Results and Analysis of ISA Server 2000 Appliance Survey
by Thomas W Shinder, M.D.
The results of the ISA Server 2000 appliance survey are now in! First, I want to thank everyone who participated in the the survey. We had a total of 109 responses in just one week. That's an amazing response rate for a survey that didn't have any "push" (I didn't send out any spam asking you to participate). Just goes to show that the ISAServer.org community is one of the most interactive and most professional IT communities on the Internet.
First I'll present the results and my analysis of each one and at the end I'll present my conclusions and announce the winner of the book.
Question 1
| Would you be interested in firewall appliance that runs ISA Server 2000 on a pre-hardened version of Windows Server 2003? | ||
| Response | Number | Percentage |
| Yes | 85 | 83% |
| No | 5 | 4% |
| Maybe | 13 | 13% |
Question 1
ANALYSIS:
These results definitely speak for themselves. Its clear that the concept of an ISA Server 2000 appliance built on a Windows Server 2000 operating system is a hands down winner. Over 80% gave the idea a thumbs up while less than 5% said no way. About 13% said it depends on a number of factors. The most common reason people gave for not being sure if it was a good idea was a concern that the level of flexibility in configuration would be lost. Several people mentioned that they think it would be a good thing, but that features should not be removed and that it must retain the exact functionality. Most of them would not be adverse to the idea of "add on" features, but the majority said that any add-on's would have to be "certified".
Many people included comments to this question. What was interesting was that no one mentioned any special "security certification" by any particular vendor or "certifier". Everyone who did bring up the subject of system hardening said that it was extremely important that the system hardening process was fully documented. I suspect this is in response to issues that came up after running the current ISA Server 2000 system hardening Wizards. These Wizards were not very well documented and unexpected results often occurred after running the Wizards.
Question 2
| If yes, Does the vendor of the appliance make a difference? Would you be less likely to purchase such an appliance from an unfamiliar hardware vendor instead of Dell or HP? | ||
| Response | Number | Percentage |
| Yes | 50 | 47% |
| No | 32 | 30% |
| Maybe | 25 | 23% |
Question 2
ANALYSIS:
There didn't seem to be an overarching demand for a "well-known" vendor, but there was a strong tendency in this direction. Almost 50% of respondents said the hardware vendor does make a difference and that they would be less likely to purchase an ISA Server 2000 appliance from an unknown vendor. The impression I received from reading the comments was that higher end users were more concerned about a well known vendor. These vendors had established service and support offerings that the higher end admins had confidence in. Admins in smaller shops were more concerned about the price than the vendor. Although 50% preferred a well-known vendor, a good 30% felt that it did not matter.
Almost 25% weren't sure if the vendor made any difference. The consensus was that if they could get a good price and a decent support contract from a lesser known vendor, then they would be willing to take a chance. However, if the price wasn't compelling, or the hardware seemed "low end", they would either not purchase an appliance at all, or get one from a Dell, Celestix or HP.
Question 3
| What do you think a reasonable price for such an appliance would be? Sure, we would like everything to be free :) But what would you consider a reasonable price for an ISA Server 2000 based firewall appliance? | ||
| Response | Number | Percentage |
| $1500US | 34 | 31% |
| $3000US | 35 | 32% |
| $5000US | 17 | 16% |
| $6500US | 6 | 5% |
| None of the above (explain) | 17 | 16% |
Question 3
ANALYSIS:
I thought this was the most interesting question. The percentage of respondents who thought $1500US (31%) was good was just about the same as the percentage of respondents who thought $3000US (32%) was good. A good percentage were willing to tolerate a $5000US price tag, while only a select few (5%) could deal with a $6500US price on an ISA Server 2000 appliance.
The comments were very clear in terms of distinguishing between the $1500US and $3000US responses. Those in the lower end were from smaller shops that were very price sensitive. Many of these respondents stated that given the current state of the economy, it would be hard for them to pay much more. On the other hand, the people who selected the $3000US option considered it a fair price in light of how much they pay for competing products (such as PIX or Checkpoint) that don't do as much and cost much more.
The "none of the above" people felt the price needed to be flexible based on the hardware and the prices charged by the competition. The general impression was that with very moderate hardware, a price of $2500US - $3000US could easily be supported. What was surprising was the number of comments regarding 6-8 thousand dollar range appliances. However, these people were focused on heavy duty hardware such as HP DL380 rack mounts with GB's of RAM and multiple large SCSI drives.
Question 4
| If such an appliance that meets your needs in questions 1, 2 and 3, were available TODAY -- when would you buy it? | ||
| Response | Number | Percentage |
| Right now! | 22 | 21% |
| 1-2 months | 18 | 17% |
| 3-6 months | 22 | 21% |
| 6-12 months | 18 | 16% |
| None of the above (explain) | 27 | 25% |
Question 4
ANALYSIS:
There was no clear pattern for when the respondent would purchase such a box. However, if we add up the first three options, it shows almost 60% would buy the ISA Server 2000 appliance within the next six months. Only 18% would put the decision off after that. However, the largest single answer was "none of the above" and the consistent response from those selecting that answer said it depends on their budget. If the budget would allow more timely purchase, they would get such an appliance right away. Many said that the current economy made it difficult to justify a new hardware device, even a firewall.
Conclusions
Based on the results of this survey two things are abundantly clear:
- The concept of an ISA Server 2000/Windows 2003 appliance is a hugely popular one
- The appliance would have to be priced at under $3000US to maintain that popularity
The vendor doesn't seem to matter quite as much, although it does look like more people would prefer an established hardware vendor like Dell, Celestix or HP. I would have to agree with this, since its important that high quality and reliable hardware be included in this firewall appliance. It also appears that people would like to buy the appliance as soon as their budgets will allow them.
I think the appliance concept is the right direction for ISA Server 2000. A standard box with standard hardware with drivers that are proven to work with ISA 2000 and Windows Server 2003 will take a lot of anxiety out of working with ISA 2000. If you were to add on to that some sort of "logo" or "certification" program third party apps would have to pass to insure they work correctly with ISA 2000 and Windows Server 2003, then you've got a killer firewall. Let's hope the right eyeballs at Microsoft see these survey results and run with them!
Now for what you've all been waiting for -- the winner of the book prize! There were 109 responses. I put all of these emails in the same folder and sorted them by date order, with the first response on top and the last response on Friday at the bottom. I then went to http://www.random.org/nform.html and put in the bottom number as 1 and the top number as 109. Then random number generated was 46. The winner, number 46 is Sohail Tareen. Congratulations Sohail!
If you want to discuss the results of this survey, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=2;t=009516 and let us know what you think. Thanks again! --Tom.
