Enterprise Strategy Group | Getting to the bigger truth.TM

Posts Tagged ‘Cisco Systems’

The Smart-Fat and Smart-Thin Edge of the Network

Wednesday, November 17th, 2010

Take a look at ESG Research and you’ll see a number of simultaneous trends. Enterprises are consolidating data centers, packing them full of virtual servers, and hosting more and more web applications within them. This means massive traffic coming into and leaving data centers.

Yes, this traffic needs to be switched and routed, but this is actually the easiest task. What’s much harder is processing this traffic at the network for security, acceleration, application networking, etc. This processing usually takes place at the network edge, but additional layers are also migrating into the data center network itself for network segmentation of specific application services.

Think of it this way: There is a smart-fat network edge that feeds multiple smart-thin network segments.

The smart-fat network edge aggregates lots of network device functionality into a physical device, cluster of devices, or virtual control plane. This is the domain of vendors like Cisco, Crossbeam Systems, and Juniper Networks for security and companies like A10 Networks, Citrix (Netscaler), and F5 Networks for application delivery. These companies will continue to add functionality to their systems (for example, XML processing, application authentication/authorization, business logic, etc.) to do more packet and content processing over time. It wouldn’t surprise me at all if security vendors added application delivery features and the app delivery crowd added more security.

Once the smart-fat network edge treats all traffic, packets and content will be processed further within the data center (i.e., smart-thin network edge). This will most likely be done using virtual appliances like the Citrix VPX. Why? Virtual appliances can be provisioned on the fly with canned policies or customized for specific workloads. They can also follow applications that migrate around internal data centers or move to public clouds.

A few other thoughts here:

  1. I’m sure we’ll see new startups focused on smart-thin virtual appliances but I don’t expect them to succeed. Existing vendors will simply deliver virtual appliance form factors and dominate this business.
  2. Legacy vendors have the best opportunity here as many users will want common command-and-control for the smart-fat edge and the smart-thin edge. Nevertheless, this further network segmentation does provide an opportunity for aggressive vendors to usurp customer accounts and marketshare.
  3. Smart-fat edge systems are delivered as physical devices today but this isn’t necessarily true for the future. I can see virtual appliances with horizontal scalability running on , HP, or IBM blade servers in the future.

The smart-fat, smart-thin architecture is already playing out in cloud computing and wireless carrier networks today and I expect it to become mainstream in the enterprise segment over the next 24 months. The technology is ready today but many users have no idea how to implement this type of architecture or capitalize on its benefits. Vendors who can guide users along with knowledge transfer, best practices, and reference architectures are most likely to reap the financial rewards.

Cisco’s “Kitchen Sink” Product Announcements

Thursday, October 7th, 2010

Did you see the series of announcements Cisco made this week? It was pretty impressive. This is the traditional season where Cisco announces products and new initiatives but this week’s announcements were very extensive — new switches, routers, security devices, wireless access points, WAN optimization equipment, etc.

In its marketing mastery, Cisco related all of these announcements to two core strategic initiatives, data center virtualization and borderless networks. In other words, Cisco is talking about the way IT applications and services are hosted (central data centers, virtualization, cloud), and the way they are accessed (wired and wireless networks, security, access control).

Cisco is clearly demonstrating that it plays in a different space than it used to. It’s all about industries, business processes, and enterprise IT now; the network simply glues all the pieces together. So why all these announcements at once? Doesn’t this water down the individual piece parts? I don’t think so. Cisco is actually doubling down on integration across its products with an overall strategy aimed at:

  1. Competing on all fronts. In one day, Cisco delivered a response to a spectrum of IT vendors like Aruba, Check Point, Juniper Networks, and Riverbed. Cisco may not have the “best-of-breed” product in each category but it is reinforcing the message that the whole is greater than the sum of its parts.
  2. Out-executing the big competition. Cisco is betting that it can deliver technology integration and enterprise IT initiatives faster than its primary competitors — HP and IBM. There is some precedent here–HP and IBM business units haven’t always worked together well so Cisco believes it can capitalize on its organizational structure and market momentum.

Now I realize that the “integrated stack” story has limited value today since customers have a history of buying servers from HP, wired networks from Cisco, Wi-fi from Aruba, storage from , etc. That said, IT is radically changing. For example, ESG Research indicates that server virtualization is driving a lot more cooperation across disparate functional IT groups. As these organizations come together, it’s only natural that they will look for common solutions from fewer vendors.

