Ted Schlein from Kleiner Perkins is obviously a smart guy (I tend to go with the theory that people who serially invest in successful companies know what they are talking about; everyone else just got lucky). He gives an interview in NWW today asserting that the way of the future in security is to focus on the client. Ted makes some good arguments, and I agree that there are some things that are best handled with a client if you have that luxury (blocking USB thumb drives, for instance), but I have to call BS on a couple of points.
The first is that Ted conveniently avoids the issue (or is it selective recall?) that if you put security in userland (i.e., client software), it inevitably becomes part of the problem. It is software written by humans, after all, and therefore will have vulnerabilities. The interesting part for me is that Ted started his career writing software for Symantec, specifically their anti-virus product. In recent history there have been at least two incidents where vulnerabilities in the Enterprise Edition of Symantec AV were the focus of attacks: in one an endpoint could be completely taken over, and in the other RINBOT targeted Symantec software. So, if Ted is right and the future is all about the client, who's watching the watchmen? Surely if there is one thing we have learned over the past 20 years, it's that we need layers of security.
The second point I take issue with is Ted's assertion that the security focus needs to be on the endpoint. Well, actually that's not the issue; I'm in violent agreement with him there. But he goes on to say there is no value in blocking the roads (i.e., the network paths), and that's where I have a problem. It strikes me that Ted may not be up to speed on the concept of LAN Security. I think he still thinks of network security as firewalls and IPS devices high in the network. In that case the network contributes little to securing the endpoint, but with LAN Security devices like the Secure Switches and Appliances that we provide, we have focused on the endpoint and integrated multiple identity-aware security technologies (NAC, stateful firewall, application layer gateways, Layer 2 security, IPS signature matching, anomaly detection, etc.). All of these technologies operate in unison, to improve both accuracy and security, at tens of gigabits per second right down to the port in the wiring closet, giving you, in effect, a personal network security agent for every user on the network, without putting it in userland. Do we think this supersedes the need for client software? No, not at all, but it certainly makes things a hell of a lot more secure and gives you the confidence that someone is watching the watchers.
//Dom Wilde
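To make the "personal network security agent at the port" idea concrete, here is a small added illustration. It is not code from the post, from Nevis, or from any vendor product; it is a toy model of two of the technologies listed above working together at an access port: a NAC identity binding (which authenticated user and role sits behind each switch port) and a stateful flow table that only admits return traffic for flows the port itself initiated. The port numbers, addresses, roles and policy rules are constructed sample data. The point it demonstrates is the one in the post: the decision is made in the network from what the switch observes, so it holds no matter what the endpoint's own software claims or whether that software has been subverted.

```python
"""Toy identity-aware, port-level enforcer (added illustration, not vendor code).

Models NAC identity binding + stateful flow tracking at a switch access port.
All ports, addresses, roles and rules below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# A flow as observed leaving the access port: (src_ip, dst_ip, proto, dst_port)
Flow = Tuple[str, str, str, int]
# A policy rule: (dst_ip or "any", proto, dst_port) a role is allowed to initiate
Rule = Tuple[str, str, int]


@dataclass
class PortBinding:
    user: str
    role: str


@dataclass
class PortEnforcer:
    # Result of NAC authentication: identity behind each physical port
    bindings: Dict[int, PortBinding] = field(default_factory=dict)
    # Role-based policy: what each role may initiate
    policy: Dict[str, Set[Rule]] = field(default_factory=dict)
    # Stateful table of flows already admitted, kept per port
    established: Dict[int, Set[Flow]] = field(default_factory=dict)

    def authenticate(self, port: int, user: str, role: str) -> None:
        """NAC has authenticated a device on `port`; bind identity, reset state."""
        self.bindings[port] = PortBinding(user, role)
        self.established[port] = set()

    def link_down(self, port: int) -> None:
        """Identity and flow state die with the link; the next device starts from zero."""
        self.bindings.pop(port, None)
        self.established.pop(port, None)

    def outbound(self, port: int, flow: Flow) -> str:
        """Decide on a packet the endpoint is sending into the network."""
        binding = self.bindings.get(port)
        if binding is None:
            return "deny: unauthenticated port"
        _src, dst, proto, dport = flow
        allowed = self.policy.get(binding.role, set())
        if (dst, proto, dport) in allowed or ("any", proto, dport) in allowed:
            self.established[port].add(flow)  # remember so the reply can come back
            return f"allow: {binding.user} ({binding.role})"
        return f"deny: role {binding.role} may not initiate {proto}/{dport} to {dst}"

    def inbound(self, port: int, reply: Tuple[str, str, int, int]) -> str:
        """Decide on a packet arriving for the endpoint: (src_ip, dst_ip, proto, src_port).

        Only the reverse of a flow this port initiated is admitted; anything
        unsolicited is dropped regardless of what the endpoint would accept.
        """
        if self.bindings.get(port) is None:
            return "deny: unauthenticated port"
        src, dst, proto, sport = reply
        if (dst, src, proto, sport) in self.established.get(port, set()):
            return "allow: established"
        return "deny: unsolicited inbound"


def build_sample_enforcer() -> PortEnforcer:
    """Constructed sample policy: staff may browse HTTPS anywhere and reach the
    file server on SMB; nothing else may be initiated from a staff port."""
    return PortEnforcer(policy={
        "staff": {("any", "tcp", 443), ("10.0.1.20", "tcp", 445)},
    })


if __name__ == "__main__":
    e = build_sample_enforcer()
    e.authenticate(7, "alice", "staff")
    print(e.outbound(7, ("10.0.0.7", "10.0.1.5", "tcp", 443)))   # allowed by role
    print(e.inbound(7, ("10.0.1.5", "10.0.0.7", "tcp", 443)))    # reply to that flow
    print(e.outbound(7, ("10.0.0.7", "10.0.0.9", "tcp", 445)))   # lateral SMB to a peer
    print(e.inbound(7, ("10.0.0.9", "10.0.0.7", "tcp", 445)))    # unsolicited inbound
    e.link_down(7)
    print(e.outbound(7, ("10.0.0.7", "10.0.1.5", "tcp", 443)))   # no identity, no access
```

The stateful table is what makes the "blocking the roads" half of the argument more than a static ACL: the port admits exactly the return traffic its user solicited, and a host that has been taken over cannot widen that by changing anything on itself. Whether the endpoint's agent is healthy, compromised or absent never enters the decision.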



Dom, I think you are right on here. Stiennon actually calls this a secure network fabric. On the other hand the Forrester guys seem to buy into the endpoint thing as well. Not sure why they all think it has to be one or the other. Why not have both?
Posted by: ashimmy | June 15, 2007 at 09:09 PM