic classification of Web URLs.

• Like other SWG SaaS providers, Webroot's inbound and outbound malware detection is limited to HTTP traffic types that are redirected to the service.

• Webroot's agentless solution requires a user name and password combination to authenticate each Web session.

Websense

Websense offers a wide range of options in the SWG market, from basic URL filtering to software and appliance-based SWGs, and cloud-based services for e-mail and Web security. Websense also owns DLP technology, which it offers as a stand-alone solution and also as an embedded option with its Web Security Gateway (WSG) solution. Websense is a very good candidate for most enterprise customers.

Strengths

• Websense has a strong distribution channel that enables it to target large enterprises and SMBs.

• Websense offers a unified console that is capable of managing a hybrid SWG solution (on-premises and SWG as a service).

• Websense owns all the core technology in its products, with the exception of third-party antivirus signatures.

• The Websense WSG provides extensive on-box, non-signature-based methods for detecting malware and advanced persistent threats (APTs).

• The Network Agent component, which is positioned on a port-mirroring port, analyzes all traffic on a network segment, which enables Websense to monitor non-HTTP traffic for malware detection. Many organizations use this feature to set and enforce policies for P2P applications and other undesirable traffic.

• The Websense Triton solution's management console is one of the best in the market and is consistent across all its offerings. Navigation is task-based, and policy creation is intuitive and easy to use. There is a useful, customizable toolbox element that enables common tasks to be consolidated into a single menu. The dashboard includes hyperlink drill-downs into more detailed reporting data. Policy can be developed in a single pane, with extensive parameters and a logical workflow. URL policy parameters are broad and include options such as bandwidth and time-based restrictions for Web surfing.

• In addition to third-party malware signatures and the Websense database of infected URLs, the WSG provides very extensive on-box, real-time malware content analysis to detect suspicious code fragments and other signs of infection.

• Websense's Defensio technology, which protects blogs and social networking sites from spam, malware and other threats, provides another source of signatures for the ThreatSeeker Network.

• Application control includes more than 150 applications, such as IM and chat, streaming media, P2P file sharing, e-mail and collaboration, based on network signatures.

• The acquisition of PortAuthority in 2007 provided Websense with strong DLP technology, which is included in its SWG and enables granular, content-aware policy and reporting. Data detection techniques are complete, and the product includes a broad range of predefined dictionaries and data usage policies.

• For its cloud-based service, Websense supports SAML with its included VMware TriCipher solution integration.

• Websense is one of the few vendors that can offer software, appliances, client software and SWG as a service. Websense software solutions can run on Windows, Linux and Solaris, as well as on numerous third-party network hardware platforms (firewalls and proxies). In addition, Websense has partnered with Crossbeam, Celestix Networks, Resilience and HP for preinstalled solutions.

Cautions

• With only two appliances, the V5K and the V10K, Websense's SWG appliance family is limited. It needs to broaden this product line and add higher-performing appliances and lower-performing appliances to provide a stronger fit for a range of opportunities.

• Agentless transparent authentication is not supported for mobile users. They must authenticate to the service by providing their e-mail addresses and a Websense-specific password. If a mobile endpoint has the Websense client, then the user will be automatically authenticated and traffic will be redirected to the Websense cloud.

• Some of Websense's VAR partners are complacent and simply aim to renew traditional URL-filtering licenses, instead of upselling more advanced SWG functionality.

• Although the solution provides some data on potentially infected endpoints, it is not correlated or prioritized, nor does it have enough information on the suspected threat for quick remediation.
Zscaler

Zscaler is a SaaS provider of SWG and SEG services. The company is the only one to separate policy administration, reporting and enforcement, enabling each element to scale independently. Zscaler moves into the Leaders quadrant in 2011 due to the demonstrated success of its unique architecture, rapid feature development, global rollout of enforcement nodes, and impressive growth in numerous global markets among small and very large enterprise clients. Zscaler is a very good candidate for most enterprise customers.

Strengths

• The Flash-based management interface for Web and e-mail services is easy to use, even for nontechnical administrators. Zscaler is strong in the reporting category. Reports are based on live data and allow very rapid drill-down into detailed analysis. Custom reports can be created and run instantaneously. User names can be redacted from reports. Zscaler's NanoLog technology reduces log size by a factor of 50, enabling very fast reports and longer retention of detailed data. The Analyze tool allows an administrator to set filters on any field and retrieve matching log data in a few seconds, and save views as favorites for repeat queries. Super categories (liability, productivity, bandwidth and malicious) allow faster usage analysis. The dashboard has a unique "compared to industry peers" report, which shows relative data compared with averages for Zscaler customers. Zscaler is the only solution that provides latency statistics for each stage of a round-trip Web request, enabling fast troubleshooting as well as SLA-compliance monitoring.

• The policy manager is easy to use and logical. All policy is user-based and follows roaming users, allowing immediate service at the nearest enforcement node (cloud-based proxy appliance).

• Zscaler has several methods for redirecting clients. It was the first vendor to offer authenticated redirection to the cloud without a software client. Now, it also offers a client-based redirection agent for higher security on unmanaged devices. It also supports standards-based GRE tunnels, and can host customer proxy autoconfiguration (PAC) files. Zscaler also supports SAML for directory integration. Juniper Networks' SRX, ISG and SSG firewalls provide simple interfaces to connect to Zscaler using GRE tunnels. Zscaler also integrates with Juniper's Junos Pulse mobile protection solution to connect mobile devices or laptops to Zscaler's cloud.

• Zscaler offers two levels of security protection. In addition to using several signature and blacklist-based filters, Zscaler has numerous advanced security checks, including page analysis, URL reputation and script analysis. Zscaler provides reporting and policy options to enable organizations to block unsupported or vulnerable browsers, plug-ins or browser versions. Zscaler augments its security coverage with feeds from partnerships with Microsoft, VeriSign, Qualys and others.

• Application control includes numerous named applications that can be blocked using a combination of destination URLs and some network signature analysis. Companies under pressure to liberalize productivity filters can allow Web 2.0/social networking page views while blocking posting to these sites, as well as allow optional content-aware DLP, which is adequate for most organizations' corporate or government-compliance needs. Zscaler offers granular, policy-based control of Web-based applications, such as IM, blogs, streaming and Web mail, including QoS bandwidth control.

• Zscaler's unique architecture and highly scalable purpose-built enforcement nodes enable fast global deployments. It already has the largest global footprint of data centers (by far) with a total of 50, and it is adding one new location per month in 2011. It also allows for "private node" and "private cloud" deployments for very large organizations, service providers, or organizations in unique geographies.

• Zscaler customer support continues to get high marks from customers for fast response rates and a very technically knowledgeable support staff.

Cautions

• Zscaler has handled its rapid growth very well so far, but it must continue to invest ahead of demand for customer support. Although it is one of the fastest growing vendors in this market, it lacks the resources of its larger competitors.

• Although its enforcement nodes are widely dispersed geographically, the reporting and policy data resides only in the U.S. and the Netherlands so far, although expansion is expected to follow customer demand for local storage.

• The management interface is missing full customization of dashboard elements. Although it provides some data on potentially infected machines inside the organization, it is not correlated or prioritized, nor does it have enough information on the suspected threat for quick remediation. While providing more than 16 different filters, the log filter functionality lacks the ability to search on or isolate search keywords.

• Not all network devices support GRE tunnels, which is Zscaler's preferred method of traffic redirection. For example, Cisco's ASA firewall does not support GRE tunnels, thereby requiring customers to use alternate forwarding techniques or their gateway routers instead of the firewall. Zscaler is in the process of deploying IP security (IPsec) VPN termination capability across its cloud.

• Clientless PAC file redirection can be disabled by users or malicious software, and only redirects traffic from applications (that is, browsers) that use the proxy settings. Evasive client applications, such as Skype and P2P or malware, may not be forwarded to the Zscaler network on clients that rely on PAC files. Zscaler has a client that can enforce proxy PAC file settings, but it does not stop evasive traffic from bypassing the Zscaler network. The new IPsec VPN connection method should alleviate this concern in the future.

• There are no native FTP application controls, but the service supports stand-alone FTP clients as well as FTP over HTTP.

• Compared with its larger competitors, Zscaler only has a limited number of dedicated malware researchers.

• The SWG solution comes in five different packages, and buyers must be aware that capabilities such as content-aware DLP, bandwidth control, Web 2.0 controls and APT protection are only available in the premium-price packages.

• Dynamic classification of websites is limited to a subset of URL categories (for example, potential legal liability and malware hosting sites).

Vendors Added or Dropped

We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.

Acronym Key and Glossary Terms

DLP      data leak prevention
ePO      ePolicy Orchestrator
GRE      Generic Routing Encapsulation
GUI      graphical user interface
HTTP/S   HTTP over SSL
ICAP     Internet Content Adaptation Protocol
IM       instant messaging
IP       Internet Protocol
PAC      proxy autoconfiguration
P2P      peer-to-peer
SMB      small and midsize business
SSL      Secure Sockets Layer
SQL      Structured Query Language
SWG      secure Web gateway
USG      Unified Security Gateway
UTM      unified threat management
VoIP     voice over IP
WCCP     Web Cache Communication Protocol
Evaluation Criteria Definitions
Ability to Execute
Product/Service: Core goods and services offered by the vendor that compete in/serve the defined market. This includes current
product/service capabilities, quality, feature sets, skills, etc., whether offered natively or through OEM agreements/partnerships as
defined in the market definition and detailed in the subcriteria.

Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an assessment of the overall organization’s
financial health, the financial and practical success of the business unit, and the likelihood of the individual business unit to
continue investing in the product, to continue offering the product and to advance the state of the art within the organization’s
portfolio of products.

Sales Execution/Pricing: The vendor’s capabilities in all pre-sales activities and the structure that supports them. This includes
deal management, pricing and negotiation, pre-sales support and the overall effectiveness of the sales channel.

Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success
as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the
vendor’s history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization’s message in
order to influence the market, promote the brand and business, increase awareness of the products, and establish a positive
identification with the product/brand and organization in the minds of buyers. This “mind share” can be driven by a combination of
publicity, promotional, thought leadership, word-of-mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products
evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include
ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements, etc.

Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational
structure including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and
efficiently on an ongoing basis.

Completeness of Vision
Market Understanding: Ability of the vendor to understand buyers’ wants and needs and to translate those into products and
services. Vendors that show the highest degree of vision listen and understand buyers’ wants and needs, and can shape or
enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and
externalized through the website, advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling product that uses the appropriate network of direct and indirect sales, marketing, service
and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the
customer base.

Offering (Product) Strategy: The vendor’s approach to product development and delivery that emphasizes differentiation,
functionality, methodology and feature set as they map to current and future requirements.

Business Model: The soundness and logic of the vendor’s underlying business proposition.

Vertical/Industry Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of individual
market segments, including verticals.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation,
defensive or pre-emptive purposes.

Geographic Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of geographies
outside the “home” or native geography, either directly or through partners, channels and subsidiaries as appropriate for that
geography and market.

