UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
WASHINGTON, D.C. 20549
FORM 10-K
(Mark One)
[x] ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE
SECURITIES EXCHANGE ACT OF 1934
For the Fiscal Year Ended September 30, 2003
OR
[ ] TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE
SECURITIES EXCHANGE ACT OF 1934
For the transition period from to
Commission File Number 0-33387
NETSCREEN TECHNOLOGIES, INC.
(Exact Name of Registrant as Specified in Its Charter)
| Delaware | 77-0469208 |
| (State or Other Jurisdiction of Incorporation or Organization) | (I.R.S. Employer Identification No.) |
| 805 11th Avenue, Building 3, Sunnyvale, California | 94089 |
| (Address of Principal Executive Offices) | (Zip Code) |
(408) 543-2100
(Registrant's Telephone Number, Including Area Code)
Securities registered pursuant to Section 12(b) of the Act: None
Securities registered pursuant to Section 12(g) of the Act:
Common Stock, $0.001 Par Value Per Share
(Title of Class)
Indicate by check mark whether the Registrant: (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the Registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days. Yes [x] No [ ]
Indicate by check mark if disclosure of delinquent filers pursuant to Item 405 of Regulation S-K is not contained herein, and will not be contained, to the best of Registrant's knowledge, in definitive proxy or information statements incorporated by reference in Part III of this Form 10-K or any amendment to this Form 10-K. [ ]
Indicate by check mark whether the Registrant is an accelerated filer (as defined in Exchange Act Rule 12b-2). Yes [x] No [ ]
The aggregate market value of the voting and non-voting common equity held by non-affiliates of the Registrant (based upon the closing price of the Registrant's common stock on March 31, 2003 of $16.78 per share) was $945,038,978.
The number of shares of the Registrant's common stock outstanding as of December 15, 2003 was 92,231,362.
DOCUMENTS INCORPORATED BY REFERENCE
Portions of Registrant's definitive proxy statement to be delivered to stockholders in connection with the Registrant's 2004 Annual Meeting of Stockholders, which is required to be filed within 120 days of Registrant's fiscal year end, are incorporated by reference into Part III of this Form 10-K.
NETSCREEN TECHNOLOGIES, INC.
ANNUAL REPORT ON FORM 10-K
FOR THE FISCAL YEAR ENDED SEPTEMBER 30, 2003
| PART I | |
| ITEM 1: | |
| ITEM 2: | |
| ITEM 3: | |
| ITEM 4: | |
| PART II | |
| ITEM 5: | Market for the Registrant's Common Equity and Related Stockholder Matters |
| ITEM 6: | |
| ITEM 7: | Management's Discussion and Analysis of Financial Condition and Results of Operations |
| ITEM 7A: | |
| ITEM 8: | |
| ITEM 9: | Changes In and Disagreements with Accountants on Accounting and Financial Disclosure |
| ITEM 9A: | |
| PART III | |
| ITEM 10: | |
| ITEM 11: | |
| ITEM 12: | Security Ownership of Certain Beneficial Owners and Management and Related Stockholder Matters |
| ITEM 13: | |
| ITEM 14: | |
| PART IV | |
| ITEM 15: | Exhibits, Financial Statement Schedules, and Reports of Form 8-K |
NetScreen, the NetScreen logo, NetScreen Technologies, GigaScreen, Neoteris and our product names are trademarks or registered trademarks of NetScreen Technologies, Inc. in the United States and other countries. Each trademark, trade name or service mark of any other company appearing herein belongs to its holder.
FORWARD-LOOKING STATEMENTS
This annual report on Form 10-K contains forward-looking statements within the meaning of Section 27A of the Securities Act of 1933 and Section 21E of the Securities Exchange Act of 1934. These forward-looking statements may be identified by the use of words such as "can," "allow," "enable," "expect," "anticipate," "intend," "believe," "estimate," "will," "may," "continue" and similar terms. These forward-looking statements include our expectations about our business strategy, revenue, cost of revenues and various operating expenses. Our actual results may differ significantly from those projected in the forward-looking statements as a result of many factors, including the risks and uncertainties discussed in the section "Management's Discussion and Analysis of Financial Condition and Results of Operations," and the section entitled "Factors That May Affect Our Business and Future Results of Operations and Financial Condition" and elsewhere in this report. You should also carefully review the risks described in other documents we file from time to time with the Securities and Exchange Commission, including the quarterly reports on Form 10-Q or current reports on Form 8-K that we will file in 2003 or 2004. You are cautioned not to place undue reliance on the forward-looking statements, which speak only as of the date of this report. We undertake no obligation to update any forward-looking statements for any reason, except as required by law, even if new information becomes available or other events occur in the future.
PART I
Overview
NetScreen develops, markets and sells a broad family of high performance, cost-effective, purpose-built network security solutions. Our security solutions integrate key security technologies in appliances and systems that can be deployed at multiple points in the network. These solutions provide the layers of network and application level security to implement secure network-to-network, user-to-network and user-to-user communication with encryption, access control, authentication and attack detection and prevention.
We believe we offer our customers the most comprehensive and effective set of network security solutions delivering core security technologies such as virtual private networking, firewall and denial of service protection, intrusion detection and prevention, and antivirus technologies. Our breadth of product offerings allows us to address the needs of a wide range of customers and networks from single user environments, to high capacity, geographically dispersed enterprise deployments, to large-scale, carrier class networks. Our broad family of products also enables our end customers to cost-effectively address their security needs across the network using stateful inspection and what we call Deep Inspection firewall technologies, IPSec and SSL VPNs, denial of service protection, antivirus and Intrusion Detection and Prevention solutions from a single vendor, reducing implementation complexities and accelerating deployments.
IP security protocol (IPSec) VPNs provide secure, encrypted connectivity between networks by tunneling traffic across untrusted networks such as the Internet. Secure sockets layer (SSL) VPNs leverage the SSL technology in a standard web browser to provide remote users and business partners with secure access to enterprise resources and applications from an Internet-enabled device without requiring the installation of client software on the remote device. Both IPSec VPNs and SSL VPNs protect against malicious eavesdropping and/or data manipulation by encrypting data to provide confidentiality and authenticating data to provide data integrity. Our stateful inspection firewalls help prevent unauthorized network access by establishing a perimeter defense between two networks, such as an enterprise's network and the Internet. These firewalls enable users to establish security policies designed to permit only authorized traffic into and out of a connected network. Deep Inspection firewalls, delivered as part of our ScreenOS version 5.0 operating system, use stateful inspection capabilities and add intrusion detection and prevention technologies to protect against application level attacks at the network perimeter. Intrusion detection and prevention (IDP) appliances detect network and application level attacks using sophisticated detection methods and, once an attack is identified, can alert internal IT staff or drop the packets or connection associated with the attack. Antivirus protection provides application layer defense by reassembling data packets at the network perimeter to detect malicious code or worms embedded in files being transferred across the network.
The NetScreen Solution
Using our products, enterprises, carriers and government entities can facilitate a variety of security and network protection objectives including securing communication over the Internet, enforcing network access policies and protecting against worm and virus outbreaks as well as sophisticated intrusion attempts by hackers. Our solutions are deployed in cost sensitive branch offices and remote sites as well as in mission-critical environments such as enterprise central sites, corporate extranets, major e-business Web sites and carrier network infrastructures. Our solutions can be purchased and operated by enterprises and can also be used by carriers to secure their infrastructure or deliver managed security services to their enterprise customers.
We provide two classes of firewall and VPN products: high performance chassis-based systems and fixed configuration appliances. Our firewall and VPN system products include the NetScreen-5400, NetScreen-5200 and NetScreen-500. These products are high capacity, high availability, flexible configuration, network security platforms. These chassis-based systems allow users to deploy multiple configurations that best suit their network environment. Our firewall and VPN appliance products include the NetScreen-208, NetScreen-204, NetScreen-50, NetScreen-25, NetScreen-5XT, NetScreen-5GT and NetScreen-5XP. These appliances provide a fixed configuration solution that greatly simplifies customer installation and can be deployed to address specific network requirements. Our firewall and VPN systems and appliances deliver integrated firewall, VPN and denial of service protection capabilities in a single device using our proprietary application specific integrated circuits (ASICs), which we refer to as the GigaScreen and GigaScreen II ASICs. Our NetScreen-5GT firewall and VPN appliance uses a reduced instruction set computer (RISC) processor with an embedded hardware accelerated encryption engine, and includes gateway-based antivirus functionality. All of our firewall and VPN systems and appliances use our embedded security operating system and applications, which we call ScreenOS, enabling flexible security and network configurations to meet the needs of a wide variety of network environments.
We provide three IDP appliances: the NetScreen-IDP 500, NetScreen-IDP 100 and NetScreen-IDP 10. These products detect attacks and prevent intrusions to reduce or eliminate the impact of a broad range of sophisticated network and application level attacks. These IDP appliances provide efficient attack detection, reducing the number of false alarms and missed attacks, and attack prevention, by dropping the packets or connection associated with the attack. These IDP appliances can be deployed as an enforcement point, or in-line, in the network to stop attacks that may have otherwise been missed by other security systems or otherwise have reached their intended network targets. Our IDP appliances run a secure version of the Linux operating system and use proprietary software and multiple detection methods to identify network and application attacks and prevent them from reaching mission-critical resources. With this platform, our IDP appliances incorporate multiple methods of detection, such as Stateful Signatures, protocol anomaly detection and backdoor detection, in a single device. These detection methodologies monitor the data traffic and connection requests on a network, in order to identify and stop attacks based on known patterns of attack, suspicious traffic or protocol anomalies.
We provide three Secure Access appliances: the NetScreen-SA 5000, NetScreen-SA 3000, and NetScreen-SA 1000. Our SSL VPN products, which we refer to as our Neoteris Secure Access Appliances, are based upon our Instant Virtual Extranet (IVE) platform, a hardened application security gateway that can easily be integrated into an enterprise's existing security infrastructure and authentication systems. With this platform, our Secure Access products provide SSL VPN capabilities to allow secure access to enterprise resources and applications without the need to deploy, configure or maintain client software on end systems. Our Secure Meeting appliance, the NetScreen-SM 3000, leverages this functionality to enable online meetings and user-to-user collaboration.
