Read Microsoft PowerPoint - Partner Conference Competitive Jan 2011 [Compatibility Mode] text version

How To Out Sell the Competition

Andrew Walker-Brown Manager, Systems Engineering Lee Langley Systems Engineer

Competitive Overview

Introduction Competitive Overview

Cisco SA 500 (SMB platform) Netgear PRO Series WatchGuard Checkpoint Juniper Palo Alto Networks Cisco ASA


SonicWALL CONFIDENTIAL All Rights Reserved

Competitive Overview


SonicWALL Differentiation

Application Granularity Configuration SonicWALL NGFWs can configure by Category, Application or Signature where a Category consists of many Applications and each Application may contain multiple signatures for specific functionality Cisco has no capabilities in this area Juniper and Fortinet have only basic application identification SonicWALL provides tremendous granularity and control Creating policy by Categories reduces costs of management since as new signatures for new applications are created, the application is rated and will be placed into the appropriate policy of the user without the user having to interfere


CONFIDENTIAL All Rights Reserved

Cisco SA 500 Series

The easiest of easy targets


Introduced: September 2009 Part of Cisco Small Business Pro Series

Separate from the ASA division

Supported by Small Business Support Center

Separate from regular Cisco Support

Positioned as a "UTM" Appliance Aimed at SOHO/SMB ­ 100 Users or less

SonicWALL CONFIDENTIAL All Rights Reserved

SA 500 Series Overview

Target Market: SMB, Under 100 Users No SA 540W

SA 520

SA 520W

SA 540

MSRP $550

SonicWALL CONFIDENTIAL All Rights Reserved

MSRP $700

MSRP $850

Trend ProtectLink Service Cisco "UTM" = Fake UTM

3rd Party Service Anti-Spam in the cloud based on MX Record Redirection Content Filtering User Count Based No IPS, No Application Control Claims "Anti-Virus and Anti-Spyware Protection (...for email)" Tries to pass Email AV for full strength UTM Anti-Virus and Anti-Spyware occur only for Email

This point requires careful reading of all claims and documentation

Offered on Linksys models (RV082, RV042) with identical messaging

This is *not* a UTM service. Cisco is merely trying to redefine UTM to only include anti-spam and Content Filtering

8 CONFIDENTIAL All Rights Reserved

SA 500 in a nutshell


Not a UTM Appliance No Signatures on the Gateway No IPS No Application Control Linksys Style Product MX Record redirection required More Expensive (with services and without) No Flexibility Choice between Dual WAN and DMZ No 3G Failover Capabilities Relies for 3rd Party service for content security

Effect on Customers

False sense of Security (Worse than no security) A More expensive solution Simplistic, non flexible product No WAN failover and DMZ at the same time Deal with a separate Cisco support center Inferior security compared to products available in the market Inferior support

SA 500 is a step back in security from the aging ASA 5505

SonicWALL CONFIDENTIAL All Rights Reserved

Netgear UTM PRO Secure Series

Product Line Comparison


CONFIDENTIAL All Rights Reserved

Summary of Testing Results

Slow NETGEAR UTM Series suffers from abysmal UTM performance. The maximum performance on the largest device ­ UTM 50, was 5 Mbps. Insecure NETGEAR UTM Series delivers the worst MuSecurity rating that we've seen among our competitors: 1.0%33.3% catch rates. NETGEAR can only scan the HTTP, HTTPS, FTP, SMTP, IMAP, POP3 protocols ­ very likely still port based. Insecure NETGEAR UTM appliances are fundamentally insecure with file size limits of 2 MB and 10MB. The best part is that the administrator guide advises against the 10 MB limit Annoying NETGEAR UTM devices suffer from very slow User Interface (3040 second response times). Inadequate SonicWALL TZ 210 features full Application Intelligence & Control with traffic visualization for application traffic analysis and throttling of over 3,000 applications, unlike the NETGEAR UTM firewalls which claim control over only 6 (six) applications: MSN Messenger, Yahoo Messenger, mIRC, Google Talk, BitTorrent, eDonkey and Gnutella. This means, among other things: No video throttling, no gaming blocking, no partial application blocking (block file transfer, allow chat)

12 CONFIDENTIAL All Rights Reserved

Summary of Testing Results

Inadequate NETGEAR UTM devices do not offer WAN Failover on the lower end devices and do not offer 3G failover at all. Inadequate Single SignOn is available on the highest UTM 50 only, unlike on all SonicWALL appliances. Inadequate NETGEAR UTM Series has no wireless capabilities ­ neither integrated nor external options like SonicPoints Inadequate NETGEAR UTM Series has no security certifications such as FIPS 1402 and Common Criteria EAL4+ Bad Value ­ While the SonicWALL TotalSecure products may be slightly more expensive, they actually deliver on promised features and actually perform at speeds expected today, unlike the NETGEAR ProSecure UTM products Conclusion: Customers looking at NETGEAR should think twice about spending money on an incomplete and underperforming product that lacks many features available from any established UTM vendor, and especially from SonicWALL.


