Magic Quadrant for SSL VPNs
 
15 December 2009

John Girard

Gartner RAS Core Research Note G00172407
 

Secure Sockets Layer virtual private networks continue to lead the remote-access VPN segment for competitive growth and innovation.





What You Need to Know



Remote access creates continuous market demand for new virtual private network (VPN) products and services. Every company is working through upgrade and replacement cycles that bring opportunities to replace legacy remote-access VPNs, as well as in-between cycle projects, such as business continuity and telework. IPsec VPNs are still popular for remote access, but the most interesting and visible market innovations continue to center on using Secure Sockets Layer (SSL) VPNs as replacements or augmentations for legacy VPNs. IPsec VPN products have never caught up with SSL in terms of ease of implementation, policy and network access controls, and the ability to deliver security protections on demand. SSL VPNs are easy to set up in their default role as application portals, and offer decent performance for tunneled Layer 3 traffic. SSL VPNs are evaluated in a Magic Quadrant because they have, for many years, been the focal point for innovations in remote access. Clients cite SSL and browser-based VPNs as key decision factors in new VPN investments, and the market revenue and product penetration can be differentiated and tracked.

Gartner ranks vendors in the SSL VPN Magic Quadrant (see Figure 1) based on performance for calendar year 2008 through the end of September 2009, and on client reviews received up to October 2009. The Magic Quadrant considers which vendors likely will dominate remote-access VPN sales and influence technology directions through 2014, as well as which vendors are most visible among clients, generate the greatest number of requests for information and contract reviews, and account for the most new and ongoing installations in Gartner's client base.

After reading this Magic Quadrant report:

  • Consider the merits of all the vendors in the report. All the vendors that Gartner tracks in the SSL VPN market have products that will meet the needs of most buyers.
  • Consider your incumbent networking and application delivery vendors. There can be benefits for not adding another contract, avoiding a new console and conducting new training. If an additional vendor is the best choice, then be prepared to justify your claims.
  • If you plan to use both IPsec and SSL VPNs, then weigh the administrative convenience of a single vendor against differentiating and superior features from a second vendor.
  • Look for differentiating features based on your business requirements, such as network access control (NAC), high-end scalability, SSL acceleration and load balancing, management interfaces, security certifications, endpoint security, smartphone support, business continuity management strategies, and partnerships.
  • Consider vendor ratings, strengths and challenges in adjacent markets, such as WAN optimization, application delivery, Web conferencing, Web access management (WAM) and enterprise single sign-on (ESSO).
  • Ask for and contact customer references.
  • Demand a comprehensive working demonstration in the RFP phase. SSL VPNs are easy to set up. Make the vendors prove their worth, and you may get the first prototype of your eventual production system for free in the bargain.
  • Decide what you are willing to pay. Negotiate your initial purchase price based on a future commitment, and include no-penalty escape clauses in case the product and the vendor fail to deliver service levels.
  • When pricing SSL VPNs, consider the ease of setup and administration, on-demand security, granular access policies, and other features that characterize products in this market. These aspects will lower the cost of ownership — even if your initial purchase is more expensive than a default IPsec VPN.





Magic Quadrant



Figure 1. Magic Quadrant for SSL VPN


Source: Gartner (October 2009)
 



Market Overview

SSL VPNs are persistent encrypted connections between user systems and VPN gateways using the SSL protocol. SSL was originally conceived to secure protocol Layer 7 for browser sessions, but it has expanded to provide a broader range of access ranging from Layer 7 for applications down to Layer 3 for access to networks. SSL VPNs are most characterized by the fact that the user can start a VPN session from a Web browser, although nearly all vendors now offer a nonbrowser client alternative. SSL VPNs feature a menu-driven front end to provide a default greeting to a remote user. The menu and resources offered to the user can be altered by runtime rules that react to the user's access status with respect to a variety of factors, including remote system health and the user's method of authentication.

SSL VPNs make it easy for users to start a VPN from any system. For example:

  • Browsers are found on every standard user platform (desktop, laptop and smartphone).
  • All browsers contain embedded encryption (SSL) and certificate authentication.
  • SSL is optimized to facilitate application delivery over unreliable network connections.

SSL VPNs have, of course, evolved beyond basic browser access. The basic value proposition for SSL VPNs has been made stronger because of several critical capabilities:

  • The VPN can be established without a formally installed client beyond the browser. If desired, nonbrowser SSL VPN clients are available for fully managed and legacy workstations, to give users a similar Layer 3 tunnel experience to legacy IPsec VPNs, while preserving the resilience of SSL.
  • Sessions can survive multiple interruptions, and can reconnect and roam across networks without preserving an Internet Protocol (IP) address. This resilience can be enhanced by a WAN optimization controller, but originates largely with the client. Actual results will vary, and require tuning and experience.
  • The strength of SSL encryption conforms to current encryption standards.
  • Security applets can be downloaded to end-user systems during session establishment. Browser mechanisms that download executable code on demand (ActiveX, Java and browser helper objects) provide SSL VPNs with the ability to perform extensive health checks and to alter the security of the remote system, even on completely unmanaged systems, without formally installing additional software.
  • Unlike IPsec, SSL VPNs shield the user from direct access to the network by default, and tunnels that support routing are opened only by policy choices. These policies can be set dynamically based on gateway rules that evaluate the user, device and location. On the other hand, an IPsec VPN connection is an "all or nothing" bridge to a company's internal network. User systems, by default, have full visibility into the internal network. IPsec default tunnel access is realistic on a corporate-managed device; however, on an unmanaged device, remote security controls may not be possible, and often administrators run the risk of network exposure, even if they make trade-offs between usability and the productivity of remote users.