In the meantime, service providers and financially-strapped organizations (i.e., State/local government, higher education, real estate, etc.) will look for IT savings anywhere they can, even if it means moving away from some vendors with relatively stronger point products in the process.

Cisco also has a services opportunity in that it gets to play services Switzerland and partner with companies like Accenture, CSC, and Unisys in competition with IBM Global Services and HP/EDS.

Lots of people knock Cisco products and point to better, faster, cheaper alternatives. Maybe, but the overall Cisco story seems pretty strong to me. As of Tuesday, Cisco has a bunch of new products that support its corporate strategy and make its story even stronger.

Cisco Bolts Into High-End Network Security — Again!

Wednesday, October 6th, 2010

If you look at revenue numbers, Cisco is the clear leader in network security. That said, the company has been far less visible over the last few years–especially at the high-end of the market in consolidated data centers, wired and wireless carrier networks, and cloud computing infrastructure. This opened this lucrative market to Juniper’s SRX and the security duo of Crossbeam Systems/Check Point.

As the saying goes, “never wake the sleeping giant.” In an unprecedented series of announcements yesterday, Cisco announced its new high-end security system, the ASA 5585X. Cisco’s deepening data center chops are clearly evident here. The ASA 5585X is a 2 rack unit appliance, a small form factor that one-ups the competition in terms of power, space, and cooling but still delivers massive data center performance from 2Gb to 20Gb of throughput. Cisco also demonstrated that it is paying attention to the mobile Internet market by emphasizing that the 5585X can deliver up to 350,000 connections per second — a metric that will really appeal to wireless carriers.

The ASA 5585X announcement was one drop of a veritable waterfall of news coming out of Cisco yesterday. Whether you love Cisco or hate it, you have to give the company credit — all of the announcements were strong on their own, tied together with overall company initiatives, and supported one another. For example, the ASA 5585X announcement:

  1. Balanced security and performance. Beyond announcing a “hot box,” Cisco is also reminding the market of its security prowess. The 5585X combines traditional defenses like firewall and IDS/IPS but it also leverages IronPort services for content security, web security, and its security reputation database.
  2. Ties into the Secure Borderless Network Initiative. Here, Cisco is highlighting that the 5585X supports AnyConnect, Cisco’s “always-on” VPN client. AnyConnect is designed to create trusted client/server relationships, encrypt all traffic, and ease connectivity for mobile workers. By linking these two products, Cisco can compete for network security in the wireless carrier space AND push AnyConnect as a universal endpoint standard.
  3. Focuses on the new data center. Cisco can bundle the 5585X into huge deals that also feature UCS, Catalyst, Nexus, etc.

I don’t know how the ASA 5585X compares to the competition, but speeds-and-feeds are somewhat beside the point. The ASA 5585X gets Cisco back in the game. Combined with Cisco’s growing portfolio, data center experience, and unmatched marketing messages, it will most certainly sell a lot of high-end security boxes.

Juniper’s Mobile Device Security Gamble

Tuesday, August 3rd, 2010

Cisco Systems has purchased dozens of companies in its history, so most deals receive relatively little attention. There are exceptions, however. When Cisco acquired companies like Scientific-Atlanta (2005), WebEx Communications (2007), and Jabber, Inc. (2008), it signaled a change. Cisco was broadening its strategic focus and viewing the network as a platform rather than a series of boxes. Fast forward to the present and Cisco continues to acquire companies and technologies that build on top of its network platform and customer base.

In my humble opinion, Juniper Networks made a similar strategic transition last week when it acquired SMobile, a privately-held software company specializing in smartphone and tablet security.

Allow me to explain: like Cisco in 2005, Juniper always thought of itself as a networking hardware vendor. This changed in late 2009, when Juniper announced several products and programs centered around its core operating system, JUNOS. The goal? Make JUNOS a development platform for network-based functionality.

The SMobile acquisition demonstrates that Juniper is willing to put its money where its mouth is and build the value of JUNOS through acquisitions, not just internal development projects. In announcing the deal, Juniper highlighted its plans to integrate SMobile security with its JUNOS Pulse endpoint software for network connectivity and acceleration.

The story gets better. The JUNOS Pulse/SMobile client will gain added functionality when combined with the other elements of the Juniper platform built into carrier-class networking and high-end security systems. Who is using all of the elements of the platform? Wireless carriers who are already big Juniper customers. Juniper figures that it can help these carriers create lucrative and profitable services built on top of JUNOS. Mobile device network access, security, and high performance seem like a great place to start.

