Content inspection security technology, led by anti-virus (AV) and intrusion detection systems (IDS), is converging on the network firewall. This research note looks at the trend of firewalls supporting anti-virus across the Small and Medium Business (SMB), large enterprise, and service provider markets.
Firewalls have long provided perimeter security and terminated VPN connections. Yankee Group research shows that firewall and anti-virus products and services accounted for 78 percent of an enterprise's security spend in 2002.
The Yankee Group forecasts that primary responsibility for AV will shift to service provider networks within five years. We expect the first ISPs to offer AV services to subscribers by the end of 2003 as a way to generate incremental revenue. We foresee three phases:
Phase 1: Firewalls redirect mail traffic to a daisy chain of AV gateways. Enterprises often deploy AV products from three or more vendors in the hope that at least one of them catches a given virus or worm. This is the favored solution of the leading enterprise firewall vendors (Check Point, Cisco, Netscreen, Nortel, and Symantec), which route e-mail traffic through Network Associates, Sophos, Symantec, and Trend Micro anti-virus gateways.
Phase 2: Firewalls check the endpoint's registry settings for its AV status (installed product, engine and signature update levels) against security policy before allowing traffic through. This is a popular solution for SMBs and remote offices whose endpoints are exposed to non-corporate networks (ISP connections from home or on the road).
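As an added illustration of the Phase 2 check (example code written for this edit, not code from the original note or from any firewall vendor), the function below evaluates an endpoint's reported AV state against a posture policy and denies by default when that state cannot be read. The field names `vendor`, `engine_version`, `signature_date` and `realtime_enabled` are hypothetical stand-ins for whatever a vendor agent reads from the endpoint registry, and the version and age thresholds in `POLICY` are made-up values; the vendor names are those the note itself mentions:

```python
"""Endpoint AV posture check of the kind a Phase 2 firewall performs.

Added example, not code from the original note or any product. Report field
names and policy thresholds are hypothetical; the sample reports are constructed.
"""
from __future__ import annotations
from datetime import date, timedelta

# Hypothetical policy: which AV products are acceptable, how old signatures
# may be, the minimum engine version per product, and whether on-access
# (real-time) scanning must be switched on.
POLICY = {
    "approved_vendors": {"Symantec", "Trend Micro", "Network Associates"},
    "max_signature_age_days": 7,
    "min_engine_version": {
        "Symantec": (9, 0),
        "Trend Micro": (5, 5),
        "Network Associates": (7, 0),
    },
    "require_realtime": True,
}


def parse_version(text: str) -> tuple[int, ...]:
    """'9.0.3' -> (9, 0, 3). Tuples compare numerically; the raw string would
    compare '10.0' below '9.0'."""
    return tuple(int(part) for part in text.split("."))


def evaluate_posture(report: dict, policy: dict, today: date) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Every missing or unreadable field adds a
    reason, so an endpoint that cannot prove its AV state is denied."""
    reasons: list[str] = []

    vendor = report.get("vendor")
    if vendor not in policy["approved_vendors"]:
        reasons.append(f"unapproved or missing AV vendor: {vendor!r}")
    else:
        try:
            have = parse_version(report.get("engine_version", ""))
        except ValueError:
            have = ()
        need = policy["min_engine_version"][vendor]
        # Pad short versions ("9" -> (9, 0)) so the comparison is by component.
        have = (have + (0,) * len(need))[:len(need)]
        if have < need:
            needed = ".".join(map(str, need))
            reasons.append(f"engine {report.get('engine_version')!r} below required {needed}")

    sig = report.get("signature_date")
    if not isinstance(sig, date):
        reasons.append("signature date missing or unreadable")
    elif today - sig > timedelta(days=policy["max_signature_age_days"]):
        reasons.append(
            f"signatures {(today - sig).days} days old, limit is {policy['max_signature_age_days']}"
        )

    if policy["require_realtime"] and report.get("realtime_enabled") is not True:
        reasons.append("real-time protection not enabled")

    return (not reasons, reasons)


def sample_reports(today: date) -> dict[str, dict]:
    """Constructed endpoint reports covering the cases a firewall will meet."""
    return {
        "compliant": {"vendor": "Symantec", "engine_version": "9.0.3",
                      "signature_date": today - timedelta(days=2), "realtime_enabled": True},
        # A laptop back from a month on the road with untouched signatures.
        "stale_road_warrior": {"vendor": "Trend Micro", "engine_version": "5.5.1",
                               "signature_date": today - timedelta(days=30),
                               "realtime_enabled": True},
        "realtime_off": {"vendor": "Symantec", "engine_version": "9.0.3",
                         "signature_date": today, "realtime_enabled": False},
        # No agent answered: nothing could be read from the registry.
        "no_agent": {},
    }


if __name__ == "__main__":
    today = date(2003, 4, 28)
    for name, report in sample_reports(today).items():
        allowed, reasons = evaluate_posture(report, POLICY, today)
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} {reasons}")
```

The deny-by-default branch matters most for the roaming laptops the note describes: an endpoint with no agent, or one whose registry values cannot be parsed, is treated as unprotected rather than waved through, and the returned reasons give the help desk something concrete to fix.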
Phase 3: Firewalls perform AV scanning before delivering traffic. Because the firewall already has the packets reassembled into a stream, custom ASICs can strip viruses before the message reaches the network. This yields the cost savings of a single point of management for SMBs and the throughput ISPs require. Security improves because all network traffic can be scanned for viruses, not just e-mail.
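Why "the packets reassembled" is the security-relevant detail in Phase 3, as an added example (written for this edit, not code from the original note or any product): a signature scanner that inspects each packet on its own misses a pattern that straddles a segment boundary, while the same scanner run over the reassembled stream finds it, and a reassembler that notices a missing segment can refuse to declare the stream clean. The segments are constructed test data carrying the public EICAR anti-virus test string, which is harmless by design; `reassemble` is a deliberately minimal stand-in for a firewall's TCP reassembly:

```python
"""Signature scanning on a reassembled TCP stream versus per-packet scanning.

Added example, not code from the original note or any vendor product. The
segments are constructed; the only signature is the public EICAR test string.
"""
from __future__ import annotations

# The EICAR test string (raw bytes: it contains a backslash).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

SIGNATURES = {"EICAR-Test-File": EICAR}


def scan_bytes(data: bytes, signatures: dict[str, bytes] = SIGNATURES) -> list[str]:
    """Return the names of every signature whose bytes occur in `data`."""
    return [name for name, pattern in signatures.items() if pattern in data]


def scan_per_packet(segments: list[tuple[int, bytes]]) -> list[str]:
    """Scan each payload in isolation, as a stateless packet filter would."""
    hits: set[str] = set()
    for _seq, payload in segments:
        hits.update(scan_bytes(payload))
    return sorted(hits)


def reassemble(segments: list[tuple[int, bytes]], initial_seq: int) -> tuple[bytes, bool]:
    """Reorder (seq, payload) segments into one byte stream.

    Returns (stream, complete). `complete` is False when a hole is found, i.e.
    a segment never arrived; scanning a stream with holes proves nothing.
    Duplicate and overlapping retransmissions are trimmed."""
    stream = bytearray()
    expected = initial_seq
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if seq > expected:              # gap before this segment
            return bytes(stream), False
        overlap = expected - seq        # bytes we already have
        if overlap >= len(payload):
            continue                    # pure duplicate
        stream += payload[overlap:]
        expected = seq + len(payload)
    return bytes(stream), True


def scan_stream(segments: list[tuple[int, bytes]], initial_seq: int) -> tuple[list[str], bool]:
    """Reassemble, then scan the whole stream. Returns (hits, complete)."""
    stream, complete = reassemble(segments, initial_seq)
    return scan_bytes(stream), complete


def demo_segments() -> tuple[list[tuple[int, bytes]], int]:
    """Constructed SMTP-style message split into two segments so that the
    cut falls inside the EICAR string, delivered out of order."""
    body = b"From: a@example.test\r\nSubject: test\r\n\r\n" + EICAR + b"\r\n"
    cut = len(body) // 2                # inside EICAR for this body
    isn = 1000
    seg1 = (isn, body[:cut])
    seg2 = (isn + cut, body[cut:])
    return [seg2, seg1], isn


if __name__ == "__main__":
    segs, isn = demo_segments()
    print("per-packet:", scan_per_packet(segs))          # []
    print("reassembled:", scan_stream(segs, isn))        # (['EICAR-Test-File'], True)
    print("one segment lost:", scan_stream(segs[:1], isn))  # ([], False)
```

The third call is the failure mode worth keeping in mind when an ASIC is asked to scan at line rate: if the device cannot hold enough state to reassemble, or drops a segment under load, the honest answer is "incomplete", not "clean".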
- The firewall presents a single point for filtering undesirable traffic. A common administrative interface is used for multiple security functions of firewall, VPN, and AV.
- The firewall is optimized to perform at high levels. Vendors achieve high performance levels with custom-built ASICs, such as Fortinet’s, or with larger processors in the appliances, such as ServGate, and Symantec’s.
- An extra layer of AV protection reduces enterprise risk. Anti-virus products are interchangeable when they match on the same signatures, but they vary in their ability to detect new virus strains and to clean infected files.
- A firewall with integrated AV and VPN features is ideal for the SMB and remote office/branch office (ROBO) markets because those sites have limited administration resources.
- The additional performance also makes integrated firewalls well suited for ISPs.
- The integrated firewall requires enhancements to protect laptops connecting to the network. Remote users who connect to other networks (such as a personal ISP account) still require host-based AV to ensure integrity.
- Integrated firewalls provide a redundant layer of AV protection, which has less value for larger enterprises that already run e-mail through a Symantec, Trend Micro, and McAfee gauntlet.
- ISPs do not yet promote anti-virus scanning as an essential Internet service with a predictable revenue stream. Once they do, endpoints can expect AV coverage regardless of whether they connect through a corporate or a public network.
Exhibit 1 positions the three phases against the three markets. In the original exhibit a solid circle denotes a good fit and a hollow circle a poor fit; the table here reproduces the comment attached to each cell.
Exhibit 1. Phases in Consolidating Firewalls and Anti-Virus

| Phase | Vendors | SMB | Enterprise | Service Providers |
|---|---|---|---|---|
| Phase 1: Firewall redirects AV traffic | Check Point | Too expensive for SMB markets | Allows best-of-breed choice for multiple layers of AV | Allows best-of-breed choice for multiple layers of AV |
| Phase 2: Firewall manages endpoint AV | SonicWALL, WatchGuard | Lowers TCO if endpoints travel off the network | Insufficient value with multiple AV vendors deployed | Scales to a very large community of endpoints |
| Phase 3: Firewall consolidates AV | Fortinet, ServGate, Symantec | Lowers TCO if endpoints are tethered to the network | Extra layer of AV defense for an extra layer of expense | Performance supports AV subscription revenue services |

Source: the Yankee Group, 2003
Delivering commodity content inspection services in network devices continues to be driven by cost of ownership. AV and firewall vendors can use subscriptions to gain intelligence on an installed customer base that has been hidden behind tiers of distribution partners, and they will embed AV engines in larger-scale firewalls to generate update subscription revenue.
- Keep solutions simple for SMBs with fewer than 50 employees and for the home-office market. These customers have no IT management, so resist feature creep that adds management complexity.
- Security Service Providers should offer management services combining firewall, VPN, and AV. Total cost of ownership is your mantra.
- Go off-box when it makes sense. Innovations such as anti-spam techniques and Web Services features will be available in software before they mature enough for hardware implementation.
There is no reason for any business that accesses the Internet to go without firewall and anti-virus protection. Enterprises should evaluate the most cost-effective way of getting it.
The Yankee Group originally published this article on 28 April 2003
- Small and Medium Businesses, and Remote Office/Branch Office sites, with mostly tethered desktops should install low-cost integrated firewalls. The Yankee Group recommends products from Fortinet, ServGate, or Symantec for this need.
- SMB and ROBO sites with mostly laptops that connect to foreign networks should install firewalls that also manage desktop AV signature levels. The Yankee Group recommends SonicWALL or WatchGuard for these businesses.
- Internet Service Providers should build revenue-generating AV services for home users and SMBs, using the high performance of custom-built ASICs that lets a firewall clean e-mail for an incremental fee before delivering it to the subscriber.