Rational Survivability

As previously mentioned, I’m off to Africa this week to go on a little hiking expedition with some mates of mine.  We’re climbing Mt. Meru, Mt. Kilimanjaro and then going on Safari all across Tanzania.

I’ll be gone for 17 days or so and flying home just in time to drop my bags, kiss the wifey and kids and fly to San Francisco (8 hours later) to get to the RSA show for the UTM smackdown panel I’m on.  If you’re at RSA and see a tatooed, newly-bearded, scruffy and frostbitten guy with a conference badge and an attitude to match, chances are it’s me.  Or Rothman.  He’s prettier than I, or so I hear.

If the altitude, stomach pathogens, or Mosquitoes don’t kill me, the amount of email and work when I return certainly will.

In case Rothman, Shimmy, Stiennon, Ptacek, McKeay or Vet decide to take this opportunity to get cute and sneak in some post that I would otherwise respond to, I hear there is GSM/GPRS service all the way to the top of the mountain.  Be warned. 🙂

Hold down the fort, boys.  I shall return!

Hoff

Alan and I normally are close enough on our positions that I don’t feel it necessary to argue with him.

I certainly don’t feel compelled to come to the defense of a competitor that Alan’s unloading on, but I’m really confused about his interpretation of what TippingPoint’s Chief Architect, Brian Smith, is communicating and where Alan suggests that he and StillSecure’s position lays.

To re-cap, Brian Smith was quoted in an SC Magazine Article as describing his views on how security ought to be positioned in the network thusly:

"Brian Smith, the chief architect of 3Com and a
founder of TippingPoint, says his first-ever RSA keynote will focus on
integrating solutions such as network access control, intrusion
prevention and behavioral anomaly detection to create an intelligent
network.

"I can do all of these sorts of synergies and when you trace it
out, what ends up happening is you’re able to debug network problems
that you were never able to do before, get an unprecedented level of
security, and also lower the total cost of ownership," Smith says.
"They have to talk to each other. If we can pull all of these solutions
together, I think that’s going to be the trend over the next five to 10
years. It’s a natural evolution in the technology cycle."

Smith says he also plans to emphasize the benefits of the
bump-in-the-wire network approach to deploying security solutions.
Rather than embedding solutions into switchers and routers, Smith plans
to suggest overlaying solutions to allow for a more converged, cheaper
way to add intelligence to the network."

Amen to that.  But lest you think I am intimating that we should all just toss appliances willy-nilly across the network (in fact, that’s the opposite of what I think,) please read on…

Apparently it was the third (boldfaced) paragraph that got Alan’s goat and provoked him into a state of up-chuckedness.  Specifically, it seems that it is repugnant to Alan that someone who works for a "switch" company could suggest that overlaying security can be facilitated as a "bump-in-the wire."  I guess that depends upon your interpretation of "bump-in-the-wire." 

I’m guessing that Alan thinks that means individual appliances being inserted between network segments with one "goesinta" and one "goesouta" cable and yet I can’t figure out why  "…virtualizing some of this stuff and putting it on blades and so forth" has to be within the router or switch and not on an extensible services platform?

I have a feeling I’m going to hear the typical "not everyone can afford big iron" as a response…but if you can generalize to prove a point, I can become surgical and suggest that it’s not fair to treat the Global 2000, Carriers, Service Providers and Mobile Operators as an exception rather than the rule when it comes to describing security trends and markets, either.

Summarily, it appears that the "convergence" of networking and security in Alan’s eyes means that security functionality MUST be integrated into routers and switches in order to be successful and that adding security functionality on top of or in conjunction with the network is a lousy idea.

Strange comments from a guy whose company takes generic PC appliances  with security software on them and deploys them as bumps in the wire by sprinkling them across the network — usually at the cursed perimeter and not at the core.  Confused?  So am I.

Alan goes on:

Most of the guys who do the bump in the wire are trying like hell to
move up the stack and the network to get away from the edge to the
core.  You may be able to do IPS as a bump in the wire at the core if
you have the horsepower, but you are going to be forced to the edge for
other security stuff if you insist on bump in the wire.  Single point
of failure, scalability and cost are just working against you.
Eventually you have to turn to the switch. I just don’t get where he is
coming from here.

So you’re saying that your business model is already dead, Alan?

The final piece of irony is this:

Has selling big-ass, honking ASIC boxes to do IPS for so long totally
blinded them to virtualizing some of this stuff and putting it on
blades and so forth inside the switch and network.

Um, no. Again, not like I feel any inclination to defend Tippingpoint, but it’s apparent that Alan is not aware of TippingPoint’s M60 which is a huge multi-gigabit LAN switching platform (10-14 slots) with integrated IPS (and other functionality) that can either replace a typical switch or connect to existing switch fabrics to form an overlay security service.  It’s about a year overdue from the last announcement, but the M60 is an impressive piece of iron:

Each blade in the M60 acts as a stand-alone IPS device, similar to
TippingPoint’s T-series appliances, in which network connectivity and
IPS packet processing are done on the hardware. (The exception is with
10G interfaces; the M60 uses 3Com’s 8800 dual-port 10G blades, which
connect to TippingPoint IPS blades through the switch’s backplane.)

The blades run 3Com’s TippingPoint IPS device operating system and use the vendor’s Digital Vaccine updating service, letting  the device identify the latest threat signatures and vulnerabilities.

This was one of the results of the Huawei joint venture with 3Com.  I believe that THIS is really what Brian Smith is talking about, not device sprinkling appliances.  It’s  a switch.  It’s an IPS.  That’s bad, how?

