Magic Quadrant for Intrusion Prevention Systems

16 December 2013 ID:G00253078
Analyst(s): Adam Hils, Greg Young, Jeremy D'Hoinne

VIEW SUMMARY

The network intrusion prevention system market has undergone dynamic evolution, increasingly being absorbed by next-generation firewall placements. Next-generation IPSs are available for the best protection, but the IPS market is being pressured by the uptake of advanced threat defense solutions.

Market Definition/Description

The network intrusion prevention system (IPS) appliance market is composed of stand-alone appliances that inspect all network traffic that has passed through frontline security devices, such as firewalls, secure Web gateways and secure email gateways. IPS devices are most often deployed in-line, and perform full-stream reassembly of network traffic. They provide detection via several methods — for example, signatures, protocol anomaly detection, behavioral monitoring or heuristics. When deployed in-line, IPSs can also use various techniques to block attacks that are identified with high confidence. The capabilities of IPS products need to adapt to changing threats, and next-generation IPSs (NGIPSs) have evolved incrementally in response to advanced targeted threats that can evade first-generation IPSs (see "Defining Next-Generation Network Intrusion Prevention").

This Magic Quadrant focuses on the market for stand-alone IPS products; however, IPS capabilities are also delivered as functionality in other network security products. Network IPSs are provided within a next-generation firewall (NGFW), which is the evolution of enterprise-class network firewalls and includes application awareness and policy control, as well as the integration of network IPSs (see "Magic Quadrant for Enterprise Network Firewalls"). IPS capability is also available in unified threat management (UTM) "all in one" products that are used by small or midsize businesses (see "Magic Quadrant for Unified Threat Management"). In the near term, we will start to see basic IPS functionality being increasingly provided by network advanced threat defense prevention vendors.

Magic Quadrant

Figure 1. Magic Quadrant for Intrusion Prevention Systems
Figure 1.Magic Quadrant for Intrusion Prevention Systems

Source: Gartner (December 2013)

Vendor Strengths and Cautions

Cisco

This section does not include an analysis of the recently acquired Sourcefire IPS line — that is evaluated separately in the Sourcefire (Cisco) section. Cisco has a broad network security product portfolio. It also has stand-alone IPS available in the 4300 (750 Mbps to 2.4 Gbps), 4200 (up to 4 Gbps) and 4500 (up to 20 Gbps) Series appliances, as well as the IDS Services Module 2 switch blade when loaded with its IPS Sensor Software. In addition, Cisco has IPS available for the Adaptive Security Appliance (ASA) 5500-X Series firewalls (via an add-in hardware module for the 5500 Series and the 5585-X), and software-based IPS within Internetwork Operating System (IOS)-based routers and Integrated Services Routers (ISRs). However, this analysis is focused on the stand-alone devices. Cisco has Web and email security gateway products as part of its security product line. The IPS Manager Express is for smaller deployments (up to 10 devices), and Cisco Security Manager (CSM) is for larger or enterprise deployments.

Strengths
  • Enterprises that are already using Cisco network infrastructure or firewall products are familiar with the management and monitoring model, and can leverage single-console management for multiple Cisco products. In addition, IPS can be delivered as part of the infrastructure.
  • Cisco has wide international support, an extremely strong channel and broad geographic coverage. Enterprises that already have a significant investment in Cisco security products, or that use CSM, often consider Cisco IPS as a possible solution.
  • Cisco's Sourcefire acquisition denotes an increased focus on intrusion prevention and advanced threat defense.
  • In 2012, Cisco had the largest market share for specialized IPS appliances (see "Market Share: Enterprise Network Security Equipment and Routers, Worldwide, 2012"). With the addition of Sourcefire's IPS sales, Cisco accounts for approximately one-third of worldwide IPS sales.
Cautions
  • Cisco is showing up less frequently on IPS shortlists, and is not mentioned by IPS vendors as a top competitive solution. This translates into slower growth than the market average.
  • Gartner clients report that Cisco's current IPS management consoles do not score well in shortlist competitions against most leading IPS products.
  • Cisco's IPS innovation has lagged the overall industry's. In our assessment, this is attributable to factors such as increased value-added contextual features from NGIPS competitors, Cisco's lack of focus on network security and advanced targeted attacks (but this was recently jump-started by the Sourcefire acquisition), and replacement by NGFWs. Customers that are interested in advanced threat defense should demand clarity from Cisco regarding its advanced threat road map. While the vendor is showing increased focus on the IPS market, the acquisition of Sourcefire should trigger questions from prospects on existing Cisco IPS technology (see "Cisco Commits to Security With Sourcefire Buy, but Alignment Will Take Time"). The Sourcefire acquisition adds another layer of product selection complexity to an already broad product line.

Enterasys Networks (Extreme Networks)

Headquartered in the Northeast U.S., Enterasys Networks is a networking infrastructure company, acquired in 2013 by Extreme Networks, with security products that include IPS, security information and event management (SIEM), a mobile identity and access management solution, and network access control (NAC). The Enterasys Intrusion Prevention System (also known as Dragon IPS) has in-line sensors that range from 100 Mbps to 10 Gbps of throughput. Enterasys also has a virtual version of the network IPS, host sensors, an event flow manager that is used to consolidate event information from large numbers of Enterasys sensors, and its Distributed Intrusion Prevention System. For large or complex deployments, the Enterasys Dragon Event Flow Processor (EFP) can be used to aggregate event information and report it up to the Dragon Enterprise Management Server (EMS). Enterasys does not have its own firewall, secure Web gateway or secure email gateway products.

Strengths
  • The Enterasys IPS is well-suited for deployment in front of a server farm, or where other Enterasys networking products are in place.
  • Customers rate its technical and overall support highly, and they like its ability to observe and identify anomalous network traffic.
  • Enterasys has a faithful customer base that is willing to stick with the brand for the particular monitoring-oriented IDS use cases it addresses.
  • Acquisition by Extreme Networks has provided Enterasys with a larger networking infrastructure customer base to sell to.
Cautions
  • Gartner continues to see the Dragon product rarely used for in-line blocking, and instead mostly used in IDS detect-only mode. Customers report that Enterasys yields a slightly greater than expected rate of false positives.
  • Gartner rarely sees Enterasys on IPS shortlists, and no vendor listed Enterasys as a top-three competitive threat.
  • Enterasys has not communicated any plans to introduce NGFW capabilities to its platform.

HP

HP is a large, global, broad-based IT and service vendor. It has retained the TippingPoint brand name from the hardware IPS product line, which now includes the NX NGIPS product line. This runs up to 20 Gbps of inspected throughput, and has IPS blades that run in HP networking switches (which are not evaluated here). The software version is the HP TippingPoint Secure Virtualization Framework. HP does not have its own secure Web gateway or secure email gateway products. HP introduced an NGFW in 3Q13, but has a very small market share.

Strengths
  • Customers continue to cite ease of installation as a positive in product evaluations, especially for deployments with many devices.
  • Customers cite good signature quality and painless weekly signature updates.
  • HP has strong channel support, and is carried by most midsize to large security channel players. Customers can benefit from HP's strong channel partner support.
  • The TippingPoint IPS products have a broad model range of purpose-built appliances, and are known for low latency and high throughput.
Cautions
  • While HP has released an NGFW, it has not articulated a strategy for addressing advanced targeted attacks beyond what it has in its NGIPS platform.
  • Gartner has observed HP's placement of TippingPoint as part of the larger Enterprise Security Products group in its Enterprise Software business unit (as opposed to the HP Networking business unit), thereby raising go-to-market and innovation concerns in selling to the network operations buying center.
  • HP tied for the company that is most often replaced by surveyed vendors.

Huawei

Huawei is a large networking infrastructure provider based in Shenzhen, China. In addition to firewall, UTM, anti-distributed denial of service (DDoS) and mobile security solutions, Huawei has shipped its Network Intelligent Protection (NIP) product line since 2004. The NIP platform's inspected throughput ranges from 600 Mbps to 30 Gbps, and multiple devices can be managed separately by NIP Manager software. Huawei does not offer a secure Web gateway or secure email gateway, and has no virtual IPS appliance.

