April 24, 2008

Whither RSA?

RSA is a puzzling event. On the one hand it's a very successful meeting, fun to attend, and it brings together the IT security industry for a week. On the other hand, when we saw old friends and exchanged the traditional show greeting "What have you seen that's exciting?", the answer in general was "not much." That's paradoxical, or at least troubling. All the vendors were there and they were spending money like Persian Princes. And the security problems are as important as ever, if not more so. So if the spending is there and the problems exist, why wasn't there much new? It's a puzzlement. Part of the problem is that it's a lot harder to solve today's criminal attack problems than it was to stop worms and viruses. And the customer now wants to talk in terms of intelligent risk mitigation rather than just "preventing bad things from happening," and that's difficult too. Maybe most of the vendors know neither how to prevent the modern problems nor how their customer should justify the expense. We can hope that things will improve by next year.

Cisco and EMC Announce (something)

Cisco held a press/analyst day just before RSA that included a very interesting customer visit to (and dinner with) Esurance, the Web-based auto insurance company with the flashy cartoon ads. The event started with a "big" announcement of a partnership with RSA (specifically, integrating information from EMC's Infoscape technology -- where the Tablus DLP content analysis stuff ended up -- with the Cisco Security Agent, so the user would be notified when they were about to do inappropriate stuff with sensitive files). The cooperation makes sense and the basic ideas are noteworthy, but on balance the discussion seemed sort of premature because what was actually being committed to was vague and sounded more like a "Barney" announcement ("I love you, you love me, we're a happy family!"). There was more than enough "side story" to make up for any holes, however. Richard Palmer, the long-term Cisco security SVP and GM, is moving off to run the edge router group (a $6-7 B business!) and Scott Weiss, the GM and previous head of IronPort, is going to take over the larger security effort. The IronPort guys certainly think of security well outside the network box, so it will be interesting to see how they change direction and speed.

End-to-End Trust -- The next big thing or fiddling while Rome burns?

At RSA Microsoft (with great fanfare) introduced the notion of "end-to-end trust," presented in a White Paper by Scott Charney, VP Trustworthy Computing, and featured in Craig Mundie's keynote, shown here in dialog with Chris Leach, Affiliated Computer Services' CISO. The paper and the topic are thoughtful and meaningful, but the tenor of the paper is very academic and not at all prescriptive. My MS friends explained that there is still a good deal of remembered pain from Hailstorm, Microsoft's web authentication effort from some years ago, which was too prescriptive. Trying to resolve this tension I went around and polled some wise men in security on whether they thought we were winning the war (making the Internet safer), and sadly few feel very optimistic. In the past Microsoft has been a real industry leader in trying to drive collective change. Maybe it's just that Mundie isn't very comfortable wearing the shoes he inherited from Gates. With no blame meant toward Microsoft (they're still out in front of the pack in leadership), it sort of feels like the bad old days of Spam "control" -- fiddling while Rome burns. I wonder if the bad guys buy analyst services.

Infrastructure Successes and Failures:

In the last month John and I took separate (but equal!) vacations in Paris. John completed the Paris Marathon while I took my high-school daughter to visit this wonderful city on her Spring break. On our way back we were routed through Heathrow and had the bad luck of experiencing British Air's now infamous Terminal 5 on its first day of attempted operation. The BA planes were full of wonderful and expensive propaganda about how amazing and wonderful T5 was going to be (reminded me somehow of those old jokes about a computer salesman who never consummates his marriage, instead spending each night telling his new bride how great it's going to be). It took over two hours for our luggage to be unloaded into the new and marvelous baggage hall that was designed to be so efficient that it doesn't have any food or even anywhere to sit down (because the baggage will come so quickly!). Only the Brits can screw something like this up so badly (all those old British Leyland auto assembly workers must now work for BA). Anyway, as they often cheerfully say, "Sorry!"

Ain't Science Wonderful

You probably believed it was true anyway, but using expensive modern brain imaging technology, Stanford researchers have now gathered real evidence that sex does in fact help sell products (in this case motorcycles). To quote from their news release: "The study showed that when heterosexual men are exposed to positive emotional stimuli—in this case, erotic photos of a man and woman—an area of the brain associated with anticipation of reward is stimulated. In the immediate aftermath of that stimulation, men are consistently more likely to take bigger financial risks than they otherwise would, said Brian Knutson, assistant professor of psychology."

Malcolm Gladwell Blinks at RSA

Malcolm Gladwell (who I must confess is probably my favorite author) was one of the paid keynote speakers and gave a really excellent 45 minute talk more or less on the subject of his most recent book, Blink! Whether or not you've read the book, I really recommend the movie (in this case the keynote replay available from the RSA website). The book and the talk are all about how humans make good decisions (contrary, one might say, to the McKinsey consulting approach) and how important this problem is now that we are swamped with information to deal with (it turns out less is more). And Gladwell is very entertaining to boot.

March 17, 2008

Plays well with the other children!

Cisco and Microsoft, each a powerful competitor and market leader, have also shown that they can work together when so "encouraged" by their large mutual customers. The most impressive example, at least in our bailiwick, is the recent announcement of the addition of Windows Server services to Cisco WAAS acceleration appliances. In addition to "WAN acceleration" many customers need basic Windows services in branch offices, and the fact of the matter is that no one does Windows like Microsoft (I guess we shouldn't be surprised). So, leveraging virtualization, Cisco is supporting a virtualized version of Windows Server 2008 running as a guest O/S on top of the Cisco WAAS solution that is built on LINUX. Once enabled, these WS2008 guests are discoverable and manageable by Microsoft's System Center. This initial implementation is pragmatic and accomplished by use of the KVM module in LINUX rather than by virtualization of the WAAS system itself, so further interesting shoes may yet fall. In the same timeframe Riverbed announced the Riverbed Services Platform on a similar path. In the first release the RSP is even more pragmatic, enabling the protected execution of LINUX code from partners, but the second phase due at the end of the year is said to be much like what Cisco has done.

Drew and Woz Meet Andy

As part of our data center networking investigations, we visited with Arastra, Andy Bechtolsheim's latest venture. Andy is one of the most remarkable Silicon Valley fixtures. Not only has he made a lot of money, but along the way he's done some extremely elegant product designs, often doing things simply better than others or doing things that others didn't think could be done (or hadn't thought of). Arastra looks like another winner. It's a 10G switch, and as such is in a category most will never think about but probably use every day. But for those who deal with it directly, it's another really elegant example of Andy's work as the picture below shows:

Arastra's first product is a 48 port 1RU device, which is a packaging feat not unlike the Faberge Eggs that the Romanovs were so fond of. Just putting those 48 connectors in a 1U box and still having cooling work is pretty amazing to those practiced in the art. The Arastra switch is also interesting because it's a real deviation from a lot of Andy's early work, where he used high-complexity custom silicon to create a barrier to others who would follow. The Arastra switch has none. Instead it leverages standard parts and creates differentiation through packaging. Steve Wozniak practiced similar art with the Apple II, making amazingly clever use of standard parts while others piled on expense to do the same thing. Since hardware isn't the competitive barrier here, it must be software. The Arastra switch is designed for the addition of third party software (or the adaptation of existing code into switch functionality). The base operating system of the switch is LINUX, and real-time capabilities are then provided by an innovative NetWare-like inner environment with a shared state repository providing a lot of the coordination. NetWare was a marvelous software system when Drew Major first created it 20+ years ago in order to make a MHz-class PC serve as a high-performance I/O controller (today's multicore CPUs are maybe 5,000 times more powerful). High performance software designers rediscover NetWare regularly. It's sad we don't just teach it in school.

Critical Infrastructure Failures

The freezer compressor for the Safeway across the street failed, resulting in the loss of $100,000 worth of food, no small hit to a modest grocery store that runs on razor thin margins. I wonder if they have reconsidered having a more costly redundant system? Earlier this year there was a spate of undersea cable failures in the Middle East, enough of them and some in strange enough circumstances to lead to speculation that it wasn't simply chance. In the not too distant past undersea earthquakes and landslides led to multiple cable failures in the Far East. All of these cable failures significantly degraded Internet performance, especially for the time it took to sort out the new routes and stabilize everything. What's the point of all this? Most business executives and government leaders have no understanding of the structure or potential failure modes of the Internet that we all increasingly depend on, just like the manager of the Safeway, I'm betting, had no idea of how the freezer infrastructure was designed until the proverbial shit hit the fan. Even for network experts it's easy to design in the use of "redundant" networks for reliability only to learn under duress that all the providers share a common fiber cable. Should we be more worried about any of this? Is a more serious network failure due to not paying enough attention to risk as likely as a financial meltdown due to the inadequate understanding of the cascade started by sub-prime mortgage securities? Probably.

January 29, 2008

Overview of Today’s Newsletter Topics

Cisco is a remarkably vibrant $40B company doing business in a challenging industry where product prices are rapidly commoditized. Networking equipment is highly standardized and there is no shortage of vendors that are happy to sell at a lower (than Cisco) price. Through all this Cisco continues to transform, evolve and deliver innovative products to the market. Today Cisco introduced the Nexus family of switches. In December Cisco introduced the TrustSec architecture. We describe both briefly here and cover them more thoroughly in reports for our clients. Both are excellent and fascinating examples of what a vibrant company with dominating market share (Cisco probably prefers we don’t use that term but let’s call a spade a spade) can do even in such a constrained market space.

NEXUS -- Data Center Switching Redefined


Today Cisco announced the NEXUS switch family, a remarkable redefinition of data center switching. Over the last five years the data center has become more and more of an IT focus driven by these forces:


1. The increased deployment and use of shared, server-based applications and services,

2. The desire to improve IT cost efficiency (through consolidation),

3. The need to more carefully govern and control IT activities (regulatory compliance) and

4. The need to protect sensitive and private data.

The increased focus on the data center has in turn made it a fertile ground for innovation and yielded technology-enabled breakthroughs such as data center virtualization. As data center technologies and architectures evolved, the network stood out as much as a limitation as an enabler, in ways that seemed difficult to fix with just improved features.

From this perspective we can see that what Cisco has done with Nexus is an impressive systematic improvement to data center switching. Some of the elements we have seen before (what Cisco calls switch “virtualization,” for example). We knew that Cisco was working with Nuova to improve Ethernet so that it could serve as a transport for Fibre Channel SAN protocols. We had already seen in the Catalyst offering how Cisco has evolved the product line for customer investment protection, assuring that essentially all the components in the switch can be upgraded independently -- new control processors, new data backplane, and of course new line cards -- and that the old line cards had firmware flexibility to adapt to evolution in other parts of the switch. We knew that Cisco could and liked to do high-speed custom silicon (a great barrier to entry). NEXUS has all of that built into what is really a completely new network system for data center applications.

NEXUS represents a large and expensive product development effort for Cisco which we won’t try to describe in any real detail, but here are the key aspects:

1. Evolve switching so that Fibre Channel SAN traffic can use the same network fabric. NEXUS not only carries LAN and SAN traffic over the same switch but can use a single port for both. Converging these networks simplifies the data center infrastructure, reduces CapEx and OpEx and, according to Cisco’s numbers, saves an amazing amount of power when you consider the reduced number of server adapters required.

2. Create a data center network architecture where all ports are equal and minimize the need for any physical network moves and changes or re-cabling while supporting the IT agility inherent in a virtualized data center (the ability to move applications between servers at will).

3. Reduce CapEx while providing very high availability. This is where the switch virtualization yields high returns by eliminating the need for “standby” devices and using them in the network fulltime.

4. Improve network availability by greatly improving the network re-convergence time after failure. Cisco makes heavy use of Layer 2 coordination of the devices, thereby avoiding the recovery delays that come with traditional spanning tree algorithms and also flattening the topology toward the goal of having all ports equal for all tasks.

The net result over time is a data center network that is faster, more reliable and cheaper, hence what we think of as a real step forward. Along the way the feeds and speeds improve a lot. Having enough backplane capacity to assure that the backplane is never the limitation was key to the integration of FC SAN traffic. The switch uses a new operating system derived from the SAN-OS used in the MDS 9000 SAN switching products. FC requires assured delivery, which is quite different from traditional best-effort packet delivery. Since a lot of the features required in WAN routing don’t need to be supported in the data center, it made sense to move to an O/S platform with these key SAN primitives.

Cisco says that they set about rethinking data center switching when they began this effort quite a few years ago. Typically “rethinking” is added by the marketing people when a project is done, but in this case we think it’s probably true. This kind of wholesale systematic redesign is something only Cisco can do in enterprise networking (remember they own 70%+ market share to their nearest competitor's 7%). Most dominating companies get lethargic and spend more time resting on their laurels and improving the bottom line a little by constraining R&D spending. We’re delighted that Cisco is still driving progress so aggressively.

Cisco TrustSec Architecture

Cisco’s TrustSec architecture significantly advances the state-of-the-art in network-provided security. Security was much easier when the action was primarily at the enterprise headquarters. We had a “perimeter” model of security. If a user was inside the perimeter (local) then they were trusted. Access from outside the perimeter was not trusted. Life was very simple.

But over the last five years the perimeter has pretty much become useless as a means of judging or enforcing security. Most enterprise users are no longer within the headquarters network. Compliance, security and privacy issues require that we “distrust” internal users. Where the user is doesn’t particularly help, while at the same time securing applications and data is increasingly important. What should we do?

IRG has long believed that the right answer, categorically, is an evolution to “identity-based” networking where the identity of the user is the prime determinant, not just their network location, but how should this be implemented? Historically the prime means of defense were various forms of firewall rules, typically keyed off of source and destination IP number (network location again) augmented by some understanding about the specific flow (the application related to the traffic). Firewall rules were at best complicated (at worst incomprehensible), especially considering that firewalls were typically located in the “middle” of the network, where there was a lot of work to be done because of the diversity of flows that transited the network at that point -- sorting out what all the traffic was and then looking for the rules that were specific to that traffic. The difficulty of the approach was compounded by the challenge of fully understanding how traffic flows in a network and assuring that there aren’t any unanticipated network sneak paths that bypass the security devices.

A set of vendors including Nevis, Consentry and Vernier attacked this problem by putting much more intelligence at the network ingress points (e.g., where users connected to the network), and then using the user’s identity to determine the specific rules governing what they could do on the network. The difficulty in this approach is that it requires use of a new class of access switches with a great deal of security functionality on each port.

Cisco TrustSec re-factors the problem very creatively. The architecture encompasses these ideas:

1. Make the enterprise network more trustable (increase the confidence about the data that has transited the network);

2. When traffic enters the network tag each packet with an identifier that signifies what is known about it and do so in a way that most directly reflects how that data can be trusted.

3. Filter the data on exit from the network (e.g., at the point the network connects to a server) by acting on the tags.

TrustSec represents a long and large investment for Cisco; we can’t describe the details adequately here and won’t try. But the 50,000 foot view is relatively simple. We make the network trustable by (a) authenticating network devices before we let them join the network -- the device equivalent of NAC for people. For example, we can check the device serial number and the revision level of the firmware, assure that the signature of the firmware is authentic, and only authenticate the device if all those tests pass. Then (b) we encrypt the links between authenticated devices so that the data cannot be snooped and, more importantly, can’t be modified by some “man in the middle” attack. This encryption is done link-by-link using certificates received as part of the authentication process.

With a trustable network in place we next annotate traffic as it enters the network with what we know about it from a security perspective. Because the network is trustable we can confidently act on that tagging when the data exits the network because we know it hasn’t been modified. To simplify the filtering at the egress point, TrustSec is designed so that the tags used for the data identify the trust category (Cisco uses the term role) so the filtering task is as simple as possible since there aren’t complex IP-number-based rules to evaluate later on. A server only has to understand what level of trusted data to pass.

Finally, in a TrustSec based implementation, we need a way of tagging the data on entry. Cisco has announced a new family of edge switches capable of doing this tagging at line rates (a much simpler task than the challenge Nevis and Consentry had of doing full traffic identification and firewalling at line rate). An evolved version of NAC is used to authenticate the user and identify the suitable trust class (role) to assign to that user’s traffic. Anticipating the fact that Cisco customers aren’t going to do a wholesale refresh of their edge switches to implement TrustSec, there is a form of implementation in which the tagging is done by a switch inward from the edge coordinated with edge implemented NAC via out-of-band control plane communication.
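To make the ingress-tag / egress-filter idea concrete, here is an added illustrative model written for this newsletter, not Cisco code and not a description of the real TrustSec wire format. It assumes a NAC lookup that maps an authenticated user to a role, numeric role tags, an egress policy keyed on role rather than IP number, and an HMAC over tag and payload standing in for the link protection that keeps a tag from being altered in transit (all constructed values).

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed role table: the "trust category" (Cisco's term is role) that an
# evolved NAC assigns after authenticating the user. Numeric tags are assumed.
ROLE_TAGS = {"employee": 10, "contractor": 20, "guest": 30, "unknown": 0}

# Constructed NAC directory: user -> role; None means authentication failed.
NAC_DIRECTORY = {"alice": "employee", "bob": "contractor", "mallory": None}

# Egress policy at the server edge: which role tags each server accepts.
# Note there are no IP-number based rules here, only roles.
SERVER_POLICY = {
    "hr-db": {10},                       # employees only
    "build-farm": {10, 20},              # employees and contractors
    "captive-portal": {10, 20, 30, 0},   # everyone, including unauthenticated
}


@dataclass
class Packet:
    src_ip: str
    dst_server: str
    payload: bytes
    tag: Optional[int] = None     # set by the ingress switch
    mac: Optional[bytes] = None   # link protection, modelled as an HMAC


def nac_authenticate(user: str) -> int:
    """Return the role tag NAC assigns; unknown/failed users get the 'unknown' tag."""
    role = NAC_DIRECTORY.get(user)
    return ROLE_TAGS[role] if role else ROLE_TAGS["unknown"]


def _link_mac(link_key: bytes, tag: int, payload: bytes) -> bytes:
    # Binds the tag to the payload under the per-link key negotiated between
    # authenticated devices (assumption: a shared symmetric key per link).
    return hmac.new(link_key, tag.to_bytes(2, "big") + payload, hashlib.sha256).digest()


def ingress_tag(packet: Packet, user: str, link_key: bytes) -> Packet:
    """Edge switch: annotate the packet with what NAC knows about its sender."""
    packet.tag = nac_authenticate(user)
    packet.mac = _link_mac(link_key, packet.tag, packet.payload)
    return packet


def egress_filter(packet: Packet, link_key: bytes) -> Tuple[str, str]:
    """Server-side switch: act only on the tag, after checking it was not altered."""
    if packet.tag is None or packet.mac is None:
        return ("deny", "untagged")   # arrived via a path that never tagged it
    expected = _link_mac(link_key, packet.tag, packet.payload)
    if not hmac.compare_digest(expected, packet.mac):
        return ("deny", "tag or payload modified in transit")
    if packet.tag in SERVER_POLICY.get(packet.dst_server, set()):
        return ("permit", "role allowed for this server")
    return ("deny", "role not permitted for this server")


if __name__ == "__main__":
    key = b"constructed-per-link-key"
    for user, server in [("alice", "hr-db"), ("bob", "hr-db"), ("mallory", "captive-portal")]:
        pkt = ingress_tag(Packet("10.0.0.5", server, b"request"), user, key)
        print(user, "->", server, egress_filter(pkt, key))
```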

The net result of this is to greatly diminish the role of traditional firewalls for this kind of security while emphasizing NAC and data center switching all of which makes sense given Cisco’s market strength. So we give Cisco two thumbs up for TrustSec for significantly advancing the state of network-enforced security!

January 21, 2008

Cisco Reorganizes Engineering

We usually don't pay a lot of attention to Cisco organization changes as long as John Chambers is still in place at the top, but the recent engineering changes caught our eye. It starts with the Chief Development Officer -- Charlie Giancarlo -- leaving to join a Private Equity firm. The plot gets somewhat more interesting if you add in the fact that Chambers just hired Padmasree Warrior as CTO (she had been Motorola's quite visible CTO prior). Cisco's CTO role had been open since last held by Charlie, and not very visible since Judy Estrin left in 2000. Warrior will report directly to Chambers, as will the engineering functions. The other interesting change is that Chambers has built a software group led by Don Proctor and including the other major software development organizations. From our perspective software is at the core of Cisco's future given the system nature of most of Cisco's strategic initiatives. We look forward to seeing what Proctor decides to do.

Bandwidth Schmandwidth

It's been one of those "good news, bad news" months for bandwidth. At the Cisco Analyst meeting Chambers and others all mentioned an IP Traffic Forecast that Cisco had assembled (and has made available on their Web site along with a companion piece). For those of us who have been frustrated trying to get any meaningful traffic data in the past, this is a wonderful document that presents a coherent view of what's happening to IP traffic in the Internet (hint: it's growing!). On the other hand, Chambers got exuberant and suggested that in fact video usage could cause traffic to grow much faster, citing Cisco's own internal network growth driven by their aggressive use of TelePresence and other video services. Always eager to steal keen insights on the future, I tried to find the facts under the enthusiasm and came up short. It's a longer story than fits here but this is the Readers' Digest version. (1) Video On Demand is clearly a happening thing. (2) Unfortunately the evidence that exists suggests that what people will do with VoD is time shift the same stuff (it's not one of them mythical "long tail" things). In which case, (3) the video needs can be served with content caches of some form right near the point of consumption and all that bandwidth won't do much to drive network equipment spending. If any of you dear readers has a more compelling argument why video use will drive a lot of core Internet bandwidth, please share it with me!

Evildoer Update

If you want to understand security you can't ignore the economics, as Bruce Schneier likes to point out. If you take phishing for example, you can't expect the consumer or their ISP to spend much on the problem -- it's the financial institutions with brand and reputation at risk that have the most to gain from anti-phishing and therefore the most to spend. Early on, when most of the phishing discussions were on technical solutions, we were delighted to talk to the Cyota team because they very much thought of themselves as a service organization to financial service companies that happened also to bring some interesting technology to bear. Cyota was acquired by RSA and we hadn't talked to them since, until recently, when we had a chance to get an update on the state of the evildoer art. It's pretty chilling. If you think we're making a lot of progress getting cyber crime under control, you probably need to think again. It's not that good work isn't being done by Cyota and others. The problem is that the "enemy" includes some very bright and highly motivated criminals. It makes you think that maybe the right answer is ripping out the phone line and putting duct tape over unused electric outlets to keep them at bay.