StillSecure, After All These Years

The folks over at Cisco Subnet (not sure if this is still my friend Brad Reese writing this over there) had an interesting blog yesterday about an announcement we made here at Interop. We announced that we will throw our support behind Cisco's AXP. That is the blade extension to turn a Cisco ISR into a Linux app server. You may remember that I blogged on this earlier here and here in relation to an article by Don Marti on LinuxWorld. Well this announcement, as the Cisco subnet article points out, put our money where our mouth is on this one.

As the subnet article points out as well, I think the real question is not whether we in IT are going to run more apps on our router boxes, but whether or not these "God boxes" will be expensive, proprietary black boxes like Cisco routers or low-cost standards based off the shelf hardware. With this announcement, we are covering all of our bases and saying you pick the platform of your choice, we will support it. That is the StillSecure way.

Dmarti's blog over on LinuxWorld has an article up titled "Dumbest networking vendor idea since Network Access Control", which talks about what a dumb idea it is for Cisco to allow Linux apps to run on their ISR routers. Besides the fact that the title of the article alone is enough to make me want to tear this one apart, the underlying logic of the authors argument is just weak.

On one hand he talks about why would someone want to run Linux apps on a router, it is potentially bad design. On the other hand he says it is better to run them on a cheaper router alternative like Vyatta and than spouts some PR by Vyatta about their price/performance advantage over Cisco.  They back up this advantage with "3rd party testing".  Turns out the testing is by Tolly Group.  Oh, now that changes everything.  Have any of you ever had a Tolly evaluation done? Anytime you submit a form that contains what you would like to see the testing show in the final report and the final report shows it, well you know what I am saying. But seriously if it is good for Vyatta, why would it not be also good for Cisco?

Here is the real issue though that the author misses.  We live in an age of convergence!  The idea of having a stand alone box that only does routing is history and when Cisco themselves acknowledge it, you know it is fact.  People want more functionality out of their hardware.  Now that is not to say that your router should be your database server or mail server.  But there are certainly network functions that make sense to put on a router. Security is a no brainer to start. IPS, VPN, firewall, gateway AV- easy.  What about network functionality like DHCP, DNS, Radius, etc.  How about some next gen network stuff like WAP and VOIP?  That would make sense. By embracing Linux on the router all of these things and more are possible.  By the way you can do all of this now with our own Cobia platform.

That's right, we had this idea 2 years ago and have been working on it since.  With the convergence of networking, security, VOIP and wireless technologies, why wouldn't you want a multi-use box that can deliver all of this.

Well if your Cisco it does.  At least as it relates to security bugs involving IOS software according to this article in The Register. Taking a page out of Microsoft Cisco will release regular security fixes on the fourth Wednesday of March and then again in September.  So I guess mark your calendars. Of course Cisco reserves the right to release updates and fixes out of cycle if the severity and risk warrant it.  They will also continue their regular security advisories for products other than IOS.

Cisco says they did this to provide predictability to its customers. I just feel that twice a year is so infrequent, why bother. If a bug comes to light, lets say in April, I don't want to be waiting for the fourth Wed in September to get the fix and begin testing it.  That just does not seem like good business to me.

Good article by Neil Roiter from Information Security Magazine on NAC moving ahead as the hype subsides. For a change from other articles we have read recently, Neil gives a true to life, no holds barred assessment of where NAC is in the market.  I think some of the comments from Lawrence Orans over at Gartner are right on.  However, one he misses is in talking about the Cisco-Microsoft NAC partnership. I think the TCG-Microsoft partnership has replaced that one and Cisco is going to join that party through the NEA. 

For me though the quote of the article was this one by Brendan O'Connell, Cisco's product line manager for NAC, "NAC is an Easter egg hunt. Policy lives in a lot of different places .."  So does that make Cisco the NAC Easter Bunny? Seriously, policy does live in a lot of different places.  I think eventually the answer lies in marrying network based admission control policies with endpoint based configuration policies.  This is an area that is ripe for interaction and integration.  I also think that Symantec talking about customers want a NAC solution, but not another console or another agent was a bit ironic.  Just because you lump your agents together doesn't mean you have not added yet more overhead to the equation.  Anyone who has used Symantecs new Endpoint Security with all of the mods turned on can talk to you about overhead and resource use. Whether the agent is separate or not, it is what the overhead is that counts.