Strengths
  • Huawei's NIP products consistently receive positive end-user and channel-partner remarks on ease of use and configuration.
  • Huawei provides cost-effective IPS that enables adoption in cost-sensitive organizations and carriers.
  • Huawei has a large presence in the fast-growing China and larger Asia/Pacific market, especially in the carrier space.
Cautions
  • Almost all sales are within Asia/Pacific. Potential customers outside that region should demand visibility into Huawei's support plan and equipment replacement turnaround times.
  • No preconfigured compliance reporting is available. Clients and partners mention reporting quality and central management as weaknesses in the Huawei IPS solution, thereby limiting enterprise uptake.
  • NIP does not come in virtual appliance form.
  • Huawei has undertaken significant steps to address concerns about relying on technology developed in China; however, for many prospective customers in the U.S., those problems remain.

IBM

The IBM Security Network Intrusion Prevention System is positioned within a larger security business unit, which includes SIEM technologies, and headed by the former Q1 Labs CEO. Security Network IPS is available in nine models of appliances within the GX Series, with inspected throughput ranging from 200 Mbps to 20 Gbps. IBM recently released the XGS 3100, 4100 and 5100, which incorporate NGIPS capabilities at up to 5 Gbps of inspected throughput. The virtual network security platform is available in a VMware virtual appliance. IBM does not have its own firewall or secure Web gateway.

Strengths
  • In 2H13, IBM introduced the XGS platform, thereby bringing an NGIPS platform to market.
  • In 2013, IBM received positive third-party security effectiveness test results.
  • IBM has a wide sales and distribution network, and customers with a strong IBM relationship are generally pleased with the IPS support they receive.
  • Clients have remarked on IBM's thorough reporting and level of security event detail for event-level drill-down.
Cautions
  • IBM Internet Security Systems' (ISS's) presence on the IPS shortlists of Gartner customers has been low. Many Gartner clients do not perceive IBM as a strategic supplier of network security products.
  • In the Magic Quadrant survey to vendors, IBM and one other company were cited as the most frequently replaced.
  • While 2013 revenue results indicate the beginnings of a turnaround, IBM needs to sustain its renewed focus on the IPS market and technology over time to completely restore buyer confidence, and to exceed the capabilities of competitors' technologies.

McAfee

McAfee was a pure-play security vendor with a large product portfolio across network and desktop security, and has been a subsidiary of Intel since its acquisition in 2011. The McAfee Network Security Platform (NSP) is the stand-alone IPS model line, with single-appliance models that range from 100 Mbps to 40 Gbps of throughput. In addition, McAfee acquired Stonesoft in 2013, which provided another IPS product and an enterprise-ready NGFW. For the purposes of this Magic Quadrant, we are evaluating Stonesoft's technology separately as it transitions into McAfee's portfolio. McAfee also has IPS within the McAfee Firewall Enterprise; however, this is primarily legacy IPS from Secure Computing, and is not within the scope of this Magic Quadrant.

Strengths
  • Clients rate manageability and ease of use extremely well. McAfee's IPS console scores well in competitive selections and independent tests.
  • McAfee's mature NGIPS capabilities can make it attractive to enterprises that are using other McAfee security products.
  • The addition of Stonesoft NGFW will strengthen McAfee's network security posture. Gartner expects McAfee to layer Stonesoft's anti-evasion technology into the NSP platform.
  • McAfee is highly visible on Gartner client IPS shortlists, especially in government markets. It was the vendor listed most often in the survey to vendors regarding their greatest IPS competitor.
Cautions
  • Gartner anticipates that the Stonesoft acquisition may prove to be distracting as McAfee works to integrate a Northern European product team, build a new unified road map, and rationalize three different IPS products across its portfolio.
  • The McAfee brand is known more widely for desktop security offerings, and often isn't perceived by enterprises and channel partners as a strong network security provider.
  • McAfee has not had a virtualized software appliance version of the NSP IPS product until its limited-availability offering was announced in August 2013.

NSFOCUS Information Technology

Headquartered in Beijing, NSFOCUS also has wholly owned subsidiaries in the U.S. and Japan. It has been selling IPS in Asia/Pacific since 2005, and also has products in the Web application firewall, anti-DDoS and vulnerability management categories. The company has 12 models ranging from 200 Mbps to 10 Gbps of throughput. NSFOCUS does not have its own secure Web gateway or secure email gateway products.

Strengths
  • NSFOCUS offers good integration between its IPS line and its other network security products.
  • Enterprises based in China and other Asia/Pacific countries often shortlist NSFOCUS IPS.
  • Gartner has observed that NSFOCUS IPS is often selected when cost-effectiveness is weighted highly.
Cautions
  • Current sales are almost all within Asia/Pacific. Potential customers outside that region should demand visibility into NSFOCUS' support plan and equipment replacement turnaround times.
  • Virtual versions of the IPS have been on NSFOCUS' road map, but have not appeared in the product. Customers requiring virtual deployment options should validate that NSFOCUS will deliver that functionality within the time required.
  • Many countries outside Asia/Pacific remain hesitant to buy security technology from Chinese vendors, fearing interference by the Chinese government. NSFOCUS has alleviated some concerns about its anti-DDoS tool by releasing vulnerability test results from a U.S. application testing vendor, but has yet to release similar test results for its IPS appliance.

Radware

Headquartered in Mahwah, New Jersey, Radware is a data center infrastructure vendor that offers IPS, network behavior analysis (NBA), anti-DDoS and Web application firewall products. The DefensePro IPS supports throughput of up to 40 Gbps. Radware does not have its own firewall, secure Web gateway or secure email gateway products.

Strengths
  • Organizations that require IPS with strong anti-DDoS mitigation capabilities sometimes select Radware. Clients cite DefensePro's Behavioral Denial of Service (BDoS) engine as an important differentiator.
  • Enterprises that already have an investment in other Radware products often leverage Radware IPS to benefit from centralized management.
  • Gartner clients cite advanced threat defense as a DefensePro IPS strength.
Cautions
  • Radware customers cite lack of granular centralized management as an operational weakness.
  • Radware customers mention weak historical reporting as a challenge.
  • Radware's visibility with Gartner clients is low, and it has limited channel support compared with most competitors in the IPS market.

Sourcefire (Cisco)

Headquartered in Maryland, the former pure-play security vendor Sourcefire was acquired by Cisco earlier in 2013. Historically, IPS was its primary market, and Sourcefire was well-known for being the commercial manager of the Snort open-source security products. The Sourcefire IPS has appliance models that provide up to 40 Gbps of throughput. The FirePOWER hardware can be a transition to include NGFW capabilities for incumbent Sourcefire IPS customers. Sourcefire also sells the Advanced Malware Protection (AMP) portfolio, which contains its advanced threat defense capabilities, to its customer base.

Strengths
  • Sourcefire has leading NGIPS capabilities. It has also added network advanced targeted attack (ATA) detection with its FireAMP product, which can potentially add malware intelligence to the NGIPS.
  • The FirePOWER hardware platform scores well on client shortlists. The FireSIGHT management console scores well in competitive selections and independent tests. Sourcefire is highly visible on Gartner client IPS shortlists, especially in the government market.
  • Virtual IPS is available for the VMware, Red Hat KVM and Xen platforms.
  • Sourcefire IPS products are now available to Cisco's skilled sales force and dedicated partner ecosystem. Eventually, this will give Sourcefire customers and prospects the ability to gain pricing negotiation leverage within Cisco's overall enterprise contracts.
Cautions
  • Sourcefire may become distracted during the Cisco integration process, thereby diluting R&D and security research resources.
  • Legacy Sourcefire customers and potential prospects are worried about the future of the FirePOWER product lines. Cisco Sourcefire customers should demand explicit road maps that outline the future of the FirePOWER platform.

Stonesoft (McAfee)

In May 2013, McAfee announced its intention to acquire Stonesoft, which is based in Finland, and the deal closed in 4Q13. Stonesoft products include NGFW, IPS and Secure Sockets Layer (SSL) VPN. StoneGate IPS appliances support throughput from 1 Gbps to 30 Gbps. Stonesoft IPS is available in software, a virtual edition to run on the VMware ESX Server, and the appliance version. New features and updates are included as part of support and maintenance.