All of our products are based on industry standard communication protocols so they can be integrated easily into networks and will interoperate with other network and security infrastructure solutions, including other IPSec security devices, routers, switches, management applications and directory and authentication solutions. Our security systems and appliances can be centrally managed with flexible management software. For our firewall and VPN systems and appliances running ScreenOS version 4.0 and later versions of ScreenOS, our NetScreen-Security Manager provides centralized, end-to-end management control of device configuration, network settings and security policies across a network. NetScreen-Global PRO and Global PRO Express enable secure, scalable monitoring of devices, network traffic and security events and policy administration for devices running ScreenOS version 4.0 and earlier versions of ScreenOS. For our IDP appliances, our NetScreen-IDP Manager gives administrators control over which traffic the IDP appliance should examine and how it should respond when intrusions are detected, and provides sophisticated logging and analysis functions to aid in identifying attacks. Our SSL VPN appliances include embedded management functionality in each device.
Products
Firewall and VPN Systems and Appliances
Our firewall and VPN systems and appliances consist of the following products:
| Product | Firewall Throughput | VPN Throughput | IPSec Tunnels(1) | Maximum Concurrent Sessions | List Price(2) |
|---|---|---|---|---|---|
| Security Systems | | | | | |
| NetScreen-5400 | 12 Gbps | 6 Gbps | 25,000 | 1,000,000 | $99,000-$310,000 |
| NetScreen-5200 | 4 Gbps | 2 Gbps | 25,000 | 1,000,000 | $69,000-$269,000 |
| NetScreen-500 | 700 Mbps | 250 Mbps | 10,000 | 250,000 | $25,000-$84,600 |
| Security Appliances | | | | | |
| NetScreen-208 | 550 Mbps | 200 Mbps | 1,000 | 128,000 | $14,995-$20,800 |
| NetScreen-204 | 400 Mbps | 200 Mbps | 1,000 | 128,000 | $9,995-$14,300 |
| NetScreen-50 | 170 Mbps | 50 Mbps | 100/400 | 64,000 | $5,995-$7,795 |
| NetScreen-25 | 100 Mbps | 20 Mbps | 25/100 | 16,000 | $3,495-$4,500 |
| NetScreen-5GT | 75 Mbps | 20 Mbps | 10 | 2,000 | $495-$1,245 |
| NetScreen-5XT | 70 Mbps | 20 Mbps | 10 | 2,000 | $695-$1,500 |
| NetScreen-5XP | 20 Mbps | 13 Mbps | 10 | 2,000 | $495-$1,300 |

(1) A tunnel is an encrypted link between two devices. Where indicated, the second number indicates additional dial-up VPN tunnel capacity.
(2) Price depends on configuration and customer location.
Firewall and VPN Systems. The NetScreen-5400, NetScreen-5200 and NetScreen-500 products are high performance security systems designed to provide integrated firewall, VPN and denial of service protection capabilities for enterprise environments and carrier network infrastructures. Each can be deployed in high bandwidth environments and can be used to deliver managed security services. Our firewall and VPN systems allow unique security policies to be enforced for multiple virtual local area networks, or VLANs, allowing a single system to secure multiple networks. Our security systems also allow for the creation of multiple Virtual Systems, each providing a unique security domain with its own virtual firewall and VPN and dedicated management interface. These features enable enterprises, carriers and government entities to use a single security system to secure multiple networks and enable carriers to deliver security services to multiple customers. For example, the NetScreen-5000 product family supports 4,000 VLANs and up to 500 Virtual Systems. The NetScreen-500 supports 100 VLANs and up to 25 Virtual Systems. The NetScreen-500 supports an optional upgrade designed to enable wireless carriers to secure General Packet Radio Service (GPRS) and 3G Universal Mobile Telephone Service (UMTS) networks.
Firewall and VPN Appliances. The NetScreen-208, NetScreen-204, NetScreen-50, NetScreen-25, NetScreen-5GT, NetScreen-5XT and NetScreen-5XP security appliances are fixed configuration products of varying performance and capacity characteristics that offer integrated firewall, VPN and denial of service protection capabilities. These fixed configuration appliances are designed to greatly simplify customer installation and can be deployed to address specific network requirements. Our security appliances can be deployed to provide small to medium-sized businesses and enterprise remote locations with secure Internet access and communication. Our NetScreen-5GT appliance can be deployed with antivirus capabilities to stop virus outbreaks, including blended attacks, at the corporate gateway before they reach users' desktops.
Intrusion Detection and Prevention Appliances
Our IDP products consist of the following:
| Product | Throughput | Maximum Sessions | List Price(1) |
|---|---|---|---|
| NetScreen-IDP 500 | 500 Mbps | 220,000 | $34,995-$45,495 |
| NetScreen-IDP 100 | 200 Mbps | 70,000 | $16,495-$21,450 |
| NetScreen-IDP 10 | 20 Mbps | 10,000 | $7,995-$10,395 |

(1) Price depends on configuration and customer location.
