En Garde!

What to look for when purchasing network equipment…

2009-07-01T19:31:00-07:00

By Joe Golden
Does it adds value beyond the traditional equipment it may replace?

During these economic times, all purchases will be under increased scrutiny. Data has consistently shown that opex constitutes 70% to 80% of IT’s overall costs, so buying equipment that can save IT time is critical. For example, being able to tie username to a traffic flow, with application information, can dramatically lower IT’s troubleshooting time. In addition, having this kind of user and application control built into the network infrastructure means IT can avoid the capex associated with buying overlay products and the opex needed to run all those disparate systems.

To get a feel for the value a given product can provide, IT buyers should explore the manufacturer’s vision for how business demands are changing and how the network must evolve to meet those changing requirements. Does the vendor’s vision for the business issues align with the challenges your organization is having? Does the current product meet your requirements today but also have a path for evolving with your business? Is there programmability and flexibility built into the system to enable the vendor to deliver on its vision over the long term?

As IT Director John White of Technicolor explains, these are all reasons he chose ConSentry to secure his network - click here to view ConSentry's Technicolor Case Study on YouTube.

The operational impact is key. Small and medium-size companies don’t have the luxury of extra staff, so they need devices that are simple to deploy and run and, more importantly, make key ongoing IT tasks easier.

What a week in LAN switching!

2008-01-30T22:47:20-08:00

I’ve been watching the LAN market a long time – as a journalist and analyst for nine years and as a vendor for another eight since then – and this has been one of the more interesting weeks in LAN infrastructure in years.

After not changing much since the advent of switches in the early 90s and routing switches in the mid-90s, the LAN market saw some pretty interesting events this week. Cisco’s targeting of the data center switch market with its Nexus announcement on Monday is one example of the move toward greater intelligence and application awareness in the network. Add in Cisco’s philosophy in TrustSec of the need for role-based networking and the intelligence they’re talking about in the PISA blade for the 6500, and that’s a lot of places in the LAN getting a lot smarter about users and applications.

Then you have Juniper, in what has to be one of the industry’s worst-kept secrets in years, coming out yesterday with its entrance into the LAN switch market. While the initial switches appear to offer just the basic L2/L3 switching capabilities, the company has a history of distinguishing itself in application smarts and other value-add capabilities, and one would hope Juniper will eventually apply this vision to their LAN switches as well.

Here at ConSentry, we took advantage of the timing to add to the industry discussion about LANs getting smarter. On Monday, we took the wraps off our vision for Intelligent Switching, with user and application control built into the switch. We were founded – and funded – to build the next-gen switch, with built-in security and control features. We took the pragmatic step of building an appliance first, to make customer adoption easier, but with this announcement we were able to fully detail our original vision and show how it fits within these broader industry changes. We highlighted the differences between the legacy and intelligent switch architectures – the latter having knowledge of user identity, device, role, application, and destination native in the switch. This intelligence gives IT business context like never before, which simplifies tasks like limiting access to resources or troubleshooting user or application problems.

A lot of publications picked up on this trend toward greater intelligence, including the San Jose Mercury News and Network World. And we may not be done with the news for the week. Rumors continue to swirl about, as one analyst put it, one more “monumental” announcement, after which the switch landscape is supposed to look very different. Regardless of whether more news comes, though, this week’s already seen a sea change in what’s state of the state, and for the first time in a long time, IT has more than the commodity switch feature set to think about when investigating switches for their next LAN upgrade.

As the saying goes, may you live in interesting times. At least in LAN switching, it would appear we are. Sure makes this all a lot more fun.

--Michelle McLean

mmclean-at-consentry-dot-com

Cisco oneNAC – and Four Types of Cisco Customer

2007-09-05T16:31:14-07:00

Another day, another flavor of NAC from Cisco.

Network World’s Tim Greene was among those reporting on this latest variant of Cisco NAC – this time oneNAC that aims to combine aspects of the Cisco NAC Appliance and the Cisco NAC Framework. And it'll be ready in just 12 or 18 short months from now.

