StillSecure, After All These Years

Saw this story today about Citrix leading a $10 million dollar round of investment in Vyatta.  This is on top of the $18m they had raised previously.  While I think an open source router that runs on x86 platform and can be virtualized and run along side security apps is a great idea (Can you say Cobia?), I am not sure what would drive Citrix to this.  Are they so incensed about the Cisco/VMware relationship that they think that Vyatta is actually an option? Why not go strike a deal with Juniper and save the money?  Maybe because Xen has its roots in open source, so Vyatta is a nice compliment?

On the other hand, getting a company to make a strategic investment in this climate is not an easy thing, so good for Vyatta. Could this be the opening move in Citrix buying Vyatta and building in routing to the Xen virtual environment and some of their Netscaler stuff?  Time will tell.

Here at Interop the show floor was pretty dead yesterday.  I had a chance to sit in the audience on a panel on NAC hosted by Mike Fratto.  Mike had 5 panelists including a few friends of mine. It was pretty much the usual NAC panel.  Steve Hanna from Juniper/TNC touting the standards that his group offers, Cisco saying they will support standards, HP ProCurve always loves standards, Microsoft actually being very pragmatic and then there was JJ.  My friend Jennifer Jabbusch was her usual self talking as she sees it and giving quote fodder to the journalists like Michael Sean Kerner who wrote about the panel in this article.

Of course the media loves to jump on any angle as to why NAC has not brought world peace and helped cure cancer.  So Kerner’s article screams that authentication is where we screwed up.  He says the audience demanded to know when NAC is going to deliver on the promise. How can we have a standard without Cisco. Well I was in the audience too and had all I could to bite my tongue and not say anything.  But hey that is why I have a blog. So let me respond here:

1. Authentication is where we screwed up.  Who said NAC was about authentication?  Listening yesterday you would think that 802.1x authentication was a direct result of NAC needing a secure authentication process.  Guys lets not put the cart in front of the horse.  802.1x offers a lot of other features and advantages besides NAC authentication. In fact it is the other way around.  NAC vendors adopted 802.1x because it offered some distinct advantages.  It was widespread in wireless networks.  However, JJ is right.  It is complex. There are a lot of moving parts. If you have not done everything right to implement 802.1x on your network, don’t bother trying  to use it for NAC.  But if you had, it does work like a charm. As I have said  before it is not for the faint of heart.

But back to my original comment.  Originally NAC/NAP was not the authentication.  NAC rode on top of your existing authentication. We as an industry have issues around easy to use, robust authentication methods.  So this became NAC’s problem?  A good NAC solution should be able to use the authentication system you are using.  Authentication sucks?  Look to the folks developing authentication.  Hint: it is the same network vendors sitting on the panel.  But lets not saddle NAC with albatross.

2. Searching for the mythical NAC Unicorn. Fact is there was one member in the audience who was quite vocal (no not me) and kept insisting that NAC would not be real until everyone adopted one standard, that no matter what network we log into, no matter what different software I had, NAC would solve it all because “a big database” would contain all of this information. Yeah, all right.  I wanted to ask the guy if he still leave out cookies and milk for Santa Claus.  From what I understand this particular individual makes a habit of doing this at NAC panels.

The guy from Microsoft said it best. It is OK if NAC does not give you all of this, it is still valuable.  Stop trying to make it all things to everyone and take it for what it is. It is not the answer to authentication, it is near impossible to treat heterogeneous network environments like they were homogenous, but that is  not what it is about.  Stop looking for Unicorns and make use of what you have to work with!

No sooner had President Obama announced plans to close down some loopholes that allow US based companies to defer and in some cases not pay taxes on income earned out of country, a group calling themselves the Silicon Valley Leadership Group voiced their objections. They claim that many of the largest tech companies like HP, Google, Microsoft and Cisco earn half or more of their money from foreign markets.  They pay the usually lower taxes in those countries and as long as they don’t take that money back in the US, they should not have to pay the higher US tax rate on it.  The group further argues that if these poor tech companies had to pay that tax, it would make them uncompetitive and wind up costing jobs. 