Unlike Cisco, Juniper hasn’t strayed too far from its comfort zone by acquiring companies focused on consumer electronics or cloud computing applications. Good idea–Juniper is pretty insular and engineering-focused, so it needs to proceed slowly and really leverage its technical strengths, install base, and the JUNOS software development mission.

I believe that Juniper does have a great opportunity with JUNOS and I like the company’s strategy and the SMobile acquisition. But unless you follow Juniper pretty closely, you probably still think of it as a network hardware company and you’ve most likely never even heard of JUNOS. In a similar situation, Cisco would create a flurry of marketing campaigns, events, programs, and business development programs. Juniper isn’t Cisco, but it needs to take a page out of the John Chambers playbook to make SMobile, JUNOS, and its overall software strategy a success.

For those interested in more information, I’ve also written a brief on the acquisition, which can be found here.

End of life for CSA? That’s okay!

Wednesday, June 16th, 2010

Earlier this week, Cisco announced its intentions to end-of-life the Cisco Security Agent (CSA) at the end of the year. Cisco will continue to support CSA for another 3 years but it won’t enhance the product any longer.

Moving forward, Cisco’s endpoint security efforts will center upon AnyConnect, an agent-based offering that unifies endpoint connectivity, TrustSec, DLP, threat defenses, and policy management. As for pure AV protection, Cisco will recommend partner vendors like Sophos and Trend Micro.

What’s going on here? Is Cisco walking away from an entire product and market? No. In fact, ESG believes this decision demonstrated guts and vision. Cisco has never had any luck with Windows client software and that’s really what CSA is. Cisco may be saying adios to Windows but this move is right down Broadway as it aligns with Cisco’s strengths and market direction. Why? Because:

  1. Windows PCs are no longer the point. We all have PCs, smart phones, Macs, etc., and this list will only grow over time. I want to secure my stuff, not my Windows PC. How can you amalgamate this task? Through the network, of course. This is exactly what Cisco wants to do.
  2. Think cloud. Yes, the cloud will provide us all with infrastructure, applications, and services, but it can also be a big honking proxy service. As we virtualize our workloads, this has to happen. Cisco gets this and is already offering cloud-based security services via IronPort and Scansafe. This is the future, not CSA.
  3. The definition of endpoint security has grown. When Cisco acquired Okena, endpoint security was really about malware protection. Now endpoint security extends to identity, access controls, usage policies, and data assurance. Again, most of these other functions can be managed via the network.

Cisco has a fair number of CSA customers so I’m sure some folks within the company wanted to continue to invest in the product. This would have been the easy “let’s not rock the boat” decision.

Yes, this would have been the easy path but it also would have been the wrong decision. Cisco can now focus on endpoint security from a position of network/cloud strength rather than its Windows PC weakness.

The market is already headed in this direction. Cisco is simply shedding some legacy baggage and positioning the company at the nexus of endpoint, network, and cloud security. This is the absolute right decision.

Juniper’s New Network Gains Traction

Tuesday, May 18th, 2010

Yesterday, Juniper Networks made a series of announcements. The company is introducing technologies to flatten and secure the data center network and change the economic model. Juniper will offer multiple new homegrown and third-party applications built on top of Junos (a.k.a., the Junos Space initiative). Juniper is also changing its support model for enterprise customers and offering its support in conjunction with IBM and other partners.

These announcements are receiving positive, yet lukewarm, reviews. I read several articles saying that Juniper isn’t going far enough; that it is too secretive about its Stratus project and that it isn’t talking enough about storage.

Hmm. I understand these responses — Juniper has never been a company that goes out on a limb to discuss its roadmap or vision. The whole notion of the “new network” is also pretty vague. That said, I think the naysayers are overlooking one important fact: Juniper is making steady progress in new areas. Two years ago, Juniper’s enterprise presence was limited to high-end routers and security devices. Now, it has a full data center portfolio and is winning enterprise accounts. Industry insiders may not get this, but Wall Street certainly does.

Juniper faces a tough road ahead. Cisco owns the enterprise, is refreshing its product line, and is the absolute thought leadership master. HP now owns the 3Com high-end stuff and will try to leverage its enterprise server and storage base to hawk networking equipment. The battle to compete with Cisco or become the #2 enterprise networking vendor will be a long, hard struggle.