I love these announcements. They highlight everything that Cisco wants to be while making it painfully clear all the places they’re falling short. It also helps invite customers, media, and analysts to ask how we compare to Cisco. We love to do that – especially in the form of competitive bake-offs – because anyone who looks at the issues quickly grasps the disparity between what Cisco wants to do and what they can do. And between what Cisco and ConSentry can do.

My favorite version of the comparison question is “How can you sell security infrastructure, especially switches, given Cisco’s dominance in the switch market?”

Through my many years of competing with Cisco – in service provider core routing, wireless, WAN optimization, and now LAN security – I’ve seen a wide range of Cisco customers. Here at ConSentry, it’s really crystallized for me that Cisco customers fall into four camps.

Type 1
The true-blue believer. These customers build their networks according to Cisco blueprints and don’t diverge from that path. Luckily, ConSentry inside sales reps can quickly qualify out these prospects so we don’t end up spending time with them.

Type 2
Wedded to Cisco for switching infrastructure but will consider other vendors for appliances or other services when Cisco falls short. At Peribit, selling WAN optimization and application acceleration, I saw plenty of these, and we sell plenty of ConSentry Controllers – our appliance form factor – to these guys now.

Type 3
Wedded to Cisco for switching infrastructure at headquarters but open to other infrastructure vendors for regional or branch offices. These customers sometimes surprise you – we’ve had more than one customer tell us they’d never consider our LANShield Switch, and they happily deploy our LANShield Controller in headquarters. Then some months or even a year later, as they’re approaching a switch upgrade project in their regional locations or branch offices, they come back asking “Now what does that switch look like again? And it’s cheaper than the dumb switch I was going to buy from Cisco?” These guys represent a fantastic opportunity for both our LANShield Switch and LANShield Controller.

Type 4
Won’t waver from Cisco chassis switches in the core but consider the LAN edge to be commoditized. These customers are the most fun because they think the biggest right out of the gate – they immediately see the value of the ConSentry secure switch in lieu of something like a 3750. They love the ability to deploy identity-based control, and they see the need for it right at the LAN edge. We’ve had several customers who sought us out originally for our appliance end up accelerating their switch upgrade projects by as much as nine months to get all the security built in for free and spend less than the budgetary planning amount set aside to upgrade with Cisco

For companies like ConSentry, all the fits and starts coming out of Cisco around NAC and the self-defending LAN serve us incredibly well. The announcements serve to validate all the functionality needed but dramatically call attention to the current shortcomings of the Cisco solution. So let me say once again – thanks Cisco for making our jobs easier!

--Michelle McLean
mmclean-at-consentry-dot-com

NAC Fight - Five Rounds and Counting

2007-08-06T21:18:42-07:00

A blog fight! A blog fight!

No surprise Alan Shimel’s involved, and this time he’s taken on Dominic Wilde at Nevis. It started with Dominic’s post responding to Mike Fratto’s blog on the limits of NAC. I took issue with some of Mike’s blog too and left a comment.

Then Alan took Dominic to task, Dominic responded , Alan replied, Dominic replied, and Alan replied again, promising it’s his last post on the topic.

So what’s to gain from jumping into the fray, with emotions running so high and allegations flying back and forth? I think both guys have gotten a bit lost in the weeds, whining at each other about various details, but the overall nature of the debate sits close to my heart. At the highest level, Dom is arguing that pre-connect or pre-admission checks are insufficient and Alan’s arguing, well, a bunch of stuff but essentially he gets mad whenever anyone says pre-admission isn’t enough.

So let me start by saying pre-admission, of whatever quality, isn’t enough – for a lot of customers. If it were all anybody wanted, we wouldn’t have well over 100 customers. (Now I have to tease my friends at Nevis and say “come on – not a SINGLE customer announcement all year? What’s up with that?”) Of course, pre-admission is enough for some, or Still Secure wouldn’t have any customers. (And actually, Alan, I couldn’t find any customer announcements for this year on the Still Secure site either.)