In any event, though Neil did not mention StillSecure (tsk, tsk) I thought this article was right on, that despite the naysayers and the inflated hype, NAC is being adopted in the market. It is maturing and most of all it is providing value to customers.

I actually read this earlier this week but did not have a chance to comment. ComputerWorld had this article today that details that Cisco will stop selling its line of PIX firewalls on July 28th of this year.  I don't think this announcement came as a shock to anyone.  They had discontinued their VPN 3000 concentrators a year ago and it was only a matter of time that the PIX boxes went the same way. For me personally the PIX firewalls just seemed to always be there. Yes Checkpoint was the "cool" firewall when I first got into security, but PIX was from Cisco and it seemed like the cornerstone of their security business.  Their IDS was not so good for a long time.  Cisco's other security products were never considered back then (or now for that matter) to be best-of-breed, but PIX was a product that was not a bad product in its class.

What is more important though is what is taking the PIX place. It is the ASA line of UTMs.  This presents living proof that the market is moving away from stand alone appliances like firewalls and IPS and towards UTM type of devices that also offer anti-virus, antispam, etc.  I personally had perplexing experience this week on this very subject. One large analyst firm claims that by 2011, 50% of all network security will be spent on UTM.  Then in speaking to an analyst from an even larger analyst firm, he said their position is that UTM will never catch on in the enterprise.  Even if they buy a UTM box, they will not turn on the other features.  So ASA boxes will just be used for firewall and VPN and perhaps IPS. 

Here is the Shimel analysis for what it is worth. I think the larger analyst firm is wrong. I think they have only thought this half way through. I think what the facts are is that people buy the UTM for just one or two functions.  I think that is true for both the mid-market and the enterprise market.  What happens is after they buy the UTM and set up either the firewall or IPS or what have you, geek nature takes over.  They can't help themselves but to experiment and tinker and see what the other functions can do and how they work.  If these other functions work reasonably well without choking the box, they will slowly but surely use the other functions as well.  So before you know it, that UTM that you bought as a firewall is doing UTM duty.

Anyway, any of you PIX owners out there don't throw out the old boxes just yet, Cisco will support them until 2013.  In the meantime I am sure there will be no shortage of vendors looking to give you a deal to upgrade to the latest box. In the meantime if all you are interested in is a good firewall, don't pay anything.  Go to http://cobia.stillsecure.com and use our community sourced firewall for free and upgrade to UTM down the road.

Hot on the heels of Cisco's announcement of Nexus switch line, Juniper announced its own entry into the high performance Ethernet switch market, with its EX-series of switches.  Junipers entry into the switch market has been rumored for a long, long time. The only question was would they buy an existing switch vendor (for a time Extreme Networks was a rumored target) or would they roll their own.  Well it seems they rolled their own and these EX switches sound pretty hot.  I had heard the name was going to be Hurricane, but maybe that was an internal code name. 

My buddy Chris Harrington over at Infosecpodcast.com reports on this as well and asks what if any effect this will have on their NAC strategy. From the press release, "To mitigate the impact of security risks on network operations, Juniper Networks has integrated its Unified Access Control (UAC) solution with the new EX-series switches to provide businesses with the ability to control user access to mission critical applications and company assets through the enforcement of end-to-end policies."  Sounds to me like the switches fit hand in glove with their NAC. I would imagine they are TCG complaint as well. 

This could be a real boon to Juniper in both security and the bigger switch market. It will be interesting to see how some of the other switch vendors respond to keep up with Cisco and now Juniper.

For many more years than I care to remember the Cisco Catalyst line of switches have defined Cisco's high end best in class switch line. I remember evaluating potential web hosting companies in my days at Interliant and when talking about their data center and connectivity, they defined it by how many 6500's they had.  Over the years the variety of IOS versions was maddening to try and make things work across the board.  Well after three years in development and a mere 250 million in dev costs (according to this article), the blood, sweat and tears of 500 engineers, Cisco gives us Nexus! It sounds like the name of some demonic computer that I remember from an old sci-fi movie. 