Report Gartner Magic Quadrant For Security Web Gateway 2011 En

  • 1. Magic Quadrant for Secure Web Gateway Gartner RAS Core Research Note G00212739, Lawrence Orans, Peter Firstbrook, 25 May 2011, V3RA1 05272012 The growing malware threat continues to drive the SWG market. Solutions for detecting malware vary widely in sophistication, ranging from basic signature-based to advanced heuristics- based analyses. The market is still dominated by on-premises solutions, but cloud services are growing rapidly. WHAT YOU NEED TO KNOW Anti-malware capabilities should be the most heavily weighted criterion when evaluating secure Web gateways (SWGs). Bidirectional protection (blocking inbound malware and analyzing outbound traffic to detect compromised endpoints) is critical. Organizations that need the most advanced security protection should evaluate solutions that use non- signature-based techniques capable of detecting targeted malware. Organizations that have more basic security requirements can consider solutions that primarily rely on signature- based malware detection. MAGIC QUADRANT Market Overview The Web 2.0 phenomenon and associated malware threats continue to drive the SWG market. Large and small enterprises now understand that they need perimeter-based anti- malware protection, and many organizations seek more granular policy controls for dealing with social networking. The market has responded with a range of options that broadly fits into two categories: on-premises equipment and cloud-based services (also known as “SWG as a service”). Each category includes diverse technology options. For example, on-premises equipment can be architected as a proxy (usually deployed to inspect only Web traffic) or as an in-line solution (deployed to inspect all traffic). The emerging SWG-as-a-service market also presents several architectural options for dealing with important functions such as authentication and traffic redirection. The vendors in the Magic Quadrant represent a broad spectrum of choices in this rapidly evolving market. 
After assessing the SWG solutions in today’s market, Gartner makes the following observations: • Malware detection is the key differentiator in the SWG market. Most solutions provide a “cocktail approach,” which includes traditional reactive techniques such as signature- based malware analysis and detection of known bad Web destinations, along with real- time techniques for detecting new and targeted threats. Site reputation analysis and real- time code analysis that look for common malware techniques in Web code (for example, JavaScript) are the most common approaches. The depth of these techniques varies considerably among solutions.
  • 2. 2 • Strong capabilities for detecting outbound Figure 1. Magic Quadrant for Secure Web Gateway malicious traffic are rare. The ability to detect compromised endpoints, to block challengers leaders their outbound communications to a malicious command-and-control center, and to generate reports are important features for combating malware. • URL categorization is an important market differentiator and should not be regarded as a commodity service. The ability to Cisco Blue Coat Systems ability to execute dynamically classify URLs is an important feature due to the exploding growth of Symantec Websense the Web. Also, language support and Trend Micro McAfee Barracuda Networks Zscaler geographical focus remain significant differentiators. M86 Security Sophos ContentKeeper Technologies • Application control and social media Webroot Actiance policies have become higher priorities Sangfor for enterprises. There are two types of SafeNet Web applications: those that can be Clearswift Cymphonix identified by URL (for example, FarmVille) Optenet and those that use unique protocols and Phantom Technologies client applications (for example, Skype). URL-based applications can be identified and classified, allowing for easy blocking or more granular control. The ability to niche players visionaries block or manage applications such as Skype and instant messaging (IM) requires broader port/protocol inspection and completeness of vision special network traffic signatures. As of May 2011 • Reporting and ease of management, Source: Gartner (May 2011) which vary significantly among vendor solutions, remain important decision criteria for SWG buyers. • Future requirements will focus on protection and control for an (software as a service — SaaS) are growing rapidly, primarily ever-increasing array of mobile devices and non-PC computing in organizations that have multiple distributed gateways, large platforms. 
Interest in data leak prevention (DLP) capabilities percentages of roaming workers, and organizations that are and the protection and management of corporate cloud-based attracted to the ease of implementing SaaS. applications (for example, salesforce.com) is growing, but remains low. • We continue to see very little interest in SWG and firewall integration, although all the major enterprise firewall vendors • Form factor is also an important consideration. Most of the and unified threat management (UTM) vendors have started to solutions in this analysis are hardware-appliance-based. incorporate SWG functionality. We have observed growing interest in virtual appliances. Awareness and market share of solutions delivered as a service © 2011 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner’s prior written permission. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner’s research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. 
Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity” on its website, http://www.gartner.com/technology/about/ombudsman/omb_guide2.jsp
  • 3. 3 Market Definition/Description • Vendors must have at least 50 production enterprise The SWG market includes on-premises solutions and cloud-based installations. SWG-as-a-service offerings. In 2011, we attempted to eliminate single-purpose proxy servers and URL revenue in our market- Added sizing estimates to get a more accurate reflection of the pure SWG market without the weight of legacy point products. Using • Phantom Technologies has been added, due to its growing this analysis, we estimate that, in 2010, the SWG market reached presence in the SMB market. $817 million, a growth of 17% over 2009. The five-year compound annual growth rate is approximately 15%. In 2011, we estimate • Sangfor has been added, due to its strong market position in that the market will grow approximately 17% to just under $1 China. billion. The market is still dominated by the on-premises solutions (approximately 90%), with SWG as a service representing the • Actiance replaces FaceTime Communications (the company remainder of the market (approximately 10%). However, the SWG- renamed itself in 2010). as-a-service segment is the fastest-growing segment (Gartner expects that it will grow 55% in 2011). • Due to improvements made to its appliance-based SWG, The SWG market is rapidly evolving into a segmented market, Sophos now meets our inclusion criteria and has been added to with some solutions optimized for small and midsize businesses the Magic Quadrant. (SMBs) and others optimized for large enterprises. SMB solutions are optimized for ease of use and cost-effectiveness, and provide Dropped security protection against basic threats. Large-enterprise solutions provide protection against more advanced security threats, and • CA Technologies has been dropped. It does not offer an some include the capability to detect targeted threats. independent SWG offering (although its CA Gateway Security solution bundles e-mail and Web security into one solution). 
Inclusion and Exclusion Criteria Vendors must meet these criteria to be included in this Magic Other Vendors That We Considered Quadrant: • St. Bernard Software acquired Red Condor in 2010 and rebranded as EdgeWave, repositioning the company with • The solution must include the core requirements of an SWG: a stronger focus on security and broader delivery models, URL filtering, malware protection and application control. The including cloud-based services. Gartner will reconsider vendor must own the technology for at least one of these EdgeWave for inclusion in the 2012 Magic Quadrant for Secure components. Other components may be licensed from an Web Gateway. original equipment manufacturer (OEM). • Microsoft has informed Gartner that it does not plan to ship • Gartner analysts have a generally favorable opinion, based on another full version release of its SWG product, the Forefront analysis, about the company’s ability to compete in the market. Threat Management Gateway (TMG). The product is effectively in sustaining mode, with Microsoft continuing to ship Service Pack (SP) updates; the next one, SP2, is planned for 3Q11. • SWG products that offer firewall functionality — for example, Microsoft will also continue to support TMG for the standard multifunction firewalls (also known as UTM devices) — are support life cycle — five years of mainstream support and five outside the scope of this analysis. These devices are traditional years of extended support. In the SWG category, TMG will network firewalls that also combine numerous network security become less competitive over time, since Microsoft’s goal is not technologies — such as anti-spam, antivirus, network intrusion to compete head-to-head with other vendors in that space. We prevention system (IPS) and URL filtering — into a single box. 
believe that Microsoft will repurpose TMG technologies in other Multifunction firewalls are compelling for the SMB and branch products and services as part of its overall cloud strategy. office markets; however, in most circumstances, enterprise buyers do not consider multifunction firewalls as replacements for SWGs. Examples of vendors with multifunction firewall • As a next-generation firewall, Palo Alto Networks offers some solutions include Astaro, Check Point Software Technologies, SWG functionality. However, as noted above, this analysis Fortinet and SonicWall. excludes solutions that are primarily firewalls. In “Next- Generation Firewalls and Secure Web Gateways Will Not Converge Before 2015,” Gartner predicts that the evolution of • Vendors that rebrand and sell complete SWG solutions are not complex threats will drive the need for separate network firewall included. For example, Google resells Cisco/ScanSafe. Google and Web security gateway controls for most organizations is not included in this analysis, but Cisco/ScanSafe is included. through 2015. • The solution must integrate with a directory (for example, Active Directory) so that policies may be enforced on a role basis, and so that behavior can be monitored and reported on a per-user basis (as opposed to IP addresses).
  • 4. 4 • The OpenDNS Enterprise cloud offering provides a DNS-based Completeness of Vision URL-filtering solution. It is popular with consumers, school The Completeness of Vision (see Table 2) axis captures districts, some SMBs and other cost-conscious organizations, the technical quality and completeness of the product and but it does not have the enterprise-class reporting features to organizational characteristics, such as how well the vendor be included in this analysis (that is, it does not integrate with understands this market, its history of innovation, its marketing and Active Directory). Gartner will reconsider OpenDNS for inclusion sales strategies, and its geographic presence: in the 2012 Magic Quadrant for Secure Web Gateway. • In the market understanding evaluation, we ranked vendors Evaluation Criteria on the strength of their commitment to the SWG market in the Ability to Execute form of strong product management, their vision for the SWG Vertical positioning on the Ability to Execute (see Table 1) axis was market and the degree to which their road maps reflect a solid determined by evaluating these factors: commitment of resources to achieve that vision. • Overall viability: The company’s financial strength, as well as the • In the offering (product) strategy evaluation, we ranked vendors SWG business unit’s visibility and importance for multiproduct on these capabilities: companies. • Malware filtering: The most important capability in this • Sales execution/pricing: A comparison of pricing relative to the analysis is the ability to filter malware from all aspects market. of inbound and outbound Web traffic. Signature-based malware filtering is standard on almost all products evaluated. 
Consequently, extra credit was given for non- • Market responsiveness and track record: The speed with which signature-based techniques for detecting malicious code as the vendor has spotted a market shift and produced a product it crosses the gateway (in real time), as well as for the range that potential customers are looking for, as well as the size of of inspected protocols, ports and traffic types. Products that the vendor’s installed base relative to the amount of time the can identify infected PCs, identify the infection by name and product has been on the market. enable prioritized remediation also received extra credit. • Customer experience: The quality of the customer experience • URL filtering: Databases of known websites are categorized based on input from discussions with vendor references and by subject matter into groups to enforce acceptable use Gartner clients. and productivity, and to reduce security risks. To displace incumbent URL-filtering products and “steal” allocated • Operations: Corporate resources (in other words, management, budgets, SWG vendors will have to be competitive in this business facilities, threat research, support and distribution capability. Quality indicators — such as the depth of the infrastructure) that the SWG business unit can draw on to page-level categorization, the real-time categorization of improve product functionality, marketing and sales. uncategorized sites and pages, the dynamic risk analysis Table 1. Ability to Execute Evaluation Criteria Table 2. 
Completeness of Vision Evaluation Criteria Evaluation Criteria Weighting Evaluation Criteria Weighting Product/Service No Rating Market Understanding High Overall Viability (Business Unit, High Marketing Strategy No Rating Financial, Strategy, Organization) Sales Strategy No Rating Sales Execution/Pricing Standard Offering (Product) Strategy High Market Responsiveness and Track High Business Model No Rating Record Vertical/Industry Strategy No Rating Marketing Execution No Rating Innovation High Customer Experience High Geographic Strategy No Rating Operations Standard Source: Gartner (May 2011) Source: Gartner (May 2011)
  • 5. 5 of uncategorized sites and pages, and the categorization of • Innovation: This criterion includes product leadership and the search results — were considered. ability to deliver features and functions that distinguish the vendor from its competitors. Advanced features, such as the ability to perform on-box malware detection of dynamic content • Application control: Granular policy-based control of Web- (for example, JavaScript code), and the ability to pinpoint based applications — such as IM, multiplayer games, Web compromised endpoints by analyzing outbound traffic, were storage, wikis, peer-to-peer (P2P), public voice over IP rated highly. (VoIP), blogs, data-sharing portals, Web backup, remote PC access, Web conferencing, chat and streaming media — is still immature in most products and represents a significant Leaders differentiator. We considered the number of named Leaders are high-momentum vendors (based on sales and “mind applications that can be effectively blocked by checking share” growth) with established track records in Web gateway a box on the application category or a specific named security, as well as vision and business investments indicating that application. The ability to selectively block specific features they are well-positioned for the future. Leaders do not necessarily of applications and the presence of predeveloped policies to offer the best products and services for every customer project; simplify deployment were given extra credit. however, they provide solutions that offer relatively lower risk. • Manageability/scalability: Features that enhance the Challengers administration experience and minimize administration Challengers are established vendors that offer SWG products, but overhead were compared. Extra credit was given to do not yet offer strongly differentiated products, or their products products with a mature task-based management interface, are in the early stages of development/deployment. 
Challengers’ consolidated monitoring and reporting capabilities, and a products perform well for a significant market segment, but may role-based administration capability. Features such as policy not show feature richness or particular innovation. Buyers of synchronization between devices and multiple network Challengers’ products typically have less complex requirements deployment options enhance the scalability and reliability of and/or are motivated by strategic relationships with these vendors solutions. rather than requirements. • Delivery models: We analyzed deployment options for Visionaries on-premises solutions and SWG-as-a-service offerings. Visionaries are distinguished by technical and/or product For vendors that offer both deployment options (otherwise innovation, but have not yet achieved the record of execution in known as “hybrid”), we considered the level of integration the SWG market to give them the high visibility of Leaders, or they between the two approaches (for example, the ability to lack the corporate resources of Challengers. Expect state-of-the- manage policies from a unified console). For on-premises art technology from Visionaries, but buyers should be wary of a proxy-based solutions, we evaluated the breadth of proxy strategic reliance on these vendors and should closely monitor their features, including protocol support, Secure Sockets viability. Given the maturity of this market, Visionaries represent Layer (SSL) termination capabilities, and interoperability good acquisition candidates. Challengers that may have neglected with third-party antivirus and content-aware DLP scanners technology innovation and/or vendors in related markets are likely (for example, Internet Content Adaptation Protocol [ICAP] buyers of Visionaries’ products. Thus, these vendors represent a support). For on-premises bridge-based offerings, we slightly higher risk of business disruptions. 
evaluated the solution’s capabilities for packet filtering and the features that it enables, such as bandwidth control and outbound traffic analysis of non-HTTP/S traffic (which Niche Players is used for malware detection). For SWG-as-a-service Niche Players’ products typically are solid solutions for one of the offerings, we considered the options for redirecting traffic three primary SWG requirements — URL filtering, malware and to the cloud provider (for example, virtual private network application control — but they lack the comprehensive features of [VPN], Generic Routing Encapsulation [GRE] tunnels, Visionaries and the market presence or resources of Challengers. proxy chaining and other approaches) and authentication Customers that are aligned with the focus of a Niche Players options (for example, support for Security Assertion Markup vendor often find such provider offerings to be “best of need” Language [SAML]). solutions. Niche Players may also have a strong presence in a specific geographic region, but lack a worldwide presence. • Related investments: We gave minor credit to vendors with related investments, such as e-mail integration and native Vendor Strengths and Cautions content-aware DLP capability. Native DLP capability shows Actiance technical prowess and can be useful in tactical situations; however, integration with e-mail and/or dedicated DLP Actiance was called FaceTime Communications in our previous solutions is a more strategic feature. Magic Quadrants, but transferred the name and trademark to Apple for its video calling application. Actiance is a privately held company, based in California, that has branched out from its start — selling IM security to North American financial institutions — to
  • 6. 6 the broader SWG market. In 2010, the company introduced an • Multiple USG appliances can be clustered to share a database, innovative offering, Socialite, as a module in its SWG for controlling, which then allows for a shared repository of configuration and monitoring, recording and approving corporate social networking reporting for multiple, geographically dispersed USG appliances. participation. Actiance is a good candidate for organizations looking A separate reporting module can also provide for centralized for fine-grained Web 2.0 application controls and social media reporting for multiple USG appliances. monitoring tools. • Customers can choose between two URL-filtering databases. Strengths Actiance’s URL-filtering policy is average, but includes some advanced features, such as a coaching option for soft blocking, • Actiance has strong dashboard and reporting capabilities, custom categories and custom URL additions. Enforcing safe as well as a flexible and scalable object-based policy engine. search on popular search engines (Bing, Google and Yahoo) is The dashboard is fully customizable, and administrators can also available. create their own look and feel, adding virtually any report as a dashboard element. All dashboard elements are hyperlinked to Cautions reports and log data detail. The console also offers a unique, fully customizable heat map dashboard element that enables • Actiance’s biggest challenge is improving its visibility and administrators to visualize traffic and events rapidly. mind share against increasingly larger and more strategic competition. Despite an early focus on this market and a decent • Actiance has its own malware and application research growth rate, it has failed to achieve a significant market share. capabilities, which are combined with malware databases from It needs to rapidly expand its channel partners and client base, GFI Software (which acquired Sunbelt Software in July 2010). 
because it is at risk of becoming a Niche Player in the social Actiance’s Unified Security Gateway (USG) appliance can be network controls or the financial services market. deployed by connecting to a Switched Port Analyzer (SPAN)/ mirror port, can be deployed in line and can also interface with • Actiance’s licensed URL-filtering capability does not offer the proxies via ICAP. When deployed in line, the USG can proxy ability to dynamically classify uncategorized websites. URL- HTTP/S, FTP and traffic from common IM services. filtering updates default to daily, but can be customized to update as often as required. • Actiance has the broadest visibility and controls for Internet applications, with more than 5,000 named applications, • Actiance’s content-aware DLP capability is weak and comes including IM, P2P, anonymizers, IP television, gaming software, at an extra cost from the base license. Its keyword-filtering multimedia, remote administration tools, virtual worlds, VoIP, capability can be used to classify pages, but there is a shortage Web-based IM and Web conferencing. In particular, Actiance of predefined DLP lexicons, and users have to create and fine- offers the strongest control for Skype. A special plug-in to tune their own categorization policies. Skype clients enables it to detect and block malicious URLs within Skype IMs. • Actiance’s log search functionality is weak, and it is difficult to search on or isolate search terms. • Reporting on outbound threats is one of the best in this analysis, and includes specific detailed information on the malware (for example, name, threat rating and more) and links • Actiance relies on signature engines or known bad URLs to Actiance’s Web-based reference sites, spywareguide.com for malware detection, and has limited on-box capability to and applicationsguide.com. dynamically inspect Web pages for malicious intent. 
• Actiance offers archiving capabilities for IM traffic, social • Actiance provides Web content caching on proxies, but does media and HTTP/S traffic (such as Web mail and blog posts). not offer bandwidth quality of service (QoS) options to improve For example, policies can be enabled to control and log all the performance of priority applications. outbound content for Web 2.0 sites, including blog posts and social networking sites, and also for Web mail traffic. Policy Barracuda Networks options include taking a screen shot of the Web page for which Barracuda Networks offers the Barracuda Web Filter — a range the content-aware DLP policy is triggered. The logging can also of inexpensive proxy-based appliances (hardware and virtual) that be triggered by a lexicon match (for example, log all credit card leverages open-source technologies — as well as the Barracuda numbers posted to a social networking site). DLP capabilities Web Security Flex (“Flex”) product, which allows any combination can also be exploited for dynamic content-level blocking of of SWG-as-a-service offerings and appliances. The company offensive text content. enjoys high mind share in the SMB market, due to its focus on the needs of this demographic, extensive marketing and effective sales • The Socialite module provides specific social network feature channel management. It continues to experience solid growth, and controls, preapproved content controls (moderation), and is starting to move upmarket to larger enterprises. Barracuda Web archiving for LinkedIn, Twitter and Facebook. Socialite is Filter appliances are candidates for organizations seeking “set and available as a module for Actiance’s USG or through a SaaS forget” functionality at a reasonable price. option.
Strengths