Clearly I agree with Dom’s overall premise that for many enterprises, pre-admission checks aren’t enough – they need post-admission control. And by post-admission, I don’t mean just running pre-admission checks over and over again, as a lot of people want to define it. I mean something very different – truly controlling what users can do after they’re admitted onto the LAN. This level of access control involves understanding who the user is and limiting the applications and resources that user can access based on role, location, time of day, and other aspects of who the user is.

This debate between Alan and Dom went down a few other paths I’d like to touch on as well.

Dominic – next time you steal my line, at least give me my props! Probably all nine people reading this blog fight were at the New York event and heard me draw the analogy between doing vs. teaching to talk about being inline.

Both of you – you talk about architecture, debating inline vs. out of band, as if the customers are thinking that way from the start. They're not, and they shouldn't be. They're thinking about what business problems they’re trying to solve. When they lay out their requirements, and match it up against product features, only then will architecture trends start to emerge. It so happens that if they need to actually control what people can do on the LAN, they need an inline device. The customers who need identity-based control get it – they understand that to do that, the device actually has to first see and then be intelligent about doing enforcement on all the traffic going through it. But the discussion doesn’t start with architecture religion – it starts with the enterprise’s needs.

Alan – your questions on the quality of the switch miss the point. Switching’s commoditized, for one, and second, anyone looking at a secure switch cares first and foremost about the security capabilities. Cisco, for all its switch dominance, can’t hold a candle to us on security features in its switches. Certainly we have the enterprise-class features needed to sell or we wouldn't be successfully selling it, but a purchase driven by security does change the decision focus.

For the last two quarters in a row, we’ve sold more switches than appliances, and the way this quarter’s shaping up, it looks like that'll happen again. It’s never about rip and replace – we offer both appliances and switches so enterprises can choose the platform that suits them best. But let me tell you, it’s really nice when an enterprise can take advantage of an existing, and substantial, budget item already earmarked for a switch upgrade and use that money to also get security and identity-based control built right in. It's that kind of pragmatism that shows me this stuff ends up in the infrastructure.

Both of you – way overblown on the IPS thing. Maybe Nevis uses Snort, maybe not – but regardless, it’s not the point. Enterprises will still use separate IDS/IPS devices – no one should act like even best of NAC devices will change that. But I heartily believe that if you’re sitting inline anyway, seeing all the traffic coming from the user edge of the network, and you can build in some smarts to do anomaly detection and help pinpoint network problems, you’re providing good value. And keep in mind anomalies take a lot of forms. For one of our customers, the ConSentry algorithms tripped alerts on an application built in-house. It certainly wasn’t malware, but it showed them where a piece of the code was written badly and was sending people off to the Internet for data they had in house. Not IPS, clearly, but still useful.

Alan – your rant on ASICs seems off too. Of course we at Nevis and ConSentry would be proud of our custom silicon – it’s the secret sauce for doing what we do. Even if merchant silicon is improving, we’re still way ahead of what you can buy, and owning those goods is incredibly valuable. Line rate, 10 Gbps packet inspection, including full L7 so I can show you the filename a user just accessed over Windows or the URL they just clicked on – that’s truly where we get the customer “a-ha!” moments. And you just can’t get there with off-the-shelf silicon. Secret sauce is always worth crooning about, especially when it's actually why you win.

You’re right Alan – your blog is your domain, and you are master of that domain. But I have to admit – I’m pining a bit for the old days when you blogged on stuff beyond picking on your competitors and trumpeting about Still Secure products. And riding your coattails? Come on - he's engaging in a debate that you started.

And just for the record, I’m siding with Dom here, but I can assure you I’m not playing the Olivia Newton-John role. I'm afraid neither my figure nor my voice would cut it.

