StillSecure, After All These Years

I love the idea that you can use software for free.  I am a big fan of open source software being made available to people.  I am also a big fan of commercial companies with an open source business model.  I am not a big fan of irrational exuberance though. Maybe that is a result of living through the dot com bubble and Alan Greenspan.  Maybe it is the recent housing/mortgage/credit bubble. In any event I was reading an article in InfoWorld today on Untangles "re-router" software.

The gist of the article was that Untangle has taken its open source router/UTM Linux based software and made it run on a Windows XP PC.  Great!  I assume they are running a virtual instance of their Linux server with the apps on top of it.  I don't think that is rocket science, but having played a bit with this myself, my first question was what is the throughput and usability like.  From what I know unless the laws of physics have been circumvented, you are not going to get a lot of performance running a UTM on that type of platform.  Sure enough Untangle's CTO acknowledges that this solution is really aimed at the under 25 user crowd.  Untangle claims this same customer would have to use several boxes otherwise for similar functionality.  The company sees this appealing to companies who don't have the money to buy the hardware and/or the resources to configure the apps.

OK, first of all there are plenty of low budget UTM's that can do this job and do it cheaply.  eSoft is one I know, our own Cobia is another and there are plenty of others.  So Untangle is talking about saving the cost of one low end box?  A few hundred dollars?  Is setting up the Untangle software going to be any easier than any of the commercial solutions? Open Source stuff is free, but generally not easy.  But here is my real problem with this from a business perspective.  Untangle is going to give this away for free and seeks to run their company from the percentage of these users who will sign up for support and higher end services.  There are lots of open source business models that work like this.  But if the customer is too small to afford to buy a server costing a few hundred dollars, what makes you think they can afford to pay for a service to manage it?  If they do need a service they need an MSSP type of product.  At the end of the day is Untangle an MSSP?  I don't think so.  Fundamentally, I think that is where the problem here lies.  How can Untangle generate enough revenue from a market sector that they say is too poor to pay for anything? 

If they did this to build presence while pursuing a higher market segment to pay the bills, that would make sense.  But I don't see that.  So at the end of the day, virtualizing your software for the SOHO crowd is dandy.  But how do you put food on the table?

Bob Walters from Untangle on his Untangling blog has an article about open source business models and how Untangle is utilizing multiple revenue streams as their business model because the software they use is open source and is inherently free. Bob calls the article "Money for nothin’ and Code for Free ".Not sure how big a music fan Bob is but I think he has Dire Straits (the band who did that song) spelled wrong, but that is not the only thing I think wrong with Bob's article. Bob lays out Untangles revenue models as this:

• Untangle makes money from software by selling proprietary, for-profit extensions to our core open source code. We have targeted these extensions to appeal to larger, commercial customers. Our core software is open-source, full-featured, and free. Period.
• Untangle optionally packages its software on Pentium-based server appliances. We sell these servers at “cost-plus,” and so this is deliberately positioned as a convenience to our customers and channel and not as a core money-making strategy.
• Untangle sells tech support services, primarily to larger commercial customers, but also some of the larger schools and non-profits

So lets have a look. First off, if you don't know Untangle has a UTM that is aimed squarely at the "S" in the SMB market. It is open sourced and free and is made up of modules based on open source security tools. I get the upsell of extensions or premium features for some modules and premium modules, that is a no brainer. I don't disagree with the off the shelf hardware justification either, though there are many companies selling off the shelf appliances for a significant mark up over cost and it is a profit center for them. Untangle seems to be writing that revenue stream off. Than Bob says they are selling tech support services to larger customers. Again there is nothing earth shattering on that. Maybe sharing the revenue with local implementation partners? Again sounds like a VAR play, nothing special.

