En Garde!

A blog fight! A blog fight!

No surprise Alan Shimel’s involved, and this time he’s taken on Dominic Wilde at Nevis. It started with Dominic’s post responding to Mike Fratto’s blog on the limits of NAC. I took issue with some of Mike’s blog too and left a comment.

Then Alan took Dominic to task, Dominic responded , Alan replied, Dominic replied, and Alan replied again, promising it’s his last post on the topic.

So what’s to gain from jumping into the fray, with emotions running so high and allegations flying back and forth? I think both guys have gotten a bit lost in the weeds, whining at each other about various details, but the overall nature of the debate sits close to my heart. At the highest level, Dom is arguing that pre-connect or pre-admission checks are insufficient and Alan’s arguing, well, a bunch of stuff but essentially he gets mad whenever anyone says pre-admission isn’t enough.

So let me start by saying pre-admission, of whatever quality, isn’t enough – for a lot of customers. If it were all anybody wanted, we wouldn’t have well over 100 customers. (Now I have to tease my friends at Nevis and say “come on – not a SINGLE customer announcement all year? What’s up with that?”) Of course, pre-admission is enough for some, or Still Secure wouldn’t have any customers. (And actually, Alan, I couldn’t find any customer announcements for this year on the Still Secure site either.)

Clearly I agree with Dom’s overall premise that for many enterprises, pre-admission checks aren’t enough – they need post-admission control. And by post-admission, I don’t mean just running pre-admission checks over and over again, as a lot of people want to define it. I mean something very different – truly controlling what users can do after they’re admitted onto the LAN. This level of access control involves understanding who the user is and limiting the applications and resources that user can access based on role, location, time of day, and other aspects of who the user is.

This debate between Alan and Dom went down a few other paths I’d like to touch on as well. 

Dominic – next time you steal my line, at least give me my props! Probably all nine people reading this blog fight were at the New York event and heard me draw the analogy between doing vs. teaching to talk about being inline.

Both of you – you talk about architecture, debating inline vs. out of band, as if the customers are thinking that way from the start. They're not, and they shouldn't be. They're thinking about what business problems they’re trying to solve. When they lay out their requirements, and match it up against product features, only then will architecture trends start to emerge. It so happens that if they need to actually control what people can do on the LAN, they need an inline device. The customers who need identity-based control get it – they understand that to do that, the device actually has to first see and then be intelligent about doing enforcement on all the traffic going through it. But the discussion doesn’t start with architecture religion – it starts with the enterprise’s needs.

Alan – your questions on the quality of the switch miss the point. Switching’s commoditized, for one, and second, anyone looking at a secure switch cares first and foremost about the security capabilities. Cisco, for all its switch dominance, can’t hold a candle to us on security features in its switches. Certainly we have the enterprise-class features needed to sell or we wouldn't be successfully selling it, but a purchase driven by security does change the decision focus.

For the last two quarters in a row, we’ve sold more switches than appliances, and the way this quarter’s shaping up, it looks like that'll happen again. It’s never about rip and replace – we offer both appliances and switches so enterprises can choose the platform that suits them best. But let me tell you, it’s really nice when an enterprise can take advantage of an existing, and substantial, budget item already earmarked for a switch upgrade and use that money to also get security and identity-based control built right in. It's that kind of pragmatism that shows me this stuff ends up in the infrastructure.

Both of you – way overblown on the IPS thing. Maybe Nevis uses Snort, maybe not – but regardless, it’s not the point. Enterprises will still use separate IDS/IPS devices – no one should act like even best of NAC devices will change that. But I heartily believe that if you’re sitting inline anyway, seeing all the traffic coming from the user edge of the network, and you can build in some smarts to do anomaly detection and help pinpoint network problems, you’re providing good value. And keep in mind anomalies take a lot of forms. For one of our customers, the ConSentry algorithms tripped alerts on an application built in-house. It certainly wasn’t malware, but it showed them where a piece of the code was written badly and was sending people off to the Internet for data they had in house. Not IPS, clearly, but still useful.