Michelle McLean
mmclean-at-ConSentry-dot-com

NAC's Role in Protecting VoIP

2007-07-16T21:25:12-07:00

Tim Greene's column on the relationship between NAC and VoIP and Alan Shimel's blog response both took a fairly narrow view of how NAC can help protect VoIP systems. The perspective in both cases is limited to a more admission-focused definition of NAC.

Tim talks about how endpoint scans could catch an infected system and in turn prevent that system from infecting the VoIP systems. Alan responds saying NAC really can't do much to help VoIP at all and saying so just adds to the over-hyping of NAC.

I disagree with both, because they've overlooked a key way that NAC can extend protection to VoIP systems. If by NAC one means not just admission control but also network access control, and if that access control can include policies that limit which devices can communicate with which other devices, then NAC can help substantially in protecting VoIP systems.

Think about a system that first is able to identify VoIP components - either via MAC address whitelisting or via reverse DNS lookup and using device names. Then think about policies that say VoIP phones can communicate only with the call manager and vice versa. You take just that simple combination and you've already got fairly robust protection right out of the gate. A desktop spewing a worm won't infect a VoIP phone or the call manager, whether or not an endpoint scan catches that worm, because that endpoint is not a device that's authorized to communicate with either the VoIP phones or the call manager. Similarly, a desktop trying to launch a DoS attack on the call manager will fail, because again, that's not a device that's allowed to send traffic to the call manager. Emerging SPIT (spam over IP telephony) attacks would also fail, since direct communications from VoIP phone to VoIP phone would also be against policy and therefore blocked.

Then imagine extending those controls with specific protocol support - so the policy would say that only the SIP, H.323, or Cisco Skinny protocols should ever emanate from a device known to be a VoIP phone. Same with a call manager. Now any data-based attack, from any device, will not be able to take down the call manager or the VoIP phones.

So really, NAC can do much more than just accidentally help protect VoIP systems. It's all in how you define it - and defined as network access control, with strong post-admission capabilities, NAC can get you there.

--Michelle McLean
mmclean-at-consentry-dot-com

Reflections on Gartner's Security Conference

2007-06-06T21:57:09-07:00

I’m just back from attending the Gartner Security Summit in DC. I know several industry folks were there, but for those who weren’t, a few reflections on the conference.

John Pescatore kicked off the event with his “Security 3.0” talk. I didn’t react negatively to that title the way Rothman did. Pescatore was just using that scheme to call out a third era of security. He defined Security 1.0 as when everything was under lock down in the mainframe era, 2.0 was when we were perennially trying to catch security up with user activities, and 3.0 is about trying to get ahead of the game.

What I object to with that title is posing this concept as something new - I think most people thinking about security have been trying to "get ahead" vs. "just react" for a while now. That aside, though, I do believe that thinking about what you can do to get security built in vs. layered on later is a really helpful exercise. One, you get more security, period – you get it built into the network, the application, the PC, etc.

And two - and here's the really interesting angle - the more you get security “built in” to stuff, the more you can shift capital costs to hit budgets other than the security budget. I love this idea, in large part because we’re seeing it today here at ConSentry with our secure switch. We have customers who have a switch upgrade already on the books. They use that money to upgrade to secure switches instead of plain ol’ vanilla switches and presto – even with no separate NAC or other security line item, they get a massive new security layer built into the edge of the LAN. Another argument for why it’s got to be built right into the infrastructure.

In another session, Gartner analyst Rich Mogull hosted a panel on vulnerability research and ethical disclosure, with Thomas Ptacek, Chris Wysopal, and David Maynor. All three guys had interesting perspectives and experiences to share. I’m not sure the average conference attendee got too much out of it – what these researchers do is usually a bit removed from the average enterprise, even if it shouldn’t be. But having read those guys’ blogs for a while, it made for fun listening. And it was good to meet Ptacek in person – maybe he’ll find another way to call ConSentry “committed” to security now that we’ve met face to face!

