Thoughts on Check Point Acquisition of NFR
Earlier this year I covered Check Point's attempt to purchase Sourcefire. Well, Check Point bought another vendor -- NFR -- for $20 million. Talk about market valuation; Sourcefire's sale price was $225 million. NFR is also down to 22 employees, according to the press release. Although the FAQ says
Check Point intends to continue to sell, support, and develop an independent NFR Security product line.
I doubt that will last. It doesn't make sense to buy the technology but not integrate it into Check Point's firewalls, and then discard the separate box.
At this point it seems we're left with the following IDS/IPS vendors:
- Cisco
- 3Com (via Tipping Point)
- Juniper
- Enterasys (Dragon)
- IBM (via ISS)
- McAfee
- Sourcefire
Let's see how that relates to the idea that all network security functions will collapse to switches. The first four sell switches, so I expect them to lead that drive. The fifth (ISS) is owned by IBM, who is more interested in services these days. I expect IBM will discontinue or sell off that product line, following Symantec's lead, to focus on services.
I don't think McAfee's prospects are good. I think Microsoft will eventually crowd out the anti-virus/anti-malware/anti-spyware/NAC/host defense market. All host-centric security will collapse into the operating system. That knocks out a huge chunk of McAfee's product line. This is really going out on a limb, but I could see McAfee being sold off in pieces, with Microsoft acquiring host-centric assets, Cisco or another switch vendor buying Intrushield, and IBM acquiring the services part.
Where does this leave Sourcefire? If they eventually do go public, I think they will still end up being purchased by someone -- maybe Cisco. At some point Cisco will realize their IDS is not that great, and they will buy better technology. The Feds will see Cisco as a perfectly acceptable suitor and will approve the deal.
Returning to Check Point, they will probably be acquired by a switch vendor at some point too.
Did I miss anyone? I don't count all the vendors repackaging Snort.
Comments
I agree that network security functions will eventually collapse to the switch if the scope of this assertion is limited to the large-scale enterprise switches such as Cisco's 4500/6500 or Juniper's T series.
However, I wonder how feasible it will be for vendors to develop branch/closet switches with similar security functionality? If this functionality increases the price of the switches, thrifty managers will likely cut costs by sacrificing security monitoring features.
Where would Fortinet fit into the IDS/IPS mix?
Would you categorize their devices as "repackaging Snort"? Just curious.
Thanks - again, nice thoughts.
IPv6 does not use IPSec by default. IPv6 is no more secure than IPv4 -- maybe less so. IPv6 stacks must be IPSec-capable, but they do not need to use it. IPv4 stacks do not need to be IPSec-capable; that is the difference.
The focus on security services and not hardware is fine for some, but those clients are typically large organizations. All these large security companies abandoning their security appliances leaves the small/medium business hanging, which is where the vendors you didn't mention will clean up.
Microsoft was legally declared a monopoly and what happened? Nothing. No one is going to be able to stop this evolution, and maybe no one really should.
You did forget at least one Finnish vendor, Stonesoft.
And no, Stonesoft does not repackage Snort.
Fortinet -- a "UTM" appliance. I didn't want to mention the UTM space, but there's an example of another set of functions that will end up in the switch. I bet Fortinet's new marketing guy would agree since he invented the "Secure Network Fabric" term.
I got a Google blog alert telling me Matasano said I forgot Intrusion. Their blog is unreachable so I can't read the details right now. I consider Intrusion another side player. They've been around forever but never seemed to amount to anything. The last time I dealt with them, the Air Force was trying to recover from the junk they shipped to us.
.Seth
what a bad blog posting day
He said Enterasys never really committed to Dragon and is now looking for a way to sell it off. He estimates there are maybe 5 developers left to do minor revisions, but no major development.
That would explain why Enterasys disappeared from view a few years ago.
A better model would be one that starts at the host and fans out to network clients and switches.
I'm not discounting host-centric security. However, compromised hosts cannot contain themselves. Independent devices can contain compromised hosts, at least to some degree. Also, some activities are better implemented by the network because they can be uniformly imposed on all nodes, whether the nodes want to cooperate or not.
You said "If those hosts are trusted rather than merely hardened though, they can't be compromised, so that would have to be a key influencing factor on choice of security model then?"
I think you answered your own question. "Can't be compromised" is impossible. Also, trusted != trustworthy. Trusted means you have placed trust in the system. Trustworthy means placing trust is a wise decision.
I actually think one of the main drivers will be the management aspect - IDS/IPS implementations tend to be underutilized because of the difficulty in tuning / managing them, and Cisco has gone through several different approaches to IDS management. From the old days of CSPM to VMS and now CSM, it seems that it is still a challenge to present an interface that customers find intuitive or at least usable, and Cisco has always separated the configuration piece from the management piece (or at least the configuration and logging, i.e., IDM and IEV). Folding the security into the network fabric and thus the security management into the network management products may be an issue. I think from a security management perspective several vendors are starting to move towards a more "solutions-oriented" approach - i.e., for Cisco shops the direction is to have everything security related report to MARS for correlation and CSM for the configuration/provisioning. I would welcome the addition of the Sourcefire technology, but it is hard to say if they would view the benefits of the Sourcefire IDS technology as outweighing the issues of folding in the competitive Sourcefire SEM technology with the MARS product.
What is to say that you can trust independent network devices any more than a host based security model; each of them is a potential attack vector in its own right.
I'm going to defend Radware here.
Maybe you didn't see them deployed at your customers but I do think they are worth looking at.
Most vendors are still taking the signature approach (disregarding signature/vulnerability filter discussion here).
I do admit that Radware is weak at doing this, but their BDOS module actually performs quite well whereas the anti-DoS capabilities of the other vendors are mostly limited to nothing or to SYN cookies.
Richard: Have you dealt at all w/ Cisco IDS/IPS products lately?