Strengths
  • With its acquisition, Stonesoft customers gain access to McAfee's robust threat research labs and customer support organization.
  • The Stonesoft firewall and IPS share a common hardware and software platform, providing a means to transform a placement from IPS to NGFW, or the reverse.
  • Stonesoft's advanced evasion-of-threats research, as well as its capabilities to protect against these threats, has increased its presence on the shortlists of enterprises in which advanced targeted threats are of concern.
  • Gartner clients cite a robust high-availability/clustering solution among the reasons for selecting Stonesoft.
Cautions
  • Because of legal requirements surrounding the acquisition of a Finnish company, McAfee and Stonesoft have not been able to communicate a joint road map to partners or customers. As McAfee and Stonesoft rationalize their joint road map, Gartner expects the Stonesoft IPS to take a secondary role to the McAfee IPS.
  • Stonesoft, even under McAfee leadership, has limited presence to build outside Western Europe.
  • Stonesoft's R&D and security research teams may become distracted during the McAfee transition period.

Vendors Added and Dropped

We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.

Added

  • Huawei

Dropped

  • Juniper Networks does not meet the revenue selection criteria.
  • Corero no longer actively markets stand-alone IPS products. Rather, it is focused on its anti-DDoS products.

Inclusion and Exclusion Criteria

Only those products that met these criteria were included:

  • Meet Gartner's definition of network IPS.
  • Operate as an in-line network device that runs at wire speeds.
  • Perform packet normalization, assembly and inspection.
  • Apply rules based on several methodologies to packet streams, including (at a minimum) protocol anomaly analysis, signature analysis and behavior analysis.
  • Drop malicious sessions — they don't simply reset connections. The drop must not be a block of all subsequent user traffic.
  • Have achieved network IPS product sales during the past year of more than $7 million within a customer segment that is visible to Gartner, and have at least 1,300 devices deployed under paid support with customers.
  • Sell the product as a stand-alone IPS.

Products and vendors were excluded if:

  • The company did not meet the inclusion criteria.
  • The company has minimal or negligible apparent market share among Gartner clients, or it is not actively shipping products.
  • The company is in other product classes or markets (such as NBA or NAC products), is not IPS, and is covered in other Gartner research.
  • The company hosts IPS software on servers and workstations, rather than on an in-line device on the network.

Evaluation Criteria

Ability to Execute

  • Product or service and customer satisfaction in deployments: Performance in competitive assessments and having best-in-class detection and signature quality are highly rated. A vendor should compete effectively to succeed in a variety of customer placements.
  • Overall business viability: This includes overall financial health and prospects for continuing operations.
  • Sales execution/pricing: This includes dollars per Gbps, revenue, average deal size, installed base and use by managed security service providers (MSSPs).
  • Market responsiveness/record: This includes delivering on planned new features.
  • Marketing execution: This includes delivering on features and performance, customer satisfaction with those features, and those features beating competitors in selections. Delivering products that are low latency and multi-Gbps, have solid internal security, behave well under attack, have high availability, and have available ports that meet demands are rated highly. Speed of vulnerability-based signature production, signature quality and dedicating internal resources to vulnerability discovery also are highly rated.
  • Customer experience and operations: This includes management experience and track record, as well as depth of staff experience, specifically in the security marketplace. Also important are low latency, rapid signature updates, overall low false-positive and false-negative rates, and how the product fared in attack events. Postdeployment customer satisfaction, where the IPS is actively managed, is another key criterion.

Winning in highly competitive shortlists versus other IPS vendors is also highly weighted.

Table 1. Ability to Execute Evaluation Criteria

Evaluation Criteria

Weighting

Product or Service

High

Overall Viability

High

Sales Execution/Pricing

Medium

Market Responsiveness/Record

Medium

Marketing Execution

Medium

Customer Experience

High

Operations

Medium

Source: Gartner (December 2013)

