Alan and I normally are close enough on our positions that I don’t feel it necessary to argue with him.
I certainly don’t feel compelled to come to the defense of a competitor that Alan’s unloading on, but I’m really confused about his interpretation of what TippingPoint’s Chief Architect, Brian Smith, is communicating and where Alan suggests that he and StillSecure’s position lays.
To re-cap, Brian Smith was quoted in an SC Magazine Article as describing his views on how security ought to be positioned in the network thusly:
"Brian Smith, the chief architect of 3Com and a
founder of TippingPoint, says his first-ever RSA keynote will focus on
integrating solutions such as network access control, intrusion
prevention and behavioral anomaly detection to create an intelligent
"I can do all of these sorts of synergies and when you trace it
out, what ends up happening is you’re able to debug network problems
that you were never able to do before, get an unprecedented level of
security, and also lower the total cost of ownership," Smith says.
"They have to talk to each other. If we can pull all of these solutions
together, I think that’s going to be the trend over the next five to 10
years. It’s a natural evolution in the technology cycle."
Smith says he also plans to emphasize the benefits of the
bump-in-the-wire network approach to deploying security solutions.
Rather than embedding solutions into switchers and routers, Smith plans
to suggest overlaying solutions to allow for a more converged, cheaper
way to add intelligence to the network."
Amen to that. But lest you think I am intimating that we should all just toss appliances willy-nilly across the network (in fact, that’s the opposite of what I think,) please read on…
Apparently it was the third (boldfaced) paragraph that got Alan’s goat and provoked him into a state of up-chuckedness. Specifically, it seems that it is repugnant to Alan that someone who works for a "switch" company could suggest that overlaying security can be facilitated as a "bump-in-the wire." I guess that depends upon your interpretation of "bump-in-the-wire."
I’m guessing that Alan thinks that means individual appliances being inserted between network segments with one "goesinta" and one "goesouta" cable and yet I can’t figure out why "…virtualizing some of this stuff and putting it on blades and so forth" has to be within the router or switch and not on an extensible services platform?
I have a feeling I’m going to hear the typical "not everyone can afford big iron" as a response…but if you can generalize to prove a point, I can become surgical and suggest that it’s not fair to treat the Global 2000, Carriers, Service Providers and Mobile Operators as an exception rather than the rule when it comes to describing security trends and markets, either.
Summarily, it appears that the "convergence" of networking and security in Alan’s eyes means that security functionality MUST be integrated into routers and switches in order to be successful and that adding security functionality on top of or in conjunction with the network is a lousy idea.
Strange comments from a guy whose company takes generic PC appliances with security software on them and deploys them as bumps in the wire by sprinkling them across the network — usually at the cursed perimeter and not at the core. Confused? So am I.
Alan goes on:
Most of the guys who do the bump in the wire are trying like hell to
move up the stack and the network to get away from the edge to the
core. You may be able to do IPS as a bump in the wire at the core if
you have the horsepower, but you are going to be forced to the edge for
other security stuff if you insist on bump in the wire. Single point
of failure, scalability and cost are just working against you.
Eventually you have to turn to the switch. I just don’t get where he is
coming from here.
So you’re saying that your business model is already dead, Alan?
The final piece of irony is this:
Has selling big-ass, honking ASIC boxes to do IPS for so long totally
blinded them to virtualizing some of this stuff and putting it on
blades and so forth inside the switch and network.
Um, no. Again, not like I feel any inclination to defend Tippingpoint, but it’s apparent that Alan is not aware of TippingPoint’s M60 which is a huge multi-gigabit LAN switching platform (10-14 slots) with integrated IPS (and other functionality) that can either replace a typical switch or connect to existing switch fabrics to form an overlay security service. It’s about a year overdue from the last announcement, but the M60 is an impressive piece of iron:
Each blade in the M60 acts as a stand-alone IPS device, similar to
TippingPoint’s T-series appliances, in which network connectivity and
IPS packet processing are done on the hardware. (The exception is with
10G interfaces; the M60 uses 3Com’s 8800 dual-port 10G blades, which
connect to TippingPoint IPS blades through the switch’s backplane.)
The blades run 3Com’s TippingPoint IPS device operating system and use the vendor’s Digital Vaccine updating service, letting the device identify the latest threat signatures and vulnerabilities.
This was one of the results of the Huawei joint venture with 3Com. I believe that THIS is really what Brian Smith is talking about, not device sprinkling appliances. It’s a switch. It’s an IPS. That’s bad, how?
What has me confused is that if Alan is so against hanging security services/functions OFF a switch, why did StillSecure do the deal with Extreme Networks in which the concept is to hang an appliance (the Sentriant AG) off the switch as an appliance instead of "inside" it like he suggests is the only way to effectively demonstrate the convergence of networking and security?
So, I totally get Brian Smith’s comments (despite the fact that he’s a competitor AND works for a switch vendor — who, by the way, also OEM’d Crossbeam’s X-Series Security Services Switches prior to their Tippingpoint acquisition!)
The model is valid. Overlaying security as an intelligent service layer on top of the network is a great approach. Ask me how I know. 😉