Growth/sales opportunities for SSL VPNs include:

  • Pursuit of high-value use cases:
    • Protecting access connections used by contractors
    • Providing secure and private ad hoc connections in the event of business continuity disruptions, such as natural disasters and disease outbreaks
    • Integration with emergency notification systems (ENSs) to facilitate emergency VPN access
    • Increasing opportunities for traditional VPN vendors to compete with vendors in adjacent markets, such as Web application delivery, multichannel access gateways for mobile devices, and Web application firewalls
    • Better integration with major applications and independent software vendors (ISVs) — better integration means better performance
    • Integration with the ENS: for example, the ENS could do capacity estimates in advance, monitor user sessions in use and be used to authorize new user access; it also could validate geolocation and available connections, for use in optimizing the VPN connection and enforcing access controls based on, for example, country
  • Convergence with trusted portable personality devices to develop more-secure portable desktops by use of on-demand security tools originating with SSL VPNs
  • Improvements in WAN optimization via acceleration, load balancing, traffic shaping and caching
  • Improved support, including on-demand security (for example, malcode scans, version checks and tunnel control) features for wider ranges of desktop, laptop and mobile devices, and operating systems (OSs), as well as better support for quarantine/virtual sessions and virtual machines
  • General improvements to the interoperability of on-demand security, especially more effort to make these features work on unmanaged systems, such as home PCs and kiosks
  • VPN on click — if a user clicks on an internal URL, then he or she automatically gets a VPN for the duration of the request
  • Marketing differentiation from Microsoft DirectAccess, Microsoft ActiveSync and Web Application Firewalls
  • Externally managed VPN services — most clients and nearly all Magic Quadrant end-user survey responders choose to run their VPNs in-house, suggesting that the service market still has plenty of room

SSL is sufficiently versatile and secure to completely replace remote IPsec VPNs, and many companies have done so. However, Gartner is no longer anticipating that SSL VPNs will eliminate the use of IPsec:

  • IPsec is deeply embedded in networking products, such as routers and firewalls, and, therefore, has a lower incremental session cost in gateways.
  • IPsec is easier on battery life in handheld devices, requiring less power to set up and tear down sessions.
  • The major handheld device OSs include mobile IPsec clients. Several major and specialty ISVs offer mobile VPNs based on IPsec and proprietary protocols. The low barrier to entry to start with these products delays consideration for SSL VPNs.

The SSL VPN market has been affected by the recession. Among vendors that answered surveys for this research, the average growth for individual vendors in their SSL VPN lines of business in 2008 was better than 25%, based on SSL VPN products and related services. However, a wider analysis of the collective revenue in the SSL VPN equipment market returns a more somber view. Dataquest results based on a more comprehensive sample put market performance in 2008 at about 8% growth over 2007. But the equipment revenue forecast for 2009 appears to be down by 4% to 8% over 2008.

Seat sales or penetrations (usable VPN session seats, counted in sales of license numbers or estimated by the normal session capacity of the gateways sold) in the SSL VPN market reported by the 12 surveyed vendors, as well as historical data, are estimated to claim more than 6.8 million seats in 2008, up 19% from 5.7 million by vendors in this report in 2007. Average seats delivered in 2008 are approximately 524,000, with a median of 336,000. The first two quarters of 2009 are already estimated at 4.8 million. Products are moving, but vendors are making less profit, and that condition opens up another opportunity for a shakeout. Cumulative seats reported in the survey counted from 2006 through 2008 exceed 15 million.

Many companies are still working through their investment life cycle of legacy VPNs, and upgrade/replacement opportunities will continue through the coming years as companies reach end of life on their legacy VPNs and seek easy ways to expand new VPN connections. Dedicated VPN appliances have a useful life of more than five years, as long as Windows Vista, Windows 7, Apple and Linux can be accommodated, and the vendor does not declare end of life for support. All vendors can pick up new business as the cycles retire, but vendors' selling skills will be tested to qualify buyers at the right time and place.

Other types of VPNs will continue to play roles for remote access and will fill specific roles. Examples include:

  • Secure Shell (SSH) was originally developed for secure remote console access and secure file transfers. Several companies have extended SSH to provide application layer access through the browser, as well as tunnel support. One of those companies, AppGate, appears in this research.
  • Proprietary Wireless Transport Layer Security and User Datagram Protocol VPNs are offered through various companies that specialize in mobile VPNs. These tend to be niche products that compete based on aggressive WAN optimization.
  • Microsoft's DirectAccess (DA) creates a new type of always-on/always-managed VPN access method based on IPsec. The use case is similar to legacy IPsec VPNs, and best suited to fully managed PCs. A key benefit is that corporate IT can rapidly patch company PCs over the Internet. DA itself is part of Windows 7 and the Windows 2008 R2 server, and is designed for IPv6. Because IPv6 is not yet widely available, a variety of transition technologies are required to address all use cases, and Microsoft is providing technologies, configuration templates, wizards and its UAG product to provide a smooth transition. These technologies include 6to4, IP over HTTPS, Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), NAT64 and Teredo (adoption is still in its infancy). IT planners should evaluate potential tunneling vulnerabilities and Teredo security advisories. Gartner clients calling in for remote access inquiries do not indicate a high priority for early adoption.



Market Definition/Description

Products in the SSL VPN market provide secure and private connections for individuals to reach company gateways via the Internet using the SSL protocol from a workstation, such as a desktop, laptop or a smaller, end-user computing device, such as a PDA or smartphone. This Magic Quadrant evaluates SSL VPN products that are sold for purchase and use within enterprises.

All companies that sell IPsec remote-access VPNs were asked about their experiences in selling the two different types of VPNs. IPsec vendors report that SSL VPNs are providing important current and future growth opportunities. The contribution of IPsec remote-access VPN revenue proved impractical to quantify as an execution differentiator because, as mentioned, IPsec is embedded in router and firewall appliances, and the purchasing decision can no longer be separated for competitive analysis.