In fact Nexus is more than just one big honking switch. It runs a whole new Cisco OS, the NX-OS. Joy, another Cisco OS to work out compatibility with. It combines Ethernet with Fibre Channel. Nexus is already 10Gbps today but has the chops to go to 40 and even 100 Gbps according to the Cisco folks.  All of this for a mere 75k or so.  As the folks at Cisco say, you need to have a budget to buy this baby. But you can't be on a budget to afford it either. However, it is Cisco and I am willing to bet that this will become the de facto standard in data center switches in the years to come.

What about security you ask? Well it seems that Nexus supports TrustSec. It also supports NAC, though I guess that means Cisco Network Admission Control, and not NAC in the generic sense.  I am sure there will be plans to put cards in for IPS and other security technologies. Whether they will scale to match the throughput of this monster is another thing.

No surprise there. Has Cisco ever come out with a security product that when you peeled back the onion required you to buy newer Cisco networking gear? Here is a quote from an article I was reading in NewsFactor.com, "It can work with Cisco Catalyst 6500 switches equipped with the Supervisor Engine 32 Programmable Intelligent Services Accelerator (PISA) as an overlay .." The article then continues: "TrustSec, however, requires additional hardware and software upgrades to Cisco switches, as well as to a Cisco authentication, authorization, and accounting (AAA) policy server to support the TrustSec switch policy engine for storing and enforcing rolebased access policies."

I don't know about you, but whenever I read about Cisco's security plans, I always see conspiracy theories.  I am not talking about who shot Kennedy conspiracies, but is the whole thing cooked up as a way for Cisco to force customers to upgrade to new switches, routers, etc.  At the end of the day, that is what gets those Cisco reps juices flowing. Can't we just bolt something on to the millions of dollars you have already spent on Cisco gear?

McAfee has been making hay lately with their "triple play" promotions. But the biggest security vendor out there has recently announced a triple play themselves.  I am referring to Cisco of course.  In the past few weeks Cisco has made several announcements that show they are serious about keeping competitive, if not best-of-breed n security. But having best-of-breed is not necessary when you are Cisco. When you control 75+% of the networking market, like Joe Namath said, "if you got it, flaunt it". However, when you take a close look at these announcements and the products they tout, we see t is more of the same from Cisco.  Trying to play catch up to other security vendors and driving more into the switch box to leverage their advantage. Lets have a look.

First up is their the Cisco IPS 4270.  This is touted as a 4GPS IPS for certain types of media traffic.  For more conventional data, it does packet inspection at 2 GPS.  While not as high as the highest rated boxes from ISS/IBM. Tipping Point, McAfee, Sourcefire, etc., it does move Cisco into the multi-gig IPS space.  I am not sure if those "boys with toys" types who go in for these Ferrari IPS's will be satisfied though with less than the highest throughput vehicle though.  In the meantime I am sure there will be plenty of Cisco shops who will be only too happy to fork over the bucks (has anyone been able to get a price on this baby?) for this baby.  Besides speed though, I have always heard that Cisco's IPS is beast to use and is not updated very often.  I don't care how fast it goes, if they have not addressed these issues, who cares about how fast it is. It will be just another useless piece of Cisco gear. I have seen more companies than I can count who paid for Cisco IPS (or they think they got it for free with their network buy, but somewhere along the line they paid) and have the boxes not even plugged in, as they use something out.

I have a bigger issue here that I would like to draw attention to though.  That is what can we do to stop the BS around speed ratings in IPS.  Doing 4 GPS on only certain kinds of traffic is not a 4 GBPS IPS!  Cisco is not alone in this though.  Almost every single vendor is guilty of word games with their speed ratings.  2 GPS of traffic in is touted as 4GPS because it also sends those 2GPS out.  That is not 4GPS either!  I would like to see some vendor come along and blow the lid off of the marketing scam and see real throughput levels.  We need apple to apple comparisons!

Second player in the triple play, is Cisco's move into behavior based detection. Brad Reese (our latest guest on the podcast, coming up this week)on his Cisco Subnet, NetworkWorld blog talks about Cisco moving away from NetFlow to a new ASIC packet inspection card (again in the switch) and working with the Cisco QoS Policy Manager. I don't know enough about this one to say for sure, but I think at a time when the industry leaders (Lancope, Mazu, Arbor, etc. are standardized on NetFlow, Cisco at least according to Brad's article is moving away from it.

