<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Lippis Report &#187; Lippis Report</title>
	<atom:link href="http://lippisreport.com/category/lippis-report/feed/" rel="self" type="application/rss+xml" />
	<link>http://lippisreport.com</link>
	<description>Resources for Network / IT Business Decision Makers</description>
	<lastBuildDate>Sat, 19 May 2012 17:36:06 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>Lippis Report 192: Ruckus Wireless Stakes Its Future on Universal Wi-Fi Access</title>
		<link>http://lippisreport.com/2012/05/lippis-report-192-ruckus-wireless-stakes-its-future-on-universal-wi-fi-access/</link>
		<comments>http://lippisreport.com/2012/05/lippis-report-192-ruckus-wireless-stakes-its-future-on-universal-wi-fi-access/#comments</comments>
		<pubDate>Mon, 14 May 2012 21:48:13 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[3G]]></category>
		<category><![CDATA[4G]]></category>
		<category><![CDATA[android]]></category>
		<category><![CDATA[Cellular]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[iPad]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[mobile computing]]></category>
		<category><![CDATA[Ruckus Wireless]]></category>
		<category><![CDATA[smartphone]]></category>
		<category><![CDATA[wifi]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=6021</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>There are only a few 2004 vintage network start-ups that managed through the difficult 2008-2010 economic drought, which killed off many. These firms are survivors rooted in nutrient soil made up of strong management that tightly weaves business and technical architecture…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>There are only a few 2004 vintage network start-ups that managed through the difficult 2008-2010 economic drought, which killed off many. These firms are survivors rooted in nutrient soil made up of strong management that tightly weaves business and technical architecture to serve an unmet, yet growing, market need. One of those markets is wireless infrastructure, and the one company that stands out in this space is Ruckus Wireless. Ruckus was founded by Bill Kish, CTO, and Victor Shtrom, CWO, and is managed by Selina Lo, its President and CEO. Ruckus Wireless has been firing on all cylinders. It’s the fastest growing Wi-Fi supplier on the planet in today’s enterprise wireless LAN (WLAN) market and owns the largest market share in the carrier Wi-Fi space. According to Gartner, from 4Q10 to 4Q11, Ruckus Wireless, a late entrant into the WLAN market, was the fastest growing supplier of managed enterprise WLAN access points in terms of both unit shipments and revenue – growing 289% and 181%, respectively. And for the second year, in the carrier Wi-Fi space, Ruckus was identified as the 2011 market leader with a 26.7% share of Wi-Fi mesh node shipments, according to Dell’Oro. In this Lippis Report Research Note, we explore the service provider trends that are driving Ruckus’ current and future success in the wake of its expected IPO.</p>
<p><span id="more-6021"></span></p>
<p><strong>Wi-Fi to Address Mobile Data Usage Exponential Growth for Service Provider Market</strong></p>
<p>In 2004, Ruckus first provided solutions for the service provider market, enabling triple play service offerings via bundling its Wi-Fi solutions for in-home distribution. But its service provider offering has evolved to address this industry’s biggest problem: the need for more capacity to cope with the explosive growth of mobile data usage. This stems from limited bandwidth/capacity gains within the licensed spectrum, resulting in poor wireless connectivity – especially within urban jungles from New York to San Francisco.<br />
The mobile data explosion is causing mobile service providers to look at anything and everything to solve the capacity shortage. The options range from buying more spectrum to adopting new architectures, introducing multi-radio small cells to augment existing macro networks, deploying femtocells within the home and offloading mobile data to Wi-Fi networks that connect to their mobile core. With mobile data traffic growing faster than their ability to deploy infrastructure to support it, even with 4G/LTE on the horizon, operators are considering and pursuing all options, not just one.</p>
<p>Even as mobile operators adopt LTE networks, spectrum is still an expensive resource. Therefore, for mobile operators, Wi-Fi is now becoming a very cost effective way to add network capacity, because Wi-Fi can often be deployed much faster and at about one tenth the cost of 3G cellular today, considering equipment and installation.<br />
In addition, service providers are replacing unlimited cellular data subscriptions with usage-based plans or caps, with an eye on monetizing data traffic. Service providers are not providing programs that incentivize people who have multiple mobile devices to subscribe to cellular service on each of their devices. So Wi-Fi for the bulk of these subscribers is becoming the default wireless option.  <br />
Data also shows that Wi-Fi support is an important purchase criterion in selecting hotels, venues, restaurants, etc. Service providers are being pressed on both sides; that is, on one hand they need to deploy Wi-Fi to lower the overall cost of transporting data. On the other hand users are becoming more familiar with Wi-Fi. In fact, including Wi-Fi in service plans is starting to become a competitive differentiator for mobile operators.</p>
<div class="pod_wide">
<p><img height="70" width="55" src="/wp-content/uploads/selina_lo.jpg" /><strong>An Interview with Selina Lo, CEO, of Ruckus Wireless on Business Strategy</strong></p>
<p><a href="/?lippis_pid=5998">Listen to the Podcast</a></p>
</div>
<p>Now service providers are looking at Wi-Fi as a way to inject capacity and lower the cost per bit of transporting data. There is no end in sight for the growth of mobile data usage using Wi-Fi as the preferred wireless connectivity option. <br />
Considering the huge growth in iPad and tablet computing, Wi-Fi will only become more important as many tablets don’t ship with an Ethernet port or 3G connectivity. Very soon, there will be more devices equipped with Wi-Fi radios than devices with wired Ethernet ports. Wi-Fi is now a mandatory requirement as the bulk of iPads shipped are Wi-Fi only devices. NPD Group recently reported that 65% of all tablets sold within the US were Wi-Fi-only. <br />
Even iPads and tablets equipped with cellular radios are rarely used as cellular service activation is far below the number of cellular-supported iPads/tablets shipped. Consumers are voting with their wallets and pocketbooks, and the data says that Wi-Fi is what they want, what they like, what they are used to.  Consequently, operators analyzing the growth of iPad/tablet shipments and mobile data usage are embracing Wi-Fi.</p>
<div class="pod_wide">
<p><img height="70" width="55" src="/wp-content/uploads/bill_kish.jpg" /><strong>An Interview with Bill Kish, CTO of Ruckus Wireless, on Its Unique WiFi Technical Architecture </strong></p>
<p><a href="/?lippis_pid=6004">Listen to the Podcast</a></p>
</div>
<p>Wi-Fi also helps operators add capacity in high-traffic areas quickly and economically, keeping subscribers connected and happy. But conventional Wi-Fi, not designed to support a large number of concurrent users, optimize the use of the unlicensed bands, thwart interference or make efficient use of the channel, hasn’t proven good enough.<br />
Enter Ruckus Wireless. Ruckus is betting that Wi-Fi will be the dominant wireless access technology over the next five years. Cellular architectures actually need to become more like Wi-Fi architectures; that is, cellular needs to be based on smaller cells. Smaller cells are the only way to squeeze more capacity out of the spectrum at this point, as there are limited gains to be had from signal processing and structural efficiency. As the service providers are finding out, as soon as they deploy smaller cells, they have to solve the same problems that are already solved in Wi-Fi relating to interference management and co-existence. Viewed from the RF side, a convergence of the cellular and Wi-Fi architectures is now occurring.</p>
<p>But Wi-Fi will have to adopt cellular’s user authentication architecture. All mobile operators want is to deliver a seamless user experience for their subscribers, allowing switching between wireless technologies without user intervention. Service providers need to offload smartphone and tablet traffic off the cellular networks and onto Wi-Fi networks, which are designed for capacity in dense locations. And mobile operators want this to be seamless so that once the SIM card is authenticated, the device can switch between any wireless network on an application-by-application basis without any user intervention.<br />
On the Wi-Fi side, much engineering is focused on reusing existing services, such as billing, authentication and policy enforcement, already in place to support the onslaught of new Wi-Fi users. Initial work to authenticate Wi-Fi subscribers with the device’s internal SIM card, using the EAP-SIM protocol, has already proven successful and straightforward to implement. <br />
Even more work is being done to build a new class of edge gateways that aggregate Wi-Fi data traffic in huge volumes, bridging the traffic back into the mobile core of the cellular network while directing authentication traffic back into the operator’s existing mobile user databases – making the authentication process transparent and seamless to the user.</p>
<p><strong>Gb Wi-Fi or 802.11ac at 5GHz Changes Everything</strong><br />
 <br />
There’s another important reason why Wi-Fi is being adopted by mobile operators and that’s because there’s quite a bit of capacity available on Wi-Fi once the 5 GHz band is included. In the world’s Top 100 markets, the total amount of wireless spectrum holdings among all carriers amounted to 458 MHz of spectrum. Meanwhile, Wi-Fi (when combining the 2.4 GHz and 5 GHz bands) provides 783 MHz of spectrum.<br />
5 GHz will be a major driver over the next several years as Wi-Fi shifts from being built for coverage to being built for capacity. This represents a fundamental shift in objectives from a design point of view. Building for capacity drives design decisions toward higher frequencies, lower and closer AP placement, and restricting Wi-Fi signal propagation.<br />
This shift in Wi-Fi purpose will be a major change over the next couple years, and gigabit Wi-Fi or 802.11ac will be an important technology as it utilizes 5 GHz. To put this into perspective, all Wi-Fi devices, such as smartphones and tablets, are using 2.4 GHz. But suddenly they will have the capability to communicate on 5 GHz, which will be a major move forward for Wi-Fi…sort of like a midlife kicker because there’s more spectrum available in 5 GHz Wi-Fi than in all the potential LTE spectrum in the U.S. for all carriers combined!</p>
<p>Gigabit Wi-Fi or 802.11ac will become very prevalent, initially on mobile devices, driving its wider adoption in the wireless infrastructure. Nearly all of today’s enterprise APs are dual-band capable. This means they can already seek 11n 5 GHz devices within enterprise and service provider networks. Look for Apple and others to announce support for 5 GHz Wi-Fi this fall, as this event alone will set off a huge increase in Wi-Fi capacity demand. This will drive the industry to switch over to 11ac access points and introduce multiuser MIMO over the next few years.  <br />
 <br />
<strong>The Blurring of Private and Public Wireless Networking</strong></p>
<p>While 3G/4G and Wi-Fi architectures converge, there are business requirements and opportunities driving collaboration between service providers and enterprises to increase Wi-Fi access. In short, there is a business driven evolutionary process taking place now to increase Wi-Fi footprint. <br />
The line between public and private wireless networking has been blurring for some time. There is a great deal of requirement overlap between enterprises and service providers. In the simplest case, Wi-Fi-embracing service providers require a large footprint of Wi-Fi hotspots. And where Wi-Fi is most useful to service providers is locations where there is a very high density of pedestrian traffic. Deploying Wi-Fi next to the freeway is not that useful. But having Wi-Fi in airports, hotels, stadiums, shopping malls, schools, university campuses and common areas is very useful. These are very important footprints to the service provider in terms of how much traffic the Wi-Fi network can offload from cellular. For service providers to obtain these footprints, they have to work with enterprises. <br />
On the flip side, enterprises need to work with mobile operators too. Hotels, for instance, need a better way to get 3G and future 4G/LTE signals throughout their properties. This interdependency between enterprise and mobile operators is increasing and, given that Wi-Fi is a technology that is deployed across service provider and enterprises, there is significant opportunity for mutually-beneficial collaboration. <br />
For example, KDDI is rolling out Wi-Fi to all locations of the second largest convenience store chain (Lawson’s) throughout Japan. Why is this service provider deploying Wi-Fi hotspots in these convenience stores when consumers usually spend only a few minutes in the store to make their purchase and leave? The reason is that it’s not for the people who go into the store, but for those on the streets outside. In short, it gives this service provider outside coverage. Therefore, by leveraging the enterprise locations with Wi-Fi, service providers can quickly improve their coverage footprint. This is but one example of collaboration between enterprises and service providers, which will ultimately result in service providers offering Wi-Fi as a managed service or cloud-based service to enterprise customers as they utilize the enterprise footprint for public access.<br />
Paradoxically, all mobile devices ship with Wi-Fi universally, yet people use their mobile phone as their desk phone. That is, they use cellular and at times 3G/4G within Wi-Fi zones. And so enterprises and service providers both need to provide Wi-Fi and cellular coverage to their constituencies. The ability to integrate Wi-Fi and cellular so that service providers are able to use a single subscriber management system to support their users, whether they’re using Wi-Fi or cellular, is absolutely critical.<br />
And on the enterprise side, the ability to manage the large number of Wi-Fi or cellular mobile devices or BYOD coming online is also a critical requirement. Bottom line is that there’s a lot of room for service provider and enterprise to collaborate in this new type of wireless network.<br />
Ruckus’s overarching strategy is built around Wi-Fi access for both service providers and the enterprise marketplace. In the next five years, Wi-Fi will become the universal access technology for all kinds of computing devices. Ruckus is relying on the above trends to fuel its business over the next business cycle. It clearly has staked out one of the biggest opportunities in mobile and cloud computing in which to base a business upon. Its performance, thus far, indicates that it possesses the technical and management expertise to execute. Ruckus can only hope that its care and nurturing of a vintage 2004 business will produce one of the greatest 2012 IPOs.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2012/05/lippis-report-192-ruckus-wireless-stakes-its-future-on-universal-wi-fi-access/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Lippis Report 191: What I Learned at the Open Networking Summit about Software-Defined Networking</title>
		<link>http://lippisreport.com/2012/04/lippis-report-191-what-i-learned-at-the-open-networking-summit-about-software-defined-networking/</link>
		<comments>http://lippisreport.com/2012/04/lippis-report-191-what-i-learned-at-the-open-networking-summit-about-software-defined-networking/#comments</comments>
		<pubDate>Tue, 01 May 2012 01:38:38 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Enterprise Virtualization]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[openflow]]></category>
		<category><![CDATA[SDN]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=5980</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>On March 30th I met with Dave Husak, the Founder and CEO of Massachusetts Software-Defined Networking (SDN) start-up Plexxi, along with two other employees. For those who don’t know Dave, he’s intense and driven. Out of this two-hour meeting, Dave…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>On March 30th I met with Dave Husak, the Founder and CEO of Massachusetts Software-Defined Networking (SDN) start-up Plexxi, along with two other employees. For those who don’t know Dave, he’s intense and driven. Out of this two-hour meeting, Dave provided the inspiration to describe SDN as the third epoch of computer networking. In a nutshell, the first epoch was IBM mainframes and SNA, the second is client-server computing and LAN/WANs, with the third being mobile plus cloud computing and SDN. After attending the second Open Network Summit (ONS) last week to sold-out crowds, the main question I walk away with is this: is SDN the third epoch or a new set of features added to layer 2/3 networking? In other words, is SDN a new disruptive market or a high-end networking technology like InfiniBand? In this Lippis Report Research Note, I share the top ten observations at ONS and answer the above question.</p>
<p><span id="more-5980"></span></p>
<p><strong>First Epoch:</strong> The first epoch of computer networking started in the mid 1950s with mainframe computers and the first version of sneaker net, that being batch followed by Binary Synchronous Communication (BSC) and SNA over multipoint lines. The public switched network was based upon circuit switching and the national entertainment network as analog broadcast with all but three or four channels. The Internet was non-existent. IBM states that in the past 30 years, businesses have invested some $20 trillion in labor and money in developing CICS and IMS over SNA applications. But by the mid 1980s, IT business leaders were growing increasingly frustrated with this computing model’s high cost plus long application development times, which were often over budget and feature deficient. In short, SNA was viewed as not flexible or too rigid to support a new computing model. Alas the first epoch’s reign of 35 years was coming to an end.</p>
<p><strong>Second Epoch:</strong> During the mid 80s, personal computing was heating up, marked by Apple’s 1984 Super Bowl commercial. At the same time, Ethernet hubs were available and growing as the infrastructure for client-server computing. TCP/IP was standardized in this time frame, which defined the second epoch of computer networking as Routing and Switching aggregated traffic and forwarded layer 2 and 3 (L2/L3) packets. This was the golden internet age of networking. This model was/is so powerful that it’s the core of the public switched telephone network, mobile network and national entertainment network. You can’t say that the second epoch is over but you can hear IT business leaders complain loudly that the network is in the way of their needs and business desires to spin up and down applications, move workloads, etc. The same complaints that were voiced in the 1980s are starting to be said now; network operational cost is too high and that networks are not flexible or too rigid to support a new computing model. So is the second epoch’s reign of 35 years coming to an end?</p>
<p><strong>Third Epoch:</strong> Computing drives network architecture and over the past few years, computing has fundamentally changed to mobile and cloud with virtualization providing compute density and efficiency. Networking’s Third Epoch is the era in which we are living today, the era of network programmability, and in particular SDN, which enables the democratization of network application programs and features. With SDN, the notion of layering in the forwarding plane in network switches disappears. Indeed the switches become protocol-ignorant, while layering remains meaningful in hosts and at transition points between networks with different control mechanisms. On the computing side, this is the era of mobility, virtualization and the cloud, with applications finally freed from having to be aware of specific details of network plumbing, like IP addresses and ports.</p>
<p>But established vendors such as Cisco, Juniper, HPN, IBM, Brocade, Dell, Arista, Avaya, Alcatel-Lucent, Extreme and others are dialed into the new network requirements. While most of the above firms have either announced their support of OpenFlow and SDN, many will offer programmable Layer 2/3 networks to address 80% of IT business leader requirements, slowing down SDN deployments. Also remember architectural shifts take a long time to materialize.  </p>
<div class="pod_wide">
<p><img height="70" width="55" src="/wp-content/uploads/Jayshree_Ullal.jpg" /><strong>Arista’s Jayshree Ullal on Software-Defined Networking</strong></p>
<p><a href="/?lippis_pid=5913">Listen to the Podcast</a></p>
</div>
<p>So is SDN the third epoch or a new set of features added to layer 2/3 switching/routing networks? My top ten observations from attending this year’s ONS may help answer the question.</p>
<p><strong>1) It’s All about OpEx:</strong> Early SDN messages were about cheap switching products from Asia being controlled by sophisticated controllers from the likes of Big Switch Networks, Nicira, NEC, et al. But SDN is all about reducing the cost to operate networks. Consider this: it takes one engineer to manage 8,000 nodes in a mobile network but it takes one engineer to manage 75 nodes (switches or routers) in an enterprise network. The industry has prided itself on a value prop based upon capital cost being 25%, operational cost at 60% and facilities being 15%. Centralizing network control is all about reducing operational cost, and if capital cost gets cheaper too, then so be it, but it’s not the driver.</p>
<p><strong>2) First Virtualize then Customize:</strong> It’s becoming apparent that SDN pilots and early implementations are all about virtualizing the network. Yes, we have had network-virtualizing technologies for years with VLANs, MPLS, VRF-Lite and Cisco’s latest Easy Virtual Network, but SDN does it without the huge operational cost of configuring each switch and/or router, and there is complete separation of the address space. There are many requirements for virtualizing the network, including offering unique attributes to common users, segmenting departments and businesses, delivering multi-tenant services, and even offering each employee his/her own virtual network where credentials are checked and IT services allowed; this is huge for BYOD and mobile employees. Once a network is virtualized, these logical networks can be customized, thanks to layer 4-7 services being moved into the virtualization domain. This flexibility is huge in the enterprise campus, data center and service provider markets.</p>
<div class="pod_wide">
<p><img height="70" width="55" src="/wp-content/uploads/stepheng.jpg" /><strong>Infoblox Launches First Software-Defined Network Product in Automation Tasks Board Tools </strong></p>
<p><a href="/?lippis_pid=5910">Listen to the Podcast</a></p>
</div>
<p><strong>3) Limited Number of Real SDN Implementations:</strong> There are only approximately 30 to 60 SDN projects taking place around the world, a small number, so expect limitations and setbacks in SDN promises being made.</p>
<p><strong>4) New WAN:</strong> One of the highlights of ONS was the keynote from Urs Hölzle, SVP Technical Infrastructure and Google Fellow. Urs demonstrated SDN in the WAN with a custom built 10GbE switch via merchant silicon equipped with 100s of ports of non-blocking 10GbE, OpenFlow support, Open source BGP, ISIS and scale to Tbps. What was striking about this is the reported improved re-route time, convergence time, increased performance and reliability plus greater control and flexibility afforded by SDN in the WAN than offered by traditional hop-by-hop routing.</p>
<p><strong>5) Can SDN Move Down Market?</strong> Early SDN adopters and promoters are the largest of data center owners such as Google, Yahoo, etc., that were represented at ONS. The question is can SDN move down market? Only a few firms can afford to build their own 10GbE switch and experiment over the wide area as Urs did at Google. Yahoo!’s principal architect, Igor Gashinsky, was hopeful to be able to access the Linux kernel of switching and routing devices for greater programmability, but there aren’t too many IT organizations that would enjoy that opportunity.  But many may find what Igor builds interesting and potentially useful if it was made available to others.</p>
<p><strong>6) Wither OpenFlow?</strong> While OpenFlow has enjoyed much industry discussion, privately, many firms, both large and small, expressed that OpenFlow is but one approach or mechanism available to program switches.</p>
<p><strong>7) VMware Has a Big Hand to Play:</strong> It’s becoming clear that VMware has a huge hand to play in the emerging SDN market. vSwitch, a VMware innovation, started the SDN and network virtualization journey. Its vDS enabled pooling of network ports across clusters via aggregation of vSwitches. To extend or overlay layer 2 virtual networks over layer 3 boundaries, it jointly developed VXLAN with Arista, Cisco, RedHat, Citrix, Intel, et al.; VXLAN is now a draft IETF RFC. VXLAN extends large layer 2 VM domains well beyond the 4K VLAN limit to 16 million. It is touted as a key standard that avoids proprietary overlay networks while allowing VM domains to span virtual and physical networks. In addition, its vCloud Director enables alignment of elastic compute and networking diameters. Via vShield, VMware has added virtual firewalls, load balancing, VPN, IPAM, hybrid cloud extensions, and the ability to logically insert partner services, like IDS/IPS and WOC or WAN Optimization controllers. With this growing SDN stack, VMware is in an excellent position to offer APIs to application developers exposing virtual network topologies and other stateful information. </p>
<p><strong>8) Network Influence/Control Shifts to Virtualization Domain:</strong> There are two tectonic shifts that potentially threaten networking as we know it and networking professionals. The first one is the migration to technologies that recognize the relevance in the hypervisor switch of L2/L3 designs. The second shift is L4-L7 services that are cost optimized and compatible with VMs. Let me explain. </p>
<p>With OpenFlow, Open vSwitch and Quantum providing the base network virtualization tools for KVM, VirtualBox and Xen, while VMware provides its own tools mentioned above, a shift in network control or balance of power is occurring into the virtualization domain. When networks are virtualized, they can stay in the virtualized domain, traverse physical layer 2/3 networks or some combination of both.</p>
<p>At the heart of virtual networks is how they traverse physical switches and routers. There are layer 2 tunnels and layer 2 over layer 3 tunnels such as VXLAN and NVGRE. There is OpenFlow in “native” mode, which is OpenFlow supported by all of the switches and routers in a network, and OpenFlow in “overlay” mode where only the hypervisor switches are OpenFlow enabled, and the OpenFlow network is overlaid on the physical L2/L3 design using tunnels. Nicira does overlay mode using its custom STT tunneling technology. Big Switch uses plain vanilla OpenFlow so that it supports overlay and native as well as hybrids of the two.</p>
<p>Both firms envision networking being provisioned and controlled from the virtualization domain, where virtual networks are created and managed and layer 4-7 services are administered. If and when this model comes to fruition, physical networking becomes less strategic as network services move to the virtualization domain. Firms with large virtualized data centers like this model as they have stranded CPU resources, thanks to memory limitations in virtualized servers. Layer 4-7 network servers are CPU intensive but use little memory, a perfect fit to move these services into the virtualized domain; a sunk cost that is already being managed. In essence, they view it as getting Layer 4-7 services for free.</p>
<p>At ONS, there were many firms offering virtualized layer 4-7 services such as: vArmour with its distributed firewall, Embrane providing layer 4-7 virtualized services, Radware with its load balancer and firewall, LineRate with its ADC, and don’t forget Cisco, F5, Brocade and many others that have virtualized their Layer 4-7 appliances.</p>
<p><strong>9) SDN Definition…or What You Thought It Was…Will Be Totally Different Next Year: </strong>The definition of SDN as an OpenFlow interface on virtual and physical switches that are controlled by a centralized controller will be totally different next year. As Cisco, IBM, Dell, Juniper, HP, Arista, ALU and others wrap their minds and product lines around SDN, it will take a decisively different shape.  </p>
<p>Cisco’s CTO and Chief Architect of the Service Provider Division, David Ward, provided a glimpse of things to come as Cisco provides programmatic interfaces in the hope of providing new services and functionality by augmenting existing network control, management and forwarding state. Cisco and all networking firms will offer ways to program L2/3 networks and expose network intelligence to applications. Juniper, for example, offered an SDN over QFabric option to consider. IBM offered a way to ease control of a converged data center fabric of storage and networking with SDN. Dell offered a multi-tenancy data center solution, thanks to an OpenFlow-based SDN.</p>
<p><strong>10) Pervasive SDN:</strong> ONS presentations demonstrated pervasive SDN use cases that spanned the service provider market, cloud computing facilities, enterprise campus networking, wide area networking, data centers and mobile infrastructure. Each use case was driven by the centralization of control to both reduce operational cost and increase functionality. In short, SDN promises to reap more from networking at lower operational cost.  </p>
<p>So is SDN the third epoch or a new set of features added to L2/3 switching/routing networks? From what I learned at ONS, you can make the case for both, but pay close attention to observation number nine: <strong>“SDN Definition…or What You Thought It Was…Will Be Totally Different Next Year”</strong> is key. The networking industry is in hyper-innovation mode, embracing SDN concepts such as exposing network intelligence to applications, exploring programmable networking and SDN-like architectures where more control is centralized to reduce operations. I get the feeling that SDN is the third epoch, but as it’s cranked through the meat grinder of the industry, it will take on a form and shape that is unrecognizable compared with its current form. What do you think?</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2012/04/lippis-report-191-what-i-learned-at-the-open-networking-summit-about-software-defined-networking/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Lippis Report 190: The Emergence of a Virtualization Stack for Cloud Ready Data Centers</title>
		<link>http://lippisreport.com/2012/04/lippis-report-190-the-emergence-of-a-virtualization-stack-for-cloud-ready-data-centers/</link>
		<comments>http://lippisreport.com/2012/04/lippis-report-190-the-emergence-of-a-virtualization-stack-for-cloud-ready-data-centers/#comments</comments>
		<pubDate>Tue, 17 Apr 2012 03:05:23 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=5927</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Virtualized server deployment has been propelled en masse, thanks to increased data center efficiency by delivering the same or greater application workload with a reduced number of servers.  While this is good news, many IT business leaders are now realizing…</p>]]></description>
			<content:encoded><![CDATA[<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Virtualized server deployment has been propelled en masse, thanks to increased data center efficiency by delivering the same or greater application workload with a reduced number of servers.  While this is good news, many IT business leaders are now realizing huge consequences to highly virtualized data centers.  Their challenges are rooted in application management plus layer four through seven services, such as WAN optimization, application delivery controllers and security, especially in environments that include multiple hypervisors and a wide variety of workload types and shifting virtual machines. In this Lippis Report Research Note, we provide a model to manage the rapid changes taking place in data center strategies for managing applications plus layer four through seven services via a “virtualization stack” to calm complexity and enable cloud level scale.</p>
<p>The new challenges of enterprise application management in virtualized data centers include what type and location of network intelligence is required when multiple hypervisors and various workloads exist and move around the data center. Also how do operations groups maintain consistent security policy across both virtualized and non-virtualized environments, plus monitor and maintain application flow visibility?</p>
<p>It’s clear that IT organizations are deploying, broadly and with depth, workloads in their virtualized data centers and private cloud environments. Cisco is taking an approach that enables IT leaders to deploy their virtualized environments at scale with simplicity and consistency. A key design goal of Cisco’s is to extend to workloads the same posture, operational practices, features, policies and security as they are deployed into virtualized and cloud environments.</p>
<p>Cisco’s approach has manifested as a “Virtualization Stack,” and the company is now organizing its virtualization products around this term. IT business leaders managing large data centers deploy this infrastructure with a life cycle of five to seven years. To extract the most value from this investment, many prefer to deploy this technology from a stack perspective. Virtualized infrastructure needs to be extensible and flexible. As such, Cisco is leveraging its innovations and network intelligence to provide an end-to-end stack that includes four components.</p>
<p><strong>Cisco’s Virtualization Stack: Four Components</strong></p>
<p>The first component of Cisco’s virtualization stack is virtual networking, followed by virtual security, application networking, and orchestration plus provisioning. The key value proposition of Cisco’s virtualization stack is to encompass both physical and virtual infrastructure to extract the highest utility or efficiency of the infrastructure plus the operational groups responsible for its management.  </p>
<p>For example, Cisco’s virtualization stack starts with virtual networking, whether it&#8217;s the ability to provide networking via software or hardware and leverage the intelligence within each.  The second and third components are virtual security and application networking. As workloads are deployed across virtualized and/or physical infrastructure, they require security and other layer four through seven services. Virtual security and application networking assure that applications are serviced within both the virtual and physical domains consistently, leveraging existing investment in appliances, for example, and extending applications to both domains.</p>
<p>The fourth component is orchestration with a dynamic process to provision and deploy virtualized workloads. When different teams deploy workloads, Cisco’s virtualization stack seeks to extend their utility through scalability and broad deployment across the data center. And as workloads move, policies and features need to be consistently moved and applied, whether it’s within a data center, across pods or across data centers.</p>
<p><strong>Product Underpinnings</strong></p>
<p>The product underpinnings of Cisco’s virtualization stack are extensive and include:</p>
<p><strong>Virtual Networking:</strong> Starting with virtual networking, Cisco provides the Nexus product line that spans physical to virtualized infrastructure with the same operational practices, Command Line Interface (CLI) and Operating System. Its virtual switch is the popular Nexus 1000V. Where IT leaders seek increased virtualized workload performance by performing switching in hardware, Cisco offers the UCS fabric interconnect and the Nexus 5500. </p>
<p><strong>Virtual Security:</strong> Security in virtualized environments is fundamental. In Cisco’s virtualization stack, security means ensuring firewall policies, visibility and monitoring policies are applied consistently across physical and virtual domains. To provide these capabilities, Cisco introduced its virtual security gateway or VSG: a stateful zone-based firewall. In addition, Cisco leverages its physical ASA firewall and now offers the ASA in a virtualized form factor called ASA 1000V.</p>
<p><strong>Application Networking:</strong> For application-networking, Cisco provides its popular application acceleration and WAN optimization or WAAS products in a virtual form factor called Virtual WAAS plus a network analysis module or NAM for workload visibility and monitoring.</p>
<p><strong>Orchestration and Provisioning:</strong> At the top of Cisco’s virtualization stack is orchestration and dynamic management. Cisco’s Network Services Manager Northbound API facilitates automated network provisioning in cloud environments. Cisco’s Intelligent Automation for Cloud is a self-service provisioning and orchestration software solution for cloud computing and data center automation. It helps enable secure, on-demand and highly automated IT operations for both virtual and physical infrastructure across compute, network, storage and applications.</p>
<p>The above virtualization stack is the most extensive and thoughtful in the industry. But how do IT business leaders take advantage of Cisco’s virtualization stack and in the process, also be cloud ready?</p>
<p>Most IT leaders seek to provide workload operations consistency and reduce operational cost. Cisco’s virtualization stack enables the networking team to manage physical and virtual networks. The same is true for the security team; that is they are able to manage physical and virtual security infrastructure while remaining non-disruptive in the way virtualization teams manage virtual and cloud workloads.</p>
<p>Segregation of administrative domains is very important within data center operations and needs to be preserved. So, too, is auditing and compliance as IT business leaders have spent years ensuring that their infrastructure audits meet compliance standards.  As workloads—be it mission critical, PCI, etc.—are increasingly being deployed on virtualized infrastructure plus multi-tenant cloud computing facilities, IT leaders need to extend that same compliance posture into virtualized and cloud environments.  Maintaining administrative domains and compliance across physical, virtual and cloud infrastructure is a basic tenet of Cisco’s virtualization stack. </p>
<p>While most IT organizations have the skills to design and customize their virtualization infrastructure, others may choose to deploy pre-designed building blocks that have been tested for interoperability and performance. For those, Cisco offers solutions such as virtual desktop, multi-tenant data center, etc., on Vblocks or FlexPod, which is a referenced blueprint to hasten infrastructure deployment. FlexPod is a pre-validated data center solution built on a flexible, shared infrastructure that scales. Vblocks are a combination of EMC software and storage, Cisco UCS, MDS and Nexus products, and VMware virtualization software. Vblocks are complete infrastructure packages sold in one of three sizes, based on the number of virtual machines. Vblocks offer a tested and jointly supported infrastructure with proven performance levels based on a maximum number of VMs.</p>
<p>Cisco’s virtualization stack offers a model or framework to manage the fast-paced changes taking place in the data center for managing applications plus layer four through seven services to calm complexity and enable cloud-level scale.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2012/04/lippis-report-190-the-emergence-of-a-virtualization-stack-for-cloud-ready-data-centers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Lippis Report 189: A New, Easier and Low-Cost Approach to Network Virtualization Emerges from Cisco</title>
		<link>http://lippisreport.com/2012/04/lippis-report-189-a-new-easier-and-low-cost-approach-to-network-virtualization-emerges-from-cisco-3/</link>
		<comments>http://lippisreport.com/2012/04/lippis-report-189-a-new-easier-and-low-cost-approach-to-network-virtualization-emerges-from-cisco-3/#comments</comments>
		<pubDate>Wed, 04 Apr 2012 01:56:57 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=5904</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Network virtualization design or the ability to divide a physical network into multiple logical networks, each with unique attributes, has grown in popularity.  IT business leaders have searched for ways to segment their network, providing different and isolated characteristics for…</p>]]></description>
			<content:encoded><![CDATA[<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Network virtualization design or the ability to divide a physical network into multiple logical networks, each with unique attributes, has grown in popularity.  IT business leaders have searched for ways to segment their network, providing different and isolated characteristics for different user groups. Network virtualization is very popular in healthcare, education, travel and other industries, but has been too expensive and complex for the broader market to implement, until now. Network virtualization can be implemented via VRF- (or virtual routing forwarding) lite, MPLS, and now with Cisco’s new Easy Virtual Network, all of which, by the way, are far easier to manage and much lower cost than building overlay networks. In this Lippis Report Research Note, we explore network virtualization approaches in campus networking for segmentation or isolation of groups and its simplification properties.</p>
<p>There are multiple drivers to virtualize an enterprise network.<br />
From a business point of view, network virtualization addresses regulatory compliance and security, and simplifies infrastructure consolidation when two concerns combine through a merger or acquisition. For example, in financial services, regulators require separation of commercial investment banking from other bank operations. Airports need to support multiple airlines and airport businesses, such as restaurants and kiosks located in terminals, each with different network requirements. A more general-purpose example is using network virtualization to limit access to IP video surveillance flows to only select staff, securing access to surveillance video.</p>
<p>To design a virtualized network, a number of standards and best practices have been developed. Service providers utilize MPLS to virtualize networks due to its capabilities and scale, but because of its cost this approach is best for very large corporations and service providers. VRF-lite or VPN routing/forwarding is a simpler and lower cost alternative for network virtualization but is still too complex to deploy, because multiple lines of code are required to configure routers/switches, and the configuration is implemented hop-by-hop. To bring the benefits of network virtualization to more corporations, Cisco has launched a new option called Easy Virtual Network or EVN that promises to simplify the configuration and management process, making network virtualization a more broadly available network design option. EVN is supported across the ASR 1000, Catalyst 6500 with Supervisor 2T and Catalyst 4500 with Supervisor 7E with more platforms to come.</p>
<p><strong>What Is Network Virtualization?</strong></p>
<p>Before we dive into EVN, a quick definition of network virtualization is in order. Most IT leaders are familiar with server virtualization, where a single server may support 10, 20 or 30 virtual machines. Consider a DHCP server that may demonstrate relatively low CPU or memory utilization; in effect, it’s not fully utilizing this computing resource. To take advantage of that computing resource, IT would start stacking virtual servers with virtual machines on the physical server, adding applications until CPU and memory are utilized. Network virtualization does the same. Rather than keeping all network topology information such as subnets that are being routed and switched in one global flat routing table, Cisco is enabling the creation of multiple routing tables that are logically separated. But a network administrator may share physical routes within the routing table to create unique separate logical networks.</p>
<p>These logical networks share one physical network and select shared resources too. For example, assume a network operator creates separate networks for two departments, but he/she doesn’t want to buy two separate DHCP servers. The network operator can configure the DHCP server address to be shared between the two logical networks, but all other assets are separated/isolated. User groups in one virtual network do not talk to user groups in another virtual network.</p>
<p>Network virtualization uses the same routing protocols that are already deployed, such as BGP, EIGRP, OSPF, etc., providing the same functionality with the same terms of access lists. In short, network virtualization—like server virtualization—increases the utilization or utility of an invested infrastructure. Just like multiple VMs are layered on top of a single physical server, multiple virtual networks can be layered onto a single network infrastructure by thin slicing the routing table, creating multiple instances.</p>
<p><strong>Multiple Network Virtualization Options</strong></p>
<p>VRF-lite and MPLS provide network virtualization at scale. Some corporations have thin sliced their routing table to create hundreds of different routing instances or what is called VRFs or virtual routing forwarding instances. MPLS-based virtualized networks can scale to hundreds, whereas VRF-lite starts to be cumbersome around 12, thanks to manual configuration of routing instances.  EVN can support 32 virtual networks, which is about the level most enterprise IT leaders want to segment their networks. What’s most popular is creating virtual networks for a guest wireless network, building management equipment network, user traffic and video surveillance network. The key factor in choosing VRF-lite, MPLS or EVN is scale or the number of virtual networks plus operational cost associated with configuration and management. </p>
<p><strong>Easy Virtual Network</strong></p>
<p>EVN is the next step beyond VRF-lite, which has been plagued by manual configuration and being cumbersome at scale as the number of VRF instances or different segments increase. EVN addresses this configuration and management complexity or overhead of network virtualization. In EVN, Cisco has simplified the Command Line Interface or CLI commands much like it did for VLANs with VTP or VLAN Trunking Protocol. VTP reduces VLAN administration in a switched network. When a new VLAN is configured on one VTP server, the VLAN is distributed through all switches in the domain. This reduces the need to configure the same VLAN on every switch.  </p>
<p>Just like VTP simplified the configuration of VLANs, so too does EVN for network virtualization. With a single command, Cisco’s Catalyst 6500s automatically provision the virtual networks on the core interfaces rather than manually configuring every virtual link.  Imagine a network of 50 devices where every device has four neighbors; before EVN, the network administrator would configure each virtual network manually. With EVN, configuration is centralized and distributed to each interface on the core routers. </p>
<p>EVN simplifies the network virtualization configuration process. In addition, EVN simplifies network virtualization manageability and troubleshooting with what is called “routing context” command mode, which allows network operations to specify a particular virtual network and issue several EXEC commands to that virtual network. Routing context reduces repetitive entering of VRF names for multiple EXEC commands. All the standard routing commands, such as “show ip route,” “ping,” “telnet,” “traceroute,” etc., are much easier to use with routing context.</p>
<p>Sharing a network service to multiple virtual networks such as an email server, internet access, DNS, video, a DHCP server, etc., is important and needs to be simple. EVN eliminates the complexity of creating sharing services that was achieved through importing and exporting routes between virtual networks using Border Gateway Protocol (BGP) commands, such as route target, route export, etc. EVN improves shared services with “route replication,” which allows each virtual network to have direct access to a shared Routing Information Base (RIB) in each virtual network.  </p>
<p><strong>EVN Deployment</strong></p>
<p>EVN is supported on several Cisco platforms and is backward compatible with VRF-lite. In fact, a Catalyst 6500 supports EVN, VRF-lite and MPLS simultaneously, thanks to a common definition of Virtual Routing Instance between EVN, MPLS and VRF-lite. In addition, commands are common among the three approaches as they share a VRF definition.</p>
<p>In the event that a corporate network has deployed products beyond the ones listed above that do not support EVN, a hybrid VRF-lite and EVN strategy can be implemented. As more Cisco products are equipped with EVN, a large EVN virtual network can be created until EVN is the only virtual network protocol in use, if that is a goal.</p>
<p>EVN is the preferred method to deploy a virtual network where IT leaders are seeking to provide traffic separation and path isolation on a shared network infrastructure. As EVN uses existing VRF-lite technology to simplify layer 3 network virtualization, improve shared services support and enhance management, troubleshooting and usability, the two interoperate. Most network operations groups will start deploying virtual networks by building a single VRF and start populating it with a department or service such as guest access. Once the network operations group’s confidence in EVN is high, additional virtual networks can be created to segment, isolate and create unique user groups as business process dictates.</p>
<p>For those interested in the benefits associated with virtual network’s isolation attributes, we recommend piloting EVN to gain skills and confidence. Having network virtualization, as a network design option, will come in handy as traffic separation requirements emerge, either through a merger or acquisition, regulation or increasing the utilization of the network asset. </p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2012/04/lippis-report-189-a-new-easier-and-low-cost-approach-to-network-virtualization-emerges-from-cisco-3/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Lippis Report 188: Cisco Deepens the Visibility and Control Attributes of the SecureX Framework to Deliver Context-Aware Mitigation</title>
		<link>http://lippisreport.com/2012/03/lippis-report-188-cisco-deepens-the-visibility-and-control-attributes-of-the-securex-framework-to-deliver-context-aware-mitigation/</link>
		<comments>http://lippisreport.com/2012/03/lippis-report-188-cisco-deepens-the-visibility-and-control-attributes-of-the-securex-framework-to-deliver-context-aware-mitigation/#comments</comments>
		<pubDate>Tue, 20 Mar 2012 04:52:09 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[ASA-CX]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Cisco Systems]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[ISE]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[Lippis]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[SGT]]></category>
		<category><![CDATA[TrustSec]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=5858</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>SecureX is the network security framework that Cisco launched last year. The company has now deepened SecureX to bolster its ability to provide SecOps greater visibility of applications and network traffic, and control of network security resources to mitigate exploits…</p>]]></description>
			<content:encoded><![CDATA[<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>SecureX is the network security framework that Cisco launched last year. The company has now deepened SecureX to bolster its ability to provide SecOps greater visibility of applications and network traffic, and control of network security resources to mitigate exploits faster and more effectively by providing context-aware security information brought on by Bring Your Own Device or BYOD plus cloud computing applications and services. Cisco achieves this through its new ASA-CX Context-Aware Security capabilities, expanded support for Security Group Tagging or SGT within TrustSec enabled devices, and the addition of device profiling functionality in the IOS of its routers, switches and wireless access points. All of this security technology works with its Identity Services Engine or ISE—Cisco’s identity and access control policy platform. </p>
<p><span id="more-5858"></span></p>
<p>One of the key differentiators of the Cisco SecureX framework is the power of its ability to mitigate threats. Much of that power is delivered through ASA CX, continued innovation in TrustSec plus ISE and extension of TrustSec services into the network infrastructure devices. There is no other industry player that offers this totality of threat protection.</p>
<p><strong>Networks Become Context Aware via ASA CX</strong></p>
<p>ASA CX and TrustSec offer important proof points of SecureX.  ASA CX delivers context-aware security. Why is context so important to threat mitigation? Without context, security personnel have little information with which to judge the severity of a threat.  It’s analogous to someone knocking on your front door at midnight and opening it with no lights on the porch. You just don’t know if it’s your child coming home late, having forgotten her keys, or a criminal with malicious intent. Do you really want to open the door and grant access to your home? Without the level of visibility provided by context awareness, SecOps has been forced to deny access to mobile devices and applications, since it lacked sufficient information to determine if granting access posed a potential threat.</p>
<p>Today’s network and security management tools may provide security personnel with information regarding the type of device accessing a network—be it a mobile device, desktop, IP Phone, etc.—but they don’t have information concerning WHO is using the device as their view is relegated to an IP address and/or User ID. SecOps may have some sense of what the device is but its view is limited. Going back to our midnight-door-knocking analogy, they don’t know if it’s their child or a criminal at the door.</p>
<p>Enter context-aware network security. Cisco ASA CX pulls information from the local network, SecureX technologies such as AnyConnect (Cisco’s secure mobility solution) and ScanSafe (Cisco’s cloud-based web security service), plus global threat information from Cisco Security Intelligence Operations or SIO. ASA CX then uses this information to provide end-to-end intelligence, so that SecOps can make informed security decisions. ASA CX combines all of this network intelligence to essentially turn on the porch light for SecOps by providing it with deep visibility into who and what is attempting to access the corporate network.  </p>
<p>SecOps will see exactly what device is trying to access the network, how that device is accessing the network (wired, wireless, 3G, VPN), where that device is located (inside or outside the network) and the person using the device. For example, SecOps may see a network access request from “Brian’s” cell phone. ASA CX provides SecOps with a full view of the device and user seeking network access and the applications he wishes to use. In this case, it can identify Brian’s cell phone number, device description such as an iPhone 4 running iOS 5.01 and what he’s trying to access. As a result, SecOps can make more intelligent security decisions and safely enable devices, applications and new use cases. In turn, IT business leaders can feel safe in allowing BYOD and all the productivity improvements it offers.  </p>
<p>In addition, once a device has been profiled and a user has been authenticated, Cisco TrustSec is able to attach a security policy to the data coming from that device provided by the Cisco Identity Services Engine. So once that device is allowed onto the network, the network then enforces where it can go and what it can do, thereby extending perimeter access control to the entire distributed network environment. </p>
<p>Equipped with this level of visibility, SecOps is placed into a position where it can comfortably say “yes” to new devices and applications on the network, assuming they fall into corporate policy.   </p>
<p><strong>Rich Policy Language</strong></p>
<p>Cisco Prime Security Manager, the management interface for ASA CX, allows SecOps to write security policies that match business security policies. Policies are created on ASA CX via simple written language such as “block application” or “block microapplication,” “allow posting to social network,” but “block games on social network,” etc.  </p>
<p>ASA CX generates detailed reports that articulate what is going on in the network, and how effectively the policies are being implemented.  </p>
<p>ASA CX recognizes a thousand applications plus some 75,000 micro-applications! This means that SecOps can create finely-tuned policy. For example, Facebook is a proverbial gray area application: it has traditionally not been viewed as a business application, but there clearly are legitimate business uses for Facebook. Therefore, a policy can be written to allow marketing to view, text, and post videos on Facebook, but block Facebook games. Sales, on the other hand, may have view and text privileges only, while Finance’s access to Facebook is blocked altogether.</p>
<p>This level of granularity is great for application control, but Peer-to-Peer or P2P applications, such as Skype, that hop ports and protocols require special attention. Therefore, rather than requiring SecOps to write fifty different policies to block Skype and fail because Skype will re-route to a different port or protocol, ASA CX enables SecOps to simply write “Block Skype.” </p>
<p>By defining policy in plain English, rather than with obscure firewall policy commands, policy creation has been abstracted to natural language to promote tighter integration between business policy and enforcement. This rich policy language allows SecOps to define policy simply, providing nearly unlimited degrees of freedom to place business process into policy based upon individual, group, device access, etc. </p>
<p>Visibility and control are not mutually exclusive. As the old adage goes, “you can’t manage what you don’t measure.” ASA CX delivers end-to-end visibility by aggregating intelligence from SecureX and SIO; it provides granular control based largely on that visibility.</p>
<p><strong>TrustSec</strong></p>
<p>Cisco TrustSec is an architecture that consists of authentication, authorization, policy enforcement and value-added network services. The latest version of TrustSec provides visibility as to who, what, when and how devices are accessing the network. In addition, the TrustSec umbrella is now decoupling physical topology from user connectivity type, which provides greater network access options securely.  </p>
<p>For example, consider a 900-site corporation that consists of nearly 1,000 VLANs. A mobile executive traveling to one of those 900 sites requires his/her office IT environment to follow him/her to stay productive. Typically, tracking an executive would require a VLAN that&#8217;s specific to the executive traffic class in all 900 sites. Firewalls would then use these 900 VLAN IP subnet ranges to authorize the executive traffic. This would require creating VLANs for every classification of user group in the enterprise and implementing their associated IP subnets in firewalls. With TrustSec and SGT, NetOps classifies users into groups but does not have to update firewalls with IPs/subnets, as their firewall rules and security policy are defined via the abstraction of SGT. Thus, the executive is free to travel the corporation with his/her office IT available at every port he/she connects into without configuring firewalls.</p>
<p><strong>Security Group Tagging or SGT</strong></p>
<p>To achieve this level of secure mobility, Cisco has introduced SGT. During an 802.1x handshake, a 16-bit policy tag is assigned to the user/device pair by inserting it into the device’s data packets; the tag then follows the pair throughout a corporate network. The SGT is linked to context-based access authorization policy for that user/device. Therefore, when that user/device requests access to certain resources, whether Internet or corporate based, the network identifies the tag and the permissions associated with it, including such dynamic elements as where the user/device is located and how he/she/it is connecting to the network, granting or denying IT resource access independent of geographic location and network port. SGTs are much like employee badges that allow or deny access to buildings and resources.</p>
<p>SGT scales very well with over 65,000 available tag categories that can be blended dynamically depending on a set of contextual information. In addition, group tags enable efficient use of tag space, as one tag category can provide an element of access authorization to a large number of employees based on their role within the organization. TrustSec secures an IT infrastructure for mobility through the support of TrustSec embedded in Cisco routers, switches and wireless access points. TrustSec allows users to access the network without regard to network access type and geographic location—be it in a Starbucks, campus, remote office, home office, etc. In conjunction with Cisco’s ISE, TrustSec delivers network-wide visibility into every user and device on the network, and granular control over what network resources they can access.  </p>
<p>Consider Avani. She is using both her corporate-provided laptop connected into a wired connection as well as her iPad connected wirelessly. As long as tags and associated policies are defined and allowed for the laptop and iPad, then Avani will be granted access. Even though Avani is using the same user ID and password, Cisco TrustSec may provide very different levels of network access for each device, based on policy, allowing her iPad to only access email, for example, while allowing her laptop to access additional internal resources.   </p>
<p>In addition to tag-based geographic and network access type independence, the Cisco ISR G2 and ASR, as well as its wireless access devices, also support SGT, including both policy tagging and tag enforcement functionality on these platforms. Therefore, SecureX is evolving so that SecOps can centrally define policy and expand its enforcement from wired to wireless, and even VPN access, independent of geographic location.</p>
<p>Cisco’s investment in SecureX with ASA CX and expanded TrustSec device profiling plus SGT within its family of network devices offers increased BYOD, cloud computing application and services access, as well as application visibility and control. All of this together makes Cisco the only firm to deliver such a rich set of context-aware security in the industry, allowing IT business leaders to reap the benefits of BYOD and cloud securely.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2012/03/lippis-report-188-cisco-deepens-the-visibility-and-control-attributes-of-the-securex-framework-to-deliver-context-aware-mitigation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Lippis Report 187: Software-Defined Networking Needs a Bigger Definition</title>
		<link>http://lippisreport.com/2012/02/lippis-report-187-software-defined-networking-needs-a-bigger-definition/</link>
		<comments>http://lippisreport.com/2012/02/lippis-report-187-software-defined-networking-needs-a-bigger-definition/#comments</comments>
		<pubDate>Tue, 28 Feb 2012 21:21:47 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[Big Switch Networks]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Enterprise Virtualization]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[Lippis]]></category>
		<category><![CDATA[Nicira]]></category>
		<category><![CDATA[openflow]]></category>
		<category><![CDATA[SDN]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=5821</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>There are multiple definitions of Software-Defined Networking or SDN. But this is common in a new breakout space for the computer networking industry that&#8217;s evolving fast. The most common SDN definition is based upon splitting the data plane or the…</p>]]></description>
			<content:encoded><![CDATA[<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>There are multiple definitions of Software-Defined Networking or SDN. But this is common in a new breakout space for the computer networking industry that&#8217;s evolving fast. The most common SDN definition is based upon splitting the data plane or the forwarding hardware of an Ethernet switch from its control plane or the logic that controls how packets flow from ingress to egress. But this definition alone is too limited and needs to be expanded.  In this Lippis Report Research Note, we offer the industry a broader SDN definition and view.</p>
<p><span id="more-5821"></span></p>
<p>First, the SDN definition that is based upon OpenFlow is important but too narrow. OpenFlow offers a standard-based Application Programming Interface or API that links an Ethernet switch and a controller. This offers a model in which layer 2 Ethernet switches are low-cost merchant silicon based devices where flows are directed by a centralized controller(s). While this is innovative and different, in reality it’s not that interesting. There needs to be much more to SDN, and that can be found in what resides on top of and alongside the SDN controller(s) and in the associated benefits, both in terms of the network design and operational models that it affords.</p>
<p>From an architecture point of view, what resides on top of and alongside the controller(s) is another API or set of APIs that promise to virtualize networking like VMware did for servers. With a yet-to-be-defined API on top of the controller, a software ecosystem needs to flourish.  </p>
<p><strong>SDN Software Ecosystem</strong></p>
<p>Applications such as traffic management, device configuration, network analytics and control, public-private cloud connectivity and security, firewalls, load balancing, etc., are examples of applications that could and should spring up in the virtualization domain, thanks to SDN. Much work is being done now to automate the network layer and virtualization stack into the virtualization domain via SDN applications that may or may not ride on top of an SDN controller(s). The centralization of network provisioning of layer 2 and 3 devices, firewalls, load balancers, VM stacks, etc., will be a huge SDN advantage as it lowers the number of operations staff required to manage a large network.  Look toward management of physical switches in the management domain of virtualization engines. </p>
<p><strong>SDN Enabled Cloud Bursting</strong></p>
<p>Enabling burst capability where a corporation can move workload between public and private clouds will be an SDN function. While there is layer 2 functionality available in some controllers today, to enable cloud bursting, this will move to layer 3 over time. But most importantly, SDN controllers are solving the security problem of workload mobility between public and private clouds today, which offers a huge network design and business agility advantage over existing approaches. </p>
<p><strong>SDN Virtualized Network Services</strong></p>
<p>While many firms, such as F5, Brocade, Cisco, Citrix, et al, offer virtualized network appliances, delivering such services within an SDN will offer huge server efficiency. For example, in highly virtualized data centers, memory restriction strands CPU capacity. Network appliances, such as firewalls and load balancers, typically consume little memory but much CPU processing capacity. Commodity servers inside of racks tend to be only 40% CPU utilized, owing to a lack of memory to run more applications upon those servers. These servers are, in essence, stranded, but a low memory, high CPU network application, such as load balancing or firewalling, can utilize that unused resource, increasing data center efficiency. SDN offers this efficiency and it&#8217;s a huge win. In an SDN environment, there will be a controller somewhere in the network, and if this runs in the virtualplex as an application then all of this server efficiency just comes to the IT architect, in essence, for free.</p>
<p><strong>Open SDN</strong></p>
<p>The SDN market is evolving in an inclusive, open fashion. The OpenFlow interface is open by definition. In addition, components of SDN controllers are being distributed to the open source community, such as Big Switch Networks’ Floodlight. Also, FlowScale, a load balancer; RouteFlow, which provides virtualized IP routing services over OpenFlow hardware; Open vSwitch; and other projects including layer 2 provisioning, VM migration, etc., are creating an open SDN environment.</p>
<p><strong>Mobile Market Shows the Way</strong></p>
<p>The mobile market may show the way of how SDN will progress. The national mobile infrastructure is well automated to the point where a single network engineer can manage some 8,000 nodes. Most, if not all, large enterprises and cloud providers would welcome such efficiency. In addition, the mobile market, thanks to Apple’s iPhone and iPad plus Google’s Android, has shown how a vibrant software ecosystem can add tremendous value and user choice. An SDN software ecosystem would offer IT business leaders applications that change the nuts and bolts of networking suited to highly-virtualized environments plus solve some of the industry’s largest problems and opportunities, especially around cloud bursting and workload mobility. If SDN is able to automate network provisioning in enterprise and cloud computing facilities much like mobile networks today, it would fundamentally change the network operational model.</p>
<p><strong>A Broader SDN View</strong></p>
<p>The definition of SDN needs to be sufficiently broad to communicate the above value. To achieve that, SDN will move well beyond an OpenFlow-based definition to an application and capability definition. SDN promises to commoditize network hardware and provide a standard-based application development platform, taking much of the features and functionality that exist inside custom proprietary software and driving it into an open SDN space.</p>
<p>But perhaps even more important is how SDN is implemented. In short, SDN promises to be deployed on under-utilized servers that IT organizations already own and operate. SDN promises to completely revolutionize the way in which we do networking.  Trends in virtualization and cloud sourcing are only going to get stronger over time. Stranded CPU capacity in virtual engines is a significant previously unavailable resource to tap into and utilize.  Running SDN controllers and applications in that domain is, in essence, free to IT organizations. </p>
<p>Think of it this way: IT business leaders will be taking this huge expensive IT infrastructure they currently own and operate to run SDN software and controllers in capacity that they weren’t capable of using anyway. That is a huge win. Add commoditized network hardware to the equation plus network application/service innovation to the mix, and you have a network environment for the new age of cloud computing. This is the promise of SDN and why it’s so important to every corporation, cloud provider and networking vendor.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2012/02/lippis-report-187-software-defined-networking-needs-a-bigger-definition/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Lippis Report 186: UC SME Market Heats Up with New Announcements from Avaya and Siemens</title>
		<link>http://lippisreport.com/2012/02/lippis-report-186-uc-sme-market-heats-up-with-new-announcements-from-avaya-and-siemens/</link>
		<comments>http://lippisreport.com/2012/02/lippis-report-186-uc-sme-market-heats-up-with-new-announcements-from-avaya-and-siemens/#comments</comments>
		<pubDate>Tue, 14 Feb 2012 22:02:41 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[Avaya]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[Lippis]]></category>
		<category><![CDATA[microsoft]]></category>
		<category><![CDATA[mobility]]></category>
		<category><![CDATA[mUCC]]></category>
		<category><![CDATA[Siemens]]></category>
		<category><![CDATA[Unified Communication]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=5791</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>The Unified Communications market has twisted and turned over the past eighteen months, thanks to mobile and cloud computing plus the huge uptick in web plus video collaboration. This market has recovered from the 2009/2010 downturn with a gusto as…</p>]]></description>
			<content:encoded><![CDATA[<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>The Unified Communications market has twisted and turned over the past eighteen months, thanks to mobile and cloud computing plus the huge uptick in web plus video collaboration. This market has recovered from the 2009/2010 downturn with gusto as providers expand UC to include collaboration and mobile platforms while targeting the red hot Small- to Medium-sized Enterprise (SME) market that consists of some seven million employees. With only a third of SMEs having a communication strategy plus less than a quarter with a deployed UC solution, the SME market is huge and wide open. In this Lippis Report Research Note, we take a look at Avaya’s and Siemens’ new UC offering for the SME market from a traditional voice vendor perspective and explore non-traditional SME offerings from Apple, Google, Facebook, Cisco, Microsoft, et al.</p>
<p><span id="more-5791"></span></p>
<p>The UC market is no longer. It used to be that UC was defined as an integrated launch point for a wide range of communication services, such as real-time voice, voice-mail access, text messaging packages, etc. Then the stock market crashed and slowed down UC growth. During 2009 and 2010, mobile and cloud computing took off and fundamentally changed enterprise computing and communications. Companies took to video communications as a way to both cut travel and operational costs and improve productivity. Case in point, Camp Dresser &#038; McKee, a worldwide player in water treatment design and build, consolidated their real estate offices, thanks to centralizing engineering and getting close to customer projects through outpost or smaller offices. High definition video conferencing was the enabler of this operational transformation.</p>
<p>UC vendors took note and started changing their UC platforms to embrace BYOD or mobile end points, collaboration and video. The UC market is now a mUCC market for Mobile, Unified Communications and Collaboration. Yes, some are experimenting with cloud-based UC offerings, but with mixed results, so we defer on this topic for now. As with most other economic recoveries, small business usually leads the way. This time around is no different, and the mUCC vendor community is targeting this market segment with a vengeance.  </p>
<p>Note that some think that iPhones or Android devices are all that is needed in the SME. But this solution does not scale past a few employees, as business critical communications need reliability and quality. Try closing a deal over a mobile phone or transferring calls between employees or conducting group calls, and it becomes abundantly clear that a first-rate company needs a first-rate communications system that includes fixed, mobile and conference solutions.</p>
<p>While we use the “m” in mUCC to denote mobility, this is just a point of emphasis that mobility is now being integrated into the UCC environment; it should by no means be construed to mean that fixed endpoints are not part of the SME solution. For this Lippis Report Research Note, we focus on the new mUCC market for SME. To do so, we profile Avaya’s and Siemens’ latest launches.</p>
<p>Avaya offers a few options for SME, such as the IP Office, into which it has been busy consolidating multiple products from the Nortel acquisition. In addition, it recently announced the availability of Avaya Flare® Communicator for iPad as a download from the Apple App Store. Avaya Flare Communicator is a free software application for both iPad and its own Android-based Avaya Desktop Video Device (ADVD). Avaya Flare Communicator provides secure mUCC capabilities over Wi-Fi and 3G networks.</p>
<p>Avaya Flare Communicator for the iPad is enabled by the Avaya Aura® 6.1 UC architecture, which delivers integrated applications to a range of fixed and mobile devices, providing consistency between mobile and fixed endpoints. Its capabilities include an integrated enterprise directory to easily launch IM, a voice call or email; management of two simultaneous voice calls on the iPad while mobile, multi-tasking real-time communications with internet access; and reduced mobile expenses by using the data channel and avoiding roaming charges while traveling across different cellular networks.</p>
<p>Siemens Enterprise Communications offers its all-in-one mUCC suite with recent updates to improve mobility, increasing business efficiency and lowering costs for SME. The upgrades to OpenScape Office and the HiPath 3000 voice platform include a new UC client for tablets, OpenScape Web Collaboration and a UC plug-in for Microsoft Outlook 2010. According to Siemens, these solutions help SMBs better serve their customers and reduce communications costs.</p>
<p>OpenScape Office has been designed to support the increased use of smart phones and tablets, offering a new mobility UC client that extends desktop capabilities to mobile endpoints. In addition, OpenScape Web Collaboration has been extended to OpenScape Office MX and LX plus mobile phones and tablets. Unique to Siemens is its embrace of virtualizing its mUCC applications. The OpenScape Office LX and HX can now run on VMware.</p>
<p>From a user point of view, OpenScape Office is now equipped with a UC plug-in for Outlook 2010 and an Open Directory Service that enables easy access to corporate directories. Siemens has had great success with OpenScape Office, having seen it grow some 67% last year.</p>
<p>While we just provide a snapshot of Siemens and Avaya here, Cisco, ShoreTel, Mitel, Microsoft and others offer SME mUCC solutions too. Interesting here is that Google, Apple, Facebook and Microsoft are all positioning to play a larger role in the SME mUCC market. Google offers a suite of services that integrate across desktop and mobile devices leveraging Android, Google Docs, Google Calendar, Google Messenger, Google Voice, Gmail, Google Video and, of course, Circles, et al. Microsoft has been challenged with Lync as a voice platform, but it now owns Skype, and look for it to offer a mUCC suite for the SME. Facebook is a wild card as rumors circulate that it’s working on a Facebook OS for mobile devices that some project will offer a social mUCC platform.</p>
<p>Apple seems content to ride the BYOD trend into the enterprise market without packaging a SME mUCC solution. Apple continues to push the envelope and deliver many of the features promised by the UC vendors for years, such as FaceTime and Siri. The real opportunity for the traditional mUCC vendors is to embrace Apple’s iPad, iPhone and Mac, adding enterprise strength and scale to FaceTime, Siri, contacts, calendar, iCloud, etc. Most of the mUCC vendors still view Apple as a consumer device and opt more often than not to develop on Android. That is a mistake.</p>
<p>The SME market is a huge opportunity for the mUCC vendors, but it’s also an opportunity for non-traditional players, as only 25% of the market has decided upon its mUCC direction. Siemens and Avaya as well as many of the other vendors are all moving in the right direction to integrate mobility, video and collaboration. But some Big Data analytics may very well show that all that is needed is enterprise integration plus scale to Apple and Google mobile endpoints on desktop and fixed point phones.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2012/02/lippis-report-186-uc-sme-market-heats-up-with-new-announcements-from-avaya-and-siemens/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Lippis Report 185: Why Software-Defined Networking and Virtualized Networking Are Inexplicably Linked</title>
		<link>http://lippisreport.com/2012/01/lippis-report-185-why-software-defined-networking-and-virtualized-networking-are-inexplicably-linked/</link>
		<comments>http://lippisreport.com/2012/01/lippis-report-185-why-software-defined-networking-and-virtualized-networking-are-inexplicably-linked/#comments</comments>
		<pubDate>Sun, 29 Jan 2012 23:05:37 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[Arista Networks]]></category>
		<category><![CDATA[brocade]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Cloud Networking]]></category>
		<category><![CDATA[Data Center Switching]]></category>
		<category><![CDATA[Enterprise Virtualization]]></category>
		<category><![CDATA[Ethernet]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[Lippis]]></category>
		<category><![CDATA[openflow]]></category>
		<category><![CDATA[SDN]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=5735</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Computer networking vendors have been increasing the speed and port density of their Ethernet switches while reducing power draw and price per port. But while Ethernet switching hardware marches on linearly, thanks to 10, 40 and 100GbE, networking software is…</p>]]></description>
			<content:encoded><![CDATA[
<p>Computer networking vendors have been increasing the speed and port density of their Ethernet switches while reducing power draw and price per port. But while Ethernet switching hardware marches on linearly, thanks to 10, 40 and 100GbE, networking software is taking a different historical path as the pace of compute and network technology evolution has diverged, with networking lagging. Highly virtualized server deployment, for example, has broken traditional networking approaches on multiple levels. In response, the industry is now developing a “virtualized infrastructure” or “stack” to add network flexibility. To close the technology gap, Software-Defined Networking (SDN) is promoted as the new “organizing principle” to deliver network software and service value. While it will likely be years before SDN’s organizing principles take hold, I propose that these two industry activities are inexplicably linked and phased; here’s why…</p>
<p><span id="more-5735"></span></p>
<p><strong>Software-Defined Networking</strong></p>
<p>There are multiple definitions of SDN. Making it even harder to pin down SDN, the definitions are evolving too. But this is common in a new breakout space for the computer networking industry that&#8217;s evolving fast. For this Lippis Report Research Note, we take the SDN definition that is based upon splitting the data plane or the forwarding hardware of an Ethernet switch from its control plane or the logic that controls how packets flow from ingress to egress. This split of data and control planes opens up an innovation injection point into networking that has not been previously available.</p>
<p>During 2011, a market opened up for controllers. Currently Big Switch Networks, Nicira Networks and NEC are offering standalone centralized controllers. But limited controllers are also available in open source software, OpenStack and VMware’s vSphere/vCloud. In addition, Cisco’s IOS, Juniper’s Junos, Arista’s EOS, etc., are distributed controllers that may interoperate with centralized controllers in the future. In fact, Arista’s EOS already supports OpenFlow, OpenStack and vSphere/vCloud.</p>
<p>The link between the separated data and control plane is an open interface called OpenFlow. Now some end their SDN definition here, but this is just the beginning, as the real promise of SDN is the applications that will reside upon the controller to address a wide range of networking issues and opportunities. In fact, researchers at Princeton and Cornell are developing the Frenetic programming language, which provides high-level network abstraction that gives programmers direct control over the network, allowing them to specify what they want the network to do without worrying about how to implement it.</p>
<p>One can imagine a wide range of applications residing upon a controller such as WAN optimization, traffic engineering optimization, load balancing, security services, etc. In essence, the control plane allows network services that are currently deployed as appliances to be virtualized appliances/applications much like applications that reside on top of a VM. It gets even more interesting, as a centralized control plane can be easily split into many little control planes, each of which sees its own slice of the data plane topology. In traditional networking where control and data planes are one and the same and in each box, it is much harder to merge control planes and split data planes. It’s possible, but harder to keep complexity and stability in check over the long term. Splitting control planes can have huge value in public cloud multi-tenant or private cloud multi-team networking.</p>
<p>SDN and OpenFlow are at the early stages of their industry maturation. But one thing is clear: SDN is an organizing principle whereby network software is developed by both network vendors and third parties, and network services are virtualized. SDN thus represents a new industry order and structure as to how value is added to networks. But I digress. The real issue today is solving network inflexibility in the face of highly virtualized data centers.</p>
<p><strong>Enter the “Virtualized Stack” or “Virtualized Infrastructure”</strong></p>
<p>Virtualized server deployment has been propelled en masse, thanks to increased data center efficiency, by delivering the same or greater application workload with a reduced number of servers.  While this is good, many IT business leaders are now realizing huge consequences to highly virtualized data centers that span from IP address change management to application management.</p>
<p>At the IP address level, networking has become extremely rigid within virtualized environments, slowing down processes, limiting moves and changes as well as elongating the time to spin up an application that resides within a VM. Necessary network services to support the virtual cloud infrastructure, such as IP address assignment and management, are still performed largely with manual tools and processes, such as spreadsheets shuffled between various departments or operational groups, which can result in days of delay for something as simple as assigning an IP address to a VM. Contrast that with the virtual server administrator. Virtual instances of servers and machines can be dynamically provisioned, migrated and shut down by a virtual server administrator in minutes.</p>
<p>Moving up the stack, challenges are rooted in application management plus Layer 4-7 services such as WAN optimization, Application Delivery Controllers and security, especially in environments that include multiple hypervisors, a wide variety of workload types and shifting virtual machines.  </p>
<p>For example, the new challenges of enterprise application management in virtualized data centers include: what type and location of network intelligence are required when multiple hypervisors and various workloads exist and shift? Also, how do operations groups maintain consistent security policy across both virtualized and non-virtualized environments? And how do operations groups monitor and maintain application flow visibility?</p>
<p><strong>Cisco</strong></p>
<p>Cisco, for example, is addressing these issues via its Virtualization Stack and is now organizing its products around this initiative.  Three components define Cisco’s virtualization stack, those being: 1) virtual networking, 2) virtual security and application networking services and 3) orchestration and provisioning. An important part of Cisco’s strategy is the virtualization of appliances such as its VSG or Virtual Security Gateway, the ASA 1000v, the support of VXLAN, the Nexus 1000v, etc.  </p>
<p><strong>Brocade, F5, Citrix</strong></p>
<p>But F5, Citrix and Brocade are all virtualizing their appliances, moving away from physical single application appliances to an integrated virtualized suite. One can imagine that these virtualized applications will sometime reside upon an SDN controller as their next stage of evolution. In addition, each application delivery vendor has a way for programmers to control application network behavior. For example, Brocade recently launched OpenScript, a Perl-based scripting language used to modify the content of and control delivery of packets at Layer 4 through Layer 7 on its ServerIron ADX products. These scripting languages could be standardized and reside within an SDN controller.</p>
<p><strong>Embrane</strong></p>
<p>A good example of what the virtualized Layer 4-7 future may hold is that of a start-up firm called Embrane. Embrane has virtualized server load balancing, firewalls and VPN termination and placed them upon a distributed software platform called heleos. Heleos runs on x86 servers and any hypervisor. It leverages a distributed virtual architecture that decouples network services functionality from the underlying physical infrastructure and hypervisor technology that it says provides high scalability, flexibility and performance.</p>
<p><strong>IBM &#038; NEC</strong></p>
<p>IBM and NEC offer the best example of a commercial SDN offering with OpenFlow. NEC’s pFlow OpenFlow controller, which resides within an IBM server, manipulates the flow table of the IBM System Networking G8264 OpenFlow switch. The link between the two is OpenFlow 1.0.0. The NEC pFlow controls traffic, discovers topology, gathers stats and performs other functions while the G8264 forwards traffic based upon these flow commands.</p>
<p>What’s impressive about the IBM/NEC SDN solution is that it has customers. Tervela validated that the IBM and NEC OpenFlow solution ensures predictable performance of Big Data for complex and demanding business environments. For Selerity, IBM and NEC’s OpenFlow solution improved real-time decision-making for global financial markets. Stanford’s IT Department chose IBM and NEC’s OpenFlow solution to deliver network capacity on-demand to its academic community. What’s important about these use cases is that IBM is communicating the value of SDN via OpenFlow in business terms, which will only increase as industry adoption accelerates.</p>
<p>In essence, the SDN market has started, and as its technology underpinnings solidify, many of today’s network services will fall under the SDN umbrella. In fact, nearly all network vendors are launching SDN programs as a new way to communicate existing product value and their evolution into an SDN. Just like the Appian Way where all roads lead to Rome, all network services may very well lead to an SDN.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2012/01/lippis-report-185-why-software-defined-networking-and-virtualized-networking-are-inexplicably-linked/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Lippis Report 184: Network Services to Differentiate Next Generation of Campus Core Switches</title>
		<link>http://lippisreport.com/2012/01/lippis-report-184-network-services-to-differentiate-next-generation-of-campus-core-switches/</link>
		<comments>http://lippisreport.com/2012/01/lippis-report-184-network-services-to-differentiate-next-generation-of-campus-core-switches/#comments</comments>
		<pubDate>Tue, 10 Jan 2012 00:30:12 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[catalyst 6500]]></category>
		<category><![CDATA[Cisco Systems]]></category>
		<category><![CDATA[Cloud Networking]]></category>
		<category><![CDATA[Data Center Switching]]></category>
		<category><![CDATA[Ethernet]]></category>
		<category><![CDATA[HP Networking]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[IXIA]]></category>
		<category><![CDATA[Lippis]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=5694</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>During the middle of 2012, a few firms will introduce core switches for campus networking. Many of these products will be based upon merchant silicon such as HP Networking’s A10500 Series Enterprise Core Switch. While these products will boast performance…</p>]]></description>
			<content:encoded><![CDATA[
<p>During the middle of 2012, a few firms will introduce core switches for campus networking. Many of these products will be based upon merchant silicon such as HP Networking’s A10500 Series Enterprise Core Switch. While these products will boast a performance advantage, they will find it difficult to win share against established products such as Cisco’s Catalyst 6500, thanks to its investment in network services. In this Lippis Report Research Note 184, we explore the importance of network services and their role in campus network design.</p>
<p><span id="more-5694"></span></p>
<p>Modern corporate networks are under increasing pressure to support a wider variety of applications, thanks to mobile and cloud computing and desktop virtualization, plus skyrocketing video traffic. Not only are bandwidth rates increasing from 1 to 10 to 40 GbE, but most importantly, network services are needed to manage and support a different application portfolio mix and network access methods. Network services such as firewalls, WLANs, network diagnostics and monitoring plus application performance acceleration are needed to deliver a consistently excellent user experience. Cisco recently announced an upgrade to its popular Catalyst 6500 with the availability of the Supervisor 2T or Sup2T that included revamped high performance service modules to deliver these network services.</p>
<p>By all counts, Cisco’s upgrade of the Catalyst 6500 via its new Sup2T is its most ambitious and thoughtful yet for the venerable platform. The Sup2T is a 2-Terabit (Tb) platform that triples the previous Sup720 performance. Thanks to the support of Virtual Switching System (VSS), the platform allows two 2 Tbps switches to combine into a single 4 Tbps virtual switch. The Sup2T is a major upgrade to the most widely-deployed switching platform in campus and data center networking in the industry. But while these performance numbers are impressive, it’s the new Catalyst 6500’s network services that deliver most of the value, which is partially found in the Sup2T’s Policy Feature Card or PFC that increases NetFlow monitoring and a new TCAM design offering improved Access Control List (ACL), Quality of Service design options, encryption security and many other features.</p>
<p>Cisco’s Catalyst 6500 is the firm’s most successful product with over 700,000 systems and 110 million ports installed, worth some $42 billion in revenue over the years. This product’s success increases the stakes for Cisco as it introduces a major upgrade. Cisco had to consider backward and forward customer migration, increased competition and pricing pressure, especially as competitors are starting to offer core switches based upon merchant silicon. In short, Cisco had to eliminate the trade-off of innovation versus investment protection and find a way to deliver both simultaneously. The Lippis Report conducted the most comprehensive testing of the Catalyst 6500 Sup2T at Ixia’s iSimCity in November 2011 to verify Cisco’s performance and upgradability claims. While it’s impossible to test all of the Catalyst 6500’s new 200-plus features within the Sup2T, we focus instead on a select few that will have the widest impact on IT business leaders’ product acquisition decision process. The full report is found <a href="http://lippisreport.com/2011/11/a-comprehensive-testing-of-cisco-systems-catalyst-6500-sup2t/">here</a>; below are highlights.</p>
<p>Compatibility, Upgradeability and Investment Protection Test</p>
<p>In this test, we look to measure how smooth the upgrade from Sup720 to Sup2T is. What IT business leaders are looking for are incremental network upgrades with minimal disruption versus major disruption that usually accompanies a significant and, at times, a not so significant network upgrade. Therefore, we swap out Sup720 for Sup2T and bring up existing service modules and line cards. Remember that line cards represent the largest investment in switching equipment, so we demonstrate that older line cards interoperate at high performance when the new Sup2T replaces the Sup720.</p>
<p>Results: We found that upgrading the Catalyst 6500 from Sup720 to Sup2T within the 6513-E chassis was straightforward and compatible with existing line cards and service modules. Those who invested in the E series chassis (i.e., 6503-E to 6513-E) and purchased line cards and service modules will find that this investment is protected and enhanced as new network services such as NetFlow, TCAM architecture improvements, encryption, deeper QoS granularity, Access Control Lists (ACLs), dry-run and atomic commit, et al, are added during supervisor upgrade from 720 to 2T.</p>
<p>We verified backward compatibility of the 6513-E Catalyst 6500 Sup2T with existing service modules, bus-based and CFC-based line cards along with feature and performance benefits afforded by the Sup2T (PFC4). We further verify the upgradability of existing modules which currently employ the DFC3 (B and C) daughter card with feature and performance benefits afforded by the DFC4 upgrade. We also verify the migration of current IOS configuration (as applicable to existing line cards) as well as their use of existing interface transceivers (e.g., SFP &#038; X2). Finally, we verify the Sup2T when combined with the 6513-E chassis enables high-performance (dual-fabric) line cards to operate in the upper 6 slots.</p>
<p>In the same 6513-E chassis, we replaced the Sup720 with the Sup2T, upgraded the line cards in slots 1 and 2 to the new 6908s, upgraded the DFC4 daughter cards in slots 12 and 13 and kept the same service modules. All of this was done while the Catalyst 6500 was operational. The Sup2T triples the performance of Sup720 while adding greater network service features such as Flexible NetFlow monitoring, 802.1ae-based MACsec encryption security, WLAN integration and firewall protection.</p>
<p>Switching Performance Test</p>
<p>Switching performance in enterprise networks is becoming increasingly important, as IT responsibility has been split between employees and IT departments, thanks to BYOD or Bring Your Own Device, and IT consumerization. As a result, the number of devices on the network has increased significantly as employees bring smartphones and other mobile devices into the work force. These devices and their applications are driving unforeseen network requirements in terms of performance and support of both IPv4 and IPv6 as many mobile devices are now set for IPv6 as the default.</p>
<p>For IPv4 and IPv6, dual-stack implementations, in which desktops and mobile devices run both IPv4 and IPv6, are the most popular; the network infrastructure therefore needs to support both equally at high performance. IPv6 performance has not been on par with IPv4 until now. To demonstrate how the Catalyst 6500 upgrade with Sup2T has improved IPv6 performance, we measure IPv4 and IPv6 unicast and bidirectional traffic performance via RFC 2544.</p>
<p>Results: We test the Catalyst 6500 for throughput between popular enterprise network frame sizes ranging from 256 to 9216 byte size packets. We find that each WS-X6908-10G delivers IPv4 and IPv6 throughput at the theoretical maximum possible for packet sizes ranging from 256 to jumbo size 9216 at 10GbE.</p>
<p>IP Multicast Test</p>
<p>IP Multicast traffic has been on the rise, thanks to the increased use of video services within the enterprise. Efficient use of multicast is important to interactive video, video surveillance, video dissemination, etc. Consider 500 to 1000 video surveillance cameras that need to stream their video to five or more locations within the enterprise, for regulation, storage, monitoring, etc. This is a popular requirement in gaming, retail, healthcare, etc. Streaming five streams per camera consumes a lot of bandwidth; IP multicast reduces that bandwidth consumption, making video and other point-multipoint services efficient. We therefore test IP Multicast performance on the new Catalyst 6500 Sup2T. This test stresses the packet replication ASIC built into the 6908-10G line cards for both point-multipoint and mesh or multipoint-multipoint configurations.</p>
<p>Results: For the point-multipoint configuration, the Catalyst 6500 Sup2T demonstrated zero packet loss or 100% throughput at line rate while a single 10GbE source was broadcast to 92 receivers.</p>
<p>For the mesh multipoint-multipoint configuration, the Catalyst 6500 Sup2T demonstrated throughput performance that ranged from 49.8 Mpps to 0.53 Mpps for packet sizes that varied from 256 bytes to jumbo size, or 9216 bytes. We find that the replication engine resident on the Catalyst 6500 6908-10G line cards delivers multicast performance at scale, as there is no performance penalty for point-multipoint and multipoint-multipoint. This is due to the Sup2T having an improved hashing algorithm to support larger IP Multicast flows over the Sup720.</p>
<p>Access Control List Test</p>
<p>Access Control Lists (ACLs) are important tools in the configuration and customization of network attributes, especially with the Catalyst 6500. In the Catalyst 6500 upgrade with Sup2T, the TCAM has been increased in size and its architecture improved. For ACLs, one major concern was the lack of visibility into whether a newly submitted ACL script would overflow the TCAM, which would disrupt network operation. ACL updates occur infrequently and over a long period of time. As a result, multiple network engineers working on the same network may not even be aware of previous ACL updates. Further, an ACL update may drive multiple Access Control Entries (ACEs), which occupy more TCAM resources than anticipated and thus overconsume this resource. Cisco therefore developed ACL Dry Run and ACL Atomic Commit to keep this scenario from occurring.</p>
<p>Results: We verify that this new efficient use of TCAM and ACL safeguards perform as stated.</p>
<p>System Network Test Configuration: MPLS/VPLS/VSS</p>
<p>To test MPLS/VPLS and VSS throughput performance, we populate two Catalyst 6500 WS-C6513-Es with eight 10GbE ports each via 6908-10G modules connected directly to Ixia test equipment. The Catalyst 6500s are connected via 8 x 10G Distributed EtherChannels. This configuration created a full end-to-end 80Gbs path of full-mesh traffic, which is typical in the real world.</p>
<p>The test results show that throughput performance is consistent regardless of protocol, whether MPLS, VPLS or VSS. A contributing factor to the differences in throughput that do appear is the different headers associated with each protocol. This result could not occur in the older generation of Catalyst 6500 with Sup720, given its 40Gbs per module backplane access speed.</p>
<p>Network Encryption with 802.1ae MACsec</p>
<p>We tested performance for 802.1ae MACsec to verify that there was no throughput performance degradation when encryption was enabled, apart from the additional 16-byte overhead of 802.1ae keys. MACsec encryption has become increasingly popular and important to campus network design, but previous switch performance degraded when forwarding encrypted traffic. Here we verify that the Catalyst 6500 does not suffer throughput performance degradation while MACsec traffic is being forwarded.</p>
<p>We tested the Catalyst 6500 via the cPacket Networks cTapSmart 10G passive probe to verify whether traffic flows were MACsec encrypted or unencrypted. We found no material difference in throughput performance other than the 802.1ae encryption key overhead of 16 additional bytes per packet.</p>
<p>Conclusion</p>
<p>We found that upgrading the Catalyst 6500 from Sup720 to Sup2T was straightforward and added significant value in the areas of MACsec encryption, improved ACL capabilities and IPv4/IPv6/MPLS/VPLS/VSS throughput performance. In addition, we found that the Sup2T supported existing service modules, such as Network Analysis (NAM), Wireless (WiSM), Application Control Engine (ACE20) and Firewall Service Module (FWSM), plus the 6148A-GE, 6148E-GE with POE/POE+ and 6724-SFP line cards, plus the 6704 and 6716 line cards after a trivial DFC3 to DFC4 daughter card swap. We found that line cards can be swapped and upgraded while the Sup2T is operational, avoiding off-hour scheduled downtime. In addition, we found that existing SFP and X2 interface transceivers being used in a Sup720 Catalyst 6500 can be reused with the Sup2T. Finally, we found that Sup720 IOS configurations may be copied and migrated to a Sup2T via a flash drive successfully upon boot up.</p>
<p>Much of the throughput performance advantage and scale of network services are due to custom ASICs resident in the Sup2T, 6908-10G line cards and DFC4 daughter cards. We were particularly impressed with the ease of upgrade, the new ACL dry run and atomic commit, plus MACsec performance.</p>
<p>For existing customers of Cisco’s Catalyst 6500 Sup720, we anticipate upgrade experiences similar to, if not simpler than, ours, as this test was conducted under tight time constraints with limited resources. It’s no wonder that the Catalyst 6500 is so popular, as it offers a wide variety of network design options such as MPLS/VPLS/VSS. With the new upgrade to Sup2T and supporting line cards, we verify that throughput performance doubles over the Sup720 for IPv6, IP Multicast, MPLS/VPLS and VSS.</p>
<p>New entrants in the campus core market that boast pure performance without network services, such as the HP Networking A10500 later this year, will find that a chilly reception awaits them.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2012/01/lippis-report-184-network-services-to-differentiate-next-generation-of-campus-core-switches/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Lippis Report 183: 2012 Predictions</title>
		<link>http://lippisreport.com/2011/12/lippis-report-183-2012-predictions/</link>
		<comments>http://lippisreport.com/2011/12/lippis-report-183-2012-predictions/#comments</comments>
		<pubDate>Tue, 20 Dec 2011 20:39:11 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Cloud Networking]]></category>
		<category><![CDATA[Data Center Switching]]></category>
		<category><![CDATA[Ethernet]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[IXIA]]></category>
		<category><![CDATA[Lippis]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=5647</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>In this Lippis Report Research Note 183, we provide our very popular annual top 10 2012 industry predictions that were provided by Andre Kindness, senior analyst at Forrester Research, Nick Lippis, CEO of Lippis Enterprises, and Zeus Kerravala, principal at…</p>]]></description>
			<content:encoded><![CDATA[<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>In this Lippis Report Research Note 183, we provide our very popular annual top 10 2012 industry predictions that were provided by Andre Kindness, senior analyst at Forrester Research, Nick Lippis, CEO of Lippis Enterprises, and Zeus Kerravala, principal at ZK Research. We take a look into the year ahead and provide our view as to what will come to pass. This Research Note is based upon the “2012 Networking Industry Predictions” Lippis Report podcast.</p>
<p>The following are our top 10 2012 Networking Industry Predictions.</p>
<p><span id="more-5647"></span></p>
<p><strong>Prediction One</strong></p>
<p><strong>2012 Is the Year of Data Center Fabrics:</strong> The back half of 2012 kicks off aggressive data center fabric deployments. While Cisco has been shipping FabricPath and Arista has been shipping MLAG and ECMP, Juniper will join the market with its long-anticipated QFabric, Avaya will be shipping a broader VENA-enabled product set, and Brocade will be shipping its expanded VDX switches with VCS. Alcatel-Lucent and Huawei too will be shipping their versions of SPB. In short, there will be plenty of products and options available from which to choose.</p>
<p><strong>Prediction Two</strong></p>
<p><strong>Voice over LTE Goes Live:</strong> Verizon will aggressively deploy Voice over LTE to match AT&#038;T’s talk-while-you-surf functionality on mobile devices. AT&#038;T will then respond with a Voice over LTE initiative. This will drive a huge wave of growth for internet infrastructure companies as VoIP enters the mobile market. Expect to see a robust year for Acme Packet, BroadSoft, Infoblox, Tekelec and many others.</p>
<p><strong>Prediction Three</strong></p>
<p><strong>Repatriation Holiday:</strong> Obama grants a repatriation holiday allowing large IT firms such as Cisco to bring billions of dollars back to the US market; Cisco puts it to work by making two large acquisitions, one security related and the other storage related.</p>
<p><strong>Prediction Four</strong></p>
<p><strong>Wither Polycom:</strong> Amidst tremendous pressure from Cisco’s video communication and telepresence business, Polycom continues its slide. Polycom ends 2012 as an acquired company.</p>
<p><strong>Prediction Five</strong></p>
<p><strong>The Year of Software-Defined Network Marketing:</strong> The SDN/OpenFlow industry marketing machine kicks in, with all major networking companies wrapping their existing products around the SDN message. In addition, the SDN controller market starts up with data center switches equipped with controller plug-ins. All new networking concerns seeking VC dollars have SDN/OpenFlow in their business plan. Case in point: look at “Embrane.” While there will be few SDN revenue dollars made in 2012, the marketing messaging will be loud.</p>
<p><strong>Prediction Six</strong></p>
<p><strong>Huawei Enterprise Business Division Comes On Line:</strong> Huawei will climb to the number four spot in worldwide network switching at the expense of low cost providers. HP Networking will be the hardest hit, losing at least two points of Asia market share.</p>
<p><strong>Prediction Seven</strong></p>
<p><strong>Network IPO Market Comes Back:</strong> At least four large networking IPOs occur, including Arista Networks, Ruckus Wireless, Infoblox and Palo Alto Networks, fueling liquidity into the networking market once again.</p>
<p><strong>Prediction Eight</strong></p>
<p><strong>IBM Becomes a Networking Thought Leader:</strong> IBM System Networking will coalesce its networking investments around virtualized network infrastructure and SDN, renewing its place as a thought leader in the networking industry.</p>
<p><strong>Prediction Nine</strong></p>
<p><strong>Brocade Gets into WLAN Market:</strong> Brocade will buy into the WLAN market by acquiring either Meru Networks, Aerohive or Meraki to shore up its enterprise network switching with a unified access value proposition.</p>
<p><strong>Prediction Ten</strong></p>
<p><strong>Application Acceleration Market Fundamentally Changes:</strong>  Citrix, Riverbed, Cisco, Brocade and F5 will start to compete in the application acceleration or delivery market by offering integrated WAN acceleration, Application Delivery Controllers or ADCs and security network services in both appliance and virtual form factors. Those who are able to tag and steer applications to network services while adding policy will win a larger percentage of market share.   </p>
<p>In addition to the top ten predictions above, software network engineers will be the new rage in 2012 as the market shifts toward a value proposition rooted in software and network services. In addition, Cisco will dominate market share and thought leadership.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2011/12/lippis-report-183-2012-predictions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Lippis Report 182: Top 10 Findings: The Cloud Network Industry Test of 10/40GbE Fabrics</title>
		<link>http://lippisreport.com/2011/12/lippis-report-182-top-10-findings-the-cloud-network-industry-test-of-1040gbe-fabrics/</link>
		<comments>http://lippisreport.com/2011/12/lippis-report-182-top-10-findings-the-cloud-network-industry-test-of-1040gbe-fabrics/#comments</comments>
		<pubDate>Tue, 06 Dec 2011 02:55:43 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Cloud Networking]]></category>
		<category><![CDATA[Data Center Switching]]></category>
		<category><![CDATA[Ethernet]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[IXIA]]></category>
		<category><![CDATA[Lippis]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=5558</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>The Fall 2011 Open Industry Network Performance and Power Test Report is now available. Since our Spring 2011 test, we added four products from three vendors to the 11 products from eight vendors already tested. We now have data on…</p>]]></description>
			<content:encoded><![CDATA[<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>The Fall 2011 Open Industry Network Performance and Power Test Report is now available. Since our Spring 2011 test, we added four products from three vendors to the 11 products from eight vendors already tested. We now have data on 15 data center switching products from nine vendors in the new report to be released after Thanksgiving. Our cloud networking test of 10 and 40GbE is now the industry benchmark for cloud networking. In fact, only those companies that are sure of their product(s) enter the test at Ixia’s iSimCity. We found that 40GbE is hard, and thus you have to give credit to the vendors that go through the testing—in this test, those vendors are Extreme Networks, Brocade and Alcatel-Lucent. These firms have high performance data center switching products that are Enterprise and Cloud service provider ready. In this Lippis Report Research Note, we share our top 10 findings from this round of testing. Lippis Report subscribers can download the 125-page report <a href="http://lippisreport.com/?p=5487">here</a>, free of charge.</p>
<p><span id="more-5558"></span></p>
<p>To assist IT business leaders with the design and procurement of their private or public data center cloud fabric, the Lippis Report and Ixia have conducted an open industry evaluation of 10GbE and 40GbE data center switches. These tests were conducted at the Ixia iSimCity Santa Clara, CA, laboratories.</p>
<p>The Lippis Report test, based on independent validation, communicates credibility, competence, openness and trust to potential buyers of 10GbE and 40GbE data center switching equipment as the tests are open to all suppliers and are fair, thanks to RFC and custom-based tests that are repeatable. The private/public data center cloud 10GbE and 40GbE fabric test was free for vendors to participate and open to all industry suppliers of 10GbE and 40GbE switching equipment, both modular and fixed configurations. </p>
<p>While Lippis Report subscribers can download the full report <a href="http://lippisreport.com/2011/12/fall-2011-open-industry-network-performance-and-power-test-report/">here</a>, below are our top ten findings from conducting these three rounds of testing. The Fall Lippis/Ixia test showed that the industry is advancing at a breakneck pace, and we expect to see more products submitted for the March 26th Spring 2012 test. Based upon three series of industry tests, the following top ten findings have become evident.</p>
<p>1) <strong>10GbE Top of Rack (ToR) and Core Switches:</strong> 10GbE ToR and core switches are ready for mass deployment. There have been 15 new switches since Interop 2011, and there will be 15 more launched during 2012.</p>
<p>2) <strong>Fastest Ethernet Switches under the Milky Way:</strong> We are in the 500 ns ToR and 2 µs core switch era. For core switches, the Extreme X8 is two to nine times faster than any other core switch we have tested. ToR switch latency will decline to 100s of ns within two years, thanks to better merchant silicon plus PHY-less designs. Core switch latency will decline into the ns range with 40 &#038; 100GbE speeds plus the next generation of merchant silicon.</p>
<p>3) <strong>Merchant Silicon Proves Its Value:</strong> Most switches entering the Lippis Report test are based upon a new generation of merchant silicon. They are based upon a single chip design from Broadcom, Fulcrum or Marvell. Broadcom currently leads this space and is becoming the Intel of the networking industry.</p>
<p>4) <strong>Switch Vendors Differentiate Products Mostly on Software:</strong> There are differences between suppliers at both the box and system level. At the box level, we find latency, congestion, power and software differences. We also find differences in how these vendors propose building cloud networks. There are differences in cloud network architecture approach, such as support for TRILL, SPB, MLAG and/or ECMP. There are differences in network services and virtualization-aware support.</p>
<p>5) <strong>Ability to Support Storage Enablement:</strong> Most core and ToR switches demonstrated throughput performance without loss and low latency variability to support storage enablement. Most switching firms will be offering a range of convergence options during 2012, including ToR switches with direct Fibre Channel connections and/or FCoE, ATA over Ethernet and iSCSI over Ethernet support.</p>
<p>6) <strong>40GbE Is Ready:</strong> 40GbE support as a downlink from ToR to End of Row (EoR) and in the core at density is here, ready and performs as advertised. In addition, 40GbE cost is approximately 3 to 4 times that of 10GbE, making 40GbE favorable from a pricing point of view too. There are plenty of ToR switches that support multiple 40GbE options, such as Alcatel-Lucent OmniSwitch 6900-X40, IBM BNT RackSwitch G8264, Arista 7504 Series Data Center Switch, Dell/Force10 S-Series S4810, etc. In the core switch market, there is only one company with high-density 40GbE, and that’s Extreme BlackDiamond X8 with 192-40GbE. But we expect at least four more high-density 40GbE core switches to be launched in 2012. Note that, at times, we did observe some difficulty with preamble and equalization at the physical QSFP+ level causing packet loss, but we mitigated this through software control.</p>
<p>7) <strong>Low Power Consumption:</strong> Power consumption in networking devices is dropping precipitously. All ToR and core switches offer low power consumption, with energy cost over three years estimated between 1.3% and 4% of acquisition cost. Two of the most impressive results we observed were those of Extreme Networks’ BlackDiamond X8 Core switch and Brocade’s VDX™ 6730-32 Data Center ToR Switch. The Extreme X8 consumed a low 5.2W/10GbE; that’s nearly as low as a Christmas bulb. Brocade’s VDX™ 6730-32 Data Center ToR switch consumed a low 1.5W/10GbE; that’s about 20% of the power a Christmas bulb consumes! In addition to low power consumption, all switches support front-rear or rear-front airflow in support of hot/cold aisle designs.</p>
<p>8) <strong>Virtualization Scale Support:</strong> All switches in this test are able to support far greater numbers of VMs and physical servers than their physical ports allow; that is, their logical networking scales to support very large virtualized data center infrastructure.</p>
<p>9) <strong>10/40GbE Recommended as Cloud Network Fabric:</strong> From server connections to ToR to core switching, plus storage enablement and virtualization-aware software, 10GbE is recommended as the fabric for cloud networking environments. We recommend that IT business leaders take full advantage of server I/O at 10Gbps bandwidth and low latency, as it will provide the highest performance and greatest data center design options moving forward. With 10GbE ToR switch cost per port in the $350 to $670 range, core switch cost per 10GbE port in the $1.2K to $6K range, plus 40GbE cost per port at 3 to 4 times that of 10GbE, Ethernet technology is well segmented for data center needs. 10GbE and 40GbE switches have the logical networking to support highly virtualized infrastructure with dense VM:physical server ratios of 30:1 to 60:1. With ToR and core switch latencies in the 500 ns to 2 microsecond range, the industry’s 10GbE switches possess the raw performance and capacity to support storage enablement, albeit this area is evolving.</p>
<p>10) <strong>Software-Defined Networking/OpenFlow:</strong> While not tested during these past three rounds of testing, software-defined networking or SDN and OpenFlow will be increasingly important during 2012 as companies seek to differentiate their high performance switch products with increased features and functionality. SDN with OpenFlow promises to offer such added value.</p>
<p>The next Lippis Report test at iSimCity is scheduled for the week of March 26, 2012. We expect more 40GbE products in the Spring.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2011/12/lippis-report-182-top-10-findings-the-cloud-network-industry-test-of-1040gbe-fabrics/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Lippis Report 181: Early Results of the Lippis Report Open Industry Cloud Network Evaluation of 10/40Gbps Ethernet Fabrics at Ixia’s iSimCity</title>
		<link>http://lippisreport.com/2011/11/lippis-report-181-early-results-of-the-lippis-report-open-industry-cloud-network-evaluation-of-1040gbps-ethernet-fabrics-at-ixia%e2%80%99s-isimcity/</link>
		<comments>http://lippisreport.com/2011/11/lippis-report-181-early-results-of-the-lippis-report-open-industry-cloud-network-evaluation-of-1040gbps-ethernet-fabrics-at-ixia%e2%80%99s-isimcity/#comments</comments>
		<pubDate>Tue, 08 Nov 2011 00:48:56 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Cloud Networking]]></category>
		<category><![CDATA[Data Center Switching]]></category>
		<category><![CDATA[Ethernet]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[IXIA]]></category>
		<category><![CDATA[Lippis]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=5387</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>During the weeks of October 10 and October 31, 2011, at Ixia’s iSimCity, the Lippis Report conducted its third industry test of cloud networking data center switches operating at 10 and 40GbE. In just six short months, the industry has…</p>]]></description>
			<content:encoded><![CDATA[<div class="lippis_social_buttons">
</div>
<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>During the weeks of October 10 and October 31, 2011, at Ixia’s iSimCity, the Lippis Report conducted its third industry test of cloud networking data center switches operating at 10 and 40GbE. In just six short months, the industry has moved forward by breaking all previous records of data center switch speed, power consumption, port density and bandwidth. We added four products from three vendors to the eleven products from eight vendors already tested. We now have data on fifteen data center switching products from nine vendors in the new report to be released after Thanksgiving. During May 2011 Interop, we had eleven vendors provide verbal commitment to participate in this Fall industry test (remember it is free for vendors to submit products to test). As the deadline for signed agreements came, this field of eleven dropped to three because their products were simply not ready. 40GbE is hard, and thus you have to give credit to the vendors that go through the testing—in this test, those vendors are Extreme Networks, Brocade and Alcatel-Lucent. These firms have high-performance data center switching products that are Enterprise and Cloud service provider ready. In this Lippis Report Research Note, we share our insights gained from testing all these products and provide the top cloud networking industry trends taking shape now.</p>
<p><span id="more-5387"></span></p>
<p>To assist IT business leaders with the design and procurement of their private or public data center cloud fabric, the Lippis Report and Ixia have conducted an open industry evaluation of 10GbE and 40GbE data center switches. These tests were conducted at the Ixia iSimCity laboratories in Santa Clara, CA. The resources available for this test at Ixia’s iSimCity are out of reach for nearly all corporate IT departments, with test equipment on the order of $9.5M, devices under test on the order of $2M, plus costs associated with housing, power and cooling the lab plus 22 or so engineers from around the industry. It’s our hope that this industry effort will remove performance, power consumption and latency concerns from the purchase decision, allowing IT architects and IT business leaders to focus on other vendor selection criteria, such as post sales support, platform investment, vision, company financials, etc.</p>
<p>The Lippis Report test, based on independent validation at Ixia’s iSimCity, communicates credibility, competence, openness and trust to potential buyers of 10GbE and 40GbE data center switching equipment as the tests are open to all suppliers and are fair, thanks to RFC and custom-based tests that are repeatable. The private/public data center cloud 10GbE and 40GbE fabric test was free for vendors to participate and open to all industry suppliers of 10GbE and 40GbE switching equipment, both modular and fixed configurations.</p>
<p>Ixia supplied all test equipment needed to conduct the tests while Leviton provided optical SFP+ connectors and optical cabling, and Siemon provided copper and fiber optic QSFP+ cables and transceivers for 40GbE connections. Each 10GbE supplier was allocated lab time to run the test with the assistance of an Ixia engineer. Each switch vendor configured its equipment while Ixia engineers ran the test and logged the resulting data.</p>
<p>While we can’t just yet release data on the latest round of testing, we can share some of the records that were broken. We measured for the first time core switch latency in single digit microseconds and single digit Watts/10GbE power consumption. Also for the first time, we measured power consumption in top of rack switches in very low single digits. We measured how fast core switches can forward packets at very high density, that being 256 10GbE plus 24 40GbE ports, and this was only a third of this switch’s port density. We measured congestion, IP Multicast, cloud simulation, latency and throughput for 24 40GbE, a first in this series of industry tests.</p>
<p>In just six short months, data center Ethernet core switching has increased in speed by nearly a factor of 10, its power consumption dropped by nearly 50% while port density increased by nearly 3 times. In ToR switching, power consumption is down by over 50% while these products add 40GbE uplinks and storage enablement such as direct Fibre Channel and/or Fibre Channel over Ethernet connections. With all of these advances, the one thing that is holding steady is pricing as the industry serves up more features for the same or slightly more dollars.</p>
<p>The Fall Lippis/Ixia test showed that the industry is advancing at a breakneck pace, and we expect to see more products submitted for the Spring 2012 test. Based upon three series of industry tests, the following trends have become evident.</p>
<p><strong>Faster Forwarding:</strong> While the Fall test showed new records in latency measurements—that is, how fast a switch can forward packets at zero packet loss or 100% wire speed throughput—switching products will get even faster. While it’s anticipated that the Fall core switch latency records will not be broken in 2012, ToR switches will show significant improvement getting into the range of 100ns with 100Mbs Ethernet uplinks.</p>
<p><strong>Hybrid Cut-Through and Store and Forward Switching:</strong> To make switches faster, merchant silicon vendors have taken a new look at packet forwarding. It used to be that Ethernet switches were either cut-through (CT)—where packets were not stored for processing—or store and forward (S&#038;F)—where packets were stored, processed then forwarded. Now switches use both forwarding techniques, where the first few hundred packets are forwarded via S&#038;F and the rest, CT. </p>
<p><strong>IP Multicast Rises in Importance:</strong> With the huge increase in video traffic, IP Multicast performance and, in particular, how switch replicator chips perform will be increasingly scrutinized. We tested the lowest latency of IP Multicast during the Fall test, indicating that the speed at which a switch forwards IP Multicast is becoming an important product selection criterion. </p>
<p><strong>40GbE Arrives in 2012:</strong> Due to 40GbE component shortages in Asia, most vendors could not participate in the Fall test. These shortages will abate over the next quarter, creating a wave of new 40GbE modules and products during 2012. With 40GbE being 3 to 4 times the cost of 10GbE, look for a quick ramp up in ToR uplink and core switching modules.</p>
<p><strong>The Rise of Merchant Silicon:</strong> Merchant silicon vendors Broadcom, Fulcrum MicroSystems and Marvell manufacture low-cost chips for network switches that have lowered the risks for new entrants into the hot data center Ethernet fabric market. In the last few months alone, 10 companies announced new products based upon one of the above merchant silicon 10 and 40 Gbps Ethernet chips. We expect to see enhancements to network virtualization, support for software-defined networking and a focus on buffer architecture.</p>
<p><strong>New Set of Best of Breed Products:</strong> With merchant silicon competing with custom ASICs, a new class of best of breed products has emerged with more to follow during 2012. These products will be pushing the envelope on packet forwarding speed, power consumption, port density, storage enablement and network virtualization, thanks to VXLAN/NVGRE support and software-defined networking. </p>
<p><strong>Software-Defined Cloud Networking:</strong> As best of breed Ethernet data center switches get more powerful while consuming less power, these products will need to tap into a growing software base to add value. Software-Defined Cloud Networking or SDCN promises to ignite a cycle of innovation that shifts competitiveness to network software that enables firms like Cisco, HP, Extreme Networks, IBM, Arista Networks, Force10/Dell, Avaya, Huawei, Brocade, Juniper Networks, Alcatel-Lucent, Enterasys and others to compete by rapidly adding software features to low-cost merchant silicon-based network products. There are two approaches to SDCN: 1) an OpenFlow-based approach that defines an open interface between switches and a controller or 2) hypervisor virtual network controllers that plug directly into switches. </p>
<p>The next Lippis Report test at iSimCity is scheduled for the Spring of 2012. We expect more 40GbE products plus the observation and measurement of the above trends.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2011/11/lippis-report-181-early-results-of-the-lippis-report-open-industry-cloud-network-evaluation-of-1040gbps-ethernet-fabrics-at-ixia%e2%80%99s-isimcity/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Lippis Report 180: Cisco Delivers New VPN Design Options for Federal Government and Enterprise Networks</title>
		<link>http://lippisreport.com/2011/10/lippis-report-180-cisco-delivers-new-vpn-design-options-for-federal-government-and-enterprise-networks-2/</link>
		<comments>http://lippisreport.com/2011/10/lippis-report-180-cisco-delivers-new-vpn-design-options-for-federal-government-and-enterprise-networks-2/#comments</comments>
		<pubDate>Tue, 25 Oct 2011 12:00:28 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=5315</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Cisco recently launched its VPN Internal Service Module or VPN ISM, which is a VPN accelerator for the Integrated Services Routers Generation 2 (ISR G2).  The VPN ISM allows for greater VPN performance, meaning a larger number of faster VPN…</p>]]></description>
			<content:encoded><![CDATA[<div class="lippis_social_buttons">
</div>
<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Cisco recently launched its VPN Internal Service Module or VPN ISM, which is a VPN accelerator for the Integrated Services Routers Generation 2 (ISR G2). The VPN ISM allows for greater VPN performance, meaning a larger number of faster VPN connections for both client-to-site and site-to-site communications. This module expands the range of branch office network design options, allowing IT designers to architect lower-cost and higher-performance Wide Area Network (WAN) designs paid for by arbitraging WAN facilities/operational cost and capital cost. In addition to the enterprise market, the VPN ISM supports the National Security Agency’s or NSA’s Suite B cryptographic algorithms in hardware, boosting performance of previous Suite B implementations by a factor of three to five, depending upon application. In this Lippis Report Research Note, we review the VPN ISM with a focus on the new WAN design options it affords for both federal government and enterprise IT departments.</p>
<p><span id="more-5315"></span></p>
<p>The ISR G2’s routing security portfolio is second to none, literally, and Cisco’s 70.3% market share is indicative of the market’s acceptance of this fact. The ISR G2 security portfolio boasts firewall, IPS, a range of VPN services, voice and video security plus the recent integration of ScanSafe cloud web security services. The previous G1 ISR was equipped with a VPN accelerator module, and many Cisco customers have been waiting for the same on the newer G2 platform. They need not wait any longer. The VPN ISM is the VPN accelerator for the ISR G2. The VPN ISM delivers two to three times performance increase, meaning a larger number of VPN connections supported as well as faster VPN processing. While this scaling up of VPN support is important, especially with the boom in mobile devices requiring VPN services, it’s the VPN ISM’s support for the NSA’s Suite B that will further open up federal government spend to Cisco.</p>
<p><strong>U.S. Federal Government and Suite B</strong></p>
<p>U.S. federal government VPN IPsec applications require the support of the NSA Suite B set of cryptographic algorithms. Suite B for IPsec VPN is defined in RFC 4869. The NSA defines a set of Suite B algorithms for a range of government communications spanning from proprietary or personal data, to critical but unclassified, to secret to top secret. In short, if a vendor wants to be part of the U.S. federal government network, it must support Suite B. There is a very large list of vendors that support Suite B at various levels, all of which can be found on the FIPS 140-1 and FIPS 140-2 vendor list <a href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm">here</a>.   </p>
<p>As Cisco’s VPN ISM supports Suite B in hardware, it’s highly likely that it’s the fastest implementation in the industry for IPsec applications, but this needs to be verified via independent lab performance testing. Cisco claims that its VPN ISM support of Suite B is three to five times faster than its previous implementation.</p>
<p><strong>Enterprise Branch Office IPsec/SSL VPN Design Options</strong></p>
<p>For enterprise branch office networks, the VPN ISM in the ISR G2 delivers VPN acceleration that supports a greater number of mobile VPN clients while also reducing backhaul requirements to corporate offices/data centers. In short, IT architects will be able to support a larger number of faster VPN connections. And with Cisco’s web access security service, ScanSafe, offloading public cloud VPN connections from corporate networks to the internet, less bandwidth will be used between branch offices and data centers, freeing up WAN bandwidth for private corporate application access and communication use. </p>
<p>The VPN ISM also fits into Cisco’s SecureX architecture. One of the key attributes of SecureX is distributed security enforcement to the closest enforcement point. In essence, security enforcement is pushed out throughout the network, avoiding the pitfalls and vulnerabilities of centralized enforcement and delivering security services efficiently via the network. ISR G2 with ScanSafe was a proof point of SecureX’s distributed enforcement architecture attribute. VPN ISM is another proof point. Rather than all IPsec VPN connections terminating on a centralized head-end Adaptive Security Appliance (ASA) 5500 residing within a data center and slowing down the WAN, a local branch office VPN ISM providing VPN connections keeps some of this IPsec VPN traffic from traversing the WAN. So in essence, the VPN ISM lightens the WAN load of VPN traffic, increases VPN performance and distributes security enforcement to the closest user point of network access. </p>
<p><strong>Site-to-Site VPN Connections</strong></p>
<p>While the above discussion focuses on IPsec VPN support, site-to-site VPN connectivity offers both security as well as the option for IT architects to choose to run IP traffic either over private WAN bandwidth such as MPLS, Frame Relay or private lines, or the internet via broadband connections, etc., to ISPs. The VPN ISM offers a range of site-to-site VPN options, including DMVPN (Dynamic Multipoint VPN) and GETVPN (Group Encrypted Transport VPN). DMVPN is primarily used for internet-based site-to-site VPN traffic via dynamic routing on tunnels while GETVPN is used for the transport of VPN traffic over private WANs via dynamic routing. DMVPN offers peer-to-peer protection while GETVPN offers group protection, thanks to their different encryption styles. Just to round out Cisco’s VPN technology, its EzVPN is the basis for its client-to-site AnyConnect IPsec offering, supporting software client VPN access for mobile and fixed endpoints.</p>
<p><strong>VPN Branch Network Design Options</strong></p>
<p>With the addition of Cisco’s VPN ISM within its popular ISR G2 and the hardware support of Suite B, Cisco should find a warm welcome from the U.S. federal government as it looks to speed up the various VPN connections supported with Suite B. For enterprise IT architects and designers, this module, along with Cisco’s ScanSafe, provides a range of design options to support various kinds of VPN traffic, be it client based for mobile and fixed endpoints or site-to-site. The VPN ISM module ranges in price from $2.0 to $4.5K list, but most buyers will acquire this module via router bundles, which affords a price reduction of some 20 to 40%. The IT architect could cost justify this upgrade with WAN arbitrage. That is, the reduction of backhaul traffic over private WANs and its associated cost trades off WAN facilities operational cost for capital cost, which is usually a favorable trade-off, especially if the capital investment reduces operational cost by 15% annually. But in addition to economics, there is increased performance and greater scale of VPN connections. The tools available to IT architects—such as siphoning off web/cloud bound traffic via ScanSafe, reducing backhaul traffic, distributing security, choice of internet or private WAN VPN, etc.—thanks to VPN ISM, offer a range of WAN/VPN design options to meet various cost reduction and performance enhancement goals. </p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2011/10/lippis-report-180-cisco-delivers-new-vpn-design-options-for-federal-government-and-enterprise-networks-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Lippis Report 179: New Design Principles in Campus and Data Center Networking: In the Age of the Next Gen Catalyst 6K with Supervisor 2T</title>
		<link>http://lippisreport.com/2011/09/lippis-report-179-new-design-principles-in-campus-and-data-center-networking-in-the-age-of-the-next-gen-catalyst-6k-with-supervisor-2t/</link>
		<comments>http://lippisreport.com/2011/09/lippis-report-179-new-design-principles-in-campus-and-data-center-networking-in-the-age-of-the-next-gen-catalyst-6k-with-supervisor-2t/#comments</comments>
		<pubDate>Mon, 26 Sep 2011 22:28:14 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[10GbE]]></category>
		<category><![CDATA[40GbE]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[campus networking]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Data Center]]></category>
		<category><![CDATA[data center networking]]></category>
		<category><![CDATA[enterprise networking]]></category>
		<category><![CDATA[Enterprise Virtualization]]></category>
		<category><![CDATA[Ethernet]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[Lippis]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=5267</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>By all counts, Cisco’s upgrade of the Catalyst 6K via its new Supervisor 2T, or Sup2T, is its most ambitious and thoughtful yet for the venerable platform. The Sup2T is a 2 Terabit (Tb) platform that triples the previous Sup720…</p>]]></description>
			<content:encoded><![CDATA[<div class="lippis_social_buttons">
</div>
<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>By all counts, Cisco’s upgrade of the Catalyst 6K via its new Supervisor 2T, or Sup2T, is its most ambitious and thoughtful yet for the venerable platform. The Sup2T is a 2 Terabit (Tb) platform that triples the previous Sup720 performance. Thanks to the support of Virtual Switching System (VSS), the platform allows two 2 Tbps switches to combine into a single 4 Tbps virtual switch. The Sup2T is a major upgrade to the most widely-deployed switching platform in campus and data center networking in the industry. But while these performance numbers are impressive, it’s the new Cat6K’s network services and pricing that deliver most of the value. From a services point of view, the Cat6K stands alone.</p>
<p><span id="more-5267"></span></p>
<p>Cisco’s Cat6K is the firm’s most successful product with over 700,000 systems and 110 million ports installed, worth some $42 billion.  This product’s success increases the stakes for Cisco as it introduces a major upgrade. Cisco had to consider backward and forward customer migration, increased competition and pricing pressure especially as many firms are starting to offer core switches based upon merchant silicon. In short, Cisco had to eliminate the trade-off of innovation versus investment protection and find a way to deliver both simultaneously. A detailed review of the new Cat6K with Sup2T finds that Cisco has navigated well by incorporating customer feedback from multiple theaters and industry segments in the form of some 200 features, most of which are incorporated into ASICs, something with which merchant silicon based switching firms cannot compete.</p>
<p><strong>Merchant Silicon versus Custom ASIC</strong> </p>
<p>There will be an increase in the number of core switches offered from various vendors during 2012 thanks to the availability of merchant silicon, but these products, for the most part, will be focused primarily on performance while falling short on network services. Network services are hardware and software features that provide the tools, customization and design options for IT architects to optimize their networks and applications to run faster and maintain secure, reliable, high-quality user experiences, whether it’s for video traffic, virtualized desktops, general purpose office productivity or client facing web traffic.</p>
<p>For example, consider something as mundane as counters. In the Cat6K Sup2T and new modules, there are more than two million counters, enough to have separate counters for every protocol, including IPv4, IPv6, multicast, unicast, MPLS, etc. What this says is that Network Operations engineers will be afforded a level of granularity and visibility into the network well beyond anything they previously could gather. But I digress; let’s focus on the big picture of the new Cat6K.</p>
<p><strong>The New Cat6K by the Numbers</strong></p>
<p>The last major upgrade for the Cat 6K was the Sup720-10G in 2007, which was the first management module with 10GbE uplinks. The Sup2T enables 40GbE interoperability and interface speed transition as the Cat6K will support 100MbE, 1GbE, 10GbE and now 40GbE in a modular chassis platform. The performance leap on the 2 Tb portfolio is complemented by a quadrupling, or more, of the NetFlow, Access Control List and Quality of Service capacities of the platform to meet the increasing manageability, security and service demands of enterprise networks. The platform now offers 720 Mpps of IPv4 and 360 Mpps of IPv6 performance, roughly a twofold increase over the previous generation. In a word, the Cat6K scales logically.</p>
<p>What Cisco engineering has done is triple the performance, quadruple the platform scalability and add new network services—several of which are industry firsts and all of which protect investment by being backward compatible with these forward innovations. For example, central forwarding line cards that started shipping in 2003 are supported in the Sup2T. The E-series chassis and power supplies that started shipping in 2004 are supported with the Sup2T. For a large segment of the Cat6K installed base, all that is required is the installation of the new Sup2T to gain increased performance, scale and network services. This is perhaps one of the easiest refresh offers Cisco has ever made.</p>
<p><strong>Network Services Rich</strong></p>
<p>As for network services, the Cat6K supports some 2,600 features that the market has demanded. Most of these features were developed over time with many firms depending upon them to run their networks. In addition to hardware backward compatibility, Cisco had to be software backward compatible too by supporting these 2,600 features, which are supported in the Sup720 and the wiring closet Sup32, in the Sup2T. Some of these features include IPv6, multicast, NetFlow, MPLS, etc. But clearly the market does not stand still, and Cisco engineering has added some 200 new innovations to the Sup2T, some of which will also be supported on previous versions of supervisor engines.  </p>
<p>Interestingly, with some of the new network services also supported on the Sup720, IT architects can choose to move these Cat6Ks down a network layer and place the Sup2T Cat6Ks in the distribution and core, extending the entire portfolio of network services across access, distribution and core. Some of these new innovations are Flexible NetFlow, Role-based Access Control, Virtual Private LAN Service (VPLS), Bridged Domain Technology, etc. Following are a few of the next generation innovations introduced with the Sup2T.</p>
<p><strong>NetFlow:</strong> NetFlow scalability in the Cat6K Sup2T has increased fourfold with larger tables being supported in the ASICs. Up to 13 million NetFlow entries are possible in a single system. That is up to eight times the visibility afforded by the previous generation of NetFlow hardware. Over time, most networks will have a mix of 1GbE, 10GbE and 40GbE; this new version of NetFlow introduced sampled NetFlow so NetOps does not have to export all traffic to the collector, a huge reduction in complexity and time. NetFlow visibility is also now protocol independent, meaning that it does not matter if a network is running IPv4, IPv6, MPLS, Unicast, Multicast, etc. In addition, select modules, rather than the central supervisor, are able to export NetFlow to the NetFlow collector, offering yet another way to scale.</p>
<p><strong>MACsec:</strong> From a security perspective, the Cat6K Sup2T natively supports MACsec, or IEEE 802.1AE, embedding it within line cards offering line-rate, hop-by-hop encryption and decryption. In addition to the new Cat6K, the Nexus 7K, Cat 3K and Cat 4K currently support MACsec, thereby enabling end-to-end secure communications much like IPSec and SSL but over the LAN.  </p>
<p><strong>Role-Based Access Control List (RBACL):</strong> Access Control Lists, or ACLs, can now be programmed in role-based scenarios controlling user access to IT resources. Roles can be finance, human resources, marketing, engineering, sales, executive management, etc.  Role-based access control allows NetOps to configure which IT resources each user is allowed to access for each type of job role, thereby controlling their access to servers, applications, WAN connections, etc.  Role-based access control is an addition to the Sup2T’s ACL Dry Run, which first tests if ACL changes will fit in the ACL Ternary Content-Addressable Memory or TCAM before they go live with the configuration. Using ACL Dry Run will help avoid potential network disruption since NetOps engineers will know whether the ACL changes will be supported in hardware before implementing them. If an ACL change does not pass the Dry Run, then the system will indicate which resources are being exhausted, allowing the NetOps staff to adjust the ACL accordingly.</p>