SSL VPN products combine browser security enhancement software with a VPN gateway that may be delivered as a stand-alone gateway appliance or as software to be installed on a user-supplied gateway server. The market is dominated by appliances; however, pure software products are becoming more popular through virtualization, which makes it easy to develop drop-in, scalable, plug-and-play solutions for gateway production systems, as well as to evaluate presale demonstrations. Menu-driven, "point and click" browser access to programs and resources characterize the default interface for an SSL VPN; however, several companies offer nonbrowser clients to more closely imitate an IPsec VPN, and a few companies omit the menu interface altogether.

SSL VPNs support the strong authentication and logging desired for VPN protection, as well as application access audits, and support the roaming required for mobile users.




Inclusion and Exclusion Criteria

Inclusion Criteria

SSL VPN companies that meet the market definition and description were considered for this research under these conditions:

  • Gartner analysts have a generally favorable opinion about the company's ability to compete in the market.
  • Gartner clients generate inquiries about the company.
  • The company causes clients to change or delay their procurement plans for competing products.
  • Competitors regard the company as a serious threat.
  • The company regularly appears on shortlists for final selection.
  • The company demonstrates a competitive presence and sales to Gartner analysts.
  • Gartner analysts consider aspects of the company's product execution and vision important enough to merit inclusion.
  • For 2009, minimum thresholds for seat sales and revenue have been applied:
    • A qualifying vendor needed to earn at least $1 million in revenue in calendar year 2008 in the worldwide line of business for SSL VPNs. The median calculated for the 12 ranked vendors was $21 million, and no ranked vendor earned less than $2 million.
    • A qualifying vendor needed to account for at least 100,000 cumulative concurrent user sessions in play for 2006, 2007 and 2008. The median calculated for the 12 ranked vendors was more than 1.1 million, and no ranked vendor reported less than 100,000.

Exclusion Criteria

SSL VPN companies not included in the 2009 Magic Quadrant might have been excluded for one or more of these conditions:

  • The company did not have a competitive product on the market for a sufficient time during calendar year 2008 and the first half of 2009 to establish a visible, competitive position and track record.
  • The company was invited to participate, but did not reply to an annual request for information and did not otherwise meet the inclusion criteria. Alternate means of assessment, particularly client requests and competitive visibility, did not meet the inclusion criteria.
  • The company had a minimal or negligible apparent market share and market inquiry interest among Gartner clients, or had no products shipping.
  • The company sells the product as an application firewall or other specialized interface that is not competing directly within the larger SSL VPN product/function view.
  • The company sells Web-enabled personal remote-control products that are not true multiuser access gateways.

Services built from the products and offered by third parties are considered additive to the product vendor ranking, but the service vendors are not ranked. Managed network services of all types are separate markets.

Other Companies

Companies that have products in the market but are not ranked include, but are not limited to, Barracuda Networks, Fortinet, HOB, Palo Alto Networks, Stonesoft and WatchGuard.




Added
  • AppGate has been added to the Magic Quadrant this year. A relatively small company, AppGate's market share and other criteria were sufficient for inclusion. AppGate also gained consideration because of its unusual implementation, which provides function, look and feel highly similar to a typical SSL VPN but uses SSH as the underlying transport layer. This is acceptable because some Gartner clients are interested in SSH for VPNs.



Dropped
  • Nortel has been temporarily removed pending the completion of sales of its enterprise networking business resources, likely to Avaya. The current uncertainty surrounding the sale of its assets makes it difficult for Gartner analysts and clients to evaluate the product road map. However, Avaya has publicly stated that, for data products, it expects to adopt the Nortel investment plan and road map. Nortel's products will be re-evaluated for 2010 under new ownership, when there is more certainty about its future direction. Nortel's legacy VPN products are of high quality. Companies that are using Nortel's products and do not require immediate purchases, upgrades or enhancements should adopt a wait-and-see policy toward replacement.



Evaluation Criteria

Ability to Execute

Execution considers factors related to getting products sold, installed, supported and in users' hands. Companies that execute strongly generate pervasive awareness and loyalty among Gartner clients, as well as a steady stream of inquiries to Gartner analysts. Execution is not primarily about company size and income; however, as the market matures, larger companies tend to have a greater influence on the market. We track influence on buyers through revenue and seat sales. We track influence among vendors in the market through client feedback about shortlist decisions, as well as on comments from each vendor about its peer group, including perceived threats and competitive self-assessment. For example, Juniper Networks, Cisco and Citrix were voted the most serious competitive threats among vendors that were surveyed for this report. The level of concern for other vendors is considerably diminished.

Product/Service: Compares the completeness and appropriateness of core SSL VPN products sold for use in the enterprise remote-access market. The SSL VPN market defined in this Magic Quadrant is product-focused, but related service areas may contribute, including consulting services and managed service resellers. A strong product focus is critical to demonstrating that the vendor can generate market awareness.

Overall Viability (Business Unit, Financial, Strategy, Organization): Considers the company's history and its demonstrated commitment in the SSL VPN market, as well as the difference between a company's stated goals for the evaluation period versus actual performance, as compared with the rest of the market. The growth of the customer base and the revenue derived from sales are considered. All vendors were asked to disclose comparable market data, such as SSL VPN revenue, the number of unique companies under contract and information about seats sold year by year. Seats are defined as concurrent active license seats deployed on sold products. Where companies have moved to an unlimited license model, active seats are estimated from the normal capacity limits of the platforms sold.

Some vendors do not report portions of competitive information in the format requested for comparison. In these situations, other quantitative sources of Gartner information were considered, but qualitative evidence from client feedback and peer analyst feedback become more important. Indirect measures of product penetration, such as "boxes shipped," were not used to measure execution in this Magic Quadrant. Instead, we considered concurrent seats sold, licensed and accessible to the buyer as evidence that the products are being used. Vendors were asked to convert to the concurrent seat formula as necessary, and the actual numbers reported were treated as guidance, rather than as hard facts.

Sales Execution/Pricing: Compares the strength of vendors' sales and distribution operations, as well as their discounted list pricing for systems supporting as few as 25 concurrent users up to more than 10,000 concurrent users. Pricing was compared in first-year, cost-per-concurrent-active-license seats, including the cost of all hardware and support.