• The Barracuda Web Filter’s Web graphical user interface (GUI) is basic and designed for ease of use. Deployment is simplified; all settings are on a single page with easily accessible and suggested configuration settings, and contextual help. The dashboard includes a summary of top reports, including infection activity, hyperlinked to the detailed reports. Real-time log information can be filtered by a number of parameters for easy troubleshooting.

• Malware protection is provided by open-source Clam AntiVirus and by in-house-developed signatures. The management console includes optional infection thresholds that can kick off alerts or launch a malware removal tool. Barracuda offers basic content-aware DLP functionality at no extra cost.

• Application controls include a fair number of IM networks, software updaters, media stores, remote desktop utilities, toolbars and Skype.

• Bandwidth quotas can be leveraged to limit resource usage per day or per week.

• The Barracuda Web Filter is one of the most economically priced solutions in this Magic Quadrant, and annual updates are priced per appliance rather than per seat.

• The Flex service component (formerly “Purewire”) provides a very clean and well-organized policy and reporting interface that is simple and logical. All dashboard elements offer a consistent, hyperlinked drill-down into three levels of increasingly granular data. All security protection methods are included in the base price. In addition to using several signature and blacklist-based filters, the Web security service performs numerous advanced security checks, including page analysis, URL reputation, exploit kit detection, JavaScript analysis and bot detection. URL filtering is driven by the Barracuda database.

• Advanced options for Flex include coaching and password-protected bypass with custom blocking pages for each rule. The solution also allows quotas based on connection bytes and time limits. Application control includes several dozen named applications in four categories — browsers, IM, P2P file sharing and streaming media — that are based on request and response headers and traffic signatures. The content-aware DLP capability includes five static libraries/lexicons and SSL scanning by category.

• Redirecting traffic to the service component of the Flex offering is optionally enabled with an on-premises Barracuda Web Filter appliance that caches traffic and provides for on-premises authentication, a Microsoft Internet Security and Acceleration (ISA) 2006 plug-in, and a variety of direct connect and Active Directory configurations. The Flex service also offers a tamper-proof software client for roaming laptop users that enforces remote/roaming traffic through a cloud service.

Cautions

• The Barracuda Web Filter appliance lacks some enterprise-class capabilities for management and reporting. The dashboard is not customizable. It offers only a single administration account and does not support role-based administration. Some policy features, such as file type blocking, are very manual rather than menu-driven, and the overall workflow is feature-based instead of task-based. The appliance can only store six months of data; longer-term data storage or aggregated reporting across multiple boxes requires the Barracuda Control Center. Security threat reporting does not provide any guidance on the severity of a particular threat, nor does it provide links to more detail on the threats. Although the solution saves searched keywords in the log, it is difficult to search the logs for this information or to report on it. It does not offer real-time dynamic classification of URLs.

• Barracuda uses open-source databases for URL and antivirus filtering (Sourcefire/Clam AntiVirus), supplemented with Barracuda’s own research labs. However, Barracuda Labs is still relatively small. It does not offer any other third-party anti-malware engines. Real-time analysis of Web threats is limited in the appliance-based solution.

• The Barracuda Flex offering still needs to mature to compete against the more established vendors in this space. The management interface is missing some enterprise options, such as expansive role-based administration, customization of dashboard elements, quick links to tasks, and full policy administration audit reporting. Security threat reporting would be improved with more inspection methods to detect outbound threats, more information such as severity, and more detailed information about specific threats. Reporting is very basic and could be improved with more customization options. Predeveloped reports are too narrow and lack a single management summary report on activity. Log data can only be stored in the cloud, not on the local devices. Barracuda does not offer a zero-client footprint option with transparent authentication. The Flex service only offers an uptime service-level agreement (SLA). It does not support SAML authentication integration. The service does not have a global footprint and currently only has data centers in the U.S., the U.K. and Germany.

Blue Coat Systems

While Blue Coat Systems remains the overwhelming installed base leader in the enterprise proxy market, it faces a number of challenges. It was late with SWG as a service (launched in April 2011). In January 2011, it introduced an appliance, ProxyOne, targeted at SMBs, although Blue Coat must demonstrate that it can build an SMB-focused value-added reseller (VAR) partner channel that is capable of distributing the product. Blue Coat has a new CEO (as of August 2010). With its Mach5 products, Blue Coat also competes in the WAN optimization controller market. Blue Coat’s ProxySG is a very good candidate for most enterprise customers. SMBs that are willing to take the risk on a new appliance can now consider the new ProxyOne.
Strengths

• The ProxySG product is well-tested for scalability and performance in the demanding large-enterprise market, and includes numerous advanced proxy features, such as support for a long list of protocols, extensive authentication and directory integration options, raw policy scripting capabilities, a command line interface, a GUI, SSL decryption, support for ICAP, and centralized management and reporting. The company has one of the largest development and support organizations in this market.

