Firstly, I really like debating elements with Ptacek. Heâs a really, really smart guy. Somewhat misguided, but a really, really smart guy. I’m honored that he picks on me. Really.
He picked on Bejtlich the other day. Given this association, I believe I have solved the Poincaré conjecture which has something to do with math, intractability and doughnuts. Mmmmm. Doughnuts.
Here, he mentions in response to my post regarding my Chicago presentation, that Cisco will crush Crossbeam. Privately he gave me a date and time, but I told him that I wouldn’t repeat when because it might affect his Cisco stock value.
Secondly, I can only giggle about Thomasâ choice for his blog entry title ("Cisco can kill Crossbeam any time it wants…") relating how Cisco will assimilate us allâŠI remember that same Borg-like prediction about how Microsoft would crush the Linux movement and how no other OS would stand a chance.
I believe Thomas is still using a Mac todayâŠ
At any rate, I started with Crossbeam almost exactly a year ago. The funny thing about crossing over from a security practitioner to working for a security vendor is that all your credibility goes out the window instantly.
I get this, itâs part of the game, but I refuse to bow to the notion that the last 15 years of my life and the credibility it has earned is erased by this singular event, so I go on assuming that my opinions count as they always have â like the paper theyâre written on.
Almost always, I end up arguing with people who have either only been a vendor or an analyst and short of securing their home networks have never actually been a CISO of a company whose assets have monetary value with the word âbillionsâ preceeding it. I have. I argue from that point and the beliefs that come from that perspective. Yes, I am biased. I was before I came to Crossbeam, too.
The one thing that makes it difficult to sort out addressing someone who is as long-winded as I am is figuring out which parts of the debate are religious, marketing, technical or dogma.
Thomas is obviously reacting to my post playing the role of Ciscoâs VP of Marketing, despite his disclaimers to the opposite. I will answer disguised as a cabaret dancer from Ohio. I hope thatâs not confusing. If nothing I say makes sense, Iâll just ask you to rent the movie âShowgirlsâ and youâll forget all about this security nonsense.
So Iâve read his retort to my post/presentation, and Iâm going to respond to the things I think are worth responding to because a good chunk of his posting doesnât really address my points â they defend Ciscoâs misses. Yet I digressâŠ
Ptacek starts out all right, doing a good job of summarizing the sentiment of both my post and my presentation:
Chrisâ argument has three salients:
- Ciscoâs Self-Defending Network Architecture (the successor to SAFE) is just marketecture.
- Cisco hasnât put its money where its mouth is on integration of security into its mainline platforms (the Cat and routers).
- Security belongs at a âservice layerâ, virtualized over the entire network, not as point-deployed boxes (IPS) or embedded into the infrastructure (IPS blade).
I really could just stop here because Iâve yet to find anyone (besides Thomas) who would actually disagree with any of those points, so why continue? đ
But, he did, so I willâŠ
1. Is SDNA âmarketectureâ? Of course it is. SDNA is code for âsole-source network security from Ciscoâ. Sniping at SDNAâs credibility is as silly as sniping at the Cisco SAFE architecture in 2001: absolutely nobody designs networks according to these âschemesâ. SDNA is a âwhy we did itâ story that is retrofit onto Ciscoâs evolving product lines to make it seem like they have strong management and a real vision.
Roger that. SDNA = marketing. Being opportunistic marketing-wise = vision. Check.
But Chrisâ argument isnât about SDNA. Itâs about whether enterprises should sole-source from Cisco, with around $1b in security sales, or consider vendors like Crossbeam that post sales less than 8% of that.
Thatâs right, my argument is that you shouldnât sole-source your security solutions from a single vendor who claims competency in 15+ categories of security without demonstrating it, ever, except with a checkbook.
Also, just to double-check, Thomas, in Cisco math, a $200,000 Cat6500 switch with two FWSM blades is still $200,000 of âsecurity sales,â right? Uh-huh. How about those ânegative marginâ dealsâŠ
Thatâs a fine argument to make, but if youâre going to build it on Ciscoâs inability to run a real playbook, you canât cherry pick Ciscoâs weakest messages. SDNA may be meaningless. NAC isnât. Even if it doesnât work yet, itâs actionable and itâs changed the way people think about securing their network, and when Cisco buys the company that can really deliver on it for large enterprises, NAC is going to cause Crossbeam huge headaches.
Cherry-pick their weakest message? SDNA is their message, Thomas! DVVM and Quad-play is dependent upon this underlying message that âsecurity is the network.â I didnât make this up, Cisco did.
