Archive

Archive for the ‘Unified Threat Management (UTM)’ Category

If it walks like a duck, and quacks like duck, it must be…?

April 2nd, 2007 5 comments

Blackhatvswhitehat
Seriously, this really wasn’t a thread about NAC.  It’s a great soundbite to get people chatting (arguing) but there’s a bit more to it than that.  I didn’t really mean to offend those NAC-Addicts out there.

My last post was the exploration of security functions and their status (or even migration/transformation)  as either a market or feature included in a larger set of features.  Alan Shimel responded to my comments; specifically regarding my opinion that NAC is now rapidly becoming a feature and won’t be a competitive market for much longer. 

Always the quick wit, Alan suggested that UTM was a "technology" that is going to become a feature much like my description of NAC’s fate.  Besides the fact that UTM isn’t a technology but rather a consolidation of lots of other technologies that won’t stand alone, I found a completely orthogonal statement that Alan made to cause my head to spin as a security practitioner. 

My reaction stems from the repeated belief that there should be separation of delivery between the network plumbing, the security service layers and ultimately the application(s) that run across them.  Note well that I’m not suggesting that common instrumentation, telemetry and disposition shouldn’t be collaboratively shared, but their delivery and execution ought to be discrete.  Best tool for the job.

Of course, this very contention is the source of much of the disagreement between me and many others who believe that security will just become absorbed into the "network."  It seems now that Alan is suggesting that the model of combining all three is going to be something in high demand (at least in the SME/SMB) — much in the same way Cisco does:

The day is rapidly coming when people will ask why would they buy a box
that all it does is a bunch of security stuff.  If it is going to live
on the network, why would the network stuff not be on there too or the
security stuff on the network box.

Firstly, multi-function devices that blend security and other features on the "network" aren’t exactly new.

That’s what the Cisco ISR platform is becoming now what with the whole Branch Office battle waging, and back in ’99 (the first thing that pops into my mind) a bunch of my customers bought and deployed WhistleJet multi-function servers which had DHCP, print server, email server, web server, file server, and security functions such as a firewall/NAT baked in.

But that’s neither here nor there, because the thing I’m really, really interested in Alan’s decidedly non-security focused approach to prioritizing utility over security, given that he works for a security company, that is.

I’m all for bang for the buck, but I’m really surprised that he would make a statement like this within the context of a security discussion.

That is what Mitchell has been
talking about in terms of what we are doing and we are going to go
public Monday.  Check back then to see the first small step in the leap
of UTM’s becoming a feature of Unified Network Platforms.

Virtualization is a wonderful thing.  It’s also got some major shortcomings.  The notion that just because you *can* run everything under the sun on a platform doesn’t always mean that you *should* and often it means you very much get what you pay for.  This is what I meant when I quoted Lee Iacocca when he said "People want economy and they will pay any price to get it."

How many times have you tried to consolidate all those multi-function devices (PDA, phone, portable media player, camera, etc.) down into one device.  Never works out, does it?  Ultimately you get fed up with inconsistent quality levels, you buy the next megapixel camera that comes out with image stabilization.  Then you get the new video iPod, then…

Alan’s basically agreed with me on my original point discussing features vs. markets and the UTM vs. UNP thing is merely a handwaving marketing exercise.  Move on folks, nothing to see here.

’nuff said.

/Hoff

(Written sitting in front of my TV watching Bill Maher drinking a Latte)

John Thompson’s (Symantec) Ironic warning of “Conflict of Interest”

March 19th, 2007 3 comments

Drivethrubeer
Infoworld ran an interesting article on John Thompson’s recent CeBIT keynote in which he took a shot at Microsoft by suggesting that there is an inherently "…huge conflict of interest for one company to provide both an operating platform and a security platform."

I suppose that opinion depends upon whether or not said company suggests that their security controls are all that are needed to secure said operating system or that defense in depth is not needed.

Here’s why I find this statement interesting and I am going to twist it by agreeing with the statement within the context of the same argument pertaining to Cisco as an extension to the many, many articles I have already written on this topic.

Given just the last rash of vulnerabilities in Cisco’s routing, switching and security products a few weeks ago, I believe it’s also a mistake (you can read "conflict of interest" if you desire) for Cisco (le fox) to protect the network (le chicken.)  That’s the same argument of the "operating system" and the "security platform."

I think it’s simply not relevant or appropriate to simply shrug off issues like this just because of Cisco’s size and the apparent manifest destiny associated with security "going into the switch" — just because it does and more than likely will — does not mean it should and does not mean that people will settle for "good enough" security when the network consistently fails to self-defend.

I don’t disagree that more and more security *will* make it’s way into the network switches, much like I don’t disagree that the sun will rise in the east and set in the west, but much in the same way that folks don’t just give up and go to sleep once the sun goes down, the lightbulb that goes on in my head suggests there is a better way.

/Hoff

The semantics of UTM messaging: Snake Oil and Pissing Matches

March 14th, 2007 No comments
Captainobvious
Those of you who know me realize that no matter where I go, who I work for or who’s buying me drinks, I am going to passionately say what I believe at the expense of sometimes being perceived as a bit of a pot-stirrer. 

I’m far from being impartial on many topics — I don’t believe that anyone is truly impartial about anything —  but at the same time, I have an open mind and will gladly listen to points raised in response to anything I say.  I may not agree with it, but I’ll also tell you why. 

What I have zero patience for, however, is when I get twisted semantic marketing spin responses.  It makes me grumpy.  That’s probably why Rothman, Shimmy and I get along so well.

Some of you might remember grudge match #1 between me and Alex Niehaus, the former VP of Marketing for Astaro (coincidence?)  This might become grudge match #2.  People will undoubtedly roll their eyes and dismiss this as vendors sniping at one another.  So be it.  Please see paragraphs #1 and 2 above. 

My recent interchange with Richard Stiennon is an extension of arguments we’ve been having for a year or so from when Richard was still an independent analyst.  He is now employed as the Chief Marketing Officer at Fortinet. 

Our disagreements have intensified for what can only be described as obvious reasons, but I’m starting to get as purturbed as I did with Alex Neihaus when the marketing sewerage obfuscates the real issues with hand-waving and hyperbole. 