• ProxySG supports nine URL-filtering databases, including its own (Blue Coat WebFilter), and four antivirus engines on its ProxyAV platforms — the most options of any vendor in the market.

• Content-aware DLP support is available via an appliance based on technology licensed from a third party. The appliance interfaces with the ProxySG via ICAP.

• The Blue Coat Reporter provides flexible capabilities to create custom reports, and enables multiple ProxySG products to report log information back to an aggregated log database. Log search functionality is very good and easily allows searching for specific search terms.

• In addition to signature scanning, ProxySG uses a URL database (owned by Blue Coat) to detect known malicious URLs, and has static policy triggers to validate or limit active content (for example, ActiveX controls or Java applets). ProxyAV has limited active code analysis to detect unknown malware.

• Blue Coat ProxySG appliances proxy (that is, they fully terminate and can apply policy to) popular IM services, P2P applications, streaming media protocols, FTP, Telnet, DNS and SOCKS v.4/v.5. Many competing solutions can only proxy HTTP/S traffic.

• Bandwidth management policies can be specified per protocol (for example, streaming media) and can be applied to users or groups. The ProxySG also optimizes bandwidth by stream splitting and caching.

• Blue Coat WebFilter is often one of the least expensive URL-filtering options. Its pricing model is based on a one-time perpetual license fee plus annual maintenance charges.

• Blue Coat’s SSL termination capabilities (via an optional card on ProxySG) enable Blue Coat to terminate and decrypt SSL content and hand it off (via ICAP) to third-party devices, such as content-aware DLP scanners (Blue Coat partners with five DLP vendors), for further analysis.

• Blue Coat offers an endpoint agent (free of charge) that provides URL-filtering support (and application acceleration) for mobile workers on Windows platforms.

• Blue Coat sends uncategorized URLs to its cloud-based WebPulse service for dynamic categorization and malware analysis. WebPulse’s dynamic classification capabilities categorize all URLs, not just those that match a subset of inappropriate URL categories. Some malware may be detected in real time, whereas other malware checks are done in the background and the results are stored in the WebPulse cloud.

Cautions

• Blue Coat must deliver on its SWG-as-a-service offering and demonstrate that it can compete against security services from other cloud-based services, many of which have a head start of two years or more. Blue Coat must demonstrate that its partners can sell its service, and it must also demonstrate that it has the operational expertise to manage a cloud-based service.

• Blue Coat must demonstrate that it can build an SMB-focused VAR partner channel that is capable of distributing the ProxyOne appliance.

• Blue Coat lacks an e-mail gateway — all other SWG cloud providers in this Magic Quadrant own a cloud-based e-mail gateway.

• The ProxySG does not support on-box antivirus. A separate appliance, the ProxyAV, is necessary to perform antivirus scanning.

• The WebPulse “cloud assist” approach, which requires Blue Coat to actively probe suspect websites, can be bypassed by attackers who recognize a request from WebPulse. A sophisticated attacker will know how to respond to Blue Coat (and other “cloud assist” security vendors’ probes) with good content, but will respond to typical end-user Web requests with malicious content. Blue Coat would benefit from more on-box malware detection, as offered by several of its competitors. The WebPulse cloud assist limitation only applies to ProxySG implementations, not to Blue Coat’s SWG-as-a-service offering (the concept of cloud assist does not apply to a cloud-based service).

• Blue Coat cannot monitor all network traffic (which is helpful for detecting outbound malware) in its most commonly deployed proxy mode (known as explicit proxy), but it can be configured in other modes to monitor all traffic.
Cisco

Cisco offers appliance-based SWGs (IronPort S-Series) and cloud-based SWG services (via its 2009 acquisition of ScanSafe). Also, in 2009, Cisco acquired its own URL-filtering database (previously, it had licensed Websense’s SurfControl database), and developed its own reporting capabilities so that its customers no longer needed to use a third-party package (Sawmill). In addition, Cisco offers hosted e-mail services under the IronPort brand. Cisco’s strategy is to develop an integrated Web and e-mail cloud-based security service with a single console that would also manage its IronPort appliances. Currently, these components are not integrated, and each has its own management console, although they do share a common URL-filtering database. Cisco’s IronPort S-Series appliances are very good candidates for most midsize and large enterprises, and the ScanSafe service is a good candidate for all enterprises.

Strengths

• The S-Series provides good on-box malware detection. It also provides parallel scanning capabilities across multiple verdict engines for inbound as well as outbound security and content scanning. Signature databases are offered from McAfee, Sophos and Webroot, and two of these can be run simultaneously. Non-signature-based detection includes exploit filters that proactively examine page content, site reputation, botnet network traffic detection, transaction rules and Cisco-generated threat center rules. The S-Series also uses a mirroring port (SPAN) network interface card for out-of-band traffic analysis to detect evasive outbound phone-home traffic or application traffic. The S-Series is one of the few products that include a full native FTP proxy and SSL traffic decryption.

• IronPort has numerous features to enhance the scalability of the S-Series for demanding large-enterprise needs, including native active-active clustering and centralized management for up to 150 servers. S-Series appliances can support up to 1.8TB of storage with hot-swappable serial attached SCSI (SAS) drives, RAID 10 configuration and RAID 1 mirroring, and six 1GB network interfaces, as well as a fiber option. In addition, the security scanning is enhanced by stream scanning, which enables scanning for larger or long-lived objects without creating the bottlenecks associated with buffer-based scanning.

• The S-Series provides good content-aware DLP functionality with the combination of integrated, on-box data security policies and the choice of advanced DLP content scanning through ICAP interoperability with third-party DLP solutions RSA and Symantec/Vontu. Policy options include the capability to block “posting” to Web-2.0-type sites.

• Application control on the S-Series is very strong, with the ability to identify and block 13,000 Web-based applications. The Traffic Monitor feature enables the S-Series to connect to a port-mirroring switch port, and to detect and block port-hopping applications. Granular control is provided for social networking applications, such as blocking posts to Facebook.

• Customers commented on the ease of deployment in migrating to the ScanSafe service. The graphical dashboard is hyperlinked to filtered log views. The service offers a real-time classification service to classify unknown URLs into a small set of typically blocked categories (for example, pornography or gambling). URL filtering is enhanced with some advanced functionality, such as bandwidth and time-based quotas, and a “search ahead” feature that decorates search engines with URL classifications.

• Cisco provides native support for SAML in the IronPort S-Series and in ScanSafe. The S-Series creates SAML assertions to federate identity from the enterprise to SaaS applications. The ScanSafe service consumes SAML assertions and enables a transparent authentication process for organizations that have already implemented SAML single sign-on solutions.

• ScanSafe SWG as a service offers simple outbound content-aware DLP functionality (dictionary keyword matching, named file detection and preconfigured number formats), and file hash matching can integrate with some enterprise DLP vendors.

• Cisco’s AnyConnect 3.0 client integrates ScanSafe’s agent. Cisco’s large installed base of VPN customers will now have ready access to the ScanSafe cloud (provided they migrate to the 3.0 version of AnyConnect). Using AnyConnect 3.0, traffic is SSL-encrypted from the client to the ScanSafe cloud.

• Cisco’s channel strength should help it ramp up some SWG opportunities. It has enabled all IronPort and Cisco partners to resell the ScanSafe cloud Web security service. Also, Cisco has included IronPort products as a core part of the standard certification for all Cisco security partners.

Cautions

• Cisco needs a unified management console for its on-premises IronPort appliances and ScanSafe cloud services to ease migration for customers that are interested in hybrid deployments.

• The IronPort management console needs improvement for highlighting and investigating infected endpoints. While it reflects the top malware threats that have been detected in the environment, it does not provide a correlated and prioritized malware effects report or dashboard widget that would help desktop administrators track down and remediate potentially infected machines. Also, it does not provide severity information for the threats that it has detected.

• The S-Series is one of the most expensive SWG appliances in the market, and Cisco charges extra for the Cisco IronPort Web Reputation Filters.

• Log search functionality is weak on the S-Series, and it is difficult to search on or isolate search terms. ScanSafe, however, does provide the ability to search on search terms.
• Application control is weak with ScanSafe. Popular applications like Skype, IM and other common P2P applications cannot be controlled with policies.

• ScanSafe lacks bandwidth control capabilities.

• ScanSafe’s content-aware DLP support is weak. Administrators can use basic dictionaries to monitor and alert on text strings, but the solution lacks more sophisticated data detection techniques, and lacks predefined dictionaries and policies.

Clearswift

Clearswift is a veteran secure e-mail gateway vendor with a high profile in EMEA. It has integrated its proxy-based SWG — Clearswift Web Appliance — with its e-mail security solution to provide cross-channel policy and consolidated reporting. Clearswift does not provide an SWG-as-a-service offering. Overall, Clearswift’s primary advantages are its integration with its e-mail solutions and the provision of content-aware DLP across both channels, making the vendor a candidate for existing e-mail customers or EMEA buyers seeking both solutions from the same vendor.

Strengths

• Clearswift offers a clean, logical, browser-based interface for policy development and reporting for Web and e-mail that is easy to use, even for nontechnical users, with lots of context-sensitive recommendations and help functions. Multiple devices can be managed from any machine.

• Policy development for content-aware DLP is very good, and several policy constructs — Sarbanes-Oxley Act, Gramm-Leach-Bliley Act, Payment Card Industry Data Security Standard, U.S. Securities and Exchange Commission, accounting terms and stock market terms — are included. The same policy can be applied to Web and e-mail, and it is possible to intercept and copy/archive Web mail and IM traffic that trigger the DLP policy. Clearswift also provides strong policy audit and printable policy summaries for troubleshooting.

• Clearswift offers good reporting capability. All machines in a cluster are capable of local or consolidated reporting. Reports are active and include a hyperlink drill-down of details. Malware filtering is provided by Kaspersky Lab and GFI Software (which acquired Sunbelt Software in July 2010). It is augmented with some in-house, preconfigured, policy-based code analysis. The Clearswift Web Appliance is capable of SSL certificate validation, decryption and inspection. URL categorization is provided by the RuleSpace database (now owned by Symantec), augmented by real-time dynamic classification of uncategorized sites that would likely be blocked by liability concerns.

• Clearswift offers a good array of form factors, including a dedicated hardware appliance, a “soft” appliance for installation on any hardware, or as a virtual appliance for VMware, and has a native ability to “peer” a cluster of appliances together.

• In 2010, the company brought 24/7 customer support back in-house and built a new support portal. Clearswift also lowered its pricing scheme, moving to subscription-based pricing.

Cautions

• Clearswift remains primarily an EMEA brand, with a growing presence in Japan, but it does not enjoy significant brand recognition in North America. Its SWG revenue growth rate and market share remain very small.

• Malware detection is primarily limited to signatures and only in HTTP/S traffic. Although the solution provides some data on potentially infected machines inside the organization, it is not correlated or prioritized, nor does it have enough information on the suspected threat for quick remediation.

• Although the interface is simple enough to be used by nontechnical users, it is limited in detail for more technical enterprise users. The dashboard offers very limited customization. Reports are not linked to dashboard elements. Although the solution can edit existing reports, there is limited capability to create totally new reports. It does not have extensive role-based management and cannot limit administrative access to specific groups. Log search functionality is weak, and it is difficult to search on or isolate users’ Internet search keywords for investigative analysis.

