SonicWall
SearchSMB Column: UTM - Exploring the benefits for SMB
This month's SearchSMB column talks about UTM, within the context of the SMB market. So, that means "small UTM" just to be clear. If the column seems a bit short, well it is. That's because it was, let's say, heavily edited. Is it better? I don't think so because a lot of my informal vernacular has been gutted out. This is clearly not my style, but whatever. The points are the points, and at least they didn't mess with them.
I've got a unique style of writing, and if you couldn't tell I get a bit burned when it's messed with. But that's part of writing for some of the media outlets. So at the risk of getting into trouble, I'm going to post my original version here.
Of course, you can read the edited version here: http://searchsmb.techtarget.com/tip/0,289483,sid44_gci1205017,00.html
The Original:
SearchSMB column/tip – July 7, 2006
UTM is in your future
By Mike Rothman
The network security business has evolved rather incrementally over the years, largely driven by threats – as opposed to thoughtful architecture. First there was the token authenticator, designed to protect all of those crazy employees dialing up into a remote access environment.
Then as direct connections to the Internet hit widespread deployment in the mid-90’s, there was a need to protect those connections with firewalls. But firewalls were rather unsophisticated devices, so products that could detect an attack pattern (intrusion detection) came into vogue. Subsequently we’ve seen gateway anti-virus, anti-spam, web content filtering, anomaly detection, web application firewalls, and a host of other new products emerge to stop very specific threats.
You as a SMB technologist are sick of it. At least the folks I talk to are. All of these products have different management consoles, none work together, and most are marginally effective. We all know that you don’t have extra people or dollars lying around to maintain the status quo. You need to do more with less and you need to do it now.
One of my favorite sayings is “No mas box.” My clients don’t want to see any more appliances; they want integrated solutions or at least the visage of integration anyway. Thus a new product category called unified threat management (UTM) has emerged. Pioneered by folks like Fortinet, SonicWall and Astaro, but more recently being joined by pretty much every security vendor – these devices promise integration, convenience and protection from pretty much every threat out there.
Should you turn off your existing equipment and move to these new platforms? In a nutshell, the answer is most likely yes. Your choices are pretty straightforward: continue to renew the maintenance on your existing device(s) or buy something new. In many cases, given the competitive nature of the UTM market, the out-of-pocket cost of upgrading to a new device may be comparable.
Even if you are talking about a 15-25% increase in year 1 cost for a new box, it’s worth it. You’ll save at least that much time in not having to troubleshoot different equipment when you have a problem and your protection will be broader.
That begs the next question, who do you buy it from? The answer largely lies in your comfort level. Each vendor has strengths and weaknesses. Some are built using mostly open source software; others have proprietary chips to get the job done. Given where the market is now, you should strongly consider your incumbent network security provider. In all likelihood they also offer a UTM device, and you already are familiar with the vendor and the management interface.
At a minimum, you should kick the tires of at least one or two other devices. Only by getting hands-on with a few boxes will you figure out what is the best fit for your environment. But for SMB customers, UTM is the shape of things to come.
The Race to Get in the Closet
Today, ConSentry announced a new line of LAN switches that integrate a lot of their stand-alone NAC functionality in a low cost switch form factor. Release here. This is the first, but it won't be the last. I've already spoken to two other vendors that have updated LAN switching products with lots of security mojo almost ready to go, and there will be more. There always is.
Why is this interesting to customers? First, many of the existing switches are getting tired. Well not really, they move bits just fine. But a lot of the new functionality that integrates security into the core of the network fabric cannot be run on the older switches.
The interesting aspect of this is that some start-ups are going into one of Cisco's strongholds, which are switches in the closet. Is Cisco really exposed here? The answer is no. Cisco has a very good story about why the switches should be upgraded, and upgraded to Cisco hardware at that.
Cisco's only blind spot is price, but I still expect them to get a bulk of that business. But there are lots of other tired LAN switches that are vulnerable and a lower cost alternative will be pretty interesting to them.
I can definitely see how an Extreme and/or Foundry (or even 3Com of the walking dead) add new security capabilities to their switches, selling into their existing base of "anyone but Cisco" customers. But what chance does a start-up have to even move the needle against Cisco?
Basically not much. But that's not the goal. Remember, "big is the new small" and we know that Juniper, probably Symantec and even some smaller public companies like F5, SonicWall and ISS need to be in the closet. They cannot maintain any kind of enterprise security presence without having equipment in all the enterprise domains, which includes the wiring closets.
So basically, folks like ConSentry are teeing up the exit strategy. Sooner or later Juniper is going to realize their strategy does not get them where they need to be. So their choice is to buy a Foundry or Extreme (and bring the checkbook because that's a multi-billion dollar deal) or take out a start-up with some interesting technology.
Customers should be excited by this. Not because they need to upgrade their switches, though that does tickle the fancy of more than a few network/security admins. But we are going to see serious price competition on these "secure ports" and further commoditization of standard ports.
So thanks to ConSentry for getting the ball rolling. We are going to see a lot of this in the near term, and my early prediction is that the most over-hyped product of RSA 2007 is going to be the "security switch."
Deal: SonicWALL Acquires MailFrontier
SonicWALL (SW) acquires MailFrontier for $31 million in cash. I was actually thinking this morning about how SW should buy Barracuda to both eliminate what will become a significant competitor and also to get exposure to a couple of good markets (email security, anti-spyware). Then figured the price for Barracuda would be too high, given they just took a bunch of VC money. So to see them make this move is interesting for what seems to be a fair price. Couple of things at work here:
- This is a good deal for MailFrontier - These guys needed to get a deal done. The product works OK (all of the anti-spam gateways work OK), but their outbound filtering story was very weak. They were not competitive at the high end and getting eaten up on the low end by Barracuda. That kind of squeeze makes you less than viable very quickly. This is a good exit for them.
- SonicWALL needs more stuff in the bag - SW has done a great job of building up their channel to go after SMB. Readers of Rants know I believe SMB is where all the action is, but the partners need to be able to drive more stuff once they sell the initial UTM box. MailFrontier provides another product, and also has technology that can be integrated into the UTM device over time. This is the same mentality that drove SW to acquire Lasso Logic in the backup space last year. It's a great model, they don't pay a lot for the technology in a hot market and drive it through their channel. That's called leverage folks.
- Dance partners are going fast - There are still way too many email security vendors and not enough potential acquirers. You figure Cisco and Juniper need to have something at some point. Maybe McAfee will decide to give up the ghost on making their own stuff work and CA needs something also, but most likely software based. Beyond that, the ranks of interesting buyers get pretty small, so the remaining players in this space should be feeling some heat to get something done. Wait too long and you are standing on the side.
- Valuations are going down - Symantec bought BrightMail at about 14x TTM (trailing twelve months) revenue back in 2004. This deal was probably in the 3x range, given IDC's estimate of MailFrontier doing $6.2 million in 2004 and reasonable growth in 2005. Clearly the luster is off the rose in this market space.
If you are a MailFrontier customer, breathe a big sigh of relief. The alternative was MUCH worse. SonicWall customers now have another product to look at, which is a good thing. But most importantly, viability is a CRITICAL selection factor for email security products now. Making a big investment with a marginal vendor will prove to be a big mistake, so choose carefully.

