Perimeter defense - Tastes like chicken!
Submitted by Mike Rothman on Tue, 2006-06-13 15:01.
I was intrigued by Alan Shimel's post this AM (link here) about the inevitable morphing of IDS/IPS into something else. The metaphor he uses is the dinosaurs evolving into birds. I thought dinosaurs were extinct, but that's why I studied engineering and not history in school. Speaking of dinosaur birds, how cool is Rodan? Alan, does your 4-year-old grok Rodan yet? Man, sometimes I'm a total tool.
Back to the point. Alan uses the post to seemingly poke at some of the vendors that are now chasing sexier terms like UTM and NAC. Sure, there are quite a few struggling IPS vendors that are trying to reposition in the NAC space. That's not news, nor is it interesting. You'll always have those ankle biters chasing the next best thing, hoping to hit the Cisco, Symantec or McAfee acquisition lottery. So aside from the stupid vendor marketing tricks, there is actual technology evolution happening here, and it is both predictable and inevitable. At some point pretty much every technology hits the commodity curve. That happens when volumes go up, and in the IDS/IPS space we are seeing volumes (or my contacts are, at least).
Why? Because IDS/IPS is not sexy anymore. It's mature. It's stable. The channel knows how to sell it and implement it. It's low risk. We can certainly argue whether it does anything or not, but that's not the point. Customers THINK it does something, so they are buying it. I've got lots of contacts in the channel and end user community and IDS/IPS is on main street (in Geoffrey Moore's parlance). TippingPoint is keeping 3Com afloat, Sourcefire continues to grow rapidly and ISS is holding its own. It's largely because the unsophisticated masses are now buying IDS/IPS.
I don't think about markets in terms of HOW, I think in terms of WHAT. Huh? IDS/IPS, firewalls, network anomaly detection, email security and probably 10 other things are HOWs to me. How you do something. I like to examine the WHAT. You are protecting your perimeter - that's WHAT. I don't much care how you protect your perimeter, but you need to protect it. There are lots of ways to skin the cat. The right approach will have everything to do with what your environment needs, not what arbitrary category a vendor's product is placed in at some point in time.
I had an Incite at the beginning of the year called "Losing the Religion" (link here) and this is further confirmation of that path. UTM is all about using the right technique to block different attacks, while hopefully giving customers some management leverage. Of course the IDS/IPS vendors are going there because customers want them to. Only the biggest of the big can afford to support all sorts of different functions on different boxes with different management (see No mas box). The great unwashed want the IDS/IPS built into something bigger and simpler.
We are seeing the natural order of things. Getting back to Alan's bird metaphor - you've got lots of different birds and customers want something that tastes like chicken. It could be a Cornish hen or a turkey, but it better resemble poultry.
The second part of Alan's post is about Sourcefire basically focusing on post-admission control. It seems his biggest problem is that Sourcefire's RNA doesn't do pre-admission control. Yes, Alan sells pre-admission control, so he has strong feelings about its usefulness and you know on what side of the fence he's going to end up. But customers shouldn't be playing favorites. At some point, you'll need both.
Pre-admission only solves half the problem. It judges a device's state at the moment it connects, so what happens if a machine is compromised AFTER it is admitted to the network? Likewise, post-admission control doesn't prevent a compromised device or a foreign attacker from doing damage until the passive monitoring picks it up and quarantines it; there is always a window between the first bad packet and the quarantine. So neither solves the entirety of the problem: how do you make sure only the right devices get onto the network, and then that they do the right stuff once they are connected?
Over time the question becomes WHERE you perform these functions. My bet is that you do pre-admission control on an access gateway. Maybe an SSL VPN box on steroids to handle LAN speeds. Maybe on access points that terminate in-building wireless networks and public meeting spaces.
I think you do post-admission control in the network fabric. Initially you need to passively monitor traffic and centralize decision making, but over time (like 5-7 years), as more intelligence and capability makes its way into the wiring closet, you will actively enforce local policies in the closet and have a passive "overlord" watching everything to ensure network integrity and enterprise policy compliance.
It's a compelling vision and we are a long way off, but that's one guy's vote on how things shake out.
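To make the pre-admission/post-admission split concrete, here is an added example of my own, not code from Alan's post, from Sourcefire RNA or from any vendor product. It is a toy policy engine: a posture check that an access gateway would run at connect time, and a passive behaviour monitor that quarantines a device after it has been admitted. The devices, posture thresholds, fan-out threshold and flow records are all constructed sample data, and the "patch level" and "signature age" fields are assumptions for illustration. The point it shows is the one argued above: the gate can only judge the state presented at connect time, and the monitor can only react after some traffic has already been forwarded.

```python
# Added illustration (not from the original post or any vendor product):
# a toy NAC policy engine combining a pre-admission posture check with
# post-admission passive monitoring and quarantine. All devices, thresholds
# and flow records are constructed sample data.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Assumed pre-admission thresholds (illustrative, not a real standard).
MAX_SIGNATURE_AGE_DAYS = 7
MIN_PATCH_LEVEL = 3


@dataclass(frozen=True)
class Posture:
    """What an access gateway can learn about a device before admitting it."""
    mac: str
    managed: bool              # enrolled in the enterprise agent / directory
    signature_age_days: int    # age of the AV signature set on the host
    patch_level: int           # hypothetical monotonically increasing baseline


def admit(p: Posture) -> Tuple[str, str]:
    """Pre-admission decision: 'allow', 'remediate' (a VLAN that only reaches
    the patch server) or 'deny'. It sees nothing of what the device does later."""
    if not p.managed:
        return "deny", "unmanaged device"
    if p.signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        return "remediate", "stale AV signatures"
    if p.patch_level < MIN_PATCH_LEVEL:
        return "remediate", "below patch baseline"
    return "allow", "posture ok"


@dataclass(frozen=True)
class Flow:
    """One observed connection attempt, as a passive sensor would see it."""
    src_mac: str
    dst_ip: str
    dst_port: int


class PostAdmissionMonitor:
    """Passive post-admission control. It never sees posture; it watches
    behaviour. A device that contacts too many distinct hosts on one port
    (worm/scanner fan-out; threshold assumed) is quarantined and every later
    flow from it is dropped. Flows seen before the threshold is crossed are
    forwarded: that is the window pre-admission control does not close and
    post-admission control cannot eliminate."""

    def __init__(self, fanout_threshold: int = 5) -> None:
        self.fanout_threshold = fanout_threshold
        self._targets: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
        self.quarantined: Set[str] = set()

    def observe(self, f: Flow) -> str:
        if f.src_mac in self.quarantined:
            return "drop"
        targets = self._targets[(f.src_mac, f.dst_port)]
        targets.add(f.dst_ip)
        if len(targets) >= self.fanout_threshold:
            self.quarantined.add(f.src_mac)
            return "quarantine"
        return "forward"


def run_scenario() -> Dict[str, object]:
    """Constructed scenario: a healthy managed laptop passes the gate, later
    sweeps port 445 across the subnet (as a post-admission compromise would)
    and is quarantined by the monitor; an unmanaged box is stopped at the gate
    and never produces flows at all."""
    laptop = Posture("00:11:22:33:44:55", managed=True, signature_age_days=1, patch_level=4)
    rogue = Posture("66:77:88:99:aa:bb", managed=False, signature_age_days=90, patch_level=0)

    decisions = {laptop.mac: admit(laptop), rogue.mac: admit(rogue)}
    monitor = PostAdmissionMonitor(fanout_threshold=5)
    verdicts: List[str] = []

    # The admitted laptop behaves normally, then sweeps 192.0.2.1-8 on 445.
    if decisions[laptop.mac][0] == "allow":
        verdicts.append(monitor.observe(Flow(laptop.mac, "198.51.100.10", 443)))
        for host in range(1, 9):
            verdicts.append(monitor.observe(Flow(laptop.mac, f"192.0.2.{host}", 445)))

    return {
        "admission": {mac: d[0] for mac, d in decisions.items()},
        "verdicts": verdicts,
        "quarantined": sorted(monitor.quarantined),
        "flows_forwarded_before_quarantine": verdicts.index("quarantine"),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Run it and you get the two halves of the argument in one trace: the rogue never gets past `admit`, the laptop does, and the monitor only catches the laptop after it has already been allowed to hit four hosts on 445. Lowering the fan-out threshold shrinks that window but raises the false-positive rate on legitimate chatty hosts, which is the same trade-off a real post-admission product has to make.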