Here is where I think Bob and Untangles model could be in trouble. Bob assumes that the underlying software Untangle uses will be free, because it is free to them. But Untangle is using a Heinz 57 mix of open source security software of which it owns little if any of the copyrights. Yes, much of the software is today open source under GPL. But what happens if the copyright holders of the software and the project owners decide that Untangle is profiting from their software and hard work. What happens if they decide to dual license the software to anyone repackaging it in a UTM or other commercial product or for profit entity. Than what does Untangle do? Their whole business model goes down the tubes. From what I know of Untangles downloaded user base and their conversion rate to paying customers and what they charge, I don't think they have the margin to pay for any software. They could fork the software and develop it themselves or hope to develop a community to continue development, but I haven't seen that pulled off very often, if at all.

To stay with Bob's money for nothin theme, if he does not protect against this, Untangle could find themselves in dire straits.

As we continue to develop Cobia here at StillSecure we keep peeling away layers of the onion in the UTM market.  It really is a fascinating market.  So many of the leading solutions have stressed taking open source security solutions and putting a pretty, easy-to-use face on them.  Not that I think there is anything wrong with using open source security solutions in UTM.  However, I wonder if there is not more to what people want.  Instinctually I think people would like more than a collection of solutions in a common GUI. I think they would like true integration between the applications.  Realizing a real 1+1=3 equation.  Of course, the question is how do you make this integration work?  What will people see value in?  Good questions for sure.

In order to answer this I think you have to move beyond the analyst papers and the marketing spin of the venders. I need to know what users really use in their UTMs.  What applications do you actually use?  Which ones look cool, but not critical enough to waste time with.  What have you tried but finds it adds no value?  How would you like to see the different modules work together.  I can see very obvious ways that IPS, AV and Firewall can work together.  What about content filtering and anti-spam?  This is your chance to help shape the future of this market.  Take a moment and leave me a comment on what you think a great UTM should have.

Oh by the way, what is the "+" for? It is for going beyond what most UTM is today. What else would you want on a gateway networking/security device?  I am interested in all of your opinions on this, so please let me know.  You can email me at podcast@stillsecure.com if you feel uncomfortable leaving a comment. 

TippingPoint announced their Core Controller appliance today. It is a 10GBPS in line IPS. Actually what it sounds like it is, is a network controller that load balances traffic among several conventional Tipping Point boxes and than puts the flow back together and passes it on.  Sounds cool, but I would like to see the latency involved in doing this.   Sounds like a lot of moving parts.  It also sounds a lot like the way Hoff used to do things over at Crossbeam Systems.

The real question for me though is not whether or not this new appliance does line speed IPS or not.  The question is do we still want our IPS as stand alone IPS or do we want it as part of UTM. Mike Rothman in his 2008 Days of Incite talks about "best of breed DOA". In it Mike talks about 2007 being a year where customers clearly voted for integrated solutions over individual best-of-breed.  He also says 2007 was the year the first open source perimeter platforms hit.  I like to think he is talking about Cobia. But 2008 will be an even bigger year for Cobia functionality! The bottom line though is except for the Ferrari crowd does anyone want to buy a stand alone IPS? Mike says it best when he says. "Market maturity kills product innovation".

Yes people buy UTM for one application at first. It could be firewall, it could be IPS or gateway AV, URL filtering or anti-spam. But they like the idea of getting more than what they just needed and paid for.  They figure they are going to turn on the other stuff soon enough anyway.  Plus they get it all from one vender.  So on this one, I have to agree with Mike.  I think people will buy UTM over single purpose security solutions in increasingly greater numbers in the months to come.  Agree?  Disagree?  Leave a comment with your opinion.

I have been following the Don "Cutaway" Weber/ Chris Hoff "dialog" around whether UTMs just add complexity and risk to the security equation. Of course the peanut gallery than had to join in.  That Georgia peanut, Mike Rothman puts in his 2 cents and complete with a reference to Shinola comes Michael Farnum with his own play-by-play and color commentary. This in addition to lots of comments from various sundry sources like AndyIT Guy and others.  Frankly, I was content to read, chuckle and keep quiet.  However, something Michael Farnum wrote struck a chord with me and reminded me of a discussion I had with some folks at a large tech company recently. 