CONFIDENTIAL All Rights Reserved


Fortinet GAV/AS Limitations

Checkpoint FW-1


Industry leaders for many years Seen as the "de-facto" standard and benchmark Highly regarded by technical community Broad product set Large install base Strong channel

17 CONFIDENTIAL All Rights Reserved


Very complex to install and manage Slow to innovate over recent years Expensive initial costs Very expensive renewals in comparison to other vendors UTM was never really delivered


CONFIDENTIAL All Rights Reserved

And for Next Generation Firewall?

Database licensed from Facetime, not CKPTs own intellectual property : who's going to maintain/update and work on that signature database. Complex to manage/maintain 50,000 signatures. (45,000 of those are just web widgets!!) How is performance going to be affected with all those enabled. Hardware/operating system not optimised for application control. Will be at least as bad as when IPS is enabled. 40+ signatures just to identify BitTorrent!! How difficult is it going to be to manage that. Need to configure non-standard ports for each signature. Massive management impact. SmartCentre is the Active Directory connection for user identification. Big piece of complex software that must be installed for it to work. How will failover work if agent goes down? AppControl blade is not shipping and no customer deployments No visualisation, no easy way to see what is occurring....need to sift through logs No solution for SSL encrypted traffic No bandwidth management of applications No ability to scan content with applications e.g file types, file content etc. No custom signature creation in the software blade

19 CONFIDENTIAL All Rights Reserved


Incomplete solution Complex Expensive Unsatisfactory Unproven

.....Even the biggest and brightest are.... ....finding it difficult to get NGFW right....

20 CONFIDENTIAL All Rights Reserved


Oh dear.....where to begin


Privately held Little information available about current earnings etc. However, we know they're shedding staff within Watchguard and within biggest distributors Made a loss every quarter during public listing


CONFIDENTIAL All Rights Reserved

What the analysts say..

Cautions WatchGuard has been less likely to be first to market with features demanded by Gartner clients, although this situation appears to be improving. It conducts little or no real independent testing (outside of magazine reviews) for a company pushing into the small enterprise market. It has a confusing and cluttered product line.


CONFIDENTIAL All Rights Reserved

This is what Watchguard say....

"XTM appliances are now on dual core processors with enhanced memory and flash disk. Besides, we have tie-ups with the best of breed products in the industry -- with Surfcontrol and Websense for URL filtering mechanism and AVG for gateway antivirus signatures. For intrusion prevention system, we have joined hands with Endeavour Security which provides the IPS signature database and use Com Touch for our anti spam engine."


CONFIDENTIAL All Rights Reserved

What we say..

Buy in much of their UTM features. No intellectual property, not tightly integrated into platform, poor performance. Aging technology

Still based upon Intel.....everyone moving away (even Netgear)...Cavium Still tied into inefficient proxy technology....PaloAlto built from scratch and chose stream based scanning.....funny, we've done that for years

Have announced but not delivered on NGFW feature set...significant delays Will never match ours or the like of PA on performance, scalability, flexibility etc...

25 CONFIDENTIAL All Rights Reserved

What we've proven..

1. Limited File Size and Port Scanning ­

XTMs can't scan files greater than 20 MB; SonicWALLs can

6. Limited Distributed Wireless ­ Only the

XTM 2 Series integrates wireless and not XTMs support WLAN access points; All SonicWALLs support and/or integrate 802.11n wireless

2. Poor UTM Performance ­ Testing using

Ixia IxLoad showed a substantial loss in performance on tested XTMs running Gateway AV and IPS; SonicWALL showed no degradation

7. No Enforced Client or Server AV

Support ­Unlike SonicWALL Enforced Client/Server AV, WatchGuard's client and server AV solutions are not gateway enforced

3. No Application Intelligence and Control ­

No application level bandwidth control and blocking on XTMs

8. Advanced Features Cost More ­ Over

half of the XTM models require the Fireware Pro upgrade for advanced OS features; SonicOS includes every feature