Low pricing does not guarantee high execution or client interest, and the market, as a whole, did not move to commodity status in 2008, although Cisco continued a multiyear expansion in low-cost seat sales. Buyers want good results more than they want bargains, and they respond more strongly to sales techniques led by case studies and return-on-investment projections.

Market Responsiveness and Track Record and Marketing Execution: Rates competitive visibility as the key factor, including which vendors are most commonly considered the top competitive threats during the RFP process and which are considered the top threats by each other. In addition to buyer and analyst feedback, this rating considers feedback from clients, analysts and the vendors themselves. Strong ratings mean that a company has demonstrated to Gartner analysts that the enterprise can get listed in RFPs early and can win a large percentage of competition with other vendors. Marketing execution in this report is considered an aspect of market responsiveness and track record rather than a separate criterion.

Customer Experience: Is subjectively rated from clients' feedback to analysts; the opinions of Gartner analysts in security, network and platform research groups; and vendor-supplied references, where needed. Intense interest in SSL VPNs from Gartner clients provided a year's worth of ample feedback to frame the market.

Operations: Considers the ability of a vendor to pursue goals in a manner that enhances and grows its influence in all execution categories.

Table 1 provides an overview of the evaluation criteria for the Ability to Execute.


Table 1. Ability to Execute Evaluation Criteria

Evaluation Criteria | Weighting
Product/Service | Standard
Overall Viability (Business Unit, Financial, Strategy, Organization) | Standard
Sales Execution/Pricing | Standard
Market Responsiveness and Track Record | Standard
Marketing Execution | Standard
Customer Experience | Standard
Operations | Standard

Source: Gartner (December 2009)

 



Completeness of Vision

In 2009, the range of vision-differentiating activities by vendors was narrower than in past years. The SSL VPN market is mature in terms of its core definition, and most vendors are building out functions and features that make them more similar rather than more distinguished among peers. As a result, there is less contrast in vision rankings than in past years.

Market Understanding and Marketing Strategy: Assessed through direct observation of the degree to which a vendor's products, road maps and mission anticipate leading-edge thinking about buyers' wants and needs. Gartner makes this assessment subjectively by several means, including interaction with vendors in briefings and by reading planning documents, marketing and sales literature, and press releases. Incumbent vendor market performance is reviewed year by year against specific recommendations that have been made to each vendor and against future trends identified in Gartner research. Vendors cannot merely state an aggressive future goal; they must put these plans in place, show that they are following the plans and modify the plans as market directions change.

Sales Strategy: Examines vendors' strategies for communicating their product messages. This ranking factor is the bridge between marketing execution and product strategy.

Offering (Product) Strategy: Is ranked through an examination of the breadth of functions, platform and operating-system support for the SSL client, the VPN gateway OS and features, and the investments made by the vendor to optimize and support applications accessed through the gateway. R&D investments are credited in this category.

Business Model: Takes into account a vendor's underlying business objectives for its products and its ongoing ability to pursue R&D goals in a manner that enhances all vision categories.

Vertical/Industry Strategy: Considers a vendor's ability to communicate a vision that appeals to specific industries and vertical markets.

Innovation: Takes into consideration the degree to which vendors invest in core requirements for the successful use of their products. Criteria include a vendor's internal investments in value-added security tools and technology road maps, as well as external efforts to expand interoperability, alliances and partnerships with companies in related security markets. A vendor with a strong vision creates communities with other companies, and this, in turn, helps other companies, as well as buyers, view the SSL VPN vendor as a necessary component of larger business solutions.

Geographic Strategy: Takes into account a vendor's strategy to direct its resources, skills, products and services in multiple geographies. Geographic strategy is not scored separately in this report but taken into account in the business model.

Table 2 gives an overview of the evaluation criteria for Completeness of Vision.


Table 2. Completeness of Vision Evaluation Criteria

Evaluation Criteria | Weighting
Market Understanding | Standard
Marketing Strategy | Standard
Sales Strategy | Standard
Offering (Product) Strategy | Standard
Business Model | Standard
Vertical/Industry Strategy | Standard
Innovation | Standard
Geographic Strategy | Standard

Source: Gartner (December 2009)

 



Leaders

Leaders demonstrate balanced progress and effort in all execution and vision categories. Their actions raise the competitive bar for all products in the market, and they can change the course of the industry. To remain in the Leaders quadrant, vendors must excel in performance, scalability and protection, and must dominate in sales. However, a leading vendor is not a default choice for all buyers, and clients are warned not to assume that they should buy only from the Leaders quadrant. To stay on the right side of the chart, leaders (and visionaries) must follow courses that are competitively disruptive, not only ahead of the curve, but offering features that remove significant roadblocks to vendor sales and buyer implementations. One example of a competitively disruptive activity might include, but is not limited to, delivering a superior smartphone client in terms of capability, user experience and user adoption that could significantly stimulate new smartphone VPN deployments.

Vendors that have pursued new technologies but have not changed the course of buyer decisions and implementations, and companies that add features to make their product more complete in comparison to the same features offered by other vendors, are not creating competitively disruptive situations. Examples include, but are not limited to:

  • Offering a virtual desktop client for the SSL VPN. Through 3Q09, usable offerings have been scarce and have not been reported to Gartner as a primary product decision factor in the general market for VPNs.
  • Adding federated identity/SAML support. This is a core feature for IAM, but few Gartner clients cite this as a decision factor, and several vendors report little interest from their client bases.
  • Selling mainly into an existing client base, but not showing the ability to compete directly with other vendors when the installed base is not taken into account.

In a mature VPN market, leaders sell broad network infrastructure product families to buyers, as well as stand-alone VPNs. Buyers of leader products include larger companies and/or projects that often stretch products in ways that uncover problems in scalability and maintainability. Quick response is essential. Larger investments in help and support operations contribute greatly to satisfaction.




