Enterprise Strategy Group | Getting to the bigger truth.™

Posts Tagged ‘AnyConnect’

Identity and Networking

Tuesday, January 25th, 2011

For the past 15 years or so, the networking industry has been hinting at a vision with a snappy title like “identity-driven networking.” I first heard this concept in the late 1990s when Cisco came up with its own spin on this theme with an initiative called Directory Enabled Networking (DEN). The thought was that the network would query the network directories to enforce some kind of access control policy based upon user properties stored in network directories. Cisco nailed the vision and was way ahead of its time.

So what’s happened since? Things were slow and spotty for a while with a few hints of innovation. Broadband access led to VPNs. Wireless networking led to the need for 802.1X device authentication. Worm storms in 2004 led to a flurry of activity around Cisco’s Network Admission Control (NAC) and Microsoft’s Network Access Protection (NAP) to keep “unhealthy” PCs off the network. Each of these advanced the cause, but rather than fulfill the identity-driven network vision, these were really tactical solutions.

Fast forward to 2011: the industry has moved on to 40/100Gb Ethernet, IPv6, virtualization, and cloud computing, so you don’t hear much about identity-driven networking anymore–but in point of fact, the vision is coming together. Networks can now recognize multiple types of devices, network location, and user attributes to enforce policies. Critical application traffic can be prioritized on a user-by-user basis while other applications can be blacklisted or rate limited based upon users and groups. VPNs are now automated: no more IPSec clients, user names, or passwords; you can get to the network resources you want to from wherever you are.

A few leading examples include Cisco AnyConnect VPN, Juniper’s Pulse Client and the Funk Software RADIUS server, and Extreme Networks Identity Manager.

We are quickly moving to the service paradigm of identity management where entities like users and devices connect to network services for connectivity, application access, printing, etc. Cloud computing will only accelerate this transition. In this type of architecture, networks have to play a role in “knowing” who or what wants network access, enforcing policies based upon this information, and then optimizing good traffic and blocking bad traffic. It is nice to see that we are making real progress.

Enterprises Want Broad Functionality for Mobile Device Security

Monday, November 1st, 2010

Now that we all have an assortment of iPhones, Droids, tablet devices, and Windows devices, lots of industry folks believe that mobile security is the next hot market. There are a number of players already in this market, from pure plays like Good Security and Mobile Active Defense. Traditional endpoint security vendors like McAfee see this as an extension of their antivirus business. Symantec is in the same boat with antivirus as well as encryption software from PGP. Networking vendors also see upside in the mobile device security market. Cisco has AnyConnect and ScanSafe, while Juniper Networks wants to combine its Pulse client with its recent acquisition of SMobile.

These vendors come at mobile security from many different angles with different security functionality in different places–some on the device and some on the network. Will this confuse the market? No. Enterprises are actually looking for a wide range of mobile device security functionality. According to an ESG Research survey of 174 security professionals working at enterprise (i.e., more than 1,000 employees) organizations, the top three most important mobile device features are 1) device encryption, 2) device firewall, and 3) strong authentication. They also want things like DLP, VPN, and device locking.

Beyond security functionality, most enterprises also want an integrated platform for mobile device security and management. In other words, they want a single software package for device provisioning, configuration, reporting, etc. They also want a common set of features for all mobile devices rather than a potpourri of different features for iPhone, Windows 7, Droid, Palm, etc.

It appears, then, that the mobile device security market will include networking, security, and management vendors along with device manufacturers and carriers as well. Personally, I think mobile device security will have a network architecture look to it, with technology safeguards built into devices, the enterprise, and the cloud. If this happens, integration will be critical for all leading products.

Cisco Bolts Into High-End Network Security — Again!

Wednesday, October 6th, 2010

If you look at revenue numbers, Cisco is the clear leader in network security. That said, the company has been far less visible over the last few years–especially at the high end of the market in consolidated data centers, wired and wireless carrier networks, and cloud computing infrastructure. This opened that lucrative market to Juniper’s SRX and the security duo of Crossbeam Systems/Check Point.