Our IDP appliances detect attacks and prevent intrusions using Multi-Method Detection (MMD), which utilizes eight intrusion detection methods to increase the attack detection accuracy and which we believe provides the broadest attack detection coverage available. These attack detection mechanisms include protocol anomaly, backdoor, traffic anomaly, IP spoofing, Layer 2 and SYN-flood detection, a network honeypot and a technique called Stateful Signature Detection. Stateful Signature Detection uses signatures that look for attack pattern matches only in the relevant portions of the traffic where an intrusion can be perpetrated. Our IDP appliances provide fast and efficient traffic processing and alarm collection, presentation and forwarding. Once an attack is detected, our IDP appliances prevent the intrusion by dropping the packets or connection associated with the attack, reducing or eliminating the effects of the attack. Our IDP appliances can also alert the IT staff to respond to the attack. Our IDP appliances can be clustered to provide high availability and reduce the risk associated with a single point of failure.
Secure Access and Secure Meeting Appliances
Our Secure Access products consist of the following:
| Product | Maximum Concurrent Users | List Price(1) |
|---|---|---|
| NetScreen-SA 5000 | 2,500 | $39,995-$114,995 |
| NetScreen-SA 3000 | 1,000 | $29,995-$69,995 |
| NetScreen-SA 1000 | 250 | $9,995-$24,995 |

(1) Price depends on configuration and customer location.
Our Secure Meeting product consists of the following:
| Product | Maximum Concurrent Users | List Price(1) |
|---|---|---|
| NetScreen-SM 3000 | 250 | $14,995-$44,995 |

(1) Price depends on configuration and customer location.
Our Secure Access appliances provide a wide range of enterprise-class scalability, high availability, and security functionality for customers seeking to provide secure access to network resources over a public network. These appliances can provide direct access to network resources or application-layer and user-specific access to network resources in an easy to deploy appliance. Our Secure Access appliances also provide network administrators detailed auditing and reporting capabilities to monitor network access. Additionally, these appliances provide SSL VPN capabilities to allow secure access to enterprise resources and applications without the need to deploy, configure or maintain client software on end systems. Our Secure Meeting product leverages this functionality to enable online meetings and user-to-user collaboration.
Software
NetScreen-Security Manager. NetScreen-Security Manager is our next generation management platform which provides centralized, end-to-end management control of device configuration, network settings and security policies for up to 1000 NetScreen firewall and VPN systems and appliances. NetScreen-Security Manager allows enterprise IT departments and carriers to delegate appropriate levels of administrative access to specific administrators for a wide range of tasks, ranging from read-only to full-edit capabilities. It can provide or restrict information to different individuals or constituencies within the organization, allowing enterprise administrators to make role-appropriate decisions, and allowing carriers to manage security for multiple customers using a single management platform. NetScreen-Security Manager provides a single, integrated management interface to control device parameters from a centralized location and high performance log storage mechanism that allows administrators to collect and monitor detailed information on key network criteria such as network traffic, device status, and security events. With integrated configuration, logging, monitoring and reporting in a single, unified interface, and powerful role based administration, NetScreen-Security Manager enables members of an IT organization to work together to manage security on the network. NetScreen-Security Manager supports all of our firewall and VPN security systems and appliances running ScreenOS version 4.0 or later. The list price for NetScreen-Security Manager management software is between $5,995 and $72,800 depending on the number of devices to be managed and customer location.
NetScreen-Global PRO and NetScreen-Global PRO Express. Our NetScreen-Global PRO products are management applications that provide centralized network and security management for devices running our ScreenOS version 4.0 operating system software and earlier versions of ScreenOS. NetScreen-Global PRO and NetScreen-Global PRO Express manage all of our firewall and VPN systems and appliances and can be delivered as a pre-installed application on a third party server to simplify deployment. NetScreen-Global PRO is designed to allow for role-based device configuration, policy management, real-time monitoring and historical reporting of network traffic and security logs. NetScreen-Global PRO Express is an entry-level version of our management application that manages up to 100 devices. The list price for NetScreen-Global PRO management software and the server is between $16,995 and $55,995 depending on the number of devices to be managed and customer location. NetScreen-Global PRO Express has a list price between $4,995 and $25,995 depending on the number of devices to be managed and customer location.
NetScreen-IDP Manager. NetScreen-IDP Manager provides centralized, policy-based management for our IDP appliances. Using the NetScreen-IDP Manager, customers can manage up to 100 IDP appliances from a single management console. Administrators create individual rules to establish a security policy. This gives administrators control over which traffic the IDP appliance should examine and how it should respond when attacks or intrusions are detected. NetScreen-IDP Manager capabilities include a policy editor, log viewer, integrated security incident management and reports to provide our customers useful tools to manage security by using our IDP application. Customers can manage up to 10 IDP appliances using NetScreen-IDP Manager at no cost. The list price for an upgrade to the NetScreen-IDP Manager management software and the server is between $8,495 and $17,495 depending on the number of devices to be managed and customer location.
NetScreen-Remote Client software. NetScreen-Remote is a line of two client software products that provide mobile or remote users with security capabilities. NetScreen-Remote VPN Client is used to establish VPN connections from personal computers. It is based on IPSec client software licensed from a third party. The list price for NetScreen-Remote VPN Client is up to $12.50 per license. NetScreen-Remote Security Client is used to establish VPN connections as well as integrated client-based firewall capabilities. It uses software licensed from a third party. The list price for NetScreen-Remote Security Client is up to $44.50 per license.
