Revisiting the Early Firewall Days
Submitted by Mike Rothman on Fri, 2006-04-21 11:13.
Having to jog my memory to remember the inventor of the firewall got me thinking about the early days of the network security market. As I'm writing this, I'm not exactly sure where it's going to end up. I'm thinking that providing some firewall history will help folks understand today's market dynamics a bit better.
The first thing that is abundantly apparent is that the world is far more complicated today. Way back when, customers had to worry about strong authentication and firewalls. That was about it. I guess you could count mainframe security, but that was more of the data center guys than the network guys that I dealt with daily. Nobody really thought about enterprise security, it was really focused on domains like network and host.
In terms of examining the two spaces, they couldn't be more different. Security Dynamics (now RSA) dominated the authentication space because they had built their agent into every remote access product out there. The other folks (Enigma Logic, LeeMah Datacom) couldn't compete. RSA still enjoys a huge market share position today.
The firewall market was brutal. You had DEC initially, but they couldn't get out of their own way. Then you had Trusted Information Systems, Raptor, Secure Computing, and Check Point trying to get established. So very similar to today, you had a bunch of companies that were chasing the same market, telling roughly the same story and making every deal a blood bath.
So when I say I've seen the movie about today's market dynamics, I'm not kidding. There are more moving pieces and product cycles are a lot faster, but things are roughly the same.
Now TIS was an interesting company. To my knowledge, they were the first company that offered a security product for free over the Internet (the Firewall toolkit) and then sold a more functional and polished commercial version on top of that. I think a couple of companies have made that model work since then, eh?
Ultimately one company survived the firewall war, and it was Check Point. Why? They had better distribution and marketing. Check Point's approach was different (stateful inspection vs. application proxy) and they played that up. They vilified application proxies as slow and the wrong approach.
At the same time, Check Point nailed down a distribution deal with Sun, so an entry level version of Firewall-1 shipped on every internet server that Sun sold - and that was a lot. Check Point also got very good at getting the Sun direct reps to bundle in the upgraded version as part of the deal. The cost of sales on these deals was minimal, Sun did all the work. That's why Check Point had gross margins like Microsoft and net margins over 50%.
Interestingly enough, Raptor tried a similar deal with Compaq. That went over like a lead balloon. Basically, Compaq didn't sell much of anything - their channel did. Raptor just couldn't get Compaq's channel interested in upgrading the firewall. There were too many other things to do.
Check Point also started OPSEC, their partnership program, positioning their firewall as a platform, not a product. Once they built an ecosystem around their stuff, it was a lot harder for the other guys to compete.
But all of the firewall companies were able to go public and all benefited from the rising tide for a while. Then economic reality set in. Secure Computing used their overvalued currency to acquire a bunch of other companies and then hit the wall big time. They almost went down during the bubble, and ceased to be a firewall player. They are still in the business and even acquired what was left of TIS after the Network Associates deal, but they never regained their luster in the space.
Speaking of TIS, they sold out to Network Associates and then watched as CEO Bill Larson's dream of a suite of security and management products turned out to be a few years premature. They tried to be big when small was still cool.
Then, of course, a little company called NetScreen started doing a firewall packaged as a secured appliance. I remember meeting with them when they were first launching the company. I couldn't believe what a dumb idea it was. Didn't they realize that Check Point owned the firewall market? Who wants it on a box anyway? Not one of my shining analytical moments.
So what? I ask that question all the time. Who cares about this ancient history? Well, I think every user needs to because history has a way of repeating itself. If you pay attention to the signs and recognize the patterns, you can save yourself a lot of heartburn. Vendors lose their edge, they don't navigate product or market transitions very effectively and many customers are left holding the bag.
Look at your current stable of "key" security vendors. Are you comfortable with their strategy? As big becomes the new small, are they poised to prosper? Are they willing to acquire the right products and partner to build a broader product set? Are they financially stable and have the resources to keep investing ahead of the next threat?
If you are not comfortable with any of the answers to those questions, it's time to start building a contingency plan. You don't need to pull the trigger too early, but you should give some thought to what you'd do if one of your key vendors is acquired or doesn't keep pace with the rate of change.