The highlight, though, was the Lawrence Orans session on NAC. Parts of it demonstrated the “when you have a hammer, everything looks like a nail” phenomenon – lots of pre-admission focus, which is no surprise given Cisco’s dominance in general and especially within the Gartner client set. But in the entire hour’s talk, he shared just one customer case study – and it was a ConSentry customer! Very, very cool to see our application, and the customer’s need for role-based control, as his one example of an interesting deployment.

All in all, a good two days, especially meeting other bloggers, talking with several of the analysts one-on-one, seeing other industry folks like Richard Stiennon, and best of all chatting with enterprise users in between sessions.

--Michelle McLean
mmclean-at-consentry-dot-com

It's All About Controlling Users

2007-05-18T12:14:58-07:00

Fortunately or unfortunately, I have another job at ConSentry aside from blogging, so I don't get to do it as frequently as I'd like. But the discussion that started, for the umpteenth time, a few days back on where the value is in NAC is just too important to leave with mis-information. So I'm responding to Alan's (is that better, Alan? ;)) comments here in more detail.

Let's be clear about one thing first - yes, ConSentry is really strong in post-admission. No, that's not why I think post-admission is the key to doing access control right. Let's think about typical business problems today:

The offshore development office where you've got no oversight over your "employees"
The contractors who have to be on your LAN but should only go to certain servers
The medical devices, robots, printers, and VoIP phones that need protection but can't host an agent
The stored data with no app-level control, like the research docs the DuPont guy stole
The credit card data that you have to not only restrict access to but document that control

None of these is solved with pre-admission control - not one. It's all about limiting what people can do AFTER they're on the LAN.

Admission control has limited value. And in case I haven't been clear in my opinion here, let me just say that I think admission control has limited value. It's not worthless - it just doesn't buy you much. And I believe that for reasons well beyond the fact that I work at ConSentry.

To be clear, ConSentry "gets it" that you need pre-admission control as a piece of the overall security solution. We just don't think that delivering our own installed endpoint agent is what customers want. Let's look at the strategy:

For unmanaged machines, no installed agent - you don't own the device, you're not installing software on it. Enter the ConSentry dissolvable agent. And yes, Alan, we OEM it from Check Point. Looks at OS, looks at AV, checks for adware/malware/spyware, looks at Registry settings, etc. Way more than "do you have AV software installed?" which is where a lot of dissolvable agents stop.

For managed machines, you need a permanent agent. We're smoking something if we believe you'll buy one from ConSentry. If Cisco's not winning at that game, why the heck would we think we could? Enterprises don't want to install yet another agent just to do NAC. They'll wait for MS NAP or they'll get the latest Sygate/McAfee/Trend version - something that's ALREADY on their desktop will do it. The managed PC is the desktop team's problem, and they're going to use software that's already on the desktop for NAC. That's where I think Amrit and Stiennon are really coming from - why would you go through all that trouble and expense of installing new software on the PC just for NAC? The endpoint software guys know they need to get there - hence the Symantec acquisitions of Sygate and Altiris.

So ConSentry's strategy - go figure - is why fight the customer. We'll work with NAP and Sygate and McAfee and Trend and any of the endpoint guys our customers ask us to. We're already working with regional endpoint guys in Europe and Japan, too - we call this Universal Endpoint Interoperability. We excel at post-admission control, but we know you need endpoint checking too, so we'll leverage whatever you've already got on the desktop to do it. And we'll give you a dissolvable agent to check the desktops you don't own.

As for advocating for out of band vs. inline, it's like the old saying - if you can do, do. If you can't, teach. Now that's actually heretical in my book since both my parents were teachers, but seriously, if you have the horsepower to be inline, and you're focused on security, you sit inline - full stop. It's always more secure to be inline. Those who advocate out of band simply CAN'T sit inline.