Services
Product Support Offerings
We provide a range of hardware and software support options for our firewall and VPN systems and appliances, IDP appliances, Secure Access appliances, Secure Meeting appliances and for our NetScreen-Security Manager, NetScreen-Global PRO, NetScreen-Global PRO Express and NetScreen-IDP Manager applications. These options include extended hardware maintenance, faster hardware replacement for defective units, software maintenance and world-wide technical support with access 24 hours a day, seven days a week. These service offerings can be purchased as a bundle to provide comprehensive service and support for the covered product or as separate support offerings. The software maintenance provides our end customers with updates and upgrades during the period of coverage purchased by the customer.
Professional Services and Training Offerings
To facilitate the sale, customer installation and use of our security products, we provide our customers with fee-based, hands-on training classes, testing and certification, and professional services such as network design, product installation and configuration, and security assessments. These services can be sold by our resellers and can be delivered directly by our personnel or by authorized training and service partners.
Alliances
We have established formal and informal commercial relationships with networking, security and application development companies to provide low cost, high performance network security solutions to our customers. We expect these alliances to verify and demonstrate the interoperability of our security products with other networking equipment and technologies. We also expect these alliances to help facilitate the introduction of new features, solutions and product enhancements.
Through our Global Security Alliance program, end customers can select scalable and comprehensive network security solutions to secure their networks. Solutions offered through this program combine the features of our systems and appliances, such as firewall, VPN, denial of service protection and IDP, with the features of our alliance members' products that provide additional complementary technologies and services, to provide comprehensive end-to-end security for an end customer's network infrastructure. Some of the complementary security alliances today address antivirus filtering, application security, security event management, multi-device management, content filtering, route optimization and authentication. Within our alliance program, we work with alliance members to architect solutions and verify the compatibility and integration of such solutions. In most cases, where applicable, we have integration documentation and other tools for successful implementation. Joint solutions also address certain network environments like 3rd Generation wireless data networks (GPRS, CDMA, UMTS), IP telephony and voice-over IP, wireless LANs, and broadband.
Customers
Distributors, Resellers and Carriers
Domestically, we sell directly to major carriers and primarily indirectly to enterprise and other end customers through value-added resellers and a distributor. Internationally, we sell primarily through distributors, who, in turn, sell to value-added resellers. Sales through distributors and value-added resellers represented 92.1% of our total revenues in the fiscal year ended September 30, 2003.
End Customers
Our end customers include small, medium and large businesses, large carriers such as traditional local and long distance telephone companies, Internet carriers, managed security service providers, and government entities.
In fiscal 2003, 2002 and 2001, no customer accounted for 10% or more of our total revenues.
Technology
Our firewall and VPN security systems and appliances are built on a technology core that consists of our proprietary GigaScreen or GigaScreen-II ASICs, RISC processors and our ScreenOS, which integrates a security operating system and other software applications. Our NetScreen-5GT firewall and VPN appliance uses a RISC processor and ScreenOS. Our ASICs and ScreenOS have been designed specifically for the unique requirements of high performance security processing. The NetScreen-5000 series of systems uses GigaScreen-II ASICs and an innovative system architecture to deliver high performance security processing. We incorporate our Virtual Systems capability and high availability technology into the NetScreen-5400, NetScreen-5200 and NetScreen-500. We incorporate our high availability technology into the NetScreen-208, NetScreen-204, NetScreen-50, NetScreen-25 and the NetScreen-IDP appliances. The NetScreen-SA 5000, NetScreen-SA 3000, NetScreen-SA 1000 and NetScreen-SM 3000, are based upon our IVE platform, a hardened application security gateway. The NetScreen-IDP 500, NetScreen-IDP 100 and NetScreen-IDP 10 appliances offer MMD which utilizes eight intrusion detection methods for efficient attack detection and intrusion protection, making it capable of dropping an attack and reducing or eliminating its impact on the network. We have also developed scalable, centralized management software to allow our end customers to manage large numbers of security devices.
GigaScreen-II ASIC and NetScreen-5000 Series Hardware Architecture
The NetScreen-5000 series of systems use up to six GigaScreen-II ASICs and a distributed system architecture for high performance security processing. The GigaScreen-II ASIC contains multiple powerful processing engines, each responsible for a portion of data flow processing. Examples of these processing functions include packet parsing, classification, fragmentation, reassembly, encryption, decryption, network address translation and session lookup. The GigaScreen-II ASIC's high performance packet input-output capability and controls are designed to integrate with modern hardware packet switching technology.
Each GigaScreen-II ASIC is capable of supporting 2 Gbps of firewall traffic and 1 Gbps of VPN traffic. The NetScreen-5000 series of systems can utilize multiple GigaScreen-II ASIC processors for security flow processing and a RISC processor for management and control processes. This architecture contains three primary components:
• Secure Port (Flow Processing) Modules are based around the GigaScreen-II ASIC and a programmable front-end processor. The programmable element provides flexibility to improve future performance and facilitate scalability. These modules handle every packet as it enters and exits the system, providing packet parsing, classification and flow-level processing for packets of established sessions. Packets requiring processing beyond that provided by the secure port module are handed off to the management module for further attention.
• The Management Module is based around a powerful combination of RISC processors and a GigaScreen ASIC. It handles tasks not supported by the secure port module such as session setup and tear down, IKE negotiation, all management access, and dedicated inter-system, high availability and management interfaces.