<p><strong>Network Virtualization:</strong> The new Cat6K Sup2T boosts its network virtualization capabilities, which enable physical infrastructure to be logically divided. For example, airports, such as Zurich, Munich, Toronto, etc., use network virtualization to change gate attributes as an airline carrier completes the boarding process and transitions the gate to another carrier. They also use network virtualization to separate out kiosk vendors from operations from WLAN AP guest access to airline carrier support, etc. Governments use network virtualization to logically segment departments while they share the same physical building/floors/office spaces. Universities use network virtualization to logically segment administration, research, faculty and student interests. Just as with other previously-mentioned capabilities, Sup2T increases the scalability for network virtualization up to fourfold with support for up to 4K MPLS VPNs, 32 instances of VRF-lite (VPN Routing and Forwarding), native VPLS in hardware, allowing for VPLS-facing interfaces to be any interface in the system, and more.</p>
<p><strong>New Service Modules</strong></p>
<p>Admittedly, the Cat6K with the Sup2T is not the fastest Ethernet switch on the market with 2 Tbps of switching capacity. Cat6K doesn’t need to be the fastest given its place in campus networking and mid-range data centers. However, it does need more than enough performance to never be the bottleneck in IT delivery while providing a wide range of software options to control traffic and optimally design enterprise IP networks. Cisco engineering has done this with 2 Tbps, and 4 Tbps with VSS, far greater than the capacity of most, if not all, campus and mid-range data center networks operating at a range of 10/100/1000, 10GbE and soon 40GbE. For higher performance, Cisco offers the Nexus 7K with 9 Tbps of switching capacity for data center switching designs.</p>
<p>To increase performance in the Cat6K, it’s not just the supervisor engine that’s been upgraded. New service modules, such as the new Wireless Service Module 2 (WiSM-2), Adaptive Security Appliance Service Module (ASA-SM) firewall, Network Analysis Module 3 (NAM-3) and Application Control Engine 30 (ACE30) load balancing were introduced to take the Cat6K with Sup2T to the next level of hardware-based services processing. Remember, service modules allow IT business leaders to reduce the number of devices in their network they need to manage, improving energy efficiency and reducing carbon footprint. These new service modules have been upgraded for performance and scalability, as services performance has to scale with network performance. For example, the ASA-SM offers a threefold increase in performance with 15-20 Gbps of stateful application firewalling. NAM-3 has been upgraded in performance by a factor of fifteen, allowing application visibility and analysis at 15 Gbps. The WiSM-2 scales up to 20 Gbps of throughput and support for up to 1,000 centrally-managed access points, a threefold increase in performance and scalability.</p>
<p><strong>Integrated and Virtualized Network Services</strong></p>
<p>Unique to a Cisco environment is that service modules and appliances basically share the same operating system, meaning that there is operational consistency between the two platforms. For example, if an IT architect implements an ASA appliance and ASA-SM, NetOps will experience the same operating system, management and look and feel between the appliance and service module. This consistency allows NetOps to best utilize and manage network services independent of physical packaging and network location, thereby increasing operational efficiency and innovation injection. Thanks to network services being integrated into the Cat6K, and the ability to virtualize services, IT architects are afforded design choices where they can regulate the number of appliances versus service modules in their network by choosing to utilize service modules more over time and obtain their green benefits too. Note that the ASA-SM and ACE-30 can be virtualized or divided between users/groups, thereby extending their reach throughout a corporate network and reducing the number of appliances in the process.</p>
<p><strong>Cat6K with Sup2T Pays to Upgrade to 10GbE</strong></p>
<p>From a pricing point of view, it’s best to think of the Cat6K with Sup2T as the device to transition a campus and mid-range data center network from 1GbE to 10GbE. With 1GbE in the access layer, via upgraded Cat4K with Sup7-E and/or Cat3K / 3750X, connected to a Cat6K with Sup2T in the distribution layer providing 10GbE to the core, Cisco estimates that this configuration will be 20% less costly than a similar configuration utilizing the Sup720 and older versions of the Cat4K and 3K. This design provides for 10GbE between access, distribution and core.  In essence, Cisco is paying IT leaders 20% to upgrade to 10GbE with a new generation of switching.</p>
<p>Economics plays a large role in network design.  From an economics perspective, Cisco is responding to competitive pressure with new pricing and design options with this Cat6K upgrade. While the Cisco Cat6K Sup2T represents increased performance, what IT business leaders will find is that for typical configurations independent of data center or campus, 1GbE, or 10GbE, the overall cost of a Cat6K network is actually reduced by 20 to 25%. For example, the 48 port 10/100/1000 copper line cards were sold in two versions: centralized and distributed forwarding modes. The centralized forwarding mode is priced at $15K and comes with 256MB of memory, while distributed forwarding is $22.5K. New Ethernet line cards (6800 Series) have Distributed Forwarding Card 4 (DFC4) daughtercards by default and come with 1GB of memory that are priced at the same $15K as the centralized forwarding mode cards, closing the price gap between centralized and distributed forwarding mode to the lower cost centralized pricing. IT architects are offered distributed forwarding performing line cards, which are higher performance throughout the system, at a third of previous generation cards. This is but one important example that demonstrates that the Sup2T is a price reduction over Sup720 around 10GbE.</p>
<p><strong>New Network Design Options and Economics</strong></p>
<p>Campus networking traffic patterns are dominated by north-to-south flows, thanks to the centralization of IT application delivery within data centers. While over time, an increase in east-to-west flows may occur thanks to peer-to-peer applications, north-to-south flows are getting thicker and denser especially as the industry adopts virtualized desktop computing and real time video communications. These thicker north-to-south flows are being accentuated as more applications are being hosted in corporate data centers and private cloud facilities for IT complexity and cost reduction. At the same time, enterprise mobile computing has skyrocketed with the adoption of iPhones, Android-based devices and iPads. For example, Gartner predicts that 55 million tablets will be sold worldwide by the end of 2011. Thanks to lower power output antennas on these new mobile devices, the density of WLAN APs is also increasing to provide coverage. This is creating a challenge to roam seamlessly without user experience interruption.</p>
<p>Mobile and cloud computing economics and increasing traffic volume are driving a new model for campus networking. It’s a model that seeks to increase wired and wireless network bandwidth, scale logical networking and extend network services such as security throughout the enterprise network via centralized management control methods. It’s a model that also seeks greater visibility and control of flows to optimize performance and apply resources where needed. Network virtualization, where physical network infrastructure is logically segmented to assign different network attributes to various groups/departments/entities, has become a mandatory requirement in some industry segments.   And from a design point of view, high reliability needs to be systemic as all corporate productivity is flowing across this IT asset. </p>
<p>For those with Cat6K-based networks, installing the Sup2T offers a range of new network design options and economics. For example, encryption is now embedded and integrated. Network services are increasingly becoming virtualized, offering greater reach, cost effectiveness and lower carbon footprint. 10GbE and 40GbE speeds can be strategically placed where bandwidth is needed. NetOps is offered a common look and feel between appliances and service modules, reducing operational cost and increasing efficiency. Logical networking can scale to support more IPv6, more WLAN APs and users, greater visibility into the network via NetFlow, greater stateful application firewalling, etc.  It’s clear that Cisco engineering has made tremendous efforts on security with TrustSec, taking ACLs to the next level, NetFlow’s deeper visibility, network virtualization via MPLS or VPLS for segmentation and bringing parity to IPv6 and IPv4. </p>
<p>Cisco is paying customers to upgrade to both the Cat6K Sup2T and 10GbE. Obviously, there’s additional capital cost to spend to gain the return, but from a historic perspective, the upgrade cost is a fraction of previous switch generations. With the Cat6K Sup2T upgrade, IT business leaders gain a wide range of network services, some of which are mentioned above, that will prove to be invaluable as IT marches on toward an IT delivery model dominated by mobile and cloud computing with nearly everything becoming virtualized.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2011/09/lippis-report-179-new-design-principles-in-campus-and-data-center-networking-in-the-age-of-the-next-gen-catalyst-6k-with-supervisor-2t/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Lippis Report 178: Nearly 2 Years after HP Buys 3Com for $2.7B, It Has Very Little to Show for IT: Can HP Make It in Networking?</title>
		<link>http://lippisreport.com/2011/09/lippis-report-178-nearly-2-years-after-hp-buys-3com-for-2-7b-it-has-very-little-to-show-for-it-can-hp-make-it-in-networking/</link>
		<comments>http://lippisreport.com/2011/09/lippis-report-178-nearly-2-years-after-hp-buys-3com-for-2-7b-it-has-very-little-to-show-for-it-can-hp-make-it-in-networking/#comments</comments>
		<pubDate>Mon, 12 Sep 2011 21:37:41 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[10GbE]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Data Center]]></category>
		<category><![CDATA[data center networking]]></category>
		<category><![CDATA[enterprise networking]]></category>
		<category><![CDATA[Enterprise Virtualization]]></category>
		<category><![CDATA[Ethernet]]></category>
		<category><![CDATA[HP]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[Lippis]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=5216</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Back in November of 2009, I wrote <a href="http://lippisreport.com/?p=2270">Lippis Report Research Note 136</a> titled “<strong>HP Plans to Acquire 3Com Accelerating a New IT Convergence Era.</strong>” In that Research Note, I wrote </p>
<p><em>“When 3Com is fully integrated into HP what kind of networking…</em></p>]]></description>
			<content:encoded><![CDATA[<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Back in November of 2009, I wrote <a href="http://lippisreport.com/?p=2270">Lippis Report Research Note 136</a> titled “<strong>HP Plans to Acquire 3Com Accelerating a New IT Convergence Era.</strong>” In that Research Note, I wrote </p>
<p><em>“When 3Com is fully integrated into HP what kind of networking revenue and market share can HP gain? ProCurve + 3Com is approximately $2B of revenue now. With the existing product lines can HP generate $5B, $10B or more of network revenue over five years? Time will tell.”</em></p>
<p>Well, after nearly two years, HP Networking or HPN’s North America (NA) layer 2/3 Ethernet switch market share by revenue is nearly the same, bouncing between 5% and 6.1%, according to Dell’Oro, with HPN’s Q2CY11 NA switch revenue share being down to 6%. Considering HPN’s limited results after significant investments in sales, channels and marketing, including its “proof-of-concept” plus “A Catalyst for Change” Cisco Trade-in program, not to mention engineering investment, the question is can HP make it in networking? We attempt to answer that question in this Lippis Report Research Note.</p>
<p><strong>Market Share Analysis: 2% Growth Comes from Asia and RoW</strong></p>
<p>HP had approximately 6% WW (Worldwide) layer 2/3 Ethernet switch market revenue share with its ProCurve product line before the 3Com acquisition, according to Dell’Oro. Post 3Com acquisition, HPN’s WW Ethernet switch revenue market share rose to approximately 10%, thanks to 3Com’s 4% share contribution, and stayed that way for three quarters until Q1CY11 where an additional 2% was gained thanks to increases in APR (Asia and Pacific Rim) and RoW (Rest of the World) theaters, according to Dell’Oro. In short, HPN’s NA switch market share has been flat since it acquired 3Com. From a WW switching perspective, HPN’s share of ports has also been flat with 20% share in Q1CY10 to 20.2% share in Q1CY11, according to Dell’Oro. In this same period, NA share of ports has been on a steady decline but with HPN maintaining share thanks to gains in APR and RoW. </p>
<p>In short, in nearly two years, HP gained 2% of WW layer 2/3 Ethernet switch revenue market share, all of which came in Q1CY11 and held during Q2CY11, according to Dell’Oro, and is directly attributed to APR and RoW markets. Its bright spots are in routing and WLANs, which increased 2.5% and 2.2% in revenue share, respectively, between Q1CY10 and Q1CY11. Its IPS/IDS revenue share has been steadily declining, losing 0.3% share over the same period.</p>
<p>Yes, it’s very difficult to gain share in an established market as HPN has discovered. HPN’s value proposition has been grounded as a lower cost alternative to Cisco, a firm that’s greater than 20 times HPN but sells architected solutions. </p>
<p><strong>Huawei Could Shut Down APR and RoW</strong> </p>
<p>HPN’s growth is coming from APR and RoW theaters, which is understandable considering that HP obtained H3C, the once Huawei/3Com joint venture (JV) when HP acquired 3Com.  Remember that Huawei and 3Com entered into a JV back in the early 2000s called H3C with the hope that H3C could produce lower cost networking products that 3Com would sell in NA while opening up the Chinese market. In <a href="http://lippisreport.com/?p=46">Lippis Report Research Note 16</a>, Bruce Claflin, 3Com’s then President and CEO, had hoped that H3C would deliver success much like Amdahl did over IBM in the 1980s and 1990s when Amdahl gained huge market share from IBM in the Front End Processor (FEP) business by offering similar products priced well below IBM.</p>
<p>Fast forward to late 2006 when Huawei agreed to sell its stake in H3C to 3Com. Huawei had a non-compete agreement with 3Com post the sale of its stake in H3C, which has since expired, allowing Huawei to more aggressively and organically pursue the Ethernet switch market. And it has, as in early 2011, Huawei announced a new Enterprise Business Division.</p>
<p>Surprisingly, H3C’s massive product portfolio has not made it into the HPN NA channel, partly explaining HPN’s flat NA share growth. H3C’s products were to be HPN’s competitive advantage. More alarming for HP, however, is the prospect that Huawei’s Enterprise Business Division will bring its enterprise product portfolio right to H3C’s Asian customers, cutting off HPN from this bright spot. Also, when H3C was partly owned by Huawei, the Chinese government was tremendously supportive of H3C, but since H3C is 100% owned by HP, the Chinese government has no incentive to support H3C and will more than likely shift its support to Huawei when its Enterprise portfolio is ready. The danger here is that in the quarters to come, HPN’s APR and RoW market could start to dry up. Much of the future growth for H3C had been pinned on continuing its China dominance. But wait, it gets worse.</p>
<p>Huawei is threatening to hijack Bruce Claflin’s and now HPN’s low cost networking value proposition and use it for its own advantage. First, Huawei will more than likely go after the H3C installed base in Asia, then move onward to NA and Europe. One possible scenario has HPN competing with Huawei as to who is the lowest cost provider of networking. This would push HPN up market and force it to change its value proposition to an architected solution, where it will find Cisco. HPN has started to move in this direction with its recently announced FlexNetwork Architecture. This scenario would, in essence, squeeze HPN between Huawei on the low end and Cisco on the high end. If networking gets into a price war game, Huawei could underprice HPN, and that should be the major concern to HPN as it represents an estimated $800 million a year in revenue.</p>
<p>But Huawei will face stiff headwinds in NA as Huawei has a credibility problem with most North American buyers. IT business leaders know it as a low cost provider, and Cisco did a good job of raising the visibility of how Huawei tried to steal intellectual property source code. Therefore, while Huawei could have some impact in NA, the most immediate opportunity for Huawei enterprise is in China, specifically the install base that H3C had built.</p>
<p><strong>Lacking Data Center Network Strategy and Products</strong></p>
<p>HP certainly has product to support one of the most comprehensive data center visions in the industry. HP has servers, storage, a huge services group and network products. HPN’s FlexNetwork architecture is an interesting vision if an IT architect wishes to extend a fabric across an entire campus, branch and data center, but the underlying architectural detail and products are missing. The A12500 series has been available for two years, but not in NA in any great numbers. HPN recently said that it will be available in 2H2011. The new A10500 data center switch was announced in May but is scheduled to ship some time in the second half of 2012. HP’s networking strategy in highly virtualized data centers is limited to its Virtual Connect product. HPN’s data center networking share, according to Infonetics and UBS, is estimated at 6% versus Cisco’s 81%. This is where the networking market is at its hottest versus HPN’s stronghold in education and low cost networking.</p>
<p>For a company with the portfolio size of HP and its strength in data centers, it’s curious that HP is the only mainstream network vendor that doesn’t have a good data center fabric story. Cisco clearly does, as do Brocade, Juniper, Extreme, Dell/Force10, Arista Networks, Alcatel Lucent, IBM, Mellanox, etc. HP doesn’t, and it’s surprising, considering its large position in the data center market. It would be refreshing to hear HP communicate what a unique HP data center architecture looks like tied into mainstream industry pain points.</p>
<p><strong>How Can HPN Win?</strong></p>
<p>How can HPN turn this around and participate in an effective way, utilizing its deep assets of broad product line, services, software, support, brand, financial strength and low price points to bring value to both customer and shareholders? Certainly HPN has product but it needs to bring the H3C products to NA and wrap the services group around them. HPN needs high performance and low latency 10GbE and 40GbE data center switching products since 10GbE represents some 25% of the total Ethernet switch market and growing, according to Infonetics. HPN recently announced a family of Top of Rack (ToR) switches called the 5830-switch family targeted for 2H2011 availability, but few details are available. HPN should consider acquiring Arista Networks, which may cost it two quarters of switching revenue but would add between 5 and 10% to its switch revenue and plug a major hole in its networking product line.  </p>
<p>In addition, HPN needs leadership consistency as HPN has transitioned leadership from Marius Haas, previous HPN GM who left HP for KKR in May, to now Bethany Meyer, a marketing executive who is interim SVP and GM of HPN. Bottom line: HPN needs to create leadership stability. The first order of business for whoever is to lead HPN should be to communicate what the unique HPN vision is, as it’s still not clear to the market. In short, what is it about the HP data center and HPN that’s going to create a competitive advantage over Cisco, IBM, Dell and Oracle other than low cost? For example, consider Cisco’s data center vision, which is very clear. Cisco’s data center business advantage architecture is a systems approach that bundles products together to deliver business outcomes.</p>
<p>The above is a straight-line approach to winning an established game, but HP needs to do something big and radical that is out of the box but meets market needs. It could consider acquiring Xsigo, a firm that recently released its server-based fabric as an alternative to processing at the network layer. This could be an approach that disrupts what networking actually is in the data center. HP would best be served to develop a compute centric view of the world. Clearly some IT business leaders will buy into this model while others may not, but one thing is certain and that is data center computing buyers tend to be closer to the CIO, offering HP a potential competitive advantage.</p>
<p>HPN needs to develop a new vision for computing and networking, and deliver it via a bold strategy and vision that’s disruptive rather than “we sell cheaper than everybody else.” HP has the brainpower and financials to develop a disruptive approach to data center networking; they just need the thought and executive leadership. In short, HPN needs to lead this industry and not just be a fast follower.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2011/09/lippis-report-178-nearly-2-years-after-hp-buys-3com-for-2-7b-it-has-very-little-to-show-for-it-can-hp-make-it-in-networking/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Lippis Report 177: Software-Defined  Networking, the OpenFlow Way, Grabs Industry Attention</title>
		<link>http://lippisreport.com/2011/08/lippis-report-177-software-defined-networking-the-openflow-way-grabs-industry-attention-2/</link>
		<comments>http://lippisreport.com/2011/08/lippis-report-177-software-defined-networking-the-openflow-way-grabs-industry-attention-2/#comments</comments>
		<pubDate>Mon, 08 Aug 2011 22:13:45 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=5166</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>In Lippis Report <a href="http://lippisreport.com/?p=4792">172</a>, I mentioned three huge trends that are starting to interact with each other creating a perfect storm that is gripping the tech industry. One of those trends is the creation of a software ecosystem in the…</p>]]></description>
			<content:encoded><![CDATA[<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>In Lippis Report <a href="http://lippisreport.com/?p=4792">172</a>, I mentioned three huge trends that are starting to interact with each other creating a perfect storm that is gripping the tech industry. One of those trends is the creation of a software ecosystem in the networking market, thanks to the Clean Slate program out of Stanford University that has spawned the Software-Defined Networking (SDN) initiative and open controller protocol called OpenFlow. I spent a week in the Valley talking to people at Stanford and many industry executives from Cisco, Juniper, Marvell, Big Switch, Nicira, Arista, IBM and others. In this Lippis Report Research Note, I share with you what I learned. OpenFlow-based SDN is both hyped and, in its current state, limited, but it does represent a new paradigm that has the industry abuzz, filled with possibilities.</p>
<p><span id="more-5166"></span></p>
<p><strong>Centralized Controller Model</strong></p>
<p>OpenFlow is a protocol, or API, that modifies forwarding tables in network switches. It sits between a switch and controller. The controller <em><strong>can run</strong></em> on a centralized computer/server that has an Über view of the network and its topology. When a packet enters a switch and the forwarding table does not contain a path for the packet, it’s passed to the controller. The controller then searches the packet’s destination address and defines a table entry with associated attributes to create a path through the network, which the packet and subsequent packets are to follow. The controller then sends a message to each switch in the path the packet will traverse via the switch’s OpenFlow API, which modifies the switch’s forwarding table. Every subsequent packet with the same destination address will then be forwarded based upon this table in cut-through mode. The first store-and-forward stage takes about 50ms; yes, a long time, but it can be significantly shortened. Subsequent packets being forwarded in cut-through mode travel at switch latency, which for 10GbE Top-of-Rack (ToR) switches is between 500ns and a few microseconds.</p>
<p>Now this search method is a bit controversial as some claim that all that the controller needs is a large TCAM to compute the table flow. Some worry that a Cartesian explosion may occur, corrupting the calculation, but this is an engineering problem with an engineering solution, perhaps via multi-staging the flow tables.  </p>
<p>This centralized controller model can scale as has been proven in distributed computing models used by all the major cloud providers. An example at Stanford demonstrated that a network of 35,000 PCs with approximately 2,000 switches generated 15 to 20k flows/sec. A controller can support 2M flows/sec at half a 2007 PC processor capacity. Further, modern 48-port ToR switches can request 100s of flows/sec with controllers supporting 2M flows/sec, which means that a single controller can support 10s of thousands of ToR switches. In short, a centralized controller-based OpenFlow SDN can theoretically scale.</p>
<p><strong>How an OpenFlow SDN Is Different than Today’s Network Architecture</strong></p>
<p>The above model departs significantly from today’s network architecture in a few key ways. First there is the concept of a centralized controller(s) versus a distributed packet forwarding architecture based upon topology discovery. There may be separate links for control and data plane communications, which would also be a significant departure from today’s single physical network that supports both control information and data forwarding. There is no layer 2 and 3 construct in an OpenFlow SDN, which has been the semantics of computer networking over the past twenty plus years.  </p>
<p><strong>Software-Defined Network Ecosystem</strong></p>
<p>Further, on top of the controller is another API, yet to be fully defined, that enables application developers to write network applications without knowledge of the underlying network structure. In short, the API abstracts the network, allowing the programmer to focus on what she/he needs to accomplish versus how to configure the network to comply. The creation of a software ecosystem creates the possibility of a new network paradigm where low cost Asian switches populated with SDN software force an economic collapse of the existing network market. While this is highly unlikely, it does warrant careful observation and mitigation planning on the part of established vendors.</p>
<p>An OpenFlow SDN offers significant differences, which is why there is such excitement surrounding OpenFlow. The genius of the approach is the separation of data and control plane so that SOA-based application developers and researchers can layer applications onto the network, injecting innovation at speed via a software ecosystem. Further, centralized controller-based networks such as the national cellular network plus dense compute management have proven to reduce operational cost and increase control in complex systems.</p>
<p>There is an industry group called the Open Network Foundation, or ONF, that is promoting the use and interoperability of OpenFlow SDN enabled switches. The above OpenFlow SDN example is primarily an academic description as OpenFlow is well regarded as the leading open implementation to date for providing SDNs within the research community. But there will be many networking concerns introducing controllers that reside in the switch. Further, the definition of a controller is a bit vague as some define it as a network operating system, such as Cisco’s IOS or NX-OS, Juniper’s JUNOs, Arista’s EOS, etc., while others define it as a management entity, performing configuration changes. But before we dive into this, let me explain a few problems that an OpenFlow SDN may solve.</p>
<p><strong>Innovation at Speed:</strong> The institutions that were created to assure interoperability and inject innovation into our industry have become too cumbersome and slow such that networking has fallen behind compute and storage advances. The way innovation is injected into networking today is that a proposal is made to a standards group, such as the IETF, IEEE, etc., and all interested parties compete for the best ideas or technical advantage. This process can take a few years just to modify a few bits in the header of a packet. Then, once the standard is completed, companies build to it, which can take another eighteen to twenty-four months. This approach is not serving the industry any longer, and there needs to be a more rapid way to inject innovation. An OpenFlow SDN promises such an approach where applications can be added to the network rapidly, thanks to the abstraction of layer 2 and 3 forwarding.</p>
<p><strong>Traffic Engineering:</strong> Fine-grained traffic engineering utilizing a variety of forwarding actions is an application that service providers and enterprises seek to optimize application performance.</p>
<p><strong>Tagging vs. Table Manipulation:</strong> There is much agreement in the industry that the network has become too rigid in virtualized data centers, restricting the movement of VMs between racks, data centers, etc. Further, as appliances such as firewalls, load balancers, IPS, etc., have become virtualized, there needs to be a method to steer traffic to them to service an application. The industry has responded to this by proposing the placing of tags on packets to guide their path to the right VM or appliance. An OpenFlow SDN implementation could simply modify switch-forwarding tables to guide the application through a chain of appliances, mitigating tagging and offering applications appliance servicing within highly virtualized infrastructures.</p>
<p><strong>The Real World</strong></p>
<p>An OpenFlow SDN is new, and it’s unrealistic to think that it’s without challenges; here are some OpenFlow challenges.</p>
<p><strong>Trust:</strong> The single largest issue an OpenFlow SDN has is trust. Will IT business leaders trust it within their networks, especially their data center? If a controller is sourced from a new company, how comfortable will the IT team be that it’s modifying switch-forwarding tables? How many controllers are needed for a particular load? What will the support model be? How complicated will it be to manage multiple controllers? </p>
<p><strong>Interoperability:</strong> The current construct of OpenFlow requires knowledge of the switch’s hardware semantics of L2/L3/VLAN architecture; therefore, each controller implementation may be different, and it is thus unclear how controller interoperability is achieved. Further, it&#8217;s unclear how applications written for one controller will work on another.</p>
<p><strong>Network Stability:</strong> This issue may be linked with trust, but it’s unclear why a third-party controller should search packets to define a path through the network topology. Rather, why not use existing network operating systems for what they are good at—topology discovery, etc.—so that IT business leaders are more comfortable running OpenFlow-based SDN applications on top of a stable network? In short, will OpenFlow controllers introduce instability?</p>
<p><strong>Controller Placement:</strong> If we take the definition of a controller to include existing network operating systems, then there will be both distributed and centralized controllers within a network. From a design point of view, how does an IT architect approach distributed versus centralized controllers and what are the trade-offs?</p>
<p>It’s unfair to expect that a new approach to networking would have the above issues all sorted out before deployment. These are not barriers to entry but rather challenges that the OpenFlow SDN community will work on over the next one to two business cycles.  Let me be clear&#8230;OpenFlow-based SDN is a very big deal and is being embraced by all vendors including established firms and start-ups. What is driving most companies is the promise of a software ecosystem to inject innovation and value into their network products.</p>
<p>Established firms will support OpenFlow SDN via OpenFlow client reference implementation within their switches but will add proprietary extensions that differentiate their OpenFlow version from others. Cisco, Juniper, Arista, et al, will differentiate based upon how much of their network operating system they expose. Established firms should have an advantage over smaller ones in attracting software developers as their installed base is much larger.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2011/08/lippis-report-177-software-defined-networking-the-openflow-way-grabs-industry-attention-2/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Lippis Report 176: PCI 2.0: Maintaining Compliance in a Mobile, Cloud and Virtualized IT World</title>
		<link>http://lippisreport.com/2011/07/lippis-report-176-pci-2-0-maintaining-compliance-in-a-mobile-cloud-and-virtualized-it-world/</link>
		<comments>http://lippisreport.com/2011/07/lippis-report-176-pci-2-0-maintaining-compliance-in-a-mobile-cloud-and-virtualized-it-world/#comments</comments>
		<pubDate>Tue, 26 Jul 2011 03:14:32 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[CleanAir]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[Lippis]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[WLAN]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=5126</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>It seems like every week or so there is news of a massive cyber attack where criminals get away with stealing credit card and other personal data on the order of tens of millions of individual records.  Sony, Bank of…</p>]]></description>
			<content:encoded><![CDATA[<div class="lippis_social_buttons">
</div>
<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>It seems like every week or so there is news of a massive cyber attack where criminals get away with stealing credit card and other personal data on the order of tens of millions of individual records.  Sony, Bank of America, Epsilon, Nintendo, the International Monetary Fund, the US Senate and CIA are but a few of the targets for high-profile cyber attacks that took place in 2011. According to a recent study by the Ponemon Institute, “cyber attacks have recently become more harsh and recurrent. At least 90% of the IT practitioners surveyed claimed that they had experienced one or more cyber breaches within the last year, and 89% of these respondents could not identify the source of these breaches.”</p>
<p><span id="more-5126"></span></p>
<p>To mitigate and avoid these breaches and protect credit card information, the Payment Card Industry (PCI) Security Standards Council issued PCI Data Security Standard (DSS) 2.0 in late 2010. The emphasis of PCI DSS 2.0 is two-fold: 1) provide increased protections not addressed in the previous standard (i.e., wireless and virtualized infrastructure) and 2) maintain compliance. All of the breached organizations above were in compliance at some time but failed to maintain it, which exposed their customers to hackers and ultimately led to their being breached. In short, PCI DSS 2.0 is about being vigilant in maintaining security.</p>
<p>In the data center, virtualized servers are now defined within PCI and guidance is given on how to secure them given that all hypervisors are deemed insecure. In addition, wireless detection  methods were expanded to address the variety of retailer capabilities.</p>
<p>IT business leaders who support any organization that stores, processes or transmits credit card data are required to ensure PCI 2.0 compliance not only during an assessment but continually to avoid the fate of the above-mentioned organizations. The key to a successful PCI  assessment is to simplify this major effort. Some tech firms are assisting this effort through validation and assessment of compliance prior to installation. In this Research Note, we review Cisco’s PCI Solution 2.0 as it offers a unique network-based approach that is comprehensive, holistic and end-to-end. It has been tested in a simulated retail environment and assessed for compliance by a Qualified Security Assessor, QSA, and Verizon Business.</p>
<p><strong>Cisco’s PCI Solution 2.0</strong></p>
<p>The Cisco PCI Solution 2.0 is built on network security best practices, proven Cisco products and partner technologies that meet Payment Card Industry security standards. Because PCI covers many parts of the network, no single product or technology meets all PCI technology requirements. Therefore, Cisco’s updated PCI Solution 2.0 is an architectural approach that maps to the updated PCI DSS 2.0 requirements. This comprehensive perspective allows retailers to see the bigger picture to prepare and design across the relevant parts of the enterprise. Cisco’s PCI Solution 2.0 is a holistic approach as it spans an end-to-end architecture.</p>
<p>Cisco’s approach provides templates and services that simplify PCI compliance. This simplification enables customers to maintain compliance year round, not just during assessments. Detailed information, including product configurations from validation efforts, is included in the Cisco PCI Solution 2.0 Design and Implementation Guide (DIG) to provide additional guidance and best practices.</p>
<p><strong>Simplifying PCI Compliance</strong></p>
<p>As a first step toward simplifying compliance, Cisco recommends segmenting the IT infrastructure and isolating cardholder data from the rest of the network. As with any complex problem, breaking a problem down into smaller solvable pieces reduces the complexity and simplifies the solution. Cisco’s approach reduces the scope of audit via network segmentation. Without network segmentation, the entire IT infrastructure is in PCI scope, which drives cost and complexity significantly upward. While segmentation sounds easy, it’s a bit more challenging in a virtualized data center infrastructure.</p>
<p><strong>PCI Compliance in the Virtualized Data Center </strong></p>
<p>Most IT business leaders are challenged with complex PCI audits within virtualized infrastructure as well as rogue wireless access detection. These two areas, virtualized infrastructure and rogue wireless access detection, tend to be the two largest pain points. Confusion around virtualization and security has existed for several years until the PCI standards body clarified that all hypervisors are considered insecure. With so many organizations having virtualized their data centers, this detail results in extra compliance considerations to protect cardholder data. Before virtualization, traditional infrastructure could be easily protected with a firewall appliance, as this device was placed directly in the path of traffic. In highly-virtualized environments, traffic is not as well-behaved, offering IT managers a challenge to restrict cardholder data. </p>
<p>Cisco’s Virtual Security Gateway (VSG), along with its Nexus 1000k virtual switch, intercepts and steers traffic to either VSG or firewall appliances before it gains access to cardholder data, providing a means for segmentation and access restriction in virtualized data centers.  </p>
<p>Therefore to be PCI DSS 2.0 compliant, both physical and virtualized infrastructure need to secure and restrict access to cardholder data. Cisco does this with both its own VSG solution as well as with technology partners such as EMC, VMware, VCE and HyTrust.   </p>
<p><strong>Rogue Wireless Access Detection</strong></p>
<p>Rogue access point detection is a PCI requirement. Even if a merchant does not use wireless technology within its stores, it still must have a method for detecting unauthorized access points that may have been inadvertently or maliciously deployed. The PCI Council expanded the flexibility of the requirement to allow for several methods, including Wireless IDS and NAC/802.1x to detect rogue wireless access points.  </p>
<p>Unified Wireless and Cisco’s Identity Services Engine (ISE) technology offer technical solutions for these methods that have been validated by Verizon Business to successfully address these requirements. In addition, Cisco offers CleanAir technology, which monitors the entire frequency spectrum, surpassing the security requirements of PCI.  </p>
<p><strong>Risk Management</strong></p>
<p>While a portion of PCI compliance is addressed through technology, it’s also addressed with process and compliance audits. One of the largest challenges is to maintain compliance between audits. Many retailers seek the lowest cost solution to achieve PCI compliance during the audit, but this may very well be penny wise and pound foolish. For example, some retailers conduct a visual inspection of Ethernet switches quarterly to ensure that unauthorized wireless access points are not connected into the corporate network, thereby opening a door to rogue access. The difficulty of this approach is that quarterly physical scans only work during inspection day. The day after the quarterly scan, someone can plug in a wireless access point, putting the site and cardholder data at risk until the next quarterly inspection. A more continuous and secure approach is the implementation of wireless IDS, IPS, CleanAir and ISE, where every single wave is monitored and wireless devices plugged into the corporate network are detected, assuring continual PCI compliance.</p>
<p><strong>How to Approach PCI Compliance?</strong></p>
<p>PCI can be an overwhelming topic. How do IT and small business leaders approach PCI compliance? To simplify PCI, Cisco offers three recommendations.  </p>
<p><strong>Recommendation One: Reduce PCI Scope.</strong> Scope means all systems and people that are touching cardholder data (i.e., firewalls and IT administrators). Are there people accessing cardholder data who shouldn’t be? If there are, then remove their access by restricting access to the systems that contain cardholder data. Are there systems or applications or networks that are touching cardholder data that don’t need to? Segment and narrow the scope of the Cardholder Data Environment (CDE) with network addressing and filters to reduce the risk as much as possible. If the CDE is smaller, the cost of the audit will be smaller, as will the complexity of maintenance. Standardizing network and system architectures across branches can also decrease cost and complexity as it allows auditors to sample same store/branch footprints and data center designs.</p>
<p><strong>Recommendation Two: Secure the Perimeter.</strong> With a new smaller PCI scope implemented, the perimeter of that scope needs to be secure. Firewalls configured to only allow business-justified access to the cardholder data environment and IDS need to be installed. In addition, administrative access to this environment needs to be locked down to the bare minimum with complete logging for audit trails. </p>
<p><strong>Recommendation Three: Maintain and Simplify.</strong> It’s not good enough just to segment and reduce the scope of cardholder data and then protect the perimeter. IT business leaders need to maintain and simplify their PCI recommended implementation.  Cisco’s solution utilizes RSA technology to provide real-time alerts, tuned logs and compliance management dashboards that assist in maintaining compliance. The firms mentioned in the opening paragraph were all in compliance at some point in time, but they were not when they were breached. So take these requirements seriously.</p>
<p><strong>Implementing a PCI Solution 2.0</strong></p>
<p>The above three recommendations will go a long way toward reducing cost and keeping an organization’s systems PCI compliant. Cisco has made a huge commitment in its thoughtful approach to PCI DSS 2.0 compliance where it offers an end-to-end architecture that has been assessed and documented. A critical element of the Cisco PCI Solution for Retail 2.0 is Cisco network architecture and validated network designs. Cisco network architectures have been designed for stores, enterprise data centers and the Internet edge to support e-commerce operations, store employees, customers and teleworkers. Cisco’s PCI solution also supports wireless 3G technology deployments and multiple store formats, including pop-up stores and convenience stores, in addition to typical small, medium and large stores.</p>
<p>Cisco’s PCI Solution 2.0 offers thought leadership for those seeking to simplify their PCI deployments; Cisco’s new PCI DIG is an in-depth roadmap for organizations looking to achieve PCI compliance. It addresses technologies such as virtualization, wireless and mobile payments. As the number of high-profile, alarming and brazen cyber attacks grows, IT business leaders would be well-served to review Cisco’s PCI Solution 2.0 and Design and Implementation Guide.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2011/07/lippis-report-176-pci-2-0-maintaining-compliance-in-a-mobile-cloud-and-virtualized-it-world/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Lippis Report 175: Cisco’s Data Center Fabric Weaves Computing, Networking and Storage for iBusiness Outcomes</title>
		<link>http://lippisreport.com/2011/07/lippis-report-175-cisco%e2%80%99s-data-center-fabric-weaves-computing-networking-and-storage-for-ibusiness-outcomes/</link>
		<comments>http://lippisreport.com/2011/07/lippis-report-175-cisco%e2%80%99s-data-center-fabric-weaves-computing-networking-and-storage-for-ibusiness-outcomes/#comments</comments>
		<pubDate>Tue, 12 Jul 2011 05:01:55 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[10GbE]]></category>
		<category><![CDATA[40GbE]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Cisco Systems]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[cloud-enabled]]></category>
		<category><![CDATA[data center fabric]]></category>
		<category><![CDATA[Enterprise Virtualization]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[Lippis]]></category>
		<category><![CDATA[mobile computing]]></category>
		<category><![CDATA[Nexus]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=5063</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>The tech sector is at a crossroads. In just 18 short months, mobile and cloud computing has fundamentally changed business assumptions and technical underpinnings of IT delivery. And in the process IT business leaders are fundamentally changing their buying requirements…</p>]]></description>
			<content:encoded><![CDATA[<div class="lippis_social_buttons">
</div>
<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>The tech sector is at a crossroads. In just 18 short months, mobile and cloud computing have fundamentally changed the business assumptions and technical underpinnings of IT delivery. In the process, IT business leaders are fundamentally changing their buying requirements and corporate IT investments, challenging existing vendor relationships. The tech sector served up corporate IT along technical lines of computing, networking, storage and applications, but these lines are blurring as every major multi-billion dollar IT firm now seeks to deliver vertical offerings comprising a single rack of compute, storage and networking to address the scale and simplicity associated with the new mobile and cloud computing models. Cisco, IBM, HP, Dell and Oracle are all repositioning their data center offers to address the market opportunity and shift to assist IT leaders building iBusinesses. In this Lippis Report Research Note, we dive into Cisco’s Data Center Fabric, as it’s the furthest along at integrating compute, networking and storage access for corporate advantage, offering a glimpse of IT’s future.</p>
<p><span id="more-5063"></span></p>
<div class="pod_wide">
<p><img height="70" width="55" src="/wp-content/uploads/kiran_shashi-5274.png" /><strong>Cisco’s Data Center Fabric Vision And Customer Business Outcomes</strong></p>
<p><a href="/?lippis_pid=4990">Listen to the Podcast</a></p>
</div>
<p>What’s driving a new fabric or structure of data centers is rooted in the interplay between technology and business opportunity. The efficiency of server virtualization to reduce energy consumption and increase server utilization drove its massive deployment that was boosted by an economic cycle starving for efficiency. At nearly the same time, mobile computing, thanks in large part to Apple’s iPhone and iPad plus Google’s Android-based devices, introduced a new tier of computing that unleashed increased corporate productivity, evident in today’s productivity boom. Equipped with a new IT delivery model that is both more flexible and centralized, IT business leaders have begun en masse to build private cloud facilities.</p>
<div class="pod_wide">
<p><img height="70" width="55" src="/wp-content/uploads/john_nikoloppoulos.png" /><strong>Cisco and Sagemcom Deepen Relationship around CUCM and UCS Express</strong></p>
<p><a href="/?lippis_pid=5022">Listen to the Podcast</a></p>
</div>
<p><strong>The iBusiness</strong></p>
<p>The end result is the construction of iBusinesses that possess simultaneously lower IT cost and the ability to quickly address market dynamics, thanks to faster application deployments plus a nimbler and mobile workforce. While it’s too early to aggregate the benefits of iBusiness in terms of productivity improvements, market share gains, IT expense as a percentage of corporate revenue and other metrics, early adopters are experiencing improvements that span IT departments and most importantly, corporate operations. </p>
<div class="pod_wide">
<p><img height="70" width="55" src="/wp-content/uploads/Ashish-Shah-Photo.png" /><strong>Cisco Delivers End-to-End Data Center LAN/SAN Convergence</strong></p>
<p><a href="/?lippis_pid=5015">Listen to the Podcast</a></p>
</div>
<p>In short, a Data Center Fabric of compute, networking and storage reduces IT operational cost, the largest budget component of IT Total Cost of Ownership (TCO), and provides the foundation for a faster responding business that is able to exploit the value of mobile and cloud computing to corporate advantage.</p>
<div class="pod_wide">
<p><img height="70" width="55" src="/wp-content/uploads/bernadevrim1.jpg" /><strong>Cisco Delivers Next Generation Nexus Network Operating System for Virtualized and Converged Clouds</strong></p>
<p><a href="/?lippis_pid=5062">Listen to the Podcast</a></p>
</div>
<p><strong>Data Center Fabric Requirements</strong></p>
<p>A core set of data center fabric requirements is emerging, thanks to early adopter deployments that possess the following attributes fundamental to iBusinesses.</p>
<div class="pod_wide">
<p><img height="70" width="55" src="/wp-content/uploads/speaker_Dhritiman_Dasgupta.jpg" /><strong>TRILL in the Data Center: Look Before You Leap</strong></p>
<p><a href="/?lippis_pid=5019">Listen to the Podcast</a></p>
</div>
<p><strong>Scale:</strong> Computational density is increasing at a fast pace with the ability to support hundreds to hundreds of thousands of servers per data center. This increased density of computing is also driving higher virtualization ratios as the ratio of virtual to physical servers is increasing from 10:1 to soon 60:1, which taxes the logical network of MAC address, /32 IP host route table size and ARP entry size. The ability to support both east-west and north-south traffic flows over an increasingly 10GbE and 40GbE low latency, non-blocking, high performance network fabric has become paramount as small queries from mobile devices drive a tsunami of east-west plus north-south data center traffic flows, all of which must be combined and transmitted back to the mobile device at millisecond speeds.</p>
<div class="pod_wide">
<p><img height="70" width="55" src="/wp-content/uploads/dan_debacker.jpg" /><strong>The Avaya Virtual Enterprise Network Architecture</strong></p>
<p><a href="/?lippis_pid=5065">Listen to the Podcast</a></p>
</div>
<p><strong>Mobility:</strong> As virtual machines (VMs) are moved within and between racks of computing and between data centers plus between private and public cloud facilities, the ability of the Data Center Fabric to support such moves is fundamental. VM aware Data Center Fabrics support VM mobility, allowing IT business leaders to maximize efficiency while enabling a degree of freedom to move containers of IT workloads (data, applications, VMs) as business requirements demand.</p>
<div class="pod_rel">
<p class="pod_p">The Strategic Network</p>
<p><a class="pdf_icon" href="/?lippis_pid=5026">Get the White Paper</a></p>
</div>
<p><strong>Consolidated IO:</strong> A significant cost reduction strategy and performance enhancement is the deployment of a single physical 10GbE and soon 40GbE network that supports both storage and network traffic. Cost savings are found in reduced cabling requirements, fewer storage and network switches, and fewer server network and storage interface cards.</p>
<div class="pod_rel">
<p class="pod_p">Online Higher Education Institution Prepares for Growth</p>
<p><a class="pdf_icon" href="/?lippis_pid=5039">Get the White Paper</a></p>
</div>
<p><strong>Consolidated Management:</strong> As compute, storage and networking converge into a single virtualized Data Center Fabric, the ability to manage these resources across operational groups becomes increasingly important. Not only is the technology converging, but IT organizational design is under review to focus this human resource into a services organization rather than siloed technology departments. The ability to manage the Data Center Fabric as a centralized resource that is partitioned to unique IT departments is an aid to organization re-design. It’s very helpful for a common look and feel to be available for all resources, so as to shorten the learning curve and accelerate cross-discipline service delivery.</p>
<div class="pod_rel">
<p class="pod_p">Manufacturer Accelerates Business Cycle Times</p>
<p><a class="pdf_icon" href="/?lippis_pid=5043">Get the White Paper</a></p>
</div>
<p><strong>Cloud Enabled:</strong> The combination of the above attributes results in a Data Center Fabric that is cloud-enabled, meaning that containers of workload are movable not only within a data center but also between them and into private and public cloud facilities. The ability to move workloads provides IT leaders with the tools to expand and contract their IT resources and shop their IT needs from a wide range of cloud providers, assuring executive management that their IT cost is competitive.</p>
<div class="pod_rel">
<p class="pod_p">HEALTH BENEFIT ADMINISTRATOR CURES GROWING PAINS WITH PRIVATE AND PUBLIC CLOUD</p>
<p><a class="pdf_icon" href="/?lippis_pid=5047">Get the White Paper</a></p>
</div>
<p><strong>iBusiness Outcomes</strong></p>
<p>Those who have deployed a Data Center Fabric are rewarded with favorable business outcomes. Cisco’s Data Center Fabric unifies network services, networking and storage plus computing through its Unified Network Services (UNS), Unified Fabric (UF) and Unified Computing System (UCS), respectively. Early adopters have benefited by viewing and procuring their data center assets from this unified holistic perspective versus compute, network and storage separately. For example, Kindred Healthcare saved approximately $6.6M on just cabling cost for a 1,000-server data center, thanks to its deployment of a Data Center Fabric. Additional operational savings were gained through a reduction in the number of management points the operations group has to manage. To Kindred’s surprise and delight, they noticed that the Data Center Fabric enabled different groups—the virtualization team, the network team, and the storage team—to work together as one on a common platform versus in silos, a huge help in hastening deployments, especially as Kindred has been growing through acquisitions.</p>
<div class="pod_rel">
<p class="pod_p">The EssentialCIO Insights from the Global Chief Information Officer Study</p>
<p><a class="pdf_icon" href="/?lippis_pid=5050">Get the White Paper</a></p>
</div>
<p>Other early adopters include Almaviva, a wine producer that saw its revenue increase 2 to 3%, thanks to its data center fabric deployment, which also reduced its cabling and power consumption cost by 70% and 60%, respectively. Tutor Perini Corporation was able to reduce its device count and power consumption by 60% and 38%, respectively. Coca Cola was able to consolidate 80 servers down to four and reduced cabling by 30 to 60%. Terremark saw a 30% improvement in application performance, and its server density increased by a factor of four. The Apollo Group, owner of the University of Phoenix and other educational properties, doubled the size of its network without an increase in IT staff, lowered per-port switching cost while increasing port volume and freed up several rows of space in its data centers. Avago Technologies, a manufacturer, accelerated batch processing by 30 to 40%, increased business flexibility and decreased operational cost by 40% while adding a third data center. CareCore National, a health benefit management concern, increased business agility by being able to launch new lines of business in just two weeks, down from six months. These iBusiness benefits were gained, in large part, through the insight and leadership of IT executives and their deployment of Cisco’s Data Center Fabric architecture.</p>
<div class="pod_rel">
<p class="pod_p">Distributed Core Architecture Using the Z9000 Core Switching System</p>
<p><a class="pdf_icon" href="/?lippis_pid=5054">Get the White Paper</a></p>
</div>
<p>Cisco has been investing heavily in its Data Center Fabric portfolio. It owns some 80% of the data center switching market and, in just two short years, has reached the number-three market share ranking for x86 blade servers worldwide, behind HP and IBM, according to an IDC report released in May. Over the past quarter, Cisco has added to its UF portfolio with the new Nexus 3000, 5548 and 5596 switches. It has expanded its Fabric Extender (FEX) offering to include the adapter and VM FEX, a key technology in converged IO plus virtualization-aware networking. To increase mobility of workloads, it has added IP address location independence to its Nexus Operating System with its OTV (Overlay Transport Virtualization) and LISP (Locator/ID Separation Protocol) features. Fibre Channel over Ethernet (FCoE) can traverse more devices, thanks to a new director-class multihop FCoE feature available on the Nexus 7000 and MDS 9500. Data Center LANs, SANs and virtualization infrastructure can now be managed via a single pane of glass, thanks to the Cisco Data Center Network Manager. On the computing side, Cisco has expanded the UCS server portfolio with multiple form factors, including Blade and Rack-Mounted, and in the process has broken three world performance records. Cisco has followed that up with a new set of I/O components for UCS, which was just announced on July 13th.</p>
<div class="pod_rel">
<p class="pod_p">Virtualization Success Depends on Network Automation The Advent of Virtualization</p>
<p><a class="pdf_icon" href="/?lippis_pid=5057">Get the White Paper</a></p>
</div>
<p>At the crossroads of the tech industry are two paths. One is a legacy approach of building data centers by acquiring compute, storage and networking gear separately, with IT professionals integrating these components. The other is one of vertically integrated offerings of compute, storage and networking, where IT professionals focus on automating business processes, turning their corporation into an agile iBusiness. I advise choosing the latter.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2011/07/lippis-report-175-cisco%e2%80%99s-data-center-fabric-weaves-computing-networking-and-storage-for-ibusiness-outcomes/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Lippis Report 174: Cloud-Enabled Branch Office Strategy that Reduces WAN Cost and Increases Security Defenses</title>
		<link>http://lippisreport.com/2011/06/lippis-report-174-cloud-enabled-branch-office-strategy-that-reduces-wan-cost-and-increases-security-defenses-2/</link>
		<comments>http://lippisreport.com/2011/06/lippis-report-174-cloud-enabled-branch-office-strategy-that-reduces-wan-cost-and-increases-security-defenses-2/#comments</comments>
		<pubDate>Tue, 21 Jun 2011 02:57:51 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=4917</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Being close to customers has proven to be a good strategy over the past business cycle as IT business leaders have invested in their branch offices.  New customer-based applications continue to be added at the branch level expanding revenue generating…</p>]]></description>
			<content:encoded><![CDATA[<div class="lippis_social_buttons">
</div>
<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Being close to customers has proven to be a good strategy over the past business cycle as IT business leaders have invested in their branch offices. New customer-based applications continue to be added at the branch level, expanding revenue-generating opportunities, while at the same time video communications have increased significantly for both client and employee interactions. In addition to corporate applications and video, internet access and cloud-based applications have also boomed over the past business cycle, thanks to smartphones and mobile tablets connected to local branch Wireless Local Area Networks (WLANs). All of this would be fine if not for one issue: all application and communication traffic is being forced to backhaul over the same wide area network (WAN)/VPN to connect to corporate data centers, public clouds or the internet. In this Lippis Report Research Note, we explore a new cloud-enabled branch office strategy from Cisco that’s simple and eliminates backhauling of internet-bound traffic while increasing security, visibility and management. What’s fascinating about this new approach is that the Return on Investment (ROI) is very short, as it’s paid for by WAN arbitrage.</p>
<p><span id="more-4917"></span></p>
<div class="pod_wide">
<p><img height="70" width="55" src="/wp-content/uploads/Vikram_Mehta.jpg"/><strong>IBM Expands System Networking Offering</strong></p>
<p><a href="/?lippis_pid=4889">Listen to the Podcast</a></p>
</div>
<p>Branch office WANs are usually based upon Metro Ethernet, MPLS, frame relay networking, etc. Integrated services routers such as Cisco’s ISR G2 dominate the market and provide a range of services in one hardware platform, including routing, switching, WLAN, unified communications, an application development environment, UCS platform, firewall, IPS, VPN, etc. IT business managers have come to see the ISR as a branch IT platform where they can enable multiple sets of functionality to simplify management plus maintenance and extend that functionality over time.  </p>
<p>And extend functionality they have. Branch office networking is being equipped with a wide range of corporate applications, IP-based voice and video communications plus internet access and, increasingly, cloud-based applications. Most, if not all, of the traffic associated with these applications flows over the WAN to a data center, where corporate applications and IP voice and video communications are routed to their respective corporate servers. Traffic flows bound for the internet and cloud providers are routed to the corporate firewall for policy and/or security control and then sent off to the internet, all of which is expensive and adds latency.</p>
<div class="pod_wide">
<p><img height="70" width="55" src="/wp-content/uploads/Shehzad_Merchant.jpeg"/><strong>Extreme Networks Starts Race to 40GbE Cloud Networking with Open Fabric</strong></p>
<p><a href="/?lippis_pid=4892">Listen to the Podcast</a></p>
</div>
<p>Keep in mind upload versus download speeds. A small query from an iPhone, iPad or Android-based device connected to a branch WLAN will send a small message to a server over the internet, which usually responds with more than ten times the amount of downstream traffic, most of which flows over the data center internet access link and branch office WAN. As mobile cloud computing has expanded significantly over the past eighteen months, so has its consumption of branch WAN and data center internet access bandwidth. At the same time, video communications have been added to branch offices for a wide range of purposes, including real-time video content, Telepresence meetings between employees as well as between employees and customers, employee training, making content experts available to customers, etc. The combination of all these flows over the branch office WAN is forcing many IT leaders to either increase WAN plus data center internet access bandwidth, or prioritize applications and do without.</p>
<p><strong>Cloud-Enabled Branch Office</strong></p>
<p>A new option is now available that does not require any new hardware, either in the branch office or data center. This new option is called the cloud-enabled branch office. This strategy separates internet-bound traffic from corporate applications and internal communications. Separating internet-bound traffic at the branch level keeps this traffic from flowing over the WAN and consuming data center internet access bandwidth. This separation of traffic provides more WAN bandwidth for corporate applications and communications, which is sorely needed in most enterprises as video to the branch has become a requirement. With increased WAN bandwidth for video, lower latency should also be observed, improving the user video experience.</p>
<div class="pod_wide">
<p><img height="70" width="55" src="/wp-content/uploads/ArpitJoshipura707.jpg" /><strong>Force10 Networks Introduces New Era of Open Cloud Networking</strong></p>
<p><a href="/?lippis_pid=4895">Listen to the Podcast</a></p>
</div>
<p>The cloud-enabled branch office approach not only increases WAN and data center internet access bandwidth by re-directing internet- and cloud-bound traffic to local internet access, but in the process solves a lingering issue with which most IT leaders have been struggling: inconsistent and complex branch office web security solutions. In addition, Cisco’s approach offers a quick and easy deployment model for cloud-based web policy and security to protect against zero-day threats with no impact to ISR router performance.</p>
<p>Traditionally, IT teams had the choice to backhaul all traffic to a central point to filter and secure, or to deploy additional web security hardware at each location. These options can add latency and lead to inconsistent policy enforcement as well as vastly increased management and maintenance overheads. Cisco ISR Web Security offers the ability to deploy and enforce centralized policy and security across a distributed enterprise, avoiding the cost and complexity of backhauling traffic while minimizing management overhead.</p>
<div class="pod_rel">
<p class="pod_p">Cisco Cloud Security Accelerates Cloud Adoption</p>
<p><a class="pdf_icon" href="/?lippis_pid=4899">Get the White Paper</a></p>
</div>
<p><strong>Cisco’s ISR Web Security with Cisco ScanSafe</strong></p>
<p>Cisco is approaching the cloud-enabled branch office solution by integrating its ISR Web Security solution and ScanSafe into IOS for the ISR G2. IT leaders who own and run branch office networks with ISR G2s can cloud enable them with a software update. Additional Command Line Interface (CLI) commands cloud enable the branches and provide authentication and centralized identity services.</p>
<p>Cisco ISR Web Security with Cisco ScanSafe integrates into authentication services, such as Active Directory, to enable branch offices to enforce granular security and control policy, protecting branch office users from malware. ScanSafe provides centralized management and reporting controls for web content/URL filtering. This provides one management point for policy, reporting, maintenance and management. That is, IT operations gets a global view, with the ability to make policy and other changes that are implemented globally from a centralized location.</p>
<div class="pod_rel">
<p class="pod_p">Open Cloud Networking: Unlocking the Full Potential of Cloud Computing</p>
<p><a class="pdf_icon" href="/?lippis_pid=4904">Get the White Paper</a></p>
</div>
<p>By cloud enabling the branch office, backhaul bandwidth related to internet traffic can be eliminated from the WAN, which reduces cost and provides a higher web performance experience. For multinationals with thousands to tens of thousands of branch offices around the world, the backhaul reduction plus the centralized management, maintenance, policy definition and control of web traffic afforded by ISR Web Security and ScanSafe reduce complexity and save operational cost.</p>
<p>Another way to view this option is that the backhaul reduction potentially postpones a WAN and data center internet access upgrade, which funds cloud-enabled branch office activation. A calculation of this trade-off and its potential cost savings is advised. The larger the number of branch offices, the shorter the ROI and the larger the potential savings.</p>
<div class="pod_rel">
<p class="pod_p">The 7 Deadly Traps of IPv6 Deployment and How to Avoid Them</p>
<p><a class="pdf_icon" href="/?lippis_pid=4909">Get the White Paper</a></p>
</div>
<p><strong>Cloud-enabled Branch Office Solution Evolution</strong></p>
<p>From the above, it’s clear that Cisco is enabling ScanSafe via its ISR G2 offering as part of its cloud-enabled branch strategy. ISR G2 customers will benefit from Cisco’s ability to inject new cloud-based services into the ISR G2 platform. This approach to adding value extends the existing ISR G2 investment. With the ISR G2 integrating networking, communications, security plus computing, it’s expected that additional features and functions, such as the cloud-enabled branch, will be added through software upgrades. Look for interesting management advantages in the coming quarters.</p>
<p>With cloud-enabled branch office networking, employees can access the internet and cloud services without backhauling. In addition, ScanSafe delivers a range of security features that mitigate threats and provide IT leaders with centralized control and policy definition.</p>
<p>As enterprises increasingly utilize mobile and cloud computing, the cloud-enabled branch office affords IT business leaders an approach to do so securely. For example, a major benefit of cloud computing is the reduction of in-house application development as IT leaders seek to augment their application portfolio mix with cloud-based applications. Therefore, armed with a method to increase the use of cloud computing at the branch office level, IT business leaders will find new flexibility in branch office application delivery. In short, the cloud-enabled branch office provides IT leaders with an IT deployment model that allows cloud services to be deployed with centralized policy definition and control plus management.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2011/06/lippis-report-174-cloud-enabled-branch-office-strategy-that-reduces-wan-cost-and-increases-security-defenses-2/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Lippis Report 173: Software Defined Networking The OpenFlow Way, Grabs Industry Attention</title>
		<link>http://lippisreport.com/2011/06/lippis-report-173-software-defined-networking-the-openflow-way-grabs-industry-attention/</link>
		<comments>http://lippisreport.com/2011/06/lippis-report-173-software-defined-networking-the-openflow-way-grabs-industry-attention/#comments</comments>
		<pubDate>Wed, 08 Jun 2011 03:00:37 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[10GbE]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Data Center]]></category>
		<category><![CDATA[data center networking]]></category>
		<category><![CDATA[enterprise networking]]></category>
		<category><![CDATA[Enterprise Virtualization]]></category>
		<category><![CDATA[Ethernet]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[Lippis]]></category>
		<category><![CDATA[openflow]]></category>
		<category><![CDATA[Software Defined Networking]]></category>
		<category><![CDATA[ToR]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=4860</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>In Lippis Report <a href=http://www.lippisreport.com/?p=4792>172</a>, I mentioned three huge trends that are starting to interact with each other creating a perfect storm that is gripping the tech industry. One of those trends is the creation of a software ecosystem in the…</p>]]></description>
			<content:encoded><![CDATA[<div class="lippis_social_buttons">
</div>
<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>In Lippis Report <a href="http://www.lippisreport.com/?p=4792">172</a>, I mentioned three huge trends that are starting to interact with each other, creating a perfect storm that is gripping the tech industry. One of those trends is the creation of a software ecosystem in the networking market, thanks to the Clean Slate program out of Stanford University that has spawned the Software Defined Network (SDN) initiative and the open controller protocol called OpenFlow. I spent a week in the Valley talking to people at Stanford and many industry executives from Cisco, Juniper, Marvell, Big Switch, Nicira, Arista, IBM and others. In this Lippis Report Research Note, I share with you what I learned. OpenFlow-based SDN is both hyped and, in its current state, limited, but it does represent a new paradigm that has the industry abuzz, filled with possibilities.</p>
<p><span id="more-4860"></span></p>
<div class="pod_wide">
<p><img height="70" width="55" src="/wp-content/uploads/Nancy-Maluso.jpg" /><strong>Optimizing Mobility for the Enterprise</strong></p>
<p><a href="/?lippis_pid=4761">Listen to the Podcast</a></p>
</div>
<p><strong>Centralized Controller Model</strong></p>