I called Richard out recently for what I believed to be complete doubletalk on his stance on UTM and he responded here in a comment.  Comments get buried so I want to bring this back up to the top of the stack for all to see.  Don’t mistake this as a personal attack against Richard, but a dissection of what Richard says.  I think it’s just gobbledygook.

To be honest, I think it took a lot of guts to respond, but his answer makes my head spin as much as Anna Nicole Smith in a cheesecake factory.  Yes, I know she’s dead, but she loved cheesecake and I’m pressed for an analogy.

The beauty of blogging is that the instant you say something, it becomes a record of "fact."  That can be good or bad depending upon what you say. 

I will begin to respond to Richard’s retort wherein he first summarily states:

Here is where I stand. I hate the huge bucket that UTM has become.  Absolutely every form of gateway security can be lumped in to this
category that IDC invented. We discussed this at RSA on the panel that
Mr. Rothman so graciously hosted.

I also assume that this means Richard hates the bit buckets that Firewall, IPS, NAC, VA/VM, and Patch Management (as examples) have become, too?   This trend is the natural by-product of marketers and strategists scrambling to find a place to hang their hat in a very crowded space.  So what.

UTM is about solving applied sets of business problems.  You can call it what you like, but the only reason marketeers either love or hate UTM usually depends upon where they sit in the rankings.  This intrigues me, Richard, because (as you mention further on) Fortinet pays to be a part of IDC’s UTM Tracker, and they rank Fortinet as #1 in at least one of the product price ranges, so someone at Fortinet seems to think UTM is a decent market to hang a shingle on.

Hate it or not, Fortinet is a UTM vendor, just like Crossbeam.  Both companies hang their shingles on this market because it’s established and tracked.

When trying to classify a market you
look for common traits and, even better, common buying patterns, to
help lump vendors or products in to a category. But for Crossbeam,
Fortinet, and Astaro to be lumped together has always struck me as a
sign that the UTM "market" was not going to work.

You’re right.  Lumping Crossbeam with Fortinet and Astaro is the wrong thing to do.  😉

Arguing the viability of a market which has tremendous coverage and validated presence seems a little odd.  Crafting a true strategy of differentiation as to how you’re different in that market is a good thing, however.

I much prefer the Gartner view (as I would) of Security Platforms.
These are devices that are able to apply security policies using a
bunch of different methods and they can loosely be thrown on to a grid…

So what you’re saying is that you like the nebulous and ill-defined blob that is Gartner’s view, don’t like IDC, but you’ll gladly pay for their services to declare you #1 in a market you don’t respect?

Now, yes, I did join a company that IDC considers to be a major UTM
player- leading in volume shipments in those parts of 2006 that they
are reporting. But, I was an independent analyst and I NEVER classified
Fortinet as a UTM play.

You mean besides when you said:

"By all accounts the so called UTM market is doing very well with players like Fortinet, Barracuda, Sonicwall, Astaro, and Watchguard, evidently seeing considerable success" 

Just in case you’re interested, you can find that quote here.   There are many, many other examples of you saying this, by the way.  Podcasts, blog entries, etc.

Also, are you suggesting that Fortinet does not consider itself a UTM player?  Someone better tell the Marketing department.  Look at one of your news pages on your website.  Say, this one, for example — 10 articles have UTM in the title and your own Mr. Akomoto (VP of Fortinet, Japan) says "The UTM market was pioneered by us," says Mr. Okamoto, the vice-president of Fortinet Japan. Mr. Okamoto explains how Fortinet created the UTM category, the initial
popularity of UTM solutions with SMBs…" 

Heck, in the 24 categories for the security
market that I maintained I did not even track UTMs. As I tracked
Fortinet over the years I considered them a security platform vendor
and one that just happened to be executing on my vision for the network
security space.

Yes, I understand how much you dislike IDC.  Can you kindly show reference to where you previously commented on how Fortinet was executing on your vision for Secure Network Fabric?  I can show you where you did for Crossbeam — it was at our Sales Meeting two years ago where you presented.  I can even upload the slide presentation if you like.

As you know Chris I have always been a big fan of Crossbeam and in
the interest of full disclosure, Crossbeam was a client while I was a
Gartner analyst and my second client when I launched my own firm. Great
people and a great product.

Richard, I’m not really looking for the renewal of your Crossbeam Fan Club membership…really.

Crossbeam is the security platform of
choice for running legacy security apps.

Oh, now it’s on!  I’m fixin’ to get "Old Testament" on you!

Just so we’re clear, ISV applications that run on Crossbeam such as XML gateways, web-application firewalls, database firewalls and next generation network converged security services such as session border controllers are all UTM "legacy applications!?" 

So besides an ASIC for AV, what "new" non-legacy apps does Fortinet bring to the table?  I mean now.  From the Fortinet homepage, please demonstrate which novel new applications that Firewall, IPS, VPN, Web filtering and Antispam represent?

It must suck to have to craft a story around boat-anchor ASICs that can’t extend past AV offload.  That means you have to rely on software and innovation in that space.  Cobbling together a bunch of "legacy" applications with a nice GUI doesn’t necessarily represent innovation and "next generation." 

Now let’s address the concept of running multiple security defenses
on one security platform. Let’s take three such functions, Firewalling,
VPN, and IPS. Thanks to Checkpoint, firewalls and VPN are frequently
bundled together. It has become the norm, although in the early days
these were separate boxes. Now, you can either take a Snort
implementation and bolt it on to your firewall in such a way that a
signature can trigger a temporary block command ala Checkpoint and a
bunch of other so called IPS devices or you can create a deep packet
inspection capable firewall that can apply policies like: No Worm
Traffic. To do the latter you have to start from scratch. You need new
technology and several vendors do this pretty well.

It’s clear you have a very deluded interesting perspective on security applications. The "innovation" that you’re suggesting differentiates what has classically been described as the natrual evolution of converging marketspaces.  That over-played Snort analogy is crap.  The old "signature" vs. "anomaly detection" argument paired with "deep packet inspection" is tired.  Fortinet doesn’t really do anything that anyone else can’t/doesn’t already do.  Except for violating GPL, that is.

I suppose now that Check Point has acquired NFR, their technology is crap, too?  Marcus would be proud.