Alan's right - it's all about identity-based control. But out-of-band approaches cannot provide identity-based control. Taking feeds from an IDS does not equate to identity-based control. VLANs and ACLs do not equate to identity-based control. What do you do for the simple case, say the CIO? She's an exec and she's in IT - she needs overlapping sets of permissions. Are you going to build a VLAN of one for her, and then for every other person with a unique set of access rights? It just doesn't work. Plus, all this VLAN and ACL stuff is happening at L3 and L4, and what you really need is L7 - really understanding the app involved and applying access rights with that parameter as well.

Identity-based control is knowing all sorts of info about the user - name, addresses, location, role, group memberships - and mapping that to all sorts of info about what's happening at that moment - what server are you going to, what app are you running, what time of day is it - and applying policy to control access based on that entire universe of info.

I was an analyst and journalist for nine years, and as Rothman says, the instinct for skepticism simply doesn't get out of your blood. I didn't check my brain at the door in favor of a fresh batch of Kool-Aid when I joined ConSentry. I believe what I believe about the need for post-admission control not because it's all I have to hawk but because customers constantly affirm they need it. I'm fortunate to get a fair bit of time with customers, and many of them were trying to do this stuff with ACLs and VLANs, and it just wasn't working.

I'll readily admit to the "selective reality" problem, where given what your product's good at, you end up in front of customers with problems you can solve instead of those who can't use your technology. But that said, all you need to do is read the news today about what's getting companies into trouble and it's crystal clear it's all about controlling users after they're on the LAN. I believe that through and through, regardless of what ConSentry makes.

--Michelle McLean

mmclean-at-consentry-dot-com

Security as an After-Thought and (again!) What NAC Can Do for You

2007-05-17T16:38:18-07:00

Art Wittman's recent column in Network Computing on how "Security Drives Everything" highlights some of the findings in the latest NAC survey from the Network Computing/Current Analysis collaboration. Art comments that the healthcare industry, at least as embodied by Kaiser Permanente, has not embraced NAC because NAC can't help secure its medical devices.

Then Amrit, Shimel, and Stiennon are once again getting all worked up about the value of NAC. Amrit and Stiennon are boxing it into a corner saying it buys you minimal security and Shimel, understandably, is arguing the other side.

I have to say, I end up agreeing more with Amrit and Stiennon on this one - the way most NAC is positioned, especially Cisco's NAC and CCA/NAC Appliance, there isn't much value. Checking the integrity of a machine before admitting it, and verifying the user as authenticated, just doesn't buy you much. Is it a good best practice, and should it help define the access policy for your users? Yes. Does it set the bar for security? Far from it. That's why the Kaiser guy says NAC isn't for him - in that form, it can't support one of his most critical issues, which is to protect the medical devices on his LAN.

To meet Stiennon's Venn diagram take on what security should encompass, it must provide far more than pre-admission control. The big risk to organizations is what users can do after they're on the LAN, so network ACCESS control, in the broadest sense of what you should be allowed to access on the LAN, is key for businesses to protect their data.

It's also how the Kaiser guy can get his medical devices protected. Agent-based NAC won't help him at all. Instead, he needs a way to place that device into a "medical device" role and control what devices it can receive from and send to and what protocols it can run. That's how he can protect a CT scan machine from getting hit by a virus or other attack and protect against the machine or its port from being co-opted and used for evil.

IT needs to be thinking about network access control in its broadest form, and that really means having full control over all your users and devices, the whole time they're on the LAN.

Related to this broader definition, Rothman comments on Art's column and makes the point that too many IT folks see security as an after thought rather than fundamental to their business. He argues that to do things right, IT has to "talk business to the business people." Part of the challenge there is that the security products have to let IT implement controls using business logic. When all you have are VLANs and ACLs, it makes it pretty tough for IT to talk business.

Instead, they need tools that let them map those business policies much more intelligently into network enforcement practices. They also need infrastructure that embeds the security directly, rather than forcing IT to bolt on new features or use old dogs like VLANs and ACLs to perform new tricks like identity-based control. We talk about embedded security as Secure Switching - the ability to control every user and secure every port on the LAN. Whether it's an appliance, which is pragmatic for organizations not doing a switch refresh, or whether it's a secure switch if a company is upgrading their switches, the key is to have control capabilities embedded directly in the infrastructure.

