User Technology Study: Re-Engineering Enterprise Network Security for 2003
Abstract
This was originally a for-fee, licensed document. The Tolly Group released it to the general public for historical reasons in 2025.
In this report detailing results of a survey of 52 enterprise network architects conducted during December 2002, The Tolly Group captures a snapshot of the technology choices users plan to make in their deployment of network security technologies across enterprise networks.
Here’s a concise summary of the 2003 Tolly Group “Re-Engineering Enterprise Network Security” survey (Doc#203400):
Overview
The Tolly Group interviewed 52 enterprise network architects in December 2002 across end-user companies, universities, and government agencies to capture planned security technology adoption and organizational readiness. Respondents skewed toward North America (68%, with 59% U.S.) and represented sites mostly over 1,000 users. Most had direct responsibility: 84% controlled VPN/firewall/security plans and 77% designed enterprise-wide security strategy. Security spending was significant—73% devoted >10% of IT budgets to security, and >75% expected increases in 2003.
Key findings
- Best-of-breed wins: ~80% favored multi-vendor best-of-breed over suites, yet ~80% also rated integrated management as important/very important. On campus, 100% used anti-virus, 96% firewalls, and 79% IPSec VPNs and access controls, with lower use of content filtering and IDS.
- Architecture & resilience: Preference leaned to hardware-based security (63.5%) over software (36.5%). Scalability (80%) and fault tolerance (86.5%) were critical, reflecting the reality that security devices sit in the traffic path.
- End-to-end gap: Despite deployments, 67% did not encrypt data between application tiers, leaving an internal security gap.
- Remote office risk & needs: 36–37% viewed branch data as vulnerable. Desired measures were comprehensive: VPN encryption for all site-to-site/remote access (75%), stateful firewalls at each remote office (73%), and IDS monitoring (58%). Challenges cited were lack of personnel/expertise (54%), solution complexity (52%), management cost (42%), and overall cost (37%).
- SSL VPN momentum: Interest was strong but knowledge uneven. 30% said they didn’t know enough to deploy SSL-based VPNs; 26% cited app support and security concerns. Still, 71% believed browser-based SSL would replace IPSec for remote access within two years, with use cases spanning Web services (67%), extranets/eBusiness (54%), and partner/employee access (50%).
- VPN requirements: 83% used or planned to use digital certificates; QoS mattered even more—98% rated QoS very/somewhat important for secure VPNs.
- Algorithms & directories: 71% would support 3DES alongside AES or continue 3DES. LDAP/Active Directory was favored for policy storage (73%); 45% already ran AD, with 26% planning within a year and 14% within two years.
- Outsourcing stance: 49% would not outsource any security; 24% would outsource ~25%; the rest would outsource 50–100%.
Bottom line
Enterprises in 2003 were investing more in security, standardizing on best-of-breed components while demanding unified management, and starting to eye SSL VPNs for broader remote access. However, skills gaps, complexity, and an internal encryption shortfall—especially across application tiers and remote offices—were the most pressing obstacles to truly end-to-end security.