Alan – your rant on ASICs seems off too. Of course we at Nevis and ConSentry would be proud of our custom silicon – it’s the secret sauce for doing what we do. Even if merchant silicon is improving, we’re still way ahead of what you can buy, and owning those goods is incredibly valuable. Line rate, 10 Gbps packet inspection, including full L7 so I can show you the filename a user just accessed over Windows or the URL they just clicked on – that’s truly where we get the customer “a-ha!” moments. And you just can’t get there with off-the-shelf silicon. Secret sauce is always worth crooning about, especially when it's actually why you win.

You’re right Alan – your blog is your domain, and you are master of that domain. But I have to admit – I’m pining a bit for the old days when you blogged on stuff beyond picking on your competitors and trumpeting about Still Secure products. And riding your coattails? Come on - he's engaging in a debate that you started.

And just for the record, I’m siding with Dom here, but I can assure you I’m not playing the Olivia Newton-John role. I'm afraid neither my figure nor my voice would cut it.

Michelle McLean
mmclean-at-ConSentry-dot-com

I’m just back from attending the Gartner Security Summit in DC. I know several industry folks were there, but for those who weren’t, a few reflections on the conference.

John Pescatore kicked off the event with his “Security 3.0” talk. I didn’t react negatively to that title the way Rothman did. Pescatore was just using that scheme to call out a third era of security. He defined Security 1.0 as when everything was under lock down in the mainframe era, 2.0 was when we were perennially trying to catch security up with user activities, and 3.0 is about trying to get ahead of the game.

What I object to with that title is posing this concept as something new - I think most people thinking about security have been trying to "get ahead" vs. "just react" for a while now. That aside, though, I do believe that thinking about what you can do to get security built in vs. layered on later is a really helpful exercise. One, you get more security, period – you get it built into the network, the application, the PC, etc.

And two - and here's the really interesting angle - the more you get security “built in” to stuff, the more you can shift capital costs to hit budgets other than the security budget. I love this idea, in large part because we’re seeing it today here at ConSentry with our secure switch. We have customers who have a switch upgrade already on the books. They use that money to upgrade to secure switches instead of plain ol’ vanilla switches and presto – even with no separate NAC or other security line item, they get a massive new security layer built into the edge of the LAN. Another argument for why it’s got to be built right into the infrastructure.

In another session, Gartner analyst Rich Mogull hosted a panel on vulnerability research and ethical disclosure, with Thomas Ptacek, Chris Wysopal, and David Maynor. All three guys had interesting perspectives and experiences to share. I’m not sure the average conference attendee got too much out of it – what these researchers do is usually a bit removed from the average enterprise, even if it shouldn’t be. But having read those guys’ blogs for a while, it made for fun listening. And it was good to meet Ptacek in person – maybe he’ll find another way to call ConSentry “committed” to security now that we’ve met face to face!

The highlight, though, was the Lawrence Orans session on NAC. Parts of it demonstrated the “when you have a hammer, everything looks like a nail” phenomenon – lots of pre-admission focus, which is no surprise given Cisco’s dominance in general and especially within the Gartner client set. But in the entire hour’s talk, he shared just one customer case study – and it was a ConSentry customer! Very, very cool to see our application, and the customer’s need for role-based control, as his one example of an interesting deployment.

All in all, a good two days, especially meeting other bloggers, talking with several of the analysts one-on-one, seeing other industry folks like Richard Stiennon, and best of all chatting with enterprise users in between sessions.

--Michelle McLean
mmclean-at-consentry-dot-com 

Last week, Cisco had an announcement about an updated Supervisor 32 engine for its 6500 line of Catalyst switches. Understandably, this news fell under the radar of most security blogs and reports, but it's worth highlighting. The heart of this new Sup engine is the Programmable Intelligence Services Accelerator, promising L7 packet inspection and enforcement, and the focus is on getting this kind of intelligence in the wiring closet, as a blade in 6500s deployed at the LAN edge.

It's exciting to see Cisco drive this message around the need for security in the wiring closet, and for ConSentry, the timing couldn't be better. We rolled out our Secure Switching news today, and it's great to be in such good company as we drive that message. Of course, the Cisco module isn't out quite yet, and it'll max out at 2 Gbps, but we definitely get a boost from the Cisco messaging that this is the way IT should be building LANs. And it clearly broadens the message well beyond the well-worn Network Access Control path.