<p>OpenFlow is a protocol, or API, that modifies forwarding tables in network switches. It sits between a switch and controller. The controller <strong><em>can run</em></strong> on a centralized computer/server that has an Über view of the network and its topology. When a packet enters a switch and the forwarding table does not contain a path for the packet, it’s passed to the controller. The controller then searches the packet’s destination address and defines a table entry with associated attributes to create a path through the network, which the packet and subsequent packets are to follow. The controller then sends a message to each switch in the path the packet will traverse via the switch’s OpenFlow API, which modifies the switch’s forwarding table. Every subsequent packet with the same destination address will then be forwarded based upon this table in cut-through mode. The first store-and-forward stage takes about 50ms; yes, a long time, but it can be significantly shortened. Subsequent packets being forwarded in cut-through mode travel at switch latency, which for 10GbE Top-of-Rack (ToR) switches is between 500ns and a few microseconds.</p>
<p>Now this search method is a bit controversial as some claim that all that the controller needs is a large TCAM to compute the table flow. Some worry that a Cartesian explosion may occur, corrupting the calculation, but this is an engineering problem with an engineering solution, perhaps via multi-staging the flow tables.  </p>
<p>This centralized controller model can scale as has been proven in distributed computing models used by all the major cloud providers. An example at Stanford demonstrated that a network of 35,000 PCs with approximately 2,000 switches generated 15 to 20k flows/sec. A controller can support 2M flows/sec at half a 2007 PC processor capacity. Further, modern 48-port ToR switches can request 100s of flows/sec with controllers supporting 2M flows/sec, which means that a single controller can support 10s of thousands of ToR switches. In short, a centralized controller-based OpenFlow SDN can theoretically scale.</p>
<p><strong>How an OpenFlow SDN Is Different Than Today’s Network Architecture</strong></p>
<p>The above model departs significantly from today’s network architecture in a few key ways. First there is the concept of a centralized controller(s) versus a distributed packet forwarding architecture based upon topology discovery. There may be separate links for control and data plane communications, which would also be a significant departure from today’s single physical network that supports both control information and data forwarding. There is no layer 2 and 3 construct in an OpenFlow SDN, which has been the semantics of computer networking over the past twenty plus years.  </p>
<p><strong>Software Defined Network Ecosystem</strong></p>
<p>Further, on top of the controller is another API, yet to be fully defined, that enables application developers to write network applications without knowledge of the underlying network structure. In short, the API abstracts the network, allowing the programmer to focus on what she/he needs to accomplish versus how to configure the network to comply. The creation of a software ecosystem creates the possibility of a new network paradigm where low cost Asian switches populated with SDN software force an economic collapse of the existing network market. While this is highly unlikely, it does warrant careful observation and mitigation planning on the part of established vendors.</p>
<p>An OpenFlow SDN offers significant differences, which is why there is such excitement surrounding OpenFlow. The genius of the approach is the separation of data and control plane so that SOA-based application developers and researchers can layer applications onto the network, injecting innovation at speed via a software ecosystem. Further, centralized controller-based networks such as the national cellular network plus dense compute management have proven to reduce operational cost and increase control in complex systems.</p>
<p>There is an industry group called the Open Networking Foundation, or ONF, that is promoting the use and interoperability of OpenFlow SDN enabled switches. The above OpenFlow SDN example is primarily an academic description as OpenFlow is well regarded as the leading open implementation to date for providing SDNs within the research community. But there will be many networking concerns introducing controllers that reside in the switch. Further, the definition of a controller is a bit vague as some define it as a network operating system, such as Cisco’s IOS or NX-OS, Juniper’s JUNOS, Arista’s EOS, etc., while others define it as a management entity, performing configuration changes. But before we dive into this, let me explain a few problems that an OpenFlow SDN may solve.</p>
<p><strong>Innovation at Speed:</strong> The institutions that were created to assure interoperability and inject innovation into our industry have become too cumbersome and slow such that networking has fallen behind compute and storage advances. The way innovation is injected into networking today is that a proposal is made to a standards group, such as the IETF, IEEE, etc., and all interested parties compete for the best ideas or technical advantage. This process can take a few years just to modify a few bits in the header of a packet. Then, once the standard is completed, companies build to it, which can take another eighteen to twenty-four months. This approach is not serving the industry any longer, and there needs to be a more rapid way to inject innovation. An OpenFlow SDN promises such an approach where applications can be added to the network rapidly, thanks to the abstraction of layer 2 and 3 forwarding.</p>
<p><strong>Traffic Engineering:</strong> Fine-grained traffic engineering utilizing a variety of forwarding actions is an application that service providers and enterprises seek to optimize application performance.</p>
<p><strong>Tagging vs. Table Manipulation:</strong> There is much agreement in the industry that the network has become too rigid in virtualized data centers, restricting the movement of VMs between racks, data centers, etc. Further, as appliances such as firewalls, load balancers, IPS, etc., have become virtualized, there needs to be a method to steer traffic to them to service an application. The industry has responded to this by proposing the placing of tags on packets to guide their path to the right VM or appliance. An OpenFlow SDN implementation could simply modify switch-forwarding tables to guide the application through a chain of appliances, mitigating tagging and offering applications appliance servicing within highly virtualized infrastructures.</p>
<p><strong>The Real World</strong></p>
<p>An OpenFlow SDN is new, and it’s unrealistic to think that it’s without challenges; here are some OpenFlow challenges.</p>
<p><strong>Trust:</strong> The single largest issue an OpenFlow SDN has is trust. Will IT business leaders trust it within their networks, especially their data center? If a controller is sourced from a new company, how comfortable will the IT team be that it’s modifying switch-forwarding tables? How many controllers are needed for a particular load? What will the support model be? How complicated will it be to manage multiple controllers? </p>
<p><strong>Interoperability:</strong> The current construct of OpenFlow requires knowledge of the switch’s hardware semantics of L2/L3/VLAN architecture; therefore, each controller implementation may be different, and thus it is unclear how controller interoperability is achieved. Further, it&#8217;s unclear how applications written for one controller will work on another.</p>
<p><strong>Network Stability:</strong> This issue may be linked with trust, but it’s unclear why a third-party controller should search packets to define a path through the network topology. Rather, why not use existing network operating systems for what they are good at (topology discovery, etc.) so that IT business leaders are more comfortable running OpenFlow-based SDN applications on top of a stable network? In short, will OpenFlow controllers introduce instability?</p>
<p><strong>Controller Placement:</strong> If we take the definition of a controller to include existing network operating systems, then there will be both distributed and centralized controllers within a network. From a design point of view, how does an IT architect approach distributed versus centralized controllers and what are the trade-offs?</p>
<p>It’s unfair to expect that a new approach to networking would have the above issues all sorted out before deployment. These are not barriers to entry but rather challenges that the OpenFlow SDN community will work on over the next one to two business cycles.  Let me be clear&#8230;OpenFlow-based SDN is a very big deal and is being embraced by all vendors including established firms and start-ups. What is driving most companies is the promise of a software ecosystem to inject innovation and value into their network products.</p>
<p>Established firms will support OpenFlow SDN via OpenFlow client reference implementation within their switches but will add proprietary extensions that differentiate their OpenFlow version from others. Cisco, Juniper, Arista, et al, will differentiate based upon how much of their network operating system they expose. Established firms should have an advantage over smaller ones in attracting software developers as their installed base is much larger.</p>
<p>New companies such as Big Switch Networks and Nicira will focus on solving particular problems in the data center, service provider and enterprise network that existing layer 2/3 networks either don’t solve or don’t solve easily. Virtualization of both servers and desktop are two prime areas, and I expect a suite of SDN Virtualized Applications to emerge from these firms and others. </p>
<p>The service provider market is perhaps the biggest OpenFlow SDN winner as early experiments have shown that the existing three-tier service provider architecture of packet switching, optical core and edge may shrink over time to just two, thanks to traffic management applications.</p>
<p>OpenFlow SDN has successfully introduced the concept of controller-based networking and the controller market. OpenFlow 1.1 is in the standardization process and, once completed, will be the first defined open controller API to communicate between network and controller, offering greater control of cloud network resources and management. But perhaps the greatest contribution an OpenFlow SDN will offer is the potential to usher in a wave of fast-paced innovation not seen before in the networking industry.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2011/06/lippis-report-173-software-defined-networking-the-openflow-way-grabs-industry-attention/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Lippis Report 172: A Perfect Storm Clears a Path for IBM to Re-Enter the Network Market</title>
		<link>http://lippisreport.com/2011/05/lippis-report-172-ibm-re-enters-the-network-market-with-system-networking/</link>
		<comments>http://lippisreport.com/2011/05/lippis-report-172-ibm-re-enters-the-network-market-with-system-networking/#comments</comments>
		<pubDate>Tue, 24 May 2011 04:49:52 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[BLADE Network Technologies]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Data Center]]></category>
		<category><![CDATA[data center networking]]></category>
		<category><![CDATA[enterprise networking]]></category>
		<category><![CDATA[Enterprise Virtualization]]></category>
		<category><![CDATA[Ethernet]]></category>
		<category><![CDATA[IBM]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[Lippis]]></category>
		<category><![CDATA[Smarter Computing]]></category>
		<category><![CDATA[system networking]]></category>
		<category><![CDATA[ToR]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=4792</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a> Three strong trends are taking shape that are so powerful they threaten the status quo of the networking industry. These trends are more like storms than new markets; in fact they represent a major industry discontinuity. The first storm is…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a> Three strong trends are taking shape that are so powerful they threaten the status quo of the networking industry. These trends are more like storms than new markets; in fact they represent a major industry discontinuity. The first storm is happening now and is represented by merchant silicon for 10 and 40 GbE chips lowering the barrier of entry for new entrants in the Ethernet switch market. The second storm is much weaker but promises to be just as big, or bigger, than the first. This second storm is the creation of a software ecosystem in the networking industry, thanks to initiatives such as Software Defined Networks (SDN), OpenFlow, Arista Networks’ EOS Central, etc. The third storm is the paradigm shift in enterprise IT spending thanks to mobile and cloud computing. These three storms are starting to interact and feed upon each other, forming a perfect storm in the networking industry. The <strong><em>perfect storm</em></strong> is already doing damage, as all major IT firms position product portfolios to navigate through it and prepare for its aftermath of making existing networking <strong><em>legacy</em></strong>.</p>
<p>IBM, for example, sees the <strong><em>perfect storm</em></strong> as an opportunity to optimize performance of IBM systems for new and emerging workloads like cloud computing and analytics that require instant access to information by investing in networking. In this Lippis Report Research Note, we focus on IBM’s networking strategy and analyze its potential impact.</p>
<p>IBM created the System Networking group to organize its network resources and execute its strategy. It’s a strategy to implement a data center fabric that ushers in a smart compute model that federates storage, compute, memory and I/O into pools of resources that are brought together to meet business requirements. It recently acquired BLADE Network Technologies (BNT), which produces blade and Top of Rack (ToR) data center switching gear, network-aware virtualization technology, load-balancing and management software. From an organizational point of view, IBM System Networking includes BNT and an IBM group that used to be called Data Center Networking that possesses Fibre Channel and InfiniBand assets. System Networking also maintains working relationships with networking leaders such as Brocade, Cisco, Juniper Systems and Mellanox.</p>
<p>IBM has been selling system networking solutions with its servers and storage offerings for decades. Systems and networking are now more interconnected, making it important to continue partnering with core networking providers like Brocade, Cisco and Juniper while enabling closer connections with IBM servers by increased investment in systems networking technology.  </p>
<p>But why did IBM enter the System Networking business and why now? In short, IBM executives saw an opportunity to gain control of a critical data center asset, address customer needs, and add a key component to deliver on its vision of Smarter Computing.  From discussions with IBM executives, they stress common concerns of their largest data center customers, which have propelled IBM into the System Networking business. Clearly, Cisco’s launch of Unified Computing System or UCS and the forecasted perfect storm also factor heavily into IBM’s calculus. IBM is hearing demand and seeing a shift in the networking industry that has opened a door for it to be a leader in data center enterprise networking, or System Networking, as IBM now calls it. </p>
<p><strong>Cloud Spec Scale</strong></p>
<p>The largest data center customers are implementing cloud spec facilities that are boosting their infrastructure spend and deployment by an order of magnitude in many cases. Yes, that’s ten times the size of their normal data centers. This scale has created unique problems that challenge linear approaches and are forcing IT business managers to seek alternative solutions to scale.</p>
<p>The old model of increasing capacity of memory, compute, I/O, and storage, etc., by acquiring more servers does not work any longer. IBM seeks to solve this scale problem with Smarter Computing that delivers elastic services to federate a pool of resources that are brought together to meet business needs for Big Data analytics and private and public clouds. Resources could be memory, I/O, compute or storage. The goal is to bring together the right proportion of resources to solve a particular workload.</p>
<p><strong>Why Networking Is Important to IBM</strong></p>
<p>To deliver on Smarter Computing, IBM realized that to offer a federated pool of resources, it needs a network fabric that connects these assets, and this is what System Networking is all about. IBM let other industry players connect high-density blade and rack systems with their network gear. This left IBM out of the innovation loop and out of control, allowing others to set the rate and pace of network innovation.</p>
<p>The need to own the network and provide IT business leaders with vertical IT expertise has become apparent. If the data center rack is the new computer, and multiple racks are the new super pod, how does a supplier make this system look and feel like one large computer? It all starts with connecting these elements together in a very smart fashion, using physical connections and software to orchestrate resources and infrastructure more simply than today’s approach.</p>
<p>How can IBM make dense IT infrastructure simpler to deploy and manage as its largest customers deploy ten times more infrastructure? Most IT business leaders translate this into the need for rack infrastructure management, configuration management, and database technology to keep track of IT assets, etc. While IBM has director and utility tools, System Networking is a critical component of Smarter Computing. IBM executive management figured that System Networking will play an even more important role in solving new IT business leader requirements that include simplifying massive amounts of IT infrastructure installation and orchestration, be it physical or virtual. </p>
<p>At the high end of the enterprise computing market, IT business leaders are acquiring IT assets like airlines buy airplanes and hotel builders buy property. Both airlines and hospitality concerns worry about the same thing: use or occupancy rate management. Airlines want to ensure that they have the right size aircraft for a particular flight route so that few, if any, seats are left empty.    </p>
<p>As IT business leaders scale up their data centers to cloud spec, thanks to IT service demand, how do they ensure that the capacity acquired is effectively utilized and not over or under designed?  Most, if not all, IT business leaders have embraced server virtualization as the key technology affording efficiency gain.   </p>
<p>Without System Networking, IBM management realized that it was unable to address IT business leaders’ full virtualization requirements. The data center network needs to be virtual machine aware. In fact, this is one of the biggest reasons why IBM acquired BNT as IBM needed BNT’s network virtualization expertise. </p>
<p><strong>More Business Goes Online</strong></p>
<p>The reason why IT business leaders are deploying so much more infrastructure is that more of their business is going online. Just think about your average day. When communicating to each other we text, email, VoIP and videoconference. When you want to go see a movie, you book it online. You bank online. You pay your bills online. You trade stock online. You make airline reservations online. You read news online, your photos are stored online, office productivity tools are online, etc. As more and more business goes online, the scale of IT infrastructure needed increases.</p>
<p>In addition to more business going online, IBM’s big analytics business needed networking too to be first class. IT business leaders are putting in place more analytic systems, decision support systems and data warehousing systems so they can mine their repositories of vast amounts of information that they have about customers, business, products, competitors and supply chain, etc., so they can make smart, important business decisions.</p>
<p>This is why data warehousing, data mining, smart analytics or solving the big data equation is so important to IBM. This is why IBM acquired Netezza. Now, what is the difference between a good data warehousing engine and a great one? The answer: how fast data can be transported to and from the analytic engine, or how fast is the network. For IBM to be a successful player in smart analytics and be recognized as the clear leader in this large and very important market, it realized that it needed to be in the networking business.   </p>
<p><strong>Controlling TCO at Scale </strong></p>
<p>As data centers have been scaling up, so too has Total Cost of Ownership or TCO. For every dollar that CFOs spend on servers and storage, they spend between 15 and 25 cents on networking.  IBM is not able to control a customer’s TCO as it has no control over 15 to 25% of the IT budget. Therefore, how could IBM profess to solve the TCO equation when it can’t provide a credible solution to 15 to 25% of the TCO problem? IBM needed to have a voice and solution for TCO, thus this too factored into its thinking of re-entering the networking industry. </p>
<p>The change in IT buying requirements is the first of three storms that IBM saw as IT business leaders are building private clouds and experiencing scale issues associated with them. Data center buying criteria are changing as scale, density, deployment, orchestration management, efficiency and utilization, security, being able to extract meaningful decision support information out of information repositories, as well as cost of ownership become high priority items. The merchant silicon storm stirred up by companies such as Broadcom and Fulcrum Microsystems got IBM’s attention. IBM got a close-up look at this storm, as BNT built its new ToR switches with Broadcom’s Trident-1 10GbE and 40GbE chips, and decided to invest by acquisition. It was these two storms and its forecast of a third in the creation of a network software ecosystem emerging that in the end tipped IBM’s hand and led it into the data center system networking industry, or System Networking, as IBM now calls it.</p>
<p><strong>The New IBM</strong></p>
<p>IBM realized that not having System Networking was a competitive disadvantage especially in its analytical systems business. There was an underlying reliance on the network that IBM didn’t control. IBM realized that System Networking is a strategic asset, and it needed to invest.</p>
<p>IBM is now a three-stack business with its platform business including compute, storage and networking, then software and lastly, services. Software is the biggest business followed by services, and then its platform business. Without networking, IBM’s business model was incomplete. How can you drive innovation in software and smart analytics, etc., and all the services to go around it, if you have one or two missing pieces in the platform equation?</p>
<p><strong>Others to Follow</strong></p>
<p>IBM is not the only large vertical IT player to beef up its networking business. Clearly there is HP, Oracle, IBM, Dell and Cisco. Cisco possesses a different portfolio mix than the others with its dense networking portfolio. HP, on the other hand, possesses approximately $2.5 billion worth of networking products/revenue, but lacks data center networking.</p>
<p>Consider Oracle and IBM—they are both focused on the data center. With Oracle’s recent acquisition of Sun, it too is viewing the perfect storm as an opportunity to enter the networking market.  But the fundamental thing that is different about IBM is that it is singularly focused on the data center. This contrasts with Cisco’s network focus while HP strives to be the low cost alternative to Cisco, plus its huge consumer line of products, such as printing and personal computing. Dell, on the other hand, is focused on transitioning away from the personal computing market into higher margin businesses, networking being one of them.</p>
<p>What all of these firms are searching for is a new networking model to emerge, and the perfect storm may very well provide it. With low cost merchant silicon that competes with custom ASICs, network switching is fast, low latency, low power consuming and low cost. With software defined networking (SDN), a new software ecosystem could emerge that challenges established network services and in the process, starts an innovation race between established vendors and a new software industry. SDN is critical if a new networking model is to emerge as it could enable innovation that differentiates common merchant silicon-based network switches. In short, the perfect storm could enable the large IT vendors to leapfrog into a new system networking paradigm.  </p>
<p>IBM has its work cut out for itself. BNT has expanded from Ethernet embedded blade server switches to ToR switches. IBM will enter the aggregation space with the implementation of technologies such as TRILL (Transparent Interconnection of Lots of Links) and 802.1Qbg, the Edge Virtual Bridging (EVB) standard that will seek to break the model of large centralized mainframe-like modular switches. And, through partners such as Brocade, Cisco, Juniper and Mellanox, IBM System Networking offers a portfolio of Fibre Channel and InfiniBand as well as Ethernet solutions, for servers and storage from network edge to core. IBM’s point is that if servers and storage can scale out then why can’t networking?</p>
<p>IBM is developing new networking products that it hopes would enable it to change the networking landscape and how people think of networking. It seems that IBM System Networking is working on a scale out networking model that allows IT business leaders to start smaller and expand as needed without large upfront capital outlays. It is looking to make networking a bit smarter.  </p>
<p>IBM System Networking is focused on building what it calls “a scalable fabric,” which connects servers, storage and networking. Thus IBM advocates keeping network intelligence close to servers and storage, making its fabric fast, low cost, virtual and reliable.</p>
<p>Time will tell how successful IBM is in System Networking, but one thing is for sure, cloud computing has kicked up quite a perfect storm for it.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2011/05/lippis-report-172-ibm-re-enters-the-network-market-with-system-networking/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Lippis Report 171: Cisco Expands Medianet Architecture to Enterprise Scale</title>
		<link>http://lippisreport.com/2011/04/lippis-report-171-cisco-expands-medianet-architecture-to-enterprise-scale/</link>
		<comments>http://lippisreport.com/2011/04/lippis-report-171-cisco-expands-medianet-architecture-to-enterprise-scale/#comments</comments>
		<pubDate>Mon, 25 Apr 2011 21:45:42 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=4524</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Even during the most difficult recession in decades, videoconferencing endpoint unit shipments increased according to Frost and Sullivan. In fact, unit and revenue growth rates are projected to be on a tear with an 18.3% and 16.5%, respectively, compound annual…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Even during the most difficult recession in decades, videoconferencing endpoint unit shipments increased, according to Frost and Sullivan. In fact, unit and revenue growth are projected to be on a tear, with compound annual growth rates of 18.3% and 16.5%, respectively, between 2009 and 2015. Why so bullish? Consider Camp Dresser McKee (CDM), a global water treatment design and build firm that, during the downturn, invested in high-quality video conferencing, not only to save on travel cost and executive wear and tear but to transform its business processes. CDM has been able to consolidate offices in regional centers for design engineers, while outposts close to customer projects are linked back to centralized design centers via high-definition video conferencing. The value gained is far greater than travel cost savings, as the capital spend on video conferencing has reduced corporate operational spend and increased efficiency while at the same time making the company more competitive.</p>
<p>Take CDM and multiply it by the tens of thousands, and that’s why video is not only here to stay, but to thrive. What gives IT business leaders pause is not whether they should deploy real-time video communications, but how to deploy it pervasively so that any employee on any video-enabled endpoint can video conference/communicate with any other employees and/or customers, partners, suppliers, etc. So the questions are: Can video be deployed pervasively at scale while maintaining a high-quality experience? Are corporate networks equipped to handle the load? How are endpoints with different codecs normalized so that anyone can communicate with anyone else independent of endpoint device, be it web conferencing, a Telepresence room, desktop video, a smartphone, a tablet, etc.? Even if IT could deploy such a system, how would it be managed, configured, monitored and troubleshot when problems arise?</p>
<p>While many video conferencing vendors are developing approaches to this problem, Cisco has been working on it since September 2008, when it first introduced Medianet. With the Tandberg acquisition plus investments in unified communications, collaboration, business video and Borderless Networks, Cisco is now able to expand Medianet to put its customers on a journey to deliver a corporate-wide any-to-any video communication service, designed to be borderless over time.</p>
<p><strong>What is Medianet?</strong></p>
<p>To address pervasive enterprise video communications, Cisco has developed “Medianet Architecture” to optimize the experience of consuming rich and real-time media content as it flows throughout a corporate network. Medianet architecture is a borderless network service within Cisco’s Borderless Network Architecture. Medianet obtains much of its service by embedding Medianet technology within Cisco’s network infrastructure of switching and routing products and now video enabled endpoints. </p>
<p>The key attributes of Medianet Architecture are that it provides end-to-end IP video services to video-enabled endpoints such as Telepresence rooms, unified communications and collaboration, desktop video streaming, digital signage, enterprise TV, video surveillance, etc., with the network providing a set of Medianet services to assure a high-quality experience depending upon the endpoint’s video display resources. These Medianet network services include traffic differentiation and QoS to assure a good and consistent user experience. In addition, the network with embedded Medianet technology provides interoperability services to support multiple video formats and endpoints. Autoconfiguration is another Medianet network service: it discovers video endpoints, then sets up their configuration with best practices and uses autoregistration to track each entity. Lastly, a video management service that provides session visibility, network load impact and policy definition rounds out the set of network services enabled by Medianet.</p>
<p><strong>Cisco’s Medianet Architecture</strong></p>
<p>With Medianet technology embedded within the network, the network becomes smarter about video traffic, applications and services. Also with Medianet technology embedded into endpoints, video endpoints become smarter to connect to and communicate with the network so that visibility and policies extend from the endpoint across the network. While the above discussion has focused within a corporation, in fact Cisco’s Medianet Architecture is being extended outside of the enterprise boundary through cloud services to enable Service Provider-to-Business, Business-to-Business and Business-to-Consumer connections with the hopes of creating a truly borderless video service.</p>
<p>Just in case you missed it, yes, Cisco is delivering video-enabled client software to endpoints, with the first ones being IP video surveillance cameras and digital media players, followed by WebEx, with Tandberg Telepresence not far behind. Eventually, popular mobile endpoints such as iPad, iPhone, Android devices, etc., will be supported through third parties.</p>
<p><strong>Smarter Endpoints via Media Services Interface</strong><br />
So what value does Cisco client software add to these endpoints? First, the software is called Media Services Interface, or MSI, and the idea is to place basic network intelligence into the endpoint to assist it in auto-configuration and improve the user video experience. For example, MSI enables the endpoint device and its location to be identified for security purposes and delivers auto-configuration assistance.</p>
<p><strong>Smarter Networks</strong><br />
To deliver high-quality video throughout the enterprise and beyond, Cisco’s Medianet Smarter Network consists of three capabilities:</p>
<p>Media Monitoring: First, to provide a consistent end user experience, Cisco has developed Media Monitoring. There are three capabilities within Media Monitoring: IPSLA Video Operation (IPSLA VO), Performance Monitor and Mediatrace. Performance Monitor evaluates network traffic, giving NetOps visibility into the video streams running over the network so they can observe network impact and load. Mediatrace provides a tool for NetOps to traverse the network hop-by-hop, following the real-time flow of video traffic through the network to aid in troubleshooting and problem resolution. To assure the network can support a video session being requested, IPSLA VO transmits synthetic traffic, without probes, over the network to assure the network possesses the capacity to transmit video in high quality. This is, in essence, the ability to launch a real-time pre-planning tool.</p>
<p>Cisco Prime Collaboration Manager: Second, simplified video deployment and management is enabled through Cisco Prime Collaboration Manager or CM 1.0, which is an integrated monitoring, analysis and troubleshooting tool. CM 1.0 provides end-to-end visibility and isolation of video issues for TelePresence sessions, endpoints and the network. In addition, CM 1.0 provides a complete inventory of all video-related assets, including endpoints, network devices and service infrastructure, which helps control costs and aids in network planning.</p>
<p>CM 1.0 currently supports TelePresence, but Cisco plans to expand it to support Tandberg and WebEx in future releases.</p>
<p><strong>Media eXperience Engine:</strong> The Media eXperience Engine (MXE) appliance provides any-to-any media adaptation and analytics for endpoint video interoperability. Those with TelePresence are familiar with MXE, but it is an important enabler of video to a wide variety of devices and part of the strategy to enable video and collaboration on mobile devices.</p>
<p><strong>Video Conferencing on ISR G2:</strong> Also in the launch, but separate from Medianet, Cisco is adding video conferencing to the ISR G2 with its packet voice/data module (PVDM3) DSP (Digital Signal Processor) to provide ad-hoc video conferencing at the branch level. This optimizes resources within the branch office for video conferencing and avoids video conferencing traffic over the network. </p>
<p>For example, when video conferencing is made available to branch offices, multiple video streams are forced to traverse the wide area network (WAN) en route to a centralized MCU (Multipoint Control Unit) for mixing, controlled by UC Manager. The result is that the WAN can easily be consumed with video traffic, especially in the branch where WAN bandwidth is at a minimum, and user experience suffers. With Medianet, ISR G2s are equipped with PVDM3, which provides local mixing, keeping video traffic local in the branch, assuming participants are local. Further, video is controlled by CUCM and CUCME. In addition, PVDM3 provides ad-hoc and MeetMe conferencing, enabling spontaneous video conferencing sessions to occur.</p>
<p><strong>Medianet Example</strong></p>
<p>To bring Medianet to life, consider a Cisco use case. Cisco Borderless Networks IT uses Media Monitoring to expand the use of video conferencing throughout the network. They especially benefit from the ability to monitor the conditions on the network without the use of probes, which helps them make better business decisions and make more efficient use of resources. Cisco is rolling out Media Monitoring to enhance its Cisco Virtual Office (Teleworker) service to hundreds of endpoints, with the expectation of thousands of video endpoints by the end of 2011.</p>
<p><strong>Summary</strong></p>
<p>Cisco has built an approach, a blueprint and yes, an architecture to organize and harness the power of corporate video communications. While there are multiple forms of video collaboration and many more will emerge, the key in any enterprise video architecture is to allow innovation to flourish and not to limit choice. In short, endpoint devices and their video applications should be embraced. Where value can be created is in assisting these endpoints to connect to others, both similar and different, and simply communicate consistently and at scale. This is what Cisco’s Medianet architecture seeks to deliver. It possesses the attributes to achieve these goals, putting a company on a journey to exploit video communications for all its business benefit.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2011/04/lippis-report-171-cisco-expands-medianet-architecture-to-enterprise-scale/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Lippis Report 170: Why Networking Is Key to Cloud Computing Design</title>
		<link>http://lippisreport.com/2011/04/lippis-report-170-why-networking-is-key-to-cloud-computing-design/</link>
		<comments>http://lippisreport.com/2011/04/lippis-report-170-why-networking-is-key-to-cloud-computing-design/#comments</comments>
		<pubDate>Tue, 12 Apr 2011 01:07:01 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=4473</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>There is no escaping the fact that cloud computing is a fundamental change in the IT industry that is in the early stages of its adoption curve. Yes, we hear a lot about Amazon’s Elastic Compute or EC2, Rackspace, Microsoft’s…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>There is no escaping the fact that cloud computing is a fundamental change in the IT industry that is in the early stages of its adoption curve. Yes, we hear a lot about Amazon’s Elastic Compute or EC2, Rackspace, Microsoft’s Azure, etc. And yes, there are multiple definitions and cloud markets such as PaaS, IaaS, SaaS, UCaaS, etc. So it’s no wonder that most IT executives think of cloud computing in terms of servers, real or virtualized, applications and power spend. And yes, the primary reason that cloud computing is a reality is that we can scale compute power. But for those building private and public clouds as well as those supplying them, a critical eye is turning toward networking as a fundamental differentiator. With IT giants hoarding some $300B in cash on hand, we expect networking to be a target for acquisition. In this Lippis Report Research Note, we review the large providers of IT and assess their networking capabilities.</p>
<p>There are a few reasons why networking has become so much more important and fundamental to IT than in previous business cycles. First, as the world economy emerges from the recession, large IT suppliers have been increasingly verticalizing their data center offerings to include compute, storage and networking. For example, HP acquired 3Com, Cisco entered the server business with UCS, IBM acquired BLADE Network Technologies, and Oracle acquired Sun, which possesses networking expertise.</p>
<p>In addition to wanting to gain an increasing share of IT data center spend, the large multi-billion dollar IT giants of HP, IBM, Cisco, Dell, Oracle, etc., are all realizing that networking is fundamental to data center performance, meaning application performance. This is especially true in cloud spec data centers and demanding financial data centers. As traffic flows have shifted to a mix of east-west plus north-south, and as storage is being cannibalized by networking thanks to converged IO, a new approach and design to networking is emerging. This new cloud network is characterized by low nanosecond latency and low power consumption, with switches connected together in fewer boxes/tiers. The large IT firms have realized that if they don’t offer networking then they are at a competitive disadvantage. It also doesn’t hurt that networking is a high-margin business, and those without it have margin envy.</p>
<p>Conventional thinking is that a “fat tree” or two-tier spine/leaf network architecture is the path of the future, and it very well may be. But there is new thinking in networking being promoted by the Open Networking Foundation (ONF) with what they call Software Defined Networking. Yes, it’s unfortunate that SDN is being reused, but be that as it may, ONF offers an approach to networking that promises to scale higher than today’s network architecture.</p>
<p><strong>Open Networking Foundation</strong></p>
<p>Today’s network switches are built with specialized hardware that runs specialized software operating systems. The network operating system contains a control and management plane, while the hardware provides a data plane that passes packets between ports. ONF is promoting the splitting of the control and data planes, and in doing so, networking can not only scale higher than today’s approach but can be virtualized too, much like VM virtualized servers. The idea here is to open up the networking market for innovation and a radically new approach to address performance, scale and power consumption.</p>
<p>The ONF was started by IT executives of Deutsche Telekom, Facebook, Google, Microsoft, Verizon and Yahoo with 17 member companies, including major equipment vendors, networking and virtualization software suppliers, and chip technology providers. </p>
<p>SDN comprises two basic components: a software interface (called OpenFlow) for controlling how packets are forwarded through network switches, and a set of global management interfaces upon which more advanced management tools can be built. The first task of ONF will be to adopt and then lead the ongoing development of the OpenFlow standard (www.openflow.org) and encourage its adoption by freely licensing it to all member companies. ONF will then begin the process of defining global management interfaces. The hope is that SDN will help networks become both more secure and more reliable.</p>
<p>SDN proposes splitting control and data planes so that the data center network can be completely virtualized. That is the right operational model for networking, where you treat the physical infrastructure as a generalized resource pool of switching capacity, all of the services intelligence is done at the edge in software, and the physical network does one thing and one thing only—forwards IP packets. In short, SDN makes the data plane a low cost, low function packet forwarding machine and places intelligence closer to servers. This is versus today’s integrated model, where data, control and management planes are resident in each switch and intelligence is distributed throughout the network fabric.</p>
<p><strong>HP Networking and Its Converged Infrastructure</strong></p>
<p>So how does ONF fit into networking being acquired by the large IT firms? Well first, let’s review which IT firms are networking rich and poor. Clearly Cisco is networking rich with over $41B in revenue and by far the largest share of switching and routing under the Milky Way. HP is a distant second in networking. Networking represents approximately $2B of revenue to HP; with HP annual revenues of approximately $126B, networking represents less than 2% of revenue. Cisco is 20 times larger than HP Networking. So why is HP management so interested in networking? For the reasons stated above, plus the fact that Cisco’s market cap is nearly $100B with over $40B in cash, while HP’s market cap is $89B with $10B in cash. That’s a pretty telling stat: a firm with nearly three times the revenue is valued less. It’s hard to say that HP is networking rich when it’s 1/20th the size of its nearest competitor. Further, most of HP’s networking products are focused on the enterprise campus market and not the data center. In fact, in the hot 10GbE market, HP is nearly absent. But HP is on a mission to grow its share of networking. Part of that mission should be 10GbE solutions for its Converged Infrastructure offering.</p>
<p><strong>IBM System Networking and Its Dynamic Infrastructure</strong></p>
<p>IBM has recently acquired BLADE Network Technologies, a blade switch firm that also offers Top-of-Rack (ToR) switches and recently announced its IBM BNT RackSwitch G8264, a 10/40 GbE ToR switch. IBM sees the above market dynamics too and is investing in networking. It recently formed a new group called IBM System Networking that focuses on delivering data center networking solutions. System Networking includes BNT along with its partnerships with Cisco’s Nexus, Brocade, Juniper plus its management solutions of Tivoli. IBM is clearly building its network portfolio to include networking solutions with its Dynamic Infrastructure offering. System Networking clearly needs a core or modular switch capable of high density 10 and 40GbE.</p>
<p><strong>Dell Networking and Its Virtual Integrated System Architecture</strong></p>
<p>Dell possesses a significant portfolio of networking and storage gear. Its relationship with Cisco has gone the way of HP’s relationship with Cisco, although Dell still sells Cisco Nexus 5000 and select Catalyst switches. Dell’s networking brand is PowerConnect Ethernet switches, which are mostly ToR and range in port speeds from 10GbE to fast Ethernet. It too, like HP, has a very limited 10GbE portfolio confined to its PowerConnect 8000, which is a 24-port ToR switch. It does not possess a 48-port 10GbE ToR or a core switch that can connect 10GbE at density. For cloud spec networking, Dell is networking poor. But Dell is a big supporter of ONF, and it may just be biding its time to enter the networking market with the hopes of a technology disruption that SDN promises.</p>
<p>Oracle’s networking business is primarily in adaptor cards and network modules for Sun servers. The new Sun Network 10GbE Switch 72p is a 72-port ToR switch with 40GbE uplinks. It has an impressive converged I/O product portfolio too, but like IBM, Dell and HP, it lacks 10GbE density needed for cloud networking.</p>
<p>Clearly IBM, HP and Oracle need broader networking portfolios, especially in 10 and 40GbE if they want to offer a complete vertical solution of compute, storage and networking to data center buyers. They have the money, the market need, and there are multiple options available to them.</p>
<p><strong>Acquisition Targets?</strong></p>
<p>Arista Networks is the hottest networking start-up in years and would instantly broaden any of these firms’ networking portfolios with high performance, low latency and low power networking products that are setting the bar for cloud networking. For $20B, Juniper Networks could be acquired too, with its new QFabric architecture and installed base of both communication service providers and cloud providers. Brocade’s market cap is $2.8B and comes complete with both networking and storage, including directors, switches, routers, fabric-based software applications, host bus adapters, converged network adapters, mezzanine cards and storage area network switch modules for bladed servers. It has $892M of debt and $416M of cash.</p>
<p>Extreme Networks has a market cap of $312M, which is slightly lower than its annual revenue, with $137M of cash on hand and no debt. It has a broad product portfolio and will be making one of the most significant announcements at Interop. As one of the first firms with 10GbE networking, Force10 Networks possesses a broad networking portfolio that spans the campus to the data center. It’s getting ready to IPO, which may force the hand of one of the large IT providers to buy it before this liquidity event. Mellanox has a market cap of nearly $930M with annual revenue of approximately $160M and about $253M in cash on hand. Mellanox, which recently acquired Voltaire, is a leader in the Infiniband market but also has Ethernet switching and 10GbE NICs. It knows high performance networking and converged I/O and works with nearly all of the top IT providers. Avaya’s VENA is also a potential acquisition target if presented to Avaya’s board at the right price.</p>
<p>Firms looking to leapfrog networking technology should keep an eye on Nicira Networks, which is a real-world provider of SDN-type solutions. Nicira proposes splitting control and data planes so that the data center network can be completely virtualized, where the physical infrastructure is a generalized resource pool of switching capacity and all software service intelligence is at the edge.</p>
<p>But Cisco’s data center fabric business is firing on all cylinders. Its March 31st announcement introduced a new 48-port 10GbE ToR switch with 40GbE uplinks, the Nexus 3000 and the Nexus 5548 UP and 5596 UP 10GbE switches. But more than switching, it expanded its Fabric Extender offering, introduced workload mobility through Locator/ID Separation Protocol (LISP) and Overlay Transport Virtualization (OTV), enhanced its Ethernet storage director for multi-hop FCoE, and converged network and storage management into Cisco Prime. In addition, it added to the UCS server portfolio with the UCS C260, C460, B230 and B440, which use Intel Xeon Westmere EX processors. When Intel announced the Xeon update, Cisco demonstrated nine new world records on industry benchmarks, including three world records for the C260 (the record for application servers is notable), four for the C460 and two for the Cisco UCS B230. Not bad for a networking company.</p>
<p>All of the large IT firms now realize that networking is on the critical path to application performance and cloud computing scale. The IT industry has $300B plus of cash and equivalents to spend. Networking will take a significant portion of that spend as HP, Oracle, IBM, Dell, et al, seek to offer data center solutions that include compute, storage and networking.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2011/04/lippis-report-170-why-networking-is-key-to-cloud-computing-design/feed/</wfw:commentRss>
		<slash:comments>15</slash:comments>
		</item>
		<item>
		<title>Lippis Report 169: Making Sense of Data Center Switching Fabrics</title>
		<link>http://lippisreport.com/2011/03/lippis-report-169-trill-sbp-fabricpath-qfabric-vcs-vena%e2%80%a6-making-sense-of-data-center-switching-fabrics/</link>
		<comments>http://lippisreport.com/2011/03/lippis-report-169-trill-sbp-fabricpath-qfabric-vcs-vena%e2%80%a6-making-sense-of-data-center-switching-fabrics/#comments</comments>
		<pubDate>Tue, 29 Mar 2011 00:02:26 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Enterprise Virtualization]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[Juniper]]></category>
		<category><![CDATA[Lippis]]></category>
		<category><![CDATA[MC-LAG]]></category>
		<category><![CDATA[Open Networking Foundation]]></category>
		<category><![CDATA[SPB]]></category>
		<category><![CDATA[TRILL]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=4394</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>In the Lippis Report, we have discussed the fundamental changes shaping a new data center network architecture. These drivers are massive virtualization, a sea change in traffic patterns that are now dominated with east-west flows on top of existing north-south…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>In the Lippis Report, we have discussed the fundamental changes shaping a new data center network architecture. These drivers are massive virtualization, a sea change in traffic patterns that are now dominated by east-west flows on top of existing north-south traffic, ultra low latency, the emergence of cloud spec data centers, etc. As a result, data center networking attributes are changing, with requirements of traffic steering in virtualized infrastructure, avoiding manual network changes as VMs move, removing oversubscription (thanks to spanning tree), streamlining network tiers to hasten east-west traffic flows, etc. The industry is responding to these changes and requirements with new approaches to data center networking, such as the Open Networking Foundation, Cisco’s FabricPath, Juniper’s QFabric, Brocade’s VCS, Avaya’s VENA, Nicira Networks’ network virtualization software, etc. In this Lippis Report Research Note, we explore a key technology for enabling two-tier network fabrics, and that’s link aggregation and its various approaches, including Multi-Chassis Link Aggregation Group, Transparent Interconnection of Lots of Links (TRILL) and Shortest Path Bridging (SPB).</p>
<p><span id="more-4394"></span></p>
<p>Over the past year, firms such as BLADE Network Technologies, an IBM Company, Force10 Networks, Juniper Networks and Voltaire/Mellanox have introduced 48-port 10GbE top-of-rack (ToR) switches. Before Interop in May, there will be six more companies making similar announcements. With 10GbE priced at $300 per port and below for server connections, the transition from 1 to 10GbE is on its way in the data center. Now most, if not all, of these switches possess two 40GbE uplinks. Also by Interop, at least two firms will announce Core switches with dense 40GbE capability. So the question is: how are these ToR products being connected so as to address the changes mentioned above?</p>
<p><strong>One Thousand Plus Servers Connected at 10GbE</strong><br />
Consider a 1,024-server data center where all servers are dual home connected into the fabric via 10GbE. This example could be a Global 2000 company data center, but many Global 2000 companies and service provider hosting companies have larger scale requirements in the tens of thousands of servers to over one hundred thousand. In this example, approximately 2,048 10GbE connections are needed. Consider this requirement using traditional approaches.</p>
<p>If designing this data center fabric with traditional spanning tree protocol (STP)-based networking, there would be blocked links between access and distribution. The IT architect would rely upon a three-tier structure that forces an oversubscription of nearly 8:1 between access and aggregation, and 2:1 between aggregation and core, or a total of 16:1 oversubscription.  There would be 64 access switches, 8 aggregation switches and two Core switches required and four pods to house access and aggregation switches.  In addition, east-west traffic flows are forced to traverse these network tiers, incurring delay with every passage of a switch.</p>
<p>To eliminate the oversubscription and reduce latency, a two-tier network architecture can be utilized. One approach is to use 43 of the new 10GbE ToR switches to connect servers. The ToR switches would connect to some number of Core switches with enough capacity to support 512 40GbE or 2,048 10GbE connections, if non-blocking is a requirement. The Core switches would also need to be connected together at very high speeds and densities. Yet another approach would be to use Core switches to connect servers. Assuming a Core switch capable of supporting 256 10GbE ports, eight Core switches would connect servers. Now, if the IT architect required non-blocking, then a Core switch would need to terminate 48 10GbE links for each ToR switch, or 256 10GbE links for each server-facing Core switch. Therein lies the rub: with such large numbers of parallel 10GbE, 40GbE and eventually 100GbE links, there needs to be a way to aggregate and route between ToR and Core switches.</p>
<p>Enter link aggregation. The two-tier architecture allows the level of oversubscription and blocking to be designed and managed by choosing the number of links to be aggregated.  </p>
<p>Key to this design is the elimination of STP with some number of multi-links between ToR and Core that eliminate oversubscription, and enable a non-blocking fabric, assuming the switches are designed with enough backplane capacity to support packet forwarding equal to the sum of leaf ingress bandwidth. High spine switch performance is fundamental in the two-tier leaf-spine architecture as it collapses the aggregation layer in the traditional three-tier network.  Further, by connecting every switch together in a full mesh via link aggregation connections, every server is then one hop away from each other, reducing latency and providing VM mobility service.</p>
<p>There are multiple approaches for connecting ToR/leaf and Core/spine switches at high bandwidth via some type of link aggregation.  </p>
<p><strong>Multi-Chassis Link Aggregation Group</strong>, or MC-LAG, covered in project IEEE 802.3ad, allows one or more links to be aggregated together to form a Link Aggregation Group. MC-LAG is a method of inverse multiplexing over multiple Ethernet links as if they were a single link. This layer 2 transparency is achieved by the LAG using a single MAC address for all the device’s ports in the LAG group. LAG can be configured as either static or dynamic. Dynamic LAG uses a peer-to-peer protocol for control, called the Link Aggregation Control Protocol (LACP).</p>
<p><strong>TRILL or Transparent Interconnection of Lots of Links</strong> is an emerging IETF protocol based upon the IS-IS link-state routing algorithm, which broadcasts routes available to all TRILL-connected devices for pair-wise optimal unicast paths. TRILL is invisible to routers as it runs over layer 2 links such as Ethernet and PPP.</p>
<p><strong>Shortest Path Bridging</strong>, or SPB, is an IEEE 802.1aq standard solution for shortest path frame routing in multi-hop Ethernet networks with arbitrary topologies. SPB, like TRILL, uses the IS-IS link-state routing protocol to advertise both topology and logical network membership. SPB packets are encapsulated at the edge either in mac-in-mac 802.1ah or tagged 802.1Q/802.1ad frames and transported only to other members of the logical network. Unicast and multicast are supported, and all routing is on symmetric shortest paths.</p>
<p><strong>MC-LAG vs. TRILL vs. SPB</strong></p>
<p>As you would expect, there is debate over which approach is best, MC-LAG vs. TRILL vs. SPB. It doesn’t help that TRILL is an IETF standard, while SPB and MC-LAG are IEEE. Picking a winner is complex as there are pros and cons to each, and all protocols have their supporters in the vendor community. MC-LAG may be the most widely supported protocol but lacks link state routing to define paths. Some even question if you need IS-IS at this level of the network.</p>
<p>From an implementation point of view, many firms are betting on SPB, such as Brocade in its VCS, Avaya in the VENA, and Alcatel-Lucent in its OmniSwitches. These firms like SPB for the following advantages:<br />
      SPB scales to support 100s to 1000s of multi-terabit switches, enabling a non-blocking two-tier network fabric;<br />
      SPB creates logical trees, which can be extended out of the data center and into the campus, increasing SPB’s usefulness.</p>
<p>SPB service provider deployments are planned for 2011, and these firms believe SPB offers increased scalability over TRILL. Further, SPB will interoperate with carrier infrastructure to allow seamless data center-data center connections in the near future. This is an interesting and compelling option in that SPB could be the link that connects private and public clouds via a single data center fabric.</p>
<p>SPB advocates boast that for network architects/designers and operations, there is a quick learning curve as SPB uses the existing IS-IS protocol, and for service providers, SPB is already available through OAM (Operations, Administration and Maintenance), enabling it to be managed through existing management services. </p>
<p>Perhaps the biggest proponents of TRILL are IBM and Cisco, the latter of which has its FabricPath offering based upon it, and Data Center Bridging before that. Its proponents point to TRILL’s advantages of multi-pathing that delivers higher throughput between leaf and spine connections. TRILL too can be extended out of the data center into the campus and cloud as service providers offer TRILL connections. It’s also backward compatible with classic bridges, and was developed by Radia Perlman, the inventor of Spanning Tree Protocol.</p>
<p><strong>Juniper’s QFabric</strong></p>
<p>Then, in addition to the above, Juniper recently announced its QFabric architecture, which disaggregates the data, control and management planes. Its QFNodes are ToR switches, which are connected to its QF Interconnect chassis and managed via the QF Director management platform. There are two separate connections for data and control plane traffic, with control traffic on a 10GbE link while data traffic runs at 40GbE. It’s not clear if the QFabric is a cell-based datagram architecture, or if it uses Ethernet datagrams. If QFabric is a cell-based architecture, then it would not utilize TRILL, SPB or MC-LAG for inter-switch high-speed aggregated connections and routing.</p>
<p><strong>Enter the Open Networking Foundation</strong></p>
<p>Then, there’s the Open Networking Foundation (ONF), started by Deutsche Telekom, Facebook, Google, Microsoft, Verizon and Yahoo with 17 member companies, including major equipment vendors, networking and virtualization software suppliers, and chip technology providers. ONF is proposing a new approach to data center networking it calls Software-Defined Networking (SDN).</p>
<p>SDN comprises two basic components: a software interface (called OpenFlow) for controlling how packets are forwarded through network switches, and a set of global management interfaces upon which more advanced management tools can be built. The first task of ONF will be to adopt and then lead the ongoing development of the OpenFlow standard (<a href="http://www.openflow.org">www.openflow.org</a>), and encourage its adoption by freely licensing it to all member companies. ONF will then begin the process of defining global management interfaces. The hope is that SDN will help networks become both more secure and more reliable.</p>
<p>Nicira Networks is a real world provider of SDN type solutions. Nicira proposes splitting control and data planes so that the data center network can be completely virtualized, like VMware did for servers. That is the right operational model for networking, where you treat the physical infrastructure as a generalized resource pool of switching capacity, and all of the services intelligence is done at the edge in software, and the physical network does one thing and one thing only…forwards IP packets.</p>
<p>MC-LAG, TRILL and SPB offer a linear approach to scaling data center networking while Juniper’s QFabric and ONF’s SDN offer new departures in the design and architecting of data center and cloud computing networking. While QFabric and SDN are interesting, they need to be developed and understood, but represent a new approach to networking that our industry has not seen. Over the next several years most IT architects will choose the linear approach as QFabric and SDN become fleshed out and their pros and cons articulated.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2011/03/lippis-report-169-trill-sbp-fabricpath-qfabric-vcs-vena%e2%80%a6-making-sense-of-data-center-switching-fabrics/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Lippis Report 168: Cisco Pulls All the Pieces of Its Network Security Program into One Architecture: SecureX</title>
		<link>http://lippisreport.com/2011/03/lippis-report-168-cisco-pulls-all-the-pieces-of-its-network-security-program-into-one-architecture-securex/</link>
		<comments>http://lippisreport.com/2011/03/lippis-report-168-cisco-pulls-all-the-pieces-of-its-network-security-program-into-one-architecture-securex/#comments</comments>
		<pubDate>Tue, 15 Mar 2011 20:50:57 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[ASA]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[IT security]]></category>
		<category><![CDATA[Lippis]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[SecureX]]></category>
		<category><![CDATA[TrustSec]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=4357</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Cisco recently launched its SecureX architecture that extends perimeter-based network security to secure modern IT, recognizing the huge growth in mobile and cloud computing. SecureX is a multi-layer architecture built upon Cisco’s AnyConnect client, its global footprint in real-time threat…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Cisco recently launched its SecureX architecture that extends perimeter-based network security to secure modern IT, recognizing the huge growth in mobile and cloud computing. SecureX is a multi-layer architecture built upon Cisco’s AnyConnect client, its global footprint in real-time threat intelligence found in SIO (Security Intelligence Operation), Cisco TrustSec, including policy servers of NAC manager and server appliances, ASA firewall and the security enforcement features of its switches and routers. SecureX is an architecture for Cisco’s network security products and services to work together in an effort to create deeper defenses and contain exploit infestations if, and when, they occur. Fundamental to SecureX is the concept of “context aware” policy across the enterprise, including remote endpoint devices, centralized policy creation with distributed security device and network enforcement. SecureX provides for innovation injection points through APIs (Application Programming Interfaces) for management and SIEM, or Security Information and Event Management. In this Lippis Report Research Note, we explore SecureX with a focus on how context increases defenses and keeps IT assets safer.</p>
<p><span id="more-4357"></span></p>
<p>SecureX offers something for everyone…such as a simpler, yet richer, management model for SecOps, deeper levels of security for users within and outside the corporate network, centralized policy creation that extends beyond the corporate firewall, and increased protections for users as they utilize mobile endpoints to access corporate and cloud-based applications. IT business leaders should be pleased with better protections and compliance tools, especially as their vulnerabilities increase with the growing number of mobile endpoints seeking network access.</p>
<p>SecureX is not just about extending security to mobile devices but about capturing contextual information for use in policy creation. Contextual information includes user and device identity plus location, login time of day, and which specific applications users attempt to access, and this information is collected not only upon login but during their entire network connected session. Context aware policy allows IT leaders to use this information in the creation of policy with the end result of either allowing or denying access to IT resources, independent of the endpoint device and the method by which access is attempted. And this context aware policy attribute of SecureX, over time, will be extended beyond normal data traffic streams to apply consistent unified policies to application, video or voice traffic also.</p>
<p>And while SecureX is security, in reality, it’s bigger than just security, because security is a necessary integrated attribute to enable mobility, video, voice and web collaboration, etc. To create a secure IT environment, IT services need to interact with security services with minimum to no user intervention that steals productivity. In short, SecureX seeks to make Cisco security and network devices work better together through context aware policy so access and deny decisions are improved, and are built upon so that anomalistic behavior remediation is automated post access through traffic monitoring.</p>
<p>Use cases have changed dramatically since a new tier of computing has emerged, that being smartphones and tablets. For example, a laptop could be plugged into an iPhone, which is streaming video into the corporate network.  The network should be able to differentiate between data traffic, video traffic, phone traffic and even iPhone application traffic, then monitor all of those traffic types for behavior so if a Virtual Machine (VM) is launched on the laptop, the network recognizes this new entity and performs a new series of monitoring.  Security needs to be much smarter as the combinations and permutations of acceptable user behavior are fundamentally changing.  </p>
<p>So where does this monitoring come from? Is it centralized, distributed, within appliances, in the cloud? The answer is all of the above. It’s in the network infrastructure and highly distributed. The SIEM ecosystem plays a role, and TrustSec provides monitoring, as do SIO, ASA, IPS, etc. The network infrastructure itself is monitoring for behavior that’s outside of the parameters/rules/policy that have been established for each network connection, and can take defined action when anomalistic behavior is identified. With monitoring and enforcement being so highly distributed, the chances of capturing anomalistic behavior increase significantly. Anomalistic behavior can occur anywhere, so depending upon where alerts are triggered, what type of traffic is involved, the kind of device being used, the location, the identity of the user, the time of day, etc., it’s this contextual information that adds color to tripping anomalistic behavior and remediation options.</p>
<p>SecureX is much like Cisco’s self-defending network concept, but with a global perspective and tools to extend context-based security to the Cloud, virtualized environments and out to the growing mobile workforce. And this extension of security services is the biggest challenge with which IT business leaders struggle. IT leaders want to push context aware policy into their virtualized datacenters, their Cloud(s) and to mobile users, because it solves a large set of security problems. In fact, security concerns are one of the primary gating factors limiting enterprises from deploying these new innovative IT services that offer favorable business process outcomes.</p>
<p><strong>Context Is Fundamental to Access Decisions</strong></p>
<p>We already have perimeters and defenses within the enterprise, but IT has gone mobile, thanks to smartphones, iPads, tablets, etc. Also, applications are selectively moving into the Cloud as well. SecureX is a security architecture delivering control to SecOps and IT business leaders to extend their IT services to mobile workers, enabling them to embrace a new tier of computing and a new way of application delivery via the Cloud.  </p>
<p>SecureX adds the concept of context aware policy to the principles of visibility and control as context provides insight into threats as employees are working outside of defined enterprise perimeters. The type of context that’s important includes identity—such as who are you, where are you located, the device that you’re using and can I trust the device—and what resources are you seeking to access. All of this contextual information needs to be considered when a firewall is determining network resources it will allow access to. In addition, contextual information may also instruct the network to enforce encryption on a session based on who you are and where you’re trying to go.</p>
<p><strong>Policy Driven</strong></p>
<p>To make contextual information work, a policy wrapper needs to surround the context elements of personal identity, device identity, location, time of day and application access request. This empowers the network to create a uniform policy, such that the network is able to intelligently negotiate the variety of context options that are considered when individuals attempt to access IT resources. This is the perfect job for a policy appliance.</p>
<p>To add context information to firewall decisions, Cisco is leveraging key pieces of its security product portfolio. For example, its TrustSec architecture provides access control plus encryption, which is the first and most critical piece of context information. Within access control, a device’s security posture is assessed, the end user is identified, and their device is profiled, all of which is used to make an intelligent decision to grant or deny network access. In addition, the network can “tag” a user’s data stream, so that as the stream traverses the enterprise IT infrastructure, the network can enforce defined policy independent of the stream’s destination(s). For example, once the user has passed access control, should this user decide to search for a payroll server location, the network may recognize that he/she is not allowed access, thanks to defined policy, and the network can drop the requests and log the event. This set of sequences is a benefit of TrustSec.</p>
<p><strong>Access Control and Contextual Information</strong></p>
<p>With trusted systems on the inside of an enterprise network providing enforcement through policy of mostly fixed endpoints, such as desktops and IP phones, the question on most IT business leaders’ minds is how to extend these protections to the exponentially-growing mobile community and non-user network devices. IT leaders are confronted with an increasing number of both mobile endpoints and non-user endpoints, such as printers, video surveillance, wireless access points, etc., attempting to access their network and IT assets. To protect IT assets, IT leaders are seeking a process in which all devices connecting to the network, whether inside or outside the perimeter, are profiled to analyze device function and apply appropriate policy. For example, an IP camera may be identified during profiling and then a policy applied that allows IP cameras to transmit data, but not to request data. In addition, during post access control, the network then monitors the IP camera to assure policy is applied while the IP camera is connected to the network.</p>
<p>This type of contextual information to build another level of defense is also extended to the virtualized data center environment. For example, once a virtual server comes online, policy can be applied to it, which is then communicated to the entire infrastructure. Policy may allow a virtual server to pass traffic between VMs on a select number of hypervisors. In addition, these VMs may also recognize that the new virtual server can do X and Y with these VMs but not Z. This level of control granularity enables SecOps to define virtual environment behavior in a meaningful way.</p>
<p><strong>The Network Can Be the Firewall</strong></p>
