Yawn, Part Deux

February 21st, 2007 4 comments

I was talking to Andy Jaquith (please buy his book, I’m tired of buying him drinks) tonight at BeanSec! and recalled an ad hoc conversation I had with Rothman the other day in regards to just how damned boring the security space has become in the last year.

I know it’s not just me (now) that senses an overall slow down in the amount of forward motion our industry is making.  This isn’t suggesting that there isn’t innovation and technology movement, it’s just that we seem to be solving the same set of problems from twenty years ago and perfuming a pig.

I walked through RSA this year and short of Veracode’s booth (OK, they offered me beer) it may as well have been a Shriner’s convention.

How many NAC vendors does it take to fill an RSA conference?  None, because according to Art (he’s on Crossbeam’s board, but I respectfully disagree) there aren’t going to be any independent security companies.  Yet I digress.

"Sadly," we haven’t really had an exciting worm or virus outbreak recently.  Patch Tuesdays are almost non-events and unless someone releases a zero-day remote exploit  for controlling the UHF output on a Commodore 64, I think I’m just going to die of boredom.  Snore.

Help me out here.  Redeem our industry and help me regain my will to live.  Pop some comments on your perspectives of what’s worth looking at from a security perspective — I mean cool, unique, innovative and problem-solving focused security solutions to really complex business problems.

Please.

/Hoff

Categories: General Rants & Raves Tags:

Two little snippets on Cisco’s Security Strategy

February 21st, 2007 No comments

It’s no great secret that from a strategic perspective (or a tactical implementation slant, either) I am not a fan of Cisco’s security vision or execution.  Right, wrong or indifferent, I simply don’t believe that Cisco is a security company and just because security can (and will continue to) make its way deeper into the network fabric doesn’t mean it should.

Yawn.

I have consistently focused on the fact that pushing more and more security into the network will lead to a security monoculture and last week’s multiple vulnerabilities across Cisco’s network and security products was further indication that I think we’re heading for a car crash of epic proportions one day soon.  This is where a single vendor’s version of the truth is a bad thing as defense in breadth is not the same as defense in depth.

</doomsday_prediction off>

On a related topic, I think Tim Wilson from Dark Reading also summed up Cisco’s security strategy (or lacking parts thereof) quite nicely:

The takeaway, I think, is that no single tool vendor comes at security without a bias. You can hardly blame Cisco from approaching security at the network level, just as Microsoft approaches it from the desktop level. When you listen to vendors talk about "enterprise security," then, it pays to read between the lines. Sometimes what they don’t say is as important as what they say.

But that’s just it — approaching security from the network level only (from the bottom up) without a coherent strategy on how to approach it from the data and application perspective (top down) means you get a disjointed and purely mechanical threat and vulnerability-focused set of security "tools."

I think it’s a fair thing to say that all vendors (even *gasp* me) are biased, but I think Tim’s article nicely summed up how lacking Cisco’s "end-to-end" strategy is:

  • Data/Database Security
  • Portable Device Security
  • Security Research/Threat Analysis
  • Application Security
  • Multi-factor Authentication

I don’t think there is any vendor who has this straight, but for some reason folks have a predilection towards suggesting that Cisco — due mostly to port coverage — does. 

Security is more than L2 access switch ports or router shipments or an acquisition or ten and a cram-down of commoditizing functions into switches.  I’m not arguing that Cisco doesn’t have a strategy, but can’t we just all admit that bumping around in the dark and "investing" in incoherent and non-consolidated solution sets does not a robust security play make?

Why do I keep harping on this?  Because someone has to and more and more customers are really starting to question the big green monster’s competencies.

Speaking of which, Cisco announced today its acquisition of Reactivity — an XML security play the likes of which competes with Datapower and Forum Systems.

Mike R. commented on the deal with the following:

They announced yet another acquisition of Relativity this morning (release here). Only $135 million for this one, on what is probably minimal revenue. This continues Cisco’s assault on security, moving up the stack. Relativity makes an XML gateway (yes, it’s a box) that does some hygiene on XML traffic (encryption, filtering, authentication, acceleration, etc.). Of course, this market is really early and there were only maybe 2 or 3 other players (Forum and Vordel come to mind). But let’s be very clear, Cisco intends to be a player at the application layer. And they are flexing their checkbook to get there.