Challengers

Challengers have attractive products that address the typical needs of the market with strong sales, visibility and clout that add up to higher execution than niche players. Challengers are good at winning contracts, but they do so by competing on a limited selection of functions or a limited selection of prospect buyers. They may be perceived as a threat by other vendors, but that threat will be primarily focused on a limited class of buyers rather than the VPN market as a whole. Challengers are efficient and expedient choices for defined access problems. Many clients consider challengers to be the conservative, safe alternative to niche players.




Visionaries

Visionaries invest in the leading-edge or "bleeding edge" features that will be significant in next-generation products, and will give buyers early access to improved security and management. Visionaries can affect the course of technological developments in the market, but they lack the execution influence to outmaneuver challengers and leaders. Buyers pick visionaries for best-of-breed features, and for broader network infrastructure investments than niche players. Buyers may obtain more personal attention. Visionaries may take risks on potentially disruptive technologies (see discussion under Leaders section), and often, they do this without the financial reserves of a leader or challenger. Buyers of visionary products may base their selection on specific technology features and by participating in the vendor's road map plans.




Niche Players

Niche players offer viable, dependable solutions that meet the typical needs of buyers and fare well when given a chance to compete in a product evaluation. Niche players respond to market changes and new technologies, but they generally lack the clout to change the course of the market. Niche players may serve conservative and risk-averse buyers more efficiently than leaders. Clients tend to select niche players as stand-alone/point solutions for SSL VPN when stability and focus on a few important functions and features are more important than a wide and long road map. Niche players may target clients who, for various reasons, prefer not to buy from larger network players. Buyers report that niche players tend to provide more personal attention to their needs. Buyers of niche VPN products are generally happy and do not stretch the systems past design parameters. They are unlikely to switch vendors, but they may represent limited upsell opportunities.




Vendor Strengths and Cautions

AEP Networks

In 2004, AEP Systems and Netilla merged, keeping the company name AEP Networks and the Netilla brand. Subsequently, AEP acquired V-ONE and combined all pieces to create its VPN and key management product lines. AEP has emphasized policy-based security.




Strengths
  • AEP Networks has hardware products that are certified to a relatively high cryptographic level: Federal Information Processing Standard (FIPS) 140-2 Level 4.
  • The company's hardware appliance products appeal to departmental and small/midsize buyers that want a small number of seat licenses and to government buyers seeking high levels of certification. Virtual appliances are also offered.
  • AEP's market presence is primarily in Europe, although it is selling in all geographies. Buyers are most strongly interested in business continuity and extranet/contractor access solutions.
  • The company has a steady market presence, long track record, and reliable products that emphasize policy and access controls.



Cautions
  • AEP's revenue for 2008 and 2009 is relatively flat — a sign of the times — but well within the healthy range of execution of a stable niche player and long-established company.
  • AEP follows all the major directions of the market, but does not usually set directions nor force others to react. This mode of operation is in keeping with the vision of a niche player.
  • Its seat penetrations for 2007 through 2009 remain among the lowest reported — in part, due to licensing models that affect tracking — but must be considered in combination with other evaluation factors to reduce market visibility and influence. AEP has opportunities to upsell into existing accounts.



AppGate

AppGate began building secure access solutions for the Swedish defense industry in the late 1990s. The initial design goal required strict control of endpoint security, combined with granular access policies for tunnel access into company networks. AppGate selected SSH instead of SSL as the underlying protocol, but has delivered a product that emulates the features of an SSL VPN.




Strengths
  • AppGate provides a look, feel and function set similar to those of the SSL VPN vendors but delivers its VPN over SSH. Some clients have indicated an interest in using SSH, and this vendor has delivered a complete business solution that stretches far beyond the original design boundaries of SSH and the typical products from other SSH vendors.
  • SSH server-managed host keys provide an alternative to SSL certificates.
  • AppGate buyers are most interested in extranet/contractor access and IPsec alternative VPNs.



Cautions
  • AppGate's revenue is among the lowest reported but sufficient to cross the threshold. Seat sales are also sufficient for inclusion, but the rate of sales needs to increase substantially for AppGate to be considered for future inclusion in this report.
  • AppGate is too reliant on Scandinavian markets and needs to expand sales globally to gain credibility in the VPN market.



Array Networks

Founded in 2000, Array Networks sells SSL VPN as a universal access method on a stand-alone basis, and as a complement to its application acceleration, load-balancing and desktop access product lines.




Strengths
  • Array has competitive price/performance and scalability for large and demanding access needs, while also offering an affordable, low-end entry point. Array's Universal Access Controller and secure access and application delivery solutions road maps are dedicated to growing a seamless product line with "green" IT values.
  • Array's market presence is primarily in Asia/Pacific (especially China), although it is selling in all geographies and doing about a third of its business in the U.S. Buyers are most strongly interested in VPN alternatives to IPsec.
  • Array added innovative, wireless overlay security management and wake-on-LAN remote control to its product lineup in 2008 — both being popular areas of concern for access control. Its biggest new business stimulus comes from Desktop Direct, a fully managed and secured solution for remote control that supports wake on LAN. Desktop Direct has grown into a new business unit.
  • Revenue was positive for 2008, and seat sales are strong, although below the market average and in line with visionary status.



Cautions
  • Array earned higher visibility in Gartner client inquiries during 2009 but is still not regarded as a competitive threat by peers. Array has not increased the effectiveness of its marketing and communications, and is not cited in head-on competition in Gartner client RFPs with companies ranked as leaders.
  • Array's seat shares grew in 2008 and 2009, but are below the average.



Check Point Software Technologies

Check Point Software Technologies' SSL VPN was developed in-house starting in 2002, as an integral part of its VPN-1 family. The full product release came in 2004, with the announcement of the Connectra Web Security Gateway. Using technology from the Zone Labs acquisition at the end of 2003, it produced a comprehensive suite of on-demand security tools, which were unfortunately limited only to its own SSL VPN. Recent joint work with SanDisk devices now makes these features available independent of the SSL VPN. In 2009, it acquired Nokia's security appliance business and launched the IP appliances integrated with Check Point software licenses and support.




Strengths
  • Check Point offers wide support for all platforms, desktop, laptop and smartphone for SSL and IPsec VPNs. Check Point sells in all geographies but is strongest in Europe and the U.S., selling SSL as an alternative VPN for mobile laptop users. All its gateway products provide consistent and equivalent support for SSL VPN.
  • Application-level attacks can be detected at the endpoint per updates to Connectra's Endpoint Security on Demand.
  • Check Point and SanDisk partnered to release secure work space technology on a flash drive (Gartner refers to this as a trusted portable personality device) that can use all of Check Point's on-demand security and session quarantine features offline through a session initiated on a flash device. Check Point will soon release the secure work space technology that can be used offline on PCs, making it the first SSL VPN vendor to offer an offline portable desktop that can take advantage of native applications and the native OS on a host PC. Other vendors in the market have quarantine products, but use depends on a VPN connection. This approach is a lightweight and viable alternative to using a virtual machine image to isolate remote user activity.
  • Native support for Exchange has been placed in the VPN gateway so that users do not need a direct connection to an internal Exchange server to synchronize.
  • New competitive features have been added as a result of well-documented client participation in the product road map.



Cautions
  • Business revenue for SSL products is consistently below average since reporting became available in 2007 and would be considered relatively low even if the figures are regarded as extremely conservative.
  • Given the size, visibility and reach of the company, Gartner has expected Check Point's VPN competitive visibility and overall execution to increase for several years.
  • Gartner clients that inquired about SSL VPNs were likely to consider a separate vendor for SSL, even if they use firewalls or IPsec from Check Point. However, Check Point reports that about 80% of its Connectra customers are also running other Check Point gateways.



Cisco

Cisco pondered potential SSL VPN acquisitions in the 2002 time frame and decided to develop SSL internally. The first code was released in 2004 as firmware upgrades for Cisco VPN 3000 Concentrators followed by Internetwork Operating System (IOS) routers. Today, Cisco's SSL VPN capabilities are an embedded option on all Adaptive Security Appliance (ASA) and many IOS platforms. By 2007 the SSL VPN was becoming attractive, and by 2008, it became popular and competitive on function, scale and price. Cisco's universal access vision for VPNs is an evolution of philosophy it inherited from Altiga, an earlier VPN acquisition, and the Twingo Systems acquisition, which provided the baseline technology for the Cisco Secure Desktop.




Strengths
  • Cisco's 2008 revenue performance in the SSL VPN line of business is impressive and among the highest reported, despite the recession, which has disrupted opportunities for many companies that have been in the market for longer periods. Overall seats (estimated per concurrent user) are the highest reported for 2006 through 2008, and, for the first time, Cisco's estimates exceeded Juniper for new concurrent seats activated in a study year (2008). Cisco sells in all geographies for all use cases, and is adept at selling SSL VPN as a total replacement for IPsec, as well as part of a larger infrastructure solution.
  • The SSL VPN entry cost (estimated per concurrent user) is the lowest reported, and Cisco's discount scale is the most aggressive reported, reducing both barriers to entry and barriers to upsell. Ten of the surveyed vendors consider Cisco a major competitive threat, earning Cisco second place after Juniper as a named competitive threat.
  • Client feedback and satisfaction have improved significantly since the last report, due to improvements in gateway software, the Cisco Secure Desktop (CSD) agent and the AnyConnect client.
  • Cisco acquired ScanSafe, a SaaS Web security company that could be used to expand security features to remote access VPN sessions.



Cautions
  • CSD, the on-demand security component, still needs administrative permissions and ActiveX for some of its functions, thus limiting its portability and reach for nonmanaged platforms.
  • Gartner clients continue to report purchasing other vendors' VPNs for specific business projects even when Cisco's products are already installed with SSL licenses, or readily activated. This is a symptom of the disconnect between buying centers for application delivery purchases and pure network access, and may indicate that in some cases SSL is purchased incidentally, rather than intentionally. Cisco needs to escape legacy perceptions that limit buyer awareness of its breadth of product features.



Citrix

Citrix has offered remote access support for many years, starting with several software lines offered early in the decade. In 2004, it acquired Net6, which led to its first low-end SSL appliance. In 2005, it acquired NetScaler, which is the foundation for today's Citrix Access Gateway and NetScaler series products. To provide accelerated secure remote access, in 2006, Citrix acquired Orbital Data for acceleration and WAN optimization technologies. To further enhance secure access with user and application identity, Citrix acquired Caymas Systems in 2007.




Strengths
  • Citrix has the greatest experience of all market vendors in remote, thin-client application delivery. In the 1990s, the company developed the original, protected browserlike client (SecureICA) well ahead of the SSL VPN market. In 2009, Citrix has released a new client called the Citrix Receiver, which improves on the original design and has been ported to a wide range of platforms, including smartphones.
  • Citrix revenue line-of-business performance was second highest in the survey. This is a long way away from Juniper's lead, but more than twice what was reported by all other vendors. Revenue growth in the line of business was better than 23% from 2007 to 2008, and estimates suggest another increase in 2009. Seat penetrations (concurrent VPN sessions) are also among the highest reported. Buyers are most interested in extranet/contractor access, roaming user access and business continuity.
  • Within its vast and profitable installed base for server-based computing, Citrix is a strong competitor with other SSL VPN vendors selling into its installed base. Citrix's concurrent VPN sessions activated in the study year (2008) have approached Juniper, and estimates suggest they will be similar in 2009.