<p>Clearly, policy management is an integral component of SecureX. To define policy, Cisco offers the Cisco TrustSec solution, which can be deployed using the NAC Appliance or with a network-centric 802.1X strategy, combined with the Access Control Server. These solutions offer posture assessment, remediation and quarantine functionality. Non-authenticating devices such as IP cameras, printers, WLAN access points, etc., are profiled and placed on guest services with triple-A services. The aggregate of these features, with the ability to create centralized policy that can be pushed out to the entire network infrastructure, creates, in essence, a highly-distributed firewall. If a firewall’s job is to allow or deny access to IT resources, then SecureX turns the entire network into a highly-distributed firewall, where every component of the network is now analyzing and processing traffic.</p>
<p><strong>Enforcement and Layers of Context</strong></p>
<p>Context aware policy enforcement is performed with network infrastructure such as network switches, routing, firewalls, IPS, VPN, etc. There are layers of context: who are you, and should you be allowed to go to this website; or who are you, and what should I do with the types of email that you’re creating, or the traffic you’re generating based on who you are? It’s a meta context environment that asks, “Who are you in a dynamic environment?” In this dynamic environment, a higher-level policy may ask, “When you’re inside the network, there’s one set of rules. But if you leave the network, policy moves and perhaps changes with you.” For example, an exchange between two users may be allowed while both are inside the network. The network could allow certain content to pass between the users. But if one moves outside the network, then the network could stop some content from moving between them. Another example of enforcement due to anomalistic behavior could be a user logging in from within his/her New York network while another login request comes in from the same user located in Shanghai, China; the network needs to make a decision about which one of these users is authentic, and what action to take upon both users.</p>
<p><strong>Networking Is Much More than a Connectivity Service</strong></p>
<p>Enforcement is performed in both security appliances and network infrastructure. This elevates the network beyond a connectivity service to a secure IT service where it provides visibility, context and control, thanks to SecureX. When a network utilizes 802.1X for access control, for example, the network is providing not only connectivity but also enforcement. A SecureX network is creating and analyzing policy tags, performing enforcement of policy, dynamically identifying new devices, monitoring traffic, communicating with policy server(s) and making decisions about which access rules to apply to a device.</p>
<p><strong>Protecting Mobile Users</strong></p>
<p>The key architectural approach to SecureX is that the mobile device is equipped with a thin client, that being AnyConnect with the heavy processing burden of threat intelligence, mitigation and enforcement left in the Cloud or at the corporate head-end. Cisco’s AnyConnect plays an important role in SecureX to protect mobile devices as it leverages a huge resource of threat intelligence. SIO collects and analyzes traffic of approximately 5 billion emails per day, 3 billion Web requests per day and 700,000 network sensors or IPS; expand that to include approximately 100 million endpoint devices that are equipped with an AnyConnect client, and SecureX provides the most comprehensive real-time threat intelligence telemetry and mitigation to endpoints.</p>
<p>All of these numbers can be boiled down through a few examples. Consider a user, with a laptop equipped with an AnyConnect client, attempting to log into her/his corporate network. At the point of login, the network will identify the user, her/his role and which resource she/he is attempting to access. For example, Bill from finance is requesting access to the payroll server. Policy may be defined so that Bill can only have access while he’s inside the network perimeter, but not outside. Further, if Bill’s inside the network perimeter, policy may dictate that access to financial servers is encrypted via MACsec. No need for Bill to take any action, as a MACsec tunnel is established automatically as a matter of policy.</p>
<p><strong>Mobile Internet Browsing</strong></p>
<p>Consider an AnyConnect iPhone mobile user browsing the Internet with Cisco’s ScanSafe dynamically managing the Web interaction. With the endpoint’s VPN connection terminated on an ASA firewall, behavior is monitored. If anomalistic behavior occurs, such as malware activity traversing terminated VPN connections, ASA, in conjunction with ScanSafe and SIO, can extract that information and analyze it. In the event that a virus is propagating on iPhone-based smartphones, SecOps can be notified with a message such as “This is a warning. There’s something big happening on iPhone smartphones, and it’s happening in this part of the world. SIO is analyzing this information, will create and distribute a signature fix shortly.”  This type of message can be pushed to all AnyConnect VPN terminating devices: “There’s an iPhone virus coming on. SecOps is blocking it for the moment, and in the next few minutes, we’ll distribute a signature to destroy this virus.”  </p>
<p><strong>A SecureX Ecosystem Is in the Works</strong></p>
<p>There are two innovation inject points into SecureX to enable an ecosystem for management and SIEM. The management API offers an approach to a wider and more consistent management view of network and security resources. SecOps often requested a super management platform where visibility and control are available from one tool. Unfortunately, there is just too much information to display in one management window. But if multiple management tools/windows consulted the same policy data and shared this information, then a more consistent view of network assets could be obtained. An API for this type of information sharing would enable NetOps to manage its switched environment and not only control switches, but also gain visibility, in a security context, into what policies have been applied to each switch. This concept can be extended to all network element management tools that share policy information.</p>
<p>While not detailed in Cisco’s SecureX architecture, Cisco did announce a new SIEM ecosystem last month as it placed CS-MARS in end-of-life. This SIEM ecosystem will contribute to the contextual element of SecureX. For example, there are a number of ecosystem partners in place providing sophisticated types of analysis as they deepen their interaction with Cisco’s network infrastructure products. These partners collect real-time alarm information and correlate it with global SIO. The combination of Cisco’s SecureX and its SIEM ecosystem will be able to span threat intelligence from local machines to the global footprint of SIO, offering an expanse of security information that can be put to work to protect assets and mitigate threats once detected. These real-time local and global threat intelligence assets can also be interfaced with a policy engine to not only identify and control devices requesting network access, but also to monitor behavior within and outside a corporate network.</p>
<p>The value of a SIEM ecosystem and SIO feeding real-time global information to a policy server is best described through example. Should a device suddenly begin behaving anomalously, the network can automatically identify the device and its closest switch, and take action, such as locking the device and redirecting it to a remediation server. That is, SecureX will be able to perform infection containment and control, thanks to adding real-time local intelligence to the policy server, thereby changing policy on the fly based upon contextual information.</p>
<p>SecureX is Cisco’s latest attempt at integrating security deep into the network infrastructure as this infrastructure expands to mobile devices, cloud service providers and virtualized infrastructure. Its core component is context-aware policy that is centrally administered, with enforcement highly distributed. SecureX is a modern security architecture for a new age of mobile and cloud computing.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2011/03/lippis-report-168-cisco-pulls-all-the-pieces-of-its-network-security-program-into-one-architecture-securex/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>Lippis Report 167: Alcatel-Lucent Jumps into the Data Center Switching Market with Its OmniSwitch 10K</title>
		<link>http://lippisreport.com/2011/02/lippis-report-167-alcatel-lucent-jumps-into-the-data-center-switching-market-with-its-omniswitch-10k/</link>
		<comments>http://lippisreport.com/2011/02/lippis-report-167-alcatel-lucent-jumps-into-the-data-center-switching-market-with-its-omniswitch-10k/#comments</comments>
		<pubDate>Tue, 01 Mar 2011 00:35:15 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[10GbE]]></category>
		<category><![CDATA[Apresia]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Data Center Switching]]></category>
		<category><![CDATA[Enterprise Virtualization]]></category>
		<category><![CDATA[Force10]]></category>
		<category><![CDATA[IBM]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[IXIA]]></category>
		<category><![CDATA[Lippis]]></category>
		<category><![CDATA[ToR]]></category>
		<category><![CDATA[Voltaire]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=4303</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>The data center switching market is heating up. To address the scale issues posed by mobile and cloud computing nearly every network vendor is launching its own version of a 10/40/100 GbE fabric to connect servers and storage to the…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>The data center switching market is heating up. To address the scale issues posed by mobile and cloud computing, nearly every network vendor is launching its own version of a 10/40/100 GbE fabric to connect servers and storage to the internet. At the heart of this fabric is a two-tier (Fat-Tree) network made up of leaf/ToR and spine/Core switches. Here leafs connect servers and spines connect leafs while also being interconnected in a logical mesh. The protocols to create this logical mesh are based upon IS-IS link state routing, but each vendor is taking a unique approach, with Cisco using its FastPath, Alcatel-Lucent and Avaya using SPB (802.1aq Shortest Path Bridging), while Brocade VDX is based upon TRILL (Transparent Interconnection of Lots of Links). Juniper recently announced QFabric but has not detailed what it’s using for logical meshing. At the center of new data center design are leaf and spine switches. In <a href="http://www.lippisreport.com/?p=4274">Lippis Report Research Note 166</a>, we detailed the latest ToR switches. In this Lippis Report Research Note 167, we dive into performance and power consumption measurements, plus the use of SPB, for Alcatel-Lucent’s OmniSwitch 10K, a new entry into the spine/core data center switching market.</p>
<p><span id="more-4303"></span></p>
<div class="pod_rel">
<p class="pod_p">Juniper Networks EX8216 Core Switch At The Lippis/Ixia iSimCity Evaluation</p>
<p><a class="link_icon" href="/?lippis_pid=4018">Visit the Link</a></p>
</div>
<p>During December 6-10, 2010, the Lippis Report and Ixia conducted the industry’s first 10GbE data center switching evaluation of Top-of-Rack and Core Ethernet switches at the modern iSimCity lab in Santa Clara, CA. We evaluated Alcatel-Lucent’s OmniSwitch 10K, Arista’s 7504 Series Data Center Switch, BLADE Network Technologies’, an IBM Company, IBM BNT RackSwitch G8124 and IBM BNT RackSwitch G8264, Force10 Network’s S-Series S4810, Hitachi Cable’s Apresia 15000-64XL-PSR, Juniper Network’s EX Series EX8216 Ethernet Switch and Voltaire®’s Vantage™ 6048. We are conducting a second round of tests, scheduled for the week of April 4-8 at iSimCity, and it is <a href="http://www.lippisreport.com/?p=4238">open to all suppliers</a> of 10 and 40 GbE data center switching.</p>
<p>There were three Core/Spine switches evaluated for performance and power consumption in the Lippis/Ixia test. The participating products were:</p>
<p>Alcatel-Lucent OmniSwitch 10K<br />
Arista 7504 Series Data Center Switch<br />
Juniper Network EX Series EX8216 Ethernet Switch</p>
<p>These switches represent the state-of-the-art of computer network hardware and software engineering, and are central to private/public data center cloud computing infrastructure. </p>
<div class="pod_rel">
<p class="pod_p">Arista Networks 7504 Core Switch At The Lippis/Ixia iSimCity Evaluation</p>
<p><a class="link_icon" href="/?lippis_pid=4020">Visit the Link</a></p>
</div>
<p>If not for this category of Ethernet switching, cloud computing would not exist. The Lippis/Ixia public test was the first evaluation for every Core switch tested. Each supplier’s Core switch was evaluated for its fundamental performance and power consumption features. The Lippis/Ixia test results demonstrate that these new Core switches provide state-of-the-art performance at efficient power consumption levels not seen before. The port density tested for these Core switches ranged from 128 10GbE ports to a high of 256 10GbE.</p>
<p>IT business leaders are responding favorably to Core switches equipped with a value proposition of high performance, high port density, competitive acquisition cost, virtualization-aware services, high reliability and low power consumption. These Core switches currently are in high demand, with quarterly revenues for mid-size firms in the $20 to $40M plus range. The combined market run rate for both ToR and Core 10GbE switching is measured in the multibillion-dollar range. Further, Core switch price points on a 10GbE per port basis range from a low of $1,200 to a high of $6,093.</p>
<div class="pod_rel">
<p class="pod_p">Cisco Unified Network Services: Overcome Obstacles to Cloud-Ready Deployments</p>
<p><a class="pdf_icon" href="/?lippis_pid=4295">Get the White Paper</a></p>
</div>
<p>Their list price varies from $230,000 to $780,000, with an average order usually being in the million plus dollar range. The large difference in list price, as well as in price per port, between vendors is explained by the number of network services supported by the various suppliers and by 10GbE port density.</p>
<p>We compare each of the above firms in terms of their switches’ ability to forward packets quickly (i.e., latency), without loss (i.e., throughput at full line rate), when ports are oversubscribed with network traffic by 150%, in IP multicast mode and in cloud simulation. We also measure their power consumption.</p>
<p>Alcatel-Lucent launched its new entry into the enterprise data center market on December 17, 2010, with the OmniSwitch™ 10K. The OmniSwitch was the most densely populated device tested, with 256 ports of 10GbE. The test numbers below represent the first public performance and power consumption measurements for the OmniSwitch™ 10K running software version 7.1.1.R01.1638. The Alcatel-Lucent OmniSwitch™ 10K Modular Ethernet LAN Chassis is the first of a new generation of network adaptable LAN switches. It exemplifies Alcatel-Lucent’s approach to enabling what it calls Application Fluent Networks, which are designed to deliver a high-quality user experience while optimizing the performance of legacy, real-time and multimedia applications. So how did the OmniSwitch 10K do?</p>
<div class="pod_rel">
<p class="pod_p">IBM iDataplex and BLADE Network Technologies RackSwitch Fill King&#8217;s College London’s Need for Speed</p>
<p><a class="pdf_icon" href="/?lippis_pid=4249">Get the White Paper</a></p>
</div>
<p><strong>RFC 2544 Layer 2 and 3 Latency Test</strong></p>
<p>The OmniSwitch 10K was tested across all 256 ports of 10GbE. Its average latency ranged from a low of 20,561 ns or 20 μs to a high of 36,823 ns or 36 μs at jumbo-size 9216-byte frames for layer 2 traffic. Its average delay variation ranged between 5 and 10 ns, providing consistent latency across all packet sizes at full line rate. What this means is that the OmniSwitch 10K can be counted on to forward packets at these latencies without much variation, which is extremely important for predictable performance.</p>
<p>For layer 3 traffic, the OmniSwitch 10K’s measured average latency ranged from a low of 20,128 ns or 20 μs at 64 bytes to a high of 45,933 ns or 45 μs at jumbo-size 9216-byte frames. Its average delay variation for layer 3 traffic ranged between 4 and 10 ns, providing consistent latency across all packet sizes at full line rate.</p>
<p><strong>RFC 2544 Layer 2 and 3 Throughput Test</strong></p>
<p>The OmniSwitch 10K demonstrated 100% throughput as a percentage of line rate across all 256 10GbE ports. In other words, not a single packet was dropped while the OmniSwitch 10K was presented with enough traffic to populate all of its 256 10GbE ports at line rate simultaneously for both L2 and L3 traffic flows. Not a single packet was dropped while 2.5 Tbps of traffic passed through its line cards and backplane.</p>
<p><strong>RFC 2889 Congestion Test</strong></p>
<p>The OmniSwitch 10K demonstrated nearly 80% of aggregated forwarding rate as a percentage of line rate during congestion conditions. A single 10GbE port was flooded at 150% of line rate. The OmniSwitch did not use HOL blocking, which means that as the 10GbE port on the OmniSwitch became congested, it did not impact the performance of other ports. There was no back pressure detected, as the Ixia test gear did not receive flow control frames. This was not the same for the Arista 7504. See the full test report <a href="http://lippisreport.com/2011/01/open-industry-network-performance-power-test/">here</a>.</p>
<p><strong>RFC 3918 IP Multicast</strong></p>
<p>The OmniSwitch 10K demonstrated 100% aggregated throughput for IP multicast traffic, with latencies ranging from 9,596 ns at 64-byte packets to 28,059 ns at 9216-byte packets. The OmniSwitch 10K demonstrated the lowest multicast latencies of all vendors.</p>
<p><strong>Cloud Simulation Test</strong></p>
<p>The one test that was not RFC based is a cloud simulation that was developed by the Lippis Report and Ixia. This test determines the traffic delivery performance of the DUT (device under test) in forwarding a variety of north-south and east-west traffic in cloud-computing applications. This test measures the throughput, latency, jitter and loss on a per application traffic type basis across M sets of 8-port topologies. The following traffic types are used: web (HTTP), database-server, server-database, iSCSI storage-server, iSCSI server-storage, client-server plus server-client. The north-south client-server traffic simulates Internet browsing; the database traffic simulates server-server lookup and data retrieval, while the storage traffic simulates IP-based storage requests and retrieval. When all traffic is transmitted, the throughput, latency, jitter and loss performance are measured on a per traffic type basis.</p>
<p>The OmniSwitch 10K performed extremely well under cloud simulation conditions by delivering 100% aggregated throughput while processing a large combination of east-west and north-south traffic flows. Zero packet loss was observed as its latency stayed under 28μs.</p>
<p><strong>Power Consumption Test</strong></p>
<p>The OmniSwitch 10K represents a new breed of cloud network spine switches with power efficiency being a core value. The OmniSwitch consumes 13.3 Watts/10GbE port with a TEER (Telecommunications Energy Efficiency Ratio) value of 71. TEER is a measure of network-element efficiency quantifying a network component’s ratio of “work performed” to energy consumed. Larger TEER values are better, and the OmniSwitch is second only to Arista in TEER value, while Juniper’s EX8216 measured a 44 TEER. You can download the OmniSwitch 10K test report <a href="http://enterprise.alcatel-lucent.com/?product=OmniSwitch10K&#038;page=overview">here</a>.</p>
<p>The OmniSwitch 10K power cost per 10GbE is estimated at $16.26 per year. The three-year cost to power the OmniSwitch is estimated at $12,485.46 and represents less than 3% of its list price. In keeping with data center best practices, its cooling fans flow air front to back, which is the norm except for Juniper’s EX8216, which pushes air from side to side unless a third-party cabinet from a vendor such as Chatsworth encloses the EX8216 to support hot-aisle and cold-aisle deployments.</p>
<p><strong>Discussion:</strong></p>
<p>The OmniSwitch™ 10K seeks to improve application performance and user experience with deep packet buffers, a lossless virtual output queuing (VOQ) fabric and extensive traffic management capabilities. This architecture proved its value during the RFC 2889 layer 2 and layer 3 congestion test with a 78% aggregated forwarding rate when a single 10GbE port was oversubscribed at 150% of line rate. The OmniSwitch™ 10K did not use HOL blocking, back pressure or signal back to the Ixia test equipment with Aggregated Flow Control Frames to slow down traffic flow. Not tested but notable features are its security and its high availability design for uninterrupted uptime. The OmniSwitch™ 10K was found to have low power consumption, front-to-back cooling, front-accessible components and a compact form factor. The OmniSwitch™ 10K is designed to meet the requirements of mid- to large-sized enterprise data centers.</p>
<p>To demonstrate how the OmniSwitch™ 10K operates as a lossless fabric, plus its ability to deliver carrier class quality of service (QoS), Alcatel-Lucent conducted two separate sets of tests; its data is available <a href="http://enterprise.alcatel-lucent.com/?product=OmniSwitch10K&#038;page=overview">here</a>. The lossless fabric test configured 256 x 10GbE ports connected with fully meshed traffic running at wire-speed via Ixia test equipment. The objective of this test was to demonstrate that as fabric and management modules were pulled and inserted into the OmniSwitch™ 10K chassis, zero loss at 100% load would result, and the fabric would be lossless. With fully meshed traffic running through all 256 10GbE ports, the following modules were changed:</p>
<p>1. Fabric module was pulled out.<br />
2. Fabric module was inserted back.<br />
3. Management module (a fabric resides on this module) was pulled out.<br />
4. Management module was inserted back.<br />
5. Management module was pulled out causing a management failover in addition to fabric failover.<br />
6. Management module was inserted back.</p>
<p>The result of the lossless fabric test was that the fabric remained lossless as the above modules were pulled and inserted.</p>
<p>The carrier class QoS objective was to demonstrate no packet loss at wire-speed with P0-P7 (priority) traffic running in a fully meshed scenario, as in the test above. The carrier class QoS test configured 256 x 10GbE ports connected with fully meshed traffic, priority 0 to 7, running at wire-speed via Ixia test equipment. In this scenario, the OmniSwitch™ 10K delivered zero loss with consistent store-and-forward average latency in the range of 132,357 ns to 139,448 ns. See this <a href="http://enterprise.alcatel-lucent.com/?product=OmniSwitch10K&#038;page=overview">test report</a> for details.</p>
<p><strong>Cloud Network Architecture</strong></p>
<p>There are three approaches to connecting spine switches together to create a network fabric: MC-LAG (Multi-Chassis Link Aggregation Group), which allows one or more links to be aggregated together to form a Link Aggregation Group, TRILL and SPB. TRILL and SPB are emerging standards that provide shortest path frame routing in multi-hop Ethernet networks with arbitrary topologies, using an existing link-state routing protocol technology.</p>
<p>While there is debate over which approach is best, SPB has the following advantages. SPB deployments are planned for 2011 and offer greater scalability than TRILL. Further, SPB will interoperate with carrier infrastructure to allow private-public, private-private or public-public data center-to-data center connections. For network architects/designers and operations, there is a quick learning curve, as SPB uses the existing IS-IS protocol, and for service providers, SPB is already available through OAM (Operations, Administration and Maintenance), enabling it to be managed through existing management services.</p>
<p>Paramount in the two-tier leaf-spine architecture is high spine switch performance, as this architecture collapses the aggregation layer of the traditional three-tier network by connecting spine switches together. The above captures the major trends and demands that IT business leaders are requiring from the networking industry. The underpinnings of private and public data center cloud network fabric are 10GbE switching with 40GbE and 100GbE ports/modules. 40GbE and 100GbE are in limited availability now but will be increasingly offered and adopted during 2011. Network performance, including throughput and latency, is a fundamental switch attribute to understand and review across suppliers, because if the 10GbE switches an IT leader selects cannot scale performance to support increasing traffic volume plus shifts in traffic profile, not only will the network fail as a fabric, unable to support converged storage traffic, but business processes, application performance and user experience will suffer too.</p>
<p>During 2011, an increasing number of servers will be equipped with 10GbE LAN on Motherboard (LOM) driving 10GbE network requirements, and in 2012, high-end servers will be equipped with 40GbE LOM starting 40GbE’s growth curve. In addition, with nearly 80% of IT spend being consumed in data center infrastructure with all IT assets eventually running over 10GbE switching, the stakes could not be higher to select the right product upon which to build this fundamental corporate asset. Further, data center network equipment has the longest life span of all IT equipment; therefore, networking is a long-term investment and vendor commitment.</p>
<p>We review the Alcatel-Lucent OmniSwitch 10K from a perspective of performance and power measurement, mesh protocol support and key product features. Alcatel-Lucent has entered the data center switching market with a very competitive Core/spine switch. Clearly there are differences between Core switch vendors, and it’s advised to conduct a detailed review. For starters, <a href="http://enterprise.alcatel-lucent.com/?product=OmniSwitch10K&#038;page=overview">click here</a> for a copy of Alcatel-Lucent’s OmniSwitch 10K plus cross-vendor test results report.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2011/02/lippis-report-167-alcatel-lucent-jumps-into-the-data-center-switching-market-with-its-omniswitch-10k/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Lippis Report 166: A New Generation of Top-of-Rack Data Center 10GbE Switching Is Here</title>
		<link>http://lippisreport.com/2011/02/lippis-report-166-a-new-generation-of-top-of-rack-data-center-10gbe-switching-is-here/</link>
		<comments>http://lippisreport.com/2011/02/lippis-report-166-a-new-generation-of-top-of-rack-data-center-10gbe-switching-is-here/#comments</comments>
		<pubDate>Mon, 14 Feb 2011 22:59:25 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[10GbE]]></category>
		<category><![CDATA[Apresia]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Data Center Switching]]></category>
		<category><![CDATA[Enterprise Virtualization]]></category>
		<category><![CDATA[Force10]]></category>
		<category><![CDATA[IBM]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[IXIA]]></category>
		<category><![CDATA[Lippis]]></category>
		<category><![CDATA[ToR]]></category>
		<category><![CDATA[Voltaire]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=4274</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>During December 6-10, 2010, the Lippis Report and Ixia conducted the industry’s first 10GbE data center switching evaluation of Top-of-Rack and Core Ethernet switches at the modern iSimCity lab in Santa Clara, CA. We evaluated Alcatel-Lucent’s OmniSwitch 10K, Arista’s 7504…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>During December 6-10, 2010, the Lippis Report and Ixia conducted the industry’s first 10GbE data center switching evaluation of Top-of-Rack and Core Ethernet switches at the modern iSimCity lab in Santa Clara, CA. We evaluated Alcatel-Lucent’s OmniSwitch 10K, Arista’s 7504 Series Data Center Switch, BLADE Network Technologies’, an IBM Company, IBM BNT RackSwitch G8124 and IBM BNT RackSwitch G8264, Force10 Network’s S-Series S4810, Hitachi Cable’s Apresia 15000-64XL-PSR, Juniper Network’s EX Series EX8216 Ethernet Switch and Voltaire®’s Vantage™ 6048. We are conducting a second round of tests, scheduled for the week of April 4-8 at iSimCity, and it is open to all suppliers of 10GbE data center switching. We learned a lot about these products, both in the lab and out. In this Lippis Report Research Note, we dive into the Top-of-Rack 10GbE switches we tested, as they represent a new generation of products that exhibit low power consumption, low latency and high performance, and are all based upon new single chip designs from Broadcom, Marvell or Fulcrum Micro.</p>
<p><span id="more-4274"></span></p>
<div class="pod_wide">
<p><img height="70" width="55" src="/wp-content/uploads/gary_kinghorn_Cisco.jpg" /><strong>Cisco Re-defines Networking with Its Unified Network Services </strong></p>
<p><a href="/?lippis_pid=4150">Listen to the Podcast</a></p>
</div>
<p>The Top-of-Rack (ToR) switches tested at iSimCity were the:</p>
<p>BLADE Network Technologies, an IBM Company, IBM BNT RackSwitch G8124 and IBM BNT RackSwitch G8264;<br />
Force10 Network’s S-Series S4810;<br />
Hitachi Cable’s Apresia 15000-64XL-PSR;<br />
Voltaire®’s Vantage™ 6048.</p>
<p>All of these ToR switches utilize a new single chip design, but mostly from different silicon suppliers. With a single chip provided by chip manufacturers Broadcom, Marvell or Fulcrum Micro, vendors are free to invest resources in areas other than ASIC development, which can consume much of a company’s engineering and financial resources. With merchant silicon providing a forwarding engine for their switches, these vendors are free to choose where to innovate, be it in buffer architecture, network services such as virtualization support, 40GbE uplink or fan-in support, etc.</p>
<div class="pod_rel">
<p class="pod_p">Alcatel-Lucent OmniSwitch™ 10K Test Results</p>
<p><a class="link_icon" href="/?lippis_pid=4171">Visit the Link</a></p>
</div>
<p>The Lippis/Ixia test results demonstrate that these new chip designs provide state-of-the-art performance at efficient power consumption levels not seen before. In addition, price points on a 10GbE per port basis for ToR switches range from a low of $351 to a high of $520.</p>
<p>IT business leaders are responding favorably to ToR switches equipped with a value proposition of high performance, low acquisition price and low power consumption. These ToR switches currently are the hot boxes in the industry, with quarterly revenues for mid-size firms in the $10 to $15M plus range. We compared each of the above firms in terms of their switches’ ability to forward packets quickly (i.e., latency), without loss (i.e., throughput at full line rate), when ports are oversubscribed with network traffic by 150 percent, in IP multicast mode and in cloud simulation. We also measured their power consumption. <a href="http://info.bladenetwork.net/lippis">Click here</a> for a copy of BLADE’s G8124 and G8264 plus cross-vendor test results report and <a href="http://www.force10networks.com/company/forms/campaigns.asp?campLSD=LippisReport_Jan2011">click here</a> for a copy of Force10’s S4810 plus cross-vendor specific report.</p>
<div class="pod_rel">
<p class="pod_p">BLADE Network Technologies, an IBM Company,  IBM BNT RackSwitch G8124 &#038; G8264 Test Results  </p>
<p><a class="link_icon" href="/?lippis_pid=4177">Visit the Link</a></p>
</div>
<p><strong>Latency Measurement Anomalies</strong></p>
<p>When evaluating five products from four companies, there are bound to be anomalies. One anomaly was found during latency measurement. As both BLADE and Force10 use the same Broadcom chip in their G8264 and S4810 ToR switches, respectively, one would expect their latency measurements to be close, but the S4810 showed lower latency values. As it turns out, the Broadcom chip allows switches to forward in cut-through and/or store-and-forward mode. The G8264 was configured and tested in cut-through mode while the S4810 and all other switches were configured and tested in store-and-forward. Test equipment, such as Ixia and others, measures latency very differently in these two forwarding modes.</p>
<div class="pod_rel">
<p class="pod_p">Force10 Networks S-Series S4810 Test Results </p>
<p><a class="link_icon" href="/?lippis_pid=4180">Visit the Link</a></p>
</div>
<p>During store-and-forward testing, test equipment subtract packet transmission latency, decreasing actual latency measurements by the time it takes to transmit a packet from input to output port. This makes comparisons between the two-latency measurement testing methodologies difficult. Also other potential device specific factors can impact latency too.  But looking at the bigger picture, latency is being measured in the hundreds to thousands of nanoseconds across various packet sizes, making these switches the fastest forwarding engines in the market.</p>
<p>One of the biggest surprises was Voltaire’s Vantage 6048 ToR latency results, which were the highest of the group by nearly a factor of 2. Voltaire, now owned by Mellanox, used the Marvell 10GbE single chip code named Lion. The Hitachi Apresia 15000-64XL-PSR showed low latency results but it had other difficulties. For example, the largest frame size supported is 9044, excluding it from the 9216 byte size packet tests. Further, there is no latency data for the Apresia 15000-64XL-PSR at 64 bytes due to configuration difficulties during testing. The 15000-64XL-PSR could not be configured to maintain a VLAN at 64 bytes, which eliminated the packet signature needed to measure latency at this packet size.</p>
<p>A big surprise and delight was how low the average delay variation was for all suppliers. Average delay variation was in the 5 to 10ns range, meaning that all of the above ToR switches deliver their latency results reliably.</p>
<p><strong>Throughput </strong></p>
<p>The results of RFC 2544 throughput testing should be boring, with all ToR switches showing 100% throughput at line rate. The only anomaly here was the Apresia 15000-64XL-PSR during layer 2 forwarding, which dropped packets at packet sizes between 128 and 2176 bytes.</p>
<p><strong>Congestion Testing</strong> </p>
<p>RFC 2889 congestion testing was telling too. Here the IBM BNT RackSwitch G8124 and IBM BNT RackSwitch G8264, Force10 Networks’ S-Series S4810 and Voltaire®’s Vantage™ 6048 performed as expected, that is, offering 100% line rate under congestion conditions without head-of-line blocking and using back pressure or pause messages to control the flow of traffic. Here again, Hitachi Cable’s Apresia 15000-64XL-PSR showed head-of-line blocking and low throughput, especially at the higher packet sizes of 2176 bytes.</p>
<p><strong>IP Multicast </strong></p>
<p>For RFC 3918 IP Multicast Throughput No Drop Rate testing, the IBM BNT RackSwitch G8124 and IBM BNT RackSwitch G8264 and Force10 Networks’ S-Series S4810 performed flawlessly, exhibiting 100% line rate throughput and nanosecond latency, with the G8124’s average latency at 700ns and below. The IBM BNT RackSwitch G8264 and Force10 Networks’ S-Series S4810 performed similarly in IP multicast, as expected, since they are both based upon the same Broadcom chip. The G8264 demonstrated a slight advantage of 100ns at the higher packet sizes while Force10 showed approximately 100ns advantage at the lower packet sizes. The Apresia 15000-64XL-PSR and Vantage 6048 do not support IP Multicast at this time.</p>
<p><strong>Cloud Simulation </strong></p>
<p>The one test that was not RFC based is a cloud simulation that was developed by the Lippis Report and Ixia. This test determines the traffic delivery performance of the DUT (device under test) in forwarding a variety of north-south and east-west traffic in cloud-computing applications. This test measures the throughput, latency, jitter and loss on a per application traffic type basis across M sets of 8-port topologies. The following traffic types are used: web (HTTP), database-server, server-database, iSCSI storage-server, iSCSI server-storage, client-server plus server-client. The north-south client-server traffic simulates Internet browsing, the database traffic simulates server-server lookup and data retrieval, while the storage traffic simulates IP-based storage requests and retrieval. When all traffic is transmitted, the throughput, latency, jitter and loss performance are measured on a per traffic type basis. </p>
<p>This test is telling too as it’s designed to be a simulation of real-world cloud-computing traffic. The results here show that the IBM BNT RackSwitch G8124 and G8264 delivered the lowest latency consistently across all protocol types. The Apresia 15000-64XL-PSR performed very well in this test too, followed by Force10’s S4810 and then Voltaire’s Vantage 6048. Anomalously, both the Force10 S4810 and Vantage 6048 spiked in terms of latency for east-west database-server, HTTP and iSCSI-Storage traffic flows. Both IBM BNT RackSwitches and Force10’s S4810 were tested in cut-through mode.</p>
<p><strong>Power Consumption</strong></p>
<p>Power consumption or energy efficiency has become a paramount concern in data centers as the cost of power and cooling starts to dominate TCO (total cost of ownership) over a three-year period. The ToR switches tested offer the lowest power consumption of switching products evaluated in public industry tests. Their power consumption, measured in watts per 10GbE via ATIS methodology, ranged from 3.6 to 5.5. We then projected annual cost per 10GbE to be between $4.36 and $6.70, with the Apresia 15000-64XL-PSR offering the lowest power consumption. The IBM BNT RackSwitch G8264 and Force10’s S4810 were very close at $4.78 and $4.91, respectively, with the G8264 having a slight advantage. Of the 48-port 10GbE ToR switches, Voltaire’s Vantage 6048 consumed the most energy at 5.5 watts/10GbE.</p>
<p>While not confirmed, the IBM BNT RackSwitch G8124 may be based upon the Fulcrum single chip set, code named Bali, as well as Arista’s 7124 and Force10’s S2410. The Apresia 15000-64XL-PSR may be based upon the Broadcom Trident single chip. There are rumors in the industry too that large networking firms may start to utilize merchant silicon rather than build their own, as these chips offer a quicker path to market and are delivering solid performance, latency and power efficiency results.</p>
<p>While I detail ten recommendations in the test report, here I’ll focus on one. 10GbE ToR switches are ready for mass deployment, delivering full line rate throughput at zero packet loss and nanosecond latency plus single- to double-digit delay variation. In addition, these ToR switches offer low power consumption with energy cost over a three-year period estimated between 3 and 4% of acquisition cost. Clearly there are differences between vendors, and it’s advised to conduct a detailed review. For starters <a href="http://info.bladenetwork.net/lippis">Click here</a> for a copy of BLADE’s G8124 and G8264 plus cross-vendor test results report and <a href="http://www.force10networks.com/company/forms/campaigns.asp?campLSD=LippisReport_Jan2011">Click Here</a> for a copy of Force10’s S4810 plus cross-vendor specific report.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2011/02/lippis-report-166-a-new-generation-of-top-of-rack-data-center-10gbe-switching-is-here/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Lippis Report 165: Network Security in a Virtualized World</title>
		<link>http://lippisreport.com/2011/01/lippis-report-165-network-security-in-a-virtualized-world/</link>
		<comments>http://lippisreport.com/2011/01/lippis-report-165-network-security-in-a-virtualized-world/#comments</comments>
		<pubDate>Tue, 01 Feb 2011 02:28:18 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[AnyConnect]]></category>
		<category><![CDATA[ASA]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Firew]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[Lippis]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[VPN]]></category>
		<category><![CDATA[VSG]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=4191</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>There are powerful market forces changing IT delivery. IT application delivery is becoming increasingly centralized thanks to data center server virtualization plus mobile and cloud computing.  Desktops are being virtualized, too, thanks to network speeds that deliver low latency and…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>There are powerful market forces changing IT delivery. IT application delivery is becoming increasingly centralized thanks to data center server virtualization plus mobile and cloud computing.  Desktops are being virtualized, too, thanks to network speeds that deliver low latency and high bandwidth, creating a thin client user experience that is indistinguishable from a thick client but at lower desktop management cost. One serious implication of this concentration of IT in data centers is that a new IT security model is needed as mobility brings greater threat exposure while virtualization changes traffic patterns and the rules of security appliance placement. In this Lippis Report Research Note, we present a new model for IT security in the virtualized mobile and cloud-computing era.</p>
<p><span id="more-4191"></span></p>
<p>Users are demanding that IT support commercial mobile computing platforms in the enterprise market, driving nearly exponential growth of these devices within corporations. And as commercial mobile computing use (that is, Apple’s iPhone/iPad and Android smartphones and tablets) rises, it’s pushing applications, data and IT critical resources into private and public data center cloud facilities. In short, IT is shifting toward both mobile and cloud computing simultaneously, as the two are inextricably linked. Factor in the need for geographically and time independent access to IT services on any end point device, and you have the makings of a major shift toward centralizing application delivery to geographically dispersed end points that can scale globally.</p>
<p>This pull to centralize IT applications is driven by technology innovation in mobile and cloud computing, together with the financial and performance gains afforded by virtualization. But while there are material business benefits to this IT transition, there are risks too. Threats continue to increase, especially as mobile computing expands the diameter of access to data center resources. Virtualization provides huge efficiency benefits but changes the way in which security devices, such as firewalls, need to work to secure applications.</p>
<p>For example, traditional network services (that is, firewall, IPS, VPN tunneling, etc.) are frequently placed in-line or in the flow of traffic, forming a line of layer 4-7 network services. But as applications are virtualized, their movement may take them out of the path of traffic flow, making it difficult to maintain network services to Virtual Machines (VMs) and their applications. In most data centers, a mix of physical and virtual network services is emerging as well as a mix of virtual servers and physical servers based upon old and new investment. What IT business leaders demand is that their investment in physical and/or virtual network services support both virtualized and non-virtualized applications, so they may extract the highest value from their IT dollars, and that the same level of security services is applied to both virtualized and non-virtualized applications. This is a hard problem to solve and requires new thinking in network security.</p>
<p><strong>The New Approach to Network Security</strong></p>
<p>Before we dive into security architecture, a new approach to network security thinking is in order. Traditionally, network security was based upon the hard-shell and soft-core concept: build a perimeter of firewalls and IPS equipment creating a hard shell around IT assets, but keep the internal network free of security services, that is, a soft core. Then security layering was added to this model by offering defenses in depth to harden the soft core. While these approaches are still valid, thinking needs to be expanded in step with the directions of IT.</p>
<p>Modern day network security architecture needs to defend, extend, prevent and comply. By defend, we mean mitigate threats as the number of exploits, malware, etc., continues to rise. Network security services need to be extended to support virtualized data centers as well as mobile users and cloud-computing facilities. Network services need to prevent business loss, be it through data loss prevention or business continuity. And lastly, network security needs to assure compliance with government legislation/regulation/orders to mitigate risks of non-compliance.</p>
<p>Applying this new thinking in network security to major user behavior scenarios and IT assets creates a security blanket that is both broad and deep. For example, systemic across the enterprise, progressive IT business leaders are developing cloud security, desktop virtualization security and, for those engaged in on-line transactions, a PCI solution. These three security services support IT assets in need of protections, such as application security, mobile user experience security, virtualization security, service security such as encryption plus infrastructure security, e.g., firewall, IPS, VPN.</p>
<p><strong>Cisco’s Data Center Virtualization Security Approach</strong></p>
<p>There are only a few IT firms that can deliver the depth and breadth of this type of a security approach. These firms are Cisco, IBM, HP, Microsoft, Oracle and perhaps CA. For this Research Note, we focus on Cisco as it possesses all the technologies to deliver on a broad data center virtualization security solution. In the above example, Cisco’s ScanSafe would provide email and web application security. Its AnyConnect mobile client provides mobile security for VPN and cloud access. Service security is delivered via TrustSec, an architecture providing policy, identity and encryption services. For infrastructure security, its ASA (or Adaptive Security Appliance) security product combines firewall, IPS and VPN, while infrastructure security services are also embedded in its switch and router product lines. While all of the above products have been in production for some time, Cisco has launched an innovative approach to solving one of the biggest virtualization security problems: virtualizing firewall services and steering traffic to them as application flow changes from in-line to off-line, as occurs when applications become virtualized.</p>
<p><strong>Virtual Security Gateway</strong></p>
<p>Within Cisco’s Unified Network Services (UNS) umbrella of products, it has launched its data center firewall called VSG or Virtual Security Gateway, and provides it with management and policy services via its VNMC or Virtualized Network Management Center software. VSG is an example of a virtual service node, as compared to the physical ASA security appliance. The key underpinning technology to VSG is the Nexus 1000V and vPATH, which enable traffic to be re-routed or steered to the virtual firewall nodes…more on this below.</p>
<p>VSG is a proof-point of Cisco’s ability to solve the firewall problem within virtualized infrastructure; that is, how to provide firewall services to flows destined to and between various VMs. vPATH, a software module within the Nexus 1000V softswitch, steers traffic to VSG, which blocks or allows traffic flow to its destination. Further, VSG assures that the correct network security service is applied, and a VM’s policies follow it as it moves between physical servers. VSG policy is centrally managed through the VNMC umbrella management platform.</p>
<p>By inserting vPATH technology/software into the Nexus 1000V virtual switch, hypervisor and VM traffic is redirected as needed to deliver network services, such as firewall.</p>
<p><strong>vPATH</strong></p>
<p>In the case of VSG, through VNMC, policy is created to define what type of traffic needs to be redirected, and then what action to take upon that traffic once it arrives at the firewall. As traffic destined for a particular VM reaches a server or Nexus 1000V, it is intercepted by vPATH, which redirects it to VSG for inspection. VSG then performs its network security service and forwards the traffic, if allowed, to its destination, just as a firewall appliance operates. In short, vPATH intercepts traffic and sends it to VSG, while VSG performs its security service and decides if traffic will be forwarded to the destination VM.</p>
<p><strong>Fast Path </strong></p>
<p>vPATH also benefits from a concept called fast path. Fast path is similar to a cut-through method in that once traffic has been forwarded to VSG for firewall services, for example, the remainder of the traffic flow is routed directly to its VM destination. Note that fast path can be utilized for most network services. Fast path obviates the need to route all traffic through VSG once the first packet of the flow has been processed by the firewall. Therefore, all traffic does not require packet-by-packet inspection, speeding up flows and reducing processing and latency.</p>
<p>For example, if the first packet of a flow passes through VSG without alteration then the rest of the flow should pass uninspected as the security rules are the same. However, this wouldn’t be the case for an IPS system, where the entire payload is inspected to assure there is no malware residing in the flow. </p>
<p>A key benefit of vPATH is that it intelligently steers traffic via flow classification and redirection to associated VSGs to implement security policies in a virtual environment. With fast path offload, policy enforcement of flows is offloaded by VSG to vPATH, delivering improved efficiency and performance of firewall services to virtualized applications. These capabilities, along with physical firewalls, help IT leaders to regulate how virtualized and non-virtualized applications receive firewall services. In addition, as VMs move between physical servers, firewall settings do not need to change as they follow the VM move within the data center. Thus VSG is mobility aware and is VLAN and topology agnostic, enabling flexibility not seen before in virtualized data center environments.</p>
<p>Going back to the need for a modern approach to network security, the combination of Cisco’s ASA, VSG, AnyConnect and Security Intelligence Operations or SIO starts to deliver the attributes of defend, extend, prevent and comply to IT business leaders concerned with protecting modern IT business assets. For example, AnyConnect 3.0 provides security services for remote and mobile end points via client software on laptops, tablets and smartphones with centralized policy control. In short, AnyConnect provides protections against the increased network diameter afforded by mobile and cloud computing. SIO is one of the most comprehensive and globally expansive threat detection services that update Cisco IPSs with exploit signatures in near real time, thanks to its global threat correlation service. SIO is based upon over 1 million sensors (Cisco IPS) distributed around the globe from which it sends and receives updates and is staffed with over 500 security experts.</p>
<p>So as servers and applications are virtualized and computing goes mobile and to the cloud, a new modern approach to network security is taking hold. With Cisco, its network security architecture and products of ASA, VSG, AnyConnect and SIO span the new nature of borderless IT to offer business leaders protections as they manage their business and exploit the value created by this new cycle in Information Technology.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2011/01/lippis-report-165-network-security-in-a-virtualized-world/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Lippis Report 164: Cisco Builds a Modern Network Service Layer for Virtualized and Cloud Infrastructure</title>
		<link>http://lippisreport.com/2011/01/lippis-report-164-cisco-builds-a-modern-network-service-layer-for-virtualized-and-cloud-infrastructure/</link>
		<comments>http://lippisreport.com/2011/01/lippis-report-164-cisco-builds-a-modern-network-service-layer-for-virtualized-and-cloud-infrastructure/#comments</comments>
		<pubDate>Tue, 18 Jan 2011 03:48:51 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Data Center]]></category>
		<category><![CDATA[Enterprise Virtualization]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[Unified Fabric]]></category>
		<category><![CDATA[Unified Network Services]]></category>
		<category><![CDATA[UNS]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=4090</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Any IT business leader knows that the single most important technology driving data center design change is server virtualization to the point that a virtual machine (VM) is now the data center building block. As server virtualization marches on until…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Any IT business leader knows that the single most important technology driving data center design change is server virtualization to the point that a virtual machine (VM) is now the data center building block. As server virtualization marches on until nearly every physical server has been virtualized, networking in a virtualized environment is being forced to fundamentally change too. By networking, I mean not only layer 2 and 3 forwarding but network services too, such as application controllers, WAN optimizers, firewalls, etc., which are fundamental for mission critical application performance, cost reduction and high application availability especially where service level agreements are required.</p>
<p><span id="more-4090"></span></p>
<p>Adding new applications to a data center has become highly complex, thanks to all the routing paths that need to be set up to provide connectivity and reach of network services plus the configuration and policy set-up for network services specific to the application. Then, once the application is operational, it’s hard to virtualize it and move it via v-motion, et al, while keeping set-up and policies intact, especially routing paths. The current state of rigid networking consumes time and cost and, most importantly, limits the speed and agility with which new applications can be delivered and businesses can react to market dynamics. This is a nasty problem, riddled with complexity and associated cross-administrative operational cost, limiting the number of applications that can be virtualized until this problem is solved.</p>
<p>An entirely new approach to deploying, provisioning and managing data center network services in a virtualized environment is needed, and Cisco is addressing this need with its Unified Network Services or UNS. Cisco’s UNS is not just a suite of its layer 4-7 network service offerings such as ACE, WAAS, etc., but a framework for transparently inserting network services into a virtual server environment for steering traffic to network services on a per-VM basis plus an extensible and integrated policy management architecture. The key word in UNS is “unified,” as UNS makes network services available to both physical and virtual servers and their associated applications via steering traffic to network services hosted in appliances/modules/blades or within a VM. UNS promises to help reduce the costs to deploy new applications plus to enable more applications to be virtualized. In short, UNS offers an approach to deploy, provision and manage new applications without the network set-up complexity mentioned above.  In addition, it also promises to remove network complexity associated with virtualizing applications and their moves. UNS is a main pillar of Cisco’s Data Center Business Advantage architecture, along with Cisco’s Unified Fabric and Unified Computing Services. These pillars combine to form the tightly-integrated next generation data center components including the network, storage, application services, virtualization layers and network services.  </p>
<p>Cisco’s UNS is addressing mobile (v-motion) applications and their associated changing or dynamic network topology requirements by steering traffic to appropriate network services that are centrally controlled via policy. These network services such as firewalls, application controllers, WAN acceleration, load balancing, etc., can be packaged in appliances, modules, server blades and/or other form factors and/or increasingly as a virtualized service. UNS is a modern approach to applying layer 4-7 network services to both non-virtualized applications and VMs, while in the process solving some of the most complex problems associated with virtualized infrastructure.</p>
<p><strong>Dedicated Hardware Services to Virtualized Network Services</strong></p>
<p>Traditional network services (that is, firewall, IPS, load balancing, application controllers, WAN acceleration, etc.) are frequently placed in-line or in the flow of traffic, forming a line of layer 4-7 network services. But as applications are virtualized, their movement may take them out of the path of traffic flow, making it difficult to maintain network services to VMs and their applications. In most data centers, a mix of physical and virtual network services is emerging as well as a mix of virtual servers and physical servers based upon old and new investment. What IT business leaders demand is that their investment in physical and/or virtual network services support both virtualized and non-virtualized applications so they may extract the highest value from their IT dollars. This is a hard problem to solve and requires new thinking in networking, which is what UNS is focused upon delivering. In short, UNS allows mixing and matching of physical and virtual network services to support either virtualized or non-virtualized applications through a more flexible approach to networking and policy management. So how do IT architects create this level of flexibility?</p>
<p>In a UNS environment, the physical placement of network services in appliance/modules/server blades, etc., or virtualized form is moot, offering IT architects a new degree of freedom to access these services anywhere in a virtualized infrastructure. A network service can be offered to a VM and its associated traffic, independent of its form factor, be it a physical appliance, dedicated module or virtualized network service, as long as the VM and softswitch send traffic to the appropriate service as the application moves around the data center.</p>
<p>That’s important as traffic patterns have shifted from primarily north-south to a mix of east-west and north-south, resulting in the need for network services to offer far greater flexibility in their reach to service VMs and the applications they contain. And as network services are logically wrapped around a VM via policy, they receive the benefit of all moving together, solving one of the biggest virtualization problems in the industry: manually intensive change management. Parallel to making network services accessible independent of their location and packaging is the added benefit of virtualizing network services, as this will decrease the number of hardware appliances in a data center, reducing complexity, total cost of ownership and energy consumption.</p>
<p><strong>Unified Network Services Is a Platform for Inter-Cloud Mobility and On-Demand Provisioning</strong></p>
<p>But perhaps even more important than solving the immediate change management problem is that unified network services deliver a set of attributes that put in place the tools and ability to deliver elastic IT services between clouds—the holy grail of cloud computing. With core network services unified, a degree of flexibility is gained far beyond current technology and offers a platform in which service advertising and registry can occur so that a “provision proxy” can automate network service configuration to meet new IT service delivery needs in near real time; but this is a topic for another day. The important point is that a unified network service is a platform that all large IT firms, cloud providers and enterprises will be investing in over the next business cycle.</p>
<p><strong>Cisco’s Unified Network Services or UNS</strong></p>
<p>In this Research Note, we review Cisco’s UNS, the most comprehensive approach to data center and cloud network service deployments in the industry thus far. UNS addresses the on-demand provisioning problem so sought after in virtualized infrastructure. That is, when IT leaders need to allocate resources from within or between a private or public cloud on demand and quickly, UNS will respond to a capacity request so that network services are provisioned in the right order, at the right capabilities and within minutes rather than months. In short, UNS’s vision is to enable on-demand network service delivery and on-demand provisioning to accommodate VM container workload mobility within the construct of an Enterprise’s IT model or service architecture.</p>
<p><strong>The Virtual Security Gateway</strong></p>
<p>UNS is both a vision of on-demand service provisioning and the products that enable its construct. Within UNS, Cisco has launched its data center firewall called VSG or Virtual Security Gateway, and is on a path of virtualizing its data center service products including the Wide Area Application Services or WAAS, et al, and providing them with consistent policies via its VNMC or Virtualized Network Management Control software. VSG is an example of a virtual service node, as compared to physical ASA security appliances. The key underpinning technology to VSG is the Nexus 1000v and vPATH, which enable traffic to be re-routed or steered to the virtual firewall nodes; more on this below.</p>
<p>Cisco’s VSG offers a model of how network services are virtualized and in the process, solves some of the biggest server virtualization problems while delivering added flexibility value.  VSG is a proof-point of Cisco’s ability to solve the firewall problem within virtualized infrastructure; that is how to provide firewall services to flows destined to and between various VMs.  vPATH, a software module within the Nexus 1000v softswitch, steers traffic to VSG, the firewall, which blocks or allows traffic flow to its destination. Further, VSG assures that the correct network security service is applied and a VM’s policies follow it as it moves between physical servers. VSG policy is centrally managed through the VNMC umbrella management platform.</p>
<p>Central to UNS is vPATH technology that confers the same VSG benefits discussed above to Cisco’s new Virtual WAAS or vWAAS WAN acceleration offering. vPATH is fundamental to UNS as it delivers unification by being the same underlying infrastructure for both VSG and vWAAS. Therefore, by inserting vPATH technology/software into the virtual switch, hypervisors and VM’s traffic is re-directed as needed to deliver network services, such as firewall, WAN acceleration, etc.</p>
<p><strong>vPATH</strong></p>
<p>In the case of VSG, through VNMC, policy is created to define what type of traffic needs to be redirected, and then what action to take upon that traffic once it arrives at the firewall. As traffic destined for a particular VM reaches a server or Nexus 1000v, it is intercepted by vPATH, which redirects it to VSG for inspection. VSG then performs its network security service and forwards the traffic, if allowed, to its destination, just as a firewall appliance operates.</p>
<p>The closest analogy to describe vPATH’s function is network-based application recognition. That is, NBAR analyzes traffic and classifies it, and then performs a function such as prioritization. Similarly, vPATH intercepts traffic and sends it to VSG, while VSG performs its security service and decides if traffic will be forwarded to the destination VM.</p>
<p><strong>Fast Path </strong></p>
<p>vPATH also benefits from a concept called fast path. Fast path is similar to a cut-through method in that once traffic has been forwarded to VSG for firewall services, for example, the remainder of the traffic flow is routed directly to its VM destination. Note that fast path can be utilized for most network services. Fast path obviates the need to route all traffic through VSG once the first packet of the flow has been processed by the firewall. Therefore, all traffic does not require packet-by-packet inspection, speeding up flows and reducing processing and latency.</p>
<p>For example, if the first packet of a flow passes through VSG without alteration, then the rest of the flow should pass uninspected as the security rules are the same. However, this wouldn’t be the case for an IPS system, where the entire payload is inspected to assure there is no malware residing in the flow. Fast path will evolve to support various traffic scenarios too. </p>
<p><strong>Network Service Chaining</strong></p>
<p>Cisco’s UNS provides a solution to the challenge of providing network services to traffic flows within a virtualized infrastructure that stick to VMs as they move and change physical location in the data center. The next challenge is to provide virtualized network service chaining. Chaining network services is the ability to create a single policy for traffic flows as it ingresses to a VM for multiple network services. For example, a policy may apply firewall, load-balancing, WAN-optimization, etc., to a flow and route that traffic through subsequent services, as opposed to having to create unique policies, intercept each one and route traffic accordingly. Chaining is a huge operational time saver, and it hastens the flow of traffic within the data center. vPATH is one underlying mechanism that can steer traffic to services in the right chain/order.   </p>
<p><strong>The UNS Value Proposition</strong></p>
<p>From a data center network design perspective, UNS is developing a set of network service building blocks that brings physical network service appliances and virtual service nodes into virtualized environments along with the tools to apply policies to govern their use. As more and more data centers become virtualized so too will network services. In addition, as physical and virtual data centers will co-exist for many years to come, the ability to offload physical network appliances with virtualized ones as well as pass traffic between them offers a transition path and a means to extend the life of existing appliance investments.</p>
<p>As mentioned above, physical data centers are equipped with stacks of appliances offering load balancing, WAN acceleration, firewalls, IPS, etc. Now with service chaining and vPATH, all of these physical and virtualized appliances can be put to work servicing VMs and their applications. Most importantly though is that UNS offers a way to control network services so that VMs, virtual applications and mobile workloads can be scaled up and down plus moved within a dynamic network that allows provisioning services easily. For all intents and purposes, the industry has not had a multi-service chaining mechanism in the physical world. IT operations have done this manually via provisioning VLANs, policy routing, Web Cache Communications Protocol or WCCP, etc. But the old approach is static, and when servers, applications, appliances, etc., move or change, manual intervention is required. The beauty is that chaining network services in a virtualized infrastructure enables elastic scale-up and scale-down much more seamlessly.</p>
<p><strong>Why Unify Network Services</strong></p>
<p>One of the key strategic elements behind UNS is to change the mindset in which IT leaders deploy network services. Traditionally, network service appliances were deployed at the edge of the data center or in front of a specific application server. But servers and applications are often moved, creating the manual re-configuration problem discussed above. Having common accessible network services in private and public data center clouds could offer huge provisioning benefits. For example, there could be, potentially, a vWAAS instantiation in Amazon EC2, Rackspace, GoGrid, etc., which IT leaders who have deployed WAAS in their branch offices could leverage, meaning their WAN would be accelerated thanks to a common WAAS image in the branch and cloud providing that network service independent of these two application deployment models. This new network services deployment model attempts to blend the worlds of Cisco’s borderless and data center initiatives to the fullest extent.</p>
<p>What’s the intrinsic value of virtualizing a network service? In the case of vWAAS, Cisco is able to give IT leaders flexibility of placement and IT delivery. vWAAS is easier to scale up, licensed in a “pay as you grow” model, offers fewer devices to manage with less power and cooling cost plus is overall more flexible in its placement. In addition, vWAAS and WAAS can both offer WAN acceleration services to virtualized applications thanks to vPATH, increasing the usefulness and value of both. vWAAS may be deployed by cloud providers too, which could offer IT leaders a WAN acceleration option independent of application hosting.</p>
<p><strong>Distributed Deployment with Centralized Management </strong></p>
<p>Value is gained by being able to deploy network services in a distributed fashion, thanks to UNS. UNS changes network service deployment from a centralized model to distributed. But while virtualized network services are distributed, their management is centralized, offering operational efficiency and deployment flexibility. Distributed network service deployment with centralized management is the only approach that works as virtualized network services tend to be distributed widely. In fact, large data centers and clouds will see their instantiations of a particular service grow from a few hundred to thousands, if not more. Therefore, centralized management of virtualized network services provides the control knobs to provision, develop policy, steer traffic, etc., for thousands of virtualized network services distributed throughout a virtualized infrastructure. For example, in Cisco’s UNS, vWAAS and VSG run in their own VM, either on a single physical server or multiple physical servers, offering a highly distributed network service option.</p>
<p>Other companies, such as A10 and at least five others, are virtualizing their application delivery offering too. And cloud service providers are seeking virtualized network services, which will offer IT business leaders the ability to deploy applications from either private or public clouds with a common set of network services over time. For example, many public cloud providers would like to place load-balancing services on top-of-rack and deploy it in a small-medium-large type format. Further, many would also like to place load-balancing services on a compute platform to give customers the ability to deploy load-balancing pseudo-traditionally. That is, to deploy network services where a compute platform would be largely dedicated to that service, or, alternatively, distributed so that it does not necessarily reside top-of-rack, or centralized, but resides “logically” next to a VM or sets of VMs so that as VMs move the network service benefit follows.</p>
<p><strong>UNS: A Product Set or Next Evolution of Networking and Computer Services </strong></p>
<p>Now Cisco isn’t the only IT firm developing a unified network service framework, but it is the only company that has all the components to deliver a comprehensive and thoughtful solution.  For example, HP, IBM and Oracle do not develop load balancing, application delivery, WAN acceleration or softswitch network services, placing them at a disadvantage. Oracle, HP and IBM usually partner with others for these services such as F5, Riverbed, VMWare, etc., eliminating the opportunity for this level of virtualization and unification development. In HP’s case, its networking gear is increasingly made in China which lacks the forward-looking foresight to get in front of this opportunity. IBM usually does a really good job here, but it’s limited on these major network service components.  </p>
<p>Many of the niche players, such as F5, Riverbed, Infoblox, A10, et al, will and are virtualizing their network service appliances and will do it very well, emerging as feature functional leaders. But these firms’ virtualization strategies will lack the broad view of multiple network services and most importantly, how the network nodes (L2-3 infrastructure) or hypervisor can steer traffic to them. To gain a broader UNS view and solution, these firms could organize a consortium to develop a comprehensive UNS strategy and implementation that matches Cisco’s UNS. But a consortium is driven by committee, which usually moves slowly. Cisco’s UNS framework will be emulated by others while key technology layers can be standardized, such as Cisco’s proposed VN-Link for traffic steering to physical devices from a virtual/softswitch. Hopefully, an ecosystem can be created that allows all vendors to participate, because UNS is not just another vision and product line, but it’s the next evolution of networking and computing services.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2011/01/lippis-report-164-cisco-builds-a-modern-network-service-layer-for-virtualized-and-cloud-infrastructure/feed/</wfw:commentRss>
		<slash:comments>14</slash:comments>
		</item>
		<item>
		<title>Lippis Report 163: A Multi-Vendor Security Management Approach via a Cisco SIEM Ecosystem</title>
		<link>http://lippisreport.com/2010/12/lippis-report-163-a-multi-vendor-security-management-approach-via-a-cisco-siem-ecosystem/</link>
		<comments>http://lippisreport.com/2010/12/lippis-report-163-a-multi-vendor-security-management-approach-via-a-cisco-siem-ecosystem/#comments</comments>
		<pubDate>Mon, 13 Dec 2010 22:44:48 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[ASA]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[CS-MARS]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[policy management]]></category>
		<category><![CDATA[SIEM]]></category>
