It's the great new debate of network security: Should security be an integral part of the network, or should it be its own technology category? Vendors are taking sides, and customers, for now, are stuck in the middle.
Network equipment vendors have spent the last two years busily repositioning themselves as security companies. The reason: Products like routers and switches are becoming cheap commodities. That means vendors can't sustain profit margins, so they have to look elsewhere for growth. Adding security to the switch is a natural reason to charge buyers more money. Network security is already a $1 billion market, according to Infonetics Research Inc. in Campbell, Calif. The secure router market grew an amazing 121% in 2005 on a tripling of shipments, compared with nearly no growth for the general router market, Infonetics said.
In the traditional security market there's chaos. A fragmented industry to begin with, vendors have responded to challenge from the big networking players by selling out, aligning with the new entrants or trying to diversify their business. There's a lot still to shake out there.
Users have to cope with new terms and concepts as a result of this shift. The first thing big vendors do when they get serious about a market is announce an architecture. Cisco Systems Inc. has Network Admission Control (NAC) and Microsoft has Network Access Protection (NAP). Both these ideas basically aim to keep the network secure by keeping bad devices from connecting in the first place. At some point, NAC and NAP are supposed to work together. Maybe. There's also a third option called Trusted Network Connect that was basically put together by Cisco's competitors. Whether it will work with the other two is anybody's guess.
The new network
The basic principle of Cisco's NAC and other initiatives is sound: If you sew up the network so that no one can get to it without meeting a very specific set of criteria, then you can greatly simplify security. It's a reversal of the security paradigm of the past, in which the network was open and we tried to keep the bad guys out. The new thinking is to keep everybody out except for a few invited guests.
If all this confuses you, don't be ashamed. This is a really big shift in technology and market structure, and it's confusing to a lot of people.
The good news is that users will eventually be better off for it. Security infrastructure is way too scattered and disorganized for most companies these days. There are separate appliances for firewalls, virtual private networks and intrusion detection and prevention. Then you've got your routers and switches, which have varying degrees of security in them. Finally, there is client and server software for handling things like spyware, viruses and denial-of-service attacks. It makes sense to bring all this stuff together, if not in a single appliance then at least under a single architecture.If all this confuses you, don't be ashamed. This is a really big shift in technology and market structure, and it's confusing to a lot of people.
Unfortunately, it's going to be pretty messy getting there. Every networking equipment vendor is reinventing itself as a security company, which makes for a stew of new strategies, frameworks and acronyms. Software companies are doing the same. Microsoft has said that Windows Vista will support some client-side admission features, but that's a year out. Meanwhile, the companies that plan to survive the shakeout are busily buying up smaller competitors.
Few small and midsized businesses (SMBs) can be bothered to wade through this stuff. If stability and predictability are your most important issues, then stick with Cisco. It will be there forever and will develop a nice solar system of third parties that support NAC. But it will cost you, because Cisco always does.
If choice and value are your guiding principles, then have a look at Trusted Network Connect. Many of those companies undercut Cisco on price, and a third-party network should be more open to innovative new entrants.
Microsoft will do whatever it wants to do. Just hope that it's compatible with your network.
The result of this reshuffling should be a cleaner, simpler security landscape for SMB customers. Just be ready for some headaches getting there.
Paul Gillin is a technology writer and consultant and former editor-in-chief of TechTarget. His website is www.gillin.com.