Richard Stiennon brought up a great issue in a comment on my "Security Goodness - Baked Right In" post. I was writing my reply into a comment back to him but decided to post as another entry to encourage more discussion with the broader audience.
Richard summed up the perspective of his panelists at RSA as "security must stay separate from the network because the switching market is driven by cost-per-port and security is too expensive." Richard wants to know our response.
It's a great question in several ways. First off, I totally agree that switching has hit commodity status and security, particularly LAN security, is far from it. There are exceptions on both sides, of course, but it's generally true. So what's the implication for a secure switch? Essentially, a secure switch is a security device first and a switch second. So it's anything but a commodity product. If a customer's switch purchasing decision is driven solely by price, a secure switch will not even be on his or her radar. Someone buying a secure switch needs something more - some form of network access control. This buyer is motivated by the security feature set, not by simple packet forwarding, and that changes the equation immediately.
Richard's question indirectly raises two other interesting issues.
One - the separation of security and control planes. A minority of shops will want to keep the security plane separate from the control plane in perpetuity. Those shops are rare, but we do see them, so the market for a controller-type approach, where the enforcement device stays separate from the LAN switching infrastructure, will continue. It'll be much smaller than the secure switch market, but it will persist.
Two - the innovation cycle for security vs. switching. This topic is even more interesting, because every shop has this problem. Basically, people want their infrastructure to last five to seven years but they know security changes at a much faster rate. So how can you have a switch that can "keep up" with those security changes?
To be fast, switches have been built on ASICs. But a secure switch has to be updated to stay relevant. So the commodity merchant silicon chips that everyone - including ConSentry - uses to build their switches aren't enough. To build a secure switch, you also need programmability, but to keep up with LAN speeds, you need really fast programmability. For ConSentry, the answer is our custom CPU (see the Multithreading post from Dan a couple weeks ago).
And now we've come full circle - that combination of high speeds and programmability is why a secure switch isn't a commodity. Richard's panelists are right - you can't get the security you need in today's "cost per port" designed switches. But that doesn't mean security and switching can't come together effectively - they just can't come together in those switches. You need a new architecture. You need a secure switch.
--Michelle McLean
mmclean-at-consentry-dot-com
Thanks Michelle. Great response. Next questions. Why are the traditional switch vendors, Cisco, Foundry, Extreme, *not* adding security features to their switches? Is it just inertia? Some grand conspiracy? Lack of ability to innovate?
-R
Posted by: Stiennon | March 26, 2007 at 06:14 PM
Richard,
Great questions, and indeed we get them from our customers!
I think the big boys are adding security features, but ultimately, they're limited by the architecture of their products. The fixed nature of the hardware, the existing OS architecture, the limited flexible horsepower in the CPU - these all mean they can take only small steps and increment modestly.
To provide a leapfrog-level of innovation will take a radically new architecture. That's much easier for a startup to do, where innovation is your only goal and you have no baggage. It's a lot harder for a big vendor with an existing, earlier-gen architecture and a large installed base to mind. It basically takes you from a 5.0 level product, or whatever number you're at, back to a 1.0 level product, to rearchitect that fundamentally to get all the horsepower plus security smarts in there. So yes, inertia plays a role, but not from the standpoint of the big boys don't get it or don't have good ideas - it's just a big, big deal to re-do your architecture.
The onus is on us to make use of this window - where there's an acknowledged need and problem to solve and no good answer from the incumbents. We've won several edge switch upgrades already with our secure switch. We just have to make sure we continue to capitalize on this first-mover advantage.
--Michelle
Posted by: Michelle McLean | March 28, 2007 at 02:29 PM