What has me confused is that if Alan is so against hanging security services/functions OFF a switch, why did StillSecure do the deal with Extreme Networks in which the concept is to hang an appliance (the Sentriant AG) off the switch as an appliance instead of "inside" it like he suggests is the only way to effectively demonstrate the convergence of networking and security?

So, I totally get Brian Smith’s comments (despite the fact that he’s a competitor AND works for a switch vendor — who, by the way, also OEM’d Crossbeam’s X-Series Security Services Switches prior to their Tippingpoint acquisition!)

The model is valid.  Overlaying security as an intelligent service layer on top of the network is a great approach.  Ask me how I know. 😉

Chris

Alan Shimel is commenting here on his blog in this post titled "People are not appliances they’re flexible."  In this entry he muses on about vocational "flexibility" and what appears to be the "cosmic humanity" of folks in the IT/Security space.

He also keeps talking about the need to keep buying COTS hardware appliances…he’ll never learn!

Specifically, Alan’s argument (which is orthogonal to the actual topic) is that as specialized appliances proliferate, he disagrees with the fact that the operators and administrators of said appliances must also specialize.  In fact, he waxes on about the apparent good-natured ebb and flow of utilitarian socialism and how ultimately we’re all re-trainable and can fluidly move from one discipline to another irrespective of the realities and vagaries of culture and capability.

Using that as an example it seems that a help-desk admin who deploys patches from one appliance can just pick up and start doing IDS analysis on another?  How about that same  "appliance" technician reading PCI for dummies and starting to manage firewall appliances doing policy manipulation?  Sure, they’re re-trainable, but at what incidental cost?  Seems a little naive of a statement for my tastes.

Mike Murray from nCircle on the other hand suggests that Enterprises inherently gravitate toward silos.  I totally agree — emphatically as we speak about larger Enterprises.  Operationalizing anything within a big machine means that you have political, operational and economic silos occuring naturally.  It’s even a byproduct of compliance, separation of duties and basic audit-output mitigation strategies.  Specializing may be "bad" but it’s what happens. 

Appliances don’t cause this, the quest for money or the love of what you do, does.

Even if Alan ignores the fact that you don’t have to keep buying individual appliances (you can consolidate them) the fact is that different elements within the organization manage the functions on them.   Even on our boxes…when you have firewall, IDP and AV in an X80 chassis, three different groups (perhaps more) manage and operate these solutions.  Silos, each and every one of them.

Nature of the beast.

That being said, this doesn’t mean I don’t disagree that I’d *like* to see more cross-functional representation across solution sets, but it’s just not reality:

Evolution teaches us that too specialized a species is a recipe for
extinction. That is what we need from our appliance models, flexibility
and adaptability, not more silos!  We need to break down the silos and
have interaction among them to improve productivity.

One could take that argument and extrapolate it to explain why people are so polarized on certain issues such as (for example) security and its ultimate place in the Enterprise: in the network or in specialized appliances.   

Innovation, specialization and (dare I say) evolution suggests that survival of the "fittest" can also be traced back to the ability to not just "survive" but thrive based upon the ability to adapt in specificity to what would otherwise be an extinguishing event.  Specialization does not necessarily infer it’s a single temporal event.  The cumulative or incremental effect of successive specialization can also provide an explanation for how things survive.  Take the platypus as an example.  It ended up with a beaver’s tail and a duck’s bill.  Go figure. 😉

What’s important here is the timing of this adaptation and how the movie plays forward.

Hoff

Freddy Got Fingered is probably one of the most disgustingly funny movies I’ve ever seen.  It’s truly sick.  In the first 10 minutes, Chris Elliot Tom Green (thanks, Zach!) performs unnatural acts on a farm animal and plays a Brahms concerto on an electronic keyboard with pieces of meat strung from overhanging pulley systems that move up and down as he plays.

Weird.

What the hell does this have to do with what Martin McKeay wrote about my blog entry welcoming Richard Stiennon to the ranks of the UTM vendor pool?  Nothing, really.  Except for the fact that I got "fingered" (ew!) by Martin as he pegged my post for what I said it was — an un-objective "Welcome to the Jungle" message to Richard who in our last exchanges didn’t seem to believe in UTM. 

Now he does.  What a difference a day makes.

I started thinking about Richard’s comment about how in his new position he’s not going to become a "defender of the product" — somehow rising above it all and not getting dirty debating the "merits" because he’s the Chief Marketing Officer.  At first I dismissed his comments and blew him a kiss given how early in the game it is for him @ Fortinet, but I, like Martin, sure as hell hope that he’s not going to hide under a title because he doesn’t want to debate openly.

We’ve called each other out — sort of. 

I respect Richard’s opinions.  I don’t happen to agree with all of them and unfortunately I seem to be violating some unwritten rule that suggests it’s out of bounds to say so?  I guess that’s why I don’t consider myself in marketing.  Ptacek would call me on that one because everyone — including my plumber — he considers in marketing 😉

When Mr. S. was an analyst he thought fit to be able to debate and agree/disagree with anything I said.  Because he was "independent?"  Now that he’s not, he can’t?

Perhaps I missed the memo, but I think it’s a cop-out to essentially "take the fifth" when doing a 180.  I just don’t subscribe to the fact that there’s some secret code that suggests that when roles change so do opinions and the exposure that comes with articulating them.