…a couple of comments:

1) The only thing I think that this is an assault on is the further dilutive effect this will have on the XML gateway "market" as it becomes a feature rather than a market via acquisition.  Up or down the stack, Cisco isn’t early to this game, they are late…by about 2 years.

2) The XML gateway market isn’t early at all.  It’s waning as the "market" becomes a feature and this technology is absorbed into the convergence of the web application firewall (WAF) and application delivery controller (ADC) markets.

The adoption of XML security products at large has been hindered by the complexity of the SOA architectures into which most of these products were/are intended for deployment.  Most security companies (integrators, resellers, consultants) don’t have a clue about how or who to speak to in regards to XML.  Most can barely spell it.

3) Cisco intends to be a player in every market else they wouldn’t enter it.  They’ll just botch it up and stumble their way through mediocrity and claim success as measured by drawing a circle around their feet as victory and a well executed strategy.

However, they’re not infallible and as I’ve said before, just look at the cracks in the armor.  AON — which was supposed to replace the middle tier and collapse the complexity of SOA — has itself collapsed and become absorbed into the fringes of a converged security strategy.

Yeah, yeah, I know.  They’re Cisco.  Get over it Hoff.

/Hoff

Categories: Cisco Tags:

A Funny Thing Happened at the Museum Of Science…

February 21st, 2007 No comments

One of the benefits of living near Boston is the abundance of amazing museums and historic sites available for visit within 50 miles from my homestead.

This weekend the family and I decided to go hit the Museum of Science for a day of learning and fun.

As we were about to leave, I spied an XP-based computer sitting in the corner of one of the wings and was intrigued by the sign on top of the monitor instructing any volunteers to login:

[Photo: the sign on top of the monitor]

Then I noticed the highlighted instruction sheet taped to the wall next to the machine:

[Photo: the instruction sheet taped to the wall]

If you’re sharp enough, you’ll notice that the sheet instructs the volunteer how to remember their login credentials — and what their password is (‘1234’) unless they have changed it!

"So?" you say, "That’s not a risk.  You don’t have any usernames!"

Looking to the right I saw a very interesting plaque.  It contained the first and last names of the museum’s most diligent volunteers who had served hundreds of hours on behalf of the Museum.  You can guess where this is going…

I tried for 30 minutes to find someone (besides Megan Crosby on the bottom of the form) to whom I could suggest a more appropriate method of secure sign-on instructions.  The best I could do was one of the admission folks who stamped my hand upon entry and ended up with a manager’s phone number written on the back of a stroller rental slip.

(In)Security is everywhere…even at the Museum of Science.  Sigh.

/Hoff

UNP = Unnecessary New Paradigm?

February 21st, 2007 6 comments

[I have a backlog of blog posts due to my 2 weeks on the road.  Excuse my trip into last week.]

During our UTM Smackdown panel @ RSA, Alan Shimel from StillSecure kept hinting (okay, yelling) about StillSecure’s upcoming product announcement regarding their bringing a UTM solution to market.

Firstly, I think that’s great, because as I agreed, the natural evolution of (Enterprise) UTM includes the integration of functionality such as NAC, VA/VM, etc., and StillSecure’s products are top-notch, so I expect another excellent product from the boys from Colorado.

I also know that Alan and Mitchell really know their market well and do a fantastic job with product management and marketing within this space.  But Alan/Mitchell’s announcement has me puzzled because there’s some serious amount of verbiage being tossed about here that’s ignoring a whole lot of reality that even the best marketing distortion field can’t obfuscate.

I found it interesting on Alan’s blog that actually what he meant to say is that StillSecure intends to bring a “new” type of product to market that isn’t described as UTM at all – in fact, Mitchell Ashley (StillSecure’s CTO – and hopefully he won’t get mad when I call him a friend) is attempting to define both a new paradigm and market segment that they call Unified Network Platform, or UNP.  See here for Mitchell’s whitepaper and description of UNP.

UNP should not, however, be confused with UPN, the television network that brought you such hits as “Moesha.”

UNP is defined as "…a new paradigm for addressing the needs of network and security functions.  Breaking the mold of the proprietary vendor hardware appliance solution, UNP provides an open platform architecture consisting of open software and general purpose hardware, enabling the convergence of network applications."

