Alan and I normally are close enough on our positions that I don’t feel it necessary to argue with him.
I certainly don’t feel compelled to come to the defense of a competitor that Alan’s unloading on, but I’m really confused about his interpretation of what TippingPoint’s Chief Architect, Brian Smith, is communicating, and about where Alan suggests that his and StillSecure’s position lies.
To re-cap, Brian Smith was quoted in an SC Magazine article as describing his views on how security ought to be positioned in the network thusly:
"Brian Smith, the chief architect of 3Com and a founder of TippingPoint, says his first-ever RSA keynote will focus on integrating solutions such as network access control, intrusion prevention and behavioral anomaly detection to create an intelligent network.
"I can do all of these sorts of synergies and when you trace it out, what ends up happening is you’re able to debug network problems that you were never able to do before, get an unprecedented level of security, and also lower the total cost of ownership," Smith says. "They have to talk to each other. If we can pull all of these solutions together, I think that’s going to be the trend over the next five to 10 years. It’s a natural evolution in the technology cycle."
Smith says he also plans to emphasize the benefits of the bump-in-the-wire network approach to deploying security solutions. Rather than embedding solutions into switches and routers, Smith plans to suggest overlaying solutions to allow for a more converged, cheaper way to add intelligence to the network."
Amen to that. But lest you think I am intimating that we should all just toss appliances willy-nilly across the network (in fact, that’s the opposite of what I think), please read on…
Apparently it was the third (boldfaced) paragraph that got Alan’s goat and provoked him into a state of up-chuckedness. Specifically, it seems that it is repugnant to Alan that someone who works for a "switch" company could suggest that overlaying security can be facilitated as a "bump-in-the-wire." I guess that depends upon your interpretation of "bump-in-the-wire."
I’m guessing that Alan thinks that means individual appliances being inserted between network segments with one "goesinta" and one "goesouta" cable and yet I can’t figure out why "…virtualizing some of this stuff and putting it on blades and so forth" has to be within the router or switch and not on an extensible services platform?
I have a feeling I’m going to hear the typical "not everyone can afford big iron" as a response…but if you can generalize to prove a point, I can become surgical and suggest that it’s not fair to treat the Global 2000, Carriers, Service Providers and Mobile Operators as an exception rather than the rule when it comes to describing security trends and markets, either.
Summarily, it appears that the "convergence" of networking and security in Alan’s eyes means that security functionality MUST be integrated into routers and switches in order to be successful and that adding security functionality on top of or in conjunction with the network is a lousy idea.
Strange comments from a guy whose company takes generic PC appliances with security software on them and deploys them as bumps in the wire by sprinkling them across the network — usually at the cursed perimeter and not at the core. Confused? So am I.
Alan goes on:
Most of the guys who do the bump in the wire are trying like hell to move up the stack and the network to get away from the edge to the core. You may be able to do IPS as a bump in the wire at the core if you have the horsepower, but you are going to be forced to the edge for other security stuff if you insist on bump in the wire. Single point of failure, scalability and cost are just working against you. Eventually you have to turn to the switch. I just don’t get where he is coming from here.
So you’re saying that your business model is already dead, Alan?
The final piece of irony is this:
Has selling big-ass, honking ASIC boxes to do IPS for so long totally blinded them to virtualizing some of this stuff and putting it on blades and so forth inside the switch and network?
Um, no. Again, not like I feel any inclination to defend TippingPoint, but it’s apparent that Alan is not aware of TippingPoint’s M60, which is a huge multi-gigabit LAN switching platform (10-14 slots) with integrated IPS (and other functionality) that can either replace a typical switch or connect to existing switch fabrics to form an overlay security service. It’s about a year overdue from the last announcement, but the M60 is an impressive piece of iron:
Each blade in the M60 acts as a stand-alone IPS device, similar to TippingPoint’s T-series appliances, in which network connectivity and IPS packet processing are done on the hardware. (The exception is with 10G interfaces; the M60 uses 3Com’s 8800 dual-port 10G blades, which connect to TippingPoint IPS blades through the switch’s backplane.)