If I went to work for Cisco tomorrow, based upon my comments and opinions in the past, I’d sure as hell expect that people would question me on it and expect to debate the "merits" one way or the other.  I’d also feel compelled to ‘splain.  But that’s just me.

Also, I’ll take any advice anyone has — whether the topic is fly fishing, chainsaw juggling or branding.  I’m an equal opportunity opinionist that expects to receive as much as I give. 😉

Enough.  This is getting to sound like I’m trying to pick on Richard.  I’m not.  Well, OK.  I am.  But that’s what all you people pay to see, right?

Rich — whaddya say we rent those inflatable Sumo suits @ RSA and do a true UTM grudge match!?  I expect that you’ll take Ken Xie’s place on Rothman’s UTM panel?

Hoff

I smell blood.  This will be a very fun next couple of months.  Why?

In case you haven’t heard, Richard Stiennon has announced that after his provoking and inciteful rant (sorry, Mike) against Check Point, Ken Xie from Fortinet wooed him back to the darkside and he’s going to join them as their newly-titled Chief Marketing Officer.  Timing is everything, eh?

The esteemed Mr. Stiennon is a really smart guy and I am honestly looking forward to seeing how and what he does @ Fortinet.  It will be thought-provoking for sure.

So much for the niceties…Richard’s railed on me previously about how big honkin’ UTM boxes aren’t the answer to security but I reckon that’s going to change — or spin — now that he works for a vendor that sells (amongst mostly SMB/SME solutions) big honkin’ UTM boxes.

We really had a good time going at each other in regards to NAC and his Secure Network Fabric (SNF) positioning and it lead to a podcast debate on Martin McKeay’s blog, also.  I am eager to see how, or if, Fortinet’s strategy changes once Richard gets his hands on the positioning and messaging.

Fortinet really doesn’t compete in the "…high-end enterprise, carrier and managed service provider" space, but their ATCA-based chassis products are certainly positioned to play there.  He’s got his work cut out for him. 

I forecast that Fortinet’s high-end ATCA-based product line will be the soapbox from atop which Richard continues to evangelize his SNF strategy — but instead of "embedding" security in the switching fabric, it will be overlaid with big honkin’ UTM boxes, despite his prior arguments to the contrary.  I further prognosticate that we’ll see PR regarding relationships with switch vendors like what Shimmy @ StillSecure did with Extreme…

Either way, it’s going to be entertaining.

Congrats on the job, Richard.  At least I don’t have to listen to your "…I’d rather debate with independent analysts" comments anymore. 😉  Looking forward to our continued interaction.

Chris

Firstly, I really like debating elements with Ptacek.  He’s a really, really smart guy.  Somewhat misguided, but a really, really smart guy.  I’m honored that he picks on me.  Really. 

He picked on Bejtlich the other day.  Given this association, I believe I have solved the Poincaré conjecture which has something to do with math, intractability and doughnuts.  Mmmmm.  Doughnuts.

Here, he mentions in response to my post regarding my Chicago presentation, that Cisco will crush Crossbeam.  Privately he gave me a date and time, but I told him that I wouldn’t repeat when because it might affect his Cisco stock value.

Secondly, I can only giggle about Thomas’ choice for his blog entry title ("Cisco can kill Crossbeam any time it wants…") relating how Cisco will assimilate us all…I remember that same Borg-like prediction about how Microsoft would crush the Linux movement and how no other OS would stand a chance.

I believe Thomas is still using a Mac today…

At any rate, I started with Crossbeam almost exactly a year ago.  The funny thing about crossing over from a security practitioner to working for a security vendor is that all your credibility goes out the window instantly.

I get this, it’s part of the game, but I refuse to bow to the notion that the last 15 years of my life and the credibility it has earned is erased by this singular event, so I go on assuming that my opinions count as they always have – like the paper they’re written on.

Almost always, I end up arguing with people who have either only been a vendor or an analyst and short of securing their home networks have never actually been a CISO of a company whose assets have monetary value with the word “billions” preceeding it.  I have.  I argue from that point and the beliefs that come from that perspective.  Yes, I am biased.  I was before I came to Crossbeam, too.

The one thing that makes it difficult to sort out addressing someone who is as long-winded as I am is figuring out which parts of the debate are religious, marketing, technical or dogma.

Thomas is obviously reacting to my post playing the role of Cisco’s VP of Marketing, despite his disclaimers to the opposite.  I will answer disguised as a cabaret dancer from Ohio.  I hope that’s not confusing.  If nothing I say makes sense, I’ll just ask you to rent the movie “Showgirls” and you’ll forget all about this security nonsense.

So I’ve read his retort to my post/presentation, and I’m going to respond to the things I think are worth responding to because a good chunk of his posting doesn’t really address my points – they defend Cisco’s misses.  Yet I digress…

Ptacek starts out all right, doing a good job of summarizing the sentiment of both my post and my presentation:

Chris’ argument has three salients:

• Cisco’s Self-Defending Network Architecture (the successor to SAFE) is just marketecture.
• Cisco hasn’t put its money where its mouth is on integration of security into its mainline platforms (the Cat and routers).
• Security belongs at a “service layer”, virtualized over the entire network, not as point-deployed boxes (IPS) or embedded into the infrastructure (IPS blade).