The Model is illustrated graphically by this diagram which looks surprisingly similar to the Carrier Grade Linux group’s model and almost identical to the Crossbeam X-Series architecture:

[Diagram: the UNP model]

Clever marketing, for sure, but as I pointed out to Alan at the Smackdown, short of the new title, neither the model nor the approach is new at all.  In many aspects of how Alan described his new product line, it’s exactly what we do @ Crossbeam.  I was intrigued, for sure.

Apart from some semantic issues surrounding the use of open source to the exclusion of COTS and swearing off any potential benefits of optimized hardware, Mitchell’s definition of UNP attempts to re-brand concepts and a technology approach that’s quite familiar to me.

The model as defined by Mitchell seems to lay claim to an operational and technology integration model that has been defined already as the foundation for Next Generation Networks (NGN) that is at the core of the designs IMS/converged network working groups (and VMWare’s virtual appliance model for that matter) and call it UNP.

I really don’t get the novelty here.

Virtualization? Check.  Software is the key?  Check.  "Proprietary" hardware versus OTS hardware?

Who gives a crap!?  If the cost of a product and its positioning within the network is justified by the performance, scale, availability of software choice as defined by the user and the appropriate reduction of risk, then it seems to me that the only people who need to make the argument complaining about "proprietary" hardware are those that don’t have any…

I agree that the advance of OTS hardware and multi-core technology is yielding amazing value for the dollar spent and much of the hardware solutions today are commoditized at birth, but I maintain that there is a point of diminishing returns at which even today’s multi-core processors experience limits of memory and I/O (not to mention the ability of the software itself to take advantage of) that is specific to the market into which solutions are designed to operate.

You’ll get no argument from me that software is the secret sauce in the security space and even in Crossbeam’s case, the hardware is a means to an end, so if integrating FPGA’s and optimized network processing hardware provides for hyper-performance of standard Intel reference designs, ‘splain to me how that’s a bad thing?

I suggest that UNP is an interesting perspective and sheds light on the “convergence” of security functionality and virtual appliances for the SME/SMB market, but new it ain’t, and this sort of solution does not fly in the large enterprise, service provider or mobile operator.  It’s also a little odd and naive to suggest that this is a “network” platform approach that will rival dedicated networking functions at anything but the SME/SMB level.

Now, I’m not trying to assail Mitchell’s efforts or creativity here, nor am I suggesting that this is not an interesting way to try and distance StillSecure from the other 1000 me-too FW, nee IPS nee small-office UTM fray, but there’s also a danger in trying to create distinction in an already acronym-burdened industry and come off looking like you’re doing something completely new.

I had a point-by-point response to Mitchell’s summary points of his whitepaper, but as I reviewed it I realized that this would come across as one of those enormous Hoff posts — not to mention it read as a Crossbeam versus StillSecure manifesto…and given that Alan’s into his kinder, gentler stage, I reckoned I’d give it a go, too.

…we’ll see how long that lasts.

/Hoff

Off to 3GSM World Congress in Barcelona

February 11th, 2007 2 comments

Africa.  Check.

San Francisco.  Check.

Barcelona.  Here I come.

Divorce Court.  Hope not!

I’ll be heading to Barcelona for the 2007 3GSM World Congress.  No speaking engagements, but much to Alan’s delight and to avert more disgust regarding objectifying women in the security industry, we’ve opted not for booth babes, but instead, I’ll be parading around our booth in a thong with a 1990’s Motorola StarTac duct-taped to my head.

I apologize in advance.

If you happen to be in Barcelona or Madrid (later in the week,) please let me know.  I’ll buy you a beer (or Sangria.)

Chris

Categories: Conferences Tags:

I’ll be on two panels @ RSA this week…

February 5th, 2007 No comments

Back from Africa.  Successfully summited both Mt. Meru and Mt. Kilimanjaro.  Pictures and war stories later.

Now that’s out of the way, I’m back to "work" this week @ the RSA Conference in San Francisco.  I’ll be there all week (from Tuesday on) so pop me an email (choff[at]crossbeamsys.com) or call me and we can get together if anyone likes.

I’m on two panels; both ought to be good given the participants and the moderators.
I’m especially looking forward to the UTM Smackdown session for some reason.  It’s like a fraternity reunion…without the beer.

Virtualization & Security – DEPL107
On Tuesday, February 6th @ 4:10-5:20 in the Burgundy Room

Virtualization technologies promise better utilization of managing and provisioning computer resources within an organization, but the concept of virtualization can make security managers nervous. This panel of experts will discuss security technologies in the “virtualized” world. Specific topics include: understanding virtual machine technology in light of security issues and threat models; advances in virtualization technologies which improve your security posture; case studies of organizations who have leveraged virtualization successfully; and strategies for effective compliance in virtualized environments.

Moderator: Mary Ann Davidson, Chief Security Officer (Oracle)

Panelists:

  • Michael F. Angelo, Senior IP Architect (NetIQ Corporation)
  • Dennis Moreau, Chief Technology Officer, Founder (Configuresoft)
  • Christofer Hoff, Chief Security Strategist (Crossbeam Systems)
  • Cris Lau, Sr. Product Manager (Citrix Systems)

UTM Smackdown: Wading Through the Hype to Select the Best Solution – DEF203
On Wednesday, February 7th @ 10:40 AM in the Gold Room 305

With all the UTM choices available, how is an organization supposed to pick the right solution? This no-holds barred panel assembles four UTM CTO’s to debate hot buttons, such as the need for purpose-built appliances, and the role of integrated management. This presentation will also examine appropriate solutions for small and large enterprises.

Moderator: Mike Rothman, President & Principal Analyst (Security Incite)

Panelists:

  • Christofer Hoff, Chief Security Strategist (Crossbeam Systems)
  • Alan Shimel, Chief Strategy Officer (StillSecure)
  • Alex Quinonez, Vice President (Astaro Corp.)
  • Richard Stiennon, Chief Marketing Officer (CMO) (Fortinet, Inc.)

Hope to see you there or at the Crossbeam Systems booth.

Chris

Categories: Uncategorized Tags:

Uncle Mike says “Virtualization hasn’t changed the fundamental laws of network architecture.”

January 16th, 2007 2 comments

Despite Mike completely missing the point of my last point regarding Alan Shimel’s rant on Tippingpoint (he defaults to "Hoff is defending Big Iron" blurb,) Mike made a bold statement:

Virtualization hasn’t changed the fundamental laws of network architecture

I am astounded by this statement.  I violently disagree with this assertion.

Virtualization may have not changed the underlying mechanisms of CSMA/CD or provided the capability to exceed the speed of light, but virtualization has absolutely and fundamentally affected the manner in which networks are designed, deployed, managed and used.   You know, network architecture.

Whether we’re talking about VLAN’s, MPLS, SOA, Grid Computing or Storage, almost every example of data center operations and network design today are profoundly impacted by the V-word.

Furthermore, virtualization (of transport, storage, application, policy, data) has also fundamentally changed the manner in which computing is employed and resources consumed.  What you deploy, where, and how are really, really important.

More importantly (and relevant here) is that virtualization has caused architects to revisit the way in which these assets, and the data that flow through them, are secured.

And to defray yet another "blah blah…big iron…large enterprise….blah blah" retort, I’m referring not just to the Crossbeam way (which is heavily virtualized,) but that of Cisco and Juniper also.  All Next Generation Network Services are in a low-earth orbit of the mass that is virtualization.

"Virtualization of the routed core. Virtualization of the data and control planes.  Virtualization of Transport.  Extending the virtualized enterprise over the WAN.  The virtualized access layer."  You know what those are?  Chapters out of a Cisco Press book on Network Virtualization which provides "…design guidance" for architects of virtualized Enterprises.

I suppose it’s only fair that I ask Mike to qualify his comment, because perhaps it’s another "out-of-context-ism" or I misunderstood (of course I did) but it made me itchy reading it.

Mike?

Off To Climb Kilimanjaro this week…

January 15th, 2007 1 comment

As previously mentioned, I’m off to Africa this week to go on a little hiking expedition with some mates of mine.  We’re climbing Mt. Meru, Mt. Kilimanjaro and then going on Safari all across Tanzania.

I’ll be gone for 17 days or so and flying home just in time to drop my bags, kiss the wifey and kids and fly to San Francisco (8 hours later) to get to the RSA show for the UTM smackdown panel I’m on.  If you’re at RSA and see a tattooed, newly-bearded, scruffy and frostbitten guy with a conference badge and an attitude to match, chances are it’s me.  Or Rothman.  He’s prettier than I, or so I hear.

