
Getting “defensive” about security strategy?

Uncle Mikey thinks I’m backward and defensive.  He’s referring to my post last night about the yawns I continue to experience regarding Cisco’s approach to the "self-defending network."  I’ll make no bones about the fact that more and more security will make its way into the network…that wasn’t the point.  Just because it’s there doesn’t mean it’s worth using or actually works.  That *is* my point.

Here’s his post:

Every time Chris Hoff writes something, I wonder if he’s back. It’s been months since he’s consistently been involved in the conversation, and I’ve missed his participation. This piece though strikes me as a bit defensive and backwards looking. I guess Chris just had the epiphany that Cisco’s "Self-Defending Network" is a marketecture. Of course it is. And yes, it’s in Cisco’s best interest to have security everywhere, OVER TIME. I understand that your business is to sell a "virtualized best of breed security as a service layer" stuff, but to think that the trend is not towards having security capabilities embedded within the fabric of the network suffers from a bit of tunnel vision. Maybe you don’t like Cisco’s plan to get customers there, but they will get there. To be clear, I’m not talking about right now, this is a path that we’ll follow for the next 5-7 years. But at that time, it’ll be about how to most effectively MANAGE the embedded capabilities. So your "virtualized service layer" morphs into a management layer. But I suspect you already know that, but it’s more fun to bang up Cisco and talk about arm bars.

So he’s right.  I am backward — more specifically, contrarian. I am also "defensive" because I could give a shit if big is the new small, purple is the new black or men wearing lipstick is socially acceptable.  What *I* care about is solving security and survivability problems TODAY…that same marketecture you call out as taking place over 5-7 years supposedly started 5-7 years ago, according to John Chambers!

How many decades are you willing to wait just to say "I told you so" regarding your prophetic exclamation that security will become more integrated into the network?  Convenience and cost aren’t all they’re cracked up to be.  Sometimes the stuff actually has to work!

It’s not like you have to be Ms. Cleo to see what Cisco’s doing, but you don’t have to pretend to be blind and accept that it’s the cure for world hunger, also.

This piece though strikes me as a bit defensive and backwards looking. I guess Chris just had the epiphany that Cisco’s "Self-Defending Network" is a marketecture. Of course it is. And yes, it’s in Cisco’s best interest to have security everywhere, OVER TIME. I understand that your business is to sell a "virtualized best of breed security as a service layer" stuff, but to think that the trend is not towards having security capabilities embedded within the fabric of the network suffers from a bit of tunnel vision.

No, I didn’t *just* have this epiphany; it’s been the bane of my existence (and that of almost everyone else I talk to) for years.  I didn’t say that security isn’t trending into the network, Mike.  What I said is that it’s a flawed approach with an even more flawed genesis.  Here’s a Tourette’s-inspired outburst for you:

You don’t need security everywhere, all the time.  The network will never have the intelligence to make decisions on content in context.  The balance of delivery versus security will ALWAYS swing to the former in Cisco’s world.  CISCO IS NOT A SECURITY COMPANY.

The entire cornerstone of Cisco’s SDN strategy for the last few years has been CSA — software running on the damned host!  Like Stiennon says, relying on the health of the very end-point you’re trying to protect to ensure the basis of your network’s viability and survivability is freaking ludicrous.  NAC is important, but up until last year, that was it in terms of the self-defending network — leave it to the host.  Now you can send telemetry to build dynamic ACLs.  There’s a giant step forward.

Oh, but network vendors are from Venus and security folks will use MARS — is that it?

Slapping together a bunch of stuff from acquisition is security in breadth not security in depth.

Maybe you don’t like Cisco’s plan to get customers there, but they will get there. To be clear, I’m not talking about right now, this is a path that we’ll follow for the next 5-7 years. But at that time, it’ll be about how to most effectively MANAGE the embedded capabilities. So your "virtualized service layer" morphs into a management layer. But I suspect you already know that, but it’s more fun to bang up Cisco and talk about arm bars.

You know what, Mike?  Kindly define "there" for me.  Because if you define "there" as a cobbled together bunch of appliances, routers and switches trying to effect security dispositions across an infrastructure and security monoculture without being able to make decisions on content and context, then I totally agree with you.

Screw waiting for this stuff, Mike.  They are the biggest networking company on the planet and it’s already been 5 years.  They keep announcing strategies like they’re a special on aisle 7 and then putting them on the discount shelf when they don’t pan out.

Take AON for example.  I always used to joke it would take an EON for AON.  I’m right.  That whole thing was a crock of…and now it’s, um, moved sideways to be integrated into yet another "strategy" because architects are smart enough to detect a polished turd when they see one.

Cisco is not the answer to life, the universe and everything else.  People are NOT willing to bet their business, reputation and company’s health on another marketecture.  People also are fed up with a single vendor’s version of the truth.  That’s why there are 600+ vendors in the network security space.

Does Cisco have huge marketshare?  In networking, yes.  But over 70% of security dollars spent DO NOT GO TO CISCO.

Will Cisco "get there"?  Sure.  I wonder, however, if "there" is where people really care about being.

I don’t.  My customers have problems they need solved today that overlay and work synergistically with very reliable, fast, available and robust network plumbing.  In the data center, protecting the things that matter most, good enough is NOT good enough.

At the SMB perimeter, it is.

I think, quite honestly, that you’re the one with the myopic lens — all you see is a freight train heading towards you not realizing all you have to do is jump tracks. 

All aboard!
