Enterprise Strategy Group | Getting to the bigger truth.™

Posts Tagged ‘Juniper’

More from RSA

Thursday, February 17th, 2011

It’s late and my brain is fried from 3 days of meetings — but here are a few more observations from the RSA Security conference.

1. There is way less discussion about regulatory compliance than in the past, which puzzles me. Compliance fatigue? Perhaps, but with PCI 2.0, FISMA 2.0, and pending cyber security legislation, I expected more compliance banter. Actually, what I’d really like to hear is more talk about real-time IT risk management. RSA/Archer and Agiliance recently gave me a preview of what they are doing and it is truly a step in the right direction. We need better visibility into risk, better metrics, and more effective and efficient controls. Why aren’t more people talking about this?

2. Symantec is doing some nice integration between GuardianEdge, PGP, VeriSign, and its other existing products. It’s fashionable in the industry to downplay Symantec’s acquisition and integration skills, but the company really figured out how to do this over the past few years. Symantec needs to tell its story more often; it has a broad portfolio of tools that are starting to come together in visionary ways.

3. Both Juniper and Cisco have jumped into the mobile security market in a big way and will compete with the traditional endpoint security folks. What’s different here, however, is the role of the network, where a lot of access decisions and malware prevention processes will take place. Obviously, both of these companies know something about networks.

4. Vendors are starting to realize that enterprises need an integrated security architecture, not a bunch of disparate security products. Check Point’s 3-D security architecture is a great example, as it combines central policy management, identity-centric granularity, distributed enforcement, and lots of functionality (DLP, application controls, firewall, VPN, IDS/IPS, etc.). Tie this together with Check Point’s historical management strength and you have a pretty compelling enterprise architecture.

5. I really like Citrix’s commitment to Open vSwitch in its virtualization technology. The world is headed toward multiple hypervisors, which makes open standards like this a “must have.”

6. McAfee’s DLP story is very good and getting better in the near future. I like the analytics capabilities, which can make policy creation and testing much simpler than with other products. I hear that McAfee DLP sales are growing, not surprising given the market requirements and product capabilities.

More from SF tomorrow.

Identity and Networking

Tuesday, January 25th, 2011

For the past 15 years or so, the networking industry has been hinting at a vision with a snappy title like “identity-driven networking.” I first heard this concept in the late 1990s when Cisco came up with its own spin on this theme with an initiative called Directory Enabled Networking (DEN). The thought was that network devices would query the network directories and enforce some kind of access control policy based upon the user properties stored there. Cisco nailed the vision and was way ahead of its time.

So what’s happened since? Things were slow and spotty for a while with a few hints of innovation. Broadband access led to VPNs. Wireless networking led to the need for 802.1X device authentication. Worm storms in 2004 led to a flurry of activity around Cisco’s Network Admission Control (NAC) and Microsoft’s Network Access Protection (NAP) to keep “unhealthy” PCs off the network. Each of these advanced the cause, but rather than fulfill the identity-driven network vision, these were really tactical solutions.

Fast forward to 2011: the industry has moved on to 40/100Gb Ethernet, IPv6, virtualization, and cloud computing, so you don’t hear much about identity-driven networking anymore, but in point of fact the vision is coming together. Networks can now recognize multiple types of devices, network location, and user attributes to enforce policies. Critical application traffic can be prioritized on a user-by-user basis while other applications can be blacklisted or rate limited based upon users and groups. VPNs are now automated: no more manual IPsec client setup, user names, or passwords; you can get to the network resources you want from wherever you are.

A few leading examples include Cisco AnyConnect VPN, Juniper’s Pulse client and the RADIUS server it acquired with Funk Software, and Extreme Networks Identity Manager.

We are quickly moving to the service paradigm of identity management where entities like users and devices connect to network services for connectivity, application access, printing, etc. Cloud computing will only accelerate this transition. In this type of architecture, networks have to play a role in “knowing” who or what wants network access, enforcing policies based upon this information, and then optimizing good traffic and blocking bad traffic. It is nice to see that we are making real progress.
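To make the enforcement model described in the two paragraphs above concrete, here is an added example (mine, not code from the post or from any vendor named in it): a small policy engine that takes what the network has learned about an entity (user, directory groups, device type, location, endpoint posture) and returns an enforcement decision, including the standard RADIUS attributes used for dynamic VLAN assignment. The group names, VLAN numbers, ACL names and sample requests are assumptions constructed for the illustration.

```python
"""Identity-driven network access policy: an added, constructed illustration.

The network learns who/what is asking (user, groups, device type, location,
endpoint posture) and returns a decision a switch, wireless controller or VPN
gateway can apply: VLAN, per-user application priorities, blocked or
rate-limited applications. Group names, VLAN numbers and ACL names below are
assumptions chosen for the example, not any vendor's defaults.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AccessRequest:
    """What an 802.1X/RADIUS or VPN front end can tell the policy engine."""
    user: Optional[str]          # None when only the device authenticated (machine auth)
    groups: frozenset            # directory group memberships of the user
    device_type: str             # "managed-laptop", "byod-phone", "printer", "unknown", ...
    location: str                # "campus", "branch", "remote-vpn"
    posture_ok: bool             # endpoint health check passed (NAC/NAP style)


@dataclass(frozen=True)
class Decision:
    action: str                  # "accept", "quarantine" or "reject"
    vlan: Optional[int] = None
    priority_apps: Tuple[str, ...] = ()   # traffic to prioritise for this entity
    blocked_apps: Tuple[str, ...] = ()    # traffic to drop for this entity
    rate_limit_kbps: Optional[int] = None
    reason: str = ""

    def radius_attributes(self) -> Dict[str, object]:
        """Express the decision as the standard RADIUS attributes used for dynamic
        VLAN assignment (Tunnel-* attributes, RFC 2868 / RFC 3580) plus a Filter-Id
        naming an ACL the enforcement point must already have configured."""
        if self.action == "reject":
            return {}                      # an Access-Reject carries no tunnel attributes
        attrs: Dict[str, object] = {
            "Tunnel-Type": 13,             # VLAN
            "Tunnel-Medium-Type": 6,       # IEEE-802
            "Tunnel-Private-Group-ID": str(self.vlan),
        }
        if self.action == "quarantine":
            attrs["Filter-Id"] = "remediation-only"                  # assumed ACL name
        elif self.blocked_apps:
            attrs["Filter-Id"] = "deny-" + "-".join(self.blocked_apps)  # assumed naming
        return attrs


Rule = Callable[[AccessRequest], Optional[Decision]]


def unknown_entities(req: AccessRequest) -> Optional[Decision]:
    # No recognised identity at all: neither a user nor a known device class.
    if req.device_type == "unknown" or (req.user is None and req.device_type != "printer"):
        return Decision("reject", reason="unidentified entity")
    return None


def failed_posture(req: AccessRequest) -> Optional[Decision]:
    # "Unhealthy" endpoints get a remediation VLAN, not the network (the NAC/NAP idea).
    if not req.posture_ok:
        return Decision("quarantine", vlan=999, reason="posture check failed")
    return None


def printers(req: AccessRequest) -> Optional[Decision]:
    if req.device_type == "printer" and req.location != "remote-vpn":
        return Decision("accept", vlan=50, blocked_apps=("ssh", "rdp"), reason="printer segment")
    return None


def engineering_staff(req: AccessRequest) -> Optional[Decision]:
    if "engineering" in req.groups and req.device_type == "managed-laptop":
        return Decision("accept", vlan=100, priority_apps=("voip", "video-conf"),
                        blocked_apps=("p2p",), reason="engineering on managed device")
    return None


def contractors(req: AccessRequest) -> Optional[Decision]:
    if "contractors" in req.groups:
        if req.location == "remote-vpn":
            return Decision("reject", reason="contractors may not connect over VPN")
        return Decision("accept", vlan=200, blocked_apps=("p2p", "smb"),
                        rate_limit_kbps=2000, reason="contractor guest segment")
    return None


DEFAULT_RULES: List[Rule] = [unknown_entities, failed_posture, printers,
                             engineering_staff, contractors]


def decide(req: AccessRequest, rules: List[Rule] = DEFAULT_RULES) -> Decision:
    """First matching rule wins; anything no rule claims is rejected (fail closed)."""
    for rule in rules:
        decision = rule(req)
        if decision is not None:
            return decision
    return Decision("reject", reason="no policy matched")


if __name__ == "__main__":
    # Constructed sample requests, not captured from any real network.
    samples = [
        AccessRequest("alice", frozenset({"engineering"}), "managed-laptop", "campus", True),
        AccessRequest("alice", frozenset({"engineering"}), "managed-laptop", "branch", False),
        AccessRequest("bob", frozenset({"contractors"}), "byod-phone", "campus", True),
        AccessRequest("bob", frozenset({"contractors"}), "byod-phone", "remote-vpn", True),
        AccessRequest(None, frozenset(), "printer", "campus", True),
        AccessRequest(None, frozenset(), "unknown", "campus", True),
    ]
    for req in samples:
        d = decide(req)
        print(f"{str(req.user):6} {req.device_type:15} {req.location:10} -> "
              f"{d.action:10} vlan={d.vlan} {d.radius_attributes()} ({d.reason})")
```

Rule order is the point: posture is evaluated before any group rule, so an unhealthy engineer’s laptop lands in the remediation VLAN, and anything no rule claims is rejected rather than dropped onto a default VLAN. Two caveats for anyone wiring this to real gear: Filter-Id only names an ACL that the switch or gateway must already have defined, and an enforcement point that ignores the Tunnel-* attributes will silently leave the port on its static VLAN, which is worth checking explicitly during testing.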

Networking and Virtualization Vendors Should Join the Open vSwitch Effort

Thursday, September 16th, 2010

My colleague Mark Bowker and I are knee-deep in new research data on server virtualization. Within this mountain of data, we are discovering some existing and impending networking issues related to network switching.

Today, many server virtualization projects are led by server administrators, with little or no participation from the networking team. As you may imagine, this means that the server team configures all virtual switches to the best of its ability, without considering how physical switches are already configured. As things scale, the server team realizes the error of its ways and quickly calls the networking group in to help out. This is where things really break down. Before doing anything, the networking folks have to learn the virtualization platform, understand how the physical and virtual networks should interoperate, and then roll up their sleeves and start gluing everything together.

This is a painful learning curve but I believe that future issues will be far more difficult. As organizations increase the number of VMs deployed, networking configurations get more difficult — especially when VMs move around. Users regularly complain about the number of VLANs they have to configure, provision, and manage. This situation will grow worse and worse as VMs become the standard unit of IT.

In my mind, it makes no sense for virtualization vendors like Citrix, Microsoft, Oracle, and VMware to recreate the richness of physical L2 switches in the virtual world. So what can be done? Well, one alternative is to eliminate virtual switches entirely and do all switching at the physical layer via the Virtual Ethernet Port Aggregator (VEPA) standard being developed in the IEEE (as part of 802.1Qbg, Edge Virtual Bridging).

I believe this will happen, but in the meantime there is another alternative being discussed this week at the Citrix Industry Analyst Event: Open vSwitch. As described on the Open vSwitch project web site, “Open vSwitch is a multilayer virtual switch licensed under the open source Apache 2.0 license. The goal is to build a production quality switch for VM environments that supports standard management interfaces (e.g., NetFlow, RSPAN, ERSPAN, CLI), and is open to programmatic extension and control.”

Here’s why this makes sense to me:

  1. Given a pool of collective resources, a collaborative open effort would provide more advanced switching functionality sooner rather than later.
  2. An open alternative would expose APIs that could be easily integrated with leading switch management tools from Brocade, Cisco, Extreme, Force10, HP, Juniper, etc.
  3. Vendors would not have to integrate with each hypervisor independently. This would improve code quality and again speed time-to-market.

At the very least, Citrix, Microsoft, and Oracle should back this as a way to push back on VMware’s market share lead.

I’ve been around long enough to know the strengths and limitations of open source and standards but I think that with the right support, this one could have legs. I know that vendors have their own businesses to look after but isn’t another end goal to create products that the market wants? I think Open vSwitch would fit this bill.

Making Sense of Intel and McAfee: What this Acquisition is and is not.

Monday, August 23rd, 2010

It’s been a few days since Intel’s surprising McAfee acquisition announcement. This weekend, I took time to read what others were saying about the merger and there seems to be a lot of posturing and confusion out there. Here is a short list of some of the misconceptions:

  1. Intel is buying McAfee for mobile security. This may have strategic merit, but mobile security can’t possibly be a major motivation. Why? The whole mobile security market is extremely fragmented and worth a few hundred million dollars today. McAfee recently acquired its way into mobile security, so internal efforts are a work-in-progress. Rather than spend $7.7 billion on McAfee, Intel could have grabbed a vendor like Good Technology or Mobile Active Defense for a fraction of what it paid for McAfee. By comparison, Juniper just picked up SMobile for $70 million.
  2. Intel will bundle McAfee security functionality into vPro. Intel vPro has some security functionality for cryptography and secure communications, but nothing else. Why not integrate McAfee desktop security and even Safeboot encryption? Intel actually tried this for years with lots of partners and then buried the effort as if it never happened. I have to imagine that development was too difficult and too costly to proceed. I don’t think the McAfee acquisition changes anything.
  3. Intel wants to create hardware/software bundles for consumers. Some people think this will center around distribution alone, while others believe that Intel will create a vPro-like chip for consumer PCs. Neither of these things will happen. Consumer vPro won’t happen because it is too hard to do. Bundling won’t happen because of anti-trust. If bundling were possible, Microsoft would have done it two years ago.

Many of the smartest financial and industry analysts can’t make heads or tails out of this deal and I can understand their confusion. There really are no obvious synergies between the two technologies. Nevertheless, I believe that the security market is in transition where new products will need a whole new level of scale, intelligence, integration, and enterprise-class sophistication. The “new” security market will start abruptly and grow to over $1 billion extremely quickly. Intel wants a piece of this transition as well as portfolio diversification. It’s that simple.

Venture Capitalists MUST Invest More in Cybersecurity

Friday, April 16th, 2010

There is a glimmer of good news on the venture capital front. In Q1 2010, venture funding rose 38% from a year ago to $4.7 billion. What’s more, the pool of VC money is spread over 681 companies, a 7% increase from Q1 2009.

Good, but not great news. Most of the dough is going to biotech companies while investment in clean technology tripled.

The bad news? Investment in software declined 1% year over year. Remember that in Q1 2009, we were preparing for runs on banks and Hoovervilles.

While I have no data, there is anecdotal evidence suggesting additional bad news. I speak with security companies all the time and I simply don’t see VCs investing heavily in this space.

Perhaps they got burned investing in the 5th NAC, anti-spyware, or UTM vendor. Maybe they think that Cisco, Check Point, Juniper, McAfee, Symantec, and Trend Micro have everything covered. It could be that many believe that the whole tech space is mature, so they are chasing the new new thing in other technical areas.

I’m not sure why the VCs are eschewing security investments, but I do know that this is a problem. Why? At a time when attack volume is steadily increasing, cybercriminals operate like Fortune 500 companies, and FBI directors characterize cybersecurity attacks as “an existential threat to our nation,” the VCs are moving on to perceived greener pastures. In other words, there is serious demand for next-generation security skills and technology, but the supply-side continues to invest elsewhere. Bad economics and bad for the digital assets we all depend upon.

Okay, I understand that the VCs are in it for the money and nothing else, but something is wrong with this picture. It seems to me that when demand exceeds supply, there is money to be made. I’d like to see the VCs invest in security as a patriotic act, but I’m not optimistic. Therefore, I have a few ideas for the “smartest guys in the valley” on Sand Hill Rd.

  1. Co-invest with In-Q-Tel. In-Q-Tel is a VC firm that came directly out of the CIA. On its web site, the firm’s mission statement reads as follows: “In-Q-Tel identifies and partners with companies developing cutting-edge technologies to help deliver these solutions to the Central Intelligence Agency and the broader U.S. Intelligence Community (IC) to further their missions.” The key here is to find the smartest security firms whose technology is good enough for the CIA, DOD, and NSA and can be adapted for commercial use. Given the recent string of attacks on private-sector companies, the private sector would welcome military-grade protection.
  2. Explore other direct federal funding. It’s likely that DARPA, NSF, DOE, and other agencies will have money to spend on cybersecurity research and development. Smart VCs will figure out ways to hedge their risks by getting these agencies involved.
  3. Partner with Universities. UC-Berkeley, Carnegie Mellon, MIT, Purdue, Johns Hopkins, and Cornell are all doing advanced research in various security disciplines. The VCs need to buddy up to these prestigious institutions and find investments that provide mutual benefits.
  4. Seek out Israeli money. Educated at Tel Aviv University and Technion and then saturated in security in the IDF, Israel produces some of the smartest security minds in the world. I’d like to see more American investment in Israel and more outreach to Israeli VCs from Sand Hill Rd.

The lack of VC investment in security could have broad implications moving forward, so the VCs can’t sit on the sidelines. It’s time for the rich guys to get more involved and proactively champion security innovation and investment rather than sit back, drink Merlot, and wait for business plans to come in. Our digital security may depend upon this.

© 2011 Enterprise Strategy Group, Milford, MA 01757