By Nicola Leske
NEW YORK (Reuters) - When Cisco Systems Inc decided years ago to drop a network-security project known internally as "Apollo," little did it know it had paved the way for a startup to blossom into a formidable competitor.
That company, Palo Alto Networks, is one of the leaders today in the multibillion-dollar market for corporate Internet firewalls. Founded in 2005, Palo Alto Networks debuts next week in an initial public offering that could value the firm at more than $2 billion.
Cisco and other deep-pocketed vendors may have misjudged how Internet use would balloon with the takeoff of social media, and with it, the need for sophisticated tools to safeguard private data and monitor suspicious activity, analysts say.
Enter self-taught programmer and Palo Alto Networks founder Nir Zuk, whose penchant for pursuing new technologies culminates in 2012's most anticipated market debut since Facebook Inc's IPO in May.
"We anticipate this will be one of the hottest tech IPOs of the year," said ISI group analyst Brian Marshall.
The company coined the term "next generation firewall" (NGFW) to describe its products, which among other things, lets companies tightly control access to Internet applications for specific users. An employee could connect with Facebook, for example, but not play games.
Essentially, NGFW converges multiple security functions such as firewall, intrusion prevention systems and secure Web gateways on a single platform, Lazard Capital Markets said in a note earlier this week.
"Overall, customers get for the first time, a view of the applications and data entering and leaving their networks, such as attachments and zip files," Lazard said.
Palo Alto Networks grew in direct proportion to social networking sites like Facebook, web-based tools like Google Inc's Gmail and the use of Skype for communications.
Its technology made it easier to monitor and secure traffic from social networking platforms than with traditional firewalls offered by Cisco, Check Point Software Technologies and Juniper Networks.
"Juniper is rarely considered by customers looking for an NGFW," research outfit Gartner, which refers to Palo Alto as a "disruptive influence," said in a report.
Palo Alto Networks' success story illustrates how Cisco and Juniper dropped the ball, allowing an upstart to succeed on their turf.
Cisco opted to scrap "Apollo" - which a former employee who worked on the project said would have been a "Palo Alto killer" - in favor of other traditional security features. Network security is now considered among its chief weaknesses, Gartner said.
Around that time, Juniper executives were turning deaf ears to the entreaties of then-chief security technologist Nir Zuk.
Zuk, who taught himself to write computer programs when he was 16, founded Palo Alto Networks after being frustrated by what he called a lack of innovation at Juniper Networks.
He wanted to build a new type of firewall at Juniper but quit his job there in 2005 and persuaded venture capital firms Greylock Partners and Sequoia Capital to provide seed capital for his plans instead.
The Israeli native has a history of forgoing the comforts of working for an established company. Recruited by his country's military as a programmer and then by Check Point, Zuk helped develop the first commercial firewalls at the company.
However, showing the entrepreneurial spirit and a distaste for corporate life that would influence his later decisions, Zuk left Check Point when it became too bureaucratic and co-founded security firm One Secure.
"They (Check Point) were focusing on fixing bugs instead of developing new technologies, and I like to develop new technologies," Zuk, now Palo Alto Networks' Chief Technology Officer, told IT World in 2010.
Zuk's company was then acquired by NetScreen, a firewall vendor that was in turn bought by Juniper. With that transaction, innovation withered, according to Zuk.
"When you start with a small company, everything is great and you can build a product, but then you get acquired by a bigger company, and it becomes too big, and you can't do anything any more," he told IT World.
Now, his company leads the enterprise network firewall market, along with former employer Check Point.
Zuk has said publicly he delights in "kicking Checkpoint's butt" and "kicking Juniper's butt."
Indeed, Zuk's license plate for a while read CHKPKLR - "Check Point Killer." That plate now sits in his office.
"The product is fundamentally revolutionary," said security expert, John Kindervag, at Forrester Research. "All of the big (security) vendors are afraid of Palo Alto. They built it from scratch and they did it in four years."
Rivals like Cisco, Check Point or Juniper Networks would beg to differ, arguing they offer similar products.
"We will give them credit for exploiting a feature gap but I don't lie awake at night worrying about them. We've nailed that now," an executive at a larger rival firm said.
Firewall and virtual private networks (VPN) are the biggest segments in enterprise security, with 31 percent of the total 2011 market of $18.2 billion, Lazard said, adding that the NGFW segment was growing significantly faster than the overall market growth of 9 percent.
According to Gartner the firewall market, including NGFW, was worth $6.3 billion last year, compared with $5.9 billion in 2010 and $5.4 billion in 2009.
"Palo Alto Networks is well positioned to gain share in the network security market and its business model lends itself to significant operating leverage as revenues continue to grow rapidly," Morningstar said in a note.
For the nine months ended April, the company reported net income for the first time of $5.3 million on revenue of $179.5 million, against a loss of $6.5 million on revenue of $78.4 million a year earlier.
The successful public debut of IT software company ServiceNow on June 29 bodes well for investor interest in Palo Alto Networks' road show, which kicked off this week.
Despite Palo Alto Networks' lofty valuation, expected to be as much as $2.4 billion, there are concerns, the most pertinent of which is how long it can sustain its technological edge.
"PA's technological uniqueness is unlikely to last for long, although sticky (or loyal) customers will enable the company to generate recurring revenues for a long time," Morningstar said.
A secondary concern relates to a patent lawsuit filed by Juniper that could potentially force Palo Alto Networks to pay damages for past sales and royalties for ongoing sales.
In a December 2011 lawsuit, Juniper accused Palo Alto Networks - and in particular, Zuk - of infringing upon six patents, a claim Zuk's company has said was "without merit."
A hearing is scheduled for November 11, 2013 and a trial date for February 24, 2014, according to SEC filings.
"That lawsuit is a shadow hanging over them," said IT-Harvest's chief analyst Richard Stiennon.
(Editing by Peter Lauria, Edwin Chan and Bernadette Baum)