The Forrester Blog For Infrastructure & Operations Professionals
Home About This Blog Forrester Research Join Our Research Panel Forrester Blogs

Robert Whiteley

October 06, 2008

NAC Results Make Waves

Robertwhiteley In early September, Forrester published its “The Forrester Wave™: Network Access Control, Q3 2008.” Forrester’s findings revealed that Microsoft, Cisco Systems, Bradford Networks, and Juniper Networks lead the pack because of their strong enforcement and policy, but that Microsoft’s NAP technology, despite being a newcomer, has become the de facto standard.

Any time you try and put some order to vendor solutions, you are bound to find people in agreement – and to raise ire in others. However, reaction in the blogosphere to a recent Network World article on the research has raised some questions about Forrester’s Wave methodology which I’ll aim to address:

  • Security Incite writes, “The Forresters checked out a bunch of data sheets and decided Microsoft was “top of the NAC heap.”” If only it were that easy! More than 150 hours of analysis went into the Network Access Control (NAC) Wave, in which we analyzed more than 70 criteria (encompassing more than 200 attributes) for the 10 vendors that were included in the study. The criteria was based on more than 200 client inquiries I’ve fielded in my five-plus years covering the space.
  • Our study was not based on the number of units sold or performance tests – it was based on real-world challenges faced by very large enterprises and not an academic exercise (for the record, the sky is blue in our real-world). Those common metrics are, for lack of a better word, useless. I know for a fact that several of the vendors in the study are giving their product away to gain market share, so how can unit volume equate to the quality of the product? Where does that fall on the BS-O-meter?

Performance tests are even less dependable because there are too many variables to consider and all too frequently are vendor-sponsored. Security Incite writes:

“…People that really buy products understand that a good RFP response gets you in the bake-off. That’s when things like “performance tests” start to matter.”

Since when is performance a critical factor in security? When’s the last time you heard a security pro say, “It doesn’t protect us, but boy does it scream with speed when it lets harmful users get by!”

Bottom line, I believe the NAC Wave was a fair, balanced and comprehensive study that looked at the products of 10 leading vendors in the space and concluded that Microsoft was the leader based on vendor strategy moving forward – even Security Insight and Security For All acknowledged it would be a standard in the future – and their presence in the market. While we may have to agree to disagree on the results, the methodology that helped us reach those conclusions should not be called into question.

By Robert Whiteley

Check out Rob's research

Posted by Rob Whiteley at 11:13 AM in Enterprise mobility, Robert Whiteley | | Comments (2) | TrackBack (0)

June 23, 2008

Is Your ISP Jumping On The 100 Gigabit Ethernet Bandwagon?

We've established that 10 GbE is now ready for the enterprise, which means it is time to start worrying about whether your Internet service provider (ISP) is adopting 100 gigabit Ethernet (100 GbE). ISPs aggregate enterprise traffic and connect you to the Internet over high speed optical networks that must ensure the adequate bandwidth and quality of service (QoS) you require.

While the majority of customers won’t fill their 10 GbE pipes this year or next, many will; advanced applications such as high definition video streaming, video conferencing, data replication, and wide area clustering for business continuity will tax bandwidth. Moreover, corporate networks will take advantage of the better bandwidth of 10 GbE to shift to IP-based Unified Communications (UC.) Forrester Research found that 36% of enterprises in North America and Europe have deployed or are rolling out UC this year with another 36% evaluating it. All these high-bandwidth services require strong QoS to meet enterprise needs and drive adoption.

While 10 GbE becomes more pervasive, the aggregate traffic will reach to multi-terabits originating from enterprise data centers and content providers such as YouTube. Sure, ISPs can add more 10 GbE links to their environment to accommodate this growth but efficient networking comes from the aggregation and ability to oversubscribe a shared pipe -- which 100 GbE will enable. 100 GbE is necessary to prevent bottlenecking that would cripple the adoption of these high bandwidth services. With gas prices topping $4.00 a gallon, the potential degradation to increasingly critical videoconferencing systems alone is reason to make this investment.

Unfortunately, 100 GbE still hasn’t left the drawing board; the standard is expected to be ratified in early 2010. However, vendors such as Force10 Networks and Infinera are working on 100 GbE platforms today. ISPs who invest early in 100 GbE stand to reap significant gains with enterprises driving the delivery of high bandwidth services -- you will need them as much as they will need you. If your enterprise has aggressive plans in this area, get your ISPs on the phone and determine their plans and timeframes. Make sure they line up with your needs and that the bandwidth you need will be there when you need it.

