An eight-slot chassis will appeal to service providers and web-scale companies (Facebook, Google, etc.). Last year F5 introduced a down-market Viprion, the two-slot 2400, which is priced for companies that want something a little more flexible and powerful than the company’s fixed-configuration BIG-IP appliances. During the earnings call, McAdam said the Viprion 2400 is selling very well and he implied that the 4480 is seeing softer sales as service provider spending has dropped across the industry.

F5 will also introduce an “application delivery firewall” via an update to its ADC firmware, TMOS. McAdam said this firewall will integrate Layer 3 through Layer 7 security, “including the loss prevention and unique application fluency to prevent sophisticated application attacks.” This firewall will also include DPI functionality, although McAdam indicated DPI would be aimed mostly at service provider customers.

“The dominant competitor we’re going after across all our products is Cisco,” said Kiren Sekar, vice president of marketing at Meraki.

Originally a pure WLAN player

Meraki first offered a unique solution: A wireless LAN that required only access points, but no central controller appliance. Instead, the access points would go to a Meraki cloud for control and management. Meraki’s cloud interface offers administrators configuration management, automated firmware upgrades, and global visibility into the managed devices.

The vendor has done pretty well in a booming wireless LAN market, listing Burger King, Applebee’s, and the University of Virgina as customers. Meraki’s approach offers low-cost network operations, since its cloud-based management interface is aimed at serving general IT administrators rather than experienced network engineers.

Now routers and access switches

Last year Meraki introduced a small line of branch router-firewalls, its MX series. Like it’s wireless line, the Meraki MX routers are managed through the cloud. Again, the cloud approach offers global views of ports across multiple sites, configuration management, alerting and diagnostics, and automated firmware upgrades. The firewall functionality also included application layer inspection, a key feature of next-generation firewalls.

This month, Meraki expanded its portfolio even further, adding MX boxes capable of connecting enterprise campuses and data centers. The routers feature two-click, site-to-site VPN capabilities and WAN optimization features such as HTTP, FTP and TCP acceleration, caching, deduplication and compression.

Also, Meraki launched a new MS series of Layer 2/3 access switches, including 24-port Gigabit Ethernet model and a 48-port 1/10 Gigabit Ethernet model, with or without Power over Ethernet (PoE). Again, these MS switches are managed through the Meraki cloud. The switches are obviously designed to compete head-to-head with the Catalyst 3750 series of switches from Cisco. These MS switches start at a list price of $1,199 for the 24-port, non-PoE switch. Combine that with ongoing licensing for the cloud-management support, and the total cost of ownership on the basic switch is about $1,400 over three years.

If a low cost of ownership value proposition on switching and routing (and WLAN) is important to you, Meraki can make a compelling case. However, the low-TCO sales pitch is starting to wear thin according to a lot of the experts I talk to. Networks are getting more complex, not simpler. Low-cost doesn’t ring bells in every IT department.

That’s why Meraki offers home-grown, advanced network services for no additional cost on its boxes. The MX router-firewalls come with WAN optimization features bundled in. Other vendors would require a license upgrade (or a separate appliance). They feature application-aware inspection and policy enforcement, something that usually requires a separate vendor. I can’t vouch for how these Meraki features compare to the WAN optimization capabilities of Riverbed Technology or the next-generation firewall capabilities of Palo Alto Networks and Check Point Software. But Meraki isn’t interested in competing with Riverbed, Palo Alto or Check Point. It’s going after Cisco.

“We view WAN acceleration as a way to differentiate ourselves from Cisco as opposed to a way to compete with Riverbed,” Meraki’s Sekar said. “For every company that has Riverbed, there are 10 who don’t, because they can’t absorb the cost or the complexity. But everyone needs a firewall.”

Is a low-cost, easily managed networking vendor something you’re looking for? Or do you still prefer to go for the higher-end products from your established vendors? Let us know.

Given the angst over the FWSM, I was surprised to see how little fanfare Cisco gave the unveiling of its new ASA (Adaptive Security Appliance) Services Module for the Catalyst 6500. It merited a one sentence reference in Cisco’s press release and just a bullet point in the slide-deck I was shown this week as Cisco rolled out a huge slate of new data center technologies. Cisco gave more publicity to a new Application Control Engine (ACE) module for the 6500 that can do dynamic load balancing of VM workloads across data centers.

The ASA Services Module has 20 Gbps of maximum firewall throughput and it supports 300,000 connections per second, 10 million concurrent connections and 1,000 VLANs. You can install four of them in a single Catalyst 6500.

It’s nice to see these new service modules for the Catalyst 6500, but customers want to see comparable products for the Nexus 7000 products. Cisco hasn’t offered any guidance on what the future holds for bringing such functionality to its newer switch line. However, Cisco has developed a Virtual Security Gateway product which runs as software on the Nexus 1010 box, a command and control appliance for the Nexus 1000v virtual switch. Perhaps Cisco plans on doing all this stuff in software rather than hardware with Nexus.

A few months ago I reported about how vendors like Cisco and Check Point have created software that essentially extends the reach of physical firewalls into a server’s hypervisor. At the time, Juniper was developing the same capability by partnering with virtualization security startup Altor Networks. Not long after I wrote that story, Juniper bought Altor. Now just a couple months after the deal Juniper has announced that it’s integrated Altor’s technology with its firewalls, the SRX Series Services Gateway products. Juniper’s new vGW Virtual Gateway is a hypervisor-level firewall based on Altor’s technology. Network engineers can deploy vGW on every virtualized server in a data center and then manage and enforce security on the VMs on those servers through the SRX hardware.