		<category><![CDATA[VPN]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=3980</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>In an effort to offer a multi-vendor SIEM (Security Information and Event Management) solution, Cisco is placing its SIEM product, CS-MARS, in end-of-life and in its place, offering the industry its first SIEM ecosystem. Cisco acquired MARS six years ago…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>In an effort to offer a multi-vendor SIEM (Security Information and Event Management) solution, Cisco is placing its SIEM product, CS-MARS, in end-of-life and in its place, offering the industry its first SIEM ecosystem. Cisco acquired MARS six years ago in December 2004. MARS provided traditional event management and security monitoring along with limited forensic capabilities and compliance reporting. But the market demanded a broader cross-vendor SIEM solution rather than a SIEM focused primarily on Cisco products. In response, Cisco has launched a SIEM ecosystem to support deep event monitoring, forensics and compliance reporting across a heterogeneous enterprise network. It has also expanded the role of its Cisco Security Manager or CSM to support policy management and troubleshooting across a wider range of Cisco products. In this Lippis Report Research Note, we examine the new distribution of security responsibilities that now stretch across Cisco CSM and its new SIEM ecosystem with an eye toward stronger defense of IT assets.</p>
<p><span id="more-3980"></span></p>
<p>IT business leaders were requesting Cisco develop deeper forensics and compliance across multiple areas within MARS. But the MARS architecture was not designed for such long-term storage, long-term data indexing and look-ups required for conducting forensics and compliance in a manner that IT business leaders are demanding. So in June of 2010, Cisco launched a SIEM ecosystem to provide a scalable and cross-vendor approach for IT business leaders to conduct deep forensics and compliance capabilities. Real-time security monitoring capabilities, which MARS provided, are being blended into the CSM.   </p>
<p>CSM started as a policy manager for multiple Cisco devices such as routers, switches, firewalls, VPN, IPS, etc. But Cisco recently announced its 4.1 image for CSM that incorporates security-monitoring capabilities that enable policy troubleshooting. For example, essentially event logs will flow into CSM. CSM will determine if a stream of event logs rises to the level of a security problem or if it needs to make policy changes and execute those changes in real time via a closed-loop system. CSM does not deliver forensics or long-term compliance reporting. This is the province of the Cisco SIEM ecosystem.</p>
<p><strong>The SIEM Ecosystem</strong></p>
<p>Both MARS and CSM have been missing the capability to conduct broad multi-vendor security monitoring, compliance reporting and forensics in a heterogeneous vendor environment. In fact, most, if not all, security vendors are guilty of this. Clearly market reality dictates that most enterprise IT organizations utilize multiple devices and/or software that contribute to IT security defense. </p>
<p>Therefore, to align its security products and IT defense approach with the reality of the market, Cisco has started a SIEM ecosystem consisting of the five largest SIEM suppliers. The five vendors in the ecosystem are RSA, ArcSight, LogLogic, Splunk and netForensics. Cisco’s exit of the SIEM market has created the opportunity for it to partner with these top SIEM providers covering 75% +/- of the enterprise market.</p>
<div class="pod_rel">
<p class="pod_p">ArcSight Security Information and Event Management (SIEM) Deployment Guide </p>
<p><a class="pdf_icon" href="/?lippis_pid=3957">Get the White Paper</a></p>
</div>
<p>The power of a SIEM is to accept logs from multiple devices and make sense of them, meaning it weaves them together by way of correlation. The larger the number of log streams to a SIEM from various security appliances, the greater its ability to correlate. The goal of a SIEM is to gather data from all deployed security appliances, which ends up delivering an exponential lift with respect to the security intelligence gain obtained from correlating large streams of data. </p>
<p>With the Cisco SIEM ecosystem, Cisco is now able to deliver heterogeneous capabilities that cover security monitoring analysis, compliance and forensics capabilities, and some, specifically LogLogic, deliver long-term log management capabilities. To assure confidence that Cisco security and networking equipment interoperate with these five SIEM suppliers, Cisco has conducted extensive interoperability testing with each supplier. This is key for IT business leaders who have an operational SIEM deployed and need to be assured that the introduction of either a new SIEM or a new security device will interoperate with their existing SIEM. This is also key for Cisco CS-MARS customers who will be looking to transition to a new SIEM. Note that end-of-life is a multi-year process, so co-existence and transition are important attributes for the ecosystem to contain.</p>
<div class="pod_rel">
<p class="pod_p">LogLogic Security Information and Event Management (SIEM) Deployment Guide </p>
<p><a class="pdf_icon" href="/?lippis_pid=3961">Get the White Paper</a></p>
</div>
<p><strong>Conduit between SIEM and Cisco Security Products</strong></p>
<p>The interface or conduit that enables information transfer between Cisco products and its SIEM partners is device specific. The interface could be SysLog, SDEE or Security Device Event Exchange, and depends upon what conduit the end security device uses, be it an IPS, firewall, switch, router, etc. The conduits have not evolved yet, although at some point in time, they may.</p>
<div class="pod_rel">
<p class="pod_p">nFX Cinxi One Security Information and Event Management Deployment Guide </p>
<p><a class="pdf_icon" href="/?lippis_pid=3964">Get the White Paper</a></p>
</div>
<p><strong>The Interoperability, Validation and Testing Lab</strong></p>
<p>To demonstrate Cisco interoperability, Cisco has created a Cisco-compatible logo, which a partner earns after they have passed through what is called the “IVT Lab” meaning Interoperability, Validation and Testing Lab. One of the key outputs of the IVT Lab is interoperability assurance plus license rights to display the Cisco-compatible logo, and a set of <a href="http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/ns1090/landing_siem.html">deployment guides</a> to assist a Systems Engineer (SE) or an IT security department to deploy a partner’s SIEM product alongside Cisco’s firewalls, switches, routers or email plus web security products, etc. The detailed deployment guides offer various configurations of the SIEM ecosystem partners and Cisco products.</p>
<div class="pod_rel">
<p class="pod_p">RSA Security Information and Event Management (SIEM) Deployment Guide</p>
<p><a class="pdf_icon" href="/?lippis_pid=3967">Get the White Paper</a></p>
</div>
<p>To gain the Cisco-compatible logo, a partner needs to be tested against Cisco security products, which are approximately eight devices in its latest software versions. These include Cisco Cross-Device, Firewall, IPS, ASA, E-mail Security Appliance (ESA), Web Security Appliance (WSA), etc. The Cisco-compatible logo says that each partner has been tested for that set of core security devices. Over time Cisco plans to test SIEMs across the entire Cisco security product line. </p>
<div class="pod_rel">
<p class="pod_p">Splunk Security Information and Event Management (SIEM) Deployment Guide</p>
<p><a class="pdf_icon" href="/?lippis_pid=3970">Get the White Paper</a></p>
</div>
<p>The IVT Lab and associated Cisco-compatible logo essentially level-sets SIEM partners so all have validated and verified support for core Cisco security products. From a support perspective, Cisco’s TAC can take the lead on support. Cisco has developed relationships with its ecosystem partners by tying them into its TAC processes. In the event that SECOPS has an issue with, say, Splunk or RSA, Cisco TAC has a streamlined process that places customers in touch with the right person at RSA, Splunk and its other partners. </p>
<p><strong>Greater Defense through Faster Innovation Absorption</strong></p>
<p>Clearly Cisco products bring value to their ecosystem partners.  For example, Cisco’s firewall team produces the number one firewall in the world, developing features or functionality nearly every quarter or at least twice a year.  </p>
<p>Before the ecosystem was in place, a lag between Cisco innovation launch and SIEM ability to support new features was common. For example, SIEM vendors may not understand what the new features are meant to do or how they’re used. Therefore, as part of the SIEM ecosystem, Cisco is committing to assure that as new innovations/features are rolling out across its security portfolio, SIEM partners understand how Cisco recommends they be used, which will speed SECOPS innovation absorption.</p>
<p><strong>Pulling It All Together</strong></p>
<p>Cisco’s new approach to heterogeneous network security is based upon an ecosystem of SIEM providers to which it provides interoperability testing, new feature training, TAC support and deployment guides. The SIEMs will aggregate event logs from a wide range of Cisco and other company security appliances to deliver cross-vendor IT forensics and compliance reports. Cisco’s CSM is the policy manager and troubleshooting platform going forward and will enjoy expanded support of Cisco’s security products. Therefore, policy management and troubleshooting services will be delivered through CSM, while the SIEM ecosystem delivers broader cross-vendor IT forensics, event monitoring and compliance reports.</p>
<p>IT business leaders benefit from a broader multi-vendor approach to event monitoring, forensics and compliance reports as well as centralized policy management and troubleshooting of Cisco products. This new approach should increase IT defenses while simplifying the management of their Cisco security products.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/12/lippis-report-163-a-multi-vendor-security-management-approach-via-a-cisco-siem-ecosystem/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>Lippis Report 162: Why Network Performance of Data Center Ethernet Switching Products Matter More Now Than Ever</title>
		<link>http://lippisreport.com/2010/11/lippis-report-162-why-network-performance-of-data-center-ethernet-switching-products-matter-more-now-than-ever/</link>
		<comments>http://lippisreport.com/2010/11/lippis-report-162-why-network-performance-of-data-center-ethernet-switching-products-matter-more-now-than-ever/#comments</comments>
		<pubDate>Wed, 01 Dec 2010 01:53:37 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[Alcatel-Lucent]]></category>
		<category><![CDATA[and Voltaire]]></category>
		<category><![CDATA[Apresia]]></category>
		<category><![CDATA[Arista Networks]]></category>
		<category><![CDATA[BLADE]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Data Center]]></category>
		<category><![CDATA[Enterprise Virtualization]]></category>
		<category><![CDATA[Ethernet switching]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[Juniper Network]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=3934</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Ethernet networking is now the single most important data center technology to assure the new IT economic model of centralized application delivery. Yes that’s right—Ethernet as the data center fabric is the stability point in data center design that will…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Ethernet networking is now the single most important data center technology to assure the new IT economic model of centralized application delivery. Yes, that’s right—Ethernet as the data center fabric is the stability point in data center design that will dictate whether a data center or cloud facility can scale to support huge application and storage traffic loads. And if you think that Ethernet switch performance is not important, then you would be as right as the engineers who designed the <a href="http://www.archive.org/details/SF121">Tacoma Narrows Bridge</a>. In this Lippis Report Research Note, we explain why network performance of data center Ethernet switching products matters more now than ever.</p>
<p><span id="more-3934"></span></p>
<p>Data centers are becoming IT black holes where no application can escape the gravity of its economic force. A few facts are in order:</p>
<p><strong>Mobile Applications and Devices Soar:</strong> Mobile application use is expanding exponentially, thanks to the popularity of the iPhone and, increasingly, Android smartphones. What matters most here is the traffic load these applications are placing on data center Ethernet fabrics. The vast majority of mobile applications are hosted in data centers and/or public cloud facilities. The application model of mobile devices is not to load them up with thick applications like Microsoft Word, PowerPoint, Excel, etc., but to load them with thin clients that access their applications and data in data centers and private and/or public cloud facilities. As of this writing, there are some 205,000 plus smartphone applications.</p>
<p><strong>A New Tier of Computing Emerges:</strong> A new and rapidly growing tier of computing has emerged in 2010. This tier is the Android tablet and iPad. According to the Wall Street Journal, sales of tablet devices (Android plus iPad) are expected to hit 19.5 million units in 2010 and 54.8 million in 2011. In contrast, Gartner predicts that PC shipments will be 352 million units in 2010. In just six short months, tablets now represent some 6% of PC shipments and are expected to displace nearly 10% of PC shipments by 2014!</p>
<p>What is important about this new tier of computing is its application model, which is nearly the same as that of smartphones. That is, these tens of millions of tablets, and their numbers are growing, rely on data centers plus private/public cloud facilities for their applications, placing further traffic load on Ethernet data center fabrics.</p>
<p><strong>Virtualized Desktops:</strong> 2011 will be the year of the virtualized desktop. Frustrated with Microsoft’s enterprise application licensing, plus desktop support model, IT business leaders will turn toward virtualizing desktops at increasing numbers in 2011. The application model of virtualized desktops is to deliver a wide range of corporate applications hosted in data centers and/or private/public clouds over the enterprise network. While there are no estimates to the traffic load this will place on campus and data center Ethernet networking, one can only assume it will be huge.</p>
<p><strong>Storage Traffic over Ethernet Fabric:</strong> Converged I/O or unified networking, where storage and network traffic flow over a single Ethernet network, will increasingly be adopted in 2011. A single converged network adaptor or CNA plugged into a server provides the conduit for storage and application traffic flows to traverse an Ethernet fabric. The number of suppliers offering CNAs has grown significantly, including Intel, HP, Emulex, IBM, ServerEngines, QLogic, Cisco, Brocade, etc. In addition, the IEEE opened the door for mass deployment as it has ratified the key Ethernet standards for lossless Ethernet. What will drive converged I/O is the reduced cost of cabling, NIC and switching hardware.</p>
<p>The above trends are just starting to take hold. Over the next five years, a sea change in IT delivery will occur. It’s clear that the number of mobile smartphones and tablets will only increase, as will their reliance on data center-hosted applications. Virtualized desktops too will force an increase in centralized application delivery while storage traffic increasingly flows over Ethernet fabrics. Corporate application portfolios will change dramatically, as will their application traffic profiles, with loads being ever more unpredictable. There will be surprises or unforeseen changes that may very well accelerate these trends.</p>
<p>From a data center design point of view, IT architects discovered over three years ago that they can scale compute resources to nearly unlimited dimension thanks to multi-core processors, virtualization and cloud spec design. And with centralization comes a huge corporate advantage: complexity is centralized, so IT can be managed more effectively. But more important is the fact that IT represents on average only 2% of corporate revenue but has a profound impact on the other 98% of corporate operational spend and competitiveness. With application centralization, IT business leaders can more easily control IT and target it toward reducing corporate operational spend through streamlined business processes or launch new services to respond to market dynamics.</p>
<p>At the center of this massive application centralization transition is networking as it ties compute, storage and internet access together.  Ethernet networking, in particular, is now the single most important data center technology to assure the new IT economic model of centralized application delivery.  Now most corporations and cloud providers are scaling up their data center bandwidth with 10GbE. In fact, over the last quarter, many networking companies have reported greater than 60% shipment growth in their layer 2 and layer 3 fixed and modular Ethernet switches. So the above trends are driving network demand.</p>
<p>But IT architects and business decision makers need to understand the underlying performance and power consumption metrics of the switches they deploy. The only way to be assured that the Ethernet fabric that is being deployed now in the data center will scale to support increasing application load and storage traffic is to review public, independent, credible and repeatable network throughput and latency performance numbers across multiple vendors.  </p>
<p>During the mid 1990s, Scott Bradner of Harvard University and Nick Lippis of the Lippis Report offered independent comparative Ethernet switch performance test evaluations to guide IT business leaders with their purchase decisions. But network purchase decisions have much greater weight to them now as over 80% of IT budgets are spent in the data center. Further, HP wouldn’t have purchased 3Com or IBM wouldn’t have purchased BLADE if they didn’t realize how critically important networking has become to successful data center and cloud computing design.</p>
<p>It’s for the above reasons the Lippis Report has teamed with Ixia to deliver an open data center fabric evaluation of 10GbE switches.  Several network equipment manufacturers will participate in this industry-first evaluation, including Alcatel-Lucent, Apresia, Arista, Blade, Juniper Networks and Voltaire. The testing, which is taking place at Ixia’s <a href="http://www.ixiacom.com/solutions/isimcity/index.php">iSimCity</a> location in Santa Clara, will use Ixia’s Xcellon-Flex load modules to evaluate the performance of the participating vendors’ top-of-the-line 10 GE data center devices.</p>
<p>We’ll publish a report on our findings in mid-January, so stay tuned.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/11/lippis-report-162-why-network-performance-of-data-center-ethernet-switching-products-matter-more-now-than-ever/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Lippis Report 161: The New Nimble and Innovative Avaya</title>
		<link>http://lippisreport.com/2010/11/lippis-report-161-the-new-nimble-and-innovative-avaya/</link>
		<comments>http://lippisreport.com/2010/11/lippis-report-161-the-new-nimble-and-innovative-avaya/#comments</comments>
		<pubDate>Mon, 15 Nov 2010 20:53:47 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[ACE]]></category>
		<category><![CDATA[Aura]]></category>
		<category><![CDATA[Avaya]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[collaboration]]></category>
		<category><![CDATA[Data Center]]></category>
		<category><![CDATA[Enterprise Virtualization]]></category>
		<category><![CDATA[Ethernet switching]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[Unified Communication]]></category>
		<category><![CDATA[video]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=3905</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>For as long as I have been following Avaya—and it’s been a decade since it was spun out of Lucent back in October of 2000—it has undergone three fundamental transitions. First, Don Peterson, Avaya’s first CEO, managed to fix Avaya’s…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>For as long as I have been following Avaya—and it’s been a decade since it was spun out of Lucent back in October of 2000—it has undergone three fundamental transitions. First, Don Peterson, Avaya’s first CEO, managed to fix Avaya’s balance sheet after Lucent saddled it with heavy debt. He also pointed the way toward IP telephony in his six years at the helm. Then came Louis D&#8217;Ambrosio, with high energy and confidence, to point Avaya in the direction of unified communications, and a software and services business model, while taking the company private in 2007 through TPG Capital and Silver Lake Partners. In 2008, Charlie Giancarlo became chairman, while Kevin Kennedy took the helm, ushering in a new wave of innovation and nimbleness while re-engineering sales and channels plus absorbing the Nortel enterprise business. Yes, what a long, strange trip it’s been, but Avaya is now the most innovative in its history and well positioned for the post-recession business cycle. In this Lippis Report Research Note, we examine Avaya’s prospects and challenges.</p>
<p><span id="more-3905"></span></p>
<p>If Peterson’s contribution to Avaya was “Righting the Ship,” and D&#8217;Ambrosio’s was “Energy and Purpose,” Kennedy is ushering in “Nimbleness and Innovation.”  With each phase of executive leadership came a resetting of corporate culture. Peterson and the executive management team nearly all had AT&#038;T/Lucent culture where the enterprise business was a rounding error. D&#8217;Ambrosio brought a customer focus, energy and big blue reliability. Both of these cultures were grounded in East Coast high tech. Kennedy reset the culture button to a West Coast pace of “go, go, go” with phased product roadmaps, advanced technologies and broad channels to market. The new Avaya has taken shape with a slew of product announcements and new technologies. Here are a few of its most novel directions:</p>
<p><strong>The Flare Experience:</strong> In September of 2010, Avaya introduced the Flare Experience, which is a new human-machine metaphor to easily conduct videoconferences and collaboration. Flare seeks to provide a seamless video experience from desktop to softphone to video conferencing systems to Android tablets, etc. The most notable aspect of Avaya Flare™ is the introduction of the Avaya Desktop Video Device, an Android tablet that creates video sessions with the ease of dragging and dropping contacts from an address book to the center of the screen via touch screen technology. Key to Flare’s innovation is the linking of presence, directory and call establishment/tear down between Avaya one-x Communicator 6.0, the Avaya Video Conferencing solutions based upon joint development work with LifeSize, the Avaya Desktop Video Device, Avaya Video professional and managed services as well as Avaya’s web.live. But it’s the Avaya Aura collaboration server in the back end providing the magic code to create an enterprise-wide video experience.</p>
<p>What’s impressive about Flare is that Avaya has created a user interface that integrates voice, video, web conferencing, IM, presence, email, contacts, calendar, messaging, browsing, business applications and social networking that’s controlled by touch.  Desktop or user interface design is usually not offered by communications companies, other than phones, so this is a significant innovation point for Avaya.</p>
<p><strong>The Skype Relationship:</strong> With Skype and Avaya being owned in part by Silver Lake Partners, a friendly business channel was easily created. For years, most industry observers and IT business leaders sought a way to integrate Skype calls into enterprise communications and collaboration. Avaya was the first to do so by granting access to U.S. customers to Skype Connect™, from their existing UC endpoint via a SIP connection between Avaya Aura and Skype. The Avaya-Skype link becomes more feature rich in the second half of 2011 when federation is established so that Avaya and Skype business users can engage and interact via presence, IM plus voice and video. Beyond the cool factor, there are hard economic reasons why a Skype connection makes sense for Avaya customers. There are three value points: low international calling rates, access to Skype’s global community and inter-company collaboration via modern communications.</p>
<p><strong>The SME Roadmap:</strong> To show how nimble Avaya has become, when it acquired the Nortel enterprise business in late 2009, it had six products focused at the same Small to Medium Enterprise (SME) market. Those products were Avaya IP Office, Integral 5, PARTNER ACS, Norstar, BCM and SCS. The road to a single product was introduced in January 2010, and the Avaya IP Office was chosen as the SME platform. In 10 short months, Avaya has integrated the full feature sets of PARTNER ACS and has added support for BCM IP handsets into the Avaya IP Office 6.1 image. The next major software revision for IP Office is 7.0, due out in early 2011, and if all goes well, it will include complete BCM and Norstar features plus handset support. The integration value is huge as there are fewer products with overlapping features to support the large SME market simplifying IT executives’ lives, plus channel partners and Avaya’s businesses. </p>
<p><strong>The Avaya Virtual Enterprise Network Architecture or VENA:</strong>  With the Nortel acquisition, Avaya picked up the enterprise data networking group and associated products that include Ethernet switching, unified branch, WLAN, network access and network management portfolios. To organize these products and demonstrate an investment cycle, Avaya recently launched Virtual Enterprise Network Architecture (VENA). VENA focused the Avaya product set on a major inflection point occurring in the industry; that is virtualization in the data center as well as on the desktop via VDI and storage. There are clear problems with existing network architecture and design that has focused on physical versus virtual ports since the mid 1980s. New thinking in network design is needed if IT business leaders are to reap the benefits of virtualization as it spreads throughout an enterprise.  </p>
<p>VENA defines a virtual service network layer that maps IT services to unique virtual networks that run over a virtual services fabric, which is built upon enhanced IEEE Shortest Path Bridging.  According to Avaya, this provides resiliency, simplicity and a consistent interconnect that transparently supports co-existing services. In short, applications and IT resources are assigned to virtual networks that are independent of physical ports, allowing more freedom and much less operator intervention during changes to applications, Virtual Machines, etc.  </p>
<p><strong>Avaya’s Prospects</strong></p>
<p>One thing is clear, and that’s Avaya is not tree hugging any technologies or products from the past. It has aligned its UC, contact center and data businesses with major market demands.  The Flare Experience is a bold new approach to UC and video collaboration matched only by Cisco and in part Microsoft. It has executed the Nortel integration with speed rivaled only by much larger high-tech firms Cisco and IBM. It could not have picked a better market inflection point than virtualization to add value and investment for its data-networking portfolio. Avaya seems to be firing on all pistons from an operations, engineering, channel expansion and product innovation points of view. If its bets are right, it should be rewarded with market share gain.</p>
<p><strong>Avaya’s Challenges</strong></p>
<p>Avaya does have challenges too. By keeping the data networking group, it has, in essence, become a little Cisco, being about one eighth its size. But Avaya does enjoy very loyal data networking customers, particularly in the financial services industry, which date back to the days of Wellfleet and Synoptics. Avaya and Cisco could not be more different, however. If Avaya is a voice company with some data networking, Cisco is a data networking concern with voice technology. While Cisco and Microsoft have significant pull through sales of communications for their data networking and software, respectively, Avaya does not. Avaya has to compete for data networking and communications business, by and large separately, unless and until it provides a compelling value proposition to supply an architected solution consisting of networks, communications, collaboration and contact center. </p>
<p><strong>Opportunity: Service Delivery Process</strong></p>
<p>One of Avaya’s biggest opportunities lies within its ability to add value to a company’s “<em>service delivery process</em>,” thanks to its rich customer data afforded by Avaya’s Contact Center (CC) business. For example, just this past July, the Avaya CC business introduced the Avaya Aura CC Suite, which is designed to enable end-to-end service experience management. The Aura CC Suite’s Assisted and Automated Experience categories include multi-channel work assignment, self-service and proactive contact applications that drive communications and transactions with customers via voice, email, web chat, SMS or social media. Aura CC Suite also delivers a Performance Management category that includes Avaya’s analytics and reporting platforms, Avaya Call Management System and Avaya IQ, which provide companies detailed customer information that helps to improve profitability and customer retention. In addition workforce optimization and workforce management capabilities were added under the Avaya Aura WFO category. </p>
<p>Service is a key competitive differentiator during this economic cycle where the service economy is the bright spot, and 82% of millennials stop doing business with a company after one bad CC experience. Avaya’s CC customers are equipped with vast customer touch points with every interaction, be it voice, chat, IM, email, etc., being a data point of needs. And Avaya does have a loyal CC customer base. Paradoxically Avaya and Harley Davidson are similar in the fact that both enjoy customers who never switch products. A Harley rider would be hard pressed to switch to another motorcycle as would an Avaya CC customer.  </p>
<p>It’s all of these tools to monitor and control customer touch points that deliver so much value to customers and Avaya that it can now be leveraged to another level. Avaya can add value to its enterprise customers by synthesizing, aggregating and monitoring the huge number of customer touch points it offers its customers to afford them deeper market knowledge and allow them to be more adaptive, responsive organizations that deliver differentiated experiences and favorable business outcomes.</p>
<p>Key Avaya platforms are Aura—especially as it invests to make Aura a media-agnostic application platform with special attention to video—and Agile Communications Environment (ACE). ACE facilitates the development of communications-enabled business applications to speed workflow. ACE 2.2 includes an Event Response Manager—a new packaged application that reduces downtime and increases efficiency by automatically notifying the right people with the right skills to respond to and manage unexpected events, such as inventory shortages, security breaches, disasters, stock crashes, etc. A new ACE developer toolkit seeks to make it easier to embed timely and personalized communications into business applications. With Avaya ACE, enterprises can communications-enable their business applications up to 80% faster than by using traditional methods, according to Avaya.  </p>
<p>Leveraging Avaya’s huge DevConnect community to write applications around Aura that leverage Avaya’s UC and CC resources while riding over VENA is one sure way to elevate Avaya’s importance and consideration in the Enterprise market.  With Avaya’s new nimbleness and innovation, it clearly has the ability to weave its UC, Collaboration, CC and Data products and services around “service delivery process” for its customers, as well as differentiate itself in a significant way. If there isn’t a value proposition around all of Avaya’s products and services, then it may find itself competing in four separate markets, with four separate customers, channels and competitors.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/11/lippis-report-161-the-new-nimble-and-innovative-avaya/feed/</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
		<item>
		<title>Lippis Report 160: Voltaire’s Data Center Ethernet Fabric Strategy</title>
		<link>http://lippisreport.com/2010/11/lippis-report-160-voltaire%e2%80%99s-data-center-ethernet-fabric-strategy/</link>
		<comments>http://lippisreport.com/2010/11/lippis-report-160-voltaire%e2%80%99s-data-center-ethernet-fabric-strategy/#comments</comments>
		<pubDate>Mon, 01 Nov 2010 23:27:33 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=3789</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Little-known Voltaire is a powerhouse in High Performance Computing (HPC) networking with a full line of InfiniBand switches and performance software.  It has been in this market since 1997 and has amassed big system partnerships to distribute its products such…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Little-known Voltaire is a powerhouse in High Performance Computing (HPC) networking with a full line of InfiniBand switches and performance software. It has been in this market since 1997 and has amassed big system partnerships to distribute its products such as HP, IBM, Oracle, NEC, et al. But seeing the multibillion-dollar market for 10Gb and higher Ethernet switching as the new high performance data center fabric has motivated Voltaire to enter this mainstream market. Note the InfiniBand market is slightly north of $200m annually. Its motivation has materialized in the introduction of two top-of-rack switches and one core switch plus Unified Fabric Manager software for physical and virtual infrastructure management and Voltaire Messaging Accelerator (VMA) software, which reduces application latency and increases application performance. In this Lippis Report Research Note, we profile Voltaire and lay out its strengths and challenges.</p>
<p><span id="more-3789"></span></p>
<p><strong>Products</strong></p>
<p>Voltaire is leveraging its experience in HPC networking to launch into the high performance Ethernet fabric market. Case in point: Converged Enhanced Ethernet (CEE) has many of the same characteristics and capabilities inherent in InfiniBand, giving Voltaire a leg up in Ethernet-based converged I/O. Assets and best practices of Voltaire include storage enablement, developing server software to reduce application latency and increasing performance in scale-out network design. This design center has manifested in its three Ethernet switch products.</p>
<p><strong>Top-of-Rack</strong></p>
<p>Voltaire offers the Vantage™ 6024, which is designed for low-latency environments with layer 2 or 3 forwarding requirements. Its other ToR switch is the new Vantage™ 6048, which offers twice the port density of the 6024 in the same 1U form factor and is targeted at the private cloud market. Price per port of the 6048 is one of the lowest in the industry at $480 list, thanks to its single-chip switch design enabled by Marvell’s silicon.</p>
<p>Voltaire also has a cross-certification relationship with BLADE Network Technologies in which BLADE’s switches are certified to interoperate with Voltaire’s core switch, the Vantage™ 8500, and software.</p>
<p><strong>Core Switch</strong></p>
<p>Connecting ToR switches and storage is the job of the Vantage™ 8500, which is a layer 2 core switch 15U high with 12 slots capable of connecting 288 10GbE ports with 11.52 Tb/s of non-blocking backplane. Voltaire boasts 0.6 – 1.2 microseconds of port-to-port latency and power consumption as low as 10 watts per port. Most of its HPC engineering experience is transferred into the Vantage 8500, as it uses CEE technology to provide capabilities such as a lossless switching fabric, and supports Fibre Channel over Ethernet (FCoE) traffic, Ethernet multi-pathing, I/O virtualization, fabric-wide congestion management and QoS. The key aspect of the 8500’s ability to scale is its use of multi-pathing to eliminate over-subscription and create a non-blocking switching fabric between networked 8500s.</p>
<p>A key financial point in both the 8500 and 6048 is the low transceiver cost, which can be as large as, and at times larger than, the switch cost itself. Voltaire’s SFP+ and SR optic transceiver cost is $390 list, which is half of HP’s and nearly a third of Brocade’s.</p>
<p><strong>Unified Fabric Manager or UFM</strong></p>
<p>UFM software manages all Voltaire Ethernet switches plus third-party switches, from BLADE and HP ProCurve for example, as a single data center fabric; in essence, it’s a fabric manager with built-in provisioning automation and monitoring. This is the same approach that Voltaire has taken with its HPC product line, where much of the innovation it created has gone into UFM for Ethernet. What’s different about UFM is that it provides visibility of the physical fabric and application workloads that are running over it.</p>
<p>UFM software creates a data center object model that changes dynamically according to resource allocation across servers, storage and networking to support different applications. The object is built via connectors to UFM from various data center orchestration tools through a UFM API, which feeds UFM configuration information. For example, if a new application is to be brought online, that request may sit in a queue until resources are available. An orchestrator will allocate resources for the application request, and at the time the resources are being allocated, the orchestrator will consult and inform UFM as to what resources are best utilized for this application based upon its profile. As resources are allocated, data center operations can monitor the application for usage, congestion, bandwidth allocation, service level agreements, etc.</p>
<p>UFM offers a different way of managing applications’ resources, especially during changes of both physical and virtual infrastructure. Data center applications are equipped with policy that governs their resources such as quality of service, service levels, bandwidth allocation, etc. During application changes, data center operations are forced to reset policy for the application network switch by switch via CLI, which creates complexity and delay. During an application change, UFM automatically programs all switches involved in the new configuration of the application keeping its policy intact. UFM has been certified with BLADE, IBM, HP, et al.</p>
<p><strong>Voltaire Messaging Accelerator (VMA) Software</strong></p>
<p>VMA is another technology that was designed for HPC environments and is now ported to Ethernet fabrics. VMA is multicast application acceleration software and is mostly used in the financial services industry within exchanges, hedge funds, co-location facilities and other trading environments that rely heavily upon multicast traffic. VMA speeds up applications by bypassing the operating system while supporting the standard socket interfaces that multicast applications choose.</p>
<p><strong>A Two-Tier Flat Network Fabric Design</strong></p>
<p>A Voltaire network is by definition flat, consisting of a two-tier network fabric. With both the 6048 and 8500 supporting multipathing between ToR and core and between cores, this architecture can scale in size while maintaining application performance and available bandwidth between any two end points. The level of multipathing between the 6048 and 8500 determines how far the architecture scales. For very large data centers needing to connect thousands to tens of thousands of servers in a non-blocking configuration, a group of 8500s could connect servers and form the network fabric.</p>
<p><strong>Strengths</strong></p>
<p>Voltaire enjoys a unique view and experience base of HPC, which has been a specialized market. But as Ethernet goes mainstream as a data center fabric, so too do HPC attributes. Here lies Voltaire’s opportunity: can it morph its approach to the HPC market to Ethernet? Its UFM and VMA software is a unique approach to fabric management and accelerating certain types of multicast applications. It recently introduced VSA or Voltaire Storage Acceleration software, which enables a storage server pair to process up to a million I/O operations per second (IOPS) and deliver more than 10 GB/s of data.</p>
<p>Voltaire’s approach to Ethernet networking is to offer low cost, high performance hardware to deliver a connectivity service and accelerate messaging and storage traffic via specialized software. It stands out from other Ethernet providers when it comes to fabric management by introducing new concepts of virtual networking and logical application representation.</p>
<p><strong>Challenges </strong></p>
<p>Time will tell if Voltaire can win market share with its Ethernet strategy. Ethernet data center fabrics are a multi-billion dollar market today; that creates great opportunities, but there are much larger and fiercer competitors too. Voltaire gains 90% of its annualized $67m of revenue from the HPC InfiniBand market. Its Ethernet revenues are approximately $6.4m annually.</p>
<p>It faces competitors such as Cisco, HP, Force10, Brocade, Alcatel-Lucent, Avaya, Extreme, Juniper, Arista, BLADE, H3C, et al.  All are larger than Voltaire, with the possible exception of Arista, and all are US-based firms, with the exception of H3C, while Voltaire is headquartered in Ra’anana, Israel. True, Voltaire does have great distribution and OEM relationships with HP, IBM, NEC, Bull, Fujitsu and SGI, but these are mostly for InfiniBand environments. While both HP and IBM offer Voltaire Ethernet switches as part of their 10 GbE portfolios, it’s difficult to see HP selling Voltaire’s Ethernet offering for long when it just acquired 3Com and has a full Ethernet portfolio. IBM recently purchased BLADE for $400m, and perhaps it may choose to acquire Voltaire too to bolster its networking position. </p>
<p><strong>Bottom-line:</strong></p>
<p>Voltaire has proven to understand high performance environments, and its Ethernet products will benefit from this experience. It offers low cost, low power and low latency networking products with unique fabric management, application and storage acceleration software. It’s being proven in the market too with a growing roster of enterprise data center and cloud customers providing great proof points to how a Voltaire flat Ethernet fabric delivers value. </p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/11/lippis-report-160-voltaire%e2%80%99s-data-center-ethernet-fabric-strategy/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Lippis Report 159: Cisco’s Borderless Green Network Service</title>
		<link>http://lippisreport.com/2010/10/lippis-report-159-cisco%e2%80%99s-borderless-green-network-service/</link>
		<comments>http://lippisreport.com/2010/10/lippis-report-159-cisco%e2%80%99s-borderless-green-network-service/#comments</comments>
		<pubDate>Fri, 22 Oct 2010 15:24:47 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[borderless networks]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Green]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[sustainability]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=3433</guid>
		<description><![CDATA[<p><a rel="attachment wp-att-171" href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/"><img class="alignright size-full wp-image-171" title="nicklippis.jpg" src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" width="97" height="122" /></a></p>
<p><strong>A Comprehensive Approach to Corporate and Government Energy Cost Savings and Carbon Reduction</strong></p>
<p>Being green is increasingly being forced upon IT business leaders from their management, government regulations and societal pressures. Ask a recent college grad what is the number one…</p>]]></description>
			<content:encoded><![CDATA[<div class="lippis_social_buttons">
</div>
<p><a rel="attachment wp-att-171" href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/"><img class="alignright size-full wp-image-171" title="nicklippis.jpg" src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" width="97" height="122" /></a></p>
<p><strong>A Comprehensive Approach to Corporate and Government Energy Cost Savings and Carbon Reduction</strong></p>
<p>Being green is increasingly being forced upon IT business leaders from their management, government regulations and societal pressures. Ask a recent college grad what is the number one societal contribution they would like to make with their career and the answer is “make the world greener.” The workforce is changing worldwide with a sense of personal and corporate social responsibility to reduce carbon emissions, and choose sustainable materials and processes to power our lives and deliver products and services. And being green is no longer a luxury that IT leaders can choose as governments, boards of directors and presidential directives issue mandates forcing energy efficiency upon IT executives.</p>
<p><span id="more-3433"></span></p>
<p>From an IT perspective, much work has been done to reduce data center energy consumption and cooling by virtualizing servers and consolidating data centers. In addition, IT vendors continually work to deliver products with increased feature sets that consume less energy. But one company in particular has taken its core competency and found a way to not only make its own products more energy efficient but everything its products touch, too. That company is Cisco Systems.</p>
<p><strong>A Broader View of Energy Management</strong></p>
<p>Cisco is providing tools and knowledge to IT business leaders to assist them in complying with energy efficiency mandates. And while much attention has been focused on data center energy reduction, a much larger target for energy conservation is IT and non-IT energy consuming assets that are sprawled throughout enterprise and government facilities—this means networks, personal computers, printers, lighting, HVAC, etc. But in addition to energy management of electrical device sprawl, energy consumption can also be avoided by using communication and collaboration tools such as Webex, virtual office teleworking and TelePresence. These collaboration tools allow users to work at home and engage in meetings over the web or via high definition videoconferencing instead of traveling, thus avoiding the dollar and carbon emission costs of travel. These concepts and initiatives are part of Cisco’s Borderless Networks Green service, one of the key network services within Cisco’s Borderless Networks Architecture.</p>
<p>The key concept of Cisco’s Borderless Networks Architecture is the removal of boundaries or borders that create common trade-offs and compromises IT business leaders and users have come to despise. Cisco’s Borderless Networks Architecture is comprised of five pillars that enable borderless connections of anyone, anytime, anywhere and from any device securely, reliably and seamlessly: 1) <strong>Mobility</strong> through the Motion service, 2) <strong>Green</strong> or enabling energy cost savings and carbon reduction through EnergyWise, 3) integrated network <strong>Security</strong> via TrustSec, 4) <strong>Application Performance</strong> to increase network and application agility, visibility and control with Application Velocity Network Service and 5) <strong>Video/Voice</strong> services to offer the best possible video experiences to users via the Medianet technologies. These borderless network services are delivered by core infrastructure including switching, routing, security, wireless and wide area application services (WAAS) infrastructure products. It’s the integration of these services into existing network infrastructure and their control via policy and management that enables a borderless experience to occur. In short, a borderless network eliminates friction points and user plus operational frustration associated with common IT use cases such as application access from desktop, laptop, tablet, smartphone, etc. For example, the Borderless Networks Green service enables IT executives to reduce their carbon emissions, save on energy costs and transform their business while satisfying increased IT demand. In this Lippis Report Research Note, I focus on the Borderless Networks Green service as it offers a comprehensive approach to energy management.</p>
<p><strong>Borderless Networks Green Service</strong></p>
<p>There are three main drivers why organizations are looking for ways to be greener: cost reduction, sustainability mandates and corporate responsibility. Being a green, socially-responsible organization improves corporate image, which is usually accompanied by increased revenue opportunities. And many companies are in search of effective ways to achieve operational cost savings through green IT practices, especially during the past three years given economic conditions. That is why corporate executives seek to enhance their firms’ image/brand and comply with energy reduction mandates while reducing operational costs, all through green initiatives.</p>
<p>To help customers achieve their green goals, Cisco’s Borderless Networks Green service exploits the network as a platform to extend green borders. This is done in three ways: 1) transform the workforce by making it more flexible with collaboration applications such as TelePresence, Webex, Virtual Office, etc., 2) enable energy cost savings with innovations such as EnergyWise that measures and manages energy usage, and 3) improve network efficiency through virtualization, consolidation plus product and system life-cycle management. As Cisco EnergyWise is a fundamental and unique green enabler, we focus on this technology first.</p>
<p>Cisco EnergyWise is a system-wide framework for energy management that is integrated into Cisco Catalyst switches, routers and building controllers. Every device that connects into the network can eventually have its energy managed, monitored and optimized by Cisco EnergyWise. This concept of using the network as a system to coordinate activities which provide benefits that aren’t available from a single device is a key principle of Cisco’s Borderless Networks Architecture. EnergyWise delivers on this principle by adding energy management to Cisco’s Borderless Networks services.</p>
<p><strong>Cisco EnergyWise</strong></p>
<p>Cisco EnergyWise is being released in phases. The first phase was launched in January, 2009, and focused on reducing energy usage of Power over Ethernet (PoE) devices. These devices include IP phones, wireless access points, security cameras, etc. The second phase, launched in March, 2010, added the ability to control PC and laptop power. PC and laptop power control is accomplished with a product called Cisco EnergyWise Orchestrator. Orchestrator is a client-server architecture designed to scale up for large organizations. A small software client runs on each PC, collects energy usage information and allows Cisco EnergyWise Orchestrator to distribute centrally-managed, time-based energy policies to each workstation such as shut down after 6:00 p.m. and power up after 8:00 a.m. In addition, EnergyWise Orchestrator can request “on-demand” power reductions. EnergyWise Orchestrator also receives power usage statistics from PCs distributed throughout an enterprise or government facilities, which can be aggregated and displayed in different variations via its sustainability dashboard. As PCs and laptops are sprawled throughout enterprise and government facilities, Cisco EnergyWise Orchestrator is able to manage up to 60% of power used by IT devices, thus the impact of Cisco’s energy management solution is material.</p>
<p>Cisco is extending the reach of EnergyWise to control power of more IT and non-IT devices. The EnergyWise framework includes open APIs that enable an ecosystem of partners to offer comprehensive energy management solutions to meet customer needs of all kinds. For example, Cisco recently announced partners that allow EnergyWise to manage Smart Power Distribution Units from Schneider APC, WTI (Western Telematic, Inc.), Server Technology, Raritan and CyberSwitching. These partnerships extend energy monitoring and reporting to data centers, and expand energy management capabilities to clientless devices like printers, copy machines and digital media displays.</p>
<p><strong>Business Transformation Applications that Reduce Energy Consumption</strong></p>
<p>While most, if not all, networking concerns stress energy efficiency of their products, Cisco’s Borderless Networks Green service takes this to an entirely different level through energy efficient collaboration applications that transform how corporations conduct business. Collaboration applications, such as Cisco’s WebEx, TelePresence and Virtual Office, reduce travel needs and improve productivity while achieving great in-person work experiences. Underneath these collaboration applications is Cisco’s Borderless Networks infrastructure that ensures security, availability and performance of these business applications with services such as Medianet and Cisco TrustSec.</p>
<p><strong>Product Power Efficiency Gains</strong></p>
<p>Cisco’s Borderless Networks Green service addresses reduced energy consumption of IT assets, such as PCs, laptops, PoE devices, and networking equipment such as routers and switches, plus collaborative applications. And while offering this broad view and tool set for IT business leaders to manage energy policy, Cisco has not taken its eye off the ball of engineering innovations and improvements in network products to ensure energy efficiency. For example, StackPower is a new innovation for the Cisco Catalyst fixed switching products that distributes power across a stack of switches in a unique and efficient way. Further, Cisco recently introduced a 48-port switch that consumes only 40 watts of power…that’s less power consumption than most light bulbs.</p>
<p><strong>Virtualized Data Center Infrastructure Delivers Energy and Resource Efficiency </strong></p>
<p>In addition to EnergyWise, product energy improvements and collaborative applications, Cisco’s Borderless Networks Green service extends green initiatives to the data center too via virtualization. Data center consolidation and server virtualization are solutions that help IT business leaders maximize the usage of existing resources while contributing to data center efficiency. These solutions include VMware and Cisco’s UCS (Unified Computing System). In addition to server virtualization, firewall and WAAS services have become virtualized as well as bandwidth via Storage Area Networking. Desktops too are being virtualized. All of these initiatives contribute to reduced footprint for rack space, cabling and HVAC requirements. Less power is consumed while the data center is more efficient with improved operations, thanks to more flexible use of resources and bandwidth.</p>
<p>The benefits of Borderless Networks Green service are workforce flexibility and improved productivity, energy cost savings and network efficiency. While some of these improvements are difficult to measure, there are solid ROI examples. GE, for example—a Fortune 500 company that adopted Cisco’s TelePresence—reduced its travel and lodging expenses by 40% while reducing executive management wear and tear. Parque Escolar works with the Portugal Ministry of Education and was able to reduce Portugal schools’ energy consumption by more than 33% by implementing Cisco EnergyWise Orchestrator. Brunel University is saving $143,908 per year thanks to energy control of power usage through EnergyWise.</p>
<p>Cisco’s Borderless Networks Green service offers a range of options to manage corporate and government energy consumption, and the value/cost savings that EnergyWise brings to IT business leaders today will continue to multiply as Cisco delivers more platforms and partner devices that can be monitored and managed from centralized management applications such as Cisco EnergyWise Orchestrator or LMS. While IT executives are implementing virtualization and collaboration applications based upon their own merit, much can be gained by viewing these IT projects through a green prism. For it’s the totality of device energy management along with business transformation collaborative applications and virtualization that may very well define a modern green business.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/10/lippis-report-159-cisco%e2%80%99s-borderless-green-network-service/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Lippis Report 158: Next Generation Network Security for Data Center Protections</title>
		<link>http://lippisreport.com/2010/10/lippis-report-158-next-generation-network-security-for-data-center-protections/</link>
		<comments>http://lippisreport.com/2010/10/lippis-report-158-next-generation-network-security-for-data-center-protections/#comments</comments>
		<pubDate>Tue, 05 Oct 2010 12:29:04 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[borderless networks]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Data Center]]></category>
		<category><![CDATA[Enterprise Virtualization]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[networking]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=3431</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>One significant trend that has emerged during the current business/economic cycle is that IT projects that reduce cost are winners. This savings trend is as strong as I have experienced in my twenty-five years within the IT industry. In particular,…</p>]]></description>
			<content:encoded><![CDATA[<div class="lippis_social_buttons">
</div>
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>One significant trend that has emerged during the current business/economic cycle is that IT projects that reduce cost are winners. This savings trend is as strong as I have experienced in my twenty-five years within the IT industry. In particular, it’s propelling data center consolidation, server virtualization and mobile computing projects. As enterprises consolidate data centers and miniaturize them with virtualization, cloud-computing providers are busy offering a new lower cost IT delivery economic model. In short, a new tier of computing has emerged where endpoint devices are mobile and applications are delivered via corporate data centers and cloud computing facilities. This new model of computing, which also increases convenience and productivity, is lacking in one important area: network security for both mobile endpoints and the ability of data center security appliances to keep up with application demand.</p>
<p><span id="more-3431"></span></p>
<p>And keeping up with application demand is one of the most challenging tasks IT business leaders are encountering. Not only has information demand skyrocketed during this business cycle but content in the form of web pages has become dynamic, where a single page request opens a multitude of connections pulling content from various sources to satisfy user expectations of real time information access. For example, a single web page request can easily spawn more than fifty network connections over physical and virtual infrastructure, placing extraordinary demands on network speed, latency, reliability and security. For the uninitiated, just point your browser to any of these sites—disney.com, cnn.com, nytimes.com, et al—and notice rich content in action. As the page is presented, it serves up video, photos, audio, rich text and more, all of which are pulled from various sources within a data center fabric over virtual and physical infrastructure. The calculus IT leaders are seeking to solve includes massive growth in information demand plus Brownian motion traffic flows, thanks to dynamic content, plus densely packed data centers, thanks to virtualization. Even with consolidation and virtualization, information/application demand is forcing the overall data center market size to expand from 108 million sq. ft. in 2009 to a projected 117 million sq. ft. by year end 2010, according to Frost &#038; Sullivan. Part of the solution to IT leaders’ calculus problem is found in a data center network fabric that supports millions of connections/sessions of east-west and north-south traffic flows securely.</p>
<p>To put the mobility trend into perspective, Apple sold over 3.3 million iPads in its first 3 months; the highest uptake of any endpoint device. Google activates 100,000 Android-based phones per day. Cisco recently announced its CIUS Android-based tablet for business use with tight links to its unified communications (UC) and videoconference systems. Every major UC provider will be offering similar devices while traditional computer vendors serve up Android-based tablets over the next few quarters. The iPad and Android tablets are a new tier of computing, which is driving users to access applications over mobile and wireless networks in addition to their wired and VPN networks.</p>
<p>And therein lies the rub. In today’s modern IT world, applications are being extended over multiple networks, e.g., wired, wireless, mobile and remote, where users shift their application access back and forth between these different network access methods and expect the same or consistent experience. Security is paramount to user experience and IT asset protection. While IT security executives have fortified their defenses of IT assets within corporate boundaries or perimeters, exponentially growing numbers of mobile endpoints being connected into corporate networks and data centers present significant security challenges that are unfortunately outside the control of IT.</p>
<p>The nature of mobile smart phone endpoints is to combine personal and business IT services, thereby creating a unique user experience. Part of that experience includes information access from a plethora of online destinations, such as public WIFI hotspots, SaaS applications, e.g., Salesforce.com, workday.com, netsuite.com, etc, corporate VPN, and a wide range of personal sites for social networking, banking, music, videos, news, communications, etc.  Therefore, for every employee equipped with a mobile endpoint, security vulnerabilities and threats are opened unless IT mitigates with network security.   Clearly mobile devices are becoming ubiquitous, and there are security solutions available, such as VPN support, data wipe after loss, cloud-based security services, etc. But mobile devices need a security solution that works in real time, meaning it’s always-on protection and provides comprehensive coverage.  </p>
<p>For example, mobile endpoints, and thus corporate assets, need to be protected from users accessing the corporate network from insecure home WIFI networks and hackers.  Internal applications need to be secured against attacks such as SQL injection/data leakage, request forgery/impersonation, cross site scripting/phishing, etc. SaaS access needs to be secure against unauthorized access, exposure from password reuse, layer 7 attacks and more. Also the same level of reporting for mobile users as wired users needs to be supported to assure activity/audit trail, regulatory compliance plus governance and reporting. In short, IT needs the same level of control over mobile endpoints as it does over devices within the corporate perimeter without ruining the mobile experience.</p>
<p><strong>Mobile Endpoint Policy and Enforcement</strong></p>
<p>The most important aspect of real-time mobile security is policy enforcement, as it places control of corporate asset and SaaS access back into the hands of IT. Not only does policy and enforcement mitigate threats from being transmitted from mobile endpoints onto corporate networks, it makes them safer devices, too, by providing a means to adhere to corporate policy as corporate devices, even though they are used for business and pleasure. This is important as many mobile devices are purchased by employees, part of the huge consumerization trend that has been building over the last five years. With IT able to administer policy with a means of enforcement, mobile devices can deliver personal and business IT services. Employees may purchase mobile devices, but if they require access to corporate IT, then the endpoint has to comply with corporate policy and IT needs a means to enforce such policy. In short, policy and enforcement enables IT to extend the corporate perimeter around mobile devices, creating a virtual perimeter around IT assets.</p>
<p>Consider the following example of policy and enforcement creating a virtual perimeter… A user may be accessing an SaaS application while at his/her desktop. This flow traverses the corporate firewall with associated policy and enforcement. When this user is outside the corporate perimeter, he/she could access the SaaS application directly without corporate policy or enforcement, opening vulnerabilities. However, with mobile policy and enforcement, this same user could access the SaaS application with the same policy, enforcement and protections as available when within the corporate perimeter, mitigating any vulnerability. Solutions to this usually require the mobile device to first pass through the corporate firewall or a security cloud service where IT controls policy before the user connects to the SaaS application.</p>
<p><strong>New Security Performance Demands</strong></p>
<p>With mobile endpoints under corporate IT policy and enforcement, this huge security vulnerability can now be managed and mitigated. At the same time that mobile devices are becoming ubiquitous, data center security appliances are failing to keep up with the huge demand for information and application access. As more compute power is concentrated into smaller spaces, traffic volume increases exponentially, and security appliances need to adjust accordingly.<br />
Consider how web sites serve up a rich media web page. Every time a user requests a webpage, its server typically needs to request 50 to 100 different objects just to display the one webpage requested. Now consider a data center with thousands of servers and five-thousand connections per second of requests each spawning 50 to 100 server requests. The backend east-to-west traffic flows between servers are one to two orders of magnitude larger than the north-to-south user request flows with the combination of both flows being immense.  </p>
<p><strong>New Firewall/IPS Performance Metrics Needed</strong></p>
<p>From a security point of view, not only is firewall throughput an important performance metric, but “connections per second” is becoming more important. A high number of “connections per second” supported assures IT that backend server flows are being screened without delaying user experience. In addition to the number of connections per second, another performance measurement is “maximum connections” supported per second to assure that the number of server-to-server flows to deliver a webpage can be securely delivered. The combination of throughput, connections per second and maximum number of connections can be defined as “true scale performance.” Typically a firewall can deliver hundreds of thousands of connections per second, but this is too slow for most demanding data centers by at least a factor of 2 to 3. Typical maximum number of simultaneous connections supported per firewall is around a few million, which is too low by at least a factor of 4 to 6. Also consider a more realistic throughput measurement other than a range of UDP packet sizes, which is common in the industry. Real world throughput performance numbers that represent a mixture of traffic profiles are a better measurement to assure that throughput quoted is throughput experienced.<br />
In addition to raw security performance, data center rack space too needs to be carefully managed, as IT executives quickly start running out of rack space as they consolidate. Security appliances need to reduce their footprint, as many appliances occupy 16 to 24 RU, or a half rack of space and more, consuming footprint, energy and cooling resources. Expect security appliances to start delivering on the above performance metrics at up to an 8th of their size or 2 RU high if not smaller.</p>
<p><strong>Threat Protection</strong></p>
<p>To assure this security infrastructure protects IT assets at the rate at which cybercriminals and hackers wish to penetrate it, the industry is serving up cloud-based threat protection. A few suppliers have launched cloud-based security services that collect anomalous data throughout the internet and corporate networks via sensors and analyze/correlate the anomalies with reputation scores; when a new exploit’s signature is detected, the cloud transmits mitigation code/signature updates to corporate IPSs. The speed at which this process takes place is a competitive differentiator. Those that send updates every five or so minutes have the best chance of mitigating exploits from cybercriminals, who tend to change IP address every hour to avoid detection. IT business leaders will know when cloud-based threat protection becomes highly reliable. It’s at that point that suppliers will start offering “guaranteed protection” that incorporates penalties to suppliers if protection is penetrated.<br />
Policy and enforcement of mobile devices creates a virtual perimeter while true scale performance enables security appliances to keep up with application demand and new traffic flow realities. Smaller security appliance footprint allows IT executives to maximize data center space while minimizing energy and cooling.  Cloud-based threat protection keeps the security infrastructure updated in near real time with signatures to mitigate threats throughout the corporate and virtual perimeter. In short, IT business leaders gain control and manage mobile security vulnerabilities while delivering applications to users securely at speed with small footprint consumption. Mobile, data center consolidation and virtualization plus cloud computing are powerful trends rooted in economic efficiency and increased information demand.  To maximize the value of these investments, a new security model is needed.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/10/lippis-report-158-next-generation-network-security-for-data-center-protections/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Lippis Report 157: The Problem with Application Delivery Appliances</title>
		<link>http://lippisreport.com/2010/09/lippis-report-157-the-problem-with-application-delivery-appliances/</link>
		<comments>http://lippisreport.com/2010/09/lippis-report-157-the-problem-with-application-delivery-appliances/#comments</comments>
		<pubDate>Thu, 23 Sep 2010 01:36:40 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[application acceleration]]></category>
		<category><![CDATA[Arista Networks]]></category>
		<category><![CDATA[Blue Coat]]></category>
		<category><![CDATA[borderless networks]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Citrix]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Data Center]]></category>
		<category><![CDATA[Enterprise Virtualization]]></category>
		<category><![CDATA[HP Networking]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[Juniper Networks]]></category>
		<category><![CDATA[networking]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=3400</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a><br />
<strong>Major IT Delivery Transitions IT Business Leaders Are Managing </strong><br />
Application owners and developers have been deploying and writing applications as if networks had no boundaries or were borderless. By “application owners” I mean IT departments chartered with IT application delivery…</p>]]></description>
			<content:encoded><![CDATA[<div class="lippis_social_buttons">
</div>
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a><br />
<strong>Major IT Delivery Transitions IT Business Leaders Are Managing </strong><br />
Application owners and developers have been deploying and writing applications as if networks had no boundaries or were borderless. By “application owners” I mean IT departments chartered with IT application delivery and management. By “application developers” I mean in-house corporate software developers, independent software vendors (or ISVs) and software companies. There has always been a disconnect between applications and network architects where developers write applications to run over a network as long as there is connectivity. In addition, service-oriented architecture (SOA) based applications call for greater application componentization, which increases messaging between application components, resulting in the network having a direct impact on application performance. In essence, application owners, developers and application standard bodies assume that networks are borderless as the industry is organized around the OSI model where knowledge and skills at one layer, e.g., the network is not necessarily taken into account at another layer, i.e., the application. Therefore, the normal state of affairs is that network designers have been tasked to optimize applications to improve user experience especially when the application was not written to run over a particular kind of network. This status quo does not scale and needs to be re-thought.</p>
<p><span id="more-3400"></span></p>
<p><strong>Business Drives Applications that Drive Computing that Drive Networking</strong></p>
<p>Every cycle of computing has brought with it this discontinuity between applications and networks with the possible exception of mainframe computing and SNA. Minicomputer applications designed for local ASCII terminal connections were extended over the Wide Area Network (WAN) and via virtual terminals. Client-server computing applications designed to run over Local Area Networks (LANs) were extended over the WAN. At first the internet was text based until the mid 1990s when the web was developed, bringing graphics, audio and video to a network that needed a massive upgrade to support new media rich applications.  </p>
<p>IT today is no different. Application developers are writing mobile applications at a frenzied pace thanks to Apple’s iPhone and iPad, Google’s Android, RIM’s Blackberry and now Cisco’s CIUS plus Avaya’s Flare, etc. Legacy enterprise applications are being extended to mobile platforms too with the assumption of a suitable network for delivery. At the same time, applications are being increasingly centralized into consolidated data centers creating greater distance between users and their applications plus data.  Some estimate that over 80% of enterprises have undergone a data center consolidation process, which is significant, but we are just at the beginning of the centralization trend. </p>