• The High Performance Backplane interconnects all the internal system components. Using a multi-bus architecture and a switched fabric, it provides an efficient communication path for control information, data exchange and packet forwarding between modules.
GigaScreen ASIC and Multi-bus Architecture
For most of our firewall and VPN appliances, our GigaScreen ASIC provides hardware-based acceleration for firewall and VPN functions, such as encryption, authentication, public key acceleration, security policy search engine and network address translation acceleration. Each GigaScreen ASIC performs data encryption using the data encryption standard, or DES, which is an industry standard encryption algorithm, at speeds of up to 1.2 Gbps, or up to 400 Mbps using 3DES encryption. Each GigaScreen ASIC also supports industry standard authentication algorithms, such as MD-5 and SHA-1. The NetScreen-500, NetScreen-208 and NetScreen-204 are based on system-level designs that incorporate a GigaScreen ASIC connected to a RISC processor through a multi-bus architecture to accelerate processing-intensive security functions. This multi-bus architecture uses two independent buses to connect our GigaScreen ASIC and host processor to the packet memory. Our multi-bus architecture increases performance by reducing the bandwidth burden on the packet memory bus.
ScreenOS
Our ScreenOS is a security operating system integrated with a suite of applications designed to offer high levels of security and performance that we have incorporated into all of our security systems and appliances. We have developed ScreenOS to deliver a comprehensive suite of tightly integrated high performance network security functions including firewall, VPN and denial of service protection. ScreenOS is designed to eliminate traditional performance bottlenecks and known security flaws. It cannot be easily analyzed for vulnerabilities by hackers since the source code is not generally publicly available. In addition to providing a secure operating system and key security applications, ScreenOS delivers a robust set of technologies based on industry standard protocols designed to allow our security systems and appliances to be integrated easily into our end customers' existing networks.
To facilitate network integration, ScreenOS allows our security systems and appliances to be configured to work in one of three modes of operation: route mode, network address translation, or NAT, mode, and transparent mode. In route mode, the network is configured to have different IP networks on each interface of the security product, and our system or appliance enforces security policies as it routes traffic between different networks. In NAT mode, IP addresses on one interface can be translated into different IP addresses as the traffic traverses the device, allowing IP addresses to be hidden from outside view for increased security as well as allowing addresses to be conserved. NetScreen's transparent mode enables the security device to be integrated easily into a network without any changes to IP addressing of the network. In transparent mode, the device will not be assigned an IP address, which makes it harder for a hacker to detect or attack the security system or appliance.
ScreenOS supports a number of industry standard and specialized protocols to allow our devices to be integrated into existing networks, security environments and network management environments. ScreenOS supports dynamic routing protocols including OSPF, BGP and RIPv2. ScreenOS supports and is compatible with authentication mechanisms including RADIUS servers, Secured token-based authentication and digital certificates and certificate authorities from VeriSign, Inc., Entrust, Inc., Baltimore Technologies plc, Microsoft Corporation, Netscape Communications Corp. and RSA Security Inc. ScreenOS supports industry standard management protocols including simple network management protocol, or SNMP, syslog, telnet and secure shell, or ssh, protocol, as well as proprietary management interfaces to our central management software and to NetIQ's WebTrends monitoring application.
ScreenOS version 5.0 - Deep Inspection Firewall and Antivirus
Deep Inspection Firewall. ScreenOS version 5.0 incorporates new application-level attack protection using elements of our IDP technology to enable what we call Deep Inspection firewall capabilities on our firewall and VPN security appliances and systems. A Deep Inspection firewall can be deployed at the network perimeter and is designed to prevent application-level attacks aimed at Internet-facing applications, such as Web, e-mail, FTP and DNS. Our Deep Inspection firewall reduces or eliminates application-level attack ambiguities by performing a variety of functions such as converting network packets to the application-level message being transmitted and applying attack pattern matches where attacks are likely to be perpetrated. Our Deep Inspection firewall then decides to accept or deny the traffic based on high impact protocol anomalies or any given attack pattern. The Deep Inspection firewall can block application-level attacks at the Internet gateway so they never reach their destination.
Antivirus. ScreenOS 5.0 also enables the embedded antivirus capabilities on our NetScreen-5GT security appliance. With antivirus scanning technology, the NetScreen-5GT with ScreenOS version 5.0 has the ability to stop virus outbreaks, including blended attacks, at the corporate gateway before they reach users' desktops. Additional features also available in ScreenOS version 5.0 assist with antivirus protection on other NetScreen devices by facilitating redirection of relevant traffic by NetScreen devices to a third party device for content scanning.
High Availability Technology
The NetScreen-5400, NetScreen-5200, NetScreen-500, NetScreen-208, NetScreen-204, NetScreen-50 and NetScreen-25 incorporate our ScreenOS high availability capabilities, which are based on version 2 of the NetScreen Redundancy Protocol, or NSRPv2. NSRPv2 enables a redundant pair of our security systems to be integrated into a high availability network architecture, with redundant physical connections between the systems and the adjacent network switches. These systems can simultaneously process network traffic, called an active-active configuration, and can synchronize system configurations, session states and IPSec tunnel states between the systems using redundant, high availability connections between the two systems. This system synchronization allows a redundant system to take over network traffic processing typically in less than one second after a system or network failure to ensure that network traffic can continue to be forwarded. NetScreen's active-passive high availability configuration provides for synchronization of system configuration, session states and IPSec tunnel states between an active appliance and a standby appliance. The NetScreen-50 supports the active-passive configuration and the NetScreen-25 provides a feature called HA-Lite that supports the active-passive configuration with synchronization of only system configurations. The rest of the NetScreen devices listed above can support both active-active and active-passive configurations.