• Application control is limited to blocking URL destinations (and/or streaming protocols) and file type blocking. It is possible to detect and block specific applications, but it requires the creation of custom rules within the appliance to identify and block based on the specific characteristics of the application found in the HTTP content. It cannot filter or manage evasive applications, such as Skype. It does not offer any bandwidth controls, except limiting file sizes.

• The proxy does not support ICAP or WCCP, and it does not support in-line/bridge mode deployments.

• Considering how long Clearswift has been offering DLP capability, it has not advanced to best-in-class capability, and continues to lack a comprehensive compliance workflow management interface.

ContentKeeper Technologies

ContentKeeper Technologies is based in Australia, where it has many large government and commercial customers. It offers a family of SWG appliances that deploy as in-line bridges. The company maintains its own URL-filtering database, and it provides a choice of third-party antivirus engines that run on the ContentKeeper appliance. It provides its own SWG-as-a-service plan and offers cloud-based e-mail protection through a partnership with Webroot. ContentKeeper is a candidate for organizations seeking URL-filtering capability and signature-based malware detection in supported geographies.
Strengths

• ContentKeeper offers a series of five appliances, the largest of which is based on IBM blade server technology, which ContentKeeper states has a maximum throughput rate of 14 Gbps. The appliances “fail open” due to a high-availability hardware module. In addition to supporting in-line bridge mode, the appliances also proxy SSL traffic and provide decryption capabilities. ContentKeeper provides basic IPS protection through a combination of third-party and internally developed signatures.

• The Advanced Reporting Module (ARM) is an optional solution that provides good graphical analysis of log information, including the option to display data in bar and pie charts. The ContentKeeper appliances can be set to export data to the ARM in real time or on a periodic basis. The ARM may be deployed on the ContentKeeper appliance or off-box. Real-time monitoring and alerting are achieved through the ContentKeeper Monitor package.

• ContentKeeper can dynamically classify unknown URLs.

• ContentKeeper provides a choice of three antivirus engines (BitDefender, Kaspersky and The Last Line of Defense), in addition to internally developed signatures that are included with the base system.

• ContentKeeper provides application control for more than 90 applications.

Cautions

• Malware detection and control are limited. Outbound malware detection lacks detail. It shows which malware-infected websites have been blocked, and provides a link to Google to display more information, but — unlike some other solutions — does not contain severity indicators or detailed information about infections.

• The SWG-as-a-service offering, which is agent-based and primarily targeted at SMBs, provides a limited capability to dynamically inspect Web pages for malicious intent.

• Data from geographically distant gateways is not aggregated in real time. However, real-time data can be obtained from each appliance, and syslog files can be imported from appliances on a scheduled basis to generate reports.

• The URL database needs more granularity. It only supports 32 categories, while most competitors support more than twice as many categories (although custom categories can be added).

Cymphonix

Cymphonix, a privately held Utah-based company, was founded in 2004. The Cymphonix Network Composer is an appliance-based product that is mostly deployed as an in-line transparent bridge, but it can also be deployed as a proxy. Cymphonix licenses malware signatures from GFI Software (which acquired Sunbelt Software in July 2010) and Clam AntiVirus. The URL-filtering database is licensed from RuleSpace and enhanced through internally maintained updates. In 2010, Cymphonix released a new line of appliances with higher throughput to target midsize enterprises. Cymphonix is a candidate for SMBs seeking an SWG with advanced bandwidth management capabilities at a reasonable price. Its ability to detect and block proxy anonymizers (used to bypass URL filtering) makes it a good candidate for the kindergarten through Grade 12 education environment.

Strengths

• Cymphonix offers one of the strongest bandwidth control capabilities in the SWG market. Its bandwidth-shaping policies can be nested within one another for more granular control. For example, users in a particular role can be assigned a maximum of 30% of available bandwidth for an Internet connection. This group can be further shaped so that 10% of its bandwidth is assigned to IM, while 70% is reserved for mission-critical applications. Bandwidth shaping can be performed at a broad level for virtual LANs, IP ranges and Active Directory groups, or at a very precise level down to a specific host media access control (MAC) address or IP address, Web category, specific URL, file type, MIME type, and user.

• The Network Composer includes more than 650 application signatures that can be used to build network policies for blocking or allowing applications. Applications can also be prioritized in terms of relative importance, using the bandwidth control capabilities described.

• Cymphonix offers a series of seven appliances, the largest of which the company states has a maximum throughput rate of 1 Gbps. The appliances can be configured to “fail open.” In addition to supporting the in-line bridge mode, the appliances also proxy SSL traffic and provide decryption capabilities. Cymphonix also offers a useful free network utility that enables organizations to identify rogue and bandwidth-hogging application traffic on their networks.

• The Web GUI is simple and easy to use, and the reporting capability is good. Tabs provide easy navigation to a collection of reports that can be modified, saved and scheduled, and reports provide hyperlink drill-downs that show more details. Policy management is easy to use and includes numerous advanced functions to combine application-shaping and content-control policies to individuals or groups.

• The Network Conductor appliance aggregates log data and centralizes policy management, report generation and policy management for multiple, geographically dispersed Network Composer products.
Cautions

• Although Gartner believes that Cymphonix is growing faster than the SWG market, it remains one of the smallest vendors in this Magic Quadrant, and still has low market share and brand recognition.

• Although the solution can edit existing reports, there is limited capability to create custom reports.

• Non-signature-based malware detection is limited.

• The solution has no ability to block posts to social networking sites.

• Application control is somewhat limited. For example, file transfers cannot be blocked from IM services.

M86 Security

While there is still work to do, in 2010, M86 Security made very good progress converging its various acquisitions into a cohesive product offering and company, while retaining much of the acquired talent and bringing aboard new management to move the company to the next level. M86 offers an appliance-based solution that can be augmented with a virtual server hosted by M86 for roaming users. The company just released a new version (v.10) of the Secure Web Gateway solution (formerly the Finjan solution), as well as the Security Reporter v.3. The combination of these products continues to be a good candidate for security-conscious organizations.

Strengths

• The Secure Web Gateway (based on technology from the Finjan acquisition) is a proxy-based appliance solution (hardware and virtual appliances). It has a native Web-based management interface for policy, configuration and reporting. M86 also offers an advanced consolidated reporting engine in a separate dedicated reporting appliance (from the 8e6 Technologies acquisition). The solution has a number of advanced enterprise features, such as administration roles that can limit visibility into data, audit logs, policy summaries and syslog integration. Policy development is object-oriented and can allow for very detailed policies. M86 Secure Web Gateway benefits from its own URL-filtering database. Policies can block posting to categorized websites (for example, social networks), and provide a limited capability to block some Web applications by name. M86 offers a hosted version of its virtual appliances in four data centers for use by remote access users in supported geographies when they’re off the corporate network. This provides unified management of policies and reporting for on-premises and mobile users.

• The M86 Secure Web Gateway combines standard malware signatures — from a choice of Kaspersky, Sophos or McAfee — with very strong unknown-malware detection based on real-time code analysis, which scans an array of Web programming languages for malicious intent. It has very good capability for stripping or neutralizing the offending threats rather than blocking the entire page, which reduces help desk complaints. It can even block nonmalicious, but potentially unwanted, objects that have been downloaded from Web pages.

• Although the solution offers on-box reporting, larger enterprise customers will prefer to use the more scalable appliance-based reporting engine, which can support log consolidation of up to 32 enforcement nodes and 12TB of data on the largest appliance. The reporting engine is easily customized and provides an extensive collection of predeveloped reports, as well as an ad hoc reporting capability to create new reports. Searching the log is easy to do, and the solution saves user search terms. It also stores transaction IDs that are presented to users via blocked pages, and allows the help desk to quickly isolate events.

• M86 is launching an innovative offering that allows customers to create a custom YouTube portal that is limited to approved content only. The Secure Web Gateway has a zero post policy option that enables “read only” access to selected websites or Web categories to prevent posting to social media or other interactive websites. The solution includes limited content-aware DLP capability, including the ability to detect content in attachments and perform lexical analysis on files and posts across HTTP/S or FTP.

Cautions

• M86 continues to be challenged by addressing the needs of its very diverse customer base, which ranges from SMBs to very large enterprises across multiple industry segments, geographies and product interests. M86 is consolidating its product code base to deliver more integrated and seamless functionality across the product suite. Although growth has accelerated in 2010 and early 2011, the combined company market share over the past five years has been flat in a rapidly growing market. M86 must continue to improve its channel and recover best-of-breed mind share or risk being overshadowed by rapidly improving and more strategic competitors.

• M86’s solutions are clearly still integrating, and the look and navigation are inconsistent. The collection of management interfaces has many different windows and applications that are not consolidated in a single portal. The reporting engine and dashboard on Secure Web Gateway are completely different from the capabilities of Security Reporter, and Security Reporter is an extra cost. Administrative access rights capabilities are inconsistent and uncoordinated across both devices.

• Although Security Reporter provides some data on potentially infected machines inside the organization, it is not correlated or prioritized, nor does it have enough information on the suspected threat for quick remediation. The Secure Web Gateway console has better information than Security Reporter.
• Secure Web Gateway lacks more innovative features, such as dynamic URL classification, page reputation analysis, bandwidth control, advanced content-aware DLP identifiers, and predefined policies and lexicons.

• Bandwidth prioritization is on the road map, but for now, Secure Web Gateway is only able to restrict applications or URLs by time-of-day conditions.

• The M86 Secure Web Gateway has the ability to block or allow IM clients covering AOL, ICQ, MSN Messenger, Yahoo Messenger and Skype, but not to control specific features of these applications. Port-evasive applications require network firewall assistance to force these applications through the gateway for control and monitoring.

• Content-aware DLP capabilities are limited to keyword analysis and do not include predefined policies, dictionaries, or lexicons, nor do they offer much workflow support for compliance officers.

McAfee

McAfee has three SWG solutions: the McAfee Web Gateway (MWG) appliances, SaaS Web Protection service, and its legacy Email and Web Security Appliance. This analysis focuses mainly on the flagship MWG product, which remains a very good candidate for most enterprise customers, especially those that are already McAfee ePolicy Orchestrator (ePO) users. The Web Protection service is a candidate in supported geographies.

Strengths

• The MWG Ajax/Web-based management interface is well-organized, is easy for technical users to navigate and deploy, and offers numerous advanced management features, such as granular role-based administration, data “anonymization,” FTP command filtering, object-oriented policy, native centralized management and user quotas. MWG is now integrated with McAfee’s ePO management platform. MWG has a reporting application that offers tiered administration and ships with the Enterprise Edition of MySQL, or integrates with Microsoft SQL Server or an Oracle Database.

• McAfee has a solid antivirus research team. MWG has strong on-box malware protection through use of the McAfee Gateway Anti-Malware Engine, which uses McAfee’s signature engine as well as real-time code analysis technology that scans a broad array of Web programming languages for malicious intent, and offers optional use of a third-party antivirus signature engine from Avira.

• MWG includes several advanced URL-filtering policy features, such as progressive lockout, which senses multiple bad URL requests and locks out Internet access. Bandwidth quotas, coaching and soft blocking are also available. MWG offers integrated IM proxy functionality to block and control IM, and provides granular control of the posting of content to Web 2.0 sites.

• MWG includes SSL decryption, which will combine well with McAfee’s strong, native, content-aware DLP capability.

• In addition to its standard appliances, MWG is also available as a virtual appliance and as a Blade Server form factor.

Cautions

• McAfee hasn’t significantly expanded its market share in the SWG market since the Secure Computing acquisition, and it does not show up on Gartner client shortlists as often as we would expect, given McAfee’s channel reach.

• McAfee still has a lot of work to do to integrate ePO with its DLP, e-mail and endpoint solutions to deliver the security and deployment advantages of a single solution. Although McAfee is a major DLP solution provider, DLP capabilities across the three SWG products are inconsistent, and integration with enterprise DLP is still a work in progress. Also, there is no meaningful coordination between the SWG product line and the McAfee Endpoint Protection Platform (EPP) client.