<p>Thanks to the economics and performance offered by server virtualization, much more consolidation will occur with associated challenges. For example, IT leaders require application tracking as applications are moved from Virtual Machine (VM) to VM as they tune/optimize their virtual infrastructure or respond to peak loads as well as manage VM failovers. In addition to virtualization, massive data centers we call cloud-computing facilities are being built to host applications at scale plus offer infrastructure, platform and other IT services. According to the Yankee Group, 56% of IT business leaders seek to take advantage of cloud-computing technology and build their own private cloud center while 24% seek a fully-managed cloud-computing facility. In the same study, 32% of IT business leaders will seek a hybrid cloud approach, that is, connect their private cloud to a service provider’s public cloud. While these market numbers are impressive, they could be much higher as IT leaders express that their top three concerns as they consider cloud services is application performance issues, according to IDC.</p>
<p>In addition to increased mobile and cloud-computing trends, video communications, both on-demand and real-time, have become the largest percentage of internet traffic type. In fact, Cisco Systems recently predicted that by 2014 video traffic will be greater than 94% of all global internet traffic!</p>
<p>This disconnect between applications and network architects will more than likely continue as application owners/developers/standards continue to view networks without borders and boundaries. However, for most network architects, there is no single network, but a wired network, wireless, campus, wide area, data center, branch office network, telecommuting network, mobile network, etc. In fact, most enterprises have a diverse infrastructure over which they are tasked to deliver applications, and those applications are expected to perform at high standards. The good news is that network designers and architects are starting to build borderless networks that anticipate unforeseen application changes, are equipped with a portfolio of application performance features and simplify deployment and management of IT services…more on this below.</p>
<p><strong>Application Performance Challenges</strong> </p>
<p>From the above discussion, it’s clear that enterprise-computing applications are being demanded and stretched over increasingly borderless networks. Consider that the number of small or remote offices and mobile employees is increasing significantly. It’s impossible to argue the mobile computing surge with over 3.3 million iPads shipped in the first three months of its launch, and new entrants such as Cisco and Avaya offering CIUS and Flare tablets, respectively, for business users. In addition, data centers are being consolidated with cloud computing, offering further consolidation and centralization of applications. Applications are changing too as developers add rich media features, and video becomes a dominant application type. Employees, customers, partners and suppliers will be accessing applications over ever-larger distances, via a plethora of endpoints and different networks.</p>
<p>To assure applications perform their task and deliver an excellent user experience, network architects and designers will be increasingly challenged with network capacity being taxed as a wider application portfolio competes for network resources.  Today’s model of application performance optimization is to implement appliances within remote sites and data centers, which increases certain application performance, but at the high capital and operational expense of increased network complexity. In addition to network capacity and complexity issues, latency or application transaction delay and how to efficiently utilize data center resources are challenges faced by network architects as they seek to maintain high application performance over a borderless network. Relating specific application transaction problems to network behavior to ascertain if a correlation exists is yet another challenge.</p>
<p><strong>Application Performance Creates Corporate Value </strong></p>
<p>At the center of application performance is corporate performance. The ability of IT leaders to respond to executive management directives is directly linked to corporate performance. Executive management may be challenged with a competitive threat or a new market opportunity, etc., requiring fast corporate response. IT leaders who can execute directives quickly have built an agile business capable of changing when markets or customers shift under them, placing their corporation in a better competitive position to serve its customers and prospects. For example, consider a retail store under competitive pricing pressure where executive management decides to respond with an alternative offer. IT may be able to display the new offer via digital signage quickly allowing the business to respond.  </p>
<p>Key to business agility is the IT attribute of rapid innovation absorption&#8211;that is, the capability to deploy new applications and technologies at the speed of business opportunity. Most IT infrastructures consist of innovation and features which are already in place, but IT organizations require knowledge, skills and tools to put them to work when needed.</p>
<p>A borderless network that is capable of application performance delivers these attributes of innovation absorption and business agility. In addition, IT resource utilization can be optimized, and most important to users is that they gain an excellent IT experience independent of geographic location, endpoint device or application, which in the end improves productivity.  </p>
<p>As an example of optimal resource utilization, consider Cisco’s ISR G2 branch office router that integrates unified communications, wide area application optimization, network security, LAN/WAN networking plus supports its AXP (or Application eXtension Platform), which runs applications at the branch office router. In one branch office, an IT manager can deliver networking, security, voice and video communications and host applications while gaining visibility to applications. This type of resource utilization not only saves on capital cost and energy spend, but offers IT operational efficiency, rapid application deployment and innovation absorption.</p>
<p>To gain the full value of corporate applications, their performance must deliver excellent user experience. An excellent experience should not only occur while working in the office or at home, but anywhere in between, even while talking on a mobile endpoint. Independent of geographic location, a user accessing his/her business services and/or personal services should be the same seamless experience. Application performance is key to excellent experience and should be consistently good whether sitting at a desktop watching a video or engaged in a Web conference, and then immediately transitioning to an iPhone for example. The user should have an excellent experience at the highest level afforded by his/her endpoint. To deliver this seamless user experience, application performance technology needs to be incorporated in corporate IT infrastructure, endpoint devices or a combination of both.</p>
<p>That is, networking silos need to become an integrated network without borders. For applications to offer the best possible user experience, application acceleration technology, used today as appliances or an overlay, needs to be integrated into the network fabric and into network operating systems. This technology, which has improved application delivery for specific applications, needs to become systemic and fully distributed throughout the network fabric. The integration or pervasiveness of application acceleration technology within networks and endpoints is its natural evolutionary next step. Over the next few months we’ll see vendors such as Cisco, HP Networking, Juniper, Riverbed, Citrix, Blue Coat, et al, start to deliver on this vision.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/09/lippis-report-157-the-problem-with-application-delivery-appliances/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Lippis Report 156: Why We Are Entering The Age of Borderless Networking</title>
		<link>http://lippisreport.com/2010/09/lippis-report-156-why-we-are-entering-the-age-of-borderless-networking/</link>
		<comments>http://lippisreport.com/2010/09/lippis-report-156-why-we-are-entering-the-age-of-borderless-networking/#comments</comments>
		<pubDate>Thu, 09 Sep 2010 15:01:34 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[Arista Networks]]></category>
		<category><![CDATA[borderless networks]]></category>
		<category><![CDATA[brocade]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Data Center]]></category>
		<category><![CDATA[Enterprise Virtualization]]></category>
		<category><![CDATA[Extreme Networks]]></category>
		<category><![CDATA[Force10 Networks]]></category>
		<category><![CDATA[HP Networking]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[Juniper Networks]]></category>
		<category><![CDATA[networking]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=3348</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Networking is entering a new phase or era.  During the 1990s, new networking markets opened up, creating multi-billion dollar opportunities for the vendor community and corporate cost savings for IT business leaders.  First, it was shared LANs and routing, then…</p>]]></description>
			<content:encoded><![CDATA[<div class="lippis_social_buttons">
</div>
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Networking is entering a new phase or era. During the 1990s, new networking markets opened up, creating multi-billion dollar opportunities for the vendor community and corporate cost savings for IT business leaders. First, it was shared LANs and routing, then switched LANs, then Frame Relay to speed up WANs, then SNA over IP, then remote access via dial-up and VPN, then MPLS, then IP telephony, then Wireless LANs etc… and now, it’s video and cloud networking. You get the picture. But what we didn’t realize as we built these networks is that they are silos with disparate management systems and unique access methods, resulting in operational cost overlap and, most importantly, user frustration as they transition application use from desktop, to mobile endpoint, to remote endpoint. In short, we built boundaries around applications in the form of networks, and it is the dismantling of these borders that vendors are now starting to deliver and differentiate upon. It’s not just Cisco that communicates borderless networks, but HP Networking, Juniper, Brocade, Extreme, Avaya, Force10 and others too. Why the industry is entering a new age of borderless networking, and what’s in it for IT business leaders, is explained in this Lippis Report Research Note.<br />
<span id="more-3348"></span></p>
<p>As each new wave of computing entered corporate IT departments, a new set of networking requirements arose.  To connect remote 3270 terminals via SNA to mainframes, IT implemented an analog multipoint wide area network or WAN.  To connect remote ANSI terminals to minicomputers, IT departments implemented pools of dial-up modems and private line WANs.  To connect personal computers (PCs) via Client-Server computing, IT departments implemented Local Area Networks or LANs via LAN switches, which we now call wired connections.   To connect multiprotocol LANs over the corporate WAN, IT departments implemented routed networks.  To gain access to LAN based applications while remote, IT departments implemented Virtual Private Networks or VPNs.  And, as computing and applications go mobile, IT has been implementing Wireless Local Area Networks or WLANs.  In short, each network was deployed to service a certain computing style and application set.  These networks are silos, and with advances in technology, IT business leaders can now design one borderless network to provide a broad array of common access methods to support a plethora of endpoints and applications.</p>
<p>Siloed networking frustrates users, as each access network performs differently depending upon its access method. Siloed networking also frustrates IT, as each siloed network has its own management system creating inefficient IT operations.  In addition, siloed networking does not meet today’s IT “any access” requirements.  </p>
<p>There are boundaries or silos that need to be broken down in many places of the network.  In today’s modern IT world, applications are being extended over multiple networks, e.g., wired, wireless, cellular, remote, virtual, etc., where users need to shift their application access back and forth between these different network access methods and expect the same or consistent experience.  In short, networks need to be borderless so that applications can be accessed independent of the network entry point and IT operations can be efficient.  This “any access” trend is accelerating as IT business leaders seek to connect not only traditional desktops and laptops, but smartphones, notebooks, tablets, iPads, cameras and building control systems into a common general purpose network that supports multiple logical network topologies.</p>
<p>Crossing purpose-built silos is difficult for applications, as bandwidth and quality of service issues limit application portability and thus their usefulness.  These different access methods offer limited consistency, resulting in frustration when users shift application access from desktop to mobile smartphone to VPN and back again.  </p>
<p>And this shifting of application access between different networks and endpoints is only going to increase.  Apple sold over 3.3 million iPads in its first 3 months, the highest uptake of any endpoint device.  Google activates 100,000 Android based phones a day.  Cisco recently announced its CIUS Android-based tablet for business use with tight links to its unified communications (UC) and videoconference systems.  Every major UC provider will be offering similar devices while traditional computer vendors serve up Android-based tablets over the next few quarters.  The iPad and Android tablets are a new tier of computing which will drive users to access their applications over mobile and wireless networks in addition to their desktop and VPN networks.</p>
<p>If IT business leaders are unable to get ahead of this curve and think of network access from an architected and unified design point of view, then, unfortunately, their users will be more frustrated and their IT costs higher than others’.  Siloed networks are friction points as they create boundaries between network access types, degrading user experience, which results in decreased productivity and increased IT operational cost.  The result is a high total cost of ownership and less than optimal user experience, and thus decreased corporate productivity.  The status quo of siloed networking is about to change.</p>
<p><strong>Cisco’s Borderless Network Architecture</strong></p>
<p>From a design point of view, borderless networking requires three core attributes: 1) reliability, 2) security and 3) seamlessness.  Cisco was the first to articulate a vision for borderless networks, which has resonated with IT business leaders as it represents a solution to their pain.  For example, Cisco’s borderless network architecture is built upon five services: 1) mobility or users in motion, 2) Energy efficiency called EnergyWise, 3) integrated network security via its TrustSec architecture, 4) application performance and 5) video management, control and distribution via its MediaNet.   These borderless network services are built within switching, routing, security, wireless and wide area application services or WAAS infrastructure products.  It’s the integration of these services into existing network infrastructure and their control via policy and management that enable a borderless experience to occur.</p>
<p><strong>Juniper’s New Network</strong></p>
<p>But Cisco is not the only supplier to grasp the problem siloed networks create.  Juniper Networks is working to a similar end, albeit it hasn’t articulated it well.  It provides VPN, LAN Switching, mobile security through its acquisition of SMobile and is working toward a flat cloud Ethernet fabric through its project Stratus and New Network initiatives.   For example, Juniper plans to integrate SMobile security into its JUNOS Pulse endpoint software for network connectivity and acceleration breaking down the boundary between LAN based and mobile network access.</p>
<p><strong>HP Networking’s Converged Infrastructure</strong></p>
<p>When HP Networking launched its comprehensive network portfolio in April of this year, it emphasized the elimination of network silos. The HP Networking portfolio strives to eliminate redundant equipment by integrating wired and wireless environments with security from edge to core.  From an IT operations perspective, this translates into a “single pane of glass” for management, configuration, deployment and monitoring of these networks as if they were one.  HP Networking hopes to implement common policy management to reduce human error in network operations while creating a consistent user experience across access mediums.</p>
<p><strong>Brocade One</strong></p>
<p>Brocade has jumped on the borderless bandwagon also in June of this year with the introduction of its “Brocade One”.  Brocade One emphasizes the convergence of wired, wireless and cellular networking to offer a seamless user experience.    In addition, Brocade One describes its view of a simplified virtualized data center network fabric that scales to cloud spec.   In essence, Brocade One is about eliminating the boundaries around wired, wireless and data center networking.</p>
<p><strong>Arista Networks’ VM Tracer</strong></p>
<p>Arista Networks doesn’t use the terminology of borderless networking either, but its recent VM Tracer strives to eliminate the boundaries between physical and virtual networking environments.  VM Tracer does this by being integrated into Arista’s EOS linking Arista switches to VMware&#8217;s vCenter.  This linkage creates an adaptive infrastructure in which the network responds to changes in the VM network while also providing complete visibility into the virtual machine network. </p>
<p><strong>Extreme’s DirectAttach</strong></p>
<p>Extreme Networks has focused on removing two network boundaries: the wired and wireless boundary and the physical to virtual network boundary.  For the latter, Extreme has introduced its Direct Attach approach to data center networking that eliminates the virtual switch layer, simplifying the network and improving performance. </p>
<p><strong>Force10’s Open Automation </strong></p>
<p>Force10’s focus in eliminating boundaries is in the data center between physical and virtual networks. Force10’s Open Automation initiative seeks to align dynamic data center changes with network configuration and policies, a huge barrier to virtualized data center management and scale.</p>
<p>While each of the above suppliers is at a different point in its borderless network initiative, the direction is clear.  The boundaries between siloed networks are coming down, be it in the data center, campus, branch office or home.  For IT business leaders this means simplified operations and management, as a key attribute is the “single pane of glass” approach to network management for siloed networks.  The big surprise and delight will be found in enhanced user experience, as borderless networking strives to deliver a common access method for all networking types while enabling applications to be extended across a plethora of different endpoints, depending upon endpoint capabilities and network resources.  </p>
<p>In essence, borderless networking’s value proposition is that it enables a corporation to be more adaptive or agile while increasing user experience and reducing operational cost.  With the majority of IT business leaders trading off reductions in operational spend for an increase in capital expenditure, borderless networking is the right solution at the right time.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/09/lippis-report-156-why-we-are-entering-the-age-of-borderless-networking/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Lippis Report 155: The Two-Tier High-End Data Center Ethernet Fabric Network Gains Steam</title>
		<link>http://lippisreport.com/2010/08/lippis-report-155-the-two-tier-high-end-data-center-ethernet-fabric-network-gains-steam/</link>
		<comments>http://lippisreport.com/2010/08/lippis-report-155-the-two-tier-high-end-data-center-ethernet-fabric-network-gains-steam/#comments</comments>
		<pubDate>Tue, 24 Aug 2010 17:45:14 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[100GbE.]]></category>
		<category><![CDATA[10GbE]]></category>
		<category><![CDATA[40GbE]]></category>
		<category><![CDATA[Arista Networks]]></category>
		<category><![CDATA[brocade]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Data Center]]></category>
		<category><![CDATA[Enterprise Virtualization]]></category>
		<category><![CDATA[Extreme Networks]]></category>
		<category><![CDATA[FabricPath]]></category>
		<category><![CDATA[Force10 Networks]]></category>
		<category><![CDATA[HP Networking]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[Juniper Networks]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[three-tier network]]></category>
		<category><![CDATA[two-tier network]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=3326</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>It hasn’t been since the mid 1990s that the networking industry was focused on multi-protocol integration or convergence.  But the industry is gearing up for a major innovation and competitive cycle fueled by the multi-billion dollar addressable market for data…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>It hasn’t been since the mid 1990s that the networking industry was focused on multi-protocol integration or convergence.  But the industry is gearing up for a major innovation and competitive cycle fueled by the multi-billion dollar addressable market for data center network fabrics.  Over the last eighteen months, every major Ethernet infrastructure provider has been talking about two and three tier network fabrics for high-end data centers.  </p>
<p>Companies such as Cisco, Arista Networks, HP/3Com, Force10, Voltaire, Extreme, Brocade, Juniper et al have announced network fabrics for data centers with five thousand and more servers with and without storage enablement.  Juniper talks of a one-tier fabric through their Project Stratus work with IBM to be available some time in the future.  Brocade recently introduced its Brocade One, which is a converged data center fabric.  Extreme Networks launched its DirectAttach™ that eliminates virtual plus blade switch layers.  HP has FlexFabric, a virtualized fabric for the data center.  Cisco launched its FabricPath Switching System or FSS for the Nexus 7000 that enables massive scale of a two-tier fabric.  </p>
<p>In this Lippis Report Research Note, we review the architectural attributes of two tier network fabrics.</p>
<p><span id="more-3326"></span></p>
<p>The IT industry is at an inflection point as service delivery is becoming more and more centralized thanks to data center consolidation, virtualization, cloud and mobile computing.  It is estimated that a third of all IT spend is concentrated in the data center, and this trend is only building thanks to favorable economics, motivating IT business leaders to centralize IT delivery.  </p>
<p>The impact of this trend is more and more dense data centers made up of servers in the thousands to tens of thousands and higher.  It is at the scale of 5,000 plus servers that a new network fabric is required for high-end data centers.  High-end data center design is challenged with increasing complexity, the need for greater workload mobility and reduced energy consumption.  Traffic patterns have also shifted significantly, from primarily client-server flows, commonly referred to as north-to-south, to a combination of client-server and server-server, or east-to-west plus north-to-south, streams.  These shifts have wreaked havoc on application response time and end user experience, since the network is not designed for these Brownian motion type flows.</p>
<p>The main requirements for high-end data center network fabric are low latency, large flat layer 2 domains to enable workload mobility, low power consumption, simplicity of design and significant bandwidth.  Storage enablement, meaning consolidated I/O or virtualized I/O, is a growing priority, and a new fabric that can support Fibre Channel over Ethernet, iSCSI over Ethernet, iWARP over Ethernet or Infiniband over Ethernet is a major plus.  One salient observation is that Ethernet is clearly the network fabric of choice, as it is the only network protocol that enjoys continual innovation such as TRILL, Data Center Bridging, IEEE’s 802.1AQ, link aggregation, multi-pathing and, as recently ratified by the IEEE, 40 Gbs and 100 Gbs speeds.  </p>
<p>With the above requirements in mind, let us review data center network design options.</p>
<p><strong>Three Tier Data Center Fabric</strong></p>
<p>A three-tier network architecture is the dominant structure in data centers today and will likely continue as the optimal design for many networks.  For most network architects and administrators, this type of design provides the best balance of asset utilization, layer 3 routing for segmentation, scaling and services, plus efficient physical design for cabling and fiber runs.  By three tiers we mean access switches/Top-of-Rack (ToR) switches, or modular/End-of-Row (EoR) switches, that connect to servers and IP based storage.  These access switches are connected via Ethernet to aggregation switches.  The aggregation switches are connected into a set of core switches or routers that forward traffic flows from servers to an intranet and internet, and between the aggregation switches.  It’s common in this structure to over-subscribe bandwidth in the access tier and, to a lesser degree, in the aggregation tier, which can increase latency and reduce performance.  Inherent in this structure is the placement of layer 2 versus layer 3 forwarding, that is, Virtual Local Area Networking or VLANs and IP routing.  Also common is that VLANs are constructed within access and aggregation switches, while layer 3 capabilities in the aggregation or core switches route between them.  </p>
<p>But it is within the high-end data center market, where the number of servers is in the thousands to tens of thousands plus and where north-south plus east-west traffic is significant, that a new structure is needed.  It is within these data centers that applications need a single layer 2 domain.  </p>
<p><strong>Two-tiers of network fabric</strong></p>
<p>A two-tier fabric is designed with two kinds of switches: one that connects servers, and a second that connects switches, creating a non-blocking, low latency fabric.  In short, there are server facing and fabric facing switches.  We use the term ‘leaf’ switch to denote server facing or connecting switches and ‘spine’ to denote fabric facing switches, that is, switches that connect leaf switches into the fabric.  Together, leaf and spine switches create the fabric. </p>
<p>Many IT leaders in Global 2000 firms will have deployed both two and three tier network structures, as different deployment models are used for different applications.  For these leaders, a network equipment supplier that possesses product architecture flexibility, meaning an end-to-end product solution that accommodates two and three tier fabrics, would be advantageous.  This flexibility is found in products that support layer 2 and layer 3 forwarding, as well as a variety of line cards to offer design options.  </p>
<p>A common network Operating System (OS) across products configured for two and three tier structures is important, as IT operations gain efficiency in managing fabrics when configuration and management are consistent.  In addition, a common network OS offers rapid absorption of innovation to IT operations, as new OS features are available at the same time to all fabrics.  Using a common product set to build two or three tier fabrics offers value around operational efficiency, training, sparing and ease of evolution between fabric deployments.  In short, the network fabric needs to be simple and general purpose versus purpose built, which a common set of products creating two or three tier fabrics offers. </p>
<p><strong>A Unified/Converged Fabric</strong></p>
<p>The concept of a unified fabric is to virtualize data center resources and connect them through a high bandwidth network that is very scalable, high performance and enables the convergence of multiple protocols onto a single physical network.  These IT resources are compute, storage and applications, which are connected via a network fabric.  In short, the network is the unified fabric and the network is Ethernet.</p>
<p>The industry tends to focus on storage transport over Ethernet as the main concept behind a unified/converged fabric, with technologies such as Fibre Channel over Ethernet or FCoE, iSCSI over Ethernet, iWARP over Ethernet and even Infiniband over Ethernet.  But this is a narrow view of a unified/converged fabric, one which is being expanded thanks to continual innovation of Ethernet by the vendor community and standards organizations such as the IEEE and IETF.   </p>
<p>Ethernet innovations such as FCoE, Data Center Bridging or DCB, IETF’s Transparent Interconnection of Lots of Links or TRILL, CEE or Converged Enhanced Ethernet, link aggregation, IEEE’s 802.1AQ have enhanced Ethernet networking to support a wide range of new data center fabric design options.  In addition to these protocol enhancements, the IEEE has ratified its work on defining 40Gb and 100Gb Ethernet, significantly increasing Ethernet’s ability to scale bandwidth.  To demonstrate how Ethernet is evolving to be the unified fabric for high-end data centers, we explore Cisco’s new FabricPath Switching System innovation in this <a href="http://www.lippisreport.com/?p=3177">white paper</a>.  </p>
<p>The decision to implement a two or three tier network structure comes down to scale.  For high-end data centers, a two-tier structure meets the requirements of low latency, movable workloads, scale, simplicity, etc.  Many global 2000 concerns will have deployed both a two and three tier network fabric for their high end and less dense data centers.  </p>
<p>When shopping for network equipment to construct two and three tier network fabrics, look for suppliers that support both rich Layer 3 routing services and scalable Layer 2 Ethernet capabilities to ensure choice and flexibility of three tier and scalable two tier fabric implementations.  Such suppliers offer products that can be configured in multiple use cases and topologies where modules are inter-changeable, skills transferable and operations common between both fabric approaches.</p>
<p>But make no mistake about it, it’s a two-tier network fabric that IT business leaders and data center architects have gravitated toward for high performance computing, cloud scale data centers and just plain high end data centers of 5,000 and above servers.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/08/lippis-report-155-the-two-tier-high-end-data-center-ethernet-fabric-network-gains-steam/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Lippis Report 154: Is Networking Too Rigid?</title>
		<link>http://lippisreport.com/2010/08/lippis-report-154-is-networking-too-rigid/</link>
		<comments>http://lippisreport.com/2010/08/lippis-report-154-is-networking-too-rigid/#comments</comments>
		<pubDate>Wed, 11 Aug 2010 00:14:58 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[Arista Networks]]></category>
		<category><![CDATA[BLADE]]></category>
		<category><![CDATA[brocade]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Data Center]]></category>
		<category><![CDATA[Enterprise Virtualization]]></category>
		<category><![CDATA[Extreme]]></category>
		<category><![CDATA[HP]]></category>
		<category><![CDATA[infrastructure 2.0]]></category>
		<category><![CDATA[internet]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[Juniper]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[two-tier network]]></category>
		<category><![CDATA[Voltaire]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=3308</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Networking has become “rigid”. Yes I know it’s almost absurd to attribute inflexibility or rigidity to networking. Look what TCP/IP has done for us. There are nearly 2 billion people connected to the internet and according to the Internet World…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Networking has become “rigid”. Yes, I know it’s almost absurd to attribute inflexibility or rigidity to networking. Look what TCP/IP has done for us. There are nearly 2 billion people connected to the internet and, according to Internet World Stats, the internet user growth rate increased by 380% between 2000-2009. With 2 billion people and growing online, accessing a plethora of applications via a wide range of end-points, there is no doubt that the internet and TCP/IP have been a much bigger success than anyone would have imagined back in the early ’90s. But there’s always a give and take between computing and networking where one drives and changes the other. Right now we are in a compute innovation cycle that’s driving a fundamental change in networking which screams out the need for more flexibility.</p>
<p><span id="more-3308"></span></p>
<p>Sure, networking has increased from a bandwidth point of view and the IETF has added new protocols and network services, but it hasn’t kept up with compute innovation.  As data centers pack more compute power and operating systems (OS) per physical server, thanks to virtualization, the need to move containers of OS plus applications and data around has skyrocketed.  In addition, traffic patterns have shifted tremendously as client-server or north-south flows are layered on top of server-server or east-west flows.  And yes, there are new networking approaches being offered by vendors and standards organizations such as Cisco’s FlexPath, Juniper’s Stratus, Brocade’s VCS, Extreme’s Direct Attach, Force 10’s Open Automation, Arista’s Multi-Chassis Link Aggregation, BLADE’s Unified FabricArchitecture, the IETF’s TRILL and LISP and IEEE’s 802.1AQ, but these may be short term solutions to a much bigger networking problem.</p>
<p>Computing has always driven network design, as mainframes drove SNA and analog multi-point wide area networks (WANs) during the ’70s. Mini-computers drove peer-to-peer networking protocols like DECnet, OSI and TCP/IP in the ’80s. Client-Server computing drove LANs and TCP into the mainstream in the early ’90s. The Web drove the internet in the 2000s, and now server virtualization and cloud computing are once again changing fundamental networking requirements to make them more flexible.</p>
<p>The rigid label is a powerful one as it creates frustration by not addressing or enabling new business processes. Every time a network protocol or architecture was labeled as too rigid it was replaced and in the process a new market emerged on the scale of tens of billions of dollars. SNA was labeled as too rigid to support peer-to-peer networking. The T1 multiplexer market of the late ’80s and early ’90s was too rigid to support data traffic and thus routing replaced it. The PSTN and TDM were too rigid as they doled out bandwidth in 56Kbs chunks and were unable to support internet and VoIP traffic. The national entertainment network is rigid too as it doesn’t support two-way communications and it also will be replaced slowly but surely.</p>
<p>So where is networking not flexible enough? It’s in virtualized data centers. Some analyst groups estimate that 30% of workloads are virtualized and increasing. Since virtualization or a VM is the new atomic layer of data centers, networking is falling short in public as well as private clouds. Ideally, all resources (compute, storage, and networking) would be pooled, with services dynamically drawing from the pools to meet demand. Virtualization techniques have succeeded in enabling processes to be moved between machines, but constraints in the data center network continue to create barriers that prevent agility, for example, VLANs, ACLs, broadcast domains, Load Balancers, Firewall/IPS Security settings and service-specific network engineering.</p>
<p>The well understood problem is that when a VM is moved from one physical machine to another, the network, load balancers, firewalls/IPS, broadcast domains, etc., have to be reconfigured. There is no automation in place, meaning that the network is not flexible or agile enough to make the changes required. Now this problem has scale to it, as it’s a growing requirement of both IT executives managing corporate IT assets and service/cloud providers.</p>
<p>There are market solutions available today and more are coming that address “network automation” which enable the network to reconfigure itself as a VM and/or workload is moved within a data center. Cisco’s Nexus 1000V, HP Network Automation software and its Virtual Connect approach, Force 10’s Open Automation, Blade Network Technologies VMReady Network Virtualization, Arista Network’s Virtualized Extensible Operating System or vEOS and others are addressing the problem of network agility or lack thereof in virtualized environments.</p>
<p>But the problem gets bigger and more complex when distance and cloud provider entities become engaged. None of the solutions above address moving a VM from one physical server to another over a large distance, be it around town, across state lines, across the country or the globe. Some are using IF-MAP as a registry, sort of like Facebook for computers that publish their resources, and use this information to automate network configuration to support large distance VM moves.</p>
<p>The problem gets larger yet when workloads move from a private cloud to a public cloud. (Definition note: There is no single definition of a workload, so for my purpose here I assume a container including a VM and associated applications and data that can be moved as simply as drag and drop or some other string of instructions). In short, all the software that is needed to compile and run an application for a set of users is a workload. The network inflexibility problem grows even larger when moving workloads between public clouds.</p>
<p>Now is this a real problem? You bet it is. Consider the value also of portable or mobile workloads to Enterprise and service providers. Workload mobility means capacity on demand, business continuance, and disaster recovery, etc. In addition, as IT leaders explore public and private cloud alternatives, they will want to move workloads from their data center to a provider’s and move the workload back when and if required. For reasons of security and trust, IT business leaders will demand mobility. For example, if your cloud provider goes bankrupt, then you will want to move your workload out quickly. If your cloud provider’s performance drops again then you could move your workload out. If your cloud provider is the target of a terrorist attack or is turned into a large botnet then you can move your workload out.</p>
<p>In addition to security and peace of mind, mobile workloads will fundamentally change IT delivery, capital structure and most importantly business models and processes. Once IT can move workload anywhere in their data center, across their data centers or to a provider they have tiered with, the question becomes when and how fast does IT move workload? If IT can perform all the provisioning in software and enable workload moves to occur transparently and safely with address, identity, security preservation, enabled trust, control and interoperability across providers, then the question is when does IT need to move workload? This level of mobility is an industry-wide initiative as it offers significant and material business value. Business value is created as IT could move workload in a follow-the-sun model, following the lowest cost per kilowatt-hour model; workload could move to avoid a disaster, or for capacity on demand, or for lowest cost of workload execution, etc.</p>
<p>So how can data center networks become more flexible? A key element of the solution is agility or the ability to dynamically grow and shrink resources to meet demand and to draw those resources from the most optimal location. Today, the network stands as a barrier to agility and increases the fragmentation of resources, which leads to low server utilization and prevents portable or mobile workloads.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/08/lippis-report-154-is-networking-too-rigid/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Lippis Report 153: Why Ethernet will be the dominant Two Tier High End Data Center Network Fabric</title>
		<link>http://lippisreport.com/2010/07/lippis-report-153-why-ethernet-will-be-the-dominant-two-tier-high-end-data-center-network-fabric/</link>
		<comments>http://lippisreport.com/2010/07/lippis-report-153-why-ethernet-will-be-the-dominant-two-tier-high-end-data-center-network-fabric/#comments</comments>
		<pubDate>Tue, 27 Jul 2010 23:32:21 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[100GbE.]]></category>
		<category><![CDATA[10GbE]]></category>
		<category><![CDATA[40GbE]]></category>
		<category><![CDATA[Arista Networks]]></category>
		<category><![CDATA[BLADE]]></category>
		<category><![CDATA[brocade]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Data Center]]></category>
		<category><![CDATA[Enterprise Virtualization]]></category>
		<category><![CDATA[Extreme]]></category>
		<category><![CDATA[FabricPath]]></category>
		<category><![CDATA[HP]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[Juniper]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[two-tier network]]></category>
		<category><![CDATA[Voltaire]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=3276</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>In Lippis Report 151: A Two or Three Tier High-End Data Center Ethernet Fabric Architecture? we detailed the new two tier data center Ethernet fabric that is becoming conventional wisdom amongst business leaders of high end data centers and cloud…</p>]]></description>
			<content:encoded><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>In Lippis Report 151: A Two or Three Tier High-End Data Center Ethernet Fabric Architecture? we detailed the new two tier data center Ethernet fabric that is becoming conventional wisdom amongst business leaders of high end data centers and cloud computing service providers.  The networking industry is headed for a major innovation and competitive cycle fueled by a multi-billion dollar addressable market for data center network fabrics.   Over the last eighteen months, every major Ethernet infrastructure provider has announced or taken a position on two tier network fabrics for high-end data centers.  Companies such as Cisco, Arista Networks, Force10, Voltaire, HP/3Com, Juniper, Extreme, Brocade, BLADE Network Technology, et al have announced network fabrics for data centers with two thousand and more servers that either support storage enablement or not.  In this Lippis Report Research Note, we review why it is Ethernet that will be the network fabric of high performance computing or HPC and cloud computing deployments.</p>
<p><span id="more-3276"></span></p>
<p>For high-end data centers, HPC plus private and public cloud computing networks connecting thousands of servers, a new set of requirements has emerged. Low latency and high performance are the two driving requirements. Yes, there are more, especially when the fabric needs to enable converged storage, but let’s focus on latency and performance for now. Traditional three tier (server access, distribution and core) fabrics, designed primarily for north-south traffic flows, that is, client-server computing, utilized spanning tree protocol (STP) and slower speed Ethernet (100Mbs to 1Gbs). Thanks to web 2.0, mash-ups and social networking sites, east-to-west or server-server traffic flows have spiked, requiring networks to support both north-south and east-west flows.</p>
<p>As most network engineers know, STP was designed to avoid loops that confused Ethernet as it was designed as a bus topology. STP shuts down redundant links between common switches to maintain the bus. Therefore, connecting access switches to distribution switches utilizing STP would require that network engineers over-subscribe the links between switches as only half of the bandwidth could be used. Oversubscription would also create blocking of packets between points. To avoid this design, nearly every major switch manufacturer offered link aggregation, that is, the ability to shut off STP and aggregate links between switches. While this was and is a benefit, the down side has been that vendors only offered the ability to aggregate two links, which still drove oversubscription and blocking.</p>
<p>Recently, industry players such as Cisco and Arista Networks have offered the ability to scale up aggregation of links from 16 to 32, while at the same time delivering multipathing that allows packets to be forwarded across multiple links to arrive at their intended destination. Switch-processing capacity to support these massive inter-switch links has been increased too. These design changes, along with Ethernet’s innovation march, have ushered in the two-tier network design fabric option.</p>
<p>A two-tier fabric is designed with two kinds of switches: one that connects servers and a second that connects switches, creating a non-blocking, low latency fabric. We use the term ‘leaf’ to denote server connecting switches and ‘spine’ to denote switches that connect leaf switches. Together a leaf and spine architecture creates the network fabric.</p>
<p>In late June 2010, Cisco announced its FabricPath Switching System or FSS and its F-Series modules, which support 32 ports of auto-sensing 1/10GbE and are essentially for server access and aggregation. FabricPath provides a new level of bandwidth scale to connect Nexus switches and delivers a new fabric design option with unique attributes for IT architects and designers. FabricPath is an NX-OS innovation, meaning that its capabilities are embedded within the NX-OS network OS for the data center. FabricPath essentially is multipath Ethernet: a scheme that provides high throughput, reduced and more deterministic latency, and greater resiliency compared to traditional Ethernet.</p>
<p>FabricPath combines today&#8217;s layer 2 or Ethernet networking attributes and enhances them with layer 3 capabilities. In short, FabricPath brings some of the capabilities available in routing into a traditional switching context. For example, FabricPath offers the benefits of layer 2 switching such as low cost, easy configuration and workload flexibility. What this means is that when IT needs to move VMs and/or applications around the data center to different physical locations, it can do so in a simple and straightforward manner without requiring VLAN, IP address and other network reconfiguration. In essence, FabricPath delivers plug and play capability, which has been an early design attribute of Ethernet. Further, large broadcast domains and storms inherent in layer 2 networks that occurred during the mid 1990s have been mitigated with technologies such as VLAN pruning, Reverse Path Forwarding, Time-to-Live, etc.</p>
<p>The layer 3 capabilities added to FabricPath deliver scalable bandwidth allowing IT architects to build much larger layer 2 networks with very high cross-sectional bandwidth eliminating the need for oversubscription.  In addition, FabricPath affords high availability as it eliminates STP, which only allows one path and blocks all others, and replaces it with multiple paths between endpoints within the data center. This offers increased redundancy as traffic has multiple paths in which to reach its final destination. </p>
<p>FabricPath employs routing techniques such as building a route table of different nodes in a network. It possesses a routing protocol, which calculates paths that packets can traverse through the network. What is being added to FabricPath is the ability for the control plane or the routing protocols to know the topology of the network and choose different routes for traffic to flow. Not only can FabricPath choose different routes, it can use multiple routes simultaneously so traffic can span across multiple routes at once. These layer 3 features enable FabricPath to use all links between switches to pass traffic, as STP, which would shut down redundant links to eliminate loops, is no longer used. This yields incremental levels of resiliency and bandwidth capacity, which is paramount as compute and virtualization density continue to rise, driving scale requirements up.</p>
<p><strong>Designing A 160 Tbps Data Center Fabric</strong></p>
<p>As an example of how multi link aggregation, the elimination of STP, high switching capacity and 10GbE connections create a highly scalable two-tier layer 2 Ethernet fabric, we use Cisco’s FSS and its F-Series module in the Nexus 7000. The following details the design of a 160 Tbps switching fabric with FabricPath and the F-Series module for high performance data centers using Cisco’s Nexus 7000 switches. This architecture can support over 8,000 servers connected at 10GbE or 4,000 servers dual homed at 10GbE with attributes of being non-blocking, low latency (5 microseconds), high bandwidth, reliability, plus simplicity of workload movement.</p>
<p>To build a 160 Tbps two-tier fabric, thirty-two Nexus 7018 switches populated with F-Series 10GbE modules would connect servers. These thirty-two switches are leaf switches. Each leaf chassis provides 256 10GbE ports to connect servers and another 256 10GbE ports to connect into spine switches. Therefore, each leaf is directly connected to each spine with sixteen FabricPath ports at 10GbE, equaling a total of 256 10GbE ports for each leaf switch. There are sixteen spine switches, each accepting 512 10GbE FabricPath ports. A single leaf chassis connects 256 10GbE ports into the spine, equaling approximately 2.5 Tbps. Multiplying each leaf’s contribution by thirty-two yields 80 Tbps. As Ethernet is full-duplex, the total fabric switching capacity is 160 Tbps. Therefore, 160 Tbps of switching fabric is available across all thirty-two leaf chassis. As 256 10GbE server ports equal 2.5 Tbps, and 16 FabricPath links to each one of sixteen spine switches also yield 2.5 Tbps, the fabric is non-blocking.</p>
<p>As for layer 2 and layer 3 forwarding, the job of the spine is to forward packets from leaf switches at layer 2, creating a single tier fabric. A key attribute of this architecture is that the 16-way FabricPath links use Equal Cost Multipathing or ECMP. 16-way FabricPath ECMP provides two benefits: 1) it delivers more paths for traffic to flow, which increases available bandwidth in the fabric, and 2) as they&#8217;re distributed across all switches, diversity of routes is enabled to distribute packet forwarding. In essence, what 16-way FabricPath ECMP provides is a very low latency, high bandwidth approach to supporting both north-to-south and east-to-west traffic flows simultaneously.</p>
<p>While the above is a Cisco deployment example, Arista’s new 7500 series of Ethernet switches support 6 Billion packets per second at wire speed. The 7500s can be configured into a massive two-tier network fabric thanks to its support of 32 port MLAG (Multi-Chassis Link Aggregation), affording the connection of 18,000 to 30,000 servers.</p>
<p>Ethernet continues to evolve. The IEEE recently ratified the 40 and 100 GbE standard with vendors such as Force10, Cisco, Arista, Extreme, BLADE, Brocade, Voltaire, HP et al announcing support and scheduling product delivery. While the above two-tier network example provides the perspective from the large switch provider, below is the perspective of BLADE Network Technologies, a company focused on server connectivity.</p>
<p>BLADE Network Technologies believes that as Ethernet delivers new levels of speed and intelligence, it will be the dominant two-tier network fabric for high-end next-generation data centers.<br />
For many applications, low latency is a key requirement, and latency is an area where two-tier networks excel. Studies of stock trading exchanges have shown that tens of milliseconds of delay in data delivery can represent a ten percent drop in revenues, and delays of even five microseconds per trade can cost hundreds of thousands of dollars. Industry-specific requirements for uncompressed data and end-to-end deterministic latency within tens of microseconds make attaining such performance even more difficult. These factors have combined to make raw switching speed a top priority, and today’s best-of-breed 10 Gigabit Ethernet switches can operate with under 700 nanoseconds of port-to-port latency while consuming a minuscule amount of power equivalent to that of standard light bulbs.</p>
<p>As next-generation networks get flatter – driven by latency and bandwidth requirements – emerging Layer 2 technologies such as the IETF’s Transparent Interconnection of Lots of Links or TRILL enable this trend. The idea behind TRILL is to replace spanning tree as a mechanism to find loop free trees within Layer 2 broadcast domains. Using a routing protocol to build forwarding trees within a Layer 2 broadcast domain enables the flexibility and efficiency to route Layer 2 traffic, just like one would Layer 3 traffic, without the overhead associated with Layer 3 packet processing. TRILL will offer important features, such as support for both broadcast and multicast, load splitting along multiple paths, support for multiple points of attachment, and no tangible delay in service after attachment.</p>
<p>In the data center, bottlenecks are moving from the CPU and memory access to the I/O of the servers. Today’s multi-core servers are now able to sustain a great amount of traffic, requiring fast, flat networks, especially now that virtualization is widely deployed. Analysts have predicted that the 10G market will double year-to-year in 2010 and 2011. More servers using 10G increases the requirement for 40G and 100G in upstream networks. With 10G widely available and 40G coming online, Ethernet networks can enable data and storage traffic to use a single wire, using FCoE or iSCSI for example, and provide the raw speed that allows Ethernet, with its economies of scale, to supplant InfiniBand for HPC requirements.</p>
<p>The reason Ethernet will be the network fabric for high-end data center networks is that the vendor community continues to innovate and build upon this protocol.   Ethernet innovations are many and are beyond bandwidth increases from 10Mbs, 100Mbs, 1Gbs, 10Gbs, 40Gbs and 100Gbs, which are obvious.  Link aggregation, multi-pathing and so much more propel Ethernet’s relevance and suitability to new challenging networking requirements. </p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/07/lippis-report-153-why-ethernet-will-be-the-dominant-two-tier-high-end-data-center-network-fabric/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Lippis Report 152: How Microsoft Killed The Unified Communications Interoperability Forum Before It Started</title>
		<link>http://lippisreport.com/2010/07/lippis-report-152-how-microsoft-killed-the-unified-communications-interoperability-forum-before-it-started/</link>
		<comments>http://lippisreport.com/2010/07/lippis-report-152-how-microsoft-killed-the-unified-communications-interoperability-forum-before-it-started/#comments</comments>
		<pubDate>Wed, 14 Jul 2010 00:02:16 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[Avaya]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[HP]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[LifeSize]]></category>
		<category><![CDATA[microsoft]]></category>
		<category><![CDATA[Mitel]]></category>
		<category><![CDATA[NEC]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[polycom]]></category>
		<category><![CDATA[ShoreTel]]></category>
		<category><![CDATA[Unified Communication]]></category>
		<category><![CDATA[video collaboration]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=3247</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>In the Lippis Report Research Note 150, we discussed the new industry group called Unified Communications Interoperability Forum or UNIF and compared it to other industry consortium charted to deliver interoperable solutions.  While interoperability is sorely needed in the UC…</p>]]></description>
			<content:encoded><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>In the Lippis Report Research Note 150, we discussed the new industry group called Unified Communications Interoperability Forum or UCIF and compared it to other industry consortia chartered to deliver interoperable solutions. While interoperability is sorely needed in the UC industry, it looks like Microsoft killed its chances of broad industry success before it started. What I hear from both UCIF members and non-members is that UCIF is controlled by Microsoft, and thus, lacks a large cross section of industry players as well as major UC providers. With its current structure, UCIF will make limited headway on its charter. In this Lippis Report Research Note, we review UCIF and its opportunities.<br />
<span id="more-3247"></span></p>
<p>There is no doubt that the unified communications and collaboration industry needs interoperable solutions. Video traffic, in particular, is growing exponentially, which will not abate anytime soon. Driving growth is the new mobile video market with devices being equipped with real time video applications from companies such as Apple with its iPhone 4.0 FaceTime feature and Cisco’s Cius tablet. There is a real-time mobile video chat for Android too via the Movicha client application. In addition, every major UC supplier will launch a tablet based, end user device this year with tight links into its UC and video collaboration infrastructure. In short, the next generation office phone is a tablet. The combination of consumer and business mobile video device options will drive demand for interoperability, not only between mobile end points, but into corporate video conferencing systems too.</p>
<p>There needs to be a base line of interoperability standards for presence and call management also. Yes, SIP or Session Initiation Protocol does provide a base line, but many have built proprietary extensions, minimizing interoperability options.</p>
<p>Now is a great time for an industry wide consortium of suppliers, service providers, IT executives and analysts to contribute to a set of interoperability standards with associated certification testing. Before UCIF was established, Microsoft drove the initiative with limited to no input or invitation from its competitors. This approach has alienated nearly every major UC supplier from participating in UCIF, and therefore, don’t expect to see Cisco, Avaya, ShoreTel, Mitel, NEC et al contribute. From this point of view, Microsoft killed UCIF before it even started.</p>
<p>But UCIF can make a contribution, especially in the area of real time video collaboration between mobile, desktop and video conferencing system end points. For example, Microsoft could open up its Real Time Video (RTV) and Real Time Audio (RTA) codec protocols so that mixed vendor video endpoints can communicate with Office Communicator endpoints natively. With LifeSize, Polycom, HP and Microsoft being the UCIF founding members, their contribution to video collaboration interoperability could have a large impact on the real time video conferencing market.</p>
<p>For example, I use a LifeSize Express 220 video conferencing system, and as a standalone device that connects to other video conferencing systems via IP, H.323 or SIP, it’s magnificent. It would be great to connect with clients that have video enabled their desktop and mobile endpoints too. The larger the universe of potential video endpoints that one can connect to, the greater the value a real time video system provides. This would be a great charter for UCIF, which is to contribute open standards and certification testing that enable mobile, desktop and corporate video conferencing systems to interoperate.</p>
<p>However, for UCIF to deliver on its charter, it would have to dissolve and restart with Cisco, Avaya, Mitel, ShoreTel, and a larger role for Siemens, plus service providers, analysts and IT executives all being stakeholders. You cannot have a closed group defining open standards. It just does not work that way.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/07/lippis-report-152-how-microsoft-killed-the-unified-communications-interoperability-forum-before-it-started/feed/</wfw:commentRss>
		<slash:comments>11</slash:comments>
		</item>
		<item>
		<title>Lippis Report 151: A Two or Three Tier High-End Data Center Ethernet Fabric Architecture?</title>
		<link>http://lippisreport.com/2010/06/lippis-report-151-a-two-or-three-tier-high-end-data-center-ethernet-fabric-architecture/</link>
		<comments>http://lippisreport.com/2010/06/lippis-report-151-a-two-or-three-tier-high-end-data-center-ethernet-fabric-architecture/#comments</comments>
		<pubDate>Thu, 01 Jul 2010 02:30:55 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[100GbE.]]></category>
		<category><![CDATA[10GbE]]></category>
		<category><![CDATA[40GbE]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Data Center]]></category>
		<category><![CDATA[Enterprise Virtualization]]></category>
		<category><![CDATA[FabricPath]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[three-tier network]]></category>
		<category><![CDATA[two-tier network]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=3209</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>It hasn’t been since the mid 1990s that the networking industry was focused on multi-protocol integration or convergence.  The industry is gearing up for a major innovation and competitive cycle fueled by the multi-billion dollar addressable market for data center…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Not since the mid 1990s has the networking industry been focused on multi-protocol integration or convergence. The industry is gearing up for a major innovation and competitive cycle fueled by the multi-billion dollar addressable market for data center network fabrics. Over the last eighteen months, every major Ethernet infrastructure provider has been talking about two and three tier network fabrics for high-end data centers. Companies such as Cisco, Arista Networks, HP/3Com, Force10, Voltaire, Extreme, Brocade, Juniper et al have announced network fabrics for data centers with five thousand and more servers with and without storage enablement. Juniper talks of a one-tier fabric through their Project Stratus work with IBM to be available some time in the future. Brocade recently introduced its Brocade One, which is a converged data center fabric. Cisco just launched its FabricPath Switching System or FSS for the Nexus 7000 that enables massive scale of a two-tier fabric. In this Lippis Report Research Note, we review the architectural attributes of two and three tier network fabrics and review FSS and its accompanying F-Series 10GbE module.</p>
<p><span id="more-3209"></span></p>
<p>The IT industry is at an inflection point as service delivery is becoming more and more centralized thanks to data center consolidation, virtualization, cloud and mobile computing.  It is estimated that a third of all IT spend is concentrated in the data center and this trend is only building thanks to favorable economics, motivating IT business leaders to centralize IT delivery.  </p>
<p>The impact of this trend is more and more dense data centers made up of servers in the thousands to tens of thousands and higher. It is at the scale of 5,000 plus servers that a new network fabric is required for high-end data centers. High-end data center design is challenged with increasing complexity, the need for greater workload mobility and reduced energy consumption. Traffic patterns have also shifted significantly, from primarily client-server flows, commonly referred to as north-to-south, to a combination of client-server and server-server flows, or east-to-west plus north-to-south streams. These shifts have wreaked havoc on application response time and end user experience, since the network is not designed for these Brownian motion type flows.</p>
<p>The main requirements for a high-end data center network fabric are low latency, large flat layer 2 domains to enable workload mobility, low power consumption, simplicity of design and significant bandwidth. Storage enablement, meaning consolidated I/O or virtualized I/O, is a growing priority, and a new fabric that can support Fiber Channel over Ethernet, iSCSI over Ethernet, iWARP over Ethernet or Infiniband over Ethernet is a major plus. One salient observation is that Ethernet is clearly the network fabric of choice, as it is the only network protocol that enjoys continual innovation such as TRILL, Data Center Bridging, link aggregation, multi-pathing, and soon, 40 Gbs and 100 Gbs speeds. With the above requirements in mind, let us review data center network design options.</p>
<p><strong>Two and Three Tier Fabrics</strong></p>
<p>A three-tier network architecture is the dominant structure in data centers today and will likely continue as the optimal design for many networks. For most network architects and administrators, this type of design provides the best balance of asset utilization, layer 3 routing for segmentation, scaling and services, plus efficient physical design for cabling and fiber runs. By three tiers, we mean access switches/Top-of-Rack (ToR) switches, or modular/End-of-Row (EoR) switches that connect to servers and IP based storage. These access switches are connected via Ethernet to aggregation switches. The aggregation switches are connected into a set of core switches or routers that forward traffic flows from servers to an intranet and internet, and between the aggregation switches. It’s common in this structure to over-subscribe bandwidth in the access tier, and to a lesser degree, in the aggregation tier, which can increase latency and reduce performance. Inherent in this structure is the placement of layer 2 versus layer 3 forwarding, that is, Virtual Local Area Networks (VLANs) versus IP routing. Also common is that VLANs are constructed within access and aggregation switches, while layer 3 capabilities in the aggregation or core switches route between them.</p>
<p>But within the high-end data center market, where the number of servers is in the thousands to tens of thousands plus and east-west bandwidth is significant, a new structure is needed. It is within these data centers that applications need a single layer 2 domain.</p>
<p><strong>Two-tiers of network fabric</strong></p>
<p>A two-tier fabric is designed with two kinds of switches: one that connects servers, and a second that connects switches, creating a non-blocking, low latency fabric. In short, there are server facing and fabric facing switches. We use the term ‘leaf’ to denote server facing or connecting switches and ‘spine’ to denote fabric facing switches, that is, switches that connect leaf switches into the fabric. Together, a leaf and spine architecture creates the fabric.</p>
<p>Many IT leaders in Global 2000 firms will have deployed both two and three tier network structures, as different deployment models are used for different applications. For these leaders, a network equipment supplier is needed that possesses product architecture flexibility, meaning an end-to-end product solution that accommodates two and three tier fabrics. This flexibility is found in products that support layer 2 and layer 3 forwarding, as well as a variety of line cards to offer design options.</p>
<p>A common network Operating System (OS) across products configured for two and three tier structures is important, as IT operations gain efficiency in managing fabrics when configuration and management are consistent. In addition, a common network OS lets IT operations absorb innovation rapidly, as new OS features are available at the same time to all fabrics. Using a common product set to build two or three tier fabrics offers value around operational efficiency, training, sparing and ease of evolution between fabric deployments. In short, the network fabric needs to be simple and general purpose versus purpose built, which a common set of products creating two or three tier fabrics offers. This type of flexibility will enable IT leaders to address the challenges of scale outlined above.</p>
<p>In addition to product flexibility, some networking suppliers take a systems approach to their fabric design, meaning that a solution is built and pre-tested before it arrives on site.  This ensures that IT does not have to perform system integration.  With the increased concentration of computing and IT dollars into data centers, it’s only obvious that data centers are long-term corporate commitments.  Therefore, it is only appropriate that the networking supplier of choice also has a proven long-term commitment to their product architecture.  </p>
<p>Perhaps the best example of this is Cisco’s Catalyst 6000 switching architecture and its two-year-old Nexus product line. The Catalyst investment protection is well documented, as it has been in operation for over a decade, during which Cisco customers have enjoyed continued innovation and value added to this platform. Competitors view its longevity as a weakness. The Nexus product line has a similar investment protection philosophy with a fifteen-year plus lifespan expectation. Common to both Catalyst and Nexus is the fact that these products are built on silicon developed at Cisco, affording investment protection from one generation of the hardware to the next.</p>
<p><strong>A Unified Fabric</strong></p>
<p>The concept of a unified fabric is to virtualize data center resources and connect them through a high bandwidth network that is very scalable, high performance and enables the convergence of multiple protocols onto a single physical network.  These IT resources are compute, storage and applications, which are connected via a network fabric.  In short, the network is the unified fabric and the network is Ethernet.</p>
<p>The industry tends to focus on storage transport over Ethernet as the main concept behind a unified fabric, with technologies such as Fiber Channel over Ethernet or FCoE, iSCSI over Ethernet, iWARP over Ethernet and even Infiniband over Ethernet. But this is a narrow view of a unified fabric, which is being expanded thanks to continual innovation of Ethernet by the vendor community and standards organizations such as the IEEE and IETF. Ethernet innovations such as FCoE, Data Center Bridging or DCB, link aggregation, Cisco&#8217;s VN-Link, FEX-Link and virtual PortChannel or vPC have enhanced Ethernet networking to support a wide range of new data center fabric design options. In addition to these protocol enhancements, the IEEE is scheduled to complete its work on defining 40Gb and 100Gb Ethernet during the summer of 2010, significantly increasing Ethernet’s ability to scale bandwidth. To demonstrate how Ethernet is evolving to be the unified fabric for high-end data centers, we explore Cisco’s new FabricPath Switching System innovation in this <a href="http://lippisreport.com/?p=3177">white paper</a>.</p>
<p>The decision to implement a two or three tier network structure comes down to scale. For high-end data centers, a two-tier structure meets the requirements of low latency, movable workloads, scale, simplicity, etc. Many Global 2000 concerns will have deployed both two and three tier network fabrics for their high-end and less dense data centers.</p>
<p>When shopping for network equipment to construct two and three tier network fabrics, look for suppliers that support both rich Layer 3 routing services and scalable Layer 2 Ethernet capabilities to ensure choice and flexibility of three tier and scalable two tier fabric implementations.  Such suppliers offer products that can be configured in multiple use cases and topologies where modules are inter-changeable, skills transferable and operations common between both fabric approaches.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/06/lippis-report-151-a-two-or-three-tier-high-end-data-center-ethernet-fabric-architecture/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Lippis Report 150: What is the Motivation Behind The Unified Communications Interoperability Forum?</title>
		<link>http://lippisreport.com/2010/06/lippis-report-150-what-is-the-motivation-behind-the-unified-communications-interoperability-forum/</link>
		<comments>http://lippisreport.com/2010/06/lippis-report-150-what-is-the-motivation-behind-the-unified-communications-interoperability-forum/#comments</comments>
		<pubDate>Tue, 15 Jun 2010 01:53:28 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[3com]]></category>
		<category><![CDATA[Avaya]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[collaboration]]></category>
		<category><![CDATA[HP]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[Juniper]]></category>
		<category><![CDATA[microsoft]]></category>
		<category><![CDATA[Mitel]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[ShoreTel]]></category>
		<category><![CDATA[Siemens]]></category>
		<category><![CDATA[Unified Communication]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=3163</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>In mid May of this year HP, Juniper Networks, Microsoft, Logitech / LifeSize and Polycom established a forum to develop a set of interoperability test methodologies and certification programs along with specifications and guidelines that enable mixed vendor Unified Communications…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>In mid May of this year HP, Juniper Networks, Microsoft, Logitech / LifeSize and Polycom established a forum to develop a set of interoperability test methodologies and certification programs along with specifications and guidelines that enable mixed vendor Unified Communications (UC) solutions to work with each other. In short, the UC Interoperability Forum or UCIF is trying to define what it means for multi-vendor UC implementations to interoperate. Since its establishment, membership has grown by thirteen vendors, but glaringly obvious is the omission of Cisco, Avaya, Mitel, ShoreTel and other major UC providers. This begs the question of motivation. Is the UCIF interested in interoperability or in changing the market landscape to gain advantage on the established leaders? In this Lippis Report Research Note we explore this question.</p>