Completeness of Vision

  • Market understanding and marketing strategy: These include providing the correct blend of detection and blocking technologies that meet and are ahead of the requirements for IPS. Innovation, forecasting customer requirements, having a vulnerability rather than an individual exploit product focus, being ahead of competitors on new features, and integration with other security solutions are highly rated. Also included is and understanding of and commitment to the security market — and, more specifically, to the network security market. Vendors that rely on third-party sources for signatures, or have weak or "shortcut" detection technologies, score lower.
  • Sales strategy: This includes prepurchase and postpurchase support, value for pricing, and providing clear explanations and recommendations for detection events.
  • Offering (product) strategy: This includes emphasis on product road map, signature quality, NGFW integration and performance, and a clear advanced targeted attack strategy. Successfully completing third-party testing, such as the NSS Group IPS tests and Common Criteria evaluations, are important. Vendors that commonly reissue signatures, are overreliant on behavioral detection and are slow to issue quality signatures do not score well.
  • Business model: This includes the process and success rate of developing new features and innovation. It also includes R&D spending.
  • Vertical/industry strategy and geographic strategy: These include the ability and commitment to service geographies and vertical markets (for example, MSSPs and the financial sector).
  • Innovation: This includes R&D and quality differentiators, such as performance, management interface and clarity of reporting. Features that are aligned with the realities of network operators, such as those that reduce "gray lists" (for example, reputation and correlation), are rated as important. The road map should include moving IPS into new placement points and better-performing devices, as well as incorporating advanced malware detection. NGIPS features are highly weighted.
Table 2. Completeness of Vision Evaluation Criteria

Evaluation Criteria

Weighting

Market Understanding

Medium

Marketing Strategy

Low

Sales Strategy

Medium

Offering (Product) Strategy

High

Business Model

Medium

Vertical/Industry Strategy

Low

Innovation

High

Geographic Strategy

Medium

Source: Gartner (December 2013)

Quadrant Descriptions

Leaders

Leaders demonstrate balanced progress and effort in all execution and vision categories. Their actions raise the competitive bar for all products in the market, and they can change the course of the industry. To remain Leaders, vendors must demonstrate a track record of delivering successfully in enterprise IPS deployments, and in winning competitive assessments. Leaders produce products that embody NGIPS capabilities, provide high signature quality and low latency, innovate with or ahead of customer challenges (such as providing associated ATA technologies to make enriched IPS intelligence) and have a range of models. Leaders continually win selections and are consistently visible on enterprise shortlists. However, a leading vendor is not a default choice for every buyer, and clients should not assume that they must buy only from vendors in the Leaders quadrant.

Challengers

Challengers have products that address the typical needs of the market, with strong sales, large market share, visibility and clout that add up to higher execution than Niche Players. Challengers often succeed in established customer bases; however, they do not yet fare well in competitive selections, nor do they have robust NGIPS or ATA capabilities.

Visionaries

Visionaries invest in leading-edge/"bleeding"-edge features that will be significant in next-generation products, and that give buyers early access to improved security and management. Visionaries can affect the course of technological developments in the market, especially new NGIPS or novel anti-threat capabilities, but they lack the execution skills to outmaneuver Challengers and Leaders.

Niche Players

Niche Players offer viable solutions that meet the needs of some buyers, such as those in a particular geography or vertical market. Niche Players are less likely to appear on shortlists, but they fare well when given the right opportunities. Although they generally lack the clout to change the course of the market, they should not be regarded as merely following the Leaders. Niche Players may address subsets of the overall market (for example, the small or midsize business segment, or a vertical market), and they often do so more efficiently than Leaders. Niche Players frequently are smaller enterprises, and do not yet have the resources to meet all enterprise requirements.

Context

  • Current users of network IPSs highly prioritize next-generation network IPS capabilities at refresh time.
  • Current users of NGFWs look at a next-generation network IPS as an additional defense layer and expect best-of-breed signature quality.
  • Enterprises with traditional network IPS and firewall offerings should build and plan to execute migration strategies to products that can identify and mitigate advanced threats.

Market Overview

According to Gartner market research, the worldwide IPS market in 2012 for stand-alone appliances grew approximately 6.1% to $1.21 billion, whereas, overall, the network security equipment market grew by 7.7% (see "Market Share: Enterprise Network Security Equipment and Routers, Worldwide, 2012"). Data collected from vendors for this Magic Quadrant (independently from the market report we cited above) validates this range. Factors driving those estimates include the following:

  • The threat landscape is currently aggressive, but major IPS vendors were slow to address botnet and advanced targeted threats. Some spending that would have gone to IPS products instead went to advanced threat detection and network forensics products (see "Network Security Monitoring Tools for 'Lean Forward' Security Programs" and "Five Styles of Advanced Threat Defense").
  • NGFWs are negatively impacting the stand-alone IPS market as NGIPSs are absorbed into firewall refreshes and become part of NGFWs.
  • As market penetration advances, growth as a percentage will flatten.

