News Blog

March 21, 2008 10:20 AM PDT

Analyzing the shut down of Lockdown

by Jon Oltsik

Lockdown Networks, a network access control (NAC) appliance vendor, shut its doors earlier this week. In just a few days, I've read a number of statements about the meaning of this event. A tech meltdown? The end of the NAC market?

Nope, it's nothing that bold or startling. To me, the ramifications are pretty simple:

• It's hard to succeed when you change horses in the middle of a stream.

When I first became familiar with Lockdown, the company was focused on vulnerability scanning to compete with companies like Foundstone, ISS, and Qualys. When this didn't work, Lockdown reinvented itself as a NAC appliance vendor. Anytime a start-up pulls an about-face like this, it is a sure sign of trouble. There are exceptions like F5 and Ingrian, which successfully went through an extreme makeover, but the vast majority of companies fail.

• When the big guys refer to your core functionality as a "product feature," you are in big trouble.

NAC appliance vendors used to compete with one another. Now they compete with Cisco Systems, Hewlett-Packard, Juniper Networks, and Nortel Networks, companies whose NAC features work with their devices, traffic management tools, and administrative consoles. As NAC moves from a tactical implementation to a strategic enterprise initiative, the appliance guys simply can't compete.

• This is a sign of an over-invested industry.

Lord knows why VCs invested in the sixth or seventh NAC appliance vendor a few years ago, but they did. The Lockdown failure follows the fire sale of Caymas Systems' assets to Citrix Systems last year, and others are sure to follow soon. I look across numerous other security niches and see the same thing. There are lots of 3-year-old start-ups with $40 million worth of investments, doing between $8 million and $10 million in revenue. What's the exit strategy for these guys? Seems to me that they either luck out through an acquisition (very few), go through VC extortion, recap and take a bath on shares, or die on the vine. Lockdown suffered the worst fate possible.

Now that I've voiced my opinion on what the demise of Lockdown means, let me be clear on what it doesn't mean. "Out of business" signs at Lockdown don't indicate that the NAC market isn't real--far from it.

Large organizations absolutely want to control who gets access to the network; they just want to centralize these policies and enforce them within the existing network architecture. Networks continue to get smarter, but the same can't always be said for entrepreneurs, investors, and (dare I say) analysts.

February 18, 2008 9:18 PM PST

Defending against insecure hotel networks with a VPN

by Michael Horowitz

My point last month, when I wrote that Ethernet connections in a hotel room are not secure, was that wired Internet connections in a hotel are no more secure than wireless connections. The issue I described involved a technically savvy guest reconfiguring the network to place their computer logically between you and the outside world. Thus positioned, they might as well be watching over your shoulder.

A few days ago Leo Notenboom cited two additional reasons why wired hotel connections can't be trusted: hotel employees can snoop and, if the rooms are connected with a hub, even a nontechie person in another room can easily snoop on your Internet connection (see "Can hotels sniff my internet traffic?").

There are two approaches for dealing with this, a good one and a bad one.

The bad one involves dealing separately with each Internet application. For Web browsing, this means only viewing sensitive pages through an encrypted HTTPS connection. For e-mail using client software such as Thunderbird (as opposed to Web mail), it means a nontrivial reconfiguration of the e-mail environment, which may not even be possible, since not all e-mail providers offer encryption. And even then, instant messaging, FTP, and other applications have to be dealt with individually. What a mess.

The good approach is to use a VPN, or virtual private network, to encrypt everything.

Virtual private networks

Often VPNs are spoken of in terms of corporate employees connecting back to their corporate LAN. But there are also VPNs for the rest of us. A handful of companies rent out VPNs to anyone, and they're not very expensive.

These rented VPNs provide a secure, encrypted pathway (techies use the term "tunnel") between you and the company renting the VPN. For example, if the VPN company is in Cleveland, your computer makes a secure connection to Cleveland. Everything traveling between you and Cleveland is encrypted. No matter who does what in a hotel, all they can get from you is a useless encrypted bunch of bits.

When your Web pages, e-mail messages, instant messages and whatnot get to Cleveland, they are decrypted and dumped onto the Internet just like everything else. The encryption is only between you and Cleveland, not end to end.

Put another way, someone staying at a hotel in California looking at my personal Web site, michaelhorowitz.com, in Texas would send an encrypted request for a Web page to the VPN company in Cleveland, where the request is decrypted and forwarded to Texas. My Web site responds and sends a Web page back to Cleveland (as far as my Web site knows, the request came from Cleveland) where the VPN company encrypts it and sends it to the hotel in California.
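To make the California-to-Cleveland-to-Texas path concrete, here is a small model of it as an added example; it is not code from this post or from any VPN vendor. It shows what three vantage points observe for one Web request with and without the tunnel: someone on the hotel hub, someone on the Internet between the VPN company and my Web site, and the Web site itself. The cipher is a stand-in (an HMAC-SHA256 keystream XORed over the data) so the script runs on the Python standard library alone; it is not a real tunnel cipher and has no integrity check. The addresses, the session key and the HTTP request are constructed sample data.

```python
"""Toy model of a rented VPN tunnel as seen from a hotel LAN.

Added illustration, not the post's or any vendor's code.  The cipher is a
stand-in (HMAC-SHA256 keystream, XOR) for the real PPTP/SSL tunnel cipher
so that the script needs only the standard library; it is not a real
cipher and has no integrity check.  Addresses and the request are
constructed sample data.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed addresses for the three parties in the post's example.
HOTEL_CLIENT = "10.0.5.23"     # laptop in the California hotel room
VPN_GATEWAY = "198.51.100.7"   # the VPN company "in Cleveland"
WEB_SITE = "203.0.113.80"      # the Web site "in Texas"

# Stands in for the key the VPN client and gateway agree on at connect time.
SESSION_KEY = os.urandom(32)
NONCE_LEN = 12


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a toy stand-in for the tunnel cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def tunnel_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fresh nonce per packet, prepended so the gateway can decrypt."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def tunnel_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def client_send(request: bytes, use_vpn: bool) -> Packet:
    """The packet the laptop puts on the hotel LAN, where anyone on a hub sees it."""
    inner = Packet(HOTEL_CLIENT, WEB_SITE, request)
    if not use_vpn:
        return inner
    # The whole inner packet, real destination included, rides inside the
    # tunnel; the hotel only sees a packet addressed to the VPN gateway.
    wrapped = inner.dst.encode() + b"\n" + inner.payload
    return Packet(HOTEL_CLIENT, VPN_GATEWAY, tunnel_encrypt(SESSION_KEY, wrapped))


def gateway_forward(pkt: Packet) -> Packet:
    """The VPN company decrypts and drops the request onto the open Internet."""
    if pkt.dst != VPN_GATEWAY:
        raise ValueError("not a tunnel packet")
    dst, _, payload = tunnel_decrypt(SESSION_KEY, pkt.payload).partition(b"\n")
    # From here on the source address is the gateway's and the data is plaintext.
    return Packet(VPN_GATEWAY, dst.decode(), payload)


def simulate(request: bytes, use_vpn: bool) -> dict:
    """Return what each vantage point observes for one request."""
    on_hotel_lan = client_send(request, use_vpn)
    on_internet = gateway_forward(on_hotel_lan) if use_vpn else on_hotel_lan
    return {
        "hotel_sniffer": on_hotel_lan,      # guest on the hub, hotel staff
        "upstream_sniffer": on_internet,    # anyone between the gateway and the site
        "site_sees_source": on_internet.src,
    }


if __name__ == "__main__":
    # Constructed sample request carrying a secret a snoop would want.
    req = (b"GET /account HTTP/1.1\r\nHost: michaelhorowitz.com\r\n"
           b"Cookie: session=secret\r\n\r\n")
    for use_vpn in (False, True):
        view = simulate(req, use_vpn)
        hotel = view["hotel_sniffer"]
        print(f"vpn={use_vpn}: hotel sees {hotel.src}->{hotel.dst}, "
              f"secret visible={b'session=secret' in hotel.payload}, "
              f"site sees request from {view['site_sees_source']}")
```

Two things the model makes visible that the prose only implies: the hotel snoop still learns that you are talking to the VPN company, and roughly how much, even though the page name, host and cookie are hidden; and the "upstream_sniffer" view is the same plaintext the hotel would have seen, because the tunnel ends in Cleveland. Anything you would not want readable on the open Internet still needs HTTPS or its own encryption on top of the VPN.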

This does slow things down a bit, but with a broadband connection the trade-off is certainly worth it and probably not noticeable.

To use the VPN service, you first connect to the Internet, then start up the VPN software. At this point you are safe, secure and happy. Anything your computer sends in the gap between connecting and bringing up the tunnel (a mail client checking for new messages, for instance) goes out in the clear, so start the VPN before doing anything else. When you are done, first shut down the VPN software, then disconnect from the Internet.

Where to rent

Two companies that rent VPNs are WiTopia and HotSpotVPN. Both offer two types of VPNs, PPTP and SSL. The pros and cons of each type of VPN are not something I'm ready to get into. Suffice it to say that a PPTP VPN is usually cheaper, probably won't require software to be installed, and is not as secure when compared to an SSL-based VPN.

The HotSpotVPN-1 service is based on PPTP, while HotSpotVPN-2 is based on SSL. HotSpotVPN-1 is roughly $9 per month, and HotSpotVPN-2 ranges from roughly $11 to $14 per month depending on the strength of the encryption. According to Steve Gibson, the cheapest encryption strength is sufficient. In both cases, yearly charges are 10 times the monthly charge. HotSpotVPN-1 is also available by the day or week.

WiTopia calls their rented VPN service PersonalVPN. The SSL-based version of PersonalVPN is only $40 a year (the equivalent service from HotSpotVPN is $110 to $140 per year). WiTopia does not offer the PPTP version by itself; instead they currently throw it in for free when you purchase/rent the SSL-based product.

HotSpot also throws in a PPTP-based VPN when you order their SSL-based product. Both companies point out that Apple's iPhone supports PPTP-based VPNs.

Using a VPN is a small annoyance, but security and convenience will forever be at odds.


For more on this see More about VPNs: Price and Trust from March 14, 2008.

See a summary of all my Defensive Computing postings.

Originally posted at Defensive Computing

August 29, 2007 1:05 PM PDT

Cisco's MARS invasion!

by Jon Oltsik

Little green men? Roswell, N.M.? Nope. This invasion is centered on Cisco Security Monitoring, Analysis and Response System (MARS). Cisco MARS (formerly Protego) is a hybrid event management and network behavior analysis product that monitors network/security devices and network traffic, looking for anomalous activities and ongoing security events.

Cisco is one of dozens of vendors who play in this networking/security management nexus. The competitors are not slouches; the list includes a few recognizable companies such as EMC, IBM and Symantec. Even the "start-ups" in this space are pretty mature. ArcSight, Arbor Networks, Mazu Networks and Sourcefire have been around for years, raised tons of dough, and established themselves with enterprise and service provider customers.

This raises the question: Why is Cisco MARS so prevalent? There are three main reasons:

1. Cisco continues to give away the razors to sell the blades. In this case, MARS is a razor, while switches, routers, security devices, IP-telephony or anything else Cisco sales reps have in their product catalogs are the blades. The strategy is simple. Get MARS out in as many accounts as you can. It's hard to buy a competing widget when Cisco will give you one for free.

2. Security remains a networking domain. Say what you will about recent security imperatives around encryption, data leakage protection or identity management, most security folks come from a networking background. In spite of IBM's data center presence, Microsoft's desktop dominance and Juniper's routing excellence, no one can shmooze the enterprise networking crowd like Cisco.

3. Cisco's phat sales and marketing resources give it an unfair advantage. OK, IBM and EMC are strong here too, but Cisco has done a great job of using its account relationships, field-level expertise and marketing communications skills to get its product in the door. In a confusing market space like security management, Cisco has the right people, money and message.

Many competitors dismiss Cisco saying that MARS is an inferior product. Hmm, sounds a lot like what Digital Research said about DR-DOS when Microsoft won the IBM PC business. I can't recall the last time I even thought about Digital Research, can you?

Right now, security management is extremely hot, so everyone is winning their share of business, but all the vendors in this space say that they see Cisco MARS everywhere. As things get a bit tighter, this may put Cisco in the security management catbird's seat.

July 2, 2007 7:05 AM PDT

Next step for Open 802.1X: Non-PC devices

by Jon Oltsik

Just before Interop in May, the OpenSEA Alliance, a new industry group focused on open software solutions for networking and security, was announced. The OpenSEA Alliance plans to develop a robust, multiplatform and widely available open 802.1X supplicant with the goal of emulating the successful Mozilla Firefox model.

Just what is an 802.1X supplicant? It's a piece of client code that authenticates an endpoint (e.g., a PC or laptop) to the network before it is allowed to communicate, and thus enhances security.

The OpenSEA Alliance is not alone in the PC space. Microsoft bundles an 802.1X supplicant in Windows XP and Vista. Juniper Networks got into this business when it acquired Funk Software and Cisco Systems did the same by purchasing Meetinghouse Network Access Security.

While the PC space is well covered, there is a new network-security frontier out there that remains barren. What about Internet Protocol phones? What about mobile devices? What about network-based appliances like printers? All of these systems communicate over IP, so it would be nice to know their identity before giving them carte blanche to chat over our pipes.

My suggestion is as follows: make the OpenSEA Alliance 802.1X supplicant the standard for non-PC network devices. Let's eschew the typical cycle of proprietary technologies, multiple standards bodies, and mental gymnastics for once and simply get to an open end-game where the next billion network devices are all instrumented in a common way. If we agree on this up front, we can expand IP communications and improve security at the same time. What a concept!

Who would benefit from such a radical idea? We technology users do. Universities love this idea because they are wired to the teeth. This would provide another layer of security. The New York Stock Exchange is the world's largest wireless implementation where traders use specialized devices, not PCs. I've talked to some folks there and they love the idea of accelerating standards-based technologies.

Health care institutions are adding all kinds of non-PC wireless devices as well. A standard 802.1X implementation would help here with thorny issues around identity and security as they relate to compliance with the Health Insurance Portability and Accountability Act.

Authentication, identity and security are difficult issues, but in my mind the technology industry makes things way harder than they need to be. By standardizing non-PC devices on the OpenSEA Alliance 802.1X supplicant, we can side step these issues for once. I just hope Apple, Avaya, HP, Motorola, Nokia, Nortel, Palm and Symbol--as well as all kinds of specialized-device makers--share a similar desire.

May 24, 2007 8:30 AM PDT

Adios, Interop

by Jon Oltsik

LAS VEGAS--After three days here--about as much time as any sane person should spend in this town--I bid adieu to Interop.

I heard that there were 21,000 people in town for the Interop conference. Judging by the horde of people leaving the Mandalay Bay convention center yesterday (and headed for the saloon for a little geek speak), I believe it. My takeaways from the show are as follows:

• The buzzwords this year were network access control, wide-area network optimization and security. Security is a must-have. NAC is real and will go from concept to strategy in the next 12 months. WAN optimization is also a requirement. Why? Enterprise networks and applications have been designed in isolation and don't work very well together. WAN optimization adds intelligence to bridge this gap.

• Networking folks are really smart technicians, but few can talk about business processes and solutions. Cisco Systems sure can, and until another vendor can match John Chambers and Co. on business chops, it will continue to dominate.

(Photo: David DeWalt)

• Wasn't network security supposed to be baked into the infrastructure by now? This certainly didn't really happen, and I still see real value in layering security on top of the network. Companies like IBM's Internet Security Systems, McAfee and TippingPoint Technologies continue to prosper in this space.

Finally, a friendly dig to old Enterprise Strategy Group friend Dave DeWalt, CEO of McAfee, one of the Interop keynote speakers. Dave's picture appeared next to other industry dignitaries like John Chambers (Cisco), Bob Muglia (Microsoft), and Tom Noonan (ISS/IBM) all over the show. Unlike these others, however, Dave's picture was more casual (no tie, open collar, etc.) and thus made it look like a personal ad. I can see the text now, "I enjoy walks on the beach and the Sunday paper. Looking for long-lasting relationship with as many enterprises as possible."

May 14, 2007 8:05 AM PDT

Introducing OpenSEA Alliance

by Jon Oltsik

Sometimes we analysts have an "all sizzle and no steak" reputation. We come up with high falootin' concepts, write reports and columns, and get quoted in the media, but we don't really "do" anything.

Former executive vice president of marketing for EMC, Bob Ano, once put it to me this way: "If I make a bet on your latest 'vision' and you turn out to be wrong, I lose my job and reputation. You simply change a few PowerPoint slides and move on."

With this as background, I am proud to say that I actually helped with the execution on one of my analyst ideas (albeit I played a supporting role at best).

Last summer, I was troubled by some industry activity that I believed might alter the progress of the IEEE 802.1X networking standard. My fear was that businesses' initiatives might actually impede the progress of 802.1X proliferation and thus render networks less secure.

With this in mind, I did what every analyst does: I wrote a bunch of stuff and pitched my ideas to the press. I proposed that the industry get together and develop an open-source version of the 802.1X supplicant in the model of Mozilla Firefox. Why Firefox? It's stable, it runs on lots of platforms, it's widely available, and it's extremely popular.

This time I went a bit further, though. I took my role beyond writing and actually took this idea to the networking and security industry. I found that a lot of folks shared my idea and passion. We all decided to work together to make something happen.

On Monday morning, the OpenSEA Alliance announced its existence to the world. The OpenSEA Alliance is comprised of six security and networking vendors (Extreme Networks, Identity Engines, Infoblox, Symantec, TippingPoint and Trapeze Networks), along with Ukerna/ja.net, a U.K.-based organization focused on high-speed networking for the U.K. academic community. The group will collaborate on delivering a stable, multiple-platform, widely available 802.1X supplicant based upon the existing Xsupplicant work done at the University of Utah.

While I did play a part in the genesis of this project, the six companies and Ukerna/ja.net really stepped up and worked diligently to create an open-source foundation. As I mentioned, the group is focused on an 802.1X supplicant today but will consider other open-source networking and security projects in the future. The group welcomes other vendors, government organizations, academic institutions and individual contributors to join in its efforts. More information is available at the OpenSEA Alliance Web site.

On a personal note, I learned a lot about open-source software, project management, and cooperation during this process. Cliff Schmidt of the Apache Software Foundation was instrumental in this effort and deserves a lot of credit. We also received a lot of advice and support from folks at Mozilla, the Eclipse Foundation and others in the initial phases of the project when I was completely green.

I wish the group continued success. With today's threat landscape, all technology users benefit when the industry works collectively on security and privacy safeguards. Hopefully, the OpenSEA Alliance will help make this happen.