We also decided to have a little fun with our news and how we explain the impact on the wiring closet. If you get a second, check out our take on what this all means for enterprise networks.

--Michelle McLean
mmclean-at-consentry-dot-com

Richard Stiennon brought up a great issue in a comment on my "Security Goodness - Baked Right In" post. I was writing my reply into a comment back to him but decided to post as another entry to encourage more discussion with the broader audience.

Richard summed up the perspective of his panelists at RSA as "security must stay separate from the network because the switching market is driven by cost-per-port and security is too expensive." Richard wants to know our response.

It's a great question in several ways. First off, I totally agree that switching has hit commodity status and security, particularly LAN security, is far from it. There are exceptions on both sides, of course, but it's generally true. So what's the implication for a secure switch? Essentially, a secure switch is a security device first and a switch second. So it's anything but a commodity product. If a customer's switch purchasing decision is driven solely by price, a secure switch will not even be on his or her radar. Someone buying a secure switch needs something more - some form of network access control. This buyer is motivated by the security feature set, not by simple packet forwarding, and that changes the equation immediately.

Richard's question indirectly raises two other interesting issues.

One - the separation of security and control planes. A minority of shops will want to keep the security plane separate from the control plane in perpetuity. Those shops are rare, but we do see them, so the market for a controller-type approach, where the enforcement device stays separate from the LAN switching infrastructure, will continue. It'll be much smaller than the secure switch market, but it will persist.

Two - the innovation cycle for security vs. switching. This topic is even more interesting, because every shop has this problem. Basically, people want their infrastructure to last five to seven years but they know security changes at a much faster rate. So how can you have a switch that can "keep up" with those security changes?

To be fast, switches have been built on ASICs. But a secure switch has to be updated to stay relevant. So the commodity merchant silicon chips that everyone - including ConSentry - uses to build their switches aren't enough. To build a secure switch, you also need programmability, but to keep up with LAN speeds, you need really fast programmability. For ConSentry, the answer is our custom CPU (see the Multithreading post from Dan a couple weeks ago).

And now we've come full circle - that combination of high speeds and programmability is why a secure switch isn't a commodity. Richard's panelists are right - you can't get the security you need in today's "cost per port" designed switches. But that's doesn't mean security and switching can't come together effectively - they just can't come together in those switches. You need a new architecture. You need a secure switch.

--Michelle McLean

mmclean-at-consentry-dot-com

My buddy Mike Rothman comments today on a wireless LAN product adding more security and how that's representative of the broader trend of security getting built directly into the infrastructure. He leads off with this statement:

I've been saying for a while that security eventually becomes a feature of the infrastructure. That's right, baked right into the network fabric and data center.

Richard Stiennon calls this idea the "secure network fabric."

I couldn't agree more with both these guys. Most new network functions and services come into the network as an overlay first but work their way into the infrastructure. Firewalls got integrated into routers, network monitoring happened first in probes and then got built into switches, and even the now-ubiquitous Power over Ethernet went from separate add-on bricks to a feature of every wiring closet switch.

As an ardent pragmatist, Rothman I'm sure can appreciate the overlay appeal of LAN security and network access control. Forcing a switch upgrade throughout the entire enterprise to add in security doesn't fly - offering an appliance that can drop in, with no network changes, is the pragmatic approach.

But if security ultimately ends up in the switch, when does "ultimately" happen? For some of our customers, today. Some of those who've been using our controllers for more than a year are now approaching a network upgrade cycle. For them, getting a "two-fer" -- as in two for one in our secure switch -- has a lot of appeal. Rather than buy just a dumb switch and stick a controller behind it, they'd rather take the opportunity of the upgrade cycle to integrate security directly into their network infrastructure.

Why is this kind of integration appealing, and ultimately inevitable? Device consolidation, tighter control, pervasive coverage, operational simplicity.

Rothman alludes to the market resembling the musical chairs game, saying there's still time for the overlay model but the music will stop. I contend it will stop not all at once but customer by customer, as they go through the upgrade cycle. And whether you'll have a chair depends on whether you can offer the integrated, "baked right in" approach.

--Michelle McLean
mmclean-at-consentry-dot-com