I think they talk out of both sides of their mouth.  I think the present system of letting them avoid taxes by not bringing dollars into the country incents them to keep their money and their employees and spending out of the country!  These countries often get their start by building a US presence. Yes they need to compete internationally but it is high time that we close the loopholes that allow these companies with billions in profit from paying their fair share.  As it is now if a company pays foreign income tax, they can take that as a deduction even though they do not take that income or revenue into the US and pay taxes on it.  Additionally they can deduct from their US taxes money they use to build foreign operations, while again not paying taxes on the money they earn from those operations.

Everyone wants our economy to do better and have more jobs here.  That means we need to put the incentives in place for these companies to hire Americans in America. It is very hard to feel sorry for these tech companies crying with two loaves of bread under their arms.

I was reading the news yesterday about IBM oem’ing Foundry/Brocade switches. Watching the machinations of companies vying for dominance in this space is like watching continental drift over geologic time periods. It seems the same old masses are in constant motion - combining, breaking up and recombining in infinite configurations. Cisco dominated the data center network infrastructure. HP had servers and storage. IBM competed with HP but dominated in services.  HP buys EDS competes with IBM in services. Cisco makes blade servers, competes with HP. HP heavily promotes its ProCurve line to compete with Cisco.  IBM oem’s Foundry/Brocade, competes with HP and Cisco.  Round and round she goes, where it stops nobody knows. Hey what is Microsoft going to do? As much as it goes around, it seems at the end of the day it is the same old big giants that dominate and are constantly trying to steal each others cheese.

I do know that there are billions of dollars at stake.  With stakes that high, it will be a fight to the finish.  However, sooner or later equilibrium will set in. Every side will find its niche. I don’t think any of these guys are going out of business or anything. In the meantime it could create opportunity too for smaller vendors to run between the legs of these giants and deliver solutions that customers need.  By the same token I am sure that this new jostling will lead to a new round of acquisitions as well.  Same old same old in the tech business!  The faces change, but the names stay the same!

Today’s lesson comes courtesy of my friend JJ.  For those who don’t know JJ was born and raised around her parents integrator business down in North Carolina. Yesterday JJ sent out this very funny video she found based on the “what do I want to be when I grow up” theme.  There is some mildly offensive language that I doubt any of you will mind.  While watching though remember that for most of us, vendor or user – the integrator, VAR, channel  partner is the key distribution and delivery vehicle that is responsible for much of our security and IT in general. 

I have some other good articles below, so be sure to continue on after the video. Have a good day!

Browser Wars continued? – Couple of articles today about browser security wars.  And here I thought the browser wars ended when Marc Andreessen left Netscape! First Brian Krebs has a good article about a report from Secunia. The report details two metrics. One is how many security flaws were reported and fixed over the past year. The second and as Brian points out much more important metric, was how long on average it took to fix.  On the first metric, believe it or not Mozzila far outpaced other browsers in the number of vulnerabilities fixed with over 100. This was like 4 times more then IE for example.  But again as Brian says, the key thing was that Mozzilla fixed their holes on average in 43 days versus over 100 days for the Redmond team.  Me, I think these are both too much. Of course I want to see less vulnerabilities found, but that is a pipe dream.  Quicker response times is the key and I would like to see them both under 30 days!

Browser Wars continued part 2- A new version of the Opera browser was released to address some security flaws. Who cares?  Between IE, Firefox, Safari and Chrome, all being free, is their any room for another browser? If there is how does Opera make enough money to keep the lights on against these competitors that give it away?

Cisco discovers SaaS for email security – where is the innovation? – The Cisco marketing machine was out in all of its super heavyweight force this week with the announcement that its IronPort email security division was rolling a hybrid SaaS model.  Even I got spammed by the PR folks.  While I think it noteworthy that even Cisco is joining the SaaS/Managed security market, I have to agree with Eric Ogren (who I rarely agree with), what is so unique about this offering? Is there anything that Google/Postini doesn’t offer? For that matter is there anything that Symantec or Websense or any number of other vendors don’t offer.  Don’t look like it.  I also had a thought about all of those Cisco powered MSPs out there.  How do they feel about Cisco going into direct competition with them? Its bad enough that most Cisco partners would cut each others throats for an extra 2 or 3 points, how do they compete with Cisco itself in offering managed email security?