I really could just stop here because I’ve yet to find anyone (besides Thomas) who would actually disagree with any of those points, so why continue? 😉

But, he did, so I will…

1.    Is SDNA “marketecture”? Of course it is. SDNA is code for “sole-source network security from Cisco”. Sniping at SDNA’s credibility is as silly as sniping at the Cisco SAFE architecture in 2001: absolutely nobody designs networks according to these “schemes”. SDNA is a “why we did it” story that is retrofit onto Cisco’s evolving product lines to make it seem like they have strong management and a real vision.

Roger that.  SDNA = marketing.  Being opportunistic marketing-wise = vision.  Check.

But Chris’ argument isn’t about SDNA. It’s about whether enterprises should sole-source from Cisco, with around $1b in security sales, or consider vendors like Crossbeam that post sales less than 8% of that.

That’s right, my argument is that you shouldn’t sole-source your security solutions from a single vendor who claims competency in 15+ categories of security without demonstrating it, ever, except with a checkbook.

Also, just to double-check, Thomas, in Cisco math, a $200,000 Cat6500 switch with two FWSM blades is still $200,000 of “security sales,” right?   Uh-huh.  How about those “negative margin” deals…

That’s a fine argument to make, but if you’re going to build it on Cisco’s inability to run a real playbook, you can’t cherry pick Cisco’s weakest messages. SDNA may be meaningless. NAC isn’t. Even if it doesn’t work yet, it’s actionable and it’s changed the way people think about securing their network, and when Cisco buys the company that can really deliver on it for large enterprises, NAC is going to cause Crossbeam huge headaches.

Cherry-pick their weakest message?  SDNA is their message, Thomas!   DVVM and Quad-play is dependent upon this underlying message that “security is the network.”  I didn’t make this up, Cisco did.

You just contradicted yourself hugely.  In the first paragraph you said that “…absolutely nobody designs networks according to these “schemes”” but somehow that’s affected the way in which folks secure their networks!?  You’re right…they take a look at the Cisco method and realize it doesn’t work and look for other solutions.

Also, I just love the “…you just wait until Cisco buys something that actually works” sentiment!

By the way, Crossbeam doesn’t have to fear when Cisco gets NAC working (which is the most hysterical comment you’ve made,) because we can simply get a best-of-breed partners’ NAC application running on our platforms…no cash, no development, no fuss.  In fact, we are already in the process of doing that.

Furthermore, when you say NAC, you mean CNAC.  But which CNAC are you referring to?  The one that didn’t completely pan-out (CSA) or the new-and-improved Clean Access?  You know, the same Clean Access that requires ANOTHER appliance to be added to the network to function and is purdy much a Cisco-only solution…

2.    If you’re an indie network security vendor with a pulse, the idea of Cisco embedding IPS and firewalls into every Cat switch and access router puts you in a cold sweat. Is Cisco full of shit about this plan? Reasonable people will disagree, but the answer will be “no”.

See, I don’t think they’re full of shit.  I just think they’re not a security company and aren’t executing on their vision in a manner consistent with the customers they serve outside of the SMB.  The Enterprise strategy is showing cracks and they are very distracted across an immense portfolio.  They’re trying to re-group on the convergence front, but there’s pressure there, too.  All the while, security plods on.

First, the existence proof: the ISR. Large enterprises buy them by the hundreds. It’s one of Cisco’s most successful products ever. And it’s a direct threat to the branch/satellite-office market that is the primary revenue multiplier for indie perimeter security vendors —- Crossbeam’s bread and butter.

The ISR is fantastic…and if you’re a branch/satellite-office company I’d suggest it’s a very good product – still only provides limited security functionality and that’s why Cisco sells ASA’s with them.

Also, if you’re suggesting that the SMB/Branch perimeter is Crossbeam’s “bread and butter” you are completely and absolutely incorrect.  90% of our revenue comes from Large enterprise data center consolidation and service provider/MSSP/mobile operator customers.  Your definition of the “perimeter” needs work as does your understanding of what we do…again.

Cisco does more than $10b a year in Cat switching alone; by revenue, their grip on that market is comparable to Microsoft’s lock on operating systems. All it takes for Cisco to launch completely integrated network security is a credible ASA blade for the Cat6k. How far out can that be? Enterprises already buy the Firewall Switch Module.

Actually, the ASA isn’t their answer to the aging FWSM, the ACE and VSA are…and it’s got a long way to go.   By the way, who said that I’m suggesting we’re out to crush Cisco?  Beating them where they do a lousy job is a very nice living by your own math above.  How far out?  You’ll have to ask them.

The 6500 series is old in the tooth and if you read Gartner’s recent 2006 MQ for Campus LAN, their darling Cisco takes some serious knocks.  That includes the security piece.  Gasp!

And finally there’s the obvious point to be made about NAC and Cisco Security Agent, the alien larvae Cisco is trying implant into host security. NAC is a lot of bad things, but “un-integrated” is not one of them.

You’re right, but you forget that "un-integrated (?)" does not equal “functional.”  You’re also a couple of months late on this argument already…please see above.  I think your a little out-of-date on where Cisco is with CNAC…please see the report above for a very interesting look at the Gartner report.

Basically, every indie vendor has a talking point about how Cisco should just stick to the connectivity that they’re good at. This stuff all sounds good at first, but c’mon. Cisco doesn’t own connectivity because they make the best routers and switches. To claim that their routing (perimeter) and switching (internal) real estate doesn’t give them a dominant position in security is to claim that the perimeter and internal networks aren’t implicated in security. Delusional.

A dominant position or an advantage in hocking their wares because there’s some box that might be a platform to deploy it someday or today in pieces?  I’d say the latter.  Where is my bottle of Zoloft, anyway?