In the meantime, it behooves you to invest in WAN optimizers and application accelerators, popular methods to improve latency issues. These investments will help bullet proof your high bandwidth service deployments as 100 GbE matures as an enterprise solution.

By James Staten and Robert Whiteley

Check out James' research
Check out Rob's research

Posted by Rachel Dines at 09:48 AM in Emerging technologies, James Staten, Robert Whiteley | | Comments (0) | TrackBack (0)

May 20, 2008

Can Great Bay Software Help Redefine NAC?

Rob NAC is an ever evolving topic in its definition and understanding. For me, NAC remains a curiosity. Our clients crave deploying it, but remain stymied by its ever evolving nature. NAC today is about enforcement, policy, and posture. Adding to the mix of these features is better identity for your users and asset management for your non-computing network attached end points. This last issue is actually becoming a real sore point as more IP enabled devices start to show up on your network. IT managers are brainstorming ways to track, monitor and manage end point devices such as printers, faxes, IP phones, badge readers, HVAC systems, wireless access points, etc. Yet most NAC solutions today don’t adequately extend access control to these non-computing endpoints. In fact, many just require you create a white-list and allow these devices to bypass any authentication and access control framework. 

Role based identity management is crucial for a well rounded NAC solution, but we’d argue no system is complete without asset tracking and comprehensive endpoint profiling. Enter Great Bay Software, which is addressing these issues and partnering with infrastructure-based NAC vendors such as Cisco and Juniper. If you have deployed NAC from any of these vendors — or even thinking of jumping on NAC bandwagon — then Great Bay Software is an operational lifesaver. Its Beacon Endpoint Profiler enables discovery of network attached endpoints and it includes information about the type and location of the endpoint. As Beacon crawls the network it will actually build a central repository of non-computing endpoints. This “fingerprinting” claims to be extremely accurate and will discover, classify, and allow you to extend policy to all the devices listed above — which can be upwards of 50% of the IP-enabled nodes on your network!. Moreover, Beacon handles all non-EAP devices prior to implementing strong authentication, which means a smooth onramp to port-based security such as 802.1x.

With the release of Sponsored Guest Access solution, Great Bay Software is also entering into the guest user access market. Its SGA solution will enable management, monitoring, and configuration of guest clients, which is a much needed feature for today’s NAC solution. Overall, Great Bay Software may not be the most glamorous technology, but we think it will become a de factor standard for successful, large-scale NAC deployments. Yep, we truly believe it’s that important.

By Robert Whiteley

Check out Robert's research

Posted by Walid Saleh at 04:53 PM in High availability, Robert Whiteley | | Comments (0) | TrackBack (0)

January 16, 2008

Does Your NAC Deployment Work In A Virtual World?

Rob NAC seems to cycle between red hot and long droughts of disinterest. I think it suffers serious issues, but the one that piques my interest the most is virtualization. NAC is in danger of being irrelevant in a virtual world.

Think about it:

  • Server virtualization blurs      segmentation models. What happens when all of the backend server resources are VMs?      First, it means you have to worry about VLANs and subnets all over again.      Second, advanced server tools like VMWare’s VMotion will mean servers are      highly dynamic and can be quickly relocated to anywhere in the datacenter.      But more importantly, it means that you need NAC inside your physical      servers. Imagine you have two VMs located on the same physical server that      can’t communicate as per your access control policy. I’ve already come      across one client deploying virtual NAC appliances on servers to limit      machine connections based on endpoint status.
  • Client virtualization      proliferates MAC addresses and blurs endpoints. Running a hypervisor on a      desktop or laptop allows multiple OSes to run simultaneously, each with      its own virtual MAC address. How do you quarantine the physical machine      and still allow compliant guest VMs to connect? How do you prevent a      compliant VM from transferring data to a non-compliant VM on the same      desktop? You can by restricting IP addresses, installing NAC agents within      each VM, or forcing VPN access — but these present significant granularity      and cost tradeoffs, respectively.
  • Application virtualization      hides setting and blurs endpoint status. Application virtualization will change the way      companies distribute apps to endpoints. But isolating an app in its      environment can create an air gap between the OS and the application. If      you use NAC to scan application settings and not just the basic system      attributes like AV signatures, firewalls, and Windows update, then this      can prove to be a problem. For example, you will not be able to determine      a NAC policy that requires your Internet browser settings be set to medium      or higher.