Virtual Systems Capability
The NetScreen-5400, NetScreen-5200 and NetScreen-500 also incorporate our patent pending ScreenOS Virtual Systems capability. Used in conjunction with multiple physical interfaces or industry standard VLAN technology, this architecture allows end customers to use a single system to create up to 500 virtual firewalls and VPN gateways, each able to protect a unique security domain. Each Virtual System can have its own address book, policies and management set based on the end customer's requirements. As a result, our Virtual Systems capability allows enterprises and government entities to implement multiple departmental security systems on a single platform, and it enables Internet data center operators and carriers to deliver managed security services to numerous individual users easily and cost effectively.
IDP MMD Attack Detection
The NetScreen-IDP 500, NetScreen-IDP 100 and NetScreen-IDP 10 appliances offer MMD, which utilizes eight intrusion detection methods to increase the attack detection accuracy and which we believe provide the broadest attack detection coverage available. These intrusion detection mechanisms include protocol anomaly, backdoor, traffic anomaly, IP spoofing, Layer 2 and SYN-flood detection, a network honeypot and a technique called Stateful Signature Detection. Stateful Signature Detection uses signatures that look for attack pattern matches only in the relevant portions of the traffic where an intrusion can be perpetrated.
IVE Platform
The NetScreen-SA 5000, NetScreen-SA 3000, NetScreen-SA 1000 and NetScreen-SM 3000 appliances are based upon our IVE platform, a hardened application security gateway. This platform includes hardware and software features to allow our Secure Access and Secure Meeting products to be securely integrated with the customer's existing infrastructure. This platform includes a hardened web server, capabilities to allow continuity of policies throughout the enterprise, security certifications to facilitate server authentication functionality, clustering capabilities for high throughput and performance and stateful peering and clustering to increase reliability and high availability of user, system, and session state.
Scalable Central Management Software
We have developed our NetScreen-Security Manager, NetScreen-Global PRO and NetScreen-IDP Manager applications to enable secure, scalable monitoring of devices, network traffic and security events, and device configuration and policy administration. The NetScreen-Security Manager management software is our next generation management platform that incorporates a scalable system architecture designed to allow the platform to be rapidly extended to support large numbers of devices, additional ScreenOS features, and additional security technologies in future releases. NetScreen-Security Manager's architecture is comprised of a device server, a GUI server, and a lightweight user interface (UI). To address the diverse management needs of the IT staff while maintaining flexibility and performance, all device related functions are executed on the device server, while all centralized configuration functions run in the GUI server. This separation of device server and GUI server enables performance and flexibility. Both device and GUI components can reside on the same server where cost and/or simplicity are the primary requirements, or reside on separate servers where performance and deployment flexibility are more important. Independent of the chosen deployment of the device and GUI servers, the UI provides the single point of access for the administrator to all of the information and capabilities of the system. The NetScreen-Security Manager can support multiple simultaneous administrators by supporting multiple GUI instances, powerful role based delegation of administrative rights and object locking that allows multiple administrators to safely modify policies or devices concurrently.
Research and Development
We have assembled a team of engineers with experience in the fields of computing, network system design, Internet routing protocols, Internet security standards, embedded software and network management software. In addition to having the ability to build complex hardware and software systems, our engineering team has experience in developing and delivering large, highly integrated ASICs and scalable security software.
We believe that strong product development capabilities are essential to our strategy of enhancing our core technology, developing and incorporating additional functions, and maintaining the competitiveness of our product offerings. We are building on our proprietary GigaScreen and GigaScreen-II ASICs and continuing to develop next generation technology to support the anticipated growth in network bandwidth requirements. We continue to develop new releases of our ScreenOS, IDP operating system, IVE platform and management software to improve functionality, performance, scalability and the user interface.
Our research and development expenses were $43.9 million for the year ended September 30, 2003, $32.8 million for the year ended September 30, 2002 and $25.6 million for the year ended September 30, 2001.
Manufacturing
We outsource the manufacturing of our systems and appliances. We contract our manufacturing requirements to Flash Electronics, Inc., Solectron Corporation and another third party manufacturer. This contracting activity extends from prototypes to full production and includes material procurement, assembly, test, control and shipment to our customers. We design, specify and monitor all of the tests that are required to meet internal and external quality standards. Our contracting arrangements provide us with the ability to deliver products quickly to customers by using Flash Electronics' and Solectron's turnkey manufacturing and drop shipment capabilities. In addition, we can adjust manufacturing volumes rapidly to meet changes in demand. None of the agreements with these manufacturers provide for a fixed term of service. In addition, our proprietary ASICs are fabricated by foundries operated by Toshiba America Electronic Components, Inc.