I agree, they haven’t done it yet, but I’ll make a statement that’s sure to get me yelled at: as soon as Cisco decides it’s ready, it can end companies like Crossbeam, Checkpoint, and SourceFire within 18 months. Isn’t not doing that, and running security as a totally seperate business unit, one of the big mistakes they made in the 90s?

Oh, OK.  They haven’t because instead of feeding the hungry, bestowing Linksys DSL routers to everyone in Kentucky or donating to stop the killing in Darfur, they’ve instead decided to give  kindly by not destroying their competitors. 

Jesus, I had no idea!  Thanks for clearing that up.   

Security is now under Jayshree’s organization which is routing/switching, and I don’t believe it has ever been a separate unit.  It should be.  That way if it doesn’t pan out they can just scrap-heap it and say that it’s a feature, not a market.

3.  Does it make sense to deploy security uniformly across the whole network, defending secretary desktops the same way you defend iSCSI servers or server-agent management consoles? No. Security should be focused on assets.

Hey, that’s a great point.  I think I made it! Please tell me how they do that?

But exactly what does this have to do with network architecture? Read Chris’ slides and it seems to mean “the way to architect your network is to hang Cisco boxes off of a couple Crossbeams in your core”.

Not quite, but your extreme-isms are starting to have me think you should write for Al-Jazeera.   How about quoting what I actually talked about…you know, like build a fast, reliable, resilient and responsive network infrastructure and overlay security as a combination of security services which provides the absolute best-of-breed security in combination where you need it, when you need it and at a price tag where the risk justifies the cost.

But that’s what you meant, right? 😉

The points Thomas pins his venom on below are from a single slide in the preso which is basically a Letterman’s top-10 spoof.  Some of them are purposely meant to incite, others are humorous, some are leverage points for the rest of the discussion that the audience and I had.

I’ll respond to some of them because many of Thomas’ objections are out of context and some are just to silly to respond to.  If you really, really want a line-by-line, I’ll do it.  Y’all just let me know 😉

2.  When’s the last time a network guy could perform a byte-level forensic trace of a Botnet C&C channel or a security guy troubleshoot a nasty BGP route-reflector distribution problem?

I don’t know. You might try asking Dug Song at Arbor, Kirby Kuehl at Cisco, or any of the Team Cymru guys. When’s the last time a security guy bought a Cisco product? Hint: it happened 5 times while you read this sentence.

Ummmm…I was referring to the average security and network practitioner in a stove-piped Enterprise or service provider, not the rest of the crew from your Saturday afternoon flag-football squad 😉

These guys, like you, are not representative of the typical folks who have to actually use the stuff we’re talking about.

You know, customers.

  3.  Managing threats and vulnerabilities is not the same as managing risk; networks don’t understand the value of the data traversing it..how can they protect it accordingly?

Cisco is not an ethernet cable. “The network” is whatever your vendor says it is. In Crossbeam’s case, “the network” is Cisco and “security” is everything else, including Checkpoint and SourceFire, both of whom sell products that Cisco has pin-compatible substitutes for.

Do any of these companies “understand the data”? No, I agree, they don’t. Is “understanding the data” important? Then let’s suspend the conversation until Cisco buys Vontu and Crossbeam partners with Vericept.

Pin-compatible?   Label-compatible, perhaps.  I think this is exactly the divergence that’s at the crux of the debate here, as the “quality” of the individual security solutions on their own (appliance or embedded) versus how they work as part of an architecture is the issue.  That’s my point, but it’s not a bullet-in-a-list sort of answer.

Also, I don’t care about Cisco buying Vontu, but what makes you think that we’re not already talking (and haven’t been for some time) to an extrusion prevention/IP Leakage vendor like Vericept?   

Crossbeam doesn’t suffer from having to wait to acquire technology and then spend 18 months butchering it to get it to work within the existing platforms (or build yet another point-solution appliance.)  We do our research in advance and when the time is right – and the customers desire it – we bring a partner’s application(s) onto the platform.

   4.  Just because two things are branded with the same name doesn’t mean they can communicate or interoperate well; just ask my wife

How’s that SourceFire/Checkpoint CPMI integration coming then? You got ISS using Snort signatures yet, or vice versa? Does anyone do app-level integration well?

Nope, and we’re not going to.  Neither will Cisco because they have no reason to if the entire network — and all the security components within — is theirs.  In fact, it’s within their interests to not have this happen.  If it did, it would just make your arguments weaker.

I’m just dinging the message and the messenger.  Our “app-level integration” is approached from a different perspective that starts first with consolidation of functions, virtualization of transport, application and policy then with the capability to flexibly pass flows through combinations of these virtual security stacks managed by the discrete parties charged with their care.  Best of breed functions that can be added to in an open platform without the need for a bunch of point solutions.

In large networks, the people responsible for FW are different than those responsible for IDS, are different than those responsible for XML, etc.   They’re still very, very vertically-stovepiped.

We don’t need to boil the ocean and we don’t.  We still have work to do on providing the overall global view of how traffic moves and is affected through these stacks, but we’re not the one blowing smoke about how this supposedly all works today.

That would be your job 😉

6.  The dirty little secret of embedding security in the “network” is that it’s the same as doing it with point-appliances…a single vendor’s set of appliances

Yes, it’s true: if Cisco succeeds in embedding security into its mainline products, you are going to be using Cisco security products. Diversity and consumer choice are valid arguments against Cisco.

