Checkpoint Buys Their Way Into Last Place
Thomas Ptacek | December 20th, 2006 | Filed Under: Industry Punditry, Uncategorized
Checkpoint is paying 20MM for last-place IDS/IPS vendor NFR.
Some scattershot punditry:
NFR has taken VC rounds bigger than 20MM. At a reasonable 5x trailing valuation, that says NFR made less money last year than niche startups like Lancope and Mazu, not to mention indie consultancies like Neohapsis, despite having a “full stack” decoding IPS implementation.
Checkpoint is merging their (failed) Interspect product line with NFR Sentivist. One possible outcome: NFR’s technology becomes the basis for yet-another-NAC-in-a-box product like Consentry
Speaking of hardware: will Checkpoint maintain NFR’s hardware OEM? You may not have noticed, because you hadn’t looked at an NFR box in 7 years, but Sentivist now runs on an OEM’d multiprocessor, custom-bus, blade-based appliance that looks suspiciously like SourceFire’s.
The Checkpoint/Sentivist platform is exactly the hardware platform Steinnon has been nagging them to chase. It’s within Checkpoint’s power to buy the OEM supplier. That would be dumb: Checkpoint needs to think about what tomorrow’s hardware problem is, not what NFR and (perhaps) SourceFire thought it was a year ago.
NFR’s spec sheet also posts thoroughly disappointing stats for the heat those boxes generate.
Regardless, Checkpoint claims NFR’s OEM’d hardware as a “core technology” asset.
Much as I dislike the NAC premise, the story I like most here is that the NFR purchase revitalizes Interspect and creates a three-way race between Juniper, Checkpoint, and Cisco. In terms of port density (though not cost), a Checkpoint Sentivist NAC box would lead the majors. I hear Nevis and Consentry aren’t setting the world on fire; maybe they get chopped up between CSCO and JNPR.
Some blog reactions:
Alan Shimel calls this a further example of consolidation. I disagree: nobody goes to Checkpoint for the IPS budget item, and I imagine that for the past 2 years, very few people have gone to NFR either. We don’t have fewer IPS offerings, and we don’t have two IPS offerings competing within a single vendor; what we have now is (slightly) enhanced credibility for a languishing (and underrated) also-ran.
Richard Bejtlich misses Intrusion in his list of IPS vendors, which I mention so as to point out that INTZ probably had more revenue than NFR in 2005. I strongly disagree with his prediction that Cisco will buy SourceFire; Cisco’s IPS gets a ferociously bad rap among the pundits but, from what I can tell, a lot of love internally. I’ll also point out that MCAF is one of the top 3 IPS vendors.
Dan Weber
December 20th, 2006 3:05 pmArbor’s competitors are now called “niche startups”?
Sweet sweet spin.
Thomas Ptacek
December 20th, 2006 4:25 pmSure. Two answers and a statement.
1. Arbor likely does a full order of magnitude more revenue than either Mazu or Lancope.
2. Arbor’s Lancope/Mazu-facing product is also a niche product.
Finally: I have no financial interest in Arbor Networks whatsoever.
PaulM
December 20th, 2006 5:45 pmI like my headline better: “Check Point buys NFR. I laugh. Marty Roesch cries into a big pile of money.”
Re: Richard Bejtlich predicts Cisco will buy Sourcefire.
Of the network security megavendors, Cisco is the only one without an established IPS product that can afford to by Sourcefire. Since the Sourcefire IPO, this seems unlikely any time soon.
Personally, I think the biggest mistake that Cisco made was reusing the 4200 model numbering scheme for its IPS product, invoking the spirit of their previous IDS appliance. People naturally turn away in disgust, expecting a Solaris/x86 NetRanger box that now sends ICMP host-unreachable packets out “inline.” Cisco marketing forgot to flush that turd, IMNSHO.
Thomas Ptacek
December 20th, 2006 5:53 pmThe only gap I see in Cisco’s product line is a hardware accelerated version of the IPS.
They can’t get that from SourceFire anyways.
dre
December 20th, 2006 6:11 pm…Arbor likely does a full order of magnitude more revenue than either Mazu or Lancope … The only gap I see in Cisco’s product line is a hardware accelerated version of the IPS
Wanwall -> Riverhead -> http://cisco.com/go/ddos = ( Revenue > Arbor + Mazu + Lancope + Radware + Captus ) ?
Also you got it all wrong. Symantec, Nortel, or Lucent will acquire TopLayer in 2007 therefore buying their way into last place.
Thomas Ptacek
December 20th, 2006 10:55 pmI doubt Riverhead does more DDoS revenue than Arbor, and that’s not all Arbor does.
Captus is dead, by the way.
Chris
December 20th, 2006 11:10 pmThere’s a good possibility that riverhead (now cisco) sells more than arbor, they have more (I believe) guard XT’s in the field than arbor does SP appliances. Cisco would have to deploy about 3x the appliances and that doesnt’ seem too out of the realm of possibility.
There are scaling reasons both vendors in question have issues, atleast Arbor addressed managebility to some extent with their product. Also note, they fill 2 distinct and very different market slots (detection vs mitigation).
(I also don’t have any financial stake in either, though I have used both products at one point or another…)
alan shimel
December 20th, 2006 11:24 pmThomas- you are right, I don’t know if I would call this consolidation, maybe more of a mercy killing. However, what NFR does on their Bivio boxes (same ones Sourcefire OEMs) is not a form of NAC. It is good old fashioned IDS/IPS and I am not sure how good it is at that. I agree that they must have had little revenue to justify a 20m price. That being said, I dont think any of the NABD type of guys have anywhere near the revenue of the larger IPS guys (sourcefire, tipping point, McAfee, Cisco).
Thomas Ptacek
December 21st, 2006 1:40 amI led development on the DoS product, so I guess I have an emotional stake.
Someone from Arbor is going to chide me for getting this wrong, but, Riverhead boxes are little inline things. Arbor boxes soak up NetFlow from multiple core routers. The Riverhead boxes cost substantially less, and a single deployment involves more boxes.
A fair, if tangential, point is that Riverhead sells to enterprises, and Arbor SP sells almost exclusively to service providers.
Certainly reasonable people could have different guesses as to whether Cisco or Arbor does more revenue on DDoS; I don’t think dre’s argument that Cisco’s DDoS revenue dwarfs Arbor’s will withstand scrutiny though.
Thomas Ptacek
December 21st, 2006 1:46 amI think it’s naive to pretend like “old fashioned IDS/IPS” is something drastically different from NAC. In the real world, NAC-in-a-box products are just IPS boxes with more 100bT ports, a Tenable license, and (maybe) some authentication and captive proxy code.
Checkpoint was first to this market with Interspect.
Kyle C. Quest
December 22nd, 2006 3:01 pmSourceFire and NFR both use the same hardware for their high end systems. It all comes from Bivio (bivio.net). At one of my previous companies I got a chance to take a look at it
It’s not too bad, but I didn’t like the architecture. It looks like several boxes in one case… and the idea is that the traffic or the processing is suppose to be load balanced inside between those “internal” boxes. This is a simplified description, of course…
$20M indicates that NFR pretty much made no sales whatsoever and their investors are so tired of waiting that they just want a way out.
Barry Silber
January 24th, 2007 7:30 amYou mention you don’t think that Checkpoint acquiring NFR is an example of consolidation, and I’m with you. I have recently written about my view of consolidation in the industry — and why people in different roles are concerned about different issues. Coincidentally, I use Marcus Ranum’s article “Dog Eat Dog” from a few years ago as a starting point for much of the discussion. I’d welcome your comments. Also, I wonder how Bivio is doing these days?
Leave a reply