<p><span id="more-3163"></span></p>
<p>UC interoperability is a very big deal. In fact, back in early April of this year, Zeus Kerravala, SVP of the Yankee Group, and I addressed this issue in a Lippis Report podcast titled <a href="http://www.lippisreport.com/?p=2928">What is Holding UC Back?</a>. Our answer was the lack of interoperability standards and the vendor community’s minimal interest in embracing the ones we have. The UC market has evolved in a peculiar way as it brings together traditional voice communication companies, data networking firms, computing corporations and software concerns. UC is now at the epicenter of video communications, social networking and mobile computing too. UC represents one of the largest cross sections of disparate markets, second only to the Internet. It’s here, within this cross section, that UC gains its enormous value.</p>
<p>UC offers to control real time communications and collaboration. Put another way, all real time business processes will be accessed and controlled by UC over time. Need to call a colleague? It’s via your UC client. Need to schedule a meeting? It’s via your UC calendar client. Need to video chat with a customer? It’s via your UC video client. Need to bring a group of people together for an emergency meeting? Yes, you guessed it! It is via your UC collaboration client. And common to all those UC clients are a presence-enabled directory, so you can find someone and know if they are available, and a communications management system that sets up and tears down connections over intranet, internet and mobile nets. To make UC work ubiquitously, like the public telephone network or the Internet, the vendor community needs a forum or place where it can work out interoperability standards. In addition, for this next evolution in human communications to live up to its promise, it needs motivated vendors to allow their equipment to work together.</p>
<p>Yes, UC does have key interoperability standards such as SIP or Session Initiation Protocol that offer both end-point and communications manager interoperability, but many vendors add proprietary extensions to SIP, reducing its value in multi-vendor networks. So the UCIF is to be applauded for taking the first step in creating an organization among the vendor community to usher in an era of interoperable UC. But the problem with UCIF is which companies established it. Clearly suppliers are businesses looking for sustainable competitive advantage that comes with large market share and innovative, albeit proprietary, technologies. It’s no surprise then that when UCIF is established by firms with limited UC market share, one’s mind jumps to the obvious assumption that the founding members of the UCIF are perhaps more interested in market share re-distribution than interoperability.</p>
<p>I’ve observed many industry forums and consortiums in the past that used interoperability as a convenient cause to hide a group’s true intentions.   For example, Bay Networks, 3Com and IBM established the Network Interoperability Alliance or NIA in May of 1996 to foster interoperability between Local Area Network (LAN) switch vendors.  NIA had limited success in competing with Cisco’s increasing market share gains of the enterprise router and switch market.</p>
<p>UCIF feels a lot like NIA to me. The sheer fact that its mission statement, board and legal structure were done without any of the UC market leaders’ input and participation is unfortunate, as it has alienated them. It’s also unfortunate that Polycom and LifeSize are founding UCIF partners, but Cisco/Tandberg is not involved, as this has a hint of Polycom/LifeSize fear of Cisco breaking away with the Telepresence market; UCIF seems like a way of mitigating this threat. The timing is very close, with Cisco closing the Tandberg acquisition in April and UCIF being launched in May.</p>
<p>If UCIF is not able to entice and recruit Cisco, Avaya, Mitel, ShoreTel et al in a meaningful and authoritative way, then its fate may very well be the same as NIA’s. What the industry does need is true interoperability standards so that Cisco, Avaya, Microsoft, Siemens, HP et al UC implementations are able to work with each other in the same way that multi-vendor email systems work with each other. But without full industry participation, it seems that UCIF may be doomed and not able to deliver on its promise of interoperability. For UCIF to be meaningful it needs the UC market leaders’ full participation as well as Enterprise IT architects and planners plus service providers too, for without them, UCIF is NIA.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/06/lippis-report-150-what-is-the-motivation-behind-the-unified-communications-interoperability-forum/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Lippis Report 149: High End 10GbE Data Center Switches Reviewed</title>
		<link>http://lippisreport.com/2010/05/lippis-report-149-high-end-10gbe-data-center-switches-reviewed/</link>
		<comments>http://lippisreport.com/2010/05/lippis-report-149-high-end-10gbe-data-center-switches-reviewed/#comments</comments>
		<pubDate>Mon, 31 May 2010 22:52:01 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[100 GbE]]></category>
		<category><![CDATA[10GbE]]></category>
		<category><![CDATA[3com]]></category>
		<category><![CDATA[40 GbE]]></category>
		<category><![CDATA[Arista Networks]]></category>
		<category><![CDATA[Avaya]]></category>
		<category><![CDATA[BLADE Network Technologies]]></category>
		<category><![CDATA[brocade]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Data Center]]></category>
		<category><![CDATA[Enterprise Virtualization]]></category>
		<category><![CDATA[Force10]]></category>
		<category><![CDATA[HP]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[Juniper]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[Voltaire]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=3109</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignleft size-full wp-image-171" /></a><br />
In Lippis Report 148 we reviewed the major drivers and trends that are propelling the high-end data center Ethernet switch market to well over a $1B annual run rate.  In this Lippis Report Research Note, we review the major suppliers…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignleft size-full wp-image-171" /></a><br />
In Lippis Report 148 we reviewed the major drivers and trends that are propelling the high-end data center Ethernet switch market to well over a $1B annual run rate. In this Lippis Report Research Note, we review the major suppliers of these switches. We review Cisco, Arista Networks, Force10 Networks, BLADE Network Technologies, HP/3Com/H3C, Voltaire, Avaya, Brocade, and Juniper and identify their unique positions and offerings to participants in the burgeoning market. Our focus is the high-end, high density 10GbE switches that are enabling virtualized cloud computing data centers thanks to Terabits per second of back plane switching capacity, billions of packets per second of layer 2/3 forwarding, hundreds of 10GbE port connectivity per chassis, a new two-tier architecture, microsecond level latency, low power consumption, non-stop operation and software hooks that eliminate network barriers to large scale server virtualization. The engineering in these switches should be celebrated, as they represent the state-of-the-art in computer and network design. In short, they represent the fundamental building block of a new generation of IT delivery based upon cloud computing and virtualization. This Research Note is a must read for any IT executive designing a data center.</p>
<p>After finishing this Research Note, it became evident that this market needs a set of industry-neutral 10GbE switch tests to independently verify vendor claims. We hope to make such a contribution this Fall.<br />
<span id="more-3109"></span></p>
<p><strong>Cisco Systems Nexus Family of Switches</strong></p>
<p>Cisco’s approach to data center Ethernet switching is rooted in its Data Center 3.0 strategy, which seeks to scale server virtualization while introducing a platform to enable a unified fabric or converged network and storage running on one physical Ethernet network. Cisco’s data center Ethernet switch portfolio is primarily the Nexus family of switches including the 7000, 5000, 2000 and 1000v. NX-OS is a purpose built data center operating system that runs across the entire Nexus family. NX-OS integrates a number of higher system availability functionalities such as virtual port-channel (vPC), and the capability to upgrade software without disrupting traffic. The Nexus 1000v is a softswitch that resides in a VM hypervisor. The Nexus 1000v’s main job is to eliminate network configuration barriers that exist when moving a VM from one physical machine to another. To accomplish this, the 1000v creates a port profile including VLAN, ACL, policy, security, etc. with persistence, which moves with a VM as a virtualization administrator moves a VM from one physical machine to another.</p>
<p>The Nexus 2000 family of Fabric Extenders (FEX) introduces the concept of a remote line card of the parent Nexus 5000 switches and sits at the top of the rack, connecting servers to the switch fabric. The extender concept allows the 2000 and 5000 to be managed as one switch. This configuration reduces cabling requirements and offers an economical approach to server connection, thus providing the benefits of both end-of-row and top-of-rack deployments. The Nexus 5000 Series are 10 Gb Ethernet and Unified Fabric capable switches that connect Nexus 2000s and servers directly at 100/1/10GbE/FCoE, while providing layer 2 forwarding. Providing layer 3 forwarding and dense 1/10GbE connectivity is the Nexus 7000 Series. The Nexus 7000 Series is available in 10 and 18 slot chassis and is Cisco’s flagship data center Ethernet switch series. As a point of reference, the Nexus 7000 is now on an annualized run rate of $1B for Cisco, which is more than 10 times greater than any other switch supplier in the data center switch market. The high end 7000 connects 512 10GbE ports with 128 line-rate 10 Gigabit Ethernet ports. The Nexus 7000 Series switches can be segmented into virtual devices, delivering true segmentation of network traffic, context-level fault isolation, and management through the creation of independent hardware and software partitions. Overlay Transport Virtualization (OTV) provides customers a simplified DCI solution by extending layer 2 VLANs over existing IP networks. We profiled the Nexus 7000 when it was first released; that profile is available <a href="http://lippisreport.com/2008/02/lippis-report-issue-99-cisco-and-juniper-launch-new-switching-platforms-one-is-innovative-one-is-not/">here</a>. The Nexus switches can create a two-tier architecture with the 2000/5000, providing server connectivity and layer 2 forwarding between servers. The Nexus 7000 connects the 2000/5000 to each other and the internet/intranet with high density, high reliability layer 2/3 forwarding.</p>
<p><strong>Arista Networks 7500 Family of Modular Switches</strong></p>
<p>Arista Networks is a newcomer to the data center Ethernet market, but its management team is seasoned and its customer base is growing.  It provides six fixed 10GbE switches, five 1/10GbE 7100 models and the 1GbE 7048, along with the new Best of Interop award-winning 7500 modular switch. The 7100/7048 switches connect servers in a Top-of-Rack configuration, while the 7500 aggregates these switches and connects them to the internet and intranet.  This is a two-tier, “leaf-spine” architecture.  The 7500 boasts ultra high performance layer 2/3 1/10 Gb Ethernet switching for high performance computing and cloud computing data centers.  The 7500 supports 384 10GbE ports, 5.7Bpps at layer 2 or 3, packet buffers 18GB deep, ultra low port-to-port latency of 4.5 microseconds and a 10 Terabit lossless switch fabric connecting modules.</p>
<p>The 7500 is 10GbE port dense, compact, cloud spec fast, green and prepared for 40 and 100GbE, with a price tag 50% below competitive offerings, according to Arista.  While the 7500’s hardware architecture is impressive, its operating system, EOS (Extensible Operating System), offers another set of unique features. For example, all Arista switches run the same binary image of EOS, easing administration while hastening switch feature upgrades.  EOS is a modular OS that allows partners to run their software in the Arista switch, consolidating the number of management and network appliances required, thus increasing performance while reducing energy consumption and physical space.  Arista’s EOS modularity was designed as a unique state sharing architecture that separates switch state from protocol processing and application logic. EOS is built on top of a standard Linux kernel. All EOS processes run in their own protected memory space and exchange state through an in-memory database. This multi-process state sharing architecture provides the foundation for in-service-software updates and self-healing resiliency.  You can listen to a podcast interview with Douglas Gourlay, VP Marketing and Anshul Sadana, VP Customer &#038; Systems Engineering from Arista on the introduction of the 7500 Series of Ethernet switches <a href="http://lippisreport.com/2010/04/arista-launches-greenest-fastest-and-highest-10gbe-density-data-center-switch-under-the-milky-way/">here</a>.</p>
<p><strong>HP/3Com/H3C’s A12500 Core Data Center Switches<br />
</strong><br />
HP has spent 25 years building and selling networking products to its worldwide client base and is currently #2 in the market, with a 21% port count share, and is the fastest growing networking company in the industry.  The combined HP/3COM acquisition brings core switching products, the #1 market share position in China, TippingPoint Intrusion Prevention System and ProCurve edge switches, representing a new choice for clients who are frustrated by today’s offerings.  HP will combine these two entities and operate under the banner of “HP Networking.”</p>
<p>The HP Converged Infrastructure Architecture and FlexFabric blueprint approach the modern data center with a vision that places networking at the center of an integrated data center solution and accelerates deployment of enterprise services and applications. It is designed to drive simplicity through streamlined network designs and centralized management, enhance agility with high performance security, and accelerated provisioning, and reduce cost with energy efficiency and low total cost of ownership. Central to HP FlexFabric is policy-driven network provisioning tightly integrated with server and storage management in an end-to-end data center converged infrastructure.  </p>
<p>HP data center solutions are purpose built, using the latest advanced systems and ASIC technologies. “A” family data center networking platforms leverage a common operating system, Comware™ and are managed with a single-pane manager, Intelligent Management Center (IMC).  HP switches make use of an HP-developed technology &#8211; Intelligent Resilient Framework (IRF) &#8211; to create a resilient virtual switching fabric. IRF delivers geographic independence, distributed high-availability, resiliency and millisecond re-convergence across layer 2 and layer 3 protocols. These innovations allow customers to build a simplified, high performing, highly resilient and flat (two-tier) data center network design. They overcome the limitations of low performance/scale, high cost/latency inherent in legacy solutions, which rely on multi-tier network designs, disjointed platform operating systems and complex resiliency protocols.</p>
<p>A key enabler of this transformational design flexibility is the HP next-generation data center switching architecture.  This starts with the flagship HP A12500 core data center switch, which is based on a 100G design that uses a multi-level, multi-plane, non-blocking switching architecture to provide high performance and scalability.  The A12500 supports 6.66 Tbps of high-performance switching capacity (future support for 13.32 Tbps) and scales to 2.2 billion packets per second of forwarding performance.  The A12518 supports 512 10 Gigabit Ethernet or 864 Gigabit Ethernet ports in a single chassis.  Its future-proof design accommodates 40/100 Gigabit Ethernet and emerging unified network requirements such as end-to-end FCoE/Data Center Ethernet.</p>
<p><strong>Force10 Networks ExaScale E Series</strong></p>
<p>Force10 Networks was one of the first companies, if not the first, to offer 1 and 10Gb switching solutions for high-performance computing and data center markets in Fortune 100 companies, Internet portals, global carriers, leading research laboratories and government organizations.  It offers a wide range of Ethernet switching and routing products that deliver high port density and resiliency to help customers deploy a high-availability, agile and standards-based GbE and 10 GbE network fabric, while reducing power and cooling costs. Its Ethernet switching products are designed to leverage virtualized data center environments and automate Ethernet networking.  For example, its VirtualScale enables management of virtual chassis.  Its VirtualControl enables virtualizing logical switching and routing boundaries.  For automation, Force10 has developed an architecture that automates network resource allocation as applications and services spin up and down.  This architecture is built upon its HyperLink and SwitchLink technology, two new software features implemented within its Force10 Operating System (FTOS).  HyperLink provides real-time communication between Force10 switches and hypervisors or virtual switches to enable automatic provisioning of one or many virtual LANs (VLANs) across multiple switches simultaneously. The SwitchLink feature provides real-time communication with middleware orchestration tools to enable automatic provisioning and management of virtual devices anywhere in the network.</p>
<p>Force10’s modular Ethernet switch data center product portfolio includes the ExaScale E-Series, optimized for core deployments in large-scale, high-performance 10GbE data centers, and the C-Series, optimized for mid-range data centers.  Both the E-Series and C-Series come in multiple form factors, run FTOS and are dense high performance switching platforms equipped with redundancy, availability, fault-tolerant operations and many line card options.  In addition, Force10 offers the fixed configuration S-Series product line for GbE and 10 GbE ToR configurations. Force10 promotes a vision of simplified data center topologies, using integrated switching and routing in the core, with chassis based E-Series or C-Series products and fixed configuration ToR access products allowing both one-tier and two-tier designs.  One tier can be achieved with a high density E-Series platform for server aggregation, switching at the server edge, and routing off the same platform to the Internet / WAN.  The two-tier architecture can be achieved by leveraging ToR switching for server aggregation along with Force10’s chassis based systems in the core.  In addition to Force10’s large direct sales force, IBM OEMs Force10’s ExaScale platform as part of IBM’s iDataPlex clustering solution. You can listen to a podcast interview with Steve Garrison, VP Marketing of Force10 on their 40 GbE offering <a href="http://lippisreport.com/2010/05/force10-is-first-to-offer-40-giga-bit-ethernet-for-the-data-center/">here</a>.</p>
<p><strong>BLADE Network Technologies RackSwitch Family of Ethernet Switches<br />
</strong><br />
BLADE Network Technologies (BNT) has been working in the data center switch market since 2006 with much success, providing 1/10Gb Ethernet switches for blade servers and top-of-rack configurations.  BLADE was launched from Nortel and is made up of the successful Alteon Networks group.  Its success stems from its ability to identify the top-of-rack and blade switch market in ’06, along with an OEM go-to-market strategy that included all of the top tier blade server providers such as HP, IBM and NEC.  The result is that BLADE has shipped over 8m ports, achieved 25% growth from 2008 to 2009 (in a down economy), owns 50+% of the blade switch market, is number 3 in the Fixed 10GbE market according to Dell’Oro Group, and has demonstrated scale with at least one customer installing over 16,000 of its switches.</p>
<p>BLADE offers the RackSwitch family of Ethernet switches, which are 1U high ToR switches.  They include the 24-port 360ns latency RackSwitch G8100 10GbE, the 48-port RackSwitch G8000 1/10 GbE aggregation switch and the 24-port 700ns latency RackSwitch G8124 10GbE.  Over a year ago, BLADE released its virtualization software called VMready, which automates network settings for VM movement, ensuring that network settings migrate when a VM is moved from one physical server to another.  VMready scales to a 1000 virtual port switch, is based on standards and works with most popular hypervisors.</p>
<p>In addition to VMready, the RackSwitch family’s distinguishing attribute is that it was designed for the data center rather than being a wiring closet switch re-formatted for the data center.  For example, the RackSwitch BLADEOS supports CEE for unified fabrics, uplink failure detection, virtualization, dual homing for servers, low (80-170 Watts) power consumption, back-to-front or front-to-back airflow and very low latency in the 360-700 nanosecond range.</p>
<p><strong>Voltaire’s Vantage 8500</strong></p>
<p>Voltaire has a long history in high performance computing and data center networking as one of the key leaders in the InfiniBand market.  Voltaire enjoys distribution relationships with HP and IBM, as well as Bull, Fujitsu, NEC, SGI and Oracle.  The result is 100%+ year-over-year revenue growth for Q1, as reported on May 5th.  Last October, Voltaire entered the 10 GbE market with the introduction of its Vantage 8500 Ethernet layer 2 core switch.  The Vantage 8500 boasts less than 1 microsecond of latency, a low 10 watts per port power consumption and 288 wire speed 10GbE ports in a 15U high chassis. The Vantage 8500’s unique industry contribution is that it’s based on converged enhanced Ethernet (CEE) technology, providing InfiniBand-like capabilities to the Ethernet data center.  In fact, Voltaire has ported many of InfiniBand’s key characteristics to the Vantage 8500, such as a lossless switching fabric, multi-pathing, virtualization, fabric-wide congestion management and QoS.</p>
<p>From a network design point of view, Voltaire supports a two-tier network architecture that enables a simplified, ‘flat’ data center network and puts an end to the era of the over-provisioned network.  Voltaire’s design, centered on the Vantage 8500, is to support a two-tier data center network that scales from hundreds to a few thousand core ports, which requires high capacity, non-blocking 10 Gigabit Ethernet core switches.  By clustering up to twelve Vantage 8500 switches together, IT business leaders can expand their data center to many thousands of servers while preserving efficiency and price-per-port, without the degradation in performance or latency that occurs in traditional hierarchical network designs.  To support ToR implementations, Voltaire and BLADE Network Technologies recently announced a partnership where BLADE ToR RackSwitches are aggregated by Voltaire’s Vantage 8500, rounding out the two-tier data center Ethernet network architecture.</p>
<p>The Vantage 8500 also features software-based capabilities to address virtualized and converged data center environments. Voltaire’s Unified Fabric Manager™ (UFM) software, application acceleration software and management OS (VT-OS) provide management and performance enhancement tools.  These tools were developed and optimized in InfiniBand environments and are now available for Ethernet-based data centers. Voltaire’s recently introduced Unified Fabric Manager™ (UFM™) 3.0 software orchestrates physical and virtual switches delivering guaranteed levels of service per application. It’s the first and only Ethernet fabric management software that dynamically orchestrates end-to-end virtual machine connectivity for multi-vendor, scale-out data center networks.</p>
<p><strong>Avaya’s VSP 9000</strong></p>
<p>During the April 2009 Las Vegas Interop trade show, Nortel committed to the data center Ethernet market with the announcement of its Virtual Services Platform or VSP 9000 switch, which supports up to 27 Terabits per second (Tbps) of backplane switching and 240 10GbE ports per chassis at first release. Avaya announced its commitment to the VSP 9000 and said that it will be generally available in the second half of 2010, while it is already in controlled availability.  The VSP 9000 is built upon the Ethernet Routing Switch 8600/8800 software, providing a proven software foundation, mid-plane architecture, a fully programmable network processor unit for flexible data forwarding and carrier-grade Linux.</p>
<p>The VSP 9000 is designed to deliver high-density 10GbE, 40GbE and 100GbE.  Its design center is rooted in highly dense connectivity environments that are all mission critical, by definition.  Early validation testing of the VSP 9000 promises ultra-high reliability and availability, with failover below 50ms thanks to its patented hardware failure detection, which is critical to eliminating application disruption.  The VSP 9000 switch fabrics are lossless Ethernet capable and therefore well positioned to support the next generation Data Center requirements for convergence of storage onto the Ethernet infrastructure.</p>
<p>The VSP 9000’s unique network architecture is found in its ability to cluster four switches together, so that the total architecture exceeds 100 Tbps, with the number of 10GbE ports per rack being up to 720. Avaya continues to invest in Switch Clustering technology (Active/Active resiliency model) such as SMLT (split multi-link trunking) and RSMLT (routed-SMLT), which provide link, switch and router redundancy mechanisms. Three modules are being introduced in the first VSP 9000 release: a 24-port SFP+ module for 1 GbE and 10 GbE connectivity, a 48-port SFP module and a 48-port 10/100/1000 TX module. Future plans include 40GbE and 100GbE interfaces, and even higher-capacity Switch Fabric modules.</p>
<p><strong>Juniper Networks’s EX8200 &#038; EX4500</strong></p>
<p>In January of 2008, Juniper Networks launched its much-anticipated entry into the enterprise Ethernet switch market.  Juniper&#8217;s focus is on the enterprise data center, campus and branch, as well as the service provider market.  Juniper provides a suite of Ethernet switch products, including the EX4200 with Virtual Chassis technology for GbE Top-of-Rack (ToR) and End-of-Row (EoR) data center access, the EX2500 24-port and new EX4500 48-port 10GbE ToR switches, and the EX8200 high-density, high-performance line of modular Ethernet switches.  </p>
<p>According to Juniper, it simplifies customer enterprise LAN architectures and advances the economics of networking via its most recently launched initiative called the &#8220;new network&#8221; for data centers.  Juniper’s “new network” promises critical innovations in automation, virtualization and fabric technologies.  These innovations are to reduce time to operation by up to 50 percent and eliminate up to 35 percent of data center networking capital expenditures.  One aspect of the &#8220;new network&#8221; is a simplified two-tier network architecture, which may be reduced to one when &#8220;Project Stratus&#8221; is completed with IBM.  The reduction of a three-tier architecture to two is accomplished by utilizing Juniper&#8217;s Virtual Chassis fabric technology in the access layer, in conjunction with its high-density, high-performance platforms such as EX8200 and EX4500 in the LAN core, thus eliminating the aggregation or distribution layer.  According to Juniper, collapsing the distribution layer reduces complexity in the data center as well as campus networks by reducing the number of managed devices by up to 89%, providing up to 39% savings in space, 44% savings in power and reducing the number of switch interactions by up to 99% compared to three-layer networks. According to Juniper, this approach improves application performance by also reducing latency up to 77% compared to three-layer networks. Note that these claims and numbers are Juniper&#8217;s and not mine.</p>
<p>At the core of Juniper&#8217;s data center Ethernet product family is the EX8200 line of modular switches. The EX8208 and EX8216 are eight and sixteen-slot modular switches. The EX8216 sports a maximum of 640 10GbE ports, 1.92Bpps and 6.2Tbps backplane speed.  The EX8200 is said to support 40GbE and 100GbE interfaces in the future.  The EX8200s connect either EX4200 GbE or EX2500 and EX4500 10GbE ToR switches together while providing access to the internet/intranet.  All Juniper switches run Junos, the network operating system that provides reliability and availability features, developed for the high-performance enterprise and service provider market.</p>
<p><strong>Brocade’s NetIron MLX Series of Switches</strong></p>
<p>In July of 2008, Brocade purchased Foundry Networks, catapulting it into the Ethernet switch market as one of the top five Ethernet switch/router vendors by revenue. Brocade, with its long history of data center storage, saw that converged I/O was going to happen and prepared the company to participate in this market.  At the high end of Brocade’s data center Ethernet switch products are the NetIron MLX-4, MLX-8, MLX-16 and MLX-32 routers, which support 4, 8, 16 and 32 I/O module slots, respectively.  We’ll focus on the high end NetIron MLX-32 here, which has been in production since August 2006.</p>
<p>The NetIron MLX-32 boasts a total of 7.68 Tbps of fully redundant, non-blocking switch fabric capacity.  Brocade says that the MLX-32 can forward some 2.284 Bpps of Layer 2/3 packets and support 1,536 and 256 non-blocking 1 GbE and 10 GbE ports, respectively.  Note that the new high density 10 GbE was announced the same day as this Research Note was made public.  All four NetIron MLX systems are designed for non-stop operation, supporting 1:1 management module redundancy, N+1 switch module redundancy, M+N power module redundancy and N+1 fan redundancy.  The NetIron MLX architecture is an adaptive self-routing Clos switch fabric with a virtual output queue (VOQ) design. This non-blocking architecture is optimized for maximum throughput and low latency for all packet sizes.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/05/lippis-report-149-high-end-10gbe-data-center-switches-reviewed/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Lippis Report 148: What&#8217;s Driving The Multi Billion Dollar Data Center Ethernet Market</title>
		<link>http://lippisreport.com/2010/05/lippis-report-148-whats-driving-the-multi-billion-dollar-data-center-ethernet-market/</link>
		<comments>http://lippisreport.com/2010/05/lippis-report-148-whats-driving-the-multi-billion-dollar-data-center-ethernet-market/#comments</comments>
		<pubDate>Mon, 17 May 2010 22:43:39 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[3com]]></category>
		<category><![CDATA[Arista Networks]]></category>
		<category><![CDATA[Avaya]]></category>
		<category><![CDATA[BLADE Network Technologies]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Force10]]></category>
		<category><![CDATA[HP]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[Juniper]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[Voltaire]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=3058</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>During last week’s Cisco Q3 FY10 quarterly financial conference call, John Chambers, Cisco’s CEO, said something that impressed and shocked me. The company has been quiet about the growth rates for its Nexus line of data center switches until this…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>During last week’s Cisco Q3 FY10 quarterly financial conference call, John Chambers, Cisco’s CEO, said something that impressed and shocked me. The company has been quiet about the growth rates for its Nexus line of data center switches until this call.  What shocked me was that the Nexus 7000 is now on an annualized run rate of $1B, yes that’s Billion with a B!  I remember being <a href="http://www.nytimes.com/glogin?URI=http://www.nytimes.com/2008/01/28/technology/28cisco.html&#038;OQ=_rQ3D1&#038;OP=2d72b86dQ2FBqQ5DQ7EBVasQ3Dnaa,Q7BBQ7BllwBlQ5EBQ7BwB,Q5DsCFaxaYQ2BBQ7BwsTQ3Dsa-C,ux">interviewed</a> by John Markoff of the NY Times in Jan ’08 about Cisco’s Nexus and Juniper’s yet to be announced Ethernet switches.  In just 27 short months, the Nexus product line, including the 7000, 5000 and 2000, has come to represent a $1.4 B run rate of revenue to Cisco.  Another insight gained from this ramp up is that the data center networking trends that we&#8217;ve discussed here in various Lippis Report Research Notes are powerful demand drivers for Cisco and other companies participating in this lucrative emerging market, and it&#8217;s just starting!  Companies such as Arista Networks, Force10 Networks, Blade Network Technologies, HP/3Com/H3C, Voltaire, Avaya, Brocade, Juniper, et al., have unique positions and offerings in this burgeoning market. In this Lippis Report Research Note, we review the mega trends driving high market growth.  We save a product review of each of the suppliers for our next Lippis Report Research Note.</p>
<p>In addition to the run rate numbers above, Cisco also posted a milestone of 1 million 10 GbE ports shipped, providing a strong indicator that the 10GbE market is nearing a tipping point to high volume, as pricing drops and its use accelerates.  The following are mega trends driving this tremendous market growth.  Traffic demand drives bandwidth and that’s the first mega trend.</p>
<p><strong>Traffic Profile Changes:</strong>  Gone are the days when data center networks primarily shuffled asymmetric email messages and low bandwidth client-server computing applications between endpoints and servers.  Best effort data delivery, where latency was secondary to delivering data accurately, has given way to designs in which latency is a paramount element and 10 milliseconds means the difference between losing a customer and capturing revenue.  Traffic is now highly mixed, moving around a data center in near Brownian motion between servers, storage, internet and intranet thanks to a plethora of old and new applications such as mash-ups, VoIP, search, backups, storage access, emerging converged I/O, etc.  In addition to Brownian motion traffic flows and low latency requirements, the volume of traffic continues to skyrocket and shows no sign of abating.  Remember when the Dow dropped by 1000 points in early May of this year?  Financial services firms saw an average of 40 times the amount of traffic in their data centers as traders responded to the drop.  There is no better driver for traffic volume than financial markets in turmoil.  Oversubscribing data center bandwidth by as much as 80:1 is the traditional norm, and IT business leaders are looking for a more efficient model.</p>
<p><strong>Workload Mobility:</strong>  With the advent of server virtualization, IT leaders are able to decouple an operating system from its underlying server hardware and increase the number of operating system instances that can run on a single server.  Server virtualization reduced the number of physical servers needed and in the process reduced energy and cooling requirements.  Now that an operating system only needs to know which hypervisor it’s running on, that operating system instance and the applications it services can be moved from one physical server to another in near real-time with the click of a mouse, thus providing workload mobility or portability as well as a rapid application procurement tool.</p>
<p>So what does all of this have to do with networking?  A lot.  First, moving these workloads around a data center consumes huge bandwidth and has low latency requirements, driving raw bandwidth requirements.  Second, and most important to the industry, networking, or should I say the rigid structure of IP addressing, VLANs, etc., is impeding the automation of these workload moves.  In short, the data center network needs to be reconfigured when VMs are moved from one physical server to the next in the same data center, and it simply does not work if a VM is moved between data centers separated over distance, between a data center and a cloud provider, or between cloud providers.  This is the area of the infrastructure 2.0 working group.</p>
<p>Doug Gourlay said it best in his recent <a href="http://www.networkworld.com/community/node/60993#comment-247601">Network World</a> post.</p>
<p>“When moving VMs between machines there is a caveat:  if you want your TCP connections and IP addressing to stay intact the receiving physical host must be capable of supporting the same IP address that the VM moving to it is actively using.  This means that both physical hosts have to be in the same subnet or in the same VLAN depending which layer of the network you are looking at.  Since the largest number of physical servers that can be supported doing this is around 64 it doesn&#8217;t change the addressing architecture too much, unless the servers are in different data centers, or are connected to different access layer switches that talk to different aggregation layer switches.  If this is the case the network architecture all of a sudden starts dramatically impeding the movement of VMs:  either VM mobility is impeded, or the network is redesigned. </p>
<p>Some people often ask me, &#8220;can&#8217;t I do this with DNS?&#8221;  In short, no.  DNS is cached at many client sites, ignoring your TTL.  Additionally, DNS is cached on many PCs for the life of an application session.  If you try to change the IP address of your backup server while you are in the middle of a 2GB backup do not expect the connection to continue.  TCP doesn&#8217;t work this way.”</p>
<p><strong>Increased Density:</strong>  It’s no secret that data centers are bursting at the seams, as the economic downturn kicked large IT capital outlays down the road until economic conditions improved.  Business leaders have been postponing increases in data center space, that is square footage, while power density has grown exponentially, until very recently, as cooling requirements increase unabated.  Power and cooling capacity are the primary constraints to data center expansion.  To deal with these realities, IT business leaders are left with only one option: appropriate capital to either upgrade power and cooling systems or build a new data center.  The impact of high energy densities is that server hardware is no longer the primary cost component of a data center.  The purchase price of a new (1U) server is now exceeded by the capital cost of power and cooling infrastructure to support that server and will soon be exceeded by the lifetime energy costs alone for that server.  In short, energy costs are on their way to dominating data center economics.</p>
<p>To help mitigate these trends, the new data center switches offer increased server connection density at lower energy consumption levels.  In addition, their own energy consumption to shuffle packets around has been reduced, for some by as much as 50%.  To connect an every increasing dense set of servers, new generation of data center switches boast a two tier network architecture to support thousands to tens of thousands to hundreds of thousands of servers.  To deal with high server density connectivity, server access is via a leaf switch, while leaf switches and storage connect to a modular spine switch.  The two-tier approach offers efficient connectivity density, low latency albeit this depends highly upon the internal switch design, and is ready to support consolidated I/O.</p>
<p>Consolidated I/O, while early in its adoption cycle, will go a long way in reducing power consumption of servers, as they will have a single network interface for both storage and networking.  In addition, consolidated I/O promises to reduce the need for a separate storage switch too, again reducing capital, energy and cooling costs.  </p>
<p>Back to server density.  Server density will only get, well, more dense.  If the industry trajectory of cloud computing is realized anywhere near what the conventional wisdom dictates, then there will be more and more highly dense cloud computing sites supporting an ever-increasing number of enterprise, government and consumer applications.  How many cloud computing sites does the US need to support all IT applications?  With nearly 16 million servers installed nationwide, according to IDC, and with each cloud computing site supporting hundreds of thousands of servers, then perhaps the number of cloud computing sites would be in the hundreds.  While it’s unrealistic that all US enterprises and governments will be hollowed out of their data centers and applications via cloud computing with today’s technology and business control beliefs, the trend line is clear: there will be a smaller number of very large cloud providers delivering applications to a wide range of customers.  Almost like a supernova transforms into a black hole, applications will not be able to escape the gravitational pull of the scale and economics of cloud computing if the industry gets anywhere near this size scale.</p>
<p>The networking industry has been busy adapting to these powerful trends with new internal switching architectures, data center network architecture and automation.  Internal switching architectures are being designed with high internal switching capacity in the terabit range, lower energy consumption in the 10W/port range, low latency and of course high port density.  The data center network architecture most are progressing toward is the two-tier leaf-spine approach mentioned above.  These switches possess the highest levels of reliability, serviceability and redundancy, as networking is at the center of this massive server connectivity density.  </p>
<p>Network automation is another area of investment where VMs can be moved within and between data centers, as well as between data centers and cloud providers, plus between cloud providers.  A few companies are addressing network automation, but this is a huge issue  that the industry needs to wrap its arms around and provide a scalable solution.</p>
<p>In the next Lippis Report Research note, we’ll review Cisco, Arista Networks, Force10 Networks, Blade Network Technologies, HP/3Com/H3C, Voltaire, Avaya, Brocade, Juniper, et al., and highlight their unique positions and offerings to participants in the burgeoning market.  </p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/05/lippis-report-148-whats-driving-the-multi-billion-dollar-data-center-ethernet-market/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Lippis Report 147: What I Learned At Interop</title>
		<link>http://lippisreport.com/2010/05/lippis-report-147-what-i-learned-at-interop/</link>
		<comments>http://lippisreport.com/2010/05/lippis-report-147-what-i-learned-at-interop/#comments</comments>
		<pubDate>Tue, 04 May 2010 02:49:40 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[Arista Networks]]></category>
		<category><![CDATA[Avaya]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Force10]]></category>
		<category><![CDATA[interop]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[Siemens]]></category>
		<category><![CDATA[UC]]></category>
		<category><![CDATA[video communications]]></category>
		<category><![CDATA[Voltaire]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=3014</guid>
		<description><![CDATA[<p><a rel="attachment wp-att-171" href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/"><img class="alignright size-full wp-image-171" title="nicklippis.jpg" src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" width="97" height="122" /></a>This past Interop in Las Vegas was one of the best I have attended, since even before the economy took a nose dive in 2008.  The tone and level of excitement of the industry’s growth potential was refreshingly upbeat…</p>]]></description>
			<content:encoded><![CDATA[<div class="lippis_social_buttons">
</div>
<p><a rel="attachment wp-att-171" href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/"><img class="alignright size-full wp-image-171" title="nicklippis.jpg" src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" width="97" height="122" /></a>This past Interop in Las Vegas was one of the best I have attended, since even before the economy took a nose dive in 2008.  The tone and level of excitement of the industry’s growth potential was refreshingly upbeat from the hundreds of IT and vendor executives I talked with.  While the size of Interop is a small fraction of what it was in the late 1990s (70k attendees with over 600 exhibitors to ~ 15K attendees with ~ 200 exhibitors), it still provides a pulse of the networking industry.  In fact, Interop has come full circle, back to being a networking event even though it has added other topics.  You have to give Dan Lynch credit for creating such a long-lasting venue for our industry.  Congratulations to Cisco, Arista Networks, HP/3Com and Mellanox for winning best of show in their respective categories and to Arista for winning Best of Interop.  In this Lippis Report Research Note I provide the key industry themes that were evident at Interop this year.</p>
<p><span id="more-3014"></span></p>
<p>The following are my observations of Interop 2010 in LV.</p>
<p><strong>Network Infrastructure Takes Center Stage:</strong> Even though Interop provided attendees with thirteen educational content areas including cloud computing, IT security, Enterprise 2.0, etc., it’s the changes taking place in the network infrastructure business that were front and center, loud and clear.  The following were the topics of conversation throughout Interop:</p>
<p>•	Cisco’s introduction of its Best of Show winning Aironet 3500 Series Access Point with CleanAir technology,<br />
•	Arista Networks’ introduction of and winning Best of Show and Best of Interop for its Arista 7500 10Gb modular Ethernet cloud computing switch,<br />
•	HP’s closing of its acquisition of 3Com and winning Best of Show for its TippingPoint Virtual Controller,<br />
•	HP’s planned acquisition of Palm,<br />
•	Avaya’s reassertion in the network business with the introduction of its Ethernet Routing Switch 8800, WLAN 8100 and Advanced Gateway 2330,<br />
•	Voltaire’s new Vantage™ 8500, 10 GbE Layer 2 core Ethernet switch,<br />
•	Force10’s open network automation demonstrations and 40GbE module</p>
<p>With the above announcements and accomplishments, two thoughts come to mind.  First is that Interop is finally back to core networking issues, and second, the above announcements provide a window into the huge changes that are taking place in our industry.</p>
<p><strong>New Industry Structure Emerges:</strong> The networking industry has been consolidating for some time now and will only continue.  Corporations have some $2T in cash and equivalents on their books, which will be put to work acquiring companies and investing in growth markets.  The big growth market in our industry is the fundamental change IT is starting to progress through.  HP’s actions last week provided a preview of what’s to come.</p>
<p>HP stole the headlines last week with the shorter-than-expected closing of its 3Com acquisition, in addition to its intent to purchase Palm.  HP realizes that the IT industry is structurally changing away from fixed desktop computing accessing corporate applications hosted in data centers, to mobile computing accessing applications hosted in corporate data centers and cloud computing facilities.  The big winner in this transition is networking, as without it, cloud and mobile computing will not happen.  Palm gives HP a smartphone platform to participate in the mobile computing market while 3Com expands its corporate networking portfolio significantly.</p>
<p><strong>HP vs Cisco:</strong> The buzz at Interop around HP was how it will compete with Cisco.  The HP executives and booth personnel were the most energized I have ever seen.   HP views its competitive advantage along the lines of innovation, open network architecture and economics.  Thinking it through, however, HP’s focus will be more on supply chain efficiencies to drive down its cost of producing networking gear close to server economics while leveraging its massive and productive channel to gain market share.</p>
<p>The supply chain efficiency is a great idea, but will take at least a year if not more to deliver.  The thinking here is that a 40 Watt power supply is the same, independent of its final designation, as long as it powers a server, router, etc.   So can HP redesign its product lines for common components where it gains huge cost efficiency thanks to volume purchasing?  Perhaps, but this will take time.  Its channel strength should deliver results in the short term.  If HP executives are correct that the market wants a strong number two networking provider, then its channel should produce fairly quickly.  If it doesn’t, then this premise is questionable.  HP networking is about $5B now; if it doesn’t grow faster than the industry by a significant amount next year, then something is wrong.</p>
<p>Remember, HP is competing with a $40B powerhouse that is Cisco Systems, which has a massive and productive channel too that is energized to sell not only networking gear, but also unified communications, Cisco’s new server platform UCS and video equipment.  As for innovation, HP is a great operational company; therefore, expect them to take cost out of their products. Nevertheless, Cisco is the innovation king, thanks to its systemic incorporation of innovation in product development, plus its ability to integrate acquisitions quickly and materially.  Cisco does not only innovate in its products, but around them, offering architected solutions.  Examples of this are everywhere, including its borderless network architecture, EnergyWise, UCS, the new 3000 series stackables, Power over Ethernet Plus, its ISR G2, the Nexus line of data center switches, its approach to integrated network security, etc.</p>
<p>Here&#8217;s an example of the power of innovation.  A client and Lippis Report subscriber has funded a new $20M data center.  During their due diligence, they visited Dell, HP, IBM and Cisco.  This CIO will go with Cisco’s UCS.  The reason is that during the customer visit, Cisco first described the major direction and trends in data center virtualization and cloud computing in such a way that my client said “Cisco looked into the future and designed UCS to exploit these changes while all the other vendors were selling their old blade systems”.  Now this is significant, as this CIO only purchased equipment from market share leaders, that is, he would buy from HP for servers, Dell for desktop systems, Cisco for networking, Avaya for communications, etc.  Cisco’s innovation in UCS changed his long-standing principle of buying only from market share leaders, and he will buy UCS for this new data center.  So the basis of competition between Cisco and HP will fall into three categories: innovation, supply chain management and channel productivity.</p>
<p><strong>A Mobile and Cloud Computing IT Model Is Disrupting The Status Quo</strong></p>
<p>The Interop announcements above were aligned with this new world order of IT.  For example, Arista Networks delivers a massively powerful 10GE switch for cloud spec data centers and high performance data center environments.  Clearly investment in cloud infrastructure is a growth market which motivated Voltaire to enter the Ethernet market and leverage its Infiniband experience to deliver converged I/O for both Infiniband and Fiber Channel Over Ethernet (FCoE).  As computing is in a rapid technology innovation stage thanks to server virtualization, networking has lagged in its ability to automate network changes brought on by VM moves.  This has motivated Force10, F5 and Infoblox to demonstrate innovative approaches to automating network changes so that network administrators do not have to be involved in the process of VM moves and/or the provisioning of new IT services as demand is increased and/or decreased.</p>
<p>It’s clear that HP networking products have gained awareness and will receive consideration.  As HP opens the consideration door, Avaya wishes to enter too with its refreshed and new data networking products.  Avaya is now led by experienced IP networking executives that understand voice and data.  The Nortel channel also understands voice and data.  Ever since Avaya closed its acquisition of Nortel, those channel partners that put selling Nortel gear on hold have started to come back.  They are comfortable now as stability, R&amp;D funding and a strong financially viable company has emerged.</p>
<p>The networking industry is an upside down pyramid with Cisco at the top followed by a few others in the billion-dollar range.  Then there are a number of $100M sized firms followed by a few start-ups.  The successful firms will be the ones that embrace the new world order of IT that is being brought on as IT leaders de-emphasize desktop computing and invest in mobile plus cloud computing.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/05/lippis-report-147-what-i-learned-at-interop/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Lippis Report 146: Industry Wide Interoperability Testing Needed For Unified Communications Market To Grow</title>
		<link>http://lippisreport.com/2010/04/lippis-report-146-industry-wide-interoperability-testing-needed-for-unified-communications-market-if-it%e2%80%99s-to-grow/</link>
		<comments>http://lippisreport.com/2010/04/lippis-report-146-industry-wide-interoperability-testing-needed-for-unified-communications-market-if-it%e2%80%99s-to-grow/#comments</comments>
		<pubDate>Mon, 19 Apr 2010 23:53:04 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[Avaya]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[interop]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[Siemens]]></category>
		<category><![CDATA[UC]]></category>
		<category><![CDATA[video communications]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=2954</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>During a podcast with Zeus Kerravala of the Yankee Group, we came to the conclusion that the unified communications market is in a funk and the only way out is for suppliers to adhere to industry standards that allow interoperability.…</p>]]></description>
			<content:encoded><![CDATA[<div class="lippis_social_buttons">
</div>
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>During a podcast with Zeus Kerravala of the Yankee Group, we came to the conclusion that the unified communications market is in a funk and the only way out is for suppliers to adhere to industry standards that allow interoperability.  To demonstrate this achievement, UC providers would be well advised to participate in industry wide interoperability testing.  In this Lippis Report, we discuss the issues that are holding back UC and video conferencing adoption.</p>
<p><span id="more-2954"></span></p>
<p>It’s important to understand that standards and interoperability mean different things.  A supplier can be open, but not standards based.  A supplier can be standards based, and not open.  And then a supplier can be standards based and build a range of extensions to the standard, which then makes their implementation nonstandard.  And this is where the UC industry is right now.   Nearly every supplier will tout how open they are; that is how standards based they are, but what it all comes down to is we really don’t have a common standard UC that allows IT business leaders to deploy UC solutions and work in a mixed vendor and service provider environment.  This is the single most important issue to IT business leaders that is creating pause in their UC deployments and extending sales cycles. </p>
<p>It’s disappointing.  Our industry has been developing UC since 1996.  It seems as if UC suppliers are not ready to implement standards based UC solutions, as they haven’t figured out how to maneuver as the basis of competition changes toward interoperable UC.   The question is if a UC supplier makes their offering open and interoperable will they lose important functionality and compete on features above standard UC services?</p>
<p>The UC market is built primarily off of a telecom heritage in which none of the PBX phone system vendors had interest in interoperable solutions, and as a result, the PBX market was frozen with 30% share each going to Lucent/Avaya, Nortel and Siemens for decades.  Voice over IP or VoIP thawed that market by radically changing it with a new approach to voice and based upon the openness of IP.</p>
<p>It’s because of this PBX heritage that many of the suppliers view being open and truly standards based as a threat. Thinking this way masks the bigger picture.  UC suppliers are missing the larger picture, which is this.  If UC endpoints truly worked as plug-n-play, and IT business leaders knew that whatever UC systems they deployed would interact and work with different UC suppliers, then UC usage would go through the roof.  The market would expand and service providers could offer standard UC services too.</p>
<div class="pod_wide">
<p><img height="70" width="55" src="/wp-content/uploads/lippis-kerravala1.jpg" /><strong>What is Holding UC Back?</strong></p>
<p><a href="/?lippis_pid=2928">Listen to the Podcast</a></p>
</div>
<p>The big picture of plug and play universal UC would change market share.  Perhaps large suppliers would have a lower percentage of share, but of a much bigger addressable market and associated dollar value.  In short, the pie would get much bigger.  In addition, the big picture would create a much larger UC ecosystem, with more winners than the current industry structure, and that is healthy. </p>
<p>Case in point.  Most IT business leaders have relationships and large investment with both Cisco and Microsoft.  Many Lippis Report subscribers voice concern that they can’t get their Cisco and Microsoft UC solutions to work properly together.  If two of the largest vendors in the UC space don’t work together, then what hope do most IT leaders have of actually getting their UC investments to work in a mixed vendor environment?</p>
<p>This is systemic, because without adherence to basic UC standards, overall market size, growth rates, adoption rates and adjacent markets will be limited. A closely aligned UC adjacent market is video communications.  While there are companies promoting various different standards, there’s no interoperability within the three-tier enterprise video communications structure.  The three tiers are 1) desktop video, 2) a pedestrian video conferencing system and 3) Telepresence rooms.  There are little to no standards that would allow different vendors to be providing each of the three tiers and offer users the same simple set-up that allows video communications to work between the three tiers. Today’s solution is to buy from a single vendor, but no video conferencing supplier offers all three tiers.  Cisco may soon offer all three tiers thanks to their Tandberg acquisition, but Microsoft still owns the desktop and they are not opening up their RTA/RTE protocol any time soon.</p>
<p>Another closely aligned UC adjacent market is smartphones, such as the iPhone, Android, BlackBerry, the Palm Pre, etc.   There are only limited UC extensions being offered to mobile endpoints, but they lack standards, presence, directory and fixed mobile convergence.</p>
<p>In short, the biggest drawback is that it’s too hard to get systems, sometimes even systems from the same vendor, to talk to each other.  Getting different systems from different vendors to talk to each other is nearly non-existent today.  The directory problem is a huge industry problem, because it’s very difficult to know who has video communications and who doesn’t.  Think of it in terms of telephony.  I know you’ve got a phone and a phone number that I can call you on.  I know you’ve got an email address.  However,  I don’t know if you have video, and if I do, I don’t know how to connect to you.  So, if that barrier doesn’t fall, video will remain a niche application with relatively low utilization even though high definition video and Telepresence utilization has increased substantially during the downturn.   </p>
<p>We are calling the telcos to task on this.  The telcos hold a lot of the keys to success because video conferencing systems are connected over telco networks, which is the perfect place to apply interoperability standards.   And while a number of telcos now support inter-company Telepresence on their own backbone, they need to step that up and provide inter-company video cross-backbone, and be willing to work with all video conferencing providers.  </p>
<p>Again, here’s the case where the telcos probably look at this interoperable video service as threatening, in that they don’t want to open their network up and allow other providers to provide service with their network.  Yet if they did, usage would go up and everybody would benefit.  So the network operators really need to step up here.</p>
<p>The big picture plug and play model of UC will change business models.  As the industry becomes open and standards based, truly standards based, an innovative ecosystem will flourish.  Money flows will shift as the big picture UC market becomes much more ISV (independent software vendor) driven.  In this model, from a vendor perspective, what’s important is less about the tools you have or the applications you provide, and more about your willingness to support the ecosystem that surrounds you and the development tools you provide them.  In essence, the developer community winds up leading your organization.  </p>
<p>This is a big shift. In the world of applications, the platform is the important asset and how a company supports its ecosystem will become a key basis of competition and a barrier to entry, as there are only a limited number of ISVs.   The open UC market will move the value proposition to one of a platform delivering innovative UC applications.  In this model, revenue generation shifts where money comes from and how vendors get it.   Avaya understands it very well, with its Dev Connect community, Cisco with its CDN and Siemens with its UC Server 2010 UC platform, but all suppliers need to put much more energy into open standards and going to market through a developer ecosystem.</p>
<p>To accelerate the industry to the big picture UC market expansion, the industry needs to embrace a public semi-annual interoperability testing and demonstration event. It was this public testing that drove TCP/IP into the success of the Internet with the industry trade show and conference called Interop.  We need a UC Interop to move this technology to mainstream.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/04/lippis-report-146-industry-wide-interoperability-testing-needed-for-unified-communications-market-if-it%e2%80%99s-to-grow/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Lippis Report 145: Cisco Expands TrustSec for 802.1x Access Control, Policy, Identity and Encryption</title>
		<link>http://lippisreport.com/2010/04/lippis-report-145-cisco-expands-trustsec-for-802-1x-access-control-policy-identity-and-encryption/</link>
		<comments>http://lippisreport.com/2010/04/lippis-report-145-cisco-expands-trustsec-for-802-1x-access-control-policy-identity-and-encryption/#comments</comments>
		<pubDate>Mon, 05 Apr 2010 23:25:37 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[802.1x]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Catalyst]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[Nexus]]></category>
		<category><![CDATA[TrustSec]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=2656</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Many IT leaders are striving to understand who is on their network and what they are doing.   These are two simple questions and yet, in many cases, IT business leaders do not have a good way to answer them.  And…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Many IT leaders are striving to understand who is on their network and what they are doing.  These are two simple questions and yet, in many cases, IT business leaders do not have a good way to answer them.  Once IT leaders are able to obtain this information, the question becomes what else they can do with the data: obtain a history report, perform statistics for analysis and planning, generate compliance reports and much more.  To tightly link business processes with networked applications, IT leaders need to wrap policy, identity and security around users and IT assets.</p>
<p><span id="more-2656"></span></p>
<p>This is the essence of Cisco’s TrustSec: it provides security services as its primary value proposition, but the data and insight it generates also assist IT business leaders with network design to meet future growth.  Cisco’s TrustSec organizes and simplifies existing authentication and policy schema, allowing administrators to configure and maintain identity-based access to IT resources while identifying and applying policy based on a user’s role in the organization. TrustSec also provides encrypted links between end-points and servers. TrustSec is an architecture that builds upon existing network services embedded into network infrastructure, addressing not only security issues but delivering certain business services too.</p>
<div class="pod_wide">
<p><img height="70" width="55" src="/wp-content/uploads/StevenSong-photo-150x150.jpg" /><strong>TrustSec Architecture Expands To Incorporate 802.1x &#038; NAC </strong></p>
<p><a href="/?lippis_pid=2658">Listen to the Podcast</a></p>
</div>
<p>A key pillar of strength for TrustSec is its ability to create a consistent and unified set of policies across the entire network.  Its second pillar is the ability to identify users: from the moment a user accesses the network, everything about this user is known and follows them wherever they go.  TrustSec identity is embedded in the traffic that the user generates, which goes well beyond initial Network Access Control (NAC) and offers unique design capabilities that we’ll discuss below.  The third pillar is security, which is reflected in a number of areas such as NAC, encryption, etc.</p>
<p>TrustSec is an architecture delivering network access control, policy, identity and encryption.  Policy is the glue that ties business processes to network behavior and thus TrustSec has expanded its role in policy creation.  TrustSec policy is segmented into three areas:</p>
<div class="pod_wide">
<p><img height="70" width="55" src="/wp-content/uploads/3in11.jpg" /><strong>Network Virtualization Comes of Age  </strong></p>
<p><a href="/?lippis_pid=2834">Listen to the Podcast</a></p>
</div>
<p><strong>Authentication:</strong>  Authentication is the foundation of the technologies, as it defines user identity.  Authentication is how TrustSec understands users: who they are, what roles they have in the organization and what type of credentials they possess, as well as confirmation of these attributes.  TrustSec provides multiple authentication approaches, such as 802.1x, web authentication and MAC authentication bypass (MAB).  All three approaches are implemented and supported on Cisco Catalyst or Cisco Nexus switches. Cisco uses the term “Flexible Authentication” to represent these three methods.  What’s unique about Cisco’s TrustSec authentication approach is that it provides all three methods together and they are completely adjustable.  IT administrators can configure these authentication methods in any sequence of their choice, and in one place that hosts all authentication configurations, greatly simplifying configuration and change management.  There is yet another TrustSec authentication method, namely appliance-based network authentication provided by the Cisco NAC Appliance. This method expands beyond LAN switches to include wireless and remote access as well.</p>
<p>A powerful feature is that once authentication is configured on a centralized policy server, all switches receive this data, easing deployment while providing consistency and scale.  Authentication no longer has to be configured on a per-switch basis; instead, a consistent policy is realized.  For IT leaders who are not ready to implement Catalyst or Nexus switch policy enforcement and would rather use an appliance, there is an in-band and out-of-band NAC appliance approach to policy enforcement.</p>
<div class="pod_rel">
<p class="pod_p">Cisco TrustSec</p>
<p><a class="pdf_icon" href="/?lippis_pid=2660">Get the White Paper</a></p>
</div>
<p><strong>Authorization:</strong>  Once a user has been authenticated and their organizational role confirmed, services can be designed specifically for them and implemented via control mechanisms.  It’s common in the industry to assign the user a VLAN or an ACL, depending upon whether a layer 2 or layer 3 construct is used.  TrustSec supports both VLAN and ACL implementations. What’s unique about TrustSec is that it allows IT administrators to create a security group tag, or SGT.  SGT essentially allows every single packet to be tracked throughout the entire infrastructure, so user control is not relegated to the initial network entry point, as it is with VLANs and ACLs.  SGT enables user control and support deep in the interior of the network.  For example, to strictly control access to a critical file server, an IT administrator can use SGT to filter network egress to that server so that only those allowed access can reach it.  The control point is on the switch: when traffic leaves the switch trying to reach the file server, only users authorized via SGT are able to egress.</p>
<div class="pod_rel">
<p class="pod_p">The End of the Overlay: Unified Networks Arrive</p>
<p><a class="pdf_icon" href="/?lippis_pid=2838">Get the White Paper</a></p>
</div>
<p><strong>Value-Added Services:</strong>  With user authentication and authorization configured along with control, IT administrators can now design specified user services that are linked to business processes. One such service is IP telephony integration: IP phone end-points need to be authenticated and authorized but are non-user devices, meaning that they don’t possess an 802.1x supplicant and there is no human behind the device.  TrustSec utilizes aspects of 802.1x to authenticate and authorize the IP phone’s user, taking into account various scenarios such as when the IP phone is powered down or it’s behind a PC, etc.  Other services are guest access, device profiling, device posture and link encryption via MACSec, an IEEE standard that specifies how encryption may be used to secure links within local area networks.</p>
<p>TrustSec’s MACSec implementation is supported on the Nexus switches and on the new Cisco Catalyst 3560-X and 3750-X series switches that connect desktops, WLAN access points and laptops.  In short, with MACSec supported on Nexus 7000 and Catalyst 3560-X and 3750-X switches Cisco is working towards full native layer 2 encryption as the Nexus switches are located in the data center while the Catalyst 3000s are closet switches connecting desktops.  This is a welcome development for high security environments such as government agencies, certain research and development laboratories and other environments that require a higher level of security.  </p>
<div class="pod_rel">
<p class="pod_p">Scaling Data Center Networks</p>
<p><a class="pdf_icon" href="/?lippis_pid=2847">Get the White Paper</a></p>
</div>
<p><strong>TrustSec Innovations</strong><br />
Cisco is announcing a set of new TrustSec features and innovations, such as Security Group Access Control List, which allows IT administrators to control group access based upon MACSec key technology.  Security group Tag Exchange Protocol (SXP) is useful for Catalyst switches that do not have the processing power to support SGT today.  Cisco developed SXP to ensure that its customers can use their existing Catalyst switches to participate in the overall SGT implementation.  Flexible Authentication is another innovation, for scenarios in which end-points do not have an 802.1x supplicant and require access to an 802.1x network.  Flexible Authentication offers web authentication, which is useful for printers, guest access, etc.</p>
<p>Open Mode offers alternatives to simply being denied network access, a dramatic event when it occurs.  Cisco designed multiple TrustSec modes to ease this transition.  For example, monitor mode is like an audit mode.  IT is able to monitor all users and their traffic, allowing IT to view network dynamics before turning on 802.1x.</p>
<p>In addition to monitor mode there is “low impact” mode.  In this case 802.1x authentication is engaged, but certain types of traffic are allowed to pass onto the network even if authentication denies access.  This is useful for DNS or maintenance-related network traffic, for example, which is allowed to pass even if the end-point did not pass authentication.  There are configurable options for “low impact” mode.  There is also a “high security” mode where only authenticated users/devices are granted access.</p>
<div class="pod_rel">
<p class="pod_p">An Executive Guide to Video Communications</p>
<p><a class="pdf_icon" href="/?lippis_pid=2850">Get the White Paper</a></p>
</div>
<p><strong>Value-Added Services:</strong></p>
<p>There are tools to automate the process of adding value-added services, such as device profiling, which recognizes defined end-points such as a printer. This is very handy when a printer is moved, replaced or added, as it saves IT operations configuration time. Automated device profiling tracks devices by monitoring these end-points as they boot up on the network.  TrustSec identifies that the new device is a printer, loads the printer policy, placing the printer in the right VLAN, ACL or SGT, and then updates the device database, saving IT a lot of effort.</p>
<p>Guest services are now integrated with the Cisco NAC appliance guest server, streamlining guest account creation and user notification.  The integration of guest services into the NAC Appliance allows report creation; for example, history tracking.  Guest services now work in both 802.1