Finally is Cisco's TrustSec announcement.  I think the Wizard of Syracuse, Mike Fratto has done a good job on his Network Computing blog in calling a duck a duck. When I first heard about TrustSec I though TrustSec was part of the NAC framework. I was surprised to learn it is not. I see TrustSec absolutely competing with NAC.  The fact that one comes from the security group (NAC) and one from the networking group has all the earmarks of a political turf war to me.  In any event like Dom Wilde at Nevis pointed out, identity based access control - BFD. Nothing earth shattering there.  It will be interesting to see hwo TrustSec plays out with NAC when andif it is finally available.

There you have it, 3 new security plays for Cisco.  It certainly keeps it interesting and makes it harder than ever to compete with these guys!

Lt Gen Steven Boutelle was the CIO (or G-6 in Army speak) for the US Army for the past few years.  As such, Gen Boutelle led IT modernization and upgrading of the Army's network.  As is often the case with our military, Gen Boutelle who just retired, today started his new gig as VP of the Global Government Solutions Group at Cisco!  Now I know what you are saying: "Whoa, what is this"?  The guy who was in charge of buying all of the network and security gear goes to Cisco right after retirement and will be back selling Cisco to his friends in the government? What is wrong with that picture?  Well before you go to far, you should know that Cisco did not announce the hiring of Gen Boutelle until shortly after the Senate confirmed his successor.  Well, that makes me feel better.  At least they didn't announce his hiring before someone was appointed taking his place, but I wonder when they actually hired him, not when they announced it.  But that and the whole idea of retired government employees selling into the government can be the subject of another blog, another day.

All of the above was reported by the way, in this article on GCN.  It seems from the article that Gen Boutelle is very excited about one of his tasks which is leading Cisco's internet routing in space initiative or IRIS (you have to love military acronyms, but I thought eEye already had that one).  Supposedly by using IP routing on space communications you can get a 7 to 10 times bump in throughput.  That is nothing to sneeze at and could have huge implications beyond just military uses.  Cisco has already used a modified a router on a NASA satellite in 2003 and is expecting to have a router it will put into orbit (didn't know Cisco had orbital launch vehicles) in the 2nd quarter of 2009.  This could open the floodgates to a major shift to IP based communication in the satellite industry.  

Can you picture William Shatner (surprised Cisco has not hired him too) right now saying., "Space, the final IP frontier.  This is the voyage of the self-defending network, going where no router has gone before."

Another eWeek article I read yesterday was by Brian Prince about Cisco's new Network Admission Control Guest Server (that sounds so new, that not even a marketing person has gotten hold of its name yet).  Mitchell blogged on this one too (now that he is doing his own thing, it is easier for him and I to blog on the same stuff). Mitchell liked the idea of allowing designated users to set up guest access for visitors, but Mitchell questions who will be given this responsibility in many organizations and if they recognize that it literally is the keys to the kingdom.  Mitchell also brings up a good point that the article at least doesn't say anything about whether or not these guests machines are checked for policy compliance or anything like that.  It is just a guest account set up on a portal and allows a user to move on to a guest VLAN or segment.  Their usage and presence on the network is noted, so that there is a trail of their presence.

So here is the Shimel view on this.  While I think the guest server has some limited benefit from an auditing and reporting prospective, I don't think it is what the market wants.  Increasingly I hear from customers about guest access that all they want is this:

1. Identify a guest user from an employee/managed user.
2. Test the managed user/employee and if they pass, give them their regular access
3. Move the guest into a "dirty" guest VLAN that has web and email access and little else.
4. They don't want to test the guest, as long as he is kept off the "real" network and don't care about what he does to other guests.