Michael says that Don, Andy and that crowd are equating "UTM=big Linux box with a bunch of security apps thrown on it."  Michael is of the opinion that "real" companies like Checkpoint, Fortinet, etc. don't use that and have "proprietary OS’s that do not typically fall prey to the same problems that a Linux server with Squid, Snort, and SpamAssassin installed on it".  To that I say, jokes on you Vet.  Many of the biggest names including some of the ones you mention do in fact take a Linux distro, pile on some open source, slap a GUI on and abracadabra you have a UTM.  Yes they  may have ASIC or custom silicon, but many of these UTM's are Linux and many may have one or two non-open apps and then load the open source on from there.  ClamAV, Spam Assassin, etc are staples of these boxes.  Yes, Hoff's old company Crossbeam may not follow this, their schtick (put that with your Shinola, Michael Farnum) was they took best-of-breed apps and put them together on one UTM.  But the rest are guilty as charged.  Let me be clear.  I am a big believer in UTM.  I don't buy the single point of failure stuff, I don't buy the increased complexity and security crap.  But Linux and some open source mash up with a smiley GUI is unfortunately the state-of-the-art with many UTM vendors.

As I said earlier in this post, I was talking to a large tech company who wants to bring a UTM/Network gateway product to market.  In our discussions it was clear what type of applications they would want on the box.  But no matter how much I tried to explain and not matter how much I banged my head on the brick wall, they just could not understand that when you pile crap high one on top of another, you end up with high pile of crap!  There has to be more to it.  You need to leverage efficiencies, you have to make products work together.  Customers want to manage these things out of one GUI.  Not a portal where you click on an app icon and it launches another browser window.  You need a way for them to share information, licensing and user accounts.  In short you need a framework, much like we built with Cobia. If you think you can do a mash up of a bunch of open source apps all just running on Linux without any glue holding them together, you don't have anything worth buying.  I suspect the tech company I was speaking to is going to find this out the hard way.  I also suspect that many of todays UTM players who are not doing more than this are going to learn that hard lesson as well.

In the meantime, Don, Andy and the rest, you are spitting into the wind. The UTM train has already left the station.  Though it may not account for 50% of network security purchases by 2011 as Stiennon and IDC project, it is gaining momentum every day. It is going to be tough to buy a stand alone IPS or firewall in the near future.

I was reading a Fortinet press release today about IDC naming them the market leader in the UTM market.  No surprise there.  But I did read a few things that left me wondering.  One is what gives with IDC?  Gartner and most of the other larger analysts never give quotes that are specific to any particular vendor. That did not stop Charles Kolodgy (who I know and is a heck of a nice guy) from giving Fortinet a glowing quote.  Not sure what that is about.  But the bigger thing for me was that UTM as IDC defines it (network firewall, NIDS/NIPS and gateway AV), will account for 50% of the overall network security market by 2011. 

Take a moment and get your head around that.  Will there be no stand alone security apps on appliances anymore?  What about NAC, is that part of the other 50%?  One out of every two dollars spent on network security going to UTM? I am just not sure I buy into that one.  I agree that it is a market growing fast, but I also think it is a market still undergoing change and convergence.  I think the UTM market as it will exist in 2011 will have more functionality that just these three security apps that IDC counts right now. 

Changing open source licensing will effect this market as well.  Too many of the leading UTM vendors are loading up open source apps on an appliance.  As these open source licensed security apps move to dual-license models, it is going to be harder to for the UTM vendors to make it fit their business models. I think this could be a significant factor in who will lead the UTM market in 2011.  Whether it is 50% of the network security market or not.

At the risk of pissing off Hoff, I am going to agree with Richard Stiennon twice in a row.  First his article in SC Magazine last month read like a marketing piece for Cobia, now his most recent post in his Threat Chaos blog on ZDNet has some great points on UTM. Richards points that I agree with are:

1. UTM comes down to a best-of-breed versus suite decision.  Can a UTM really provide a best in class solution for each type of security application on board?  Hoff and the Crossbeam gang have built their business on that, but does it scale down from large corporations and carriers to the rest of the world?  Also, as Richard points to a point made by Barry Shteiman, can just OEM'ing or piling on applications without any integration or synergies be the effective long term?  I think first generation UTM's just piled up lots of security applications.  I think the market is going to demand integration and one plus one equals three value in the near future.

