If it walks like a duck, and quacks like duck, it must be…?

Blackhatvswhitehat
Seriously, this really wasn’t a thread about NAC.  It’s a great soundbite to get people chatting (arguing) but there’s a bit more to it than that.  I didn’t really mean to offend those NAC-Addicts out there.

My last post was the exploration of security functions and their status (or even migration/transformation)  as either a market or feature included in a larger set of features.  Alan Shimel responded to my comments; specifically regarding my opinion that NAC is now rapidly becoming a feature and won’t be a competitive market for much longer. 

Always the quick wit, Alan suggested that UTM was a "technology" that is going to become a feature much like my description of NAC’s fate.  Besides the fact that UTM isn’t a technology but rather a consolidation of lots of other technologies that won’t stand alone, I found a completely orthogonal statement that Alan made to cause my head to spin as a security practitioner. 

My reaction stems from the repeated belief that there should be separation of delivery between the network plumbing, the security service layers and ultimately the application(s) that run across them.  Note well that I’m not suggesting that common instrumentation, telemetry and disposition shouldn’t be collaboratively shared, but their delivery and execution ought to be discrete.  Best tool for the job.

Of course, this very contention is the source of much of the disagreement between me and many others who believe that security will just become absorbed into the "network."  It seems now that Alan is suggesting that the model of combining all three is going to be something in high demand (at least in the SME/SMB) — much in the same way Cisco does:

The day is rapidly coming when people will ask why would they buy a box
that all it does is a bunch of security stuff.  If it is going to live
on the network, why would the network stuff not be on there too or the
security stuff on the network box.

Firstly, multi-function devices that blend security and other features on the "network" aren’t exactly new.

That’s what the Cisco ISR platform is becoming now what with the whole Branch Office battle waging, and back in ’99 (the first thing that pops into my mind) a bunch of my customers bought and deployed WhistleJet multi-function servers which had DHCP, print server, email server, web server, file server, and security functions such as a firewall/NAT baked in.

But that’s neither here nor there, because the thing I’m really, really interested in Alan’s decidedly non-security focused approach to prioritizing utility over security, given that he works for a security company, that is.

I’m all for bang for the buck, but I’m really surprised that he would make a statement like this within the context of a security discussion.

That is what Mitchell has been
talking about in terms of what we are doing and we are going to go
public Monday.  Check back then to see the first small step in the leap
of UTM’s becoming a feature of Unified Network Platforms.

Virtualization is a wonderful thing.  It’s also got some major shortcomings.  The notion that just because you *can* run everything under the sun on a platform doesn’t always mean that you *should* and often it means you very much get what you pay for.  This is what I meant when I quoted Lee Iacocca when he said "People want economy and they will pay any price to get it."

How many times have you tried to consolidate all those multi-function devices (PDA, phone, portable media player, camera, etc.) down into one device.  Never works out, does it?  Ultimately you get fed up with inconsistent quality levels, you buy the next megapixel camera that comes out with image stabilization.  Then you get the new video iPod, then…

Alan’s basically agreed with me on my original point discussing features vs. markets and the UTM vs. UNP thing is merely a handwaving marketing exercise.  Move on folks, nothing to see here.

’nuff said.

/Hoff

(Written sitting in front of my TV watching Bill Maher drinking a Latte)

  1. April 2nd, 2007 at 11:41 | #1

    I'm not sure why Alan is over here trying to poke you in the eye with a blunt stick again. I guess he just loves the pursuit of it even if the gain isn't what any of us are after.
    Anyway, Chris, I respect your opinion about such matters. Maybe I'm off base with this but I believe that UNP running on Crossbeam is a very interesting proposition. Just my view of things.
    If you see Alan hanging around over here again, just tell him that "his boss" Mitchell says it's time to come home now. That'll get his attention redirected to a different fight. Then maybe you and I can talk business. :)

  2. April 2nd, 2007 at 14:38 | #2

    You guys know I love you both.
    I poked him first, so it's only fair.
    I know why I am reacting this way as it was pointed out by someone else. I'll cover that offline with you.
    Let me just say that I think the world of Cobia and the idea from the convergence and utility perspective, but the security dweeb in me is having fits.
    Great thing about blogging is that I get a lot of perspectives that can often have me reconsider not necessarily WHAT I think, but WHY.
    Anyway, back to NAC being a feature…

  3. April 2nd, 2007 at 17:08 | #3

    Just so you know, Alan's sensitive about the "Mitchell's my boss" thing. I'm sure you'll know the right moment to bring that one up with him. lol. :)

  4. April 2nd, 2007 at 20:19 | #4

    Chris "Obi Wan" Hoff wants to rely on the force to make Cobia dissapear

    I know we must be on to something if Hoff is relying on the force to make you not pay attention to Cobia. Now he wants to wave his hands and tell us to move on, nothing to see here.

  5. June 27th, 2007 at 06:00 | #5

    NBA – Can it be the star of the show?

    No, I am not talking about Kobe, Shaq, Tim Duncan and the rest of the athletes over at the National Basketball Association. I refer of course to Network Behavior Analysis. The estimable Mr. Rothman in his daily rant laments the

  1. No trackbacks yet.