You just contradicted yourself hugely. In the first paragraph you said that ââŠabsolutely nobody designs networks according to these âschemesââ but somehow thatâs affected the way in which folks secure their networks!? Youâre rightâŠthey take a look at the Cisco method and realize it doesnât work and look for other solutions.
Also, I just love the ââŠyou just wait until Cisco buys something that actually worksâ sentiment!
By the way, Crossbeam doesnât have to fear when Cisco gets NAC working (which is the most hysterical comment youâve made,) because we can simply get a best-of-breed partnersâ NAC application running on our platformsâŠno cash, no development, no fuss. In fact, we are already in the process of doing that.
Furthermore, when you say NAC, you mean CNAC. But which CNAC are you referring to? The one that didn’t completely pan-out (CSA) or the new-and-improved Clean Access? You know, the same Clean Access that requires ANOTHER appliance to be added to the network to function and is purdy much a Cisco-only solution…
2. If youâre an indie network security vendor with a pulse, the idea of Cisco embedding IPS and firewalls into every Cat switch and access router puts you in a cold sweat. Is Cisco full of shit about this plan? Reasonable people will disagree, but the answer will be ânoâ.
See, I donât think theyâre full of shit. I just think theyâre not a security company and arenât executing on their vision in a manner consistent with the customers they serve outside of the SMB. The Enterprise strategy is showing cracks and they are very distracted across an immense portfolio. They’re trying to re-group on the convergence front, but there’s pressure there, too. All the while, security plods on.
First, the existence proof: the ISR. Large enterprises buy them by the hundreds. Itâs one of Ciscoâs most successful products ever. And itâs a direct threat to the branch/satellite-office market that is the primary revenue multiplier for indie perimeter security vendors â- Crossbeamâs bread and butter.
The ISR is fantasticâŠand if youâre a branch/satellite-office company Iâd suggest itâs a very good product â still only provides limited security functionality and thatâs why Cisco sells ASAâs with them.
Also, if youâre suggesting that the SMB/Branch perimeter is Crossbeamâs âbread and butterâ you are completely and absolutely incorrect. 90% of our revenue comes from Large enterprise data center consolidation and service provider/MSSP/mobile operator customers. Your definition of the âperimeterâ needs work as does your understanding of what we do…again.
Cisco does more than $10b a year in Cat switching alone; by revenue, their grip on that market is comparable to Microsoftâs lock on operating systems. All it takes for Cisco to launch completely integrated network security is a credible ASA blade for the Cat6k. How far out can that be? Enterprises already buy the Firewall Switch Module.
Actually, the ASA isnât their answer to the aging FWSM, the ACE and VSA areâŠand itâs got a long way to go. By the way, who said that Iâm suggesting weâre out to crush Cisco? Beating them where they do a lousy job is a very nice living by your own math above. How far out? You’ll have to ask them.
The 6500 series is old in the tooth and if you read Gartner’s recent 2006 MQ for Campus LAN, their darling Cisco takes some serious knocks. That includes the security piece. Gasp!
And finally thereâs the obvious point to be made about NAC and Cisco Security Agent, the alien larvae Cisco is trying implant into host security. NAC is a lot of bad things, but âun-integratedâ is not one of them.
You’re right, but you forget that "un-integrated (?)" does not equal âfunctional.â Youâre also a couple of months late on this argument alreadyâŠplease see above. I think your a little out-of-date on where Cisco is with CNAC…please see the report above for a very interesting look at the Gartner report.
Basically, every indie vendor has a talking point about how Cisco should just stick to the connectivity that theyâre good at. This stuff all sounds good at first, but câmon. Cisco doesnât own connectivity because they make the best routers and switches. To claim that their routing (perimeter) and switching (internal) real estate doesnât give them a dominant position in security is to claim that the perimeter and internal networks arenât implicated in security. Delusional.
A dominant position or an advantage in hocking their wares because thereâs some box that might be a platform to deploy it someday or today in pieces? Iâd say the latter. Where is my bottle of Zoloft, anyway?
I agree, they havenât done it yet, but Iâll make a statement thatâs sure to get me yelled at: as soon as Cisco decides itâs ready, it can end companies like Crossbeam, Checkpoint, and SourceFire within 18 months. Isnât not doing that, and running security as a totally seperate business unit, one of the big mistakes they made in the 90s?
