But that's now the exception, says Young. Today, 95 percent of next-gen purchases are firewall replacements, as the newer technology has proven its value and the vendor selection has widened.
Driving the next-gen firewall market: Consolidation and cost come first
Application-based controls and security provide the flash and the coolness factor, but the business case most often relies on the savings and reduced management overhead that come with consolidating several security products into an integrated platform that meets the needs of highly demanding enterprise networks.
"It became apparent that we could consolidate a lot of the technologies we were looking at," says David Rahbany, director of enterprise IT infrastructure at Hain Celestial Group. Hain purchased and deployed Fortinet next-gen appliances when it consolidated connectivity among its distributed sites and corporate data centers from Internet-based VPN to a multiprotocol label switching (MPLS) network.
"The driver was really the costs associated with the MPLS deployment. We could focus our gateway security perimeter on a handful of sites, for which next-generation products better suited our needs." Rahbany also cited better management control for a relatively small IT staff.
The end of a normal refresh cycle for perimeter devices is a logical time to look at replacement, but a case can be made for off-cycle next-gen deployment if the savings and benefits are compelling. For example, 24-Hour Fitness, a Palo Alto Networks customer, had a year left in the depreciation write-off for its existing firewalls, but found that the savings in purchasing sooner rather than later more than offset the lost depreciation.
"It was smarter to combine everything -- firewall, malware detection, Web filtering, threat management -- at a lower cost," says Jason Kwong, director of IT operations and security. "The justification wasn't hard."
But although consolidation and cost savings are paramount, application awareness and control (what Gartner's Young calls the "sizzle") are a key driver as well. Next-gen appliances enable enterprises to create policies and rules that reflect the modern Web-based IT business environment, including the growing use of Web 2.0 for both business and personal use. Just as significantly, the technology can be used to monitor and enforce compliance with these policies. It also provides the ability to identify thousands of individual applications and establish rules governing not only which are allowed, but under what circumstances and by whom.
So, for example, peer-to-peer applications might be prohibited, but Skype might be authorized for users who have a legitimate business need for it (see Skype: Is it safe for business?). All users might be allowed to use Facebook, but might be blocked from accessing the site's applications.
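As an added illustration (not from the article or any vendor's product), the following Python sketch encodes the three policy examples above as an ordered, first-match rule set: peer-to-peer denied for everyone, Skype allowed only for an approved group, Facebook allowed but its embedded applications blocked. The application names, category map, group names and rule names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed sample data; rule and group names below are hypothetical.
APP_CATEGORY = {"bittorrent": "p2p", "edonkey": "p2p",
                "skype": "voip", "facebook": "social"}

@dataclass(frozen=True)
class Flow:
    user: str
    groups: frozenset          # group membership from the identity source
    app: str                   # application identified by inspection
    sub_app: Optional[str] = None  # e.g. "facebook-apps" inside "facebook"

@dataclass(frozen=True)
class Rule:
    name: str
    apps: frozenset            # application names or categories to match
    groups: Optional[frozenset]  # None means the rule applies to any user
    action: str                # "allow" or "deny"

# Ordered policy, first match wins, encoding the article's three examples.
POLICY = [
    Rule("block-p2p", frozenset({"p2p"}), None, "deny"),
    Rule("skype-for-approved", frozenset({"skype"}), frozenset({"skype-approved"}), "allow"),
    Rule("block-skype-others", frozenset({"skype"}), None, "deny"),
    Rule("block-facebook-apps", frozenset({"facebook-apps"}), None, "deny"),
    Rule("allow-facebook", frozenset({"facebook"}), None, "allow"),
]

def evaluate(flow, policy=POLICY, default="deny"):
    """First rule whose app set and group set both match; else implicit deny."""
    ids = {flow.app, APP_CATEGORY.get(flow.app, "unknown")}
    if flow.sub_app:
        ids.add(flow.sub_app)
    for rule in policy:
        if not rule.apps & ids:
            continue
        if rule.groups is not None and not rule.groups & flow.groups:
            continue
        return rule.action, rule.name
    return default, "implicit-deny"

def rule_hits(flows, policy=POLICY):
    """Per-rule hit counts, the raw material for monitoring policy compliance."""
    counts = {}
    for flow in flows:
        _, name = evaluate(flow, policy)
        counts[name] = counts.get(name, 0) + 1
    return counts
```

Note that a flow identified as "facebook" with the "facebook-apps" sub-application is denied before the broader "allow-facebook" rule is reached, which is why rule order matters in such a policy.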
From a security perspective, next-gen appliances provide much stronger filtering and threat detection than the combination of traditional firewalls, standalone IPS and other security products, such as URL filtering. If the appliance is performing deep packet inspection on the firewall, it can more effectively reduce the traffic to authorized applications and users, and simplify detection of potential attacks by focusing on what still gets through. The single-pass inspection up front allows the product to correlate and analyze various security engines.
"In many ways, this is a call for a better IPS that's aware of protocols and applications," says Rick Moy, president and CEO of NSS Labs. "Now it's imperative for the firewall to know more about the applications because it has to work in conjunction with IPS to provide context for IPS to do its job."