But there’s one way in which using embedded security demonstrably isn’t the same as using point products: you don’t have to deploy point products to do it.

I call bullshit.  If you look at the slides in my preso, I can count over 13 different “point solutions” that aren’t routers and switches which are today relied upon to deploy this supposed “embedded” security.  The only difference between Cisco’s approach to embedded security and the appliance model is that the “appliances” are all Cisco’s.

Just because they have a Cisco label on it doesn’t make it “embedded.”

  7.  Modeling the security of the self-defending network after the human immune system and suggesting that it’s the ultimate analog is a crappy idea; people die

      Yes. What I hate about Cisco’s solutions is that you have to let a few machines on your network get infected for them to generate antigens; also, when Cisco’s security features coagulate around injuries, YouTube gets really slow.

Puff, puff, pass.  Puff, puff, pass.  You’re f-in up the rotation…man!

Please point me to a single customer in the world who has a self-defending network that functions like this.  Oh, that’s right, it’s the marketecture that you referred to in your first point and forgot that it doesn’t, actually, exist.  If YouTube being slow was the biggest problem businesses had today, you wouldn’t be employed either, T.

   8.  Security solely by acquisition does not make you a security company… just like acquiring lots of security “stuff” does not make you secure

You sure this is a good argument to make for a company that delivers 99% of its security value prop through partnerships with other companies?

Let’s ask the mean question: using product space names and market position (ie, “the #5 IPS vendor”), name some of the companies Crossbeam has turned down as partners? Cisco’s kind of picky about what it buys, you know.

It’s absolutely the right argument to make.  I guarantee you that the model of being customer-driven to take the best-in-breed security solutions from true security vendors and integrate it into a delivery architecture that is designed to do this rather than being force-fed into a retro-fit, works.  Today.

Oh, and #5 is a long way from #1, Mr. T.

"I pity the fool who mess wit Cisco.   Unnhnhnhnhh!  I want Balboa.  Sucka!"

Oh, I’d be more than glad to email you the list of 15-20 vendors over the last 6 months that we’ve said “no” to. 

You’re about to hit my threshold trip-limit on how much of our business model you claim inside knowledge to…especially since you’re batting zero at this point.

9.  Security in breadth is not the same thing as security in depth; “good enough” security is not good enough in the data center

What aspect of Cisco’s IPS is not “good enough” for the data center?

…the same one that loses to ISS, Sourcefire, and Enterasys every day.  Want to ask the same about DDoS?  I believe the answer there would be your own beloved Arbor.

People deploy Cisco’s solution usually in conjunction with other products or the same function.  I think I’ve said enough.

Did you run your original post through the Babelfish English → Cisco parser before you copy/pasted it here, or what?

10.  Securing everything, everywhere is not only unnecessary, it’s unachievable

It is if Cisco sells it at 10 points below cost in order to turn the entire network security market into a line-item feature for the Catalyst 6000.

So you admit that this is not about the efficacy of a solution but rather how much shit you have to give away for free to be called a market leader?

Actually, with the example above, Cisco now suggests you buy a completely separate 6509 into which you put all the security functions and turn it into a “security services switch” that is plugged into the “real” switching/routing fabric. 

Sound familiar?  It does to me.

I know it doesn’t sound that way, but I’m neither a fan of Cisco nor a skeptic about Chris. But his arguments don’t take Cisco seriously, and if we’re going to armchair quarterback the security industry, why be nice about that?

You’re right, it doesn’t.  I still love you, though. 

By the way, Lindstrom and I both looked at each other and laughed when we had lunch together at the show realizing that should you ever figure out we were in Chi-town and didn’t call you that you’d be grumpy.  (I had no idea you lived in Chicago so it was all Pete’s fault.)

/Hoff

Uncle Mikey thinks I’m backward and defensive.  He’s referring to my post last night about the yawns I continue to experience regarding Cisco’s approach to the "self-defending network."  I’ll make no bones that more and more security will make its way into the network…that wasn’t the point.  Just because it’s there, doesn’t mean it’s worth using or actually works.  That *is* my point.

Here’s his post:

Every time Chris Hoff writes something, I wonder if he’s back. It’s
been months since he’s consistently been involved in the conversation,
and I’ve missed his participation. This piece though strikes me as a
bit defensive and backwards looking. I guess Chris just had the
epiphany that Cisco’s "Self-Defending Network" is a marketecture. Of
course it is. And yes, it’s in Cisco’s best interest to have security
everywhere, OVER TIME. I understand that your business is to sell a
"virtualized best of breed security as a service layer" stuff, but to
think that the trend is not towards having security capabilities
embedded within the fabric of the network suffers from a bit of tunnel
vision. Maybe you don’t like Cisco’s plan to get customers there, but
they will get there. To be clear, I’m not talking about right now, this
is a path that we’ll follow for the next 5-7 years. But at that time,
it’ll be about how to most effectively MANAGE the embedded
capabilities. So your "virtualized service layer" morphs into a
management layer. But I suspect you already know that, but it’s more
fun to bang up Cisco and talk about arm bars.

So he’s right.  I am backward — more specifically contrarian. I am also "defensive" because I could give a shit if big is the new small, purple is the new black or men wearing lipstick is socially acceptable.  What *I* care about is solving security and survivability problems TODAY…that same marketecture that you call out is taking place over 5-7 years supposedly started 5-7 years ago according to John Chambers!

How many decades are you willing to wait just to say "I told you so" in regards to your prophetic exclamation that security will become more integrated into the network?    Convenience and cost aren’t all they’re cracked up to be.  Sometimes the stuff actually has to work!