Oh, OK. They haven’t because instead of feeding the hungry, bestowing Linksys DSL routers to everyone in Kentucky or donating to stop the killing in Darfur, they’ve instead decided to give kindly by not destroying their competitors.
Jesus, I had no idea! Thanks for clearing that up.
Security is now under Jayshreeâs organization which is routing/switching, and I don’t believe it has ever been a separate unit. It should be. That way if it doesn’t pan out they can just scrap-heap it and say that it’s a feature, not a market.
3. Does it make sense to deploy security uniformly across the whole network, defending secretary desktops the same way you defend iSCSI servers or server-agent management consoles? No. Security should be focused on assets.
Hey, that’s a great point. I think I made it! Please tell me how they do that?
But exactly what does this have to do with network architecture? Read Chrisâ slides and it seems to mean âthe way to architect your network is to hang Cisco boxes off of a couple Crossbeams in your coreâ.
Not quite, but your extreme-isms are starting to have me think you should write for Al-Jazeera. How about quoting what I actually talked aboutâŠyou know, like build a fast, reliable, resilient and responsive network infrastructure and overlay security as a combination of security services which provides the absolute best-of-breed security in combination where you need it, when you need it and at a price tag where the risk justifies the cost.
But thatâs what you meant, right? đ
The points Thomas pins his venom on below are from a single slide in the preso which is basically a Lettermanâs top-10 spoof. Some of them are purposely meant to incite, others are humorous, some are leverage points for the rest of the discussion that the audience and I had.
Iâll respond to some of them because many of Thomasâ objections are out of context and some are just to silly to respond to. If you really, really want a line-by-line, Iâll do it. Yâall just let me know đ
2. Whenâs the last time a network guy could perform a byte-level forensic trace of a Botnet C&C channel or a security guy troubleshoot a nasty BGP route-reflector distribution problem?
I donât know. You might try asking Dug Song at Arbor, Kirby Kuehl at Cisco, or any of the Team Cymru guys. Whenâs the last time a security guy bought a Cisco product? Hint: it happened 5 times while you read this sentence.
UmmmmâŠI was referring to the average security and network practitioner in a stove-piped Enterprise or service provider, not the rest of the crew from your Saturday afternoon flag-football squad đ
These guys, like you, are not representative of the typical folks who have to actually use the stuff weâre talking about.
You know, customers.
3. Managing threats and vulnerabilities is not the same as managing risk; networks donât understand the value of the data traversing it..how can they protect it accordingly?
Cisco is not an ethernet cable. âThe networkâ is whatever your vendor says it is. In Crossbeamâs case, âthe networkâ is Cisco and âsecurityâ is everything else, including Checkpoint and SourceFire, both of whom sell products that Cisco has pin-compatible substitutes for.
Do any of these companies âunderstand the dataâ? No, I agree, they donât. Is âunderstanding the dataâ important? Then letâs suspend the conversation until Cisco buys Vontu and Crossbeam partners with Vericept.
Pin-compatible? Label-compatible, perhaps. I think this is exactly the divergence thatâs at the crux of the debate here, as the âqualityâ of the individual security solutions on their own (appliance or embedded) versus how they work as part of an architecture is the issue. Thatâs my point, but itâs not a bullet-in-a-list sort of answer.
Also, I donât care about Cisco buying Vontu, but what makes you think that weâre not already talking (and havenât been for some time) to an extrusion prevention/IP Leakage vendor like Vericept?
Crossbeam doesnât suffer from having to wait to acquire technology and then spend 18 months butchering it to get it to work within the existing platforms (or build yet another point-solution appliance.) We do our research in advance and when the time is right â and the customers desire it â we bring a partnerâs application(s) onto the platform.
4. Just because two things are branded with the same name doesnât mean they can communicate or interoperate well; just ask my wife
Howâs that SourceFire/Checkpoint CPMI integration coming then? You got ISS using Snort signatures yet, or vice versa? Does anyone do app-level integration well?
Nope, and we’re not going to. Neither will Cisco because they have no reason to if the entire network — and all the security components within — is theirs. In fact, it’s within their interests to not have this happen. If it did, it would just make your arguments weaker.
Iâm just dinging the message and the messenger. Our âapp-level integrationâ is approached from a different perspective that starts first with consolidation of functions, virtualization of transport, application and policy then with the capability to flexibly pass flows through combinations of these virtual security stacks managed by the discrete parties charged with their care. Best of breed functions that can be added to in an open platform without the need for a bunch of point solutions.
