Illuminations

Aside from being immensely amused at Alan's incredible self belief that someone appointed him the NAC Sheriff (he already ran those Forescout scoundrels out of town), and that we're all guilty of idiocy, incompetence and outright lying until we can prove we're innocent, I'm really struggling to understand where he is coming from in his latest rant and what point he is trying to make.  Come to think of it I'm still trying to find the point of the previous rant as well.  I see a bunch of wild aspersions cast about, and I see that he believes the onus is on me to prove to him that his amateur assessment of our technology is incorrect.  I actually think it's more fun to let him keep guessing as he seems to have enough time on his hands to spend worrying about what everyone else is doing.  I will, however, give you a couple of clues Alan:

1) The Firewall is not IPtables (can I say it any clearer?).  It provides application layer gateways and  application recognition and control (read L7, not just L3/L4) for every user and every port while still maintaining switching performance and latency.  Just because you don't know how to do it Alan, doesn't mean it isn't so.

2) The IPS functionality is not SNORT based (can I say it any clearer?).  It integrates signature matching along with protocol, traffic and behavior anomaly algorithms.  The signature set is developed in house by our security research team.

Now, I think we can all agree that Alan was plain wrong about those two items, so it's safe to assume that there is a high probability that his other accusations were wrong too.  N'est pas?  At the end of the day the market is going to decide truth from fiction, and I'm very willing to put my fate in the hands of that justice system rather than the StillSecure Kangaroo Court.

So Alan, here's a few questions for you:

a) You claim to be an out of band device, but it appears from the recent NWW test that you in fact sit in-line.  So, how does your box fare with triple play and quad play traffic?  Cause any bottlenecks?  Add any latency?  Bring the network down when the box fails?  I'm sure you'll say no to all of the above, but why should I believe you?  Remember, this is Sheriff Shimel's town and whatever you say must be a flat out lie.  Either that or you can't be smart enough to overcome the problems.  Oh, but hang on, Sheriff Shimel's rules only apply to the rest of us, so you'll get away with that.

b) So you can't do authorization based on user roles?  Man, that must make policy configuration a bit of a nightmare, even in a moderate sized organization.  I'm guessing you'll say no, but watch out for Sheriff Shimel, you know that won't fly with him.  What am I saying?  I keep forgetting it's only the rest of us who have to worry about that. 

c) These advanced endpoint checks that you've been crowing about.  Apparently you need a PhD in Python to make them usable.  So does anyone actually use those features?  Again, I'm sure your answer is yes, and Sheriff Shimel's special rules apply again.

d) So you don't have the ability to detect if an endpoint is already infected other than a few token things like Blaster?  I'm guessing the answer to this one is that you'll sell me your IPS to cover that.  But hang on a minute, how much will that cost me, and will it actually prevent rapidly propagating malware at the user edge of the network anyway?  I'm pretty sure Sheriff Shimel will turn a blind eye to this one

e) Apparently your reporting capabilities leave a lot to be desired, so how does anyone know if they're getting any value out of the solution?  Yep, you guessed it, Sheriff Shimel is going to give you a get out of jail free card on this one

As I mentioned earlier, the market will ultimately decide our fate.  There are many different ways to skin a cat, but we have a strong belief here at Nevis that integrating (not bolting on) NAC, identity-based application intelligent firewalling, and IPS, significantly increases the value proposition to the customer, enables new business initiatives and provides greater IT efficiency savings.

Finally, just so I can end this feeling like I might have contributed something of worth to the World (and for the sake of my own sanity), here's some background and thinking on why general purpose processors can't provide the level of performance required to do deep security processing in the LAN:

The LANsecure ASIC provides the enabling technology for the entire LANenforcer product line, having been designed from the ground up as the basis for a family of security platforms. The overarching design goals were to enable integrated deep packet inspection security with high throughput flow-based network processing in a way that scales in multiple dimensions.

Most security appliances today are designed around general-purpose processors. As these processors were not really designed for networking, most appliances add FPGA, NPU, or custom ASIC front-ends. These front-ends offload mechanical fast path processing to enhance performance. However, slow path classification and security policy processing, including looking deep into packets to detect and identify malware, still must be done in software on the CPU, or in look aside peripheral processors attached to the CPU.

The LANsecure ASIC overcomes this fundamental scalability limitation by integrating slow path security processing directly into the massively multi-threaded network processing engines. This not only enables integrated flow classification and stateful firewall policy processing, it modularizes the processing to support scaling, and provides the ability to react in real time to changes in policy or dynamic network threat status.

Since the LANsecure fast path is entirely in software, it can easily be extended to accommodate additional security or networking services in subsequent software releases. Furthermore, it uses the integrated security engines to accelerate in-line security processing on every packet, including threat signature matching, and checksum verification.

In summary, each LANsecure ASIC provides

And thanks for the medal Alan, I will wear it proudly

//Dom