After years of technical geek-speak, Juniper now seems up to the task at hand. Yes, it still needs more vision, but in my view, the company continues to make steady progress — just look at its financial results.

FedRAMP Seeks to Unify Cloud Computing Security Standards Across the U.S. Government

Wednesday, May 5th, 2010

Yesterday, I hosted a panel at the Cloud Computing summit focused on cloud security for the federal government. The panel was made up of some smart folks: Alex Hart from VMware, Bob Wambach from , and one of the primary authors of the Cloud Security Alliance guidelines, Chris Hoff from Cisco.

While these folks offered great contributions, most questions were focused on the fourth member of the panel, Peter Mell from NIST, the chair of the Federal Cloud Computing Advisory Council. Why? Let’s just say that Mell may be the single individual most focused on cloud security in the world. He has been tasked with defining cloud computing standards for the entire federal government–a big responsibility since President Obama and Federal CIO Vivek Kundra continue to trumpet the benefits of cloud computing and push federal agencies to adopt pilot projects.

Mell’s work will soon come to fruition when the feds introduce the Federal Risk and Authorization Management Pilot program (FedRAMP). FedRAMP has two primary goals:

  1. Aggregate cloud computing standards. Today, many agencies have their own sets of standards, which complicates procurement and frustrates federally-focused technology vendors. FedRAMP is intended to consolidate cloud computing requirements into one set of standards that span the entire federal government.
  2. Ease agency certification processes. Let’s say Microsoft’s federal cloud is FISMA-certified by the Dept. of Agriculture. In today’s world, this wouldn’t matter to any other agency–they would still be required to certify Microsoft’s cloud before procuring services. Kundra, Mell, et al. recognize the redundancy and waste here. With FedRAMP, once a cloud provider passes the Certification and Accreditation (C and A) of one agency, all other agencies get a free pass.

Since FedRAMP is still a work in progress, the audience made up of federal IT people had a lot of questions about all of the fine points. Thus Mell was in the hot seat for most of the time.

Peter Mell deserves a lot of credit. Federal agencies have often acted independently with regard to IT, so Mell and his team are herding cats.

If FedRAMP works, cloud service providers can deliver to a single set of standards. This will encourage innovation and bolster competition. On the agency side, FedRAMP could pave the way for a wave of cloud computing consumption over the next few years. What happens if FedRAMP fails? The federal government becomes difficult to service, so most cloud service providers treat it as a market niche. If that happens, the federal government could lose its cloud computing leadership and momentum very, very quickly.

Final thoughts on Interop — and Las Vegas

Friday, April 30th, 2010

Okay, I’m back in sunny Boston after four days at Interop. I’m now convinced that no normal person should be subject to Las Vegas for more than this amount of time. Everyone I ran into yesterday was looking forward to leaving. I flew out at 2:15 and found that people with later flights were jealous. This says it all.

Enough about the fake city however. As for Interop, a lot of people thought that the 2009 downer indicated that Interop may not be around much longer. In less than a year, the buzz has returned under the guise of strong financials, more market demand, and cloud computing. Here are my final thoughts on the show:

  1. I was certainly entertained by the Xirrus booth that featured a real boxing ring with live sparring. That said, Xirrus positioned this as the Wi-Fi battle between Arrays and APs. Hasn’t this debate been settled? Personally, I think that Wi-Fi must evolve into a smart mesh that seamlessly integrates into the wired network. Aerohive seems especially innovative in this regard.
  2. I was impressed last year by 3Com’s product line and bravado but wondered if it really had the resources to impact Cisco. Now that 3Com is part of HP, those concerns go away. At the very least, Cisco margins will be impacted every time HP is in a deal but HP’s product line and resources may represent the first real Cisco challenger since Wellfleet Networks. HP’s problem? Marketing. When Cisco leads with its compelling borderless network vision, HP can’t simply respond with price/performance. What’s HP’s vision of the network in a cloud computing-based world? To challenge Cisco, it needs its own vision and thought leadership — qualities that HP hasn’t been strong with in the past.
  3. The WAN optimization market continues to flourish with Blue Coat, Cisco, and Riverbed leading the pack. To me, the next battle royale here is desktop virtualization. Which vendor will offer the best support? Too early to tell but this certainly provides a new opportunity for Citrix and its Branch Repeater product.
  4. It seems like the application acceleration market has become a two horse race between F5 and Citrix/NetScaler. I was impressed by some new feature/functionality from Brocade and also like scrappy startup A10 Networks who play the “hot box” role in this market. Of course Cisco plays in this market as well. I need to ask my friends in San Jose for an update as the competition is aggressive and confident.
  5. Yes, Juniper wasn’t at Interop. Should we read anything into this as some people have suggested? No. Just look at Juniper’s financial results and you’ll see that the company is doing quite well. With all due respect to the folks who run Interop, it is no longer a requirement to attend industry trade shows.

