13 posts categorized "network convergence"

June 08, 2008

Cloud computing - I want my cake and eat it too

It's easy to dismiss Don Dodge asking "Do you really want your data in the cloud" as a Microsoft guy defending their turf. Don uses some recent uptime problems at Amazon, Twitter, Disqus and Typepad to show that keeping your information in the cloud and relying on the net to deliver your applications gives you less control, less security, less scalability and less reliability.

Don has a point: even though net access and SaaS services are much more mature than they were in the past, there are always times when it does not work. For that matter, cell phones, BlackBerrys, and cable TV don't always work either. An indication of how vital something has become is how much we miss it if it is not available. But to the point, I remember when the personal computer first came into being. The idea of your data and the applications being "portable" to your device was revolutionary. The idea of keeping your data on those big floppy disks was so empowering. But even then, problems accessing data on a disk, an application not behaving, or security problems could render you just as frustrated on your non-networked device as Amazon or Twitter being down does now.

Ultimately I think these things go in cycles and we are entering a centralized cycle now. However, I think this turn of the cycle could be different. Never before has net access been so ubiquitous. Never before have we seen the depth of optimized applications for the net. The infrastructure is finally in place to realize the dreams of many of "thin clients" and net terminals. But I think the best model is a hybrid model. I like the Microsoft solution where I can work on stuff online and offline on my computer, then sync up later. Ultimately, when it comes to cloud versus local computing, I want my cake and eat it too.

April 19, 2008

Rich or poor, it's nice to save some money

In response to my article yesterday about network convergence, Don Marti over at LinuxWorld responds that he is all for convergence.  But he argues, why not converge on a 2 to 4k box, rather than a 10k Cisco box.  Amen to that Don! On the Network Cisco Subnet blog, after rehashing Don's and my positions, the point made is that:

The point of convergence is to save money, as well as to ease administration. At the point where it costs more money or requires more admin than the "old way" of doing things, network pros will have a hard time swallowing it.

I guess they are referring to the fact that by converging more functionality on one box, you could make administration more complex, thereby negating the potential cost savings. I agree.  That is one of the biggest things we have been working on with the Cobia platform: how to make managing these diverse applications easier and more efficient.

Back to Don Marti's comments on cheaper boxes though.  There are actually a few rising tides that are floating the convergence boat.  The vastly increased power of off the shelf hardware at those prices is the true enabling technology. Having a cheap box does no good if it doesn't have the horsepower to get the job done.  At the end of the day, that is what kills the 10k Cisco box.  There is no need to pay 10k for the power that the box has when more powerful boxes are cheaper.  The caveat though is, how long do you think it is going to take Cisco to realize that too?

We have contemplated all of these factors in our strategy around Cobia.  We think virtualization is another key driver in this convergence revolution.  Also, by distributing source code with the product, allowing for 3rd party innovation and collaboration, we can leverage a wider community to speed development.

Linux as the common OS underlying much of the convergence trend is a key driver, but there are other forces at play that ensure that we will continue to see consolidation and convergence in the months and years ahead.

May 21, 2007

The Interop PR machine starts up and network intelligence

Well, it should be a busy week in the news with Interop going on.  This morning has already seen a flood of announcements and articles.  Should be fun.  I will try to keep you all updated from out in Vegas, as well as talk about some cool news we will be announcing there.

One thing I read I did want to bring up though.  Jon Oltsik had a good article up in his C/Net blog on the fast/dumb pipes versus intelligent network debate. While I don't pretend to know as much about this one as Chris Hoff or to be nearly as passionate about it, I do find it interesting. I have to agree with Jon.  I think due to Moore's Law delivering ever increasing horsepower to off the shelf CPUs, we are seeing more and more intelligence on the network.  But I think Jon has it right, we need to have a "crack once, process many" model.  That is, we inspect a packet once and use that for multiple purposes (IDS, AV, etc.).
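Jon's "crack once, process many" model, as an added example (not code from this post, Jon's article, or StillSecure): one decoder parses each IPv4/TCP frame into a shared structure, and a signature IDS check and a SYN-rate monitor both consume that single decoded view instead of each re-parsing the bytes. The frames, the `EVIL-MARKER` signature and the SYN threshold are constructed for the demo; checksums are not validated.

```python
from __future__ import annotations
import struct
from collections import Counter
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10


@dataclass(frozen=True)
class Packet:
    """The one decoded view every inspector works from."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    payload: bytes


def decode(raw: bytes) -> Packet:
    """Parse IPv4 + TCP headers exactly once (checksums not validated)."""
    if len(raw) < 40:
        raise ValueError("too short for IPv4+TCP")
    vihl, proto = raw[0], raw[9]
    if vihl >> 4 != 4 or proto != 6:
        raise ValueError("only IPv4/TCP is handled in this example")
    ihl = (vihl & 0x0F) * 4
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    sport, dport, _seq, _ack, off, flags = struct.unpack("!HHIIBB", raw[ihl:ihl + 14])
    return Packet(src, dst, sport, dport, flags, raw[ihl + (off >> 4) * 4:])


SIGNATURES = [b"EVIL-MARKER"]  # constructed test signature, not a real rule


def signature_ids(pkt: Packet) -> list[str]:
    """Stateless signature check over the already-decoded payload."""
    return [f"sig:{s.decode()} {pkt.src}->{pkt.dst}:{pkt.dport}"
            for s in SIGNATURES if s in pkt.payload]


class SynRateMonitor:
    """Stateful behavioural check: too many bare SYNs from one source."""
    def __init__(self, limit: int):
        self.limit, self.syns = limit, Counter()

    def __call__(self, pkt: Packet) -> list[str]:
        if pkt.flags & SYN and not pkt.flags & ACK:
            self.syns[pkt.src] += 1
            if self.syns[pkt.src] == self.limit:
                return [f"syn-flood:{pkt.src} reached {self.limit} bare SYNs"]
        return []


def process_many(raws, inspectors):
    """Decode each frame once, fan the decoded view out to all inspectors."""
    decodes, alerts = 0, []
    for raw in raws:
        try:
            pkt = decode(raw)
        except ValueError:
            continue  # undecodable frame is skipped, never re-parsed
        decodes += 1
        for inspect in inspectors:
            alerts.extend(inspect(pkt))
    return decodes, alerts


def make_tcp(src, dst, sport, dport, flags, payload=b""):
    """Build a constructed IPv4/TCP frame (zero checksums) for the demo."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ip + tcp


def demo():
    raws = [make_tcp("10.0.0.5", "10.0.0.9", 40000 + i, 80, SYN) for i in range(3)]
    raws.append(make_tcp("10.0.0.7", "10.0.0.9", 51000, 80, ACK, b"GET /EVIL-MARKER HTTP/1.0"))
    raws.append(b"\x45garbage")  # constructed junk frame
    return process_many(raws, [signature_ids, SynRateMonitor(limit=3)])
```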

April 17, 2007

HP ProCurve rides the convergence wave

HP ProCurve announced two products today that will further networking and security convergence.  According to this article by Matt Hamblen at ComputerWorld, ProCurve (which is 2nd in networking port shipments globally) will release ProCurve Network Immunity Manager. It sounds like some sort of IDS type of detection, maybe behavior and signature based, that works with ProCurve switches to throttle or stop bad traffic at its origin.  The second product, due out in the 3rd quarter, is called ProCurve Network Access Controller 800.  It sounds like a NAC device that works hand in hand with ProCurve's Identity Driven Manager.  Very interesting.  ProCurve CTO Paul Congdon is this week's guest on the podcast and he may have a thing or two to say about this.  If you get a chance, listen in.

Interestingly, Rob Whiteley of Forrester and "network NAC is dead" infamy says that this network based NAC seems to be a good thing.  Geez Rob, why didn't you say anything about PERM?  Isn't that the future and this network based access control stuff history?  I can't imagine what would make you seem to change position on this.

February 19, 2007

Mike Rothman's Secure Nirvana

It has been a while since I disagreed with Mike Rothman publicly on the blog.  Fact is, I usually find myself on the same side of the fence as him and frankly there are easier marks than him to pick on.  But with the long holiday weekend, the news is slow and we all need something to ponder, so let me dig in on Mike's recent searchsmb column in Techtarget.  Mike returns to his tired (not tried) but not necessarily true "big is the new small" thing.  It is now called best of breed vs big security.  I know we have debated this in the past, but I still don't buy it all.  I think there is a difference between buying multiple security products from one vendor versus buying from the big boys. Using Mike's examples of McAfee and Symantec, even Mike says their suite products have been largely a failure. So what makes him or anyone think that is now changing?  Yes, they have a lot of products, but they are not integrated.

Mike that is the key, integration.  SMBs want unified products, not lots of individual products from one vendor.  Until big security can show unified integration, they are no better than the little guy, who at least gives you best-of-breed.  This is exactly why we think a Unified Network Platform will be so appealing to this crowd.

February 14, 2007

Converging on the worst kept secret on the internet - UNP

For those who read my blog or Mitchell's, you probably have already surmised that we have been working on something new and exciting here at StillSecure.  We are almost ready to take the wraps off, but not quite yet.  We are also looking at adding a key member to the team, which could be really exciting.  Mitchell has posted tonight his white paper/manifesto that explains a lot of what he has been thinking about and working on for a while now. He sums it up as a Unified Network Platform. There have been enough hints and clues dropped, I think, for those who want to know to figure it out.  But if not, read the white paper and keep your eyes peeled.

February 01, 2007

3Com On, on what is the question

You may have seen all the press a couple of days ago around the launch of 3Com's Open Services Networking (OSN) program and the accompanying 3Com On partner program. Phil Hochmuth over at Network World has a good article up on it.  Basically, 3Com is seeking to tackle Cisco and Juniper in the router market by making a Linux blade that will run inside their router.  Using VMware and such, they want to run a bunch of different apps that can benefit from being near the router and network. Sounds like a good idea.  It would be good to see 3Com win back some market share, after some rough times over the past few years.  Maybe the Tipping Point folks would even be proud to say they are part of 3Com.

The article talks about a few of the partners 3Com has lined up that will run in this environment.  One company absent was StillSecure.  However, a perusal of the 3Com On web site under security solutions shows StillSecure listed as a partner for our Safe Access NAC product. In fact, clicking on the StillSecure link takes you to a page on the 3Com site that tells all about Safe Access, including the fact that Safe Access was tested and certified on their 5500g model.

So why were we not mentioned in any of the press articles or press releases?  I think the answer lies more in Tipping Point's own NAC plans (I am sure we will hear more about this soon, maybe even at RSA, which is shaping up as a NAC-fest) than anything else.

January 13, 2007

Farnum says if you were owned by a crappy switch vendor you would want to go bump at night too

Michael Farnum, my friend from down Texas way, gives us his take on the Tipping Point - Brian Smith remarks about pursuing a bump in the wire approach to network security. Long and short of it is Michael feels somewhat responsible for the way he answered a customer response survey about whether he would buy a Tipping Point blade on a 3Com switch.  Basically, Michael makes no excuse that he thinks 3Com switches for the enterprise suck and that he is not alone.  He would consider a Tipping Point blade on another company's switch, just not 3Com's.

I suspect that this is actually the Tipping Point guys' point of view.  The ones I have spoken to are almost ashamed to be affiliated with 3Com and begrudgingly accept the 3Com name on their business cards, but still call themselves Tipping Point.  I say they weren't so proud and arrogant when they were taking the 400+ million dollars from 3Com, were they?  Hey, as far as I am concerned, Tipping Point made a bargain and got paid for it too.  Now they have to live with it.  How is it in the best interests of 3Com to tolerate this?  Yeah, it may be short term positive for Tipping Point to disassociate themselves from 3Com, but long term it kills 3Com to not have a coherent, unified company.  If they can't leverage switch business with the Tipping Point stuff, they should just spin Tipping Point off now (don't laugh, I have heard rumors to that effect, but I suspect it is just wishful thinking by Tipping Point guys) and take the money and run.  I wonder if the tail is wagging the dog over there.

A bump in the wire is a .... bump in the dark

I was reading an article in SC Magazine tonight about some of the people speaking at this year's RSA. It is a pretty impressive list, with Colin Powell, Larry Ellison and Deborah Platt Majoras, the chairwoman of the FTC, all scheduled to speak. However, what caught my eye and got me thinking was news about what Brian Smith, co-founder of Tipping Point and chief architect of 3Com, wants to talk about in his keynote speech.  From the article, here are the relevant parts:

"Brian Smith, the chief architect of 3Com and a founder of TippingPoint, says his first-ever RSA keynote will focus on integrating solutions such as network access control, intrusion prevention and behavioral anomaly detection to create an intelligent network.

"I can do all of these sorts of synergies and when you trace it out, what ends up happening is you're able to debug network problems that you were never able to do before, get an unprecedented level of security, and also lower the total cost of ownership," Smith says. "They have to talk to each other. If we can pull all of these solutions together, I think that's going to be the trend over the next five to 10 years. It's a natural evolution in the technology cycle."

Smith says he also plans to emphasize the benefits of the bump-in-the-wire network approach to deploying security solutions. Rather than embedding solutions into switchers and routers, Smith plans to suggest overlaying solutions to allow for a more converged, cheaper way to add intelligence to the network."

This just doesn't sit well with me and I have to put my two cents in. First off, I perfectly get the first paragraph.  The street is ripe with rumors of Tipping Point (funny how they don't say 3Com, you would almost confuse who bought whom over there) buying a NAC company (some customers our sales people have spoken to claim to have seen PowerPoint slides from Tipping Point to that effect). In addition to that, today they announced a partnership with Lancope, the behavior and anomaly based detection provider (I would say behavior based IPS, but I think they don't use that term anymore). So now that Tipping Point has the pieces, all of a sudden convergence and integration of security technologies instead of separate silos becomes the holy grail that they are on the verge of finding.  OK, better late to the party than never.

Where I feel the need to upchuck is around Brian's comments emphasizing the bump-in-the-wire network approach rather than integrating with routers and switches.  Talk about missing the forest for the trees!  If you get that integration of security is a good thing, how do you miss the convergence of network with security?  Especially from a guy who, last time I checked, works for a large network vendor.  Do the Tipping Point people resent and hate their 3Com overlords so much that they refuse to see the natural evolution of converging security and network gear?  Has selling big-ass, honking ASIC boxes to do IPS for so long totally blinded them to virtualizing some of this stuff and putting it on blades and so forth inside the switch and network?  A bump in the wire security approach is so 2003.  Most of the guys who do the bump in the wire are trying like hell to move up the stack and the network to get away from the edge to the core.  You may be able to do IPS as a bump in the wire at the core if you have the horsepower, but you are going to be forced to the edge for other security stuff if you insist on bump in the wire.  Single point of failure, scalability and cost are just working against you. Eventually you have to turn to the switch. I just don't get where he is coming from here.

Hey, maybe it is a good thing.  I am pretty sure what I will be telling our sales team on how to position against Tipping Point after this one.  Unless of course sanity sets in and the 3Com folks give their Tipping Point children a little network religion.

January 12, 2007

Phone envy, bringing the iPhone platform to the network

I usually try to stay away from piling on to Mitchell's blog posts, as it could be too much from both of us at the same company.  However, I think Mitchell's recent post on "Networking needs an iPhone" is so right on that I need to follow up (also his post one or two after that about our holiday party is pretty cool too). I have stayed away from all of the iPhone envy posts since Steve Jobs showed us all the future of the converged consumer platform at MacWorld.  That's right, I did not say a phone that plays music and videos too.  The functionality of the iPhone goes way beyond a phone marrying an iPod.  The iPhone is a consumer application platform, as Mitchell points out. The particular mix of applications it has at any given time is not important.  Because it is built on Apple's OSX, I think we will see applications come and go over time on this platform.  I also think that the hardware that it runs on will expand over time. You will have more options around HW platform than just storage space.

If there is one place I don't agree with Apple on this one, it is that, like everything Apple, it will only come on Apple HW (actually I don't like that Cingular/ATT has an exclusive and I don't like the lack of 3G either, but I digress).  If Apple wanted to make the iPhone a true revolution it would license the software to multiple standard hardware platforms.

This is all something we have spent considerable time at StillSecure thinking about.  We look around at the network and UTM appliances out there and see them using a router for a phone, a WAP for an iPod, a firewall for an email client.  In case I am not clear, what I am trying to say is we see people using multiple boxes for network applications.  Can't someone make iPhone-like software and create a platform for multiple network applications?  I think they can and am looking forward to seeing it!

December 13, 2006

People are not appliances, they're flexible

Not to drag up the whole "who needs another agent" thing, but I wanted to comment on an article by Mike Murray the other day and a follow up to that by the guys over at nCircle.  Mike made, I think, a great point: as much as we have disdain for the overabundance of agents, we are seeing the same thing with appliances.  This is something I have spoken about for years.  Appliances were supposed to make our lives easier.  Plug and play, no configurations to mess with, easy to use.  For the most part they are.  But as Mike points out, put 3 in, then 6, then 12 and so on and so on.  It is not just security appliances either; everyone seems to jump on the appliance bandwagon.  Now what was supposed to make our lives easier has turned into a data center mess.

Managing multiple appliances is just not efficient.  On top of this, these appliances are not flexible.  If you want to switch vendors, do a significant upgrade or change the technology you are using, you have to throw out the box and start over again.  This is in spite of the fact that most of these "appliances" are just COTS boxes with a custom bezel that you pay a premium for.  This was exactly what we tried to avoid at StillSecure by selling a "software appliance" that ran on COTS HW.  You could repurpose, reconfigure and reuse the hardware over and over.  Additionally, the whole virtualization thing flies in the face of the dedicated appliance model.  So, as I said, Mike is right on.

The post up on nCircle's blog takes, as you can imagine (after all, they sell a custom appliance model, off the shelf with a custom bezel), a contrary position. They analogize appliances to people.  Just as we have seen increased specialization in our job roles, the argument is we need increased specialization in appliances.  The reason, according to the article, is "enterprises like building silos of control".  I see this logic as flawed.  I think no matter how special the person, people are inherently flexible.  They can always be tasked and trained to do another job in addition to, or instead of, what they do.  In fact, humans probably represent the ideal for what we should strive for in designing our technology solutions for flexibility and adaptability. It is this adaptability that has allowed us to evolve and survive these millions of years (please don't start an evolution vs creation thing with me).  Evolution teaches us that too specialized a species is a recipe for extinction. That is what we need from our appliance models: flexibility and adaptability, not more silos!  We need to break down the silos and have interaction among them to improve productivity.

November 21, 2006

Is IPv6 in your future? If so, when?

Maybe it is because at StillSecure we deal with the federal government an awful lot, but we have been hearing from customers about how important it is for our products to support IPv6 for some time.  The federal government has mandated that all of their networks and the applications that run on them must be IPv6 compliant by June, 2008.  However, an article by Andrew Hickey over at TechTarget, referencing a research report by TheInfoPro, says that IPv6 is just not catching on despite the hype.  The research shows that only 5% of organizations have IPv6 in place now and only 18% have at least some interest in deploying it in the next 12 to 18 months.  Not exactly an overwhelming tide of support.

This is in spite of the fact that most every major networking vendor in the world has built IPv6 into their products already and the federal mandate is in place.  So the question is:  What is it going to take to move IPv6 forward?  Good question.  Here is the problem: very few people are going to move to this unless there is a compelling reason to do so.  That is the way capitalism works.  So some reasons to move, according to the article, are:

  • They want to gather experience though it is not yet business critical.
  • They run out of IPv4 address space.
  • They need end-to-end security they can't get through NAT.
  • They want to deploy VoIP and stumble with NAT.
  • They want to use an application that uses IPv6 features and is not available for IPv4.
  • They want to use mobile IPv6.
  • They need to upgrade their backbone and switching hardware anyway, and can use that as an opportunity to turn on IPv6 at the same time.

My biggest reason for supporting IPv6 is the possibility for improving security across the network.  In my mind that may be reason enough alone to go for it, but we will have to wait and see.  I am interested to see what other folks think about this. Let me know where you stand on IPv6.


October 31, 2006

Juniper promises converged BOBs

Mitchell writes a lot about converging network technologies and it is something we are both interested in.  So Juniper's recent announcement around their strategy for enterprise branches was pretty interesting to me.  Juniper certainly seems to be on course to converge data, voice, security and acceleration on one box.  What they seem to have now is just basic routing functions combined with UTM.  In Juniper's case UTM is IDP with firewall/VPN.  I think that is a fine start, but if they are really going to do UTM, where is AV and content filtering?

Their announcement says in the future they will integrate some of the VoIP technology they co-developed with Avaya. At some unspecified future date after this Juniper will also incorporate acceleration, compression and caching technology, which I assume is from the Redline and other acquisitions.  Whether or when we see this is another story, but Juniper certainly seems to be jumping on the convergence bandwagon.  It will be interesting to see how other infrastructure providers respond.

Juniper Networks Announces Strategy for the Enterprise Branch

disclaimer

  • The views and opinions expressed here are those of myself only and in no way represent the views or positions or opinions of my employer, Latis Networks, Inc. d/b/a StillSecure or anyone else.