As the saying goes, “never wake the sleeping giant.” In an unprecedented series of announcements yesterday, Cisco announced its new high-end security system, the ASA 5585X. Cisco’s deepening data center chops are clearly evident here. The ASA 5585X is a 2 rack unit appliance, a small form factor that one-ups the competition in terms of power, space, and cooling but still delivers massive data center performance from 2Gb to 20Gb of throughput. Cisco also demonstrated that it is paying attention to the mobile Internet market by emphasizing that the 5585X can deliver up to 350,000 connections per second — a metric that will really appeal to wireless carriers.

The ASA 5585X announcement was one drop of a veritable waterfall of news coming out of Cisco yesterday. Whether you love Cisco or hate it, you have to give the company credit — all of the announcements were strong on their own, tied together with overall company initiatives, and supported one another. For example, the ASA 5585X announcement:

  1. Balanced security and performance. Beyond announcing a “hot box,” Cisco is also reminding the market of its security prowess. The 5585X combines traditional defenses like firewall and IDS/IPS but it also leverages IronPort services for content security, web security, and its security reputation database.
  2. Ties into the Secure Borderless Network Initiative. Here, Cisco is highlighting that the 5585X supports AnyConnect, Cisco’s “always-on” VPN client. AnyConnect is designed to create trusted client/server relationships, encrypt all traffic, and ease connectivity for mobile workers. By linking these two products, Cisco can compete for network security in the wireless carrier space AND push AnyConnect as a universal endpoint standard.
  3. Focuses on the new data center. Cisco can bundle the 5585X into huge deals that also feature UCS, Catalyst, Nexus, etc.

I don’t know how the ASA 5585X compares to the competition, but speeds-and-feeds are somewhat beside the point. The ASA 5585X gets Cisco back in the game. Combined with Cisco’s growing portfolio, data center experience, and unmatched marketing messages, it will most certainly sell a lot of high-end security boxes.

End of life for CSA? That’s okay!

Wednesday, June 16th, 2010

Earlier this week, Cisco announced its intentions to end-of-life the Cisco Security Agent (CSA) at the end of the year. Cisco will continue to support CSA for another 3 years but it won’t enhance the product any longer.

Moving forward, Cisco’s endpoint security efforts will center upon AnyConnect, an agent-based offering that unifies endpoint connectivity, TrustSec, DLP, threat defenses, and policy management. As far as pure AV protection, Cisco will recommend partnering with vendors like Sophos and Trend Micro.

What’s going on here? Is Cisco walking away from an entire product and market? No. In fact, ESG believes this decision demonstrates guts and vision. Cisco has never had any luck with Windows client software, and that’s really what CSA is. Cisco may be saying adios to Windows, but this move is right down Broadway as it aligns with Cisco’s strengths and market direction. Why? Because:

  1. Windows PCs are no longer the point. We all have PCs, smart phones, Macs, etc., and this list will only grow over time. I want to secure my stuff, not my Windows PC. How can you amalgamate this task? Through the network, of course. This is exactly what Cisco wants to do.
  2. Think cloud. Yes, the cloud will provide us all with infrastructure, applications, and services, but it can also be a big honking proxy service. As we virtualize our workloads, this has to happen. Cisco gets this and is already offering cloud-based security services via IronPort and Scansafe. This is the future, not CSA.
  3. The definition of endpoint security has grown. When Cisco acquired Okena, endpoint security was really about malware protection. Now endpoint security extends to identity, access controls, usage policies, and data assurance. Again, most of these other functions can be managed via the network.

Cisco has a fair number of CSA customers so I’m sure some folks within the company wanted to continue to invest in the product. This would have been the easy “let’s not rock the boat” decision.

Yes, this would have been the easy path but it also would have been the wrong decision. Cisco can now focus on endpoint security from a position of network/cloud strength rather than its Windows PC weakness.

The market is already headed in this direction. Cisco is simply shedding some legacy baggage and positioning the company at the nexus of endpoint, network, and cloud security. This is the absolute right decision.

© 2011 Enterprise Strategy Group, Milford, MA 01757