So, given a new way to firewall (payload inspection instead of
stateful inspection) what enterprise would choose *not* to use IPS
capability in their firewall and use a separate device behind the
firewall? See the trouble? A legacy firewall is NO LONGER BEST OF
BREED! The best of breed firewall can do IPS.

Oh come on, Richard.  First of all, the answer to your question is that many, many large enterprises and service providers utilize a layered defense and place an IPS before or after their firewall.  Some have requirements for firewall/IDS/IPS pairs from different vendors.  Others require defense in depth and do not trust that the competence in a solutions provider that claims to "do it all."

Best of breed is what the customer defines as best of breed.  Just to be clear, would you consider Fortinet to be best of breed?

If you use a Crossbeam, by the way, it’s not a separate device and you’re not limited to just using the firewall or IPS in "front of" or "behind" one another.  You can virtualize placement wherever you desire.  Also, in many large enterprises, using IPS’s and firewalls from separate vendors is not only good practice but also required.

How does Fortinet accomplish that?

Your "payload inspection" is leveraging a bunch of OSS-based functionality paired with an ASIC that is used for AV — you know, signatures — with heuristics and a nice GUI.  Whilst the Cosine IP Fortinet acquired represents some very interesting technology for provisioning and such, it ain’t in your boxes.

You’re really trying to pick a fight with me about Check Point when you choose to also ignore the fact that we run up to 15 other applications such as SourceFire and ISS on the same platform?  We all know you dislike Check Point.  Get over it.

I have spent eight of the last 12 weeks on the road meeting our
large enterprise clients in the Americas, Asia, and EMEA. None of them
shop comparatively for UTM appliances. Every single customer was
shopping for firewall upgrades, SSL VPN, spam or virus filtering
inline, etc.

Really?  So since you don’t have separate products to address these (Fortinet sells UTM, afterall) that means you had nothing to offer them?  Convergence is driving UTM adoption.  You can call it what you want, but you’re whitewashing to prove a flawed theorem.

During the sales process they realize the benefit of
combined functionality that comes with the ability to process payloads
and invariably sign up for more than just a single security function.
Does that mean UTM is gaining traction in the enterprise? To me the
answer is no. It means that the enterprise is looking for advanced
security platforms that can deliver better security at lower capex and
opex.

…and what the heck is the difference between that and UTM, exactly?  People don’t buy IPS, they buy network level protection to defend against attack.  IPS is just the product catagory, as is UTM. 

I would lay off the Bourbon Chris. Try a snifter of my 16 yr old
Lagavulin that I picked up in London this Friday. It will help to
mellow you out.

I don’t like Scotch, Richard.  It leaves a bad taste in my mouth…sort of like your response 😉

When Blogging goes bad…

March 3rd, 2007 3 comments

Funnypicturesfootinmouthtlu
Hey, do you remember reading this little snippet as a quote from a certain industry personality we all know and love in regards to his lack of love for UTM?

"I have a problem with the idea of Universal Threat Management
appliances.  Leaving aside the horrible terminology (Who wants to
manage threats? Don’t you want to block them and forget about them?)
the question that I always ask is: If best-of-breed is the standard for
large enterprises why would it be good practice for a smaller entity to
lump a lot of security functions such as firewall, email gateway, spam
filter, anti-virus, anti-spyware, IDS, IPS, and vulnerability
management all in one under-powered device?"

I’ll give you a hint.  It was posted here by the original author and I responded to it, here.

That’s right!  It was my buddy, Richard Stiennon — lambasting Universal (sic) Threat Management appliances…like those of Fortinet, before they offered him a job.  Perhaps Fortinet doesn’t count because they make Unified, not Universal, Threat Management devices?

Don’t hate the player, baby, hate the game!  (i.e., be careful what you blog, it could come back to hire haunt you.)

Sorry, Rich.  3 Bourbons and a long week make Johnny a lit boy.  Couldn’t help myself.  Fire Away!

/Hoff

UNP = Unecessary New Paradigm?

February 21st, 2007 6 comments

Unp [I have a backlog of blog posts due to my 2 weeks on the road.  Excuse my trip into last week.]

During our UTM Smackdown panel @ RSA, Alan Shimel from StillSecure
kept hinting (okay, yelling) about StillSecure’s upcoming product
announcement regarding their bringing a UTM solution to market.

Firstly, I think that’s great, because as I agreed, the natural
evolution of (Enterprise) UTM includes the integration of functionality such as NAC, VA/VM, etc., and StillSecure’s
products are top-notch, so I expect another excellent product from the
boys from Colorado. 

I also know that Alan and Mitchell really know
their market well and do a fantastic job with product management and
marketing within this space.  But Alan/Mitchell’s announcement has me puzzled because there’s some serious amount
of verbiage being tossed about here that’s ignoring a whole lot of reality that even the best marketing distortion field can’t obfuscate.

I found it interesting on Alan’s blog
that actually what he meant to say is that StillSecure intends to bring
a “new” type of product to market that isn’t described as UTM at all –
in fact, Mitchell Ashley (StillSecure’s CTO – and hopefully he won’t
get mad when I call him a friend) is attempting to define both a new paradigm and market segment that they call Unified Network
Platform, or UNP.  See here for Mitchell’s whitepaper and description of UNP.

UNP should not, however, be confused with UPN, the television network that brought you such hits as “Moesha.

UNP is defined as "…a new paradigm for addressing the needs of network and security functions.  Breaking the mold of the proprietary vendor hardware appliance solution, UNP provides an open platform architecture consisting of open software and general purpose hardware, enabling the convergenceof network applications."

The Model is illustrated graphically by this diagram which looks surprisingly similar to the Carrier Grade Linux group’s model and almost identical to the Crossbeam X-Series architecture:

Tcnmodel_3Clever marketing, for sure, but as I pointed out to Alan at the
Smackdown, short of the new title, neither the model nor the approach
is new at all.  In many aspects of how Alan described his new product line, it’s exactly what we do @ Crossbeam.  I was intrigued, for sure.

Apart from some semantic issues surrounding the use of open source
to the exclusion of COTS and swearing off any potential benefits of optimized hardware, Mitchell’s definition of UNP attempts to
re-brand concepts and a technology approach that’s quite familiar to me.

The model as defined by Mitchell seems to lay claim to an operational and technology integration
model that has been defined already as the foundation for Next
Generation Networks (NGN) that is at the core of the designs
IMS/converged network working groups (and VMWare’s virtual appliance
model for that matter) and call it UNP.

I really don’t get the novelty here.

Virtualization? Check.  Software is the key?  Check.  "Proprietary" hardware versus OTS hardware?

Who gives a crap!?  If the cost of a product and its positioning within the network is justified by the performance, scale, availability of software choice as defined by the user and the appropriate reduction of risk, then it seems to me that the only people who need to make the argument complaining about "proprietary" hardware are those that don’t have any…

I agree that the advance of OTS hardware and multi-core technology is yielding amazing value for the dollar spent and much of the hardware solutions today are commoditized at birth, but I maintain that there is a point of diminishing returns at which even today’s multi-core processors experience limits of memory and I/O (not to mention the ability of the software itself to take advantage of) that is specific to the market into which solutions are designed to operate.

You’ll get no argument from me that software is the secret sauce in the
security space and even in Crossbeam’s case, the hardware is a means to
an end, so if integrating FPGA’s and optimized network processing
hardware provides for hyper-performance of standard Intel reference
designs, ‘splain to me how that’s a bad thing?

I suggest that UNP is an interesting perspective and sheds light
on the “convergence” of security functionality and virtual appliances
for the SME/SMB market, but new it ain’t, and this sort of solution does not fly in the large enterprise, service provider or mobile operator.  It’s also a little odd and
naive to suggest that this is a “network” platform approach that will
rival dedicated networking functions at anything but the SME/SMB level.

Now, I’m not trying to assail Mitchell’s efforts or creativity here,
nor am I suggesting that this is not an interesting way to try and
distance StillSecure from the other 1000 me-too FW, nee IPS nee
small-office UTM fray, but there’s also a danger in trying to create
distinction in an already acronym-burdened industry and come off
looking like your doing something completely new.

I had a point-by-point response to Mitchell’s summary points of his whitepaper, but as I reviewed it I realized that this would come across as one of those enormous Hoff posts — not to mention it read as a Crossbeam versus StillSecure manifesto…and given that Alan’s into his kinder, gentler stage, I reckoned I’d give it a go, too.

…we’ll see how long that lasts.

/Hoff

Freddy Got Fingered…

November 30th, 2006 2 comments

FreddypianoFreddy Got Fingered is probably one of the most disgustingly funny movies I’ve ever seen.  It’s truly sick.  In the first 10 minutes, Chris Elliot Tom Green (thanks, Zach!) performs unnatural acts on a farm animal and plays a Brahms concerto on an electronic keyboard with pieces of meat strung from overhanging pulley systems that move up and down as he plays.

Weird.

What the hell does this have to do with what Martin McKeay wrote about my blog entry welcoming Richard Stiennon to the ranks of the UTM vendor pool?  Nothing, really.  Except for the fact that I got "fingered" (ew!) by Martin as he pegged my post for what I said it was — an un-objective "Welcome to the Jungle" message to Richard who in our last exchanges didn’t seem to believe in UTM. 

Now he does.  What a difference a day makes.

I started thinking about Richard’s comment about how in his new position he’s not going to become a "defender of the product" — somehow rising above it all and not getting dirty debating the "merits" because he’s the Chief Marketing Officer.  At first I dismissed his comments and blew him a kiss given how early in the game it is for him @ Fortinet, but I, like Martin, sure as hell hope that he’s not going to hide under a title because he doesn’t want to debate openly.

We’ve called each other out — sort of. 

I respect Richard’s opinions.  I don’t happen to agree with all of them and unfortunately I seem to be violating some unwritten rule that suggests it’s out of bounds to say so?  I guess that’s why I don’t consider myself in marketing.  Ptacek would call me on that one because everyone — including my plumber — he considers in marketing 😉

When Mr. S. was an analyst he thought fit to be able to debate and agree/disagree with anything I said.  Because he was "independent?"  Now that he’s not, he can’t?

Perhaps I missed the memo, but I think it’s a cop-out to essentially "take the fifth" when doing a 180.  I just don’t subscribe to the fact that there’s some secret code that suggests that when roles change so do opinions and the exposure that comes with articulating them.

If I went to work for Cisco tomorrow, based upon my comments and opinions in the past, I’d sure as hell expect that people would question me on it and expect to debate the "merits" one way or the other.  I’d also feel compelled to ‘splain.  But that’s just me.

Also, I’ll take any advice anyone has — whether the topic is fly fishing, chainsaw juggling or branding.  I’m an equal opportunity opinionist that expects to receive as much as I give. 😉

Enough.  This is getting to sound like I’m trying to pick on Richard.  I’m not.  Well, OK.  I am.  But that’s what all you people pay to see, right?

Rich — whaddya say we rent those inflatable Sumo suits @ RSA and do a true UTM grudge match!?  I expect that you’ll take Ken Xie’s place on Rothman’s UTM panel?

Hoff

Crossbeam To Exit Security Market — Will Re-focus On Selling Pet Supplies On-line

November 5th, 2006 1 comment

Ptacek
Firstly, I really like debating elements with Ptacek.  He’s a really, really smart guy.  Somewhat misguided, but a really, really smart guy.  I’m honored that he picks on me.  Really. 

He picked on Bejtlich the other day.  Given this association, I believe I have solved the Poincaré conjecture which has something to do with math, intractability and doughnuts.  Mmmmm.  Doughnuts.

Here, he mentions in response to my post regarding my Chicago presentation, that Cisco will crush Crossbeam.  Privately he gave me a date and time, but I told him that I wouldn’t repeat when because it might affect his Cisco stock value.

Secondly, I can only giggle about Thomas’ choice for his blog entry title ("Cisco can kill Crossbeam any time it wants…") relating how Cisco will assimilate us all…I remember that same Borg-like prediction about how Microsoft would crush the Linux movement and how no other OS would stand a chance.

I believe Thomas is still using a Mac today…

At any rate, I started with Crossbeam almost exactly a year ago.  The funny thing about crossing over from a security practitioner to working for a security vendor is that all your credibility goes out the window instantly.

