We put Cisco’s security strategy under the microscope about six weeks ago after hearing from many, many networking pros who felt Cisco had lost its way, at least a little. I think Cisco was hearing that message a little bit as well, because it focused heavily on its network security business this week with its latest round of Borderless Networks news. I received two separate briefings for this latest Cisco news cycle. The first briefing was a straightforward update on the various Borderless Networks products: the routers, switches, firewalls and software that make up the soup-to-nuts product portfolio.
The other briefing was strictly about Cisco’s security business. It was a WebEx panel led by Cisco’s security technology chief Tom Gillis and a coterie of marketing and product management folks. Unlike the first briefing, which was a one-on-one affair, this one was open to an unknown number of reporters and analysts who dialed in or made the trip to California to be there in person.
Gillis used this event to lay out Cisco’s current game plan for network security. The details of this talk didn’t make it into my Borderless Networks story this week, so I thought I’d lay out some of the basics here.
First, Gillis reviewed the state of Cisco’s security play. The company has an impressive footprint.
- Cisco earned $2.2 billion in security revenue in its 2010 fiscal year, which represented a 14.5% growth rate over the previous year.
- Cisco has 150 million VPN endpoint clients installed globally, and about 33% of them are the company’s new AnyConnect Secure Mobility client, a hybrid VPN/802.1X product.
- Cisco’s Security Intelligence Operations (SIO) center, the company’s threat and vulnerability analysis lab, processes 20 billion URLs per day and has more than 500 security researchers, analysts and rule writers distributed across the world.
Next, Cisco dug into the details for the biggest security piece to come out of this week’s news: The Adaptive Security Appliance (ASA) 5585-X. This firewall/IPS/VPN gateway box is Cisco’s first attempt to offer a product with the scalability and power to compete with the data-center class versions of Juniper Networks’ SRX platform.
In the past networking pros have told me that the ASA 5500 series is a decent product that lacks the firepower and scalability for high-end data centers. Cisco hopes the 5585-X answers those critics. Although the Cisco folks didn’t name the SRX or Juniper during this briefing, they did keep referring to vendor “J,” whose product’s specs bore an uncanny resemblance to the SRX3600.
The 5585-X comes in a 2 RU format (about 40% of the size of SRX boxes with similar specs) and offers 20 Gbps of simultaneous firewall and IPS throughput, 350,000 new connections per second and 8 million total connections. Cisco also said it draws less power than the vendor “J” product (785 watts to 1,750 watts).
The ASA 5585-X should give enterprises the ability to scale up the number of AnyConnect clients they deploy. AnyConnect is a hybrid of an IPsec VPN and SSL VPN client and an 802.1X supplicant. Cisco says it can run on pretty much any device and enable enterprises to provide secure network access to employees, partners and suppliers, regardless of what device they are on and where they are. Since 33% of Cisco’s VPN client footprint has already upgraded to this product, which was released earlier this year, customers should already be discovering for themselves whether AnyConnect is truly able to provide them with an open yet secure network.
Cisco has focused its marketing efforts on a broad range of new markets in recent years (telepresence, Flip video cameras, smart grid technology, and servers), leading some networking pros to question its commitment to its bread and butter markets like routing, switching and security. This week proved to me that Cisco is at least listening to those customers who are worried.
Can you imagine a world where Cisco Systems wasn’t THE networking vendor… a world where Cisco shares top dog status with two other companies with the products, resources and support capabilities to compete on equal ground with the longtime industry leader?
Cisco has been top dog in the enterprise networking market for quite a number of years. You can attribute its dominance to a variety of factors. It generally produces good, reliable technology that its customers are comfortable with. It generates tens of billions of dollars in annual revenue and is highly profitable, which means customers can rest assured that Cisco will be around for the long haul to support and advance its products.
Cisco also tends to stay ahead of the networking industry’s innovation cycle. It has the resources available to drop $1 billion on research and development for a new product line such as its Nexus data center switches. And where it doesn’t lead in innovation, it can pick up a competitor like the wireless LAN vendor Aironet Wireless Communications.
No other vendor in the networking market has the ability to do all these things, at least in the North American market. There was a time, 10 years ago, when companies like Nortel and 3Com seemed poised to bring Cisco down a notch, but neither company executed when it had the opportunity. Nortel collapsed and 3Com retreated.
For much of the last decade, most of Cisco’s competitors in the enterprise networking market have been spunky upstarts (Force10, Extreme, Enterasys, etc.) rather than multi-billion dollar industry giants.
Things are changing. HP, which has competed for years on the low end of the networking industry with its ProCurve brand, acquired 3Com earlier this year. The deal was struck shortly after 3Com reinvented itself with its H3C brand of Chinese-developed high-performance networking products. 3Com was showing some promise with its new products, but at the time of the HP acquisition it had not yet succeeded in establishing a foothold in the market outside of Asia. Given its overall status as a gigantic, profitable IT vendor, HP now has the opportunity to compete with Cisco as a peer in the networking market… if it can execute its 3Com acquisition and convince Cisco customers to consider alternative vendors in critical parts of their networks.
Now we have indications that IBM is leaning toward a return to the networking industry. IBM made news today with its plans to buy Blade Network Technologies, a start-up which specializes in top-of-rack and blade chassis data center switches. It produces switches for both IBM and HP’s blade server chassis lines and it has a close relationship with Juniper Networks, itself an up-and-coming networking vendor which has a venture capital stake in Blade.
You may recall that in December IDC’s chief analyst Frank Gens predicted that IBM would buy Juniper in 2010. This Blade Network Technologies acquisition would appear to bring Juniper and IBM closer together than ever before. If Gens’ prediction of an IBM-Juniper marriage comes to pass, networking pros will suddenly find themselves in a position they’ve never been in before: a world where three of the world’s largest technology vendors all have well-regarded portfolios of enterprise networking products. Cisco, IBM and HP.
There’s an old adage in the industry that no one ever got fired for buying IBM. In recent years the term has been adapted by Cisco customers, many of whom say “No one ever gets fired for buying Cisco.” Could networking pros soon find themselves saying: “No one ever got fired for buying switches from IBM, HP or Cisco?”
Disclaimer: This author attended a snooty liberal arts college and may have registered for one too many womyn’s studies classes.
A couple of recent blog entries by my colleagues at Network World Cisco Subnet warmed my heart: “Special Cisco Live Contest – Hottest Booth Girl” by Michael J. Morris, and: “Who’s the hottest video game chick?” by Jimmy Ray Purser.
The first closely examines which of the booth babes at Cisco Live was hottest, while the second goes a bit deeper, exploring the relationship between a father and son (Purser and his boy) through the scope of which video game vixen each finds sexier (i.e. The family that lusts together stays together).
I fully support my Network World colleagues in conducting such in-depth analysis of networking technology and its implications on network engineers. Great work, guys.
I also thank them for highlighting just how welcome women are at networking technology conferences and other forums for serious technology discussion.
Last year I attended LISA Usenix in Baltimore, which was easily the best conference I had attended all year. It was populated by long-haired, academic engineers rather than Dockers-wearing product marketers (read Interop). In my first two hours at the conference, I had three in-depth conversations: one about open source network management tools, another about open source community tactics in networking technology and a third about where The Clash went wrong. I was in heaven.
But when I walked into lunch the first day, I was also struck by the very same problem that hits me at every tech conference I attend: I could count the number of women in a room of around 200 on one hand. At least at LISA there were no half-naked chicks selling switches or promoting firewalls, and as a result, I felt welcome to discuss, contribute and learn. But it is very hard to feel like a serious participant at a conference like Cisco Live where (according to Morris’ blog) BlueCat Networks thought it best to have two girls in spandex explain IP Address Management, while NetOptics went the route of selling network management tools through a girl in short-shorts and a sailor cap.
In a response to the Cisco hot chicks blog, one of Morris’ readers sums it up perfectly:
“We encourage women to train for high-tech careers, and this degrading attitude doesn’t help,” the reader wrote. “Your editorial staff should consider your liability for a civil rights lawsuit, for creating a hostile work environment for women.”
As a journalist, freedom of speech is my religion, so I wouldn’t go as far as a lawsuit. But I do wonder why we journalists so easily waste this freedom – and further perpetrate a culture that ultimately shuts out women and the innovation they could contribute.
Then again, these two blogs may have had less to do with sexism and more to do with a desperate – and clumsy – grab for attention. In fact, I think my editorial director Susan Fogarty said it best in a quick email regarding the blogs, “This is just playing to the lowest common denominator and stirring the pot to spike up the page views.”
I choose a different path. I’ll take my page views from actual networking technology coverage and use my right to speak for things that matter.
In the meantime, we have a duty to work toward an IT community that fosters growth for women and encourages their contributions.
Forrester Research Inc. is proposing a new mantra for IT security. In his report “No More Chewy Centers: Introducing the Zero Trust Model of Information Network Security,” Forrester analyst John Kindervag suggests that we should dispense with the old Reaganism “Trust but verify” and replace it with “verify and never trust.”
Forrester says enterprises must adopt a zero trust security model because there is no reason to ever trust any packets that are passing over a network. Packets aren’t people. You can’t look at them and say, “That’s a packet that I have faith in not to betray me.” Malicious insiders and incompetent insiders alike are real threats that no hardened perimeter can protect against. There is always the potential for a person to abuse the access they have to network resources or to be negligent with that access. You can’t afford to lower your guard on your network just because someone has presented the proper credentials for getting on the network.
So what is a zero trust security model? Forrester is promising to roll out subsequent reports that detail the architecture it has in mind and some case studies from enterprises who have adopted something like it. This first report mostly argues the case for why enterprises should consider this security approach. It’s one of the more entertaining reads I’ve had with analyst research.
In the meantime, Kindervag lays out some basic concepts:
- Use network access control (NAC) technologies to manage access to network resources tightly. Specifically, Kindervag says enterprises should consider role-based access control features from NAC vendors. Use this and other technologies to strictly enforce access privileges, giving users only the minimum of access they need to resources.
- Even then, enterprises can’t assume that people won’t abuse or be careless with the access privileges they have. Traffic must be logged, and better yet, inspected. This requires more than the log management capabilities many security professionals use. Network analysis tools that are capable of seeing and analyzing network flow technologies like Netflow and sFlow are also critical to giving network security pros a real-time view into what’s happening on their networks.
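The two concepts above (least-privilege roles assigned at NAC time, then continued inspection of the flows those users generate) can be combined into a simple policy audit over flow records. This is an added example, not code from Forrester’s report or any NAC or flow-analysis product; the role policy, session table and NetFlow-like records are constructed for illustration.

```python
"""Zero-trust style flow audit: a host that authenticated and got a role
is still held to the minimum set of destinations that role permits.
Added example; every role, address and flow record below is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Role policy: the only (destination network, destination port) pairs each
# role may reach. Constructed values, the kind of RBAC a NAC vendor exposes.
ROLE_POLICY = {
    "finance": [("10.20.0.0/24", 443), ("10.30.0.0/24", 1433)],
    "contractor": [("10.40.0.0/24", 443)],
}

# NAC session table: source IP -> role assigned at authentication (constructed).
SESSIONS = {
    "192.168.1.10": "finance",
    "192.168.1.20": "contractor",
}

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int

def parse_flow(line):
    """Parse one simplified, constructed NetFlow-like record: src,dst,dport,bytes."""
    src, dst, dport, nbytes = line.strip().split(",")
    return Flow(src, dst, int(dport), int(nbytes))

def flow_allowed(flow, sessions=SESSIONS, policy=ROLE_POLICY):
    """Return (allowed, reason). Credentials earned the host a role; the role
    still only permits its minimum destinations, so every flow is re-verified."""
    role = sessions.get(flow.src)
    if role is None:
        return False, "no NAC session for source"
    dst = ip_address(flow.dst)
    for net, port in policy.get(role, []):
        if dst in ip_network(net) and flow.dport == port:
            return True, f"permitted for role {role}"
    return False, f"outside role {role} privileges"

def audit(lines):
    """Run every flow record through the policy and return the violations."""
    violations = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        ok, reason = flow_allowed(flow)
        if not ok:
            violations.append((flow.src, flow.dst, flow.dport, reason))
    return violations

# Constructed flow export: two legitimate finance flows, one legitimate
# contractor flow, a contractor reaching the finance database, and a host
# with no NAC session at all.
SAMPLE_FLOWS = """\
192.168.1.10,10.20.0.5,443,1200
192.168.1.10,10.30.0.9,1433,53000
192.168.1.20,10.40.0.7,443,800
192.168.1.20,10.30.0.9,1433,91000
192.168.1.99,10.20.0.5,443,300
"""

if __name__ == "__main__":
    for violation in audit(SAMPLE_FLOWS.splitlines()):
        print(violation)
```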
Kindervag writes that this approach will lead to more collaboration between networking pros and information security pros, because infosec folks are going to be using the network more actively than they have in the past to monitor and secure the enterprise. NAC products and network analysis products are often implemented on the network and managed by networking teams rather than security teams, so these two groups will have to come together more than they have in the past.
I’m hearing echoes in the zero trust model of what Cisco has talked about recently with its Borderless Networks strategy. That strategy is very much a network story, about providing access to network resources for users regardless of where they are, what devices they are using and how they connect those devices to the network. First and foremost this is a networking strategy for Cisco, but security is a critical piece. Cisco is aligning its security products so that network and security teams can make this ubiquitous access vision secure. I talked in depth about this concept with Cisco in my recent story on Cisco’s overall security strategy.
The concept is also relevant to other security trends we’re seeing right now. For instance, there’s a lot of chatter about the future of firewalls… about so-called next generation firewalls. Vendors like Palo Alto Networks have built firewall products that don’t rely on ports and protocols to determine whether to allow or disallow traffic in and out of a network. Instead they are building Layer 7 inspection engines that can identify traffic by application. Suddenly all those Port 80 apps that look like simple Web traffic to older firewalls are identifiable as YouTube, peer-to-peer sites and Facebook.
The concept of deperimeterization — that a secure perimeter just isn’t good enough — has been bouncing around for years now. This zero trust model seems like a logical evolution of it. It’s a nice articulation of how enterprises need to adjust their mindset toward security fundamentally. Not only is the perimeter no longer the best line of defense; there is no single line of defense. You need to protect everything on your network, everywhere on your network, from everyone on your network.
Last week I wrote a story about how some enterprises save money by using commodity network switch vendors at the access edge of their local area networks. These low-cost vendors use merchant silicon and build basic-functionality switches to keep their costs low. While reporting this story, I emailed several questions to Bjarne Munch, an Australia-based principal research analyst with Gartner. Munch was on vacation at the time and was unable to respond to my questions until now. I’ve pasted my questions and his answers below.
1. You advocate that enterprises save money by using Layer 2 switches wherever possible. In what scenarios would an enterprise want to have layer 3 routing on their edge/access switches?
I would say not very often, but in cases with a high degree of VLAN segmentation there may be a need for routing in the access for some more distributed network design. Or in cases where the Layer 2 functionality does not offer sufficient QoS; this could be situations with high use of both voice and video from the desktop.
2. You mention that enterprises generally don’t need Gigabit Ethernet to the desktop. In what situations would you say enterprises should pull Gigabit all the way to the desktop?
If you add bandwidth needs for a typical enterprise user and incorporate UC and Video you will not even get close to 100M to the desktop. Some enterprises with CAD/CAM such as city planning or architects may have higher bandwidth needs or in the medical area with X-ray images. But this is a niche which is typically easy to identify.
3. You mention that enterprises can drive costs down even further with commodity switches by adopting automation for operational tools. Could you elaborate on this further?
A large percentage of the ongoing cost is labor-based, i.e. time spent on configuring or troubleshooting. For larger networks, operational tools that can automate these processes can thus save time and thus reduce the ongoing operational costs, i.e. bring down the TCO.
4. You talk about using fixed-format switches over modular ones where possible to drive down costs. In what kinds of situations will enterprises be required to deploy modular switches at the edge?
Most cases I have seen have been just-in-case investments, where the enterprise was not sure of its needs, so they chose a modular switch partly for switch port expansion but also for housing other functions such as a WLAN controller.
5. These low-cost vendors use merchant silicon instead of ASICs to keep costs low. What exactly is the value of those ASICs? What are enterprises losing by deploying switches with merchant silicon at the edge?
There is some loss of performance by using merchant silicon and there may also be some degree of performance variations depending on traffic load but for most enterprises this is not really an issue within the edge of the network.
Any concerns that Cisco would not open up to virtualization partnerships beyond VMware have been quashed. Today Citrix and Cisco announced a deal linking XenDesktop with Cisco’s Unified Computing System. The problem is, this deal may not be offering the exact technology that networking folks actually need right now.
The Cisco Desktop Virtualization Solution isn’t quite technically tantalizing, but it assures customers that Citrix virtual desktop will work on Cisco’s California servers, and it offers pre-configured deployment kits and integrated customer services, among other features. The companies claim the partnership was a result of user demand for confirmation that XenDesktop would work in UCS, a complex combination of servers, storage and networking on a unified fabric.
But the partnership might have been sexier if the two companies had announced that the Cisco Nexus 1000v – a virtual traffic switch that only works in VMotion – could be used in a Citrix environment. As network admins are called on to manage networking within heavily virtualized environments, what they really need is visibility and manageability of traffic between virtual servers within a physical server. Cisco’s Nexus 1000V enables routing of this traffic in a VMware environment, but many enterprises with Cisco networks are opting for alternative virtualization technology from Citrix and Microsoft.
For now, Citrix customers will be able to use the Open vSwitch but this technology is aimed more at the public cloud as opposed to the enterprise data center.
Hopefully this initial Cisco-Citrix partnership announcement will only be the first of many in an ongoing relationship.
Cisco is aggressively building out its smart grid capabilities this week, announcing a major partnership with a smart meter company yesterday and buying a maker of IP-based wireless network systems and software for energy management today.
Yesterday Cisco unveiled a strategic partnership with Itron, a vendor of smart meter technology with about 8,000 global utility customers. The two companies will collaborate on a reference design to ensure that their smart grid field technology is based on end-to-end IPv6 networking technology, ensuring interoperability among smart meters, intelligent power distribution systems and on-site customer interfaces. Today most utility SCADA networks are filled with proprietary and archaic protocols that don’t play nicely with each other. Basically, Cisco and Itron will work to ensure that their various power management and smart grid products are standards-based IP technologies that can be deployed in any network. Itron will license Cisco’s IP technologies for use in its products. Although based on IP standards, the reference design will no doubt require the usual bending and stretching of standards by Cisco and Itron that other vendors may not choose to follow.
Today Cisco announced plans to buy Arch Rock, a specialist in IP-based, mesh wireless networking for Smart Grid technology. Arch Rock is a five-year-old start-up founded by a couple of researchers from Intel’s research lab in Berkeley.
Silver Spring Networks, a primary competitor to both Cisco and Itron in the smart grid market, is probably watching these moves closely.
Last week I published a feature that took a long, hard look at Cisco’s network security strategy. This story tackled a big subject so naturally I left out a few odds and ends and a little analysis. I thought I’d drop them here for your reading pleasure.
- Who owns the security strategy at Cisco? When I was reporting this story, a few of the people I interviewed wondered aloud about who actually runs the show for Cisco’s security strategy these days. In case you were wondering, Tom Gillis, vice president and general manager of Cisco’s Security Technology Business Unit, runs the show. Gillis was one of the founders of IronPort Systems, the email and web security company that Cisco bought three years ago. He was serving as senior vice president of marketing at IronPort at the time of the acquisition.
- Speaking of which, this Q&A with Gillis on Cisco’s web site was referred to me by at least four different Cisco PR and marketing people as the most recent articulation of Cisco’s security strategy. So if you want to hear straight from them what their vision is, go there.
- Fred Kost, director of security solutions marketing at Cisco, told me Gillis owns most of Cisco’s security strategy, however security is a big area that touches on a number of different business units. Kost said several other senior VPs and GMs at Cisco work with Gillis to coordinate the security elements of their products with Cisco’s overall security strategy.
- I’ve heard many networking pros and consultants talk about how Cisco seems to have two competing approaches to network access control, causing some confusion in the network. It has an appliance-based NAC product from its acquisition of Perfigo, and it has an infrastructure-based product developed from within its routing and switching business. Kost said Cisco has been converging these two products in recent months under one brand: TrustSec. Ultimately Cisco’s NAC approach will become more closely tied to network infrastructure. Kost said NAC is a growing market for Cisco, but the standalone NAC appliance market hasn’t caught on.
A school district in California is using location-based wireless technology to track preschoolers. I admit that when I first saw the headline for this story, I worried that the school was embedding RFID tags in the kids… kind of like the tags they put in pets these days. Thankfully, that’s not the case!
KTVU-TV is reporting that the Contra County School District is using some combination of RFID and Wi-Fi technology to check students in and out of schools, to track their locations and to make sure they get fed lunch. Based on what I saw in the video, this seems to be some kind of real-time location system (RTLS).
The school district spent $50,000 on the system, which includes a series of sensors throughout the school and basketball jerseys that have an RFID and Wi-Fi package embedded in the chest. The school district says the system improves security, but it will also save 3,000 man hours a year by eliminating paperwork (teachers had to fill out paperwork every time a child entered or left the school and every time a child was fed).
The reporter for this story didn’t identify the vendor(s) who provided this system to the school, but he noted that it was based on technology commonly deployed in hospitals. There are a lot of RFID/Wi-Fi-based patient and asset tracking system vendors serving the healthcare industry. One of them probably adapted this technology for the school.
Virtual Private LAN Service (VPLS) enables multipoint-to-multipoint communication over carrier-based MPLS/IP networks, basically enabling enterprises to extend LAN segments over long distances.
In this video, Juniper Networks MX Series product manager Rameshbabu Prabagaran explains how enterprises now use service provider infrastructure as just another transport layer for their enterprise LANs through VPLS.