Cisco TrustSec: What does it mean for the industry?
The blogosphere has been surprisingly quiet about Cisco's TrustSec announcement, so I thought I'd weigh in and try to get some debate going. Mitchell Ashley did put out a couple of insightful posts on the subject, and there have been a few articles reporting the news.
First thing I should say is that this announcement finally validates what we've known for some time. Managing internal access to an Enterprise LAN is a problem too complex for the traditional Cisco topology-based access control approach. You absolutely need to take an identity-based (or role-based) approach; otherwise the task of defining and managing policy becomes complex and unworkable. So the first piece of good news from this announcement is that we will be able to stop wasting energy on the religious wars over topology vs. identity, because the big guy on the block finally admits that we were right all along.
As an aside, I do have to have a chuckle at Jayshree's quote on CNN where she claims "a new paradigm for security in role-based user access to applications and resources without compromising business velocity". Puhleeease, Nevis Networks, Consentry, Vernier (or should I say Autonomic Networks, as they are to be known henceforth, more on that later) have been shipping solutions for years, and the paradigm was around long before that (can you say DEN). So history will be recast and re-written again, but that's ok. I'm quite flattered, actually: since Cisco has viewed our website over 2500 times in the past 6 months, I'm going to assume that their marketing team learned a lot from us.
So what about the Cisco TrustSec technology itself? What will this mean for customers and the market?
Cisco vs. Microsoft - Round 1,658 ding, ding
TrustSec is a Cisco response to Microsoft's Server and Domain Isolation. We saw an attempt by the two giants of the Enterprise to make nice over NAC/NAP with the promise of interoperability, but it strikes me that they are increasingly trying to solve the same problems at different network layers, so how long will that peace last, and who ends up as the collateral damage in the ensuing battle? You guessed it: Enterprise customers. While Microsoft stuck to the desktop and Cisco stuck to switching and routing, everything was fine, but Cisco has pushed further up the stack, and even set up shop in MS's backyard with an endpoint initiative in NAC. Microsoft, on the other hand, just keep trying to abstract the network and diminish its role to nothing more than a dumb transport. All of this gets further complicated by the fact that they sell to different teams in IT organizations, and that can lead to overlapping efforts or turf wars.
The Cost of Upgrades
For those Cisco customers interested, what will this mean in terms of cost?
Well, 802.1AE describes a new Ethernet frame format, so that will mean software upgrades, and possibly hardware too, not just in the wiring closet but throughout the network and in the router infrastructure as well. The big issue, as always, is that Cisco wiring closet switches have a very limited set of ACLs available, and you need both ingress and egress ACLs. So if you get too granular on your identity-based policy, you are definitely looking at hardware upgrades, possibly throughout the network.
It also relies on 802.1AF for key management, which is an extension of 802.1X, so you're going to have to deploy that as well. Bottom line here is that for Fortune 500s with big IT teams and money to spend, this might be possible, but for everyone else the cost of deployment and maintenance will probably be prohibitive.
Secure Malware Channels
The thing that really struck me about TrustSec is the fact that it provides the ability to create point-to-point encrypted channels based on policy. This is near and dear to my heart because Nevis introduced this ability using IPSec 2 years back. The piece that Cisco seem to have overlooked is that if you don't implement IPS on each and every access switch port at wire speed, like we do, you've just created secure channels to spread malware throughout the network: traffic inside the encrypted channel is invisible to any inspection point between the two endpoints. Now, I'm sure they'll tell you that this is where NAC comes into play and that if you deploy NAC alongside TrustSec you have nothing to worry about. Hmmm, except, as we all know, pre-connect NAC alone (particularly Cisco's flavor of it) is really bad at mitigating blended malware threats, particularly zero-day threats.
Heterogeneity
Another big stumbling block with TrustSec is that it depends on you having a 100% Cisco network. Cisco has really been pushing hard against the best-of-breed approach lately and redoubling their efforts to lock customers into a single-vendor approach. Call me crazy, but I see this as a sign that there is a chink in their armor. They've been losing switch market share slowly but surely to HP, and now you have other upstarts in the Secure Switch arena like Nevis Networks and Consentry starting to make inroads in the wiring closet. It's interesting to see Cisco starting to adopt the "defend your turf" strategies that the other 7 dwarves in switching have had to live with for so long to defend against Cisco. I think there is a good opportunity for some of those other switching vendors to go on the offensive right now, using security and wiring closet commoditization as the weapon of choice.
Standards (or are they?)
According to the Cisco releases and whitepaper, TrustSec is "based" on 802.1AE. Interesting word, "based". Are we to conclude that Cisco have "interpreted" this new IEEE standard, which is just another way of saying "made it proprietary"? Or have they developed proprietary extensions to lock in some additional Cisco goodness? Or have they just built an architecture on top of the IEEE standard so that it would be interoperable with multi-vendor equipment? I think the latter is highly unlikely. I tend to agree with Mitchell Ashley's assessment that this will be a closed Cisco architecture.
If anyone else has any insight or opinion, I'm all ears.
//Dom