I get this, it’s part of the game, but I refuse to bow to the notion that the last 15 years of my life and the credibility it has earned is erased by this singular event, so I go on assuming that my opinions count as they always have – like the paper they’re written on.

Almost always, I end up arguing with people who have either only been a vendor or an analyst and short of securing their home networks have never actually been a CISO of a company whose assets have monetary value with the word “billions” preceeding it.  I have.  I argue from that point and the beliefs that come from that perspective.  Yes, I am biased.  I was before I came to Crossbeam, too.

The one thing that makes it difficult to sort out addressing someone who is as long-winded as I am is figuring out which parts of the debate are religious, marketing, technical or dogma.

Thomas is obviously reacting to my post playing the role of Cisco’s VP of Marketing, despite his disclaimers to the opposite.  I will answer disguised as a cabaret dancer from Ohio.  I hope that’s not confusing.  If nothing I say makes sense, I’ll just ask you to rent the movie “Showgirls” and you’ll forget all about this security nonsense.

So I’ve read his retort to my post/presentation, and I’m going to respond to the things I think are worth responding to because a good chunk of his posting doesn’t really address my points – they defend Cisco’s misses.  Yet I digress…

Ptacek starts out all right, doing a good job of summarizing the sentiment of both my post and my presentation:

Chris’ argument has three salients:

  • Cisco’s Self-Defending Network Architecture (the successor to SAFE) is just marketecture.
  • Cisco hasn’t put its money where its mouth is on integration of security into its mainline platforms (the Cat and routers).
  • Security belongs at a “service layer”, virtualized over the entire network, not as point-deployed boxes (IPS) or embedded into the infrastructure (IPS blade).

I really could just stop here because I’ve yet to find anyone (besides Thomas) who would actually disagree with any of those points, so why continue? 😉

But, he did, so I will…

1.    Is SDNA “marketecture”? Of course it is. SDNA is code for “sole-source network security from Cisco”. Sniping at SDNA’s credibility is as silly as sniping at the Cisco SAFE architecture in 2001: absolutely nobody designs networks according to these “schemes”. SDNA is a “why we did it” story that is retrofit onto Cisco’s evolving product lines to make it seem like they have strong management and a real vision.

Roger that.  SDNA = marketing.  Being opportunistic marketing-wise = vision.  Check.

But Chris’ argument isn’t about SDNA. It’s about whether enterprises should sole-source from Cisco, with around $1b in security sales, or consider vendors like Crossbeam that post sales less than 8% of that.

That’s right, my argument is that you shouldn’t sole-source your security solutions from a single vendor who claims competency in 15+ categories of security without demonstrating it, ever, except with a checkbook.

Also, just to double-check, Thomas, in Cisco math, a $200,000 Cat6500 switch with two FWSM blades is still $200,000 of “security sales,” right?   Uh-huh.  How about those “negative margin” deals…

That’s a fine argument to make, but if you’re going to build it on Cisco’s inability to run a real playbook, you can’t cherry pick Cisco’s weakest messages. SDNA may be meaningless. NAC isn’t. Even if it doesn’t work yet, it’s actionable and it’s changed the way people think about securing their network, and when Cisco buys the company that can really deliver on it for large enterprises, NAC is going to cause Crossbeam huge headaches.

Cherry-pick their weakest message?  SDNA is their message, Thomas!   DVVM and Quad-play is dependent upon this underlying message that “security is the network.”  I didn’t make this up, Cisco did.

You just contradicted yourself hugely.  In the first paragraph you said that “…absolutely nobody designs networks according to these “schemes”” but somehow that’s affected the way in which folks secure their networks!?  You’re right…they take a look at the Cisco method and realize it doesn’t work and look for other solutions.

Also, I just love the “…you just wait until Cisco buys something that actually works” sentiment!

By the way, Crossbeam doesn’t have to fear when Cisco gets NAC working (which is the most hysterical comment you’ve made,) because we can simply get a best-of-breed partners’ NAC application running on our platforms…no cash, no development, no fuss.  In fact, we are already in the process of doing that.

Furthermore, when you say NAC, you mean CNAC.  But which CNAC are you referring to?  The one that didn’t completely pan-out (CSA) or the new-and-improved Clean Access?  You know, the same Clean Access that requires ANOTHER appliance to be added to the network to function and is purdy much a Cisco-only solution…

2.    If you’re an indie network security vendor with a pulse, the idea of Cisco embedding IPS and firewalls into every Cat switch and access router puts you in a cold sweat. Is Cisco full of shit about this plan? Reasonable people will disagree, but the answer will be “no”.

See, I don’t think they’re full of shit.  I just think they’re not a security company and aren’t executing on their vision in a manner consistent with the customers they serve outside of the SMB.  The Enterprise strategy is showing cracks and they are very distracted across an immense portfolio.  They’re trying to re-group on the convergence front, but there’s pressure there, too.  All the while, security plods on.

First, the existence proof: the ISR. Large enterprises buy them by the hundreds. It’s one of Cisco’s most successful products ever. And it’s a direct threat to the branch/satellite-office market that is the primary revenue multiplier for indie perimeter security vendors —- Crossbeam’s bread and butter.

The ISR is fantastic…and if you’re a branch/satellite-office company I’d suggest it’s a very good product – still only provides limited security functionality and that’s why Cisco sells ASA’s with them.

Also, if you’re suggesting that the SMB/Branch perimeter is Crossbeam’s “bread and butter” you are completely and absolutely incorrect.  90% of our revenue comes from Large enterprise data center consolidation and service provider/MSSP/mobile operator customers.  Your definition of the “perimeter” needs work as does your understanding of what we do…again.

Cisco does more than $10b a year in Cat switching alone; by revenue, their grip on that market is comparable to Microsoft’s lock on operating systems. All it takes for Cisco to launch completely integrated network security is a credible ASA blade for the Cat6k. How far out can that be? Enterprises already buy the Firewall Switch Module.

Actually, the ASA isn’t their answer to the aging FWSM, the ACE and VSA are…and it’s got a long way to go.   By the way, who said that I’m suggesting we’re out to crush Cisco?  Beating them where they do a lousy job is a very nice living by your own math above.  How far out?  You’ll have to ask them.

