Incite Redux: Day 4 - Weaving security into the network fabric

Submitted by Mike Rothman on Mon, 2008-07-07 12:32.

Good Morning:
Kids say the darnedest things. At least mine do. At the beach, we usually trek down to the Boardwalk in the late afternoon for a few carnival rides, some dessert and basically to further tire the kids out before bedtime. Though I'm not sure how it happened, the Boss let my son out of the house in his Flash costume. Yes, the kid was walking along the boardwalk as the Flash.

And I'll also admit it was very cute. Lots of folks were commenting on his costume, including one jackass who confused him with Shazam! Come on now. Who doesn't know the difference between the Flash and Captain Marvel? Thankfully my older daughter goes up to the guy and says, "That's not Shazam, it's the Flash!" Wallflowers my kids are not.

So the boy actually seemed a little embarrassed by all the attention. He's a bit shy and he didn't like all those folks he didn't know talking to him (yes, it's hard to outrun your genetics). I tried to make him feel a bit better by saying that all those folks were talking to him because he's cute in his costume.

He looks up at me and the Boss and says, "I'm not cute." Huh? What do you mean you aren't cute, boy? Crap, do I need to set him up with the therapist right away? Is this a four-alarm self-esteem issue? Nope, he then follows that up with: "I'm not cute, I'm handsome!"

Yes boy, you are handsome. And bold and innocent and all the stuff that we old folks need to remind ourselves to be in the morass that is our daily lives.

Now go have some fun today. I'm certainly going to.

Incite #4: Weaving security into the network fabric

Network security hits the tipping point where it’s no longer considered novel or a “must-have,” but rather it’s just there – truly becoming a feature of the network fabric. Network Access Control remains a proxy for all things network security, and makes minor inroads in 2008 – largely as people stop talking about it. Independent NAC vendors either sell or struggle, as the big networks force their will on locked-in customers. The NAC standards battle turns out to be much ado about nothing.

Read the original Days of Incite post on this topic.

6-month grade: C+

The challenge of making prognostications is that things happen in my mind fairly quickly, and in the real world - a hell of a lot slower. So the idea that we will be getting to this mythical "Secure Network Fabric" is certainly still in the works - though it will be a multi-year evolution to get there. So let's look at the data points that validate this theme.

First is Cisco's TrustSec, which is basically another marketecture from the kings of marketecture - really focusing on how to evolve the current switch infrastructure into something more secure. Yes, it will take a long time and hopefully not involve a wholesale rip and replace of all your current gear (like the C-NAC Framework of old), although your Cisco rep would certainly like it. Basically, it's just a fancy way of saying what has been obvious for a long time. Network security will be in your network, not in a set of overlay boxes meant to protect your status quo switching fabric.

Juniper is also getting into the enterprise switch game and their differentiator? Ah, uh, well, it's basically their operating system and their NAC stuff. And scarily enough, that may be enough for the few that don't want to buy from Cisco and aren't comfortable that the other switch vendors will be around long enough to support their stuff down the road. So the Secure Network Fabric is happening, though at a snail's pace.

It's also been interesting to see how far and how fast the NAC business has fallen out of favor. Evidently all it took was a couple of high profile flame-outs and the rest of the business largely just shutting up and getting back to the business of actually solving some customer problems and selling some gear. 

And an amazing thing is happening: the business is growing. Modestly, though I'm not sure how modestly, since I don't do numbers and I don't believe what folks like Infonetics say. So I'll just use the term modestly, which is a lot better than not modestly. This is a disappointment to the investors and hype-meisters that have been looking for huge growth (meaning IPOs and high value acquisitions) out of this space, but in reality any kind of market growth is not a bad thing nowadays.

Customers still have problems with visitors and outsourcers and other folks that now are supposed to be on their networks, but without the ability to manage those devices. These problems sometimes bubble to the top of the priority list, especially if an auditor has said to fix it for compliance purposes. My biggest issue with the space was whether a customer could wait to deploy NAC, and the answer has largely been yes, but enough folks feel the pain to keep the business moving forward.

Who is doing well in this space? Everyone says they are doing great, just like Lockdown. Ultimately, it doesn't matter. My procurement philosophy has to do with solving your problems, not with picking who is doing well. So figure out what problems you are trying to solve and then figure out if NAC is the right solution for you. But the key here is to focus on the longer term and how you want to get there. The reality is, you will be rolling out a secure network over the next 5-7 years. Do you want to evolve slowly or quickly? Do you have an option? Is an overlay the best answer or do you want to start incrementally updating your fabric in crucial areas?

There are lots of questions to ask and that is the most important part of considering a NAC solution. In terms of grading this Incite at the 6 month mark, it's good in some areas and not so much in others. Overall, a mediocre showing, which is about a C+.

Photo credit: leigh.

2008 DOI: Day 4 - Weaving security into the network fabric

Submitted by Mike Rothman on Fri, 2008-02-15 09:43.
2007 Incite: Trust No One
The “insider threat” continues to garner tremendous hype, but leaves customers struggling to figure out muddled offerings and providing disappointing results for early adopters. The NAC (network access control) bubble pops rather visibly in a maelstrom of confusion, forcing users to focus on solving specific problems (like visitor and contractor access) and implementing monitoring processes which result in checks and balances at all levels of the organization.

2008 Incite: Weaving security into the network fabric
Network security hits the tipping point where it’s no longer considered novel or a “must-have,” but rather it’s just there – truly becoming a feature of the network fabric. Network Access Control remains a proxy for all things network security, and makes minor inroads in 2008 – largely as people stop talking about it. Independent NAC vendors either sell or struggle, as the big networks force their will on locked-in customers. The NAC standards battle turns out to be much ado about nothing.


When you think about it, there really shouldn’t even be a network security industry. Who is going to connect to the Internet bareback nowadays? Only Rip Van Winkle. Even back in the late 90’s you had to look hard to find folks that didn’t use firewalls. But a firewall alone does not a network security strategy make.

So we had things like IDS and then eventually IPS that made inroads. We had application oriented attacks, so we needed spam gateways, web filters, and web firewalls. Now we have application firewalls because the existing network security devices can’t really handle some of these newfangled attacks. It’s that same innovation, integration, and consolidation cycle I mentioned yesterday.

At the same time the perimeter defenses were integrating, we had a general acknowledgment that letting infected devices connect to our networks was a bad thing. It just took a few SQL*Slammers to show how dangerous it was when a mass proliferating anything breached your perimeter. So the network access control business was born. It was actually called Network Admission Control initially, and Cisco coined the term. Of course, the ABC (anyone but Cisco) crowd couldn’t let that happen, so they all banded together and figured Network Access Control (NAC) was a better term.
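To make concrete what "not letting infected devices connect" actually means at the admission point, here is an added example that is not from the post or from any vendor's product: a small Python policy engine that takes an endpoint's identity (from 802.1X, or none), its role, and a posture report, and decides which network it lands on. Every role name, VLAN label, threshold and sample endpoint below is an assumption constructed for the example. The point it illustrates beyond the prose is that a missing or incomplete posture report must be treated as unhealthy (fail closed), and that the visitor/contractor case is handled by role rather than by letting unmanaged devices through.

```python
"""Toy NAC admission engine (added example; names and thresholds are assumptions).

Decision order: identity first, then posture, then role-based placement.
Anything the policy cannot vouch for ends up quarantined or denied rather
than on the production network.
"""
from dataclasses import dataclass
from typing import Optional

# Hypothetical network placements (labels are assumptions, not a real product's).
FULL_ACCESS = "corp-vlan"          # production network
CONTRACTOR_ACCESS = "contractor-vlan"  # limited, managed outsourcer segment
GUEST_ACCESS = "guest-vlan"        # Internet-only
QUARANTINE = "remediation-vlan"    # can reach patch/AV servers only
DENY = "deny"

# Assumed policy thresholds.
MAX_AV_SIGNATURE_AGE_DAYS = 7
REQUIRED_PATCH_LEVEL = 3

# Assumed agentless exceptions (printers, etc.). MAC-based exceptions are
# spoofable, so they get their own restricted segment, never FULL_ACCESS.
AGENTLESS_ALLOWLIST = {"00:11:22:33:44:55": "printer-vlan"}


@dataclass
class Endpoint:
    mac: str
    identity: Optional[str] = None   # 802.1X identity; None = unauthenticated
    role: str = "unknown"            # "employee", "contractor", "guest", "unknown"
    posture: Optional[dict] = None   # None = no agent / no posture report


def posture_problems(posture: dict) -> list:
    """List every failed health check; a missing key counts as a failure."""
    problems = []
    if not posture.get("av_running", False):
        problems.append("antivirus not running")
    if posture.get("av_signature_age_days", 10**6) > MAX_AV_SIGNATURE_AGE_DAYS:
        problems.append("antivirus signatures stale")
    if posture.get("patch_level", 0) < REQUIRED_PATCH_LEVEL:
        problems.append("below required patch level")
    return problems


def decide(ep: Endpoint) -> tuple:
    """Return (network, reason) for one endpoint. Fails closed on anything unknown."""
    # 0. Agentless exceptions by MAC: restricted segment only.
    if ep.mac in AGENTLESS_ALLOWLIST:
        return AGENTLESS_ALLOWLIST[ep.mac], "agentless device on MAC allowlist"
    # 1. Identity: no authentication means guest at best, otherwise deny.
    if ep.identity is None:
        if ep.role == "guest":
            return GUEST_ACCESS, "unauthenticated guest, Internet-only"
        return DENY, "unauthenticated and not registered as guest"
    # 2. Posture: an authenticated managed device with no report is not healthy.
    if ep.posture is None:
        return QUARANTINE, "authenticated but no posture report"
    problems = posture_problems(ep.posture)
    if problems:
        return QUARANTINE, "; ".join(problems)
    # 3. Healthy: placement by role.
    if ep.role == "employee":
        return FULL_ACCESS, "healthy managed endpoint"
    if ep.role == "contractor":
        return CONTRACTOR_ACCESS, "healthy contractor, restricted segment"
    return QUARANTINE, "healthy but unrecognised role %r" % ep.role


# Constructed sample population for the example.
HEALTHY = {"av_running": True, "av_signature_age_days": 2, "patch_level": 3}
SAMPLE_ENDPOINTS = [
    Endpoint("aa:aa:aa:aa:aa:01", identity="alice", role="employee", posture=HEALTHY),
    Endpoint("aa:aa:aa:aa:aa:02", identity="bob", role="contractor", posture=HEALTHY),
    Endpoint("aa:aa:aa:aa:aa:03", identity="carol", role="employee",
             posture={"av_running": True, "av_signature_age_days": 30, "patch_level": 3}),
    Endpoint("aa:aa:aa:aa:aa:04", identity="dave", role="employee"),   # no agent report
    Endpoint("aa:aa:aa:aa:aa:05", role="guest"),                        # visitor
    Endpoint("aa:aa:aa:aa:aa:06"),                                      # unknown, unauthenticated
    Endpoint("00:11:22:33:44:55"),                                      # allowlisted printer
]


def evaluate_all(endpoints=SAMPLE_ENDPOINTS) -> dict:
    """Map each MAC to its (network, reason) decision."""
    return {ep.mac: decide(ep) for ep in endpoints}


if __name__ == "__main__":
    for mac, (net, why) in evaluate_all().items():
        print("%s -> %-16s (%s)" % (mac, net, why))
```

Running it prints one placement per sample device; the two cases worth noticing are the employee with no posture report, who is quarantined rather than trusted, and the allowlisted printer, which is placed on its own segment because a MAC address proves nothing about the device behind it.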

NAC was the second coming. NAC was everywhere. NAC could cure cancer. That’s if you believed the hype. I, of course, did not and was projecting a disappointing 2007 for NAC. I was right, but that was obvious. No technology could live up to that hype. And it didn’t.

So where do we go from here? Basically I think a lot of folks forgot the first word in network security, and that is NETWORK. I’m seeing a lot of operational security resources migrate back to the ops teams (and the pendulum swings back) – so a lot of the buying decisions for network oriented stuff is going to increasingly end up with the network folks.

Guess who networking folks like to buy product from? Right, networking vendors. Thus, it’s just a matter of time before Big Networking squeezes the network security specialists out. So anyone selling an exclusively overlay network security solution is going to have a problem. Over time, those capabilities are built into the switch. So if you don’t have a switch and you do NAC, I’m hard pressed to see how that works out a couple years from now.

To be clear, this is not an absolute and it’s going to take years to get there. But to think that end users want layers of overlay security on top of their devices is silly. Also figuring that your favorite big networking vendor isn’t going to get the majority of network security market share is being naïve.

That means the shakeout will continue. And this year it’ll be more than just Vernier becoming Autonomic and heading for higher ground (again). The good news is that there are a lot of big networking firms that don’t really understand security. Most are struggling, but they still have a lot of dumb money. That means Barnum can come in and sell them a bill of goods. It also means that it’s a race, and the one without a seat when the music stops is in a world of hurt.

But don’t believe me. Believe a couple of guys that are actually smart. Thomas and Nate debate NAC towards the end of their annual predictions. And they are right.

Lastly, I want to drive my stiletto deep into the heart of NAC standards. Windows Server 2008 is pretty much here, so now that means NAP will become pervasive, right? Wrong. Cisco has its own thing, and everyone else has TCG/TNC.

But the cold, hard truth is that customers don’t care about standards. If the functionality were important enough, they would deploy the technology without a standard. If it’s not, they tell the sales reps that “standards are important” and they are going to wait for the standards to shake out. That way the sales rep’s ego isn’t impacted and they’ll stop calling. But in reality, the customer is saying, “What you do isn’t important enough to me, so I’ll wait until it is.”

And that seems to be the story of NAC.

Stiennon sends a love note to Check Point

Submitted by Mike Rothman on Thu, 2006-10-26 11:55.

Not sure if the word is out, but Richard Stiennon will be taking on my former columnist slot at NetworkWorld. Good luck with that Richard. Hopefully you can learn from the line I drew in the sand. I believe his first column appears on Monday.

But just as I went out swinging, Richard is coming in swinging. Richard sends Gil Shwed of Check Point a little love note here. Something tells me Gil just took Richard off his Hanukkah card list. But Richard makes a number of good points about what Check Point should be doing next. I won't rehash the entire letter here, but put my spin on a few points that Richard makes.

  1. Check Point needs to ship a hardware appliance - First of all, Sofaware doesn't count. I agree with this and believe given the need for Check Point to fortify their enterprise and service provider position, they should buy Crossbeam. And they should do it today. If someone like Lucent/Alcatel, Motorola, Ericsson or Siemens takes them out you'll be sorry Gil. You really will because Richard is right, the service providers are itching to build in-the-cloud security services and Crossbeam can help get you there. And yes, Nokia will be pissed, but where else are they going to go? There is minimal risk there.

  2. Check Point should focus on the network - This I disagree with. Given that I believe "big is the new small" I don't see how it's defensible over any length of time to not play on the servers or on the endpoints. Customers want more integrated solutions to help with the mind-numbing complexity they have to deal with, not just networking stuff. Check Point already does the endpoints OK (with the Zone stuff), but now they should buy a database security player (maybe like Imperva and bring Shlomo back home) to gain exposure to that segment.

  3. Reset expectations on margins - This is an astute observation from Richard. Check Point's unbelievable, Microsoft-ian margins are not doing them any favors. They've set unrealistic expectations for Wall Street that they need to leave behind. Buying a box player is one way to do it and making it more attractive to sell for the channel is another. And Check Point has such margin cushions, they could add another 5 points for the channel and not even breathe heavy. Juniper, not so much.

There is one other thing I'll add to Richard's suggestions. Take a long hard look at WAN and web site optimization. I'm a big fan of focus and believe there are lots of security things you can (and should) focus on, but Citrix is right. The perimeter is consolidating around secure accelerated access. Application and network acceleration is a perfect complement to the stuff you already sell to customers. If you don't want to mess around in the data center, dig deeper into the perimeter and what's selling in the perimeter is application and network acceleration.

But as with Richard, feel free to take my feedback with a grain of salt. And I have no doubt that you will. You can milk your existing installed base for years to come, maintain your crazy margins and just exist. But what fun is that? It's about winning and right now, you ain't. So get out the checkbook and get moving, time's a-wasting...

 

DISCLOSURE: I am a very very very limited partner in a venture capital fund that has invested in Crossbeam. I have no involvement in the management of the fund or any of its portfolio companies.