That way, you're getting far more than NAC - which at the end of the day should simply be a feature on a switch. And you're not stuck with security as an after-thought - it's enabled in the infrastructure, supported by the tools to apply business logic so IT can finally talk business to the business people.

--Michelle McLean
mmclean-at-consentry-dot-com

In Good Company

2007-05-07T10:36:09-07:00

Last week, Cisco had an announcement about an updated Supervisor 32 engine for its 6500 line of Catalyst switches. Understandably, this news fell under the radar of most security blogs and reports, but it's worth highlighting. The heart of this new Sup engine is the Programmable Intelligence Services Accelerator, promising L7 packet inspection and enforcement, and the focus is on getting this kind of intelligence in the wiring closet, as a blade in 6500s deployed at the LAN edge.

It's exciting to see Cisco drive this message around the need for security in the wiring closet, and for ConSentry, the timing couldn't be better. We rolled out our Secure Switching news today, and it's great to be in such good company as we drive that message. Of course, the Cisco module isn't out quite yet, and it'll max out at 2 Gbps, but we definitely get a boost from the Cisco messaging that this is the way IT should be building LANs. And it clearly broadens the message well beyond the well-worn Network Access Control path.

We also decided to have a little fun with our news and how we explain the impact on the wiring closet. If you get a second, check out our take on what this all means for enterprise networks.

--Michelle McLean
mmclean-at-consentry-dot-com

The Problem with Commodity Switches

2007-03-20T22:18:36-07:00

Richard Stiennon brought up a great issue in a comment on my "Security Goodness - Baked Right In" post. I was writing my reply into a comment back to him but decided to post as another entry to encourage more discussion with the broader audience.

Richard summed up the perspective of his panelists at RSA as "security must stay separate from the network because the switching market is driven by cost-per-port and security is too expensive." Richard wants to know our response.

It's a great question in several ways. First off, I totally agree that switching has hit commodity status and security, particularly LAN security, is far from it. There are exceptions on both sides, of course, but it's generally true. So what's the implication for a secure switch? Essentially, a secure switch is a security device first and a switch second. So it's anything but a commodity product. If a customer's switch purchasing decision is driven solely by price, a secure switch will not even be on his or her radar. Someone buying a secure switch needs something more - some form of network access control. This buyer is motivated by the security feature set, not by simple packet forwarding, and that changes the equation immediately.

Richard's question indirectly raises two other interesting issues.

One - the separation of security and control planes. A minority of shops will want to keep the security plane separate from the control plane in perpetuity. Those shops are rare, but we do see them, so the market for a controller-type approach, where the enforcement device stays separate from the LAN switching infrastructure, will continue. It'll be much smaller than the secure switch market, but it will persist.

Two - the innovation cycle for security vs. switching. This topic is even more interesting, because every shop has this problem. Basically, people want their infrastructure to last five to seven years but they know security changes at a much faster rate. So how can you have a switch that can "keep up" with those security changes?

To be fast, switches have been built on ASICs. But a secure switch has to be updated to stay relevant. So the commodity merchant silicon chips that everyone - including ConSentry - uses to build their switches aren't enough. To build a secure switch, you also need programmability, but to keep up with LAN speeds, you need really fast programmability. For ConSentry, the answer is our custom CPU (see the Multithreading post from Dan a couple weeks ago).

And now we've come full circle - that combination of high speeds and programmability is why a secure switch isn't a commodity. Richard's panelists are right - you can't get the security you need in today's "cost per port" designed switches. But that's doesn't mean security and switching can't come together effectively - they just can't come together in those switches. You need a new architecture. You need a secure switch.

--Michelle McLean

mmclean-at-consentry-dot-com