The 6500 series is old in the tooth and if you read Gartner’s recent 2006 MQ for Campus LAN, their darling Cisco takes some serious knocks.  That includes the security piece.  Gasp!

And finally there’s the obvious point to be made about NAC and Cisco Security Agent, the alien larvae Cisco is trying implant into host security. NAC is a lot of bad things, but “un-integrated” is not one of them.

You’re right, but you forget that "un-integrated (?)" does not equal “functional.”  You’re also a couple of months late on this argument already…please see above.  I think your a little out-of-date on where Cisco is with CNAC…please see the report above for a very interesting look at the Gartner report.

Basically, every indie vendor has a talking point about how Cisco should just stick to the connectivity that they’re good at. This stuff all sounds good at first, but c’mon. Cisco doesn’t own connectivity because they make the best routers and switches. To claim that their routing (perimeter) and switching (internal) real estate doesn’t give them a dominant position in security is to claim that the perimeter and internal networks aren’t implicated in security. Delusional.

A dominant position or an advantage in hocking their wares because there’s some box that might be a platform to deploy it someday or today in pieces?  I’d say the latter.  Where is my bottle of Zoloft, anyway?

I agree, they haven’t done it yet, but I’ll make a statement that’s sure to get me yelled at: as soon as Cisco decides it’s ready, it can end companies like Crossbeam, Checkpoint, and SourceFire within 18 months. Isn’t not doing that, and running security as a totally seperate business unit, one of the big mistakes they made in the 90s?

Oh, OK.  They haven’t because instead of feeding the hungry, bestowing Linksys DSL routers to everyone in Kentucky or donating to stop the killing in Darfur, they’ve instead decided to give  kindly by not destroying their competitors. 

Jesus, I had no idea!  Thanks for clearing that up.   

Security is now under Jayshree’s organization which is routing/switching, and I don’t believe it has ever been a separate unit.  It should be.  That way if it doesn’t pan out they can just scrap-heap it and say that it’s a feature, not a market.

3.  Does it make sense to deploy security uniformly across the whole network, defending secretary desktops the same way you defend iSCSI servers or server-agent management consoles? No. Security should be focused on assets.

Hey, that’s a great point.  I think I made it! Please tell me how they do that?

But exactly what does this have to do with network architecture? Read Chris’ slides and it seems to mean “the way to architect your network is to hang Cisco boxes off of a couple Crossbeams in your core”.

Not quite, but your extreme-isms are starting to have me think you should write for Al-Jazeera.   How about quoting what I actually talked about…you know, like build a fast, reliable, resilient and responsive network infrastructure and overlay security as a combination of security services which provides the absolute best-of-breed security in combination where you need it, when you need it and at a price tag where the risk justifies the cost.

But that’s what you meant, right? 😉

The points Thomas pins his venom on below are from a single slide in the preso which is basically a Letterman’s top-10 spoof.  Some of them are purposely meant to incite, others are humorous, some are leverage points for the rest of the discussion that the audience and I had.

I’ll respond to some of them because many of Thomas’ objections are out of context and some are just to silly to respond to.  If you really, really want a line-by-line, I’ll do it.  Y’all just let me know 😉

2.  When’s the last time a network guy could perform a byte-level forensic trace of a Botnet C&C channel or a security guy troubleshoot a nasty BGP route-reflector distribution problem?

I don’t know. You might try asking Dug Song at Arbor, Kirby Kuehl at Cisco, or any of the Team Cymru guys. When’s the last time a security guy bought a Cisco product? Hint: it happened 5 times while you read this sentence.

Ummmm…I was referring to the average security and network practitioner in a stove-piped Enterprise or service provider, not the rest of the crew from your Saturday afternoon flag-football squad 😉

These guys, like you, are not representative of the typical folks who have to actually use the stuff we’re talking about.

You know, customers.

  3.  Managing threats and vulnerabilities is not the same as managing risk; networks don’t understand the value of the data traversing it..how can they protect it accordingly?

Cisco is not an ethernet cable. “The network” is whatever your vendor says it is. In Crossbeam’s case, “the network” is Cisco and “security” is everything else, including Checkpoint and SourceFire, both of whom sell products that Cisco has pin-compatible substitutes for.

Do any of these companies “understand the data”? No, I agree, they don’t. Is “understanding the data” important? Then let’s suspend the conversation until Cisco buys Vontu and Crossbeam partners with Vericept.

Pin-compatible?   Label-compatible, perhaps.  I think this is exactly the divergence that’s at the crux of the debate here, as the “quality” of the individual security solutions on their own (appliance or embedded) versus how they work as part of an architecture is the issue.  That’s my point, but it’s not a bullet-in-a-list sort of answer.

Also, I don’t care about Cisco buying Vontu, but what makes you think that we’re not already talking (and haven’t been for some time) to an extrusion prevention/IP Leakage vendor like Vericept?   

Crossbeam doesn’t suffer from having to wait to acquire technology and then spend 18 months butchering it to get it to work within the existing platforms (or build yet another point-solution appliance.)  We do our research in advance and when the time is right – and the customers desire it – we bring a partner’s application(s) onto the platform.

   4.  Just because two things are branded with the same name doesn’t mean they can communicate or interoperate well; just ask my wife

How’s that SourceFire/Checkpoint CPMI integration coming then? You got ISS using Snort signatures yet, or vice versa? Does anyone do app-level integration well?

Nope, and we’re not going to.  Neither will Cisco because they have no reason to if the entire network — and all the security components within — is theirs.  In fact, it’s within their interests to not have this happen.  If it did, it would just make your arguments weaker.

I’m just dinging the message and the messenger.  Our “app-level integration” is approached from a different perspective that starts first with consolidation of functions, virtualization of transport, application and policy then with the capability to flexibly pass flows through combinations of these virtual security stacks managed by the discrete parties charged with their care.  Best of breed functions that can be added to in an open platform without the need for a bunch of point solutions.

In large networks, the people responsible for FW are different than those responsible for IDS, are different than those responsible for XML, etc.   They’re still very, very vertically-stovepiped.

We don’t need to boil the ocean and we don’t.  We still have work to do on providing the overall global view of how traffic moves and is affected through these stacks, but we’re not the one blowing smoke about how this supposedly all works today.

That would be your job 😉

6.  The dirty little secret of embedding security in the “network” is that it’s the same as doing it with point-appliances…a single vendor’s set of appliances

Yes, it’s true: if Cisco succeeds in embedding security into its mainline products, you are going to be using Cisco security products. Diversity and consumer choice are valid arguments against Cisco.

But there’s one way in which using embedded security demonstrably isn’t the same as using point products: you don’t have to deploy point products to do it.

I call bullshit.  If you look at the slides in my preso, I can count over 13 different “point solutions” that aren’t routers and switches which are today relied upon to deploy this supposed “embedded” security.  The only difference between Cisco’s approach to embedded security and the appliance model is that the “appliances” are all Cisco’s.

Just because they have a Cisco label on it doesn’t make it “embedded.”

  7.  Modeling the security of the self-defending network after the human immune system and suggesting that it’s the ultimate analog is a crappy idea; people die

      Yes. What I hate about Cisco’s solutions is that you have to let a few machines on your network get infected for them to generate antigens; also, when Cisco’s security features coagulate around injuries, YouTube gets really slow.

Puff, puff, pass.  Puff, puff, pass.  You’re f-in up the rotation…man!

Please point me to a single customer in the world who has a self-defending network that functions like this.  Oh, that’s right, it’s the marketecture that you referred to in your first point and forgot that it doesn’t, actually, exist.  If YouTube being slow was the biggest problem businesses had today, you wouldn’t be employed either, T.

   8.  Security solely by acquisition does not make you a security company… just like acquiring lots of security “stuff” does not make you secure

You sure this is a good argument to make for a company that delivers 99% of its security value prop through partnerships with other companies?

Let’s ask the mean question: using product space names and market position (ie, “the #5 IPS vendor”), name some of the companies Crossbeam has turned down as partners? Cisco’s kind of picky about what it buys, you know.

It’s absolutely the right argument to make.  I guarantee you that the model of being customer-driven to take the best-in-breed security solutions from true security vendors and integrate it into a delivery architecture that is designed to do this rather than being force-fed into a retro-fit, works.  Today.

Mrt

Oh, and #5 is a long way from #1, Mr. T.

"I pity the fool who mess wit Cisco.   Unnhnhnhnhh!  I want Balboa.  Sucka!"

Oh, I’d be more than glad to email you the list of 15-20 vendors over the last 6 months that we’ve said “no” to. 

You’re about to hit my threshold trip-limit on how much of our business model you claim inside knowledge to…especially since you’re batting zero at this point.

9.  Security in breadth is not the same thing as security in depth; “good enough” security is not good enough in the data center

What aspect of Cisco’s IPS is not “good enough” for the data center?

…the same one that loses to ISS, Sourcefire, and Enterasys every day.  Want to ask the same about DDoS?  I believe the answer there would be your own beloved Arbor.

People deploy Cisco’s solution usually in conjunction with other products or the same function.  I think I’ve said enough.

Did you run your original post through the Babelfish English → Cisco parser before you copy/pasted it here, or what?

10.  Securing everything, everywhere is not only unnecessary, it’s unachievable

It is if Cisco sells it at 10 points below cost in order to turn the entire network security market into a line-item feature for the Catalyst 6000.

So you admit that this is not about the efficacy of a solution but rather how much shit you have to give away for free to be called a market leader?

Actually, with the example above, Cisco now suggests you buy a completely separate 6509 into which you put all the security functions and turn it into a “security services switch” that is plugged into the “real” switching/routing fabric. 

Sound familiar?  It does to me.

I know it doesn’t sound that way, but I’m neither a fan of Cisco nor a skeptic about Chris. But his arguments don’t take Cisco seriously, and if we’re going to armchair quarterback the security industry, why be nice about that?

You’re right, it doesn’t.  I still love you, though. 

By the way, Lindstrom and I both looked at each other and laughed when we had lunch together at the show realizing that should you ever figure out we were in Chi-town and didn’t call you that you’d be grumpy.  (I had no idea you lived in Chicago so it was all Pete’s fault.)

/Hoff

Getting “defensive” about security strategy?

November 3rd, 2006 No comments

81152612s
Uncle Mikey thinks I’m backward and defensive.  He’s referring to my post last night about the yawns I continue to experience regarding Cisco’s approach to the "self-defending network."  I’ll make no bones that more and more security will make its way into the network…that wasn’t the point.  Just because it’s there, doesn’t mean it’s worth using or actually works.  That *is* my point.

Here’s his post:

Every time Chris Hoff writes something, I wonder if he’s back. It’s
been months since he’s consistently been involved in the conversation,
and I’ve missed his participation. This piece though strikes me as a
bit defensive and backwards looking. I guess Chris just had the
epiphany that Cisco’s "Self-Defending Network" is a marketecture. Of
course it is. And yes, it’s in Cisco’s best interest to have security
everywhere, OVER TIME. I understand that your business is to sell a
"virtualized best of breed security as a service layer" stuff, but to
think that the trend is not towards having security capabilities
embedded within the fabric of the network suffers from a bit of tunnel
vision. Maybe you don’t like Cisco’s plan to get customers there, but
they will get there. To be clear, I’m not talking about right now, this
is a path that we’ll follow for the next 5-7 years. But at that time,
it’ll be about how to most effectively MANAGE the embedded
capabilities. So your "virtualized service layer" morphs into a
management layer. But I suspect you already know that, but it’s more
fun to bang up Cisco and talk about arm bars.

So he’s right.  I am backward — more specifically contrarian. I am also "defensive" because I could give a shit if big is the new small, purple is the new black or men wearing lipstick is socially acceptable.  What *I* care about is solving security and survivability problems TODAY…that same marketecture that you call out is taking place over 5-7 years supposedly started 5-7 years ago according to John Chambers!

How many decades are you willing to wait just to say "I told you so" in regards to your prophetic exclamation that security will become more integrated into the network?    Convenience and cost aren’t all they’re cracked up to be.  Sometimes the stuff actually has to work!