“Typically we see the data center carved up into different [security] zones,” said Peter Lunk, director of product marketing at Juniper. “We’ve done integration so that the vGW can pull down zone information from the SRX and then it can populate and place individual VMs sitting on that server into the different zones assigned by the SRX. Then it can push that information up to the SRX. Now you can see all the way down to the VM level and see which virtual machines are sitting in which zone. Now [engineers] have control over whether you can move VMs in and out of those zones. And if you’re turning up a new VM, [engineers can control] which zone it needs to be attached to. If someone is trying to change the VM we have some control over that as well.”

A product like this gives network security engineers renewed visibility and control over what’s happening within virtual infrastructure. It should also have plenty of application in cloud computing environments as well.

The vGW can also mirror traffic within hypervisors up to the SRX so that the SRX can perform deep analysis on packets and basic reporting on any anomalies. Lunk said Juniper will expand on this mirroring capability in the future. He declined to offer details, but undoubtedly Juniper will add some automated security response features to the SRX for traffic mirrored by the vGW.

Lunk said Juniper has also done some engineering work to make Altor’s syslogs compatible with its own, so that the vGW can report into Juniper’s Security Threat Response Manager (STRM).

The other briefing was strictly about Cisco’s security business. It was a WebEx panel led by Cisco’s security technology chief Tom Gillis and a coterie of marketing and product management folks. Unlike the first briefing, which was a one-on-one affair, this one was open to an unknown number of reporters and analysts who dialed in or made the trip to California to be there in person.

Gillis used this event to lay out Cisco’s current game plan for network security. The details of this talk didn’t make it into my Borderless Networks story this week, so I thought I’d lay out some of the basics here.

First, Gillis reviewed the state of Cisco’s security play. The company has an impressive footprint.

• Cisco earned $2.2 billion in security revenue in its 2010 fiscal year, which represented a 14.5% growth rate over the previous year.
• Cisco has 150 million VPN endpoint clients installed globally, and about 33% of them are the company’s new AnyConnect Secure Mobility client, a hybrid VPN/802.1X product.
• Cisco’s Security Intelligence Operations (SIO) center, the company’s threat and vulnerability analysis lab, processes 20 billion URLs per day and has more than 500 security researches, analysts and rule writers distributed across the world.

Next, Cisco dug into the details for the biggest security piece to come out of this week’s news: The Adaptive Security Appliance (ASA) 5585-X. This firewall/IPS/VPN gateway box is Cisco’s first attempt to offer a product with the scalability and power to compete with the data-center class versions of Juniper Networks’ SRX platform.

In the past networking pros have told me that the ASA 5500 series is a decent product that lacks the firepower and scalability for high-end data centers. Cisco hopes the 5585-X answers those critics.  Although the Cisco folks didn’t name the SRX or Juniper during this briefing, they did keep referring to vendor “J,” whose product’s specs bore an uncanny resemblance to the SRX3600.

The 5585-X comes in a 2 RU format (about 40% of the size of SRX boxes with similar specs) and offers 20 Gbps of simultaneous firewall and IPS throughput, 350,000 new connections per second and 8 million total connections. Cisco also said it draws less power than the vendor “J” product (785 watts to 1,750 watts).

The ASA 5585-X should give enterprises the ability to scale up the number of AnyConnect clients they deploy. AnyConnect is a hybrid of a IPsec VPN and SSL VPN client and a 802.11X supplicant. Cisco says it can run on pretty much any device and enable enterprises to provide secure network access to employees, partners and suppliers, regardless of what device they are on and where they are. Since 33% of Cisco’s VPN client footprint has already upgraded to this product, which was released earlier this year, customers should already be discovering for themselves whether AnyConnect is truly able to provide them with an open yet secure network.

Cisco has focused its marketing efforts on a broad range of new markets in recent years (telepresence, Flip video cameras, smart grid technology, and servers), leading some networking pros to question its commitment to its bread and butter markets like routing, switching and security. This week proved to me that Cisco is at least listening to those customers who are worried.

Asked by Ponemon to rank the effectiveness of technologies used to protect cardholder data, auditors identified encryption of data at rest and in motion, firewalls and endpoint encryption as the best technologies. Least effective were ID & credentialing systems, intrusion protection and detection systems (IDS and IPS), and website sniffers and crawlers. Ponemon’s research didn’t explain why auditors felt this way about the various technologies. A systems administrator at a nonprofit recently told SearchNetworking.com that his organization is looking at segmenting its network with VLANs to help implement the controls it needs for compliance.

Also, the corporate network is the MOST vulnerable infrastructure element to a potential data breach, auditors said. Fifty-one percent of auditors identified corporate networks as a weak point. Corporate databases (43%) were the second most vulnerable. Only 10% considered unattended payment terminals as a vulnerability.

Ponemon also revealed that the average Tier 1 merchant spend about $225,000 on its compliance audit, but it didn’t identify how much these company’s spend on operations and technology.  Auditors said that business units are the most likely (40%) part of a company to be responsible for auditing PCI compliance, but they unlikely to own responsibility for delivering that compliance (19%). IT security (30%) and the office of the CIO (10%) combine to own a plurality of compliance responsibility. This division of responsibility between compliance and auditing could create some tension between IT and business units.