Frankly, they view the guest VLAN as almost outside their own network. If they can accurately identify guests, they have no desire to authenticate them, test them or anything else.  They just want to move them to the guest VLAN and forget them. To me what the customer wants is simple white listing/ black listing. Frankly, this was a hard lesson learned by us here.  We kept banging our head on the brick wall of insisting that they check the guests device too.  But people don't want that additional effort.  So as usual the market wins and we have made it easier than ever to set up guest VLAN access for our NAC product.  I am not sure I would call this out though as a separate server.  Clearly this is just a feature.  But I guess from Cisco's prospective it is another SKU they add to the quote, with another dollar amount in the column.

Steve Taylor and Jim Metzler over on the WAN newsletter at Network World have a good article up called Where's David. In the article both of them lament the fate of several competitors who over the years seemed to be worthy competitors to Cisco, but have fallen by the wayside to become detritus under the feet of the networking Goliath. They then look at the usual suspects and wannabes to play David today to Cisco's Goliath. Their take is Foundry and Extreme have nice technology, but nice or better technology alone is not going to fell Goliath.  They think HP tries really hard to keep it a secret that they are the 2nd leading switch vendor (not sure some of my friends at HP ProCurve would appreciate that).  They think Nortel and Juniper could be Cisco rivals, but they have not exhibited the stones (no pun intended) to do it yet.  They are going to continue the conversation in future newsletters.  One commenter, Bryan Ruhf said he fears that a monolithic Cisco culture will only fall when a chink in the armor of Cisco's technology is exploited and the results may be catastrophic for networks the world over.

My take on this is that the David to slew Cisco is not among the current cast of contenders.  Much like no one knew much about the young David in King Saul's army until he fought Goliath, the David of the networking world is probably not recognized today as being the potential giant killer.  The other thing is the new David needs his own slingshot.  That will be the key.  You are not going to beat Cisco by outselling them, out marketing them or out spending them.  You need a better slingshot.  What new technology in networking or other advantage can someone come up with that will make the CIOs of Fortune 1000 companies say that they are willing to look at non-Cisco solutions and hit Cisco right between the eyes.  Also, whoever comes up with this better slingshot obviously becomes acquisition bait for Cisco or one of the other big boys to buy.  Can a David arise out of the ranks of the smaller players, resist the temptation to cash out quickly and become strong enough to fell Goliath?  Honestly, I don't know, but if they did they would certainly deserve the title of King.

In reading Michelle McLean's blog today I was led to a great article by Jim Duffy over at Network World.  For a long time I have said that though the old adage of "no one ever got fired for buying Cisco" may be true, I also question whether anyone gets promoted for buying Cisco.  Jim takes a similar tact asking "can someone get fired for staying with Cisco?" 

Jim's article highlights two schools who have recently switched out some Cisco gear for other vendors. One school in NC seems to have taken out some Cisco switches for NAC switches from ConSentry.  Interestingly, though the school apparently had a terrible experience with Cisco's Clean Access (now called NAC appliance, and frankly who hasn't) and was given a cold shoulder by the Cisco team, they still have only replaced a fraction (about 20%) of their network switches with ConSentry gear (still a sizable deal for ConSentry and proving the adage that some NAC vendors can get fat with the crumbs from Cisco's table). In fact the school still considers itself a "Cisco shop" and their IT guys says "I wouldn't give up Cisco, especially at the core. I don't think there is anything out there that could beat a Cisco router and a lot of the core switches".  I ask, how many times do you have to be burned before you wake up and smell the coffee.  They take your money and charge a premium, deliver products that don't work and don't give you great support unless you spend more and you are still committed to them?  After this guys experience, why isn't he looking at substitutes for the rest of his Cisco gear? I guarantee he will find them. And if he doesn't look at other options, why isn't his job in jeopardy?

In fact the 2nd school highlighted does exactly that. St. Francis High School is replacing virtually all of its Cisco equipment with HP ProCurve gear.  In case you don't know, HP ProCurve is probably the fastest growing vendor in the network market and is clearly positioned as number 2 to Cisco.  What got the St. Francis folks to finally give up the ghost on Cisco was ProCurve's lifetime warranty, industry standard, open architecture, support and price.  They are going to be 95% ProCurve.

These two studies show the problem in competing against Cisco.  Too many folks are just too willing to put up with less and take the perceived "safe way" out to stay with Cisco.  There are too many good choices out there for anyone to have to settle for less and it is time the IT world realizes it!