2. Does UTM add to security or consolidate security?  Richard points out that the Asian security market is immature enough that a UTM is actually bringing new security functionality to customers. In more mature markets, UTM just consolidates existing security apps in one box. I can see this, but I think I disagree a bit.  I think most people buy UTM for one or two security applications and get the rest "for free".  Many of them are almost throw ins.

3. Spam and content filtering are real drivers in the UTM market.  Too many of us seem to focus on the firewall, IDS and AV applications. Meanwhile spam and content filtering are very important to many UTM buyers.  This is a great lesson for us with Cobia.

4. Finally, Richard is still fighting the, is UTM for the biggest enterprises fight.  Hoff gets violent about this one and I am sure Richard in his own mid-western way gets down right feisty, but people still want to know.

My friend and fellow StillSecure exec, Jayson Ayers recently returned from a salmon fishing trip to Alaska where he hooked some big fish.  It always fascinated me how salmon make their way "uphill" against the current to spawn.  Having to get by the fishermen, the Bears and everything else, it is a wonder of nature that so many of them make it.  I felt the same way reading Peter Stephenson's article today ranting against the trend towards all in one boxes.

Peter is a heck of a nice guy and runs the test labs over at SC Magazine.  He is also pretty smart.  That is why I was surprised to see him take such a contrarian view on this one. I frankly thought this was a battle that had already been fought and to the victors belong the spoils.  Peter thinks that putting multiple security apps on one box at the perimeter into a "SuperUTM" defeats the layered security model.  Peter makes two points that stand out to him:

1. The boxes represent single point of failures.  I don't think this one holds water.  Think about it, having separate boxes for firewall, IPS, etc. just represents multiple single points of failure.  If any of them fail, it could bring your network down.  At least in the UTM model you just have to worry about one box, not several.

2. A single box is not a layered, security in depth defense.  I disagree with this one as well. Just because they are on one box, does not mean that you are not deploying layered security defenses.  Yes if you can bypass the box, you bypass multiple layers, but that is easier said then done.  Also, you might bypass the IPS, but not the firewall.  Or you could bypass the content filter and not the AV. The fact that they are are on one box is not really the issue.

Lastly, Peter says having all of these apps on one box does not mean they are easier to manage.  That may have been true, but even Peter admits that is getting better.  It is certainly cheaper.  The question in my mind is do they all function on one box.  With virtualization and powerful off the shelf hardware, the age of multi-function boxes has arrived for sure!

Now Peter, once you get your head around a multi-function security box, let me introduce you to the next evolutionary step, a unified network platform, Cobia.

Its been about a month or so since we publicly announced Cobia over at StillSecure. An interesting but puzzling fact that we have observed is that just because a device can perform more than one function, people think that somehow limits you from using it as a single function device.  Case in point is Cobia's firewall and router functions.  We have received more then one question asking if you can just use the firewall function in Cobia, without the router and other modules.  Similarly, we have been asked by people who want to just use Cobia as a router (sometimes just temporarily) but not any of the security functions.

This got me to thinking about UTM's and other multi-function devices.  Do people think just because they have a UTM, they must use more then one function.  I happened to come across a blog ad for Fortinet (they offer ads for the Security Bloggers Network), the only thing they mention in the ad is a fourth generation firewall.  Could it be that most people are just using UTM's for firewall. I know Chris Hoff reads my blog.  I wonder if Chris has any numbers on how many Crossbeam customers are just loading firewalls on their X-series boxes.  Does having all of these choices confuse people from using just one of them? I think this is a common problem in technology.  We tend to load so much functionality into our machines that they can be overwhelming and bloated.  Do you really want your toaster to be hooked into the net?

Of course if you're interested, the answer is even at this early stage, Cobia is a great choice for a free firewall or router or both.  The GUI allows for easy management and configuration.  If you need to drop a router in while performing some network redesign or just want to put an easy to use firewall in, even at home, give it a try. I promise you don't have to run everything else Cobia can do, unless you really, really want to ;-)