A new Mogull? A very big shout out to Rich and his wife and new daughter.  Congratulations! Anyway that is it today.  Its almost 7am and I have a full day of meetings before flying home Fll.  Have a great day!

Now you know things really are tight.  Saw this report today that Juniper has not renewed the contract of Kevin Pope, the guy who makes those edgy cartoons that usually make fun of Cisco.  He has been doing it for 5 years now. Somewhere I have a couple of decks of playing cards with each one another cartoon.  Two of my favorite ones are here:

If you want to see more click here. In many ways this is the end of an era. I wonder what Juniper will do next and wonder what cartoons Pope will work on next.

Last week Cisco came out with news that put HP, Dell and IBM square in their sites. They announced that they were coming to market with a line of data center servers that would leverage virtualization technology.  The aim was to make Cisco a player in the large, lucrative server market.  Well HP wasted little time in firing back.  Today they announced a new line of data center switches and a full partner ecosystem to extend the HP data center functionality.

To be clear this announcement was powered by the folks at HP ProCurve which recently has started getting its fair share of attention from HP itself, as well as the rest of the world. But when even the Wall Street Journal picks it up, you have to say that HP is not making any bones about their desire to go after Cisco. There is no lack of companies that are willing to join up with HP to take a bite out of Cisco either.  They will introduce more partners I am sure very soon.

HP certainly has the muscle to take on Cisco, however I think how successful they will be remains to be seen.  This attack to be successful has to be one for the long haul.  There will be no quick victory to knock Cisco off the perch.  Also, ProCurve has built up a great channel over the years.  But can these channel partners sell to the data center market instead of the market they sell to today?  Can they sell the ancillary lines to pure switching and routing, like acceleration, security, etc.?  Good questions that need answers before anyone can talk about knocking Cisco down as king of the mountain.

Related articles by Zemanta

• With Servers, Now Cisco Fights Partners
• Report: Cisco to elbow into server fray
• HP readies for Cisco's datacenter assault
• Point (Cisco), counterpoint (HP)

Image via Wikipedia

I saw two articles (here and here) today speculating on rumors of Google building a router to handle the mega-gigs of bandwidth they use. Both speculated on Google's ability to build a competitive product to handle the load. I don't think there is any doubt that if they want to, Google can build such a router. Will they open source it a la Android is a good question. 

I have heard similar rumors of them building their own switches.  In fact I think that Google building their own switches was a factor in the recent Force 10-Turin merger. Losing a big customer like Google is tough for a company like Force 10.  Now what effect it would have on Juniper is another story.  I am sure that Google buys lots of Juniper routers, but so do lots of carriers out there.  Big high speed routers is Juniper's game.  I don't see a reason for a run on their stock because they may lose Google as a customer.  Also, I think Google may find that just building the router is a fine first step, but maintaining and continuing development to keep pace with technology may be more than they want and using a COTS solution is just plain cheaper.

Also remember that almost since the beginning Google has built their own servers.  In fact I had heard that Google is actually the 3rd or 4th largest server manufacturer in the world.  That has not taken a bite out of Dell, HP or IBM.  Google doesn't sell servers commercially.  They build them for their own dedicated purposes.  I think we would see the same thing with switches and routers.  So besides losing one big customers, Cisco, Juniper and the like should not have anything to fear.

Now like I said earlier, if Google were to open source the software and hardware designs for their routers, that would be another story all together.  That would enable any number of companies to instantly have a high performance competitor to Cisco or Juniper.  You could see IBM or Dell jumping on that pretty quickly, HP ProCurve as well.  Of course from what I know of routing, Google would have to make sure they don't run afoul of the many patents filed on routing protocols.  This could prevent them from releasing anything commercially as well.  If they used it only internally, how would anyone find out?  Interesting.