Bottom line: I think 2008 will see a significant culling of the NAC market and top-tier vendors will be those that handle virtual endpoints efficiently. I’d love to hear your thoughts. Has anyone attempted to marry NAC with a virtual infrastructure?

Posted by Chris Silva at 11:00 AM in Robert Whiteley, Virtualization | | Comments (1) | TrackBack (0)

December 20, 2007

Is Cisco Really Opening Up IOS?

Rob As mentioned in my last post, I was recently at Cisco’s C-Scape. One reporter asked me to comment on my thoughts regarding a specific announcement (if you can call it that): Cisco will begin go to open up IOS. So you’ve probably got the same question I had: ‘What does “open” mean?’ As best I can tell, it means providing some standards-based APIs so that IOS can be controlled by third-party applications and infrastructure. Seems interesting, but I feel there’s more to it than that.

My initial thoughts are:

  • Opening up IOS is an interesting move on the surface. I’m still curious to understand just how open it will become, but let’s take the statement at face value for now. I think it’s a smart – and necessary – move to create APIs so that infrastructure can speak to IOS-enabled devices. If you think about it, the network is one of the least programmable pieces of infrastructure. Tools designed to automate and orchestrate infrastructure elements like servers, storage, and desktop environments are far more sophisticated and matured. The ability to dynamically change the network is a missing component. However, the recent push for virtualization is now shining a bright spotlight on just how statically configured most enterprise networks are. Originally, this was OK, but now that the network is a bottleneck for virtualization, companies are eager to rethink that environment.
  • Cisco would do well to open up IOS to bolster it’s SONA strategy. Let’s face it, SONA is still confusing. I fundamentally believe it is a smart strategy, but it needs more proof points. I think opening up IOS puts more wood behind the arrow for the “network is the platform” message. Most platforms are something you can develop on and are surrounded by an active community for such development efforts. In the case of SONA, Cisco’s network platform community is far behind those developed by Microsoft, Oracle, SAP, and countless other software companies. In terms of building a developer ecosystem, even hardware stalwart Intel is getting into the act these days. I think creating more APIs will at least foster some innovation in terms of how the network exposes services to the rest of the IT ecosystem.
  • We’re slowly beginning to see the effort that’s needed to transform Cisco. I’ve commented a few times on Cisco transforming its business model to look and feel more like a software business. As we’ve published in our research, I think this will be a long, 10+ year journey. Part of inertia stems from decoupling IOS from the hardware appliance and boxes that Cisco has so masterfully sold to-date. Taking bolder steps like opening up IOS will prove they are more committed to a software business model and strategy after all.

Of course, opening up IOS delves into a million challenges, which I will conveniently skip over. I’ll save that for deeper analysis in a future Forrester report. But as always, I’d love to get thoughts and opinions. It’s an interesting time for Cisco (and yes, this will be my last Cisco-specific blog post for the year), but I’d like to hear what others think.

By Robert Whiteley

Check out Robert's research

Posted by Rachel Dines at 02:20 PM in Enterprise mobility, Robert Whiteley | | Comments (0) | TrackBack (0)

December 17, 2007

Thoughts From Cisco’s C-Scape

Rob It’s that time of year. You know: shopping for the holidays, wrapping up end-of-year projects, and the annual Cisco analyst conference, now called C-Scape. OK, so maybe it’s not that big, but it has become an interesting event that acts a proxy for the overall networking industry. This year was a dramatic difference from years past. Namely, it was a lot more conversation with many more panels and breakouts. However, it was also noteworthy in that there was really no news! Cisco didn’t use this as a venue to announce any products or major initiatives. In fact, when I bumped into Matt Hamblen he commented that many of the journalists in attendance were bored! However, there were some interesting nuggets for those that follow Cisco:

  • Chambers made the “next market transition” feel real.John Chambers loves to get up and give what my colleague, Chris Mines, calls the “Internet economics pitch.” Basically, he talks about how the network/Internet underscores global productivity and he’s predicting another period of 4-5% in worldwide productivity gains. Sounds good, but John is also an excellent, charismatic salesman. This year, though, he did a much better job to create a panel to discuss this trend (conveniently held via TelePresence). The result was a much more tangible impression for this market transition, which Cisco is equating to Web 2.0. Going into C-Scape I felt Cisco was riding a trend. Leaving, I feel like in typical Chambers fashion they are correctly predicting the next major market transition that will fuel their growth.
  • They finally defined Web 2.0! It was brief, but a quick definition was flashed up that read “technologies that enable user collaboration.” This was a much needed reality check. Before, it felt like Cisco was using fuzzy logic, along the lines of: Web 2.0 = collaboration = video = TelePresence. However, they did a much better job of weaving unified communications, WebEx, podcasts, and a few other Web 2.0 components to make me feel like they’re actually in tune with the broader scope.
  • But they still overused virtualization. Any brownie points they gained on Web 2.0, they lost on “virtualization.” Chambers defined virtualization as “Any content to any device across any network” (or something like that). I guess that technically fits the textbook definition of virtualization, but it’s not the market’s definition. This could be an example of John being ahead of the market again, but it left me thinking they are contorting virtualization to fit a more Cisco-friendly content. Shocking!
  • Giancarlo gave a good overview of the new development organization. Charlie Giancarlo usually gets up and gives a good vision and strategy speech right after Chambers. However, this year he did it with the help of his entire development organization. Why is this important? I finally feel like there’s a good bench of executives that are in-tune with the new company strategy. They talked at length about collaboration, video, and the shift towards a more software-oriented business model (which we predicted).

I think this last point was perhaps the most subtle, yet important, takeaway from the whole event. Cisco is finally moving to a company that no longer rises and falls with just Chambers. One notable omission from leadership, though, was the newly acquired CTO, Padmasree Warrior. A new addition to Cisco from networking competitor Motorola, her presence and the lack of even a mention of her name seemed strange. Is there something holding up her formal debut? Is this a result of a non-compete?

By Robert Whiteley

Check out Robert's research

Posted by Rachel Dines at 09:17 AM in Robert Whiteley, Virtualization | | Comments (0) | TrackBack (0)

December 06, 2007

Cisco’s New CTO: A Sign Of Succession Planning?

Rob Let me first say that I haven’t actually spoken to Cisco on the topic, but I find the news of the new CTO to be very interesting. It was recently announced that Padmasree Warrior would be coming over from Motorola. And just a few days later, the announcement came out regarding the change in its development organization.

Why all the changes? Well I can only speculate, but I think Padmasree can help in two major ways:

  1. The effort to free Charlie Giancarlo up some more. I realize he is the “Chief Development Officer,” but he has basically continued the role and responsibility of a CTO. I think this is an attempt to get him some technical reprieve so as to enable him to focus on the eventual succession of John Chambers.
  2. The need to seriously figure out its consumer strategy. The addition of Warrior will continue the executive level support for Cisco’s consumer technology (Giancarlo’s previous experience with Linksys), but adds much needed attention to the Scientific Atlanta portion of the house, where Moto was the top competitor.

I’m definitely looking forward to C-Scape next week to see how they tie together all these organization changes. Hopefully our 2008 predictions are accurate, but regardless, it should be an interesting year for Cisco.

I’d love to hear comments and thoughts form readers though. Is this part of succession planning? Is it a subtle move to push a stronger consumer strategy?

By Robert Whiteley

Check out Robert's research

Posted by Walid Saleh at 02:51 PM in Robert Whiteley | | Comments (0) | TrackBack (0)

December 05, 2007

Cisco In 2008: The March Begins As Cisco Transforms Into A Software Company

Rob Cisco is at an interesting crossroads. It’s approaching a $40B run rate, which it has achieved mostly through hardware sales. In fact, we recently did a full analysis of Cisco’s business and its current position looks rock solid (see our Q3 analysis here). But how many $40B+ vendors out there sell mostly hardware? None. Cisco has shed its primary network-only bias and is on the way to becoming more of an overall IT vendor, but the competition is stiff. Companies like HP, IBM, and Microsoft have strong software and services revenue streams — as well as a significantly more mindshare with the CIO. As Cisco moves “up the stack” to compete with these IT juggernauts it will inevitably change its business model. I anticipate 2008 will be a turning point for Cisco as it:

  1. Infuses software development talent. Software engineers abound at Cisco, but they’re not exactly working on enterprise applications; they’re mostly IOS engineers. Cisco’s move up the stack requires a strong portfolio of collaboration, unified communication, and platform applications well beyond what they have today. Cisco will have to acquire this talent and absorb a platform or application company of considerable size. BEA would be a logical, but lofty choice to truly build out “the network as a platform.”
  1. Embraces virtualization. This one impacts many aspects of Cisco. First, it needs to continuously nurture the VMWare relationship, which was cemented with a $150 million investment. More importantly, though, Cisco needs to embed its own software intellectual property throughout virtualization infrastructure. Virtualization is blurring boundaries and virtual servers, storage, mainframes, and desktops all need built-in Ethernet switching — and today that’s not Catalyst code. I would even go so far as to predict VM SKUs for some of its datacenter technology.
  1. Redefine carrier partnerships to become consumer friendly. Cisco has a healthy relationship selling big iron to worldwide service providers, but it’s also using them as a channel to bolster its consumer-facing strategy. To do so, I think Cisco will need to enhance two areas: voice and the digital home. I think Cisco will build out its FMC software strategy with an acquisition of a vendor like Kineto, which would make them attractive player for North American UMA telcos — and an attractive supplement to the carrier-class WiMax IP it picked up from Navini. For the digital home, Cisco wants to "be the platform for work and play" and part of the "human network." I don’t buy it with its current strategy and I don't think this comes from selling Linksys at Best Buy because: 1) the experience is NO where near that of a consumer device like TiVo; 2) it's still too complicated to setup; and 3) it's valueless without an Internet connection. Cisco needs to take an increased role in shaping the services that are user experience-oriented. It can't keep treating retailers and service providers alike as a distribution channel. At the very least, they need a closer connection between content and their networking technology and pick a service provider or two that gets them deeper into the home

By Robert Whiteley

Check out Robert's research.

Posted by Chris Silva at 02:08 PM in Robert Whiteley | | Comments (2) | TrackBack (0)

November 30, 2007

Virtualization + Open Source = A Revolution in Networking

Rob My recent research has focused on the impact of server, storage, and desktop virtualization on your networking infrastructure – and I’ll write more about that in a future post. In short, it’s a boatload of unintended consequences.

In a recent conversation with Vyatta, I got thinking: what’s virtualization’s impact on the networking industry? We already see a handful of networking companies investigating the option of selling “VM” SKUs for their network appliances. These virtual appliances completely change the economics of consuming network infrastructure, although there are server performance specifications that must be considered. But imagine if the premium you pay today for all of your networking intelligence is suddenly free. That’s right… free! Think about it.

Your network is commoditizing rapidly. Routing, switching, VPN, and even firewalls are not the top criteria that determine tier one networking vendors. Manageability, supportability, reliability, and price are the factors which thin the field. As these functions mature – as do the communities that support them – we see viable open source alternatives. The interesting part comes when you can deploy open source appliances as a workload on a virtual server – providing you with the manageability and reliability of a mature virtual infrastructure player like VMWare. Add a vendor like rPath to the mix and you can even ease updating and patching.

Why not deploy open source VMs in your branch to create a more economical branch-office-in-a-box? I know there’s a lot of momentum behind this topic from the router vendors, which are all creating Linux blades to run app workloads in the branch. Doesn’t it make more sense to run your network as a server workload than run your branch applications as a workload on your router? I’d love to hear readers’ thoughts on this.

My research is investigating how feasible virtual network infrastructure is. My questions are around performance, governance (are IT organizations too siloed to ever take advantage of this?), and process related elements like change management. In a time measured in virtual minutes, is your networking vendor keeping pace?

By Robert Whiteley

Check out Robert's research.

Posted by Rachel Dines at 09:27 AM in Robert Whiteley, Virtualization | | Comments (1) | TrackBack (0)

Search this blog

Enter your email address:

Delivered by FeedBurner

I&O Podcasts

You should follow these analysts on Twittersmall

Stephanie Balaouras

Elizabeth Herrell

Evelyn Hubbert

Natalie Lambert

Glenn O'Donnell

Galen Schreck

Chris Silva

James Staten

Chris Voce

Doug Washburn

Simon Yates

The rest of the I&O team
on Twittersmall

Rachel Dines

Christian Kane

Categories

Archives

More...

Forrester IT Blogs

Entire contents ©2009 Forrester Research, Inc. All rights reserved. Forrester® is a registered trademark belonging to Forrester Research, Inc. Any use of the Forrester name is subject to Forrester's Citation Policy, available at www.forrester.com. The content on this Weblog is available for your informational and non-commercial use only. Usage by a company or organization for promotional, sales or advertising purposes must adhere to Forrester's Citation Policy and must be approved by the Forrester Citation Team. The views expressed by outside contributors and links to outside websites do not represent the views of Forrester, its management or employees. All content on this Weblog has been made available on an "as-is" basis, and Forrester shall not be liable for any direct or indirect damages arising out of use of this Weblog.