It’s not like you have to be Ms. Cleo to see what Cisco’s doing, but you don’t have to pretend to be blind and accept that it’s the cure for world hunger, also.

This piece though strikes me as a
bit defensive and backwards looking. I guess Chris just had the
epiphany that Cisco’s "Self-Defending Network" is a marketecture. Of
course it is. And yes, it’s in Cisco’s best interest to have security
everywhere, OVER TIME. I understand that your business is to sell a
"virtualized best of breed security as a service layer" stuff, but to
think that the trend is not towards having security capabilities
embedded within the fabric of the network suffers from a bit of tunnel
vision.

No, I didn’t *just* have this epiphany, it’s been the bane of my (and almost everyone else I talk to) existence for years.  I didn’t say  that security isn’t trending into the network, Mike.  What I said is that it’s a flawed approach with an even more flawed  genesis.  Here’s a turets-inspired outburst for you:

You don’t need security everywhere, all the time.  The network will never have the intelligence to make decisions on content in context.  The balance of delivery versus security will ALWAYS swing to the former in Cisco’s world.  CISCO IS NOT A SECURITY COMPANY.

The entire corner piece for Cisco’s SDN strategy for the last few years has been on CSA — software running on damned host!  Like Stiennon says, relying on the health of the very end-point you’re trying to protect to ensure the basis of your network’s viability and survivability is freaking ludicrous.  NAC is important, but up until last year, that was it in terms of the self-defending network — leave it to the host.  Now you can send telemetry to build dynamic ACL’s.   There’s a giant step forward.

Oh, but network vendors are from venus and security folks will use MARS — is that it?

Slapping together a bunch of stuff from acquisition is security in breadth not security in depth.

Maybe you don’t like Cisco’s plan to get customers there, but
they will get there. To be clear, I’m not talking about right now, this
is a path that we’ll follow for the next 5-7 years. But at that time,
it’ll be about how to most effectively MANAGE the embedded
capabilities. So your "virtualized service layer" morphs into a
management layer. But I suspect you already know that, but it’s more
fun to bang up Cisco and talk about arm bars.

You know what, Mike?  Kindly define "there" for me.  Because if you define "there" as a cobbled together bunch of appliances, routers and switches trying to effect security dispositions across an infrastructure and security monoculture without being able to make decisions on content and context, then I totally agree with you.

Screw waiting for this stuff, Mike.  They are the biggest networking company on the planet and it’s already been 5 years.  They keep announcing strategies like they’re a special on aisle 7 and then putting them on the discount shelf when they don’t pan out.

Take AON for example.  I always used to joke it would take an EON for AON.  I’m right.  That whole thing was a crock of…and now it’s, um, moved sideways to be integrated into yet another "strategy" because architects are smart enough to detect a polished turd when they see one.

Cisco is not the answer to life, the universe and everything else.  People are NOT willing to bet their business, reputation and company’s health on another marketecture.  People also are fed up with a single vendor’s version of the truth.  That’s why there are 600+ vendors in the network security space.

Does Cisco have huge marketshare?  In networking, yes.  But over 70% of security dollars spent DO NOT GO TO CISCO.

Will Cisco "get there."  Sure.  I wonder, however, if "there" is where people really care about being.

I don’t.  My customers have problems they need solved today that overlay and work synergistically with very reliable, fast, available and robust network plumbing.  In the data center, protecting the things that matter most, good enough is NOT good enough.

At the SMB perimeter, it is.

I think, quite honestly, that you’re the one with the myopic lens — all you see is a freight train heading towards you not realizing all you have to do is jump tracks. 

All aboard!

Congratulations to Wayne, Marty and Team @ Sourcefire as they filed their S-1 to go public. 

Sourcefire is one of Crossbeam’s top ISV partners, so it’s great to see them do well in reaching both profitabilty and leading a security IPO.  God knows we need it in this drought.

Mike Rothman did a nice job of extracting the S-1 particulars:

They hope to raise $75M or so and released the following data:

* Total revenue in 2005: $32.9 million
    * 2005 loss of $8.1 million
    * Current cash of about $25 million
    * Existing shareholders have put about $56 million into the
      company
    * Revenue ramp starting in 2002: $1.9MM, $9.4MM, $16.6MM,
      $32.9MM
    * Services currently running about 36% of total revenues
    * Last 4 quarters have been: $11.6MM, $8.5MM, $9.5MM,
      $10.8MM

    * Profitable and cash flow positive for Q3 2006
    * Over 80% of revenue from the US
    * Marty Roesch owns about 9% of the company
    * Sierra Ventures is the biggest venture investor with a 28.8% position

As Mike said, this puts SF in a very interesting place; they can either go out or set themselves up to be taken out before they finalize the deal.   Watch the sharks start to circle once again!

Interesting also that the BT/Counterpane deal also surfaced.  Makes sense given IBM/ISS.   I give HP odds of buying Verisign’s MSSP division next… 😉

It’s about time we had a security IPO — it’ll set the stage for ’07.

For the 3 people who read my steaming pile of blogginess, you’ve noticed a drop-off lately.  While I am sure that apologizing for not posting is not only the first cardinal sin of blogging, I am doubly sure that it veignly implies that anyone actually gives a crap in the first place…

At any rate, the title is commensurate with my indignant yet sincerly apologetic prose; I am making a mountain out of a molehill.  Specifically, I am busy getting ready to climb one.   A mountain, that is.