About a year, year and a half ago there was not a Cisco shop that you went to that didn't talk MARS.  MARS was going to be the control/management app for all of Cisco's security products.  Cisco IPS had a crappy interface you say?  No problem, just take the data into MARS.  Cisco NAC was not a great management tool for reporting?  No problem, soon you could take that data into MARS. Then over the last 6 to 9 months the buzz around MARS seemed to die down.  Almost as if the Cisco machine was just not pushing it anymore.  The IPS interface still stunk.  Cisco NAC still had bad reporting.  But there was no more talk of MARS remedying all of that.

Now Jon Otsik gives us some insight why in this article. It seems MARS was just not all it was cracked up to be.  As a SIEM it was sorely lacking compared to some of the best breed products available.  The log management crowd has them beat hands down. The Q1 product that everyone else seems to OEM is vastly superior. So according to Jon, MARS is a dog with so many fleas that not even the Cisco sales team can make a winner of it.  So not even the Cisco channel is behind the product any more, Jon says. Further, according to Jon Cisco has three choices:

1. Admit defeat and get out. Cisco could bury MARS and partner with others in the industry. GE would take this route but I can't imagine that Cisco will.

I agree with Jon Cisco is just not going to walk away from an entry in this space that they own

2. Double down on MARS development. MARS 6.0 was released earlier this year and it did move the ball forward but the product remains way behind others in the market. Management software has always been a bit of an Achilles' heel for Cisco.

They might stay stubborn and try to make MARS better. But again I agree with Jon this is not really a strong suit for them.  Some die hard Cisco bigots would use it still, but overall it would continue being an also ran.

3. Replace MARS with another acquisition. There are plenty available at bargain prices. Cisco could bid on publicly traded ArcSight, grab a legacy Security Information Management vendor like Intellitactics or NetForensics, pick up a log management player, or take a chance on a wildcard like Nitro or Splunk.

I think this is a very likely scenario. If at first you don't succeed, buy another one.  That is the way of big companies.  I think Splunk would be great for them, but probably too cool for Cisco.  NetForensics or even ArcSight themselves would be conventional.  Maybe Mike Rothmans eIQ Networks even.

The problem is that Cisco needs a MARS for more than just even correlation and management. They need it to fill in the holes of their existing security products to keep them competitive and to sell them to more than just Cisco shops.

Related articles by Zemanta

• Whither Cisco MARS?

Was happy to see this article in the NY Times Technology section today about HP ProCurve shedding its redheaded stepchild status, at least internally in HP. ProCurve for a long time was one of the best kept secrets in technology.  Operating as a company within a company at HP they very quietly went about their business of building the second leading switch business in the market. Now they are finally getting their due, being acknowledged as the second most profitable division in HP and getting some very high visibility within HP's executive team.

Believe it or not, before Mark Hurd took over, HP's service and sales team was comp'ed to sell Cisco products but not ProCurve!  According to the Times article this may have been due to the fact that Carly Fiorina was on Cisco's board at the same time she was CEO of HP.  In any event ProCurve had to make their own way in the world and may very well be stronger for it.

All of that has apparently been placed in the rear view mirror now.  HP's sales force is being compensated to sell ProCurve.  Hurd and legendary EVP Ann Livermore (in charge of the division ProCurve is now part of within HP) are very much involved and interested in seeing ProCurve grow.  They have thrown down the gauntlet, letting Cisco know that they want a bigger piece of the 20 billion dollar network gear market.

ProCurve has some great products, great warranty and great service.  They also have a good strategy around security in the network.  My friend Mauricio Sanchez drives a lot of the vision around security. I just hope that my friends at ProCurve don't find that having the spotlight turned on them somehow messes with their momentum and way of doing things. Otherwise they may just wish that they were that redheaded kid still.

Related articles by Zemanta

• H.P. Results Match Preliminary Numbers
• HP's outlook for next year unchanged despite tough economy
• HP's Ann Livermore keeps eye on 'team'
• HP rides EDS buy through Meltdown
• Deal may turn HP into networking leader