It’s not like you have to be Ms. Cleo to see what Cisco’s doing, but you don’t have to pretend to be blind and accept that it’s the cure for world hunger, also.

This piece though strikes me as a
bit defensive and backwards looking. I guess Chris just had the
epiphany that Cisco’s "Self-Defending Network" is a marketecture. Of
course it is. And yes, it’s in Cisco’s best interest to have security
everywhere, OVER TIME. I understand that your business is to sell a
"virtualized best of breed security as a service layer" stuff, but to
think that the trend is not towards having security capabilities
embedded within the fabric of the network suffers from a bit of tunnel
vision.

No, I didn’t *just* have this epiphany, it’s been the bane of my (and almost everyone else I talk to) existence for years.  I didn’t say  that security isn’t trending into the network, Mike.  What I said is that it’s a flawed approach with an even more flawed  genesis.  Here’s a turets-inspired outburst for you:

You don’t need security everywhere, all the time.  The network will never have the intelligence to make decisions on content in context.  The balance of delivery versus security will ALWAYS swing to the former in Cisco’s world.  CISCO IS NOT A SECURITY COMPANY.

The entire corner piece for Cisco’s SDN strategy for the last few years has been on CSA — software running on damned host!  Like Stiennon says, relying on the health of the very end-point you’re trying to protect to ensure the basis of your network’s viability and survivability is freaking ludicrous.  NAC is important, but up until last year, that was it in terms of the self-defending network — leave it to the host.  Now you can send telemetry to build dynamic ACL’s.   There’s a giant step forward.

Oh, but network vendors are from venus and security folks will use MARS — is that it?

Slapping together a bunch of stuff from acquisition is security in breadth not security in depth.

Maybe you don’t like Cisco’s plan to get customers there, but
they will get there. To be clear, I’m not talking about right now, this
is a path that we’ll follow for the next 5-7 years. But at that time,
it’ll be about how to most effectively MANAGE the embedded
capabilities. So your "virtualized service layer" morphs into a
management layer. But I suspect you already know that, but it’s more
fun to bang up Cisco and talk about arm bars.

You know what, Mike?  Kindly define "there" for me.  Because if you define "there" as a cobbled together bunch of appliances, routers and switches trying to effect security dispositions across an infrastructure and security monoculture without being able to make decisions on content and context, then I totally agree with you.

Screw waiting for this stuff, Mike.  They are the biggest networking company on the planet and it’s already been 5 years.  They keep announcing strategies like they’re a special on aisle 7 and then putting them on the discount shelf when they don’t pan out.

Take AON for example.  I always used to joke it would take an EON for AON.  I’m right.  That whole thing was a crock of…and now it’s, um, moved sideways to be integrated into yet another "strategy" because architects are smart enough to detect a polished turd when they see one.

Cisco is not the answer to life, the universe and everything else.  People are NOT willing to bet their business, reputation and company’s health on another marketecture.  People also are fed up with a single vendor’s version of the truth.  That’s why there are 600+ vendors in the network security space.

Does Cisco have huge marketshare?  In networking, yes.  But over 70% of security dollars spent DO NOT GO TO CISCO.

Will Cisco "get there."  Sure.  I wonder, however, if "there" is where people really care about being.

I don’t.  My customers have problems they need solved today that overlay and work synergistically with very reliable, fast, available and robust network plumbing.  In the data center, protecting the things that matter most, good enough is NOT good enough.

At the SMB perimeter, it is.

I think, quite honestly, that you’re the one with the myopic lens — all you see is a freight train heading towards you not realizing all you have to do is jump tracks. 

All aboard!

Defending the Self-Defending Network

November 3rd, 2006 3 comments

Firewall_breach_jpg
I recently gave a session presentation at TechTarget’s Information Security Decisions show in Chicago.  The topic of my presentation was "Defending the Self-Defending Network with Virtualized Enterprise UTM."  They’re actually making a roaming seminar series out of it.

Must have been the shirts and iPods I gave away?

What’s the presentation summary?  Simple.  "Embedded" network security as proposed by Cisco is a pipe dream.  In fact, it’s nothing more than the aging appliance model with boxes NOT embedded into the routers and switches at all; they’re just a single vendor’s appliances disguised as "security enablers."

The "Self-Defending Network" is a marketecture.  It’s not feasbile, unreasonable, fiscally mis-aligned to (and unaware of) the value of the assets it protects and the worst example of risk management modeling; protecting everything, everywhere, all the time is stupid.

You ought to protect the things that matter most with the best defense possible, where needed, when needed and at a cost where the risk justifies the cost.  Box sprinkling security is so last Wednesday.

You should build a stable, resilient, fast and reliable network.  Stir in some basic "embedded" or appliancized security functionality as acceptable and then overlay virtualized best-of-breed security as a service layer.  See the post regarding SSOA (Security Service Oriented Architectures) below for the full picture.

On a more theatric note…

The wonderful marketing mavens who dreamed up the theme for my session chose football.  I grew up in New Zealand.  I know Rugby.  Moreover, what I really wanted to do was to build a theme around the sport I love most, Mixed Maritial Arts — a’la Ultimate Fighting Championship (UFC.) 

For some reason they thought that using terms such as "Kimora," "Arm bar," "tap-out by submission," and "rear naked choke" would have some sort of negative impact.  I think it’s the perfect model for a network security presentation…so did about 30 of the guys who came back to the booth to discuss the recent UFC match between Rich Franklin and "Spider" Silva…Mui Thai clinches and about 5 knees to the head…awesome!

At any rate, you’ll appreciate my lame attempts at football analogies then.

Here’s a link to the presentation if you’re interested.

Chris

Martin McKeay’s Podcast…

September 8th, 2006 2 comments

Microphone
I don’t know how I forgot to mention this.  I’m an idiot.  I listen to Martin McKeay’s podcasts religiously…and I’ve been lucky enough to participate as part of a Mobcast once before.  Martin’s depth
of knowledge and the breadth of catagories/topics and guests he includes is phenomenal.

On August 29th, Martin was kind enough to have me on his podcast and interviewed me.  I did what I always do…talk too much.  We spoke about risk management, the security landscape, and UTM.

If you’ve got 40 minutes to kill, check out the podcast here.

Chris