« America's CTO | Main | Not Your Father's Data Breach »




You only count Cisco for network market cap. Firewalls, if I recall correctly, are more about protecting the servers (and the operating systems) on the network versus just the network devices. So, add Dell, Lenovo, HP, and Sun into the mix to be far. You could also add IBM, Apple, and Microsoft, too. Their market caps would reduce the magnitude of difference, and probably get closer to that 0.2%, if not pass it.

Gunnar Peterson

Jon - I can add in more networking companies but I think Cisco has a pretty large market share don't you? Care to name any other network companies the size of say SAP, Oracle, or MSFT?

Here is the wikipedia definition of a firewall

"A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system. It is also a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all computer traffic between different security domains based upon a set of rules and other criteria."

I believe there are host firewalls like Zone Alarm but these make a relatively small part of Checkpoint's business. When you said "Firewalls, if I recall correctly, are more about protecting the servers " you make my point perfectly, they should be about protecting servers (more specifically the functionality and data abetted by those servers), but instead they are applied in the network layer, blissfully unaware of any real assets behind their PERMIT/DENY binary world.


this is really a inspiring post. Jon's point is valid. Those firewalls are protecting not only network devices, but also actually most of the applications, devices and boxes inside them.

Ari Takanen

Two quick comments:

1) You cannot do reliable market analysis by looking at the sales of dominant players in the market place. Sometimes people tend to buy more innovative things from smaller players, and in other times they look at consolidated solutions from major vendors. You might want to look at statistics on enterprise and telecoms spending. These statistics are becoming more and more available today.

2) For most, software security products are Quality Assurance tools. For any meaningful results you probably should compare them against other R&D costs and not generic enterprise IT spending. A code auditing tool is not bought to secure the IT network. A fuzzer (black-box tool) is a bit different because it can be used by both QA and IT staff. Static and dynamic security tools are two completely different markets.

Gunnar Peterson

I would be very happy if firewalls protected hosts, however they open up ports to those hosts and blithely pass the attacks along. Let's take the simple case of the OWASP Top Ten, assume you have a big scary network firewall in front of your webapp, you are still vulnerable to every single attack in the OWASP Top Ten. On the plus side you got your network addresses translated.

Marinus van Aswegen

In most cases, firewalls are glorified routers. They are often the problem, since they give you the impression that you have some security capability when in fact they blissfully route packets to your servers. The whole DMZ concept is also broken. The bottom line is that our security architectures have not moved with the times. We are layers behind.


My main point with Gunnar's calculation is on the calculation between network security and software security. My point is that there is overlap between the two. Gunnar included "Hosts" only in the software security protection calculation. I am stating that hosts should also be included in the network protection calculation. That is it. Odd that we digress into what a firewall is or is not, and what it does or does not do. If that is our only discussion point, then I fear for our industry.

For some of the non sequitur replies to my comments, I don't recall talking about how a firewall helps on exposed services. It does not. It helps only on those services not exposed. I don't recall mentioning how much a firewall helps (subtle, but important point). I just recall mentioning it does help protecting servers. If they don't help at all from protecting servers, then tell your CIO, CISO, CEO, or clients to remove them. Go ahead. I'm waiting...

Sadly enough, my point really only addresses a small bit of Gunnar's post. What's sadder is that all the subsequent comments have only focused on my comment, versus the in depth discussion Gunnar posted about. Please truly accept my apologies for the distraction. It did more of a disservice to Gunnar's very good post than a service.

Can someone comment on the rest of Gunnar's post?


I definitely agree that firewalls are protecting not only network devices, but also actually most of the applications.


The comments to this entry are closed.