Tuesday, December 19, 2006

Thoughts on Check Point Acquisition of NFR

Earlier this year I covered Check Point's attempt to purchase Sourcefire. Well, Check Point bought another vendor -- NFR -- for $20 million. Talk about market valuation; Sourcefire's sale price was $225 million. NFR is also down to 22 employees, according to the press release. Although the FAQ says

Check Point intends to continue to sell, support, and develop an independent NFR Security product line.

I doubt that will last. It doesn't make sense to buy the technology but not integrate it into Check Point's firewalls, and then discard the separate box.

At this point it seems we're left with the following IDS/IPS vendors:

Let's see how that relates to the idea that all network security functions will collapse to switches. The first four sell switches, so I expect them to lead that drive. The fifth (ISS) is owned by IBM, who is more interested in services these days. I expect IBM will discontinue or sell off that product line, following Symantec's lead, to focus on services.

I don't think McAfee's prospects are good. I think Microsoft will eventually crowd out the anti-virus/anti-malware/anti-spyware/NAC/host defense market. All host-centric security will collapse into the operating system. That knocks out a huge chunk of McAfee's product line. This is really going out on a limb, but I could see McAfee being sold off in pieces, with Microsoft acquiring host-centric assets, Cisco or another switch vendor buying Intrushield, and IBM acquiring the services part.

Where does this leave Sourcefire? If they eventually do go public, I think they will still end up being purchased by someone -- maybe Cisco. At some point Cisco will realize their IDS is not that great, and they will buy better technology. The Feds will see Cisco as a perfectly acceptable suitor and will approve the deal.

Returning to Check Point, they will probably be acquired by a switch vendor at some point too.

Did I miss anyone? I don't count all the vendors repackaging Snort.


Anonymous said...


I agree that network security functions will eventually collapse to the switch if the scope of this assertion is limited to the large-scale enterprise switches such as Cisco's 4500/6500 or Juniper's T series.

However, I wonder how feasible it will be for vendors to develop branch/closet switches with similar security functionality? If this functionality increases the price of the switches, thrifty managers will likely cut costs by sacrificing security monitoring features.

Unknown said...

Will ipv6 affect this much? I'm not all that knowledgable about ipv6, but it does utilize ipsec by default, which will hamper network monitoring?

Anonymous said...

I agree with your assertions. Microsoft is not going to allow us to forget that Vista is the cure for all host-related security issues (yeah, right...)

Where would Fortinet fit into the IDS/IPS mix?
Would you categorize their devices as "repackaging Snort"? Just curious.

Thanks - again, nice thoughts.

Richard Bejtlich said...


IPv6 does not use IPSec by default. IPv6 is no more secure than IPv4 -- maybe less so. IPv6 stacks must be IPSec-capable, but they do not need to use it. IPv4 stacks do not need to be IPSec-capable; that is the difference.

Anonymous said...

A vendor missing above that's still around: Enterasys (Dragon).

Richard Bejtlich said...

I already listed Enterasys and Dragon.

Anonymous said...

Richard. I always read your posts and value your opinion but I disagree with you on the MS point. I can already see the anti-trust lawsuit against MS if they were to attempt to shut out Symantec/Macafee by trying to collapse all security features into the OS, even if this is where the industry, technically, is headed.

The focus on security services and not hardware is fine for some, but those clients are typically large organizations. All these large security companies abandoning their security appliances leaves the small/medium business hanging, which is where the vendors you didnt mention will clean up.

Richard Bejtlich said...

Hi Chris,

Microsoft was legally declared a monopoly and what happened? Nothing. No one is going to be able to stop this evolution, and maybe no one really should.

Anonymous said...


You did forgot at least one Finnish vendor, Stonesoft.

And no, Stonesoft does not repackage Snort.

Anonymous said...


Richard Bejtlich said...

Stonesoft -- irrelevant. Never heard a single client or student ever mention them.

Fortinet -- a "UTM" appliance. I didn't want to mention the UTM space, but there's an example of another set of functions that will end up in the switch. I bet Fortinet's new marketing guy would agree since he invented the "Secure Network Fabric" term.

I got a Google blog alert telling me Matasano said I forgot Intrusion. Their blog is unreachable so I can't read the details right now. I consider Intrusion another side player. They've been around forever but never seemed to amount to anything. The last time I dealt with them, the Air Force was trying to recover from the junk they shipped to us.

Anonymous said...

To be fair, you're also leaving out bro


Richard Bejtlich said...

No one can buy Bro.