• Hybrid integration between the SWG-as-a-service offering and the MWG appliance is still a work in progress; currently, the integration consists of the URL categorization engine, the same McAfee signature antivirus engine, the same Gateway Anti-Malware Engine, the same Global Threat Intelligence network, and report consolidation via McAfee’s Web Reporter.

• MWG does not provide a correlated and prioritized malware effects report or dashboard widget that would help desktop administrators track down and remediate potentially infected machines inside the organization.

• MWG’s management features are still maturing. The product does not offer dynamic classification of content in unknown sites beyond the security risk analysis. Some commands can only be executed via a command line interface, and some changes require a server reboot. The dashboard cannot be customized, and it lacks a good raw log search capability. Also, the policy change audit log is very basic.

• Consolidated and advanced reporting functions require Web Reporter, which is a separate application with a different look and feel from the management interface, and it does not have hyperlinks from the dashboard logs or reports on the appliance. The basic Web Reporter version is included with MWG; however, the premium version is required for advanced features, such as delegated administration and ad hoc reporting. The number of canned reports is low, and some reports do not have obvious features, such as pie graph options. Some customers have complained about the scalability of the reporting interface.

• The SaaS Web Protection service lacks enterprise features and the global reach of the leaders in this space because it only has eight data centers. McAfee’s clientless transparent authentication only records IP addresses for reporting (rather
  • 14. 14 than user names). It does not offer transparent authentication Cautions for mobile devices. Only mobile devices that accept proxy settings and VPN clients are supported. SaaS Web Protection • Optenet has a very small market share that is primarily only offers an uptime SLA, and it does not yet support SAML centered in Southern Europe and Latin America, but it has for directory integration. little brand recognition or presence in other markets. It has a development and sales presence in the U.S., but expansion Optenet into the U.S. market has been very slow. Although the company Optenet is a private company that was spun off from the University has many small enterprise customers, the solution’s primary of Navarra’s Engineering Faculty and San Sebastian’s Research advantage is multitenancy support that appeals primarily to Centre in San Sebastian, Spain. It provides its customers with telecommunications companies and large enterprises seeking to a multitenant SWG, the Optenet WebSecure (that is, it enables deliver MSSP-type service solutions to their clients. service delivery to multiple customers using shared infrastructure), and an e-mail infrastructure solution primarily for carriers, managed • Log search functionality is weak, and it is difficult to search on security service providers (MSSPs) and large enterprises that or isolate search terms. want to create service offerings for their own clients. Optenet is a candidate for large organizations and service providers that plan on delivering a multitenancy SWG. • Optenet provides a unified policy management console that includes firewall and IPS functions. Policies have the same Strengths structure, which simplifies administration. However, the inclusion of some firewall and IPS-specific configurations in the management policy can cause some confusion for SWG • Optenet’s Ajax-based dashboard and management interface is customers. 
Moreover, few of Optenet’s customers use Optenet the same for Web and e-mail solutions. It is very customizable, WebSecure as a primary firewall or IPS. enabling users to add different reports in numerous combinations. Hyperlink drill-downs allow fast movement from the dashboard into active reports and log data. Most report • Application control is good for client applications, such as P2P, elements can be right-clicked for context-aware options. Role- and it supports the capability to create custom filters using based management includes four roles. Policy auditing and firewall rules or custom URLs, but it would benefit from more policy review capabilities are very good. Optenet also offers a predefined application controls. command line interface and direct policy script editing for more proficient users. • Optenet has the capability to create custom filters to effect some content-aware DLP functionality, but it does not include • The solution can be deployed in bridge and proxy/cache any predefined content or DLP workflow. mode or WCCP and ICAP, and provides malware filtering for HTTP/S, FTP, POP, SMTP and MMS on a variety of platforms, Phantom Technologies including Crossbeam Systems and Linux (Red Hat), as well Phantom Technologies, a privately held company based in San as appliances. Optenet also offers a full client that does local Diego, is a new entrant in this Magic Quadrant. Its proxy-based filtering for malware and URL policy, and is synchronized with iBoss Web-filtering solution is available as a family of appliance- on-premises appliances. based platforms. Phantom owns its URL-filtering database. More than 95% of its customers are in North America. iBoss is a • Optenet augments Kaspersky, Sophos and Snort, with its candidate for organizations that are based in North America. own security analysis for emerging threats. Outbound threat reporting includes a severity indicator in a graphical format. 
Strengths • Application control includes numerous named applications • iBoss includes a unique autorecord feature (up to three detected via network signature detection. The solution also minutes) that enables a video playback for a sequence of offers bandwidth management and QoS features, as well as events. Organizations can customize the event that triggers a good network analyzer that provides network application the autorecord feature. The capability can be used to confirm visibility. intentional versus unintentional user violations. • URL filtering is provided with Optenet’s own URL database, • Log search capabilities are strong. Search engine requests are which is augmented by a dynamic categorization engine. SSL highlighted clearly in the log (for example, Bing, Google, Yahoo decryption enables dynamic classification of encrypted content. and YouTube), and the actual text string entered by the user is Spanish URL categorization, in particular, is strong. It also has stored and can be easily searched. an image analyzer for pornography detection. • Bandwidth controls are very flexible. Bandwidth quotas can be • Optenet is very attractively priced. applied to a specific organizational unit in Active Directory, and they can also be assigned to a specific domain.
  • 15. 15 • iBoss provides application control for popular IM services and • Application controls are above average and include an extensive some P2P applications. list (nearly 600) of potentially unwanted applications. eSafe also supports blocking IM file attachments and enforcing acceptable browser types. eSafe provides basic content-aware • Reporting capabilities are strong, particularly the ability to DLP protection with consistent policies across e-mail and Web create custom reports. The reporting tool includes some unique traffic. It can monitor, log and alert on files attempting to leave features aimed at executive management, such as calculating the organization, and it supports archiving of outbound content the hourly cost of using the Web. for investigative purposes. Cautions Cautions • Malware detection capabilities are limited. Snort rules and • eSafe continues to struggle with brand awareness, especially in Clam AntiVirus are used to detect problems and trigger alerts, North America, and overall with its SWG product mind share, but Phantom only has limited resources (a small team of and growth is slower than the overall market. researchers) to develop its own signatures. • SafeNet’s strategy of combining the eSafe SWG with encryption • Phantom’s non-signature-based approach to malware detection and identity and access management is unique, and although is very limited. these are some of the components of an enterprise data security program, very few enterprises consider these domains • Although the solution provides some data on potentially together when making purchasing decisions. eSafe lacks many infected machines inside the organization, it is not correlated enterprise-class, content-aware DLP features. or prioritized, nor does it have enough information on the suspected threat for quick remediation. • Despite significant improvements in the management interface and reporting engine, some enterprise features are still lacking. 
• Uncategorized URLs are not classified in real time. They are The dashboard is not customizable, and with the volume of sent for classification to one of two data centers (New York reports available, it would be beneficial to have a “favorites” tab. and Los Angeles), and the results are pushed out to the iBoss installed base of appliances. The process can take several • Policy creation is not object-oriented and will be difficult to scale minutes. for organizations with numerous policy exceptions. SafeNet • Policies for establishing time usage quotas are limited. SafeNet targets the SMB market with its appliance-based eSafe Web Security Gateway solution, which is part of the company’s Enterprise Data Protection (EDP) strategy. This approach combines • Although the solution provides some data on potentially encryption and multifactor authentication with the SWG and its infected endpoints, it is not correlated or prioritized, nor does native, content-aware DLP capability. SafeNet moved into the it have enough information on the suspected threat for quick Niche Players quadrant (from the Visionaries quadrant) in 2011, remediation. primarily due to its SMB focus and some product shortcomings, as noted below. The eSafe solution is a candidate for midmarket Sangfor enterprises in supported geographies. Sangfor is a new entrant in this Magic Quadrant. It is a network equipment vendor based in China, and its 2010 revenue was Strengths approximately $50 million (according to U.S. accounting standards). Sangfor states that 55% of its revenue comes from its SWG • The dashboard has extensive information in a graphical format products, and the remaining revenue comes from its VPN, WAN with hyperlinked drill-down into detailed report information. The optimization controllers and application delivery controller products. 
reporting engine contains more than 240 predefined reports, Sangfor’s SWG is a proxy-based solution that comes in a hardware including graphical end-user activity reports. Incident analysis appliance form factor. All the company’s revenue comes from the is easy with strong log file search functionality and drop-down Asia/Pacific region, although it has goals to compete globally in pick lists of potential search terms. 2011 and beyond. Sangfor has two versions of its Web-based console — a Chinese version and an English version. Features and enhancements are added to the Chinese version first, followed • Due to its merger with Aladdin Knowledge Systems in 2009, by the English version at a later date. Sangfor is a candidate for SafeNet has strong malware-filtering capabilities, including organizations that are based in China. in-memory code emulation for analyzing suspicious code, vulnerability shielding, script analysis, active content policy options and SSL decryption. SafeNet offers an optional Kaspersky engine. The eSafe Web Security Gateway solution is usually deployed as an in-line bridge, allowing it to see all network traffic, but it can also function as a proxy.
  • 16. 16 Strengths Sophos Sophos, a leader in the enterprise endpoint protection platform • Sangfor provides flexible and granular bandwidth control (EPP) market, is gradually improving the features of its hardware capabilities. For example, utilization parameters can be specified appliance and virtual appliance SWGs to appeal to larger enterprise for uplink and downlink traffic. customers. Ambitious management has resulted in company growth and geographic expansion from its European base to the North American and global enterprise markets. Sophos is • Basic content-aware DLP functionality is performed on box. a candidate for SMBs seeking simple management and policy Several preformatted dictionary templates are included (some capabilities with good security. are specific to the Chinese market), and organizations can create their own keyword-based custom DLP policies. Strengths • The URL-filtering database will appeal to Chinese customers, • Sophos is an established player in the malware detection since 80% of its entries are Chinese URLs. Sangfor plans to market, and the Sophos Web Appliance (SWA) uses Sophos’ offer an English-based URL-filtering list in 2011 via a partnering Behavioral Genotype technology to detect previously unknown agreement. malware by performing a pre-execution analysis of all downloaded code, including binary files and JavaScript. Sophos • For antivirus support, organizations can choose from F-Prot or also provides increasing integration with its endpoint solution. Sophos (both via an OEM agreement). Today, it offers client-based URL protection from malicious websites. Future offerings (due in 1Q12) will provide full Web • Sangfor’s application signature database lists more than 600 policy filtering at the endpoint, using cloud services to provide entries, including gaming, IM and P2P applications. live URL lookups and policy synchronization. 
• Sangfor has a large distribution channel in China, with more • Sophos provides very simple products to understand and than 300 resellers and 25 distributions in large cities and most manage. The management interface provides “three clicks provinces. to anywhere” navigation. SWA is very easy to set up, with automated network and directory discovery, contextual help functions and simple to understand policy configuration. Cautions Sophos even optionally monitors customers’ appliances and provides proactive assistance for critical conditions (for • Although the solution provides some data on potentially example, disk failures, overheating and power issues). infected machines inside the organization, it is not correlated or prioritized, nor does it have enough information on the • Security URL classification is supplied by SophosLabs and suspected threat for quick remediation. augmented with SurfControl URL categorization data provided by Websense. • The appliance lacks a hardware SSL accelerator. • SWA offers very good log search capability, including the ability • The proxy does not support ICAP, thereby limiting its capability to search for groups of keywords used in Google and other to send content to third-party scanners (such as DLP sensors searches, and isolates search terms in reports for clarity. In or antivirus scanners). addition, SWA has a completely ad hoc reporting capability to create totally new reports, which is also very good. • The English version of the Web interface lacks the capability to customize the dashboard. However, the dashboard of the • Sophos continues to have a strong reputation for support and Chinese version can be customized. service from customers and its channel. • The English version of the URL-filtering database lacks the • Full inspection of encrypted HTTPS content and sessions is capability to dynamically categorize unknown URLs. 
However, supported for all modes of deployment, including explicit proxy, the Chinese version of the database does have this capability. transparent, WCCP and bridged modes of deployment. • The process of combining reports from various geographically Cautions distant gateways into a single report is difficult. The data cannot be viewed in real time because of the manual process involved • Sophos has been gaining momentum in this market in recent with exporting data from each gateway. years; however, its growth is mainly in the sub-1,000 seat level. It still doesn’t appear often in hotly contested large enterprise deals. It needs to improve its marketing message and its product to gain more recognition among midsize to large enterprises.
  • 17. 17 • Sophos is still missing some enterprise features, such as support SLAs, and customers give it high marks for service and dashboard customization, limitations on log visibility and support. comprehensive audit logs. Role-based administration is on its road map for mid-2011. Sophos also lacks advanced Web • Symantec.cloud recently added usage quotas and expanded management features, such as bandwidth and application the management interface languages (now English, German controls, while features such as blocking social posts (for and Japanese). It has decent reporting capability that includes example, in Facebook) and streaming media controls may not flexible, ad hoc reporting with easy custom group creation. provide sufficient granularity for some enterprises. Malware is filtered with Symantec’s own antivirus scanner as well as the F-Secure engine, and augmented by MessageLabs’ • The URL-filtering feature does not provide dynamic Skeptic malware filters. The Websense URL database has been classification, except for anonymizer proxy sites. replaced with Symantec’s own solution (from the RuleSpace acquisition), which offers limited dynamic classification for 15 types of typically blocked categories. Symantec also recently • Consolidated policy management and reporting across multiple released the “Smart Connect roaming agent,” which forces appliances require Sophos Management Appliances. traffic to the nearest data center. • Although the solution provides some data on potentially • The appliance-based Symantec Web Gateway is most infected machines inside the organization, it is not correlated commonly deployed as an in-line bridge (it may also be or prioritized, nor does it have enough information on the deployed out of band, on a mirrored port), which enables suspected threat for quick remediation. bidirectional malware scanning of most ports and protocols, and provides for simple network implementation. 
Scale is • Signature-based malware detection is limited to the Sophos achieved by correctly sizing the appliance for the network (up to engine. Some organizations may want to increase the diversity 1 Gbps), or by using a load balancer to deploy multiple boxes of signature-based protection by using different signature to get beyond 1 Gbps. In-line deployment allows for very broad, engines in the gateway and on the desktop. protocol-level application control with binary control (blocking/ allowing) and policy control of a large number of named • Although Sophos has some native DLP capability in the applications, such as P2P, IM, games and remote access. endpoint, it has not transferred that technology to the Web gateway solution, and it does not provide ICAP support for DLP • Symantec Web Gateway has strong management interfaces. integration. Policy creation is done on a single-page view with intelligent options based on previous selections. The dashboard and • Sophos does not yet offer a native method to apply policy and reporting interface are also strong. Most notable is the reporting protection to mobile and off-LAN devices. A client for Windows emphasis on outbound traffic that indicates the presence devices is due in 2011; however, it is integrated into the full of specific malware, the severity and type of the threat, and Sophos EPP client. quick access to more detail. Dashboard data is hyperlinked to relevant reports and logs with granular details (for example, geolocation data, search terms, file names/types and cross- Symantec referencing to aid investigative analysis). Symantec Web Symantec has two offerings in the SWG market: the Symantec. Gateway provides a centralized server for configuration and cloud SWG as a service (formerly MessageLabs) and the Symantec consolidated reporting, as well as long-term storage of log Web Gateway appliance. Symantec.cloud is the foundation for data. 
Symantec replaced the Sophos and GFI Software (which Symantec’s cloud-based solutions, which also include secure acquired Sunbelt Software in July 2010) scan engines and e-mail gateway, archiving and disaster recovery, as well as hosted remediation tools (previously licensed by MI5) with its own endpoint protection management and backup services. However, scan engine and URL blacklist, while retaining MI5’s network integration between these two SWG offerings is lacking. Symantec. traffic detection techniques, botnet, malware phone-home cloud is a candidate for customers seeking a simple-to-use, detection, and inbound content inspection. Threat intelligence service-based solution, especially if they are also interested in and rule creation have been transitioned to Symantec’s Global secure e-mail gateway security services. Symantec Web Gateway Intelligence Network and Security Technology and Response is a candidate for customers seeking a scalable, in-line appliance teams. The URL database is still licensed from IBM, but we SWG, or for those looking to augment their existing proxy solutions expect this solution to adopt the RuleSpace data in 2011. with better security and application control. Cautions Strengths • Symantec has been very careful not to disrupt the • The Symantec.cloud Web GUI has the same simple and easy- MessageLabs business as a result of the acquisition, and to-use interface as the e-mail and IM security services, making despite the new branding as Symantec.cloud, it continues to it a good choice for customers seeking multiple services. operate relatively independently. We anticipate that this will Symantec.cloud has 10 data centers for the Web security continue; however, the pressure to integrate back-end functions service. The service offers strong antivirus, latency, uptime and will be strong and could potentially increase performance risk.
  • 18. 18 • Integration between the Symantec.cloud, the Symantec Web Trend Micro Gateway appliance, the Symantec Endpoint Protection Client Trend Micro has a long history of focusing on antivirus for the Web and the Vontu DLP platform is still limited. gateway market. As a result, it has a respectable market share with global enterprises. InterScan Web Security Virtual Appliance • Symantec did not increase the global data center footprint (IWSVA) is offered only in software solutions for virtual servers or or management interface localization as aggressively as bare metal installations. However, the company has not sufficiently anticipated, and now finds itself behind several competitors in invested in advanced features that differentiate its SWG offering global reach. and allow it to break into the Leaders quadrant. Trend Micro is a candidate for SMBs that already have a strategic relationship with the company. • The MessageLabs services have suffered from slow feature development to enhance the management interface, especially Strengths for a service provider. The dashboard and reporting features haven’t changed significantly since 2010, and customers have said that reporting needs significant improvement. Reports • The management benefits from a very customizable Adobe Flex are relatively static and do not allow for drill-down and drill- dashboard environment and a significantly improved Advanced up capabilities, log search is not possible in the management Reporting and Management solution. New customized reports interface, and it does not allow restrictions on what group can be created using open-source iReport and added as a data is visible to administrators. Outbound malware reporting dashboard element or in completely new tabs. Dashboards is minimal and does not yet show severity indicators or threat provide quick, hyperlinked drill-down into detailed and details. Links to Symantec’s threat library and correlated data searchable logs. 
In distributed environments, a centralized showing high-risk PCs would be improvements. The service Advanced Reporting and Management solution instance can only supports relatively simple policies and does not allow act as a consolidated reporting engine/database and remove conditions, which means it takes several rules to create granular a task from the scan engine to improve and consolidate local policy. The URL policy would benefit from advanced options, performance. The solution can redact user names from reports such as self-authorization and coaching. Application control and restrict administrators’ visibility to managed groups. is very limited and based only on URL destination rather than network/protocol signatures; also, it has only a very limited • Policy development and configuration are easy to use and number of named applications for use in building policies. It provide a powerful scripting capability that can be used to block does not offer SAML directory integration. actions such as social network posts or file transfers. • Signature-based malware detection is limited to the Symantec • Malware detection is provided by Trend Micro’s signature detection engine. Some organizations may want to increase database, script analysis, and a reputation service that is the diversity of signature-based protection by using different provided by its in-the-cloud Smart Protection Network. Trend signature engines in the gateway and on the desktop. Micro’s Damage Cleanup Services can provide remote client remediation for known threats. IWSVA offers a quarantine • Symantec Web Gateway’s unique design may cause problems disposition action for parking suspicious files or blocked FTP file for some larger enterprises. For example, it is difficult to types. Suspicious files can be automatically sent to Trend Micro add users to multiple policy groups, and the dashboard is labs for analysis. not customizable and does not integrate with less common directory environments. 
Symantec Web Gateway does not • Trend Micro offers its own URL categorization database. It also proxy applications or offer a cache; although it was on the offers time of day and time and bandwidth quota policy options. road map for 2010, it will not be delivered until the first half of Application control includes some P2P and IM traffic types that 2011 (currently, it is in public beta). Symantec Web Gateway are detected by network signatures. application control can be improved by blocking social networking and blog postings, and by using granular Web application function control. The solution would benefit from • Total cost of ownership is improved with Trend Micro’s use the IM control capability that Symantec acquired from IMlogic of its software virtual appliance platform, which allows a bare — which is currently in the e-mail gateway. SSL decryption metal install on customer-owned hardware or on VMware ESX/ is still missing; although it was on the road map for 2010, it Microsoft Hyper-V. IWSVA has multiple deployment options will not be delivered until the first half of 2011 (currently, it is including ICAP, WCCP, transparent bridge, and forward and in public beta). Advanced policy options (such as coaching or reverse proxy with automatic policy synchronization across self-authorization, time and bandwidth quota, or bandwidth rate clusters. shaping) are missing.
Cautions