Cautions
  • Buyers who are not invested in Citrix's server-based computing tools are unlikely to consider Citrix's SSL VPN, nor to consider Citrix as a networking market player. This view is borne out by client feedback and Gartner analyst consensus. With global execution as strong as Citrix shows, all vendors should have regarded it to be a top competitive threat, but instead Citrix comes in a distant third after Cisco (seventh overall out of 12). Citrix is somewhat vulnerable to other VPN vendors that can present a good case for application delivery, and is not able to compete directly when network vendors sell SSL VPNs in the scope and context of network infrastructure.
  • Citrix needs to improve its on-demand security functions with more-complete signature coverage for anti-malware defense. This concern has appeared in client inquiries and was raised afresh by a survey reference client. Citrix should also make third-party, endpoint security tool integration more visible to customers (a software development kit is available).
  • XenDesktop was presented in the road map last year as a superior alternative for better on-demand endpoint security. However, in 2008 and 2009, Gartner has seen little evidence for the uptake of streaming virtual desktop images as a replacement solution for on-demand, endpoint VPN security. This approach will become important in the future.



F5

F5 saw the opportunity to sell SSL VPNs in the early 2000s because VPN products were being inserted in front of its core business lines (accelerators and load balancers). In a moment of perfect timing, F5 acquired URoam in a turnabout from an almost certain NetScreen buy. The companies turned out to be excellent cultural matches, and F5 rapidly delivered the FirePass product line. F5's main distinguishing characteristics are high performance and reliable gateways. F5 was in a transitional phase of delivering its product road map during the Magic Quadrant review, so customers should expect to see more features in 2010.




Strengths
  • F5 is an attractive and logical sale in the data center. Its strong understanding of Web application deployments within the enterprise and the fact that it is a leading player in the provision of application delivery services count for a healthy vision ranking, and provide a good opportunity to extend to access layer controls, such as SSL VPNs. Entry-level pricing is attractive.
  • F5 has ported SSL VPN capabilities into its entire range of products to the top end of BIG-IP. Several global providers use F5's products to deliver remote-access services. In a related market, F5 has announced Oracle WAM support integrated into BIG-IP.
  • F5's Visual Policy Editor makes access control setups easy for administrators, and iRules scripting language makes it easy for buyers to customize the platform.
  • F5 plans to leverage partnerships, such as Microsoft, in its road map and is planning an expansion of client services ("unified application delivery").



Cautions
  • F5 is cited as a competitive threat by only a third of responding vendors, down from half in 2008 and from three-quarters in 2007. Gartner client VPN inquiries occasionally reference F5.
  • F5's seat penetration and revenue are good, but as reported last year, there is an ongoing gap between F5 and the other vendors ranked as leaders and challengers. F5 is reclassified as a top-end visionary, and sets a tough comparative hurdle for other visionary vendors.



Juniper Networks

Juniper Networks acquired NetScreen Technologies in 2004 and quickly realized that one of the most promising assets was the Neoteris SSL VPN, previously acquired by NetScreen in 2003. Neoteris was one of the most aggressive and competitive of the early companies in this market, and Juniper has maintained the product vision, execution and overall momentum so effectively that it has held a leadership position continuously since the acquisition. Juniper competes on the basis of universal access, broad client platform support, and comprehensive infrastructure.




Strengths
  • Juniper delivers solid multiyear performance with strong sales and revenue in SSL VPNs and IPsec. In general, Juniper can sell more products at a higher incremental revenue than any other company in the market, creating an unchallenged disruptive sales advantage. Juniper's historical revenue is the best in the SSL VPN market and increased in 2008.
  • Juniper is the No. 1 competitive threat cited by all other peer vendors; in fact, all 12 other surveyed vendors named Juniper as a threat. This assessment has persisted for a number of years. Juniper sells in all geographies for all use cases, and two strong demands are selling SSL as a total replacement for IPsec and for extranet/contractor access, in addition to IPsec. The company appears on most shortlists discussed in Gartner client inquiries for medium to large businesses.
  • Year after year, Juniper's products earn a high satisfaction rating and few complaints, given its high degree of market penetration.
  • Juniper's road map includes integrated support for VMware Virtual Desktop Infrastructure (VDI) streamed virtual desktops and further enhancements to its on-demand security tools. The company's vast market penetration, independent of any application delivery environment, should serve to raise future demand for virtual desktops faster than other vendors.
  • More than 17 major global service providers, including carriers and application service brokers, are offering Juniper-powered VPNs.



Cautions
  • Juniper's stated list prices are among the highest in the market, but negotiable. Various competitors are more effective at selling to the small business end of the market because of lower entry prices.
  • Juniper's value proposition for enterprise network access is excellent, but somewhat less compelling in terms of application delivery than Citrix and Microsoft.
  • Being one of the most influential SSL VPN companies for many years, Juniper has fewer "disruptive" improvements to add to its product line than most of its competitors. Other vendors are catching up. In a mature market, it is important to find new ways to create competitive awareness to avoid an eventual threat of attrition.



Microsoft

Microsoft acquired Whale Communications in 2006 and rapidly developed new products by combining features of Internet Security and Acceleration Server (ISA Server) to create its Intelligent Application Gateway (IAG). IAG benefited from Microsoft's global sales and support and a strong road map to help integrate some of Microsoft's scattered remote-access projects. The next product phase, Forefront Unified Access Gateway (UAG) became available on 1 December 2009.




Strengths
  • Microsoft's IAG (based on the Whale Communications acquisition) has proved to be a dependable product, and earns positive client feedback. The VPN market understanding of this particular team in Microsoft is very good.
  • Coupled with Exchange, SharePoint and Windows Terminal Services, Microsoft has a strong single-source solution for application and network access.
  • The 2009 release of UAG continues the relationship that existed between IAG and ISA, and is leveraging TMG for IPv4 and IPv6 firewall inspection (required for DA scenarios), as well as array management capabilities.
  • The UAG team is committed to offer broader support for non-Windows platforms, and has broadened support for Linux and Mac desktops in this release.



