Forrester Research Inc. is proposing a new mantra for IT security. In his report “No More Chewy Centers: Introducing the Zero Trust Model of Information Network Security,” Forrester analyst John Kindervag suggests that we should dispense with the old Reaganism “Trust but verify” and replace it with “verify and never trust.”
Forrester says enterprises must adopt a zero trust security model because there is no reason to ever trust any packets that are passing over a network. Packets aren’t people. You can’t look at them and say, “That’s a packet that I have faith in not to betray me.” Malicious insiders and incompetent insiders are both real threats that no hardened perimeter can protect against. There is always the potential for a person to abuse the access they have to network resources or to be negligent with that access. You can’t afford to lower your guard on your network just because someone has presented the proper credentials for getting onto it.
So what is a zero trust security model? Forrester is promising to roll out subsequent reports that detail the architecture it has in mind and some case studies from enterprises who have adopted something like it. This first report mostly argues the case for why enterprises should consider this security approach. It’s one of the more entertaining reads I’ve had with analyst research.
In the meantime, Kindervag lays out some basic concepts:
- Use network access control (NAC) technologies to manage access to network resources tightly. Specifically, Kindervag says enterprises should consider role-based access control features from NAC vendors. Use this and other technologies to strictly enforce access privileges, giving users only the minimum of access they need to resources.
- Even then, enterprises can’t assume that people won’t abuse or be careless with the access privileges they have. Traffic must be logged, and better yet, inspected. This requires more than the log management capabilities many security professionals use. Network analysis tools that are capable of seeing and analyzing network flow technologies like Netflow and sFlow are also critical to giving network security pros a real-time view into what’s happening on their networks.
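As an added illustration of the two concepts above (not code from the Forrester report or from any NAC product), the following Python sketch joins NAC session data with constructed flow records: a user is identified by role, each flow is checked against a least-privilege role policy, and flows that are permitted but unusually large are still flagged for review rather than trusted. The role policy, NAC session table, byte budgets and flow lines are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical least-privilege policy (constructed): each role may reach only
# the listed destination networks on the listed TCP port.
ROLE_POLICY = {
    "finance": {(ipaddress.ip_network("10.20.0.0/24"), 443)},
    "engineering": {(ipaddress.ip_network("10.30.0.0/24"), 22),
                    (ipaddress.ip_network("10.30.0.0/24"), 443)},
}

# What the NAC layer knows right now: which authenticated user and role is
# behind each source address (constructed).
NAC_SESSIONS = {
    "10.1.1.10": ("alice", "finance"),
    "10.1.1.20": ("bob", "engineering"),
}

# Per-flow byte budget by role; exceeding it is allowed but reported (constructed).
BYTE_BUDGET = {"finance": 5_000_000, "engineering": 50_000_000}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one NetFlow-style key=value record exported by a collector."""
    kv = dict(field.split("=", 1) for field in line.split())
    return Flow(kv["src"], kv["dst"], int(kv["dport"]), kv["proto"], int(kv["bytes"]))


def classify(flow: Flow) -> str:
    """Return 'deny', 'review' or 'allowed' for one flow: credentials never exempt traffic from inspection."""
    session = NAC_SESSIONS.get(flow.src)
    if session is None:
        return "deny"  # no verified identity behind this address
    _user, role = session
    dst = ipaddress.ip_address(flow.dst)
    permitted = any(dst in net and flow.dport == port
                    for net, port in ROLE_POLICY.get(role, ()))
    if not permitted:
        return "deny"  # authenticated, but outside this role's minimum access
    if flow.nbytes > BYTE_BUDGET[role]:
        return "review"  # authorized path, anomalous volume: log and inspect
    return "allowed"


def audit(lines):
    """Classify a batch of exported flow lines; returns (src, dst, dport, verdict) tuples."""
    return [(f.src, f.dst, f.dport, classify(f)) for f in map(parse_flow, lines)]


# Constructed sample export, as a collector might emit it.
SAMPLE_FLOWS = [
    "src=10.1.1.10 dst=10.20.0.5 dport=443 proto=tcp bytes=1200",
    "src=10.1.1.10 dst=10.30.0.7 dport=22 proto=tcp bytes=900",
    "src=10.1.1.20 dst=10.30.0.7 dport=22 proto=tcp bytes=4000",
    "src=10.1.1.20 dst=10.30.0.7 dport=443 proto=tcp bytes=80000000",
    "src=10.1.1.99 dst=10.20.0.5 dport=443 proto=tcp bytes=100",
]

if __name__ == "__main__":
    for row in audit(SAMPLE_FLOWS):
        print(row)
```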
Kindervag writes that this approach will lead to more collaboration between networking pros and information security pros, because infosec folks are going to be using the network more actively than they have in the past to monitor and secure the enterprise. NAC products and network analysis products are often implemented on the network and managed by networking teams rather than security teams, so these two groups will have to come together more than they have in the past.
I’m hearing echoes in the zero trust model of what Cisco has talked about recently with its Borderless Networks strategy. That strategy is very much a network story, about providing access to network resources for users regardless of where they are, what devices they are using and how they connect those devices to the network. First and foremost this is a networking strategy for Cisco, but security is a critical piece. Cisco is aligning its security products so that network and security teams can make this ubiquitous access vision secure. I talked in depth about this concept with Cisco in my recent story on Cisco’s overall security strategy.
The concept is also relevant to other security trends we’re seeing right now. For instance, there’s a lot of chatter about the future of firewalls… about so-called next generation firewalls. Vendors like Palo Alto Networks have built firewall products that don’t rely on ports and protocols to determine whether to allow or disallow traffic in and out of a network. Instead they are building Layer 7 inspection engines that can identify traffic by application. Suddenly all those Port 80 apps that look like simple Web traffic to older firewalls are identifiable as YouTube, peer-to-peer sites and Facebook.
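To show the difference the paragraph above describes, here is an added Python example (not code from Palo Alto Networks or any firewall product) contrasting a port-based rule with a minimal Layer 7 classifier that reads the HTTP Host header. The application-to-hostname map, the packet payloads and the blocked-application list are constructed for this example; a real engine would of course carry far more signatures.

```python
# Constructed mapping of hostname suffixes to application labels.
APP_SIGNATURES = {
    "youtube.com": "youtube",
    "facebook.com": "facebook",
}


def classify_by_port(dport: int) -> str:
    """What an older, port-based firewall sees: anything on 80/8080 is 'web'."""
    return "web" if dport in (80, 8080) else "other"


def parse_http_request(payload: bytes):
    """Return (method, host) if payload looks like an HTTP/1.x request, else None.
    host is None when the request carries no Host header."""
    head = payload.partition(b"\r\n\r\n")[0]
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None  # binary payload, not an HTTP request line
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None
    host = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().lower().split(":")[0]  # drop any :port suffix
            break
    return parts[0], host


def classify_by_app(payload: bytes) -> str:
    """Layer 7 view: identify the application from the payload, not the port."""
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"  # peer-to-peer handshake riding on port 80
    req = parse_http_request(payload)
    if req is None:
        return "unknown"
    _method, host = req
    if host is None:
        return "http-no-host"  # HTTP/1.0-style request; cannot name the site
    for suffix, app in APP_SIGNATURES.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return "http"


def decide(dport: int, payload: bytes, blocked_apps: set) -> tuple:
    """(port_verdict, app_verdict): the port rule allows all web traffic,
    the application rule blocks by identified application."""
    port_verdict = "allow" if classify_by_port(dport) == "web" else "deny"
    app_verdict = "deny" if classify_by_app(payload) in blocked_apps else "allow"
    return port_verdict, app_verdict


# Constructed sample payloads, all arriving on TCP port 80.
YOUTUBE = b"GET /watch?v=x HTTP/1.1\r\nHost: www.youtube.com\r\nUser-Agent: t\r\n\r\n"
FACEBOOK = b"POST /api HTTP/1.1\r\nhost: m.facebook.com:80\r\n\r\n{}"
INTRANET = b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
NO_HOST = b"GET / HTTP/1.0\r\n\r\n"
TORRENT = b"\x13BitTorrent protocol" + bytes(8) + bytes(40)
GARBAGE = b"\x80\x01\xff\xfe binary"
```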
The concept of deperimeterization — that a secure perimeter just isn’t good enough — has been bouncing around for years now. This zero trust model seems like a logical evolution of it. It’s a nice articulation of how enterprises need to adjust their mindset toward security fundamentally. Not only is the perimeter no longer the best line of defense; there is no single line of defense. You need to protect everything on your network, everywhere on your network, from everyone on your network.
Last week I wrote a story about how some enterprises save money by using commodity network switch vendors at the access edge of their local area networks. These low-cost vendors use merchant silicon and build basic-functionality switches to keep their costs low. While reporting this story, I emailed several questions to Bjarne Munch, an Australia-based principal research analyst with Gartner. Munch was on vacation at the time and was unable to respond to my questions until now. I’ve pasted my questions and his answers below.
1. You advocate that enterprises save money by using Layer 2 switches wherever possible. In what scenarios would an enterprise want to have Layer 3 routing on their edge/access switches?
I would say not very often, but in cases with a high degree of VLAN segmentation there may be a need for routing in the access for some more distributed network design. Or in cases where the Layer 2 functionality does not offer sufficient QoS; this could be situations with high use of both voice and video from the desktop.
2. You mention that enterprises generally don’t need Gigabit Ethernet to the desktop. In what situations would you say enterprises should pull Gigabit all the way to the desktop?
If you add bandwidth needs for a typical enterprise user and incorporate UC and Video you will not even get close to 100M to the desktop. Some enterprises with CAD/CAM such as city planning or architects may have higher bandwidth needs or in the medical area with X-ray images. But this is a niche which is typically easy to identify.
3. You mention that enterprises can drive costs down even further with commodity switches by adopting automation for operational tools. Could you elaborate on this further?
A large percentage of the ongoing cost is labor-based, i.e. time spent on configuring or troubleshooting. For larger networks, operational tools that can automate these processes can thus save time and thus reduce the ongoing operational costs, i.e. bring down the TCO.
4. You talk about using fixed-format switches over modular ones where possible to drive down costs. In what kinds of situations will enterprises be required to deploy modular switches at the edge?
Most cases I have seen have been just-in-case investments where the enterprise was not sure of needs, so they chose a modular switch partly for switch port expansion but also for housing of other functions such as a WLAN controller.
5. These low-cost vendors use merchant silicon instead of ASICs to keep costs low. What exactly is the value of those ASICs? What are enterprises losing by deploying switches with merchant silicon at the edge?
There is some loss of performance by using merchant silicon, and there may also be some degree of performance variation depending on traffic load, but for most enterprises this is not really an issue within the edge of the network.
Any concerns that Cisco would not open up to virtualization partnerships beyond VMware have been quashed. Today Citrix and Cisco announced a deal linking XenDesktop with Cisco’s Unified Computing System. The problem is, this deal may not be offering the exact technology that networking folks actually need right now.
The Cisco Desktop Virtualization Solution isn’t quite technically tantalizing, but it assures customers that Citrix virtual desktop will work on Cisco’s California servers, and it offers pre-configured deployment kits and integrated customer services, among other features. The companies claim the partnership was a result of user demand for confirmation that XenDesktop would work in UCS, a complex combination of servers, storage and networking on a unified fabric.
But the partnership might have been sexier if the two companies had announced that the Cisco Nexus 1000v – a virtual traffic switch that only works in VMotion – could be used in a Citrix environment. As network admins are called on to manage networking within heavily virtualized environments, what they really need is visibility and manageability of traffic between virtual servers within a physical server. Cisco’s Nexus 1000V enables routing of this traffic in a VMware environment, but many enterprises with Cisco networks are opting for alternative virtualization technology from Citrix and Microsoft.
For now, Citrix customers will be able to use the Open vSwitch but this technology is aimed more at the public cloud as opposed to the enterprise data center.
Hopefully this initial Cisco-Citrix partnership announcement will only be the first of many in an ongoing relationship.
Cisco is aggressively building out its smart grid capabilities this week, announcing a major partnership with a smart meter company yesterday and buying a maker of IP-based wireless network systems and software for energy management today.
Yesterday Cisco unveiled a strategic partnership with Itron, a vendor of smart meter technology with about 8,000 global utility customers. The two companies will collaborate on a reference design to ensure that their smart grid field technology is based on end-to-end IPv6 networking technology, ensuring interoperability among smart meters, intelligent power distribution systems and on-site customer interfaces. Today most utility SCADA networks are filled with proprietary and archaic protocols that don’t play nicely with each other. Basically, Cisco and Itron will work to make their various power management and smart grid products standards-based IP technologies that can be deployed in any network. Itron will license Cisco’s IP technologies for use in its products. Although based on IP standards, the reference design will no doubt require the usual bending and stretching of standards by Cisco and Itron that other vendors may not choose to follow.
Today Cisco announced plans to buy Arch Rock, a specialist in IP-based, mesh wireless networking for Smart Grid technology. Arch Rock is a five-year-old start-up founded by a couple of researchers from Intel’s research lab in Berkeley.
Silver Spring Networks, a primary competitor to both Cisco and Itron in the smart grid market, is probably watching these moves closely.
Last week I published a feature that took a long, hard look at Cisco’s network security strategy. This story tackled a big subject so naturally I left out a few odds and ends and a little analysis. I thought I’d drop them here for your reading pleasure.
- Who owns the security strategy at Cisco? When I was reporting this story, a few of the people I interviewed wondered aloud about who actually runs the show for Cisco’s security strategy these days. In case you were wondering, Tom Gillis, vice president and general manager of Cisco’s Security Technology Business Unit, runs the show. Gillis was one of the founders of IronPort Systems, the email and web security company that Cisco bought three years ago. He was serving as senior vice president of marketing at IronPort at the time of the acquisition.
- Speaking of which, this Q&A with Gillis on Cisco’s web site was referred to me by at least four different Cisco PR and marketing people as the most recent articulation of Cisco’s security strategy. So if you want to hear straight from them what their vision is, go there.
- Fred Kost, director of security solutions marketing at Cisco, told me Gillis owns most of Cisco’s security strategy, however security is a big area that touches on a number of different business units. Kost said several other senior VPs and GMs at Cisco work with Gillis to coordinate the security elements of their products with Cisco’s overall security strategy.
- I’ve heard many networking pros and consultants talk about how Cisco seems to have two competing approaches to network access control, causing some confusion in the network. It has an appliance-based NAC product from its acquisition of Perfigo, and it has an infrastructure-based product developed from within its routing and switching business. Kost said Cisco has been converging these two products in recent months under one brand: TrustSec. Ultimately Cisco’s NAC approach will become more closely tied to network infrastructure. Kost said NAC is a growing market for Cisco, but the standalone NAC appliance market hasn’t caught on.
A school district in California is using location-based wireless technology to track preschoolers. I admit that when I first saw the headline for this story, I worried that the school was embedding RFID tags in the kids… kind of like the tags they put in pets these days. Thankfully, that’s not the case!
KTVU-TV is reporting that the Contra County School District is using some combination of RFID and Wi-Fi technology to check students in and out of schools, to track their locations and to make sure they get fed lunch. Based on what I saw in the video, this seems to be some kind of real-time location system (RTLS).
The school district spent $50,000 on the system, which includes a series of sensors throughout the school and basketball jerseys that have an RFID and Wi-Fi package embedded in the chest. The school district says the system improves security, but it will also save 3,000 man-hours a year by eliminating paperwork (teachers had to fill out paperwork every time a child entered or left the school and every time a child was fed).
The reporter for this story didn’t identify the vendor(s) who provided this system to the school, but he noted that it was based on technology commonly deployed in hospitals. There are a lot of RFID/Wi-Fi-based patient and asset tracking system vendors serving the healthcare industry. One of them probably adapted this technology for the school.
Virtual Private LAN Service (VPLS) enables multipoint-to-multipoint communication over carrier-based MPLS/IP networks, basically enabling enterprises to extend LAN segments over long distances.
In this video, Juniper Networks MX Series product manager Rameshbabu Prabagaran explains how enterprises now use service provider infrastructure as just another transport layer for their enterprise LANs through VPLS.
Data center MPLS was a hot topic earlier this week at a Juniper Networks Data Center Design workshop in NYC. In this video, Juniper Networks MX Series product manager Rameshbabu Prabagaran explains that some companies are turning to MPLS inside the data center as a means to implement network segmentation that is more scalable than alternatives.
During his latest earnings call with Wall Street analysts, Cisco CEO John Chambers put a good spin on the supply chain issues that have plagued his company and many other IT vendors for more than a year as component manufacturers have struggled to meet demand. (On a side note, I’m still waiting for someone to explain to me why suppliers aren’t able to ramp up production to meet demands from Cisco and other vendors. Are they struggling to find raw materials? Are they afraid to expand capacity for fear of another downturn gutting demand and forcing them to make extraordinary cuts a second time since the recession began?)
Chambers said Cisco’s supply chain constraints are improving but remain challenging, with supplier lead times stabilized but still longer than ideal. He said Cisco has made significant progress with this and product lead times are now within a normal range for the majority of the company’s products. Note that he said the majority of products are within normal lead times now, but not all. Chambers didn’t specify which products still have long lead times… whether or not they include the high volume products that networking pros have been griping about such as the Adaptive Security Appliance (ASA) 5000 series devices.
Chambers said the number of components that are scarce in Cisco’s supply chain has decreased. At the beginning of the last quarter Cisco was “chasing” 550 parts that were hard to acquire in its supply chain, he said. By the end of the quarter that number was down to around 300. Chambers noted that in normal times Cisco chases about 100 components in its supply chain.
Also, Cisco has clearly taken extraordinary steps to get products into the hands of its customers faster. Chambers admitted that profit margins have suffered as the company has spent money on speeding up its supply chain with more use of airfreight and other unspecified methods.
Despite chasing parts and trying to grease the wheels of the supply chain, customers still have gripes. As we reported recently, some networking pros have turned to Cisco competitors rather than wait for Cisco to deliver. They aren’t willing to leave Cisco behind, but for some parts of the network they are willing to try a new vendor. Of course, if they like what they see from these new vendors, their use of Cisco alternatives could increase if the supply chain issues get worse again.
So are customers seeing improvement? It’s not just Chambers saying this. I’ve heard from networking pros who say the delays aren’t as bad as they were on many products.
If you’re still feeling the pinch, let us know in the comments section.
The FCoE debate is over. At last there is an answer to converged storage networking that leaves tiresome Ethernet behind: Fibre Channel over Token Ring (FCoTR).
The newly launched FCoTR Alliance is working feverishly to develop the 802.5qZ standard, which will soon be submitted to a standards body.
The alliance “is responding to growing industry pressure from a diverse group of networking and storage professionals” with the primary goal of furthering “the awareness, adoption, and commercial support of FCoTR.”
More importantly, the alliance aims to prevent storage professionals from ever having to learn burdensome Ethernet technology while enabling long-time networking admins to remain comfortable in a technology they know and love – Token Ring.
“The adoption of Fibre Channel technology means an opportunity for network convergence. Leveraging my existing Proteus token ring network for use with storage is a very desirable proposition,” said Jose Chavez, director of information technology for Superannuated Systems, Inc.
FCoTR also enables both storage and networking purists to keep the Ethernet gene pool clean.
“Many Fibre Channel gurus balk at the idea of Ethernet being capable of guaranteeing the right level of lossless delivery and performance required for the SCSI data their disks need. IP Junkies like Greg Ferro of Ethereal Mind balk at the idea of changing Ethernet in any way and insist that IP can solve all the world’s problems including world hunger (Sally Struthers over IP, SSoIP). Additionally there is a fear from some storage professionals of having to learn Ethernet networks or being displaced by their Network counterparts,” writes esteemed Define the Cloud blogger Joe Onisick.
Ferro – who is one of a team of engineers drafting the standard – is only attempting to help storage professionals maintain their Fibre Channel investment.
“For all those Storage Nut Jobs who can’t imagine their precious FibreChannel frames crossing an Ethernet network, we are proposing the development of FibreChannel over Token Ring. That’s right, the second best networking protocol ever invented (after FDDI) offers everything you sad, attention-deficit-ridden storage losers ever wanted in a shared network. Deterministic delivery, over-engineered cabling, layer 2 troubleshooting. We can even improve the FC protocol by isochronous transmission for serial clocking performance and guaranteed delivery,” writes Ferro. “Last known Token Ring standards were developed to Gigabit performance, and it shouldn’t be too hard to dust them off and ramp them to 10Gigabit and more.”
Once the 802.5qZ standard is established, it is very likely vendors will launch a series of products (most of which promise not to be interoperable, but will be launched with lavish press events, maybe even one on the New York Stock Exchange floor). Here are some predicted product launches:
· EMC SLOW (It’s the version of FAST that supports Token Ring)
· NetApp SMTR (SnapManager for Token Ring)
· HDS UPS (It is to USP what UPS is to FedEX)
· 3PAR HeyNow! (3Par requires each disk to say “Hey Now!” if they want the token)
· Compellent Frozen Data (It’s the Fluid Data line slowed down so much it freezes)
· IBM WHU (The Prequel to XIV)
· HP StorageDoesntWork (Just saying)
Learn more about lossless storage over Token Ring in this in-depth and well-explained video on FCoTR.