For the past 15 years or so, the networking industry has been hinting at a vision with a snappy title like “identity-driven networking.” I first heard this concept in the late 1990s when Cisco came up with its own spin on this theme with an initiative called Directory Enabled Networking (DEN). The thought was that the network would query the network directories to enforce some kind of access control policy based upon user properties stored in network directories. Cisco nailed the vision and was way ahead of its time.
So what’s happened since? Things were slow and spotty for a while with a few hints of innovation. Broadband access led to VPNs. Wireless networking led to the need for 802.1X device authentication. Worm storms in 2004 led to a flurry of activity around Cisco’s Network Admission Control (NAC) and Microsoft‘s Network Access Protection (NAP) to keep “unhealthy” PCs off the network. Each of these advanced the cause, but rather than fulfill the identity-driven network vision, these were really tactical solutions.
Fast forward to 2011: the industry has moved on to 40/100Gb Ethernet, IPv6, virtualization, and cloud computing, so you don’t hear much about identity-driven networking anymore–but in point of fact, the vision is coming together. Networks can now recognize multiple types of devices, network location, and user attributes to enforce policies. Critical application traffic can be prioritized on a user-by-user basis while other applications can be blacklisted or rate limited based upon users and groups. VPNs are now automated: no more IPSec clients, user names, or passwords; you can get to the network resources you want to from wherever you are.
A few leading examples include Cisco AnyConnect VPN, Juniper‘s Pulse Client and the Funk Software RADIUS server, and Extreme Networks Identity Manager.
We are quickly moving to the service paradigm of identity management where entities like users and devices connect to network services for connectivity, application access, printing, etc. Cloud computing will only accelerate this transition. In this type of architecture, networks have to play a role in “knowing” who or what wants network access, enforcing policies based upon this information, and then optimizing good traffic and blocking bad traffic. It is nice to see that we are making real progress.
Tags: 802.1X, AnyConnect, Cisco, DEN, Extreme Networks, identity-driven networking, Juniper, Juniper Pulse, NAC. NAP, RADIUS, Security Posted in Uncategorized | 1 Comment »
Now that we all have an assortment of iPhones, Droids, tablet devices, and Windows devices, lots of industry folks believe that mobile security is the next hot market. There are a number of players already in this market from pure plays like Good Security and Mobile Active Defense. Traditional endpoint security vendors like McAfee see this as an extension of its antivirus business. Symantec is in the same boat with antivirus as well as encryption software from PGP. Networking vendors also see up-side in the mobile device security market. Cisco has AnyConnect and ScanSafe while Juniper Networks wants to combine its Pulse client with its recent acquisition of SMobile.
These vendors come at mobile security from many different angles with different security functionality in different places–some on the device and some on the network. Will this confuse the market? No. Enterprises are actually looking for a wide range of mobile device security functionality. According to an ESG Research survey of 174 security professionals working at enterprise (i.e., more than 1,000 employees) organizations, the top three most important mobile device features are 1) device encryption, 2) device firewall, and 3) strong authentication. They also want things like DLP, VPN, and device locking.
Beyond security functionality, most enterprises also want an integrated platform for mobile device security and management. In other words, they want a single software package for device provisioning, configuration, reporting, etc. They also want a common set of features for all mobile devices rather than a potpourri of different features for iPhone, Windows 7, Droid, Palm, etc.
It appears then that the mobile device security market will include networking, security, and management vendors along with device manufacturers and carriers as well. Personally, I think mobile device security will have a network architecture look to it, with technology safeguards built into devices, the enterprise, and the cloud. If this happens, integration will be critical for all leading products.
Tags: Android, AnyConnect, Cisco, Droid, Good Security, iPhone, Juniper Networks, McAfee, Mobile Active Defenses, Palm, PGP, ScanSafe, SMobile, Symantec, Windows 7, Windows 7 Phone Posted in Uncategorized | No Comments »
If you look at revenue numbers, Cisco is the clear leader in network security. That said, the company has been far less visible over the last few years–especially at the high-end of the market in consolidated data centers, wired and wireless carrier networks, and cloud computing infrastructure. This opened this lucrative market to Juniper’s SRX and the security duo of Crossbeam Systems/Check Point.
As the saying goes, “never wake the sleeping giant.” In an unprecedented series of announcements yesterday, Cisco announced its new high-end security system, the ASA 5585X. Cisco’s deepening data center chops are clearly evident here. The ASA 5585X is a 2 rack unit appliance, a small form factor that one-ups the competition in terms of power, space, and cooling but still delivers massive data center performance from 2Gb to 20Gb of throughput. Cisco also demonstrated that it is paying attention to the mobile Internet market by emphasizing that the 5585X can deliver up to 350,000 connections per second — a metric that will really appeal to wireless carriers.
The ASA 5585X announcement was one drop of a veritable waterfall of news coming out of Cisco yesterday. Whether you love Cisco or hate it, you have to give the company credit — all of the announcements were strong on their own, tied together with overall company initiatives, and supported one another. For example, the ASA 5585X announcement:
I don’t know how the ASA 5585X compares to the competition, but speeds-and-feeds are somewhat beside the point. The ASA 5585X gets Cisco back in the game. Combined with Cisco’s growing portfolio, data center experience, and un-matched marketing messages, it will most certainly sell a lot of high-end security boxes.
Tags: AnyConnect, ASA 5585X, Borderless Networks, Check Point, Cisco Systems, Crossbeam Systems, Juniper Networks Posted in Uncategorized | No Comments »
Earlier this week, Cisco announced its intentions to end-of-life the Cisco Security Agent (CSA) at the end of the year. Cisco will continue to support CSA for another 3 years but it won’t enhance the product any longer.
Moving forward, Cisco’s endpoint security efforts will center upon AnyConnect, an agent-based offering that unfies endpoint connectivity, TrustSec, DLP, threat defenses, and policy management. As far as pure AV protection, Cisco will recommend partner with vendors like Sophos and Trend Micro.
What’s going on here? Is Cisco walking away from an entire product and market? No. In fact, ESG believes this decision demonstrated guts and vision. Cisco has never had any luck with Windows client software and that’s really what CSA is. Cisco may be saying adios to Windows but this move is right down Broadway as it aligns with Cisco’s strengths and market direction. Why? Because:
Cisco has a fair number of CSA customers so I’m sure some folks within the company wanted to continue to invest in the product. This would have been the easy “let’s not rock the boat” decision.
Yes, this would have been the easy path but it also would have been the wrong decision. Cisco can now focus on endpoint security from a position of network/cloud strength rather than its Windows PC weakness.
The market is already headed in this direction. Cisco is simply shedding some legacy baggage and positioning the company at the nexus of endpoint, network, and cloud security. This is the absolute right decision.
Tags: AnyConnect, Cisco Systems, Okena, Sophos, Trend Micro Posted in Uncategorized | No Comments »
Your email: