Cisco Can Kill Crossbeam Any Time It Wants

Thomas Ptacek | November 3rd, 2006 | Filed Under: Industry Punditry, Uncategorized

Before we start, a caveat: if I didn’t think Chris was worth talking to, I wouldn’t bother sniping at him. Is there anything less (or more, even!) boring than security bloggers agreeing with each other?

Chris Hoff from Crossbeam presents in Chicago (for some reason, he doesn’t bother to let me buy him a beer — if you’re visiting my hometown, esteemed reader, don’t make the same mistake). He has an interesting topic: “Is Cisco Full Of Shit?” Hyperbole on my part? Here’s how he starts:

“Embedded” network security as proposed by Cisco is a pipe dream. In fact, it’s nothing more than the aging appliance model with boxes NOT embedded into the routers and switches at all.

Chris’ argument has three salients:

  • Cisco’s Self-Defending Network Architecture (the successor to SAFE) is just marketecture.

  • Cisco hasn’t put its money where its mouth is on integration of security into its mainline platforms (the Cat and routers).

  • Security belongs at a “service layer”, virtualized over the entire network, not as point-deployed boxes (IPS) or embedded into the infrastructure (IPS blade).

I think Chris is going to lose this argument. Before I say why, I’m going to lay out some disclaimers:

  • I am not a huge Cisco fan.

  • However, to the extent that I believe in “network security” at all, I’m a believer in embedded security.

  • For the 4 years prior to cofounding Matasano, I had Cisco- and customer-facing roles at a company that hung on Cisco’s every word.

I laid Chris’ points out above in the order I want to address them.

1.

Is SDNA “marketecture”? Of course it is. SDNA is code for “sole-source network security from Cisco”. Sniping at SDNA’s credibility is as silly as sniping at the Cisco SAFE architecture in 2001: absolutely nobody designs networks according to these “schemes”. SDNA is a “why we did it” story that is retrofit onto Cisco’s evolving product lines to make it seem like they have strong management and a real vision.

But Chris’ argument isn’t about SDNA. It’s about whether enterprises should sole-source from Cisco, with around $1b in security sales, or consider vendors like Crossbeam that post sales less than 8% of that.

That’s a fine argument to make, but if you’re going to build it on Cisco’s inability to run a real playbook, you can’t cherry pick Cisco’s weakest messages. SDNA may be meaningless. NAC isn’t. Even if it doesn’t work yet, it’s actionable and it’s changed the way people think about securing their network, and when Cisco buys the company that can really deliver on it for large enterprises, NAC is going to cause Crossbeam huge headaches.

2.

If you’re an indie network security vendor with a pulse, the idea of Cisco embedding IPS and firewalls into every Cat switch and access router puts you in a cold sweat. Is Cisco full of shit about this plan? Reasonable people will disagree, but the answer will be “no”.

First, the existence proof: the ISR. Large enterprises buy them by the hundreds. It’s one of Cisco’s most successful products ever. And it’s a direct threat to the branch/satellite-office market that is the primary revenue multiplier for indie perimeter security vendors — Crossbeam’s bread and butter.

Cisco does more than $10b a year in Cat switching alone; by revenue, their grip on that market is comparable to Microsoft’s lock on operating systems. All it takes for Cisco to launch completely integrated network security is a credible ASA blade for the Cat6k. How far out can that be? Enterprises already buy the Firewall Switch Module.

And finally there’s the obvious point to be made about NAC and Cisco Security Agent, the alien larvae Cisco is trying to implant into host security. NAC is a lot of bad things, but “un-integrated” is not one of them.

Basically, every indie vendor has a talking point about how Cisco should just stick to the connectivity that they’re good at. This stuff all sounds good at first, but c’mon. Cisco doesn’t own connectivity because they make the best routers and switches. To claim that their routing (perimeter) and switching (internal) real estate doesn’t give them a dominant position in security is to claim that the perimeter and internal networks aren’t implicated in security. Delusional.

I agree, they haven’t done it yet, but I’ll make a statement that’s sure to get me yelled at: as soon as Cisco decides it’s ready, it can end companies like Crossbeam, Checkpoint, and SourceFire within 18 months. Isn’t not doing that, and running security as a totally separate business unit, one of the big mistakes they made in the 90s?

3.

Does it make sense to deploy security uniformly across the whole network, defending secretary desktops the same way you defend iSCSI servers or server-agent management consoles? No. Security should be focused on assets.

But exactly what does this have to do with network architecture? Read Chris’ slides and it seems to mean “the way to architect your network is to hang Cisco boxes off of a couple Crossbeams in your core”. Here’s what he says to justify that, and my responses:

  1. Router and switch vendors are focused on doing one thing; selling you more routers and switches.

    If Crossbeam isn’t focused on selling more Crossbeam boxes, they need to stop returning the i-banker’s phone calls; for that matter, they should consider becoming a 501(c).

  2. When’s the last time a network guy could perform a byte-level forensic trace of a Botnet C&C channel or a security guy troubleshoot a nasty BGP route-reflector distribution problem?

    I don’t know. You might try asking Dug Song at Arbor, Kirby Kuehl at Cisco, or any of the Team Cymru guys. When’s the last time a security guy bought a Cisco product? Hint: it happened 5 times while you read this sentence.

  3. Managing threats and vulnerabilities is not the same as managing risk; networks don’t understand the value of the data traversing it... how can they protect it accordingly?

    Cisco is not an ethernet cable. “The network” is whatever your vendor says it is. In Crossbeam’s case, “the network” is Cisco and “security” is everything else, including Checkpoint and SourceFire, both of whom sell products that Cisco has pin-compatible substitutes for.

    Do any of these companies “understand the data”? No, I agree, they don’t. Is “understanding the data” important? Then let’s suspend the conversation until Cisco buys Vontu and Crossbeam partners with Vericept.

  4. Just because two things are branded with the same name doesn’t mean they can communicate or interoperate well; just ask my wife

    How’s that SourceFire/Checkpoint CPMI integration coming then? You got ISS using Snort signatures yet, or vice versa? Does anyone do app-level integration well?

  5. A single vendor’s version of the truth really stinks if it’s wrong; What happens when we hit Web3.0 and we’re still only at Security 2.4beta11?

    What does this even mean?

  6. The dirty little secret of embedding security in the “network” is that it’s the same as doing it with point-appliances…a single vendor’s set of appliances

    Yes, it’s true: if Cisco succeeds in embedding security into its mainline products, you are going to be using Cisco security products. Diversity and consumer choice are valid arguments against Cisco.

    But there’s one way in which using embedded security demonstrably isn’t the same as using point products: you don’t have to deploy point products to do it.

  7. Modeling the security of the self-defending network after the human immune system and suggesting that it’s the ultimate analog is a crappy idea; people die

    Yes. What I hate about Cisco’s solutions is that you have to let a few machines on your network get infected for them to generate antigens; also, when Cisco’s security features coagulate around injuries, YouTube gets really slow.

  8. Security solely by acquisition does not make you a security company… just like acquiring lots of security “stuff” does not make you secure

    You sure this is a good argument to make for a company that delivers 99% of its security value prop through partnerships with other companies?

    Let’s ask the mean question: using product space names and market position (i.e., “the #5 IPS vendor”), name some of the companies Crossbeam has turned down as partners? Cisco’s kind of picky about what it buys, you know.

  9. Security in breadth is not the same thing as security in depth; “good enough” security is not good enough in the data center

    What aspect of Cisco’s IPS is not “good enough” for the data center?

  10. Securing everything, everywhere is not only unnecessary, it’s unachievable

    It is if Cisco sells it at 10 points below cost in order to turn the entire network security market into a line-item feature for the Catalyst 6000.

I know it doesn’t sound that way, but I’m neither a fan of Cisco nor a skeptic about Chris. But his arguments don’t take Cisco seriously, and if we’re going to armchair quarterback the security industry, why be nice about that?

4 Comments so far

  • Christofer Hoff

    November 3rd, 2006 5:28 pm

    So how the hell do I respond to this one…

    A piece @ a time, I guess.

    OK, another weekend of blogging instead of living, coming up!

    ;)

    BTW, I take Cisco very seriously. I just choose not to invest in manifest destiny.

    I love these arguments because we can each take 3 hours to pick apart each other’s sentences…

    I figured y’all were bored with the IDS/IPS debate…

    Replies forthcoming!

    Chris

  • Matt

    November 3rd, 2006 5:46 pm

    Is there anything less boring than security bloggers agreeing with each other?

    Read that sentence carefully, and you can probably think of a couple things. Here’s a starter list: explosions, being in free-fall, OS X 0day, 3 feet of fresh powder at your local ski area.

    Good post, though. Chris, I’m looking forward to your response :)

  • Christofer Hoff

    November 5th, 2006 5:13 pm

  • […] Alan is certainly not the only one, Ptacek tends to rip ‘em apart on the blog (here), (here), and (here), but he is like that in person too, so it is more natural from him than most folks. Murray notes that the last month the blogs he reads have devolved into flame wars (here), he then notes some issues that folks are not blogging about but should be, which is then followed up with a post on what makes a blog super-popular and asks what “we” would like to see him blog about (here). I don’t know Mike - how about blogging about all those things that you say no one is blogging about instead of all the personal power, excellence, life management “noise” […]