One final thought. I don’t think anyone really knows what the network will look like in a world with cloud computing, advanced mobile devices, and ubiquitous wireless broadband. In my opinion, this means that the network business is up for grabs in a way it hasn’t been in the past. This should make next-year’s Interop just as exciting — I just wish it were at the Moscone Center.

PS: Thanks to all the folks who provided feedback on my comments about Arista Networks. Clearly, I owe Jayshree a call.

Observations from Interop

Wednesday, April 28th, 2010

I’m here in the wasteful energy capital of the world, Las Vegas, for Interop. After back-to-back meetings and a few strolls across the show floor, here are some of my observations:

  1. Extreme is demonstrating a 40GbE switch in its booth and is boasting an amazing $1,000 per port pricing. Others will follow very soon. To me, this aggressive pricing will certainly accelerate the transition to a converged data center network. Goodbye Fibre Channel and Infiniband, hello Ethernet everywhere.
  2. Lots of introductions of virtual networking appliances. Will these replace network hardware? I don’t think so but I do envision a pervasive hybrid model by the end of 2011.
  3. VC darling Arista is highlighting its new aggregation switch. Frankly, I don’t get it. Even if Arista switches offer the high performance and low latency that the company describes, isn’t this just a feature that all the other Ethernet switch vendors will quickly deliver? Does the world really need another Ethernet switching vendor regardless of the pedigree of the founders?
  4. What will the network look like in a world of cloud computing? Cisco’s borderless network is probably the most complete and well articulated vision.
  5. There is a lot of talk about network automation in order to make the network more responsive to the dynamic nature of virtual servers. I get it from an operations perspective but compliance, governance, and security folks are going to be scared to death when you can click a mouse and alter an entire network configuration. I strongly suggest that networking vendors review ITIL best practices for configuration and change management before they get too carried away with making the network more dynamic.
  6. Security appliance vendor Barracuda may do a good job with manufacturing and distribution, but hiring booth babes is rather tacky, even in Vegas.
  7. John McHugh is a perfect fit for Brocade and its vision for a data center fabric for all connectivity.

More tomorrow. I have to walk through the cigarette-smoke-filled casino and meet some friends for dinner.

Network Security Renaissance

Friday, March 19th, 2010

ESG’s research indicates that network security spending will be a focus area for 2010. Nearly half (48%) of midsized (less than 1,000 employees) and enterprise (more than 1,000 employees) organizations will invest in network security technologies like firewalls, IDS/IPS, gateways, and threat management solutions.

Yes, all of these technologies are important components of a defense-in-depth security architecture, but they are also quite mature. Why the network security renaissance? Because of:

  1. Equipment consolidation. I see lots of organizations replacing individual firewall appliances with big network security gateway products running virtual firewall instances. This simplifies the network and cuts down on software licensing costs. Good news for Check Point, Crossbeam Systems, and Juniper Networks.
  2. Network upgrades. There is plenty of 10GbE activity in the data center and in network backbone upgrades. Fast network throughput demands new security equipment. Advantage IBM/ISS, McAfee, Sourcefire, and TippingPoint (HP).
  3. Integrated security. Most enterprises are replacing standalone security devices with more integrated threat management solutions.
  4. New threats. The bad guys are way more sophisticated than an IPS device circa 2007. Large organizations need better threat detection, prevention, and mitigation. Furthermore, network security must work as a team with desktop, server, messaging, and other security defenses.

With all of this activity, many networking vendors stand to benefit. Cisco and Juniper have great network security offerings that interoperate with their core networking products. HP will pick up TippingPoint with 3Com, but it needs to build an architecture story quickly. Brocade is working with partners and must continue to make this a core part of its value. Other networking vendors need to make similar moves.

Security gets more complex each day, so state-of-the-art devices may have a short shelf life. Expect continuous investment in network security moving forward. Networking vendors that recognize this will put themselves in the best position.

© 2011 Enterprise Strategy Group, Milford, MA 01757
