Readers Respond: F5 Firewall Challenges Cisco, Check Point
Andrew Conry Murray
February 06, 2013
Recently F5 announced it was rolling out homegrown firewall software to run on its Big-IP platform. The move puts F5 in direct competition with security stalwarts such as Check Point, Cisco, Juniper and others. As I wrote in a Network Computing newsletter:
So does the world really need another firewall? F5 wants to capture customers that have already bought into Big-IP with a consolidation story: add our software and spare yourself the hassle of running separate boxes from another vendor. I'm all for competition in the tech market, and I think F5's pitch may resonate. That said, there's always a good argument for not putting all your eggs in one basket (even if that basket runs in a high-availability cluster). Cisco, Check Point and other competitors also won't sit quietly at the thought of customers being poached. What's your take on F5's approach? Are they on to something, or do you feel more comfortable running separate tiers of devices?
- Crime Prediction and Prevention: A Safer Public through Advanced Analytics
- Preventing Security Risks in Real Time
- Best Practices: Using Apple's Global Proxy to Boost Mobile Security
- Strategy: Cybersecurity on the Offense
We got some interesting responses from readers. Check out what they had to say.
One reader responded: I'm not a security expert, but have been in WAN/LAN networking for the last 17 years working with customers and partners, so I have a sense of how this might go. The one consistent theme you hear from the security folks is "layered security." I don't see existing customers of any other product pulling out stuff just to put in F5's product, even if it's great. On new F5 installs, I CAN see customer's considering the FW option IF it might save them some money AND they're not hugely invested in another product. I can't see F5 pushing this too hard, though, in Cisco shops, since they've found a very comfortable niche in what I'll call the 'Cisco ecosystem.'
The minute Cisco starts seeing any measurable impact to their share, you can bet they will be hammering their loyal VARs to quash this (and they are the most loyal foot soldiers in the land) before it gains too much steam. All in all, impact will be fractional percentages of market share, mainly at the expense of other firewall-only vendors. Cisco's channel is way too formidable for this to be a concern. Now if only HP had a true firewall product, there you might see more impact. They should have picked up Sonic Wall before Dell did. Perhaps they'll wake up and look at Fortinet.
One last thought: enterprises that are compromised for rack space, particularly in remote office deployments, might find this F5 product attractive.
[ Join us at Interop Las Vegas for access to 125+ IT sessions and 300+ exhibiting companies. Register today! ]
Reader Gonzalo Cervantes was more bullish on F5's move:
I think F5 is going in the right direction. Layer 7 firewalls go hand-in-hand with the application delivery controller functions. For the most part, if you are trying to balance some application, you may want to protect it while you're at it, and F5 is packaging those functions. It comes down to: Will F5 do it right? A10 is coming out with similar code for their AX platform, but the question is the same: Will it be done right?
I agree with the 'putting all the eggs in one basket' argument, but HA clustering allows you to deal with a single point of failure.
Frank Antico, who works for Cisco Systems, also had an opinion.
This is because they are going after a consolidation approach for virtualization. Cisco is the only vendor in the market that can deliver Hyper-V bypass with its Nexus 1000v for VMware virtual environments, with our Nexus switching for the data center and vpath and rise API, we can apply firewall and load balancing at network speeds to a virtual environment.
I would imagine F5 is trying to compete with us, but it is hard when they don't have the network footprint and the level of integration we bring for virtual environments.
You can join in the conversation any time by commenting below, or by reaching out to Network Computing on Twitter at @networkcomputing. Click here to subscribe to the newsletter.