4. Costly Anti-Spam Installation ­

SpamBlocker must be installed on a separate server; SonicWALL Comprehensive Anti-Spam Service is run directly on the firewall

9. Lack In-house UTM Expertise ­ XTMs

rely on 3rd parties for Gateway AV, IPS, Anti-Spam and Content Filtering

5. Minimal Protocol Inspection ­ XTMs scan

only 7 protocols and scanning on nonstandard ports requires each port to be configured separately as a new rule; SonicWALLs scan everything

10. Increased Management and Cost for 3G

Wireless ­ XTMs can't run onboard 3G wireless without purchasing an extra device


CONFIDENTIAL All Rights Reserved



SonicWALL CONFIDENTIAL All Rights Reserved


Company Overview Strong international presence Well established in the industry, especially the routing market Strong in enterprise and carrier class Very strong training platform and certification


SonicWALL CONFIDENTIAL All Rights Reserved


Product Range (2009-2010) Low End SSG 5, 20, 140 Mid Level SSG 320, 350, 520, 550 High End ISG 1000/2000 Carrier Class Netscreen 5200/5400 SRX 5600/5800

29 SonicWALL CONFIDENTIAL All Rights Reserved


How to sell against them Price, modules and licenses Generally considered a stateful firewall, lacks real AV,IPS and especially application control IPS and GAV only available on some platforms Limited protocol scanning (5 protocols against our 54) File based engine limited to a buffer of 20MB


SonicWALL CONFIDENTIAL All Rights Reserved


How to sell against them continued May require a RAM upgrade to enable these features Shift from Netscreen OS (good) to JUNOS (routing) Partner confusion on what to sell, old vs new Lack of next generation features Massive shift towards the switching market, noticeable change in effort Change in non gold partner management, many partners upset


SonicWALL CONFIDENTIAL All Rights Reserved


Where have we beaten them? Generally education and local government Beaten on price/performance Confusion on products Lack of next generation features Don't see them that often in the same deals 2/10


SonicWALL CONFIDENTIAL All Rights Reserved

Palo Alto


SonicWALL CONFIDENTIAL All Rights Reserved

Palo Alto

Company Overview 6 Employees in the UK Touted as the pioneers of next generation firewall Ex-checkpoint and Netscreen founders Heavy marketing Same CPU engine as SonicWALL products Strong backing from Gartner


SonicWALL CONFIDENTIAL All Rights Reserved

Palo Alto

Product Range (2009-2010) Low End PA 500 Mid Level PA 2020, 2050 High End PA 4020, 4050 Pricing is from $8,000- $80,000+


SonicWALL CONFIDENTIAL All Rights Reserved

Palo Alto

How to sell against them Cost Recommendation to place behind existing firewall UK presence, 6 employees Heavy HEAVY reliance on distribution ­ Support and sales "Land grab" approach to sales, confusion for customer Lack of accreditation such as EAL4


SonicWALL CONFIDENTIAL All Rights Reserved

Palo Alto

How to sell against them continued Rigid custom application engine ­ can require technical support Performance issues as more signatures are added 3rd Party services, already seen a shift from OEM web filtering agreements. Rigid custom application engine ­ can require technical support Lack of SMB offering ­ this has lost them deals!


SonicWALL CONFIDENTIAL All Rights Reserved



SonicWALL CONFIDENTIAL All Rights Reserved


Company Overview The biggest player in the networking industry World wide presence Good training platform


SonicWALL CONFIDENTIAL All Rights Reserved


How we sell against them? PIX end of life but still a lot out there ASA based on similar tech as PIX, use of Intel processors, performance Typically a stateful firewall only, add-ons for GAV and IPS You cannot operate GAV and IPS at the same time on a single unit


SonicWALL CONFIDENTIAL All Rights Reserved


How we sell against them continued Cost (obviously) Overly complicated interface, slow web management Internal competition between security blades and ASA products No Application control or visibility


SonicWALL CONFIDENTIAL All Rights Reserved


Thank You


CONFIDENTIAL All Rights Reserved


Microsoft PowerPoint - Partner Conference Competitive Jan 2011 [Compatibility Mode]

42 pages

Report File (DMCA)

Our content is added by our users. We aim to remove reported files within 1 working day. Please use this link to notify us:

Report this file as copyright or inappropriate


You might also be interested in

Microsoft PowerPoint - Partner Conference Competitive Jan 2011 [Compatibility Mode]