If the altitude, stomach pathogens, or Mosquitoes don’t kill me, the amount of email and work when I return certainly will.

In case Rothman, Shimmy, Stiennon, Ptacek, McKeay or Vet decide to take this opportunity to get cute and sneak in some post that I would otherwise respond to, I hear there is GSM/GPRS service all the way to the top of the mountain.  Be warned. 🙂

Hold down the fort, boys.  I shall return!

Hoff

Categories: General Rants & Raves Tags:

Upchuck, Shrubbery, Bumps-in-the-wire & Alan does the “Shimmy”

January 13th, 2007 6 comments

Alan and I normally are close enough on our positions that I don’t feel it necessary to argue with him.

I certainly don’t feel compelled to come to the defense of a competitor that Alan’s unloading on, but I’m really confused about his interpretation of what TippingPoint’s Chief Architect, Brian Smith, is communicating and where Alan suggests that he and StillSecure’s position lies.

To re-cap, Brian Smith was quoted in an SC Magazine Article as describing his views on how security ought to be positioned in the network thusly:

"Brian Smith, the chief architect of 3Com and a founder of TippingPoint, says his first-ever RSA keynote will focus on integrating solutions such as network access control, intrusion prevention and behavioral anomaly detection to create an intelligent network.

"I can do all of these sorts of synergies and when you trace it out, what ends up happening is you’re able to debug network problems that you were never able to do before, get an unprecedented level of security, and also lower the total cost of ownership," Smith says. "They have to talk to each other. If we can pull all of these solutions together, I think that’s going to be the trend over the next five to 10 years. It’s a natural evolution in the technology cycle."

Smith says he also plans to emphasize the benefits of the bump-in-the-wire network approach to deploying security solutions. Rather than embedding solutions into switchers and routers, Smith plans to suggest overlaying solutions to allow for a more converged, cheaper way to add intelligence to the network."

Amen to that.  But lest you think I am intimating that we should all just toss appliances willy-nilly across the network (in fact, that’s the opposite of what I think,) please read on…

Apparently it was the third (boldfaced) paragraph that got Alan’s goat and provoked him into a state of up-chuckedness.  Specifically, it seems that it is repugnant to Alan that someone who works for a "switch" company could suggest that overlaying security can be facilitated as a "bump-in-the wire."  I guess that depends upon your interpretation of "bump-in-the-wire." 

I’m guessing that Alan thinks that means individual appliances being inserted between network segments with one "goesinta" and one "goesouta" cable and yet I can’t figure out why  "…virtualizing some of this stuff and putting it on blades and so forth" has to be within the router or switch and not on an extensible services platform?

I have a feeling I’m going to hear the typical "not everyone can afford big iron" as a response…but if you can generalize to prove a point, I can become surgical and suggest that it’s not fair to treat the Global 2000, Carriers, Service Providers and Mobile Operators as an exception rather than the rule when it comes to describing security trends and markets, either.

Summarily, it appears that the "convergence" of networking and security in Alan’s eyes means that security functionality MUST be integrated into routers and switches in order to be successful and that adding security functionality on top of or in conjunction with the network is a lousy idea.

Strange comments from a guy whose company takes generic PC appliances  with security software on them and deploys them as bumps in the wire by sprinkling them across the network — usually at the cursed perimeter and not at the core.  Confused?  So am I.

Alan goes on:

Most of the guys who do the bump in the wire are trying like hell to move up the stack and the network to get away from the edge to the core.  You may be able to do IPS as a bump in the wire at the core if you have the horsepower, but you are going to be forced to the edge for other security stuff if you insist on bump in the wire.  Single point of failure, scalability and cost are just working against you. Eventually you have to turn to the switch. I just don’t get where he is coming from here.

So you’re saying that your business model is already dead, Alan?

The final piece of irony is this:

Has selling big-ass, honking ASIC boxes to do IPS for so long totally blinded them to virtualizing some of this stuff and putting it on blades and so forth inside the switch and network.