In January, thanks to the kind and mid-life-crisis-driven-niceites of my friend Craig Samuel, a group of 5 of us are climbing/hiking both Mt. Meru and Mt. Kilimanjaro in Tanzania.  I have to tell you that despite the fear of suffering a high altitude cerebral edema (Kili is ~19,000 feet high) I am psyched.

Besides working 16+ hours a day at this point, I’m also walking to/from work and everywhere else I can in order to prepare for the jaunt up one of the world’s legenday seven summits.

So, there it is…the reason for my laziness.

/Chris

(On the advice of someone MUCH smarter than Ptacek or me [my wife] I removed the use of the F/S-bombs in this post.]

Holy crap.  Thomas Ptacek kicked me square in the nuts with his post here in regards to my commentary about Blue Lane’s PatchPoint.

I’m really at a loss for words.  I don’t really care to start a blog war of words with someone like Thomas Ptacek who is eleventy-billion times smarter than I’ll ever hope to be, but I have to admit, his post is the most stupid frigging illustration of derivate label-focused stubborness I have ever witnessed.  For chrissakes, he’s challenging tech with marketing slides?  He’s starting to sound like Marcus Ranum.

Thomas, your assertions about Patch Point (a product you’ve never seen in person) are innaccurate.  Your side-swipe bitch-slap commentary about my motivation is offensive.  Your obvious dislike for IPS is noted — and misdirected.  This is boring.  You assail a product and THEN invite the vendor to respond?  Dude, you’re a vendor, too.  Challenging a technology approach is one thing, but calling into question my integrity and motivation?  Back the hell up.

I just got back from an awesome gathering @ BeanSec!2 and Bourbon6 — so despite the fact that I’m going to hate myself (and this post) in the morning, I have to tell you that 4 of the people that read your post asked "what the hell?"  Did I piss in your corn flakes inadvertenly?

Let me just cut to the chase:

1) I worked with Blue Lane as a customer @ my last job while they were still in stealth.  That’s why the "start date" is befor the "live date"
2) When they went live, I bought their product.  The first, in fact.  It worked aces for me.
3) Call it an IPS.  Call it a salad dressing.  I could care less.  It works.  It solves a business problem.
4) I have ZERO interest in their company other than I think it solves said BUSINESS problem.
5) This *is* third party patching because they apply a "patch" which mitigates the exploit related to the vulnerability.  They "patch" the defect.
6) Your comment answers your own question:

You see what they did there? The box takes in shellcode, and then, by
“emulating the functionality of a patch”, spits out valid
traffic. Wow. That’s amazing. Now, somebody please tell me why that’s
any improvement over taking in shellcode, and then, by “emulating the
functionality of an attack signature”, spitting out nothing?

…ummm, hello!  An IPS BLOCKS traffic as you illustrate…That’s all. 

What if the dumb IPS today kills a valid $50M wire transaction because someone typed 10 more bytes than they should have in a comment field?  Should we truncate they extra 10 bytes or dump the entire transaction? 

IPS’s would dump the entire transaction because of an arbitrary and inexact instantiation of a flawed and rigid "policy" that is inaccurate.  That’s diametrically opposed to what security SHOULD do.

[Note: I recognize that is a poor example because it doesn’t really align with what a ‘patch’ would do — perhaps this comment invites the IPS comparison because of it’s signature-like action?  I’ll come up with a better example and post it in another entry]

Blue Lane does what a security product should; allow good traffic through and make specifically-identified bad traffic good enough.  IPS’s don’t do that.  They are stupid, deny-driven technology.  They illustrate all that is wrong with how security is deployed today.  If we agree on that, great!  You seem to hate IPS.  So do I.  Blue Lane is not an IPS.  You illustrated that yourself.

Blue Lane is not an IPS because PatchPoint does exactly what a patched system would do if it received a malicious packet…it doesn’t toss the entire thing; it takes the good and weeds the bad but allows the request to be processed.  For example, if MS-06-10000 is a patch that mitigates a buffer overflow of a particular application/port such that anything over 1024 bytes can cause the execution or arbitrary code from executing by truncating/removing anything over 1024 bytes, why is this a bad thing to do @ the network layer?

This *IS* a third party patch because within 12 hours (based upon an SLA) they provide a "patch" that mitigates the exploit of a vulnerability and protects the servers behind the applicance WITHOUT touching the host. 

When the vendor issues the real patch, Blue Lane will allow you to flexibly continue to "network patch" with their solution or apply the vendor’s.  It gives you time to defend against a potential attack without destroying your critical machines by prematurely deploying patches on the host without the benefit of a controlled regression test.

You’re a smart guy.  Don’t assail the product in theory without trying it.  Your technical comparisons to the IPS model are flawed from a business and operational perspective and I think that it sucks that you’ve taken such a narrow-minded perspective on this matter.

Look,  I purchased their product  whilst at my last job.  I’d do it again today.  I have ZERO personal interest in this company or its products other than to say it really is a great solution in the security arsenal today.  That said, I’m going to approach them to get their app. on my platform because it is a fantastic solution to a big problem.

The VC that called me about this today seems to think so, too.

Sorry dude, but I really don’t think you get it this time.  You’re still eleventy-billion times smarter than I am, but you’re also wrong.  Also, until you actually meet me, don’t ever call into question my honor, integrity or motivation…I’d never do that to you (or anyone else) so have at least a modicum of respect, eh?

You’re still going to advertise BeanSec! 3, right?

Hoff