Considering these factors, Gartner forecasts that the end-user total spending for the 2013 IPS market will grow by approximately 3.6% over 2012, and will reach approximately $1.25 billion.

As adjacent platforms continue to integrate better-quality IPS technology, growth in the stand-alone IPS market will continue to slow. By 2015, Gartner expects the stand-alone IPS market to show a slight decline, which will continue as more customers accept NGFWs with IPS incorporated. From 2012 to 2017, stand-alone IPS will have a compound annual growth rate of −2.6%.

NGIPS Is Real

IPS has had two primary performance drivers: the handling of network traffic at near-wire speeds, and the deep inspection of the traffic based on the signatures, rules and policy. The first generation of IPS was effectively a binary operation of "threat or no threat," based on signatures of known vulnerabilities. Rate shaping and quality of service were some of the first aspects that brought context to otherwise single-event views. As inspection depth has increased, digging deeper into the same silo of the traffic yields fewer benefits. This next generation of IPS applies fuller stack inspection, but also applies new sources of intelligence to existing techniques:

  • Correlation — relating events to one another, internal and external to the IPS
  • Context — bringing information to bear to better understand the observations
  • Content — classifying executables

These advances are discussed in detail in "Defining Next-Generation Network Intrusion Prevention." Best-of-breed NGIPS is still found in stand-alone appliances, rather than NGFW. However, the gap is closing as NGFW IPS quality increases rapidly, and as some IPS vendors move to introduce NGFW.

Advanced Threat Detection Is Becoming a Necessary Ingredient for NGIPS

Moving forward, NGIPS vendors need to integrate advanced threat defense capabilities or collaborate with dedicated advanced threat detection technologies to step up their targeted attack detection capabilities — for malware detection and also for outgoing communication with command-and-control servers from infected endpoints.

Gartner also expects that vendors in the specialized advanced threat detection area will evolve their product capabilities to deliver network IPS capabilities to complement their advanced threat solutions. This will bring fresh approaches to the problem of network threat prevention, and will provide clients with more options and new approaches that are being made available in this competitive market.

Market Consolidation Continues

In 2013, McAfee acquired Stonesoft, and Cisco acquired Sourcefire. Both of these acquiring vendors had their own IPS technologies before they made their purchases. Gartner believes both vendors will eventually (and necessarily) streamline their IPS portfolios to offer one stand-alone solution; however, they will be challenged to ensure that the innovations they acquired make it into the portfolios and are not sidelined. As the IPS market flattens its growth rate, we expect the strongest NGIPS providers to grow their market shares, driving weaker players from the market and leaving buyers with a stable set of vendors from which to choose.

More IPS Gets Absorbed by NGFW; However, the Stand-Alone IPS Market Will Persist

With the improvement in availability and quality of the IPS within NGFW, NGFW adoption reduces the need for network IPS in many enterprises. However, the stand-alone IPS market will persist to serve several scenarios:

  1. The incumbent firewall does not offer a viable NGFW option.
  2. Separation of the firewall and IPS is desired for organizational or operational reasons (for example, data center security).
  3. A best-of-breed IPS is desired, meaning a stand-alone NGIPS is required.
  4. Niche designs exist (as in certain internal segmentation scenarios) where IPS is desired, but without a firewall.

Strategic Planning Assumptions

Today, 50% of enterprises have implemented stand-alone IPSs. By year-end 2016, this will decline to 40% due to increased adoption of NGFWs with an embedded IPS capability.

Less than 20% of Internet connections today are secured using NGFWs. By year-end 2017, this will rise to 50% of the installed base.

Evidence

Gartner used the following input to develop this Magic Quadrant:

  • Results, observations and selections of IPSs, as reported via multiple analyst inquiries with Gartner clients
  • A formal survey of IPS vendors
  • Formal surveys of end-user references

Evaluation Criteria Definitions

Ability to Execute

Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.

Overall Viability: Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization's portfolio of products.

Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.

Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.

Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.

Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.

Business Model: The soundness and logic of the vendor's underlying business proposition.

Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.