Um, no. Again, not like I feel any inclination to defend TippingPoint, but it’s apparent that Alan is not aware of TippingPoint’s M60 which is a huge multi-gigabit LAN switching platform (10-14 slots) with integrated IPS (and other functionality) that can either replace a typical switch or connect to existing switch fabrics to form an overlay security service.  It’s about a year overdue from the last announcement, but the M60 is an impressive piece of iron:

[Image: TippingPoint M60]

Each blade in the M60 acts as a stand-alone IPS device, similar to TippingPoint’s T-series appliances, in which network connectivity and IPS packet processing are done on the hardware. (The exception is with 10G interfaces; the M60 uses 3Com’s 8800 dual-port 10G blades, which connect to TippingPoint IPS blades through the switch’s backplane.)

The blades run 3Com’s TippingPoint IPS device operating system and use the vendor’s Digital Vaccine updating service, letting  the device identify the latest threat signatures and vulnerabilities.

This was one of the results of the Huawei joint venture with 3Com.  I believe that THIS is really what Brian Smith is talking about, not device sprinkling appliances.  It’s  a switch.  It’s an IPS.  That’s bad, how?

What has me confused is that if Alan is so against hanging security services/functions OFF a switch, why did StillSecure do the deal with Extreme Networks in which the concept is to hang an appliance (the Sentriant AG) off the switch as an appliance instead of "inside" it like he suggests is the only way to effectively demonstrate the convergence of networking and security?

So, I totally get Brian Smith’s comments (despite the fact that he’s a competitor AND works for a switch vendor — who, by the way, also OEM’d Crossbeam’s X-Series Security Services Switches prior to their Tippingpoint acquisition!)

The model is valid.  Overlaying security as an intelligent service layer on top of the network is a great approach.  Ask me how I know. 😉

Chris

People Are Tools…Not Appliances

December 13th, 2006 2 comments

Alan Shimel is commenting here on his blog in this post titled "People are not appliances they’re flexible."  In this entry he muses on about vocational "flexibility" and what appears to be the "cosmic humanity" of folks in the IT/Security space.

He also keeps talking about the need to keep buying COTS hardware appliances…he’ll never learn!

Specifically, Alan’s argument (which is orthogonal to the actual topic) is that as specialized appliances proliferate, he disagrees with the fact that the operators and administrators of said appliances must also specialize.  In fact, he waxes on about the apparent good-natured ebb and flow of utilitarian socialism and how ultimately we’re all re-trainable and can fluidly move from one discipline to another irrespective of the realities and vagaries of culture and capability.

Using that as an example it seems that a help-desk admin who deploys patches from one appliance can just pick up and start doing IDS analysis on another?  How about that same  "appliance" technician reading PCI for dummies and starting to manage firewall appliances doing policy manipulation?  Sure, they’re re-trainable, but at what incidental cost?  Seems a little naive of a statement for my tastes.

Mike Murray from nCircle on the other hand suggests that Enterprises inherently gravitate toward silos.  I totally agree — emphatically as we speak about larger Enterprises.  Operationalizing anything within a big machine means that you have political, operational and economic silos occurring naturally.  It’s even a byproduct of compliance, separation of duties and basic audit-output mitigation strategies.  Specializing may be "bad" but it’s what happens.

Appliances don’t cause this, the quest for money or the love of what you do, does.

Even if Alan ignores the fact that you don’t have to keep buying individual appliances (you can consolidate them) the fact is that different elements within the organization manage the functions on them.   Even on our boxes…when you have firewall, IDP and AV in an X80 chassis, three different groups (perhaps more) manage and operate these solutions.  Silos, each and every one of them.

Nature of the beast.

That being said, this doesn’t mean I don’t disagree that I’d *like* to see more cross-functional representation across solution sets, but it’s just not reality:

Evolution teaches us that too specialized a species is a recipe for extinction. That is what we need from our appliance models, flexibility and adaptability, not more silos!  We need to break down the silos and have interaction among them to improve productivity.

One could take that argument and extrapolate it to explain why people are so polarized on certain issues such as (for example) security and its ultimate place in the Enterprise: in the network or in specialized appliances.   

Innovation, specialization and (dare I say) evolution suggests that survival of the "fittest" can also be traced back to the ability to not just "survive" but thrive based upon the ability to adapt in specificity to what would otherwise be an extinguishing event.  Specialization does not necessarily infer it’s a single temporal event.  The cumulative or incremental effect of successive specialization can also provide an explanation for how things survive.  Take the platypus as an example.  It ended up with a beaver’s tail and a duck’s bill.  Go figure. 😉

What’s important here is the timing of this adaptation and how the movie plays forward.

Hoff