In large networks, the people responsible for FW are different than those responsible for IDS, are different than those responsible for XML, etc. Theyâre still very, very vertically-stovepiped.
We donât need to boil the ocean and we donât. We still have work to do on providing the overall global view of how traffic moves and is affected through these stacks, but weâre not the one blowing smoke about how this supposedly all works today.
That would be your job đ
6. The dirty little secret of embedding security in the ânetworkâ is that itâs the same as doing it with point-appliancesâŠa single vendorâs set of appliances
Yes, itâs true: if Cisco succeeds in embedding security into its mainline products, you are going to be using Cisco security products. Diversity and consumer choice are valid arguments against Cisco.
But thereâs one way in which using embedded security demonstrably isnât the same as using point products: you donât have to deploy point products to do it.
I call bullshit. If you look at the slides in my preso, I can count over 13 different âpoint solutionsâ that arenât routers and switches which are today relied upon to deploy this supposed âembeddedâ security. The only difference between Ciscoâs approach to embedded security and the appliance model is that the âappliancesâ are all Ciscoâs.
Just because they have a Cisco label on it doesnât make it âembedded.â
7. Modeling the security of the self-defending network after the human immune system and suggesting that itâs the ultimate analog is a crappy idea; people die
Yes. What I hate about Ciscoâs solutions is that you have to let a few machines on your network get infected for them to generate antigens; also, when Ciscoâs security features coagulate around injuries, YouTube gets really slow.
Puff, puff, pass. Puff, puff, pass. You’re f-in up the rotation…man!
Please point me to a single customer in the world who has a self-defending network that functions like this. Oh, thatâs right, itâs the marketecture that you referred to in your first point and forgot that it doesnât, actually, exist. If YouTube being slow was the biggest problem businesses had today, you wouldnât be employed either, T.
8. Security solely by acquisition does not make you a security company⊠just like acquiring lots of security âstuffâ does not make you secure
You sure this is a good argument to make for a company that delivers 99% of its security value prop through partnerships with other companies?
Letâs ask the mean question: using product space names and market position (ie, âthe #5 IPS vendorâ), name some of the companies Crossbeam has turned down as partners? Ciscoâs kind of picky about what it buys, you know.
Itâs absolutely the right argument to make. I guarantee you that the model of being customer-driven to take the best-in-breed security solutions from true security vendors and integrate it into a delivery architecture that is designed to do this rather than being force-fed into a retro-fit, works. Today.
Oh, and #5 is a long way from #1, Mr. T.
"I pity the fool who mess wit Cisco. Unnhnhnhnhh! I want Balboa. Sucka!"
Oh, Iâd be more than glad to email you the list of 15-20 vendors over the last 6 months that weâve said ânoâ to.
Youâre about to hit my threshold trip-limit on how much of our business model you claim inside knowledge toâŠespecially since youâre batting zero at this point.
9. Security in breadth is not the same thing as security in depth; âgood enoughâ security is not good enough in the data center
What aspect of Ciscoâs IPS is not âgood enoughâ for the data center?
âŠthe same one that loses to ISS, Sourcefire, and Enterasys every day. Want to ask the same about DDoS? I believe the answer there would be your own beloved Arbor.
People deploy Ciscoâs solution usually in conjunction with other products or the same function. I think Iâve said enough.
Did you run your original post through the Babelfish English â Cisco parser before you copy/pasted it here, or what?
10. Securing everything, everywhere is not only unnecessary, itâs unachievable
It is if Cisco sells it at 10 points below cost in order to turn the entire network security market into a line-item feature for the Catalyst 6000.
So you admit that this is not about the efficacy of a solution but rather how much shit you have to give away for free to be called a market leader?
Actually, with the example above, Cisco now suggests you buy a completely separate 6509 into which you put all the security functions and turn it into a âsecurity services switchâ that is plugged into the ârealâ switching/routing fabric.
Sound familiar? It does to me.
I know it doesnât sound that way, but Iâm neither a fan of Cisco nor a skeptic about Chris. But his arguments donât take Cisco seriously, and if weâre going to armchair quarterback the security industry, why be nice about that?
Youâre right, it doesnât. I still love you, though.
By the way, Lindstrom and I both looked at each other and laughed when we had lunch together at the show realizing that should you ever figure out we were in Chi-town and didnât call you that youâd be grumpy. (I had no idea you lived in Chicago so it was all Peteâs fault.)
/Hoff
I’m picking on NAC in the title of this entry because it will drive
Recent Comments