The blades run 3Com’s TippingPoint IPS device operating system and use the vendor’s Digital Vaccine updating service, letting the device identify the latest threat signatures and vulnerabilities.
This was one of the results of the Huawei joint venture with 3Com. I believe that THIS is really what Brian Smith is talking about, not sprinkling appliances around the network. It’s a switch. It’s an IPS. That’s bad, how?
What has me confused is that if Alan is so against hanging security services/functions OFF a switch, why did StillSecure do the deal with Extreme Networks in which the concept is to hang an appliance (the Sentriant AG) off the switch as an appliance instead of "inside" it like he suggests is the only way to effectively demonstrate the convergence of networking and security?
So, I totally get Brian Smith’s comments (despite the fact that he’s a competitor AND works for a switch vendor — who, by the way, also OEM’d Crossbeam’s X-Series Security Services Switches prior to their TippingPoint acquisition!)
The model is valid. Overlaying security as an intelligent service layer on top of the network is a great approach. Ask me how I know. 😉
Chris
Those of you who know me realize that no matter where I go, who I work for or who’s buying me drinks, I am going to passionately say what I believe at the expense of sometimes being perceived as a bit of a pot-stirrer.
I’m far from being impartial on many topics — I don’t believe that anyone is truly impartial about anything — but at the same time, I have an open mind and will gladly listen to points raised in response to anything I say. I may not agree with it, but I’ll also tell you why.
What I have zero patience for, however, is when I get twisted semantic marketing spin responses. It makes me grumpy. That’s probably why Rothman, Shimmy and I get along so well.
Some of you might remember grudge match #1 between me and Alex Niehaus, the former VP of Marketing for Astaro (coincidence?) This might become grudge match #2. People will undoubtedly roll their eyes and dismiss this as vendors sniping at one another. So be it. Please see paragraphs #1 and 2 above.
My recent interchange with Richard Stiennon is an extension of arguments we’ve been having for a year or so from when Richard was still an independent analyst. He is now employed as the Chief Marketing Officer at Fortinet.
Our disagreements have intensified for what can only be described as obvious reasons, but I’m starting to get as perturbed as I did with Alex Niehaus when the marketing sewage obfuscates the real issues with hand-waving and hyperbole.
I called Richard out recently for what I believed to be complete doubletalk on his stance on UTM and he responded here in a comment. Comments get buried so I want to bring this back up to the top of the stack for all to see. Don’t mistake this as a personal attack against Richard, but a dissection of what Richard says. I think it’s just gobbledygook.
To be honest, I think it took a lot of guts to respond, but his answer makes my head spin as much as Anna Nicole Smith in a cheesecake factory. Yes, I know she’s dead, but she loved cheesecake and I’m pressed for an analogy.
The beauty of blogging is that the instant you say something, it becomes a record of "fact." That can be good or bad depending upon what you say.
I will begin to respond to Richard’s retort wherein he first summarily states:
I also assume that this means Richard hates the bit buckets that Firewall, IPS, NAC, VA/VM, and Patch Management (as examples) have become, too? This trend is the natural by-product of marketers and strategists scrambling to find a place to hang their hat in a very crowded space. So what.
UTM is about solving applied sets of business problems. You can call it what you like, but the only reason marketeers either love or hate UTM usually depends upon where they sit in the rankings. This intrigues me, Richard, because (as you mention further on) Fortinet pays to be a part of IDC’s UTM Tracker, and they rank Fortinet as #1 in at least one of the product price ranges, so someone at Fortinet seems to think UTM is a decent market to hang a shingle on.
Hate it or not, Fortinet is a UTM vendor, just like Crossbeam. Both companies hang their shingles on this market because it’s established and tracked.
You’re right. Lumping Crossbeam with Fortinet and Astaro is the wrong thing to do. 😉
Arguing the viability of a market which has tremendous coverage and validated presence seems a little odd. Crafting a true strategy of differentiation as to how you’re different in that market is a good thing, however.
