Thursday, August 24, 2006

All Network Security Functions in the Switch

The ISS acquisition has me thinking again about the security space. I noticed Richard Stiennon wrote the following:

Consolidation? Not even close. There are over 867 vendors in the IT-Harvest knowledge base this morning. When that number falls month to month we can start talking about consolidation.

I'm not sure that's the right way to look at the issue. How many of those companies are 1 year old or less? 2 years? 3 years? I'm guessing that many companies that were firewall development startups have either been bought or gone out of business. The same can be said for other product types. The vendor count may never decrease because new companies are always joining the market to address new problems (or so they claim). I think that process is consolidation.

The main reason I posted this entry, however, is the title above. I am not the only person to discuss collapsing all network security functions into switches, and I have probably said something similar already. Nevertheless, I believe that the future is not bright for companies that want to introduce network security products but remain independent.

Let me define a few terms. By "network security" I mean products that interact with network traffic, for inspection or access control decisions. I do not mean products which work on the host level. When I say "remain independent" I mean start as a small company and grow to become a billion dollar plus company.

It seems as though all network security functions are going to collapse into the devices which carry traffic -- switches. Consider a router to be a "layer 3 switch" for the sake of this argument. If you can't accept that, imagine I said "switches and routers" earlier.

I think the shelf life of point products is going to become increasingly short. In other words, I could see IBM eventually selling or abandoning its ISS network security product line. Why? IBM doesn't make switches or routers that compete with Cisco. The functions that ISS network security products provide, however, are going to end up in Cisco switches. Those features are going to be available as upgrades to sufficiently powerful switches, leaving managers with the choice of running Cisco plus other boxes, or just Cisco. They will choose "just Cisco."

Am I a Cisco hack? No (but I do have my CCNA). Do I think this is the best of all possible worlds? No, since I prefer Cisco's routing and switching to its security products. Nevertheless, the drive to consolidate products is going to eventually collapse network security functionality down to the only boxes which absolutely must remain -- switches.

I expect to see network security point products continue to be developed. However, they will continue to be outsourced research, development, and viability testing factories for Cisco. When Cisco sees a product it likes, it will buy the company and then integrate the functionality into its own equipment.

Where does this leave the other security gorillas, and gorilla wanna-bes? Those that focus on host-centric products may continue to exist, but there is a good chance that they will continue to be bought by Microsoft. Those that provide services to make all this work will grow. I think this is where IBM and other giant integrators can make a good living.

9 comments:

Dennis Cox said...

Consolidation can only occur when the technology is at a point that it is known and containable. Security is quite uncontainable in terms of techniques and solutions. Every day the technology required to provide security is beaten. I do think consolidation into a switch is an "okay" idea - I just don't think it's realistic.

I'm one of the few folks that think firewall + ips = bad idea. Consolidation also brings on challenges of securing all the necessary technologies in one system. A group of engineers are going to make the switch component, another group the ACL component, another group the SSL component, another group the IPS component and so on. A flaw in one component leads to a flaw in all components. Instead of having to get past three or four security devices - I only have to get past one now.

As for the market consolidating in terms of companies - that is a benefit to startups. Startups can then move onto new technologies in regards to solving security problems. Gorillas on the other hand have to deal with integrating the two products. I have done both in my career (multiple times) and I can say that I'll bet on the startup versus the integration any day.

Look at the market to see the result of that.

NigelMellish said...

Right now, though, Cisco has the same issues as Sony does in the mp3 market. It seems like they should be logically pulling this off - they have Sony music, they have a brand that traditionally is associated with portable music, and they even have form factor killers in Sony/Ericsson phones. But for whatever reason, their audio products just aren't gaining critical mass. It's in the execution...

Cisco has firewall penetration, to be sure. But for whatever reason, their infosec initiative is somewhat stuck outside of firewall/VPN. From what I understand, reception to NAC, MARS, and their IDS solutions has been tepid.

That's not to say that neither company can or will get their act together w/regards to hardware...

However, Stiennon's perspective on the health of the market given the number of vendors aside, I think we should consider another point - that ISS was as much a services provider as it was a hardware vendor, and maybe even more so. For Cisco to *truly* take advantage of their market share at the switch - they'll want to develop an entire services branch, and not just monitoring. All the "hard" and "soft" skills will need to be represented.

Anonymous said...

All of this discussion is actually 'assuming' that these network companies don't engineer their security products in a vacuum; most just engineer products inline with their networking products without real insight into how security products should be designed. When looking at most 'security' products offered by networking companies, it is still obvious that they look at security from an 'enclave' perspective. IPS...works 'ok' when it is deployed in a single ingress/egress point. Move it outside of that scenario (to include multi-vendor solutions)...you're asking for trouble. I'll be concerned about Cisco (and similar companies) owning the security product space when they actually start to make 'innovative security products' and not 'security enabled networking products'.

stiennon said...

I agree with you completely Richard that network security functions belong in the switch. I even dubbed the idea: "Secure Network Fabric".

If you believe in consolidation then you expect the Symantecs of the world to acquire a lot of companies and become one-stop-shops for security. Yet, that has not worked at all.

What Cisco did to the switch network is consolidation. They bought everybody until they had 80% market share. That is not happening in security. The largest player has about 5% of the market. ISS is so small the acquisition by IBM does not impact the market at all. EMC buying RSA is not consolidation either. It is a storage player responding to market demands that it perceives.

(Of course I have a vested interest in claiming the industry is not consolidating. I have quit my job and started an independent research firm to study the security space. If it is consolidating I should be moving on to SOA, or Web 2.0 or something new)

Richard Bejtlich said...

Ah -- thanks RS. I thought someone had a term for that. Cool.

spyder said...

I would like to think that, in the end, the best technology would win out. However, my observation is that decisions regarding consolidation are driven from a management perspective, not a security one. In the end, it really doesn't matter if Cisco can do the job well at all.

Anonymous said...

I agree with you on this Richard. Protecting systems at a chokepoint (aka perimeter firewall) is not enough...for me at least. I want to monitor and firewall every host in some form.

I'm still waiting for someone to build a new switch from the ground up, with security features built-in and done right the first time, not as clunky add-ons that don't scale well.

A Juniper/NetScreen core switch would be neat. Firewalling and NSM on all ports!

Brad said...

Seems like similar thoughts were being thrown around in '98: "Today's security specialty companies cannot all survive; they can be eclipsed by the platform vendors too easily. Only platform vendors can deliver security that is integrated enough to scale and invisible enough to ignore" (Risk Management is Where the Money is At by Geer)