Anonymous said...

put me down for TopLayer and Radware in your category of "Richard forgot ...".

what a bad blog posting day

Richard Bejtlich said...

dre, TopLayer is probably worth mentioning, but just barely. Radware? Forget it. Maybe I should have said "MAJOR" IDS/IPS vendors.

Anonymous said...

By "major" IDS/IPS vendor, would customers such as eBay, Lycos, Akamai, and countless others be included as major accounts for Radware or would you simply discount it because the Air Force didn't include them in their evaluation because it's an Israeli company?

Richard Bejtlich said...

"Countless?" By definition, false. Radware is a company you see at trade shows but I have never seen the product fielded. Do I not get out enough? Maybe. Do I hear people using the "major" vendors I listed earlier? All the time. Of course YMMV.

Anonymous said...

I am not going to pick at your list of IPS vendors, but I did want to relay something I heard from a former Enterasys engineer.

He said Enterasys never really committed to Dragon and is now looking for a way to sell it off. He estimates there are maybe 5 developers left to do minor revisions, but no major development.

That would explain why Enterasys disappeared from view a few years ago.

Anonymous said...

The idea that core data can be protected at the switch has limitations, in my books. Network security is not data assurance, and never will be.

A better model would be one that starts at the host and fans out to network clients and switches.

Richard Bejtlich said...


I'm not discounting host-centric security. However, compromised hosts cannot contain themselves. Independent devices can contain compromised hosts, at least to some degree. Also, some activities are better implemented by the network because they can be uniformly imposed on all nodes, whether the nodes want to cooperate or not.

Anonymous said...

If those hosts are trusted rather than merely hardened though, they can't be compromised, so that would have to be a key influencing factor on choice of security model then? And if those settings could be imposed (pushed) on all nodes to create trust channels to enforce security policies and user access to data inside the network, rather than just limited to the host, then we will certainly have arrived.

Richard Bejtlich said...

Hi Rob,

You said "If those hosts are trusted rather than merely hardened though, they can't be compromised, so that would have to be a key influencing factor on choice of security model then?"

I think you answered your own question. "Can't be compromised" is impossible. Also, trusted != trustworthy. Trusted means you have placed trust in the system. Trustworthy means placing trust is a wise choice decision.

Unknown said...

Ahh, sorry, I should read up on ipv6 more before blurting things out. :) Thanks!

Unknown said...

I would agree that in the enterprise environments the switches are (for some time now by Cisco) being marketed as having "integrated security". It will be interesting to see how much integration they go after in the commercial SMB space, since up until now they have pretty much left Linksys alone to do its own thing and are pretty consistent about separating the "enterprise class" products (and features)from the SMB space.
I actually think one of the main drivers will be the management aspect - IDS/IDS implementations tend to be underutilized because of the difficulty in tuning / managing them, and Cisco has gone through several different approaches to IDS management. From the old days of CSPM to VMS and now CSM, it seems that it is still a challenge to present an interface that customers find intuitive or at least usable, and Cisco has always separated the configuration piece from the management piece (or at least the configuration and logging, i.e., IDM and IEV). Folding the security into the network fabric and this the security management into the network management products may be an issue. I think from a security management perspective several vendors are starting to move towards a more "solutions-oriented" approach - i.e., for Cisco shops the direction is to have everything security related report to MARS for correlation and CSM for the configuration/provisioning. I would welcome the addition of the sourcefire technology, but it is hard to say if they would view the benefits of the Sourcefire IDS technology as outweighing the issues of folding in the competitive Sourcefire SEM technology with the MARS product.

Anonymous said...

If we can not speak of trust in absolutes, then that leaves relative trust. The moment one can make a statement about trustworthiness of host security that outweighs network security, then it should become incorportated into the network, even to supplement edge security.

What is to say that you can trust independent network devices any more than a host based security model; each of them is a potential attack vector in its own right.

Anonymous said...


I'm going to defend radware here.

Maybe you didn't see them deployed at your customers but I do think they are worth looking at.
Most vendors are still taking the signature approach (disregarding signature/vulnerability filter discussion here).
I do admit that radware is weak at doing
this, but their BDOS module actualy performs quite well wheras the anti-dos capabilities of the other vendors are mostly limited to nothing or to syn cookies.

Dustin said...

On Cisco IDS/IPS, hasn't it come some way though? I do know that full content data (must be enabled) is collected w/ the AIP-SSM IPS modules. If you leave the add-ons out of the picture (RNA, MARS), then it seems to me that Cisco is pretty competitive w/ Sourcefire.

Richard: Have you dealt at all w/ Cisco IDS/IPS products lately?