So what you’re saying is that you like the nebulous and ill-defined blob that is Gartner’s view, don’t like IDC, but you’ll gladly pay for their services to declare you #1 in a market you don’t respect?
You mean besides when you said:
Just in case you’re interested, you can find that quote here. There are many, many other examples of you saying this, by the way. Podcasts, blog entries, etc.
Also, are you suggesting that Fortinet does not consider itself a UTM player? Someone better tell the Marketing department. Look at one of your news pages on your website. Say, this one, for example — 10 articles have UTM in the title, and your own Mr. Okamoto (VP of Fortinet, Japan) says: "The UTM market was pioneered by us," says Mr. Okamoto, the vice-president of Fortinet Japan. Mr. Okamoto explains how Fortinet created the UTM category, the initial popularity of UTM solutions with SMBs…"
Yes, I understand how much you dislike IDC. Can you kindly show reference to where you previously commented on how Fortinet was executing on your vision for Secure Network Fabric? I can show you where you did for Crossbeam — it was at our Sales Meeting two years ago where you presented. I can even upload the slide presentation if you like.
Richard, I’m not really looking for the renewal of your Crossbeam Fan Club membership…really.
Oh, now it’s on! I’m fixin’ to get "Old Testament" on you!
Just so we’re clear, ISV applications that run on Crossbeam such as XML gateways, web-application firewalls, database firewalls and next generation network converged security services such as session border controllers are all UTM "legacy applications!?"
So besides an ASIC for AV, what "new" non-legacy apps does Fortinet bring to the table? I mean now. From the Fortinet homepage, please demonstrate which novel new applications Firewall, IPS, VPN, Web filtering and Antispam represent.
It must suck to have to craft a story around boat-anchor ASICs that can’t extend past AV offload. That means you have to rely on software and innovation in that space. Cobbling together a bunch of "legacy" applications with a nice GUI doesn’t necessarily represent innovation and "next generation."
It’s clear you have a very deluded, er, interesting perspective on security applications. The "innovation" that you’re suggesting differentiates what has classically been described as the natural evolution of converging marketspaces. That over-played Snort analogy is crap. The old "signature" vs. "anomaly detection" argument paired with "deep packet inspection" is tired. Fortinet doesn’t really do anything that anyone else can’t/doesn’t already do. Except for violating GPL, that is. I suppose now that Check Point has acquired NFR, their technology is crap, too? Marcus would be proud.
Oh come on, Richard. First of all, the answer to your question is that many, many large enterprises and service providers utilize a layered defense and place an IPS before or after their firewall. Some have requirements for firewall/IDS/IPS pairs from different vendors. Others require defense in depth and do not trust the competence of a solutions provider that claims to "do it all."
Best of breed is what the customer defines as best of breed. Just to be clear, would you consider Fortinet to be best of breed?
If you use a Crossbeam, by the way, it’s not a separate device and you’re not limited to just using the firewall or IPS in "front of" or "behind" one another. You can virtualize placement wherever you desire. Also, in many large enterprises, using IPS’s and firewalls from separate vendors is not only good practice but also required.
How does Fortinet accomplish that?
Your "payload inspection" is leveraging a bunch of OSS-based functionality paired with an ASIC that is used for AV — you know, signatures — with heuristics and a nice GUI. Whilst the Cosine IP Fortinet acquired represents some very interesting technology for provisioning and such, it ain’t in your boxes.
You’re really trying to pick a fight with me about Check Point when you choose to also ignore the fact that we run up to 15 other applications such as SourceFire and ISS on the same platform? We all know you dislike Check Point. Get over it.
Really? So since you don’t have separate products to address these (Fortinet sells UTM, after all), that means you had nothing to offer them? Convergence is driving UTM adoption. You can call it what you want, but you’re whitewashing to prove a flawed theorem.
…and what the heck is the difference between that and UTM, exactly? People don’t buy IPS, they buy network level protection to defend against attack. IPS is just the product category, as is UTM.
I don’t like Scotch, Richard. It leaves a bad taste in my mouth…sort of like your response 😉