Competition
The market for network security products is highly competitive, and we expect competition to intensify in the future. Competitors may gain market share and introduce new competitive products for the same markets and customers currently served by our products. We currently compete principally on the basis of product security, performance, reliability, scalability, manageability and cost-effectiveness. We believe that we compete favorably on the basis of these factors.
Current and potential competitors in our market include the following, all of which sell worldwide or have a presence in most of the major geographical markets for their products:
- firewall and VPN software vendors, such as Check Point Software Technologies Ltd. and Symantec Corporation;
- network equipment manufacturers, such as Cisco Systems, Inc., Lucent Technologies Inc., Nokia Corporation and Nortel Networks Corporation;
- security appliance suppliers, such as SonicWALL, Inc., WatchGuard Technologies, Inc. and Symantec Corporation;
- SSL VPN vendors, such as Cisco Systems, Inc., F5 Networks, Inc. and Symantec Corporation;
- intrusion detection system vendors including Internet Security Systems, Inc., Cisco Systems, Inc., Network Associates, Inc. and Enterasys Networks, Inc.;
- low-cost hardware suppliers with products that include network security functionality; and
- emerging security companies that may position their systems as replacements for our products.
Intellectual Property
Our success and ability to compete are substantially dependent upon our internally developed technology and know-how. As of December 15, 2003, we have twenty-three patent applications pending in the United States relating to our technologies and the design of our products. We have elected to extend three of these patent applications to other countries. Our engineering teams have significant expertise in ASIC design. Our ScreenOS operating system and applications and our NetScreen-Security Manager, NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-Global Manager and NetScreen-IDP Manager software were developed internally and are protected by United States and international copyright laws.
While we rely on patent, copyright, trade secret and trademark law to protect our technology, we also believe that factors such as the technological and creative skills of our personnel, new product developments, frequent product enhancements and reliable product maintenance are essential to establishing and maintaining our position. Other companies may develop technologies that are similar or superior to our technology.
Our success depends in part upon our ability to obtain necessary intellectual property rights and protect our intellectual property rights. We may not be able to obtain the necessary intellectual property rights and other parties may contest our intellectual property rights.
Backlog
Our backlog consists of orders that are placed by customers on credit hold, orders awaiting shipment or orders that are subject to other constraints. However, orders may be cancelled by the customer prior to shipment. For these reasons, we believe that our backlog at any given date is not material to an understanding of our business.
Employees
As of September 30, 2003, we had 646 full-time employees, 181 of whom were engaged in research and development, 277 in sales and marketing, 75 in customer service and support and 113 in administration and operations. None of our employees is represented by a labor union. We have not experienced any work stoppages and we consider our relations with our employees to be good.
Acquisitions
On November 14, 2003, we completed the acquisition of Neoteris, Inc., a provider of secure sockets layer virtual private networking (SSL VPN) solutions. We paid $20.0 million in cash and issued 9.7 million shares of our common stock for all the outstanding stock of Neoteris. We also assumed all of the outstanding stock options of Neoteris, which were converted into options to purchase 1.2 million shares of our common stock. We have agreed to pay Neoteris stockholders and option holders up to an additional $30 million in cash upon the achievement of certain revenue milestones. Through the acquisition of Neoteris, we added SSL VPN appliances to our broad family of integrated network security solutions. Unless otherwise noted, the results of operations presented in this report do not include the impact of the Neoteris acquisition.
Corporate Information
We were incorporated in Delaware in October 1997. Our principal executive offices are located at 805 11th Avenue, Building 3, Sunnyvale, California 94089, and our telephone number at this location is (408) 543-2100. Our common stock is traded on the Nasdaq National Market under the ticker symbol NSCN. Our primary Web site address is www.netscreen.com. Through a link on our Investor Relations section of our Web site, we make available the following filings as soon as reasonably practicable after they are electronically filed with or furnished to the SEC: our Annual Report on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K and any amendments to those reports filed or furnished pursuant to Section 13(a) or 15(d) of the Securities Exchange Act of 1934. All such filings are available free of charge. The information on our Web site is not incorporated by reference into this annual report.
We occupy approximately 156,000 square feet in Sunnyvale, California pursuant to a lease that will expire on May 13, 2008. We may lease an additional 22,000 square feet in this facility, exercisable at our option anytime through February 14, 2004. We may need to lease additional space to accommodate future growth.
We are subject to legal proceedings, claims and litigation arising in the ordinary course of business. While the outcome of these matters is currently not determinable, we do not expect that the ultimate costs to resolve these matters will have a material adverse effect on our consolidated financial position, results of operations or cash flows.
Item 4. Submission of Matters to a Vote of Security Holders.
Not applicable.
PART II
Item 5. Market for Registrant's Common Equity and Related Stockholder Matters.
Price Range of Common Stock
Our common stock has traded on the Nasdaq National Market under the symbol NSCN since our initial public offering of stock on December 12, 2001. Prior to this time, there was no public market for our common stock. The following table presents the high and low sales price per share of our common stock for the periods indicated, as reported on the Nasdaq National Market:
| | High | Low |
| Fiscal Year ended September 30, 2003 | | |
| Fourth Quarter | $27.29 | $19.95 |
| Third Quarter | $24.50 | $16.81 |
| Second Quarter | $20.80 | $15.32 |