Cautions
  • Microsoft has made substantial progress and improvement in the path to UAG. However, there are still issues of fragmentation that weaken its vision. For the time being, the Windows Mobile VPN is not part of UAG; it remains under the separate control and management of System Center Configuration Manager. Plans to manage the mobile VPN under UAG have not been announced but are under consideration.
  • In addition to its SSL VPN capabilities, UAG has been described as a solution for extending and scaling DA. However, clients will find that DA can create security vulnerabilities that require a product like UAG for improved defense. DA becomes less of an intrinsic Windows access method and more like yet another VPN, offering some enhancements in flexibility over IPsec, but a server infrastructure is still appropriate to strengthen its security.
  • Microsoft has been successful at selling IAG into small and midsize businesses (SMBs) and can scale to large installations. However, Gartner clients who call with inquiries about larger-scale installations indicate that they are likely to reconsider other vendors. Some clients reported delayed consideration because of confusion over the eventual differences among IAG, Forefront Threat Management Gateway and UAG.
  • Due to Microsoft policies around financial disclosure, Microsoft was not able to provide comparative estimates of penetration. Gartner's assessment based on client feedback and peer analyst review merits a visionary ranking.



NeoAccel

NeoAccel is a relatively new company, founded in 2004 by the former CEO and founder of NetScaler (NetScaler was acquired by Citrix). NeoAccel is a dedicated SSL VPN company selling on the basis of ease of use, bundled functionality and high performance.




Strengths
  • NeoAccel has partnered with major telecom vendors in India to replace high-cost point-to-point leased lines with a secure and high-performing site-to-site SSL-based VPN provided by NeoAccel. NeoAccel provides enhanced compression over site-to-site connections to improve performance and access between remote locations.
  • NeoAccel's market presence is primarily in Asia/Pacific (especially India and China) and the U.S., with a growing presence in Europe. Buyers are most strongly interested in IPsec alternative VPN solutions for mobile PCs and laptops, and for accessing applications in the cloud.
  • The company is positioning to support cloud service providers, drawing on its WAN performance strengths.
  • NeoAccel's Application Triggered Compression Engine provides a dynamic way to deploy and engage application-specific optimizations.



Cautions
  • Private-label/OEM sales have grown to more than 50% of revenue. NeoAccel is using OEM and channel sales as a strategy to reduce internal sales staff overhead. OEM sales expand market presence, but reduce incremental revenue. As a result, NeoAccel's seat shares have grown faster than revenue, when compared with similar-size companies. However, its revenue more than doubled, comparing 2008 to 2007, and 2009 will be another growth year.
  • The company could be an acquisition target — being small, having a complete product and exploiting geographies that could appeal to market players seeking new growth.



PortWise

PortWise (formerly Lemon Planet) was founded in Sweden in 2000 and was among the earliest companies offering SSL VPNs.




Strengths
  • PortWise is a stable vendor with steady sales and a strongly growing OEM business. It has been profitable since 2006.
  • It sells most strongly in Europe and Asia/Pacific geographies, and the primary buying criteria include extranet/contractor access, business continuity management and handheld device support.
  • PortWise is the only tracked vendor that offers in-house, integrated, one-time password tokens in the user interface. Seventy percent of buyers purchase PortWise's strong authentication to supplement the VPN.
  • PortWise has extensive experience in delivering secure services and applications to handheld wireless devices, including a long track record with sensitive applications, including retail banking and credit card terminals, and industrial applications, such as vehicle management.



Cautions
  • Gartner clients have been unlikely to report PortWise as a shortlist candidate; however, verified case studies are of high quality.
  • PortWise's 2008 and 2009 reported seat sales are sufficient for inclusion, but relatively low among surveyed vendors, probably due to OEM discounts and aggressive discounting (PortWise's per-session discounts on large configurations are aggressive). Revenue is viable, and in keeping with a long-term visionary company. PortWise would make a good acquisition target — for example, for a company that wanted baseline technology for secure mobile portals. However, PortWise's OEM approach is an alternative to acquisition.



SonicWALL

SonicWALL sold SSL and IPsec VPNs successfully into SMBs for many years before acquiring Aventail in 2007. The Aventail products continue as a brand and represent the medium to large enterprise end of SonicWALL's VPN product lines.




Strengths
  • SonicWALL sells primarily in North America and Europe, but has a global presence. Buyers target IPsec replacement, extranet/contractors, business continuity and IPsec alternative VPN scenarios as the main buying motivations.
  • The company introduced continuous endpoint security scanning in 2009.
  • SonicWALL's seat penetrations are on par with F5, as a point of comparison, with revenue consistent with visionary companies.



Cautions
  • SonicWALL has done an excellent job of integrating Aventail's mind-set, vision and road map with SonicWALL's hardware and distribution experience, but some clients still express concern to Gartner over SonicWALL's long-term role in large VPNs. The company needs to do more to advance its image as a medium to large enterprise vendor.
  • The original SonicWALL VPN products remain separated from the Aventail range of products, causing confusion for new and incumbent buyers. The company should rebrand these systems as a continuum of products and ensure that common interfaces, features and interoperability are being communicated to buyers.

The Magic Quadrant is copyrighted 15 December 2009 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

© 2009 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.





Vendors Added or Dropped




We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.





Evaluation Criteria Definitions





Ability to Execute

Product/Service: Core goods and services offered by the vendor that compete in/serve the defined market. This includes current product/service capabilities, quality, feature sets and skills, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.

Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood of the individual business unit to continue investing in the product, to continue offering the product and to advance the state of the art within the organization's portfolio of products.

Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support and the overall effectiveness of the sales channel.

Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message in order to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional, thought leadership, word-of-mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups and service-level agreements.

Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.


Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen and understand buyers' wants and needs, and can shape or enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling product that uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.

Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature set as they map to current and future requirements.

Business Model: The soundness and logic of the vendor's underlying business proposition.

Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography — directly or through partners, channels and subsidiaries as appropriate for that geography and market.