• Despite Trend Micro’s history in this market, it has failed to lead the market with enterprise-class features. This has allowed its more aggressive competition to steal mind share, particularly in large enterprises. IWSVA tends to be a suite component add-on, rather than a product that the channel will lead with, and we rarely see IWSVA in hotly contested large-enterprise deals. Trend Micro needs to invest in advanced product features if it wants to regain momentum in the SWG market.

• IWSVA is software-based and does not offer an SWG hardware appliance or an SWG-as-a-service solution. There is no native capability to protect and manage the Web traffic of off-LAN devices.

• IWSVA solutions are still lacking in numerous large-enterprise features, such as advanced role-based administration, policy summaries and synchronization with multiple different directory solutions. Bandwidth control is limited to quotas only. The malware detection report lacks severity indicators to enable prioritized remediation. Although the solution can edit existing reports, it cannot isolate search keywords in logs or reports. It does not offer dynamic classification of URLs.

• Application control is limited to binary blocking of some P2P, IM and URL categorization blocking. Policies to block specific applications or application features require a high level of understanding of the application specifics and are relatively coarse. Trend Micro does not have any SWG DLP, although it does offer an endpoint content-aware DLP solution.

• Signature-based malware detection is limited to the Trend Micro engine. Some organizations may want to increase the diversity of signature-based protection by using different signature engines in the gateway and on the desktop.

Webroot

Webroot, which is well-known for its endpoint spyware protection solutions, has a rapidly growing cloud-based SWG and secure e-mail gateway (SEG) offering. Webroot is a candidate for SMBs seeking service provider options in supported geographies.

Strengths

• HTTP traffic is redirected to Webroot’s cloud via a local proxy or firewall settings, a client proxy setting or a client software agent. The mobile client is easy to use and configurable via the cloud-based centralized management console.

• In 2010, Webroot acquired URL classification vendor BrightCloud, which provides URL classification, website reputation and security risk analysis.

• The Web management interface provides centralized management of Web and e-mail services, is user-friendly and can be administered by nontechnical users. The graphical view of its SWG URL-filtering policy is especially easy to understand. It provides a granular role-based administration rights capability, and good role-based policy and policy audit logs. Log search capability is also very good. Log data includes the search term and query string and has a link to the search results, which is a good feature to help understand user intent.

• Policy options include blocking certain files by type and size, and a soft block function that enables users to visit a blocked category for a certain length of time. Quota-based policies can be configured to limit the amount of bandwidth used in a specified time window. The URL filtering provides an anonymous proxy detection capability.

• Malware protection is provided by Webroot and a Sophos malware signature database. Nonsignature threat detection capabilities include an anti-phishing engine, client Web application vulnerability scanning, as well as heuristic-based outbound attack analysis. Webroot has had considerable experience with and a strong track record in the area of Web-borne malware detection, which has been the company’s focus since its inception in 1997.

• The service provides security warnings and URL categorization icons on search results pages (Google, Yahoo, Bing and Ask.com) to warn users of unsuitable links in search results.

Cautions

• Webroot has had initial success in the SMB market (fewer than 1,000 seats), but has failed to get the attention of larger enterprise customers. It needs to improve its enterprise feature set and expand its global footprint and channel to break out of the SMB niche. Although Webroot has done a good job of catching up to the state of the art in the management console and feature set, it has not yet distinguished itself with any outstanding differentiated feature that would move it into the Visionaries quadrant.

• The dashboard is very basic and static, with little customization. There are no hyperlinks to drill down into the detail from dashboard elements. There is no ability to create ad hoc reports, although administrators can change options on the 25 report templates to get different slices of data. Outbound threats are in static reports, but not in real-time dashboard views, and threat information is restricted to threat types or names of known threats. There are no links to malware encyclopedia information or severity indicators. There is no user-readable policy summary for auditing or troubleshooting. Limited customization capability makes it difficult to create regional block pages for global companies. The cloud-based SWG service does not offer SAML directory integration.

• Application control is limited to blocking the URLs of registration servers, and the solution offers no DLP capability.
• The solution does not offer dynamic classification of Web URLs.

• Like other SWG SaaS providers, Webroot’s inbound and outbound malware detection is limited to HTTP traffic types that are redirected to the service.

• Webroot’s agentless solution requires a user name and password combination to authenticate each Web session.

Websense

Websense offers a wide range of options in the SWG market, from basic URL filtering to software and appliance-based SWGs, and cloud-based services for e-mail and Web security. Websense also owns DLP technology, which it offers as a stand-alone solution and also as an embedded option with its Web Security Gateway (WSG) solution. Websense is a very good candidate for most enterprise customers.

Strengths

• Websense has a strong distribution channel that enables it to target large enterprises and SMBs.

• Websense offers a unified console that is capable of managing a hybrid SWG solution (on-premises and SWG as a service).

• Websense owns all the core technology in its products, with the exception of third-party antivirus signatures.

• The Websense WSG provides extensive on-box, non-signature-based methods for detecting malware and advanced persistent threats (APTs).

• The Network Agent component, which is positioned on a port-mirroring port, analyzes all traffic on a network segment, which enables Websense to monitor non-HTTP traffic for malware detection. Many organizations use this feature to set and enforce policies for P2P applications and other undesirable traffic.

• The Websense Triton solution’s management console is one of the best in the market and is consistent across all its offerings. Navigation is task-based, and policy creation is intuitive and easy to use. There is a useful, customizable toolbox element that enables common tasks to be consolidated into a single menu. The dashboard includes hyperlink drill-downs into more detailed reporting data. Policy can be developed in a single pane, with extensive parameters and a logical workflow. URL policy parameters are broad and include options such as bandwidth and time-based restrictions for Web surfing.

• In addition to third-party malware signatures and the Websense database of infected URLs, the WSG provides very extensive on-box, real-time malware content analysis to detect suspicious code fragments and other signs of infection.

• Websense’s Defensio technology, which protects blogs and social networking sites from spam, malware and other threats, provides another source of signatures for the ThreatSeeker Network.

• Application control includes more than 150 applications, such as IM and chat, streaming media, P2P file sharing, e-mail and collaboration based on network signatures.

• The acquisition of PortAuthority in 2007 provided Websense with strong DLP technology, which is included in its SWG and enables granular, content-aware policy and reporting. Data detection techniques are complete, and the product includes a broad range of predefined dictionaries and data usage policies.

• For its cloud-based service, Websense supports SAML with its included VMware TriCipher solution integration.

• Websense is one of the few vendors that can offer software, appliances, client software and SWG as a service. Websense software solutions can run on Windows, Linux and Solaris, as well as on numerous third-party network hardware platforms (firewalls and proxies). In addition, Websense has partnered with Crossbeam, Celestix Networks, Resilience and HP for preinstalled solutions.

Cautions

• With only two appliances, the V5K and the V10K, Websense’s SWG appliance family is limited. It needs to broaden this product line and add higher-performing appliances and lower-performing appliances to provide a stronger fit for a range of opportunities.

• Agentless transparent authentication is not supported for mobile users. They must authenticate to the service by providing their e-mail addresses and a Websense-specific password. If a mobile endpoint has the Websense client, then the user will be automatically authenticated and traffic will be redirected to the Websense cloud.

• Some of Websense’s VAR partners are complacent and simply aim to renew traditional URL-filtering licenses, instead of upselling more advanced SWG functionality.

• Although the solution provides some data on potentially infected endpoints, it is not correlated or prioritized, nor does it have enough information on the suspected threat for quick remediation.
Zscaler

Zscaler is a SaaS provider of SWG and SEG services. The company is the only one to separate policy administration, reporting and enforcement, enabling each element to scale independently. Zscaler moves into the Leaders quadrant in 2011 due to the demonstrated success of its unique architecture, rapid feature development, global rollout of enforcement nodes, and impressive growth in numerous global markets among small and very large enterprise clients. Zscaler is a very good candidate for most enterprise customers.

Strengths

• Zscaler’s unique architecture and highly scalable purpose-built enforcement nodes enable fast global deployments. It already has the largest global footprint of data centers (by far) with a total of 50, and it is adding one new location per month in 2011. It also allows for “private node” and “private cloud” deployments for very large organizations, service providers, or organizations in unique geographies.

• Application control includes numerous named applications that can be blocked using a combination of destination URLs and some network signature analysis. Companies under pressure to liberalize productivity filters can allow Web 2.0/social networking page views while blocking posting to these sites, as well as allow optional content-aware DLP, which is adequate for most organizations’ corporate or government-compliance needs. Zscaler offers granular, policy-based control of Web-based applications, such as IM, blogs, streaming and Web mail, including QoS bandwidth control.

• The Flash-based management interface for Web and e-mail services is easy to use, even for nontechnical administrators. Zscaler is strong in the reporting category. Reports are based on live data and allow very rapid drill-down into detailed analysis. Custom reports can be created and run instantaneously. User names can be redacted from reports. Zscaler’s NanoLog technology reduces log size by a factor of 50, enabling very fast reports and longer retention of detailed data. The Analyze tool allows an administrator to set filters on any field and retrieve matching log data in a few seconds, and save views as favorites for repeat queries. Super categories (liability, productivity, bandwidth and malicious) allow faster usage analysis. The dashboard has a unique “compared to industry peers” report, which shows relative data compared with averages for Zscaler customers. Zscaler is the only solution that provides latency statistics for each stage of a round-trip Web request, enabling fast troubleshooting as well as SLA-compliance monitoring.

• The policy manager is easy to use and logical. All policy is user-based and follows roaming users, allowing immediate service at the nearest enforcement node (cloud-based proxy appliance).

• Zscaler has several methods for redirecting clients. It was the first vendor to offer authenticated redirection to the cloud without a software client. Now, it also offers a client-based redirection agent for higher security on unmanaged devices. It also supports standards-based GRE tunnels, and can host customer proxy autoconfiguration (PAC) files. Zscaler also supports SAML for directory integration. Juniper Networks’ SRX, ISG and SSG firewalls provide simple interfaces to connect to Zscaler using GRE tunnels. Zscaler also integrates with Juniper’s Junos Pulse mobile protection solution to connect mobile devices or laptops to Zscaler’s cloud.

• Zscaler offers two levels of security protection. In addition to using several signature and blacklist-based filters, Zscaler has numerous advanced security checks, including page analysis, URL reputation and script analysis. Zscaler provides reporting and policy options to enable organizations to block unsupported or vulnerable browsers, plug-ins or browser versions. Zscaler augments its security coverage with feeds from partnerships with Microsoft, VeriSign, Qualys and others.

• Zscaler customer support continues to get high marks from customers for fast response rates and a very technically knowledgeable support staff.

Cautions

• Zscaler has handled its rapid growth very well so far, but it must continue to invest ahead of demand for customer support. Although it is one of the fastest growing vendors in this market, it lacks the resources of its larger competitors.

• Although its enforcement nodes are widely dispersed geographically, the reporting and policy data resides only in the U.S. and the Netherlands so far, although expansion is expected to follow customer demand for local storage.

• The management interface is missing full customization of dashboard elements. Although it provides some data on potentially infected machines inside the organization, it is not correlated or prioritized, nor does it have enough information on the suspected threat for quick remediation. While providing more than 16 different filters, the log filter functionality lacks the ability to search on or isolate search keywords.

• Not all network devices support GRE tunnels, which is Zscaler’s preferred method of traffic redirection. For example, Cisco’s ASA firewall does not support GRE tunnels, thereby requiring customers to use alternate forwarding techniques or their gateway routers instead of the firewall. Zscaler is in the process of deploying IP security (IPsec) VPN termination capability across its cloud.

• Clientless PAC file redirection can be disabled by users or malicious software, and only redirects traffic from applications (that is, browsers) that use the proxy settings. Evasive client applications, such as Skype and P2P or malware, may not be forwarded to the Zscaler network on clients that rely on PAC files. Zscaler has a client that can enforce proxy PAC file settings, but it does not stop evasive traffic from bypassing the Zscaler network. The new IPsec VPN connection method should alleviate this concern in the future.

• There are no native FTP application controls, but the service supports stand-alone FTP clients as well as FTP over HTTP.

• Compared with its larger competitors, Zscaler only has a limited number of dedicated malware researchers.

• The SWG solution comes in five different packages, and buyers must be aware that capabilities such as content-aware DLP, bandwidth control, Web 2.0 controls and APT protection are only available in the premium-price packages.

• Dynamic classification of websites is limited to a subset of URL categories (for example, potential legal liability and malware hosting sites).

Vendors Added or Dropped

We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.

Acronym Key and Glossary Terms

DLP: data leak prevention
ePO: ePolicy Orchestrator
GRE: Generic Routing Encapsulation
GUI: graphical user interface
HTTP/S: HTTP over SSL
ICAP: Internet Content Adaptation Protocol
IM: instant messaging
IP: Internet Protocol
PAC: proxy autoconfiguration
P2P: peer-to-peer
SMB: small and midsize business
SSL: Secure Sockets Layer
SQL: Structured Query Language
SWG: secure Web gateway
USG: Unified Security Gateway
UTM: unified threat management
VoIP: voice over IP
WCCP: Web Cache Communication Protocol
Evaluation Criteria Definitions

Ability to Execute

Product/Service: Core goods and services offered by the vendor that compete in/serve the defined market. This includes current product/service capabilities, quality, feature sets, skills, etc., whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.

Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an assessment of the overall organization’s financial health, the financial and practical success of the business unit, and the likelihood of the individual business unit to continue investing in the product, to continue offering the product and to advance the state of the art within the organization’s portfolio of products.

Sales Execution/Pricing: The vendor’s capabilities in all pre-sales activities and the structure that supports them. This includes deal management, pricing and negotiation, pre-sales support and the overall effectiveness of the sales channel.

Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor’s history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization’s message in order to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This “mind share” can be driven by a combination of publicity, promotional, thought leadership, word-of-mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements, etc.

Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers’ wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen and understand buyers’ wants and needs, and can shape or enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling product that uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.

Offering (Product) Strategy: The vendor’s approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature set as they map to current and future requirements.

Business Model: The soundness and logic of the vendor’s underlying business proposition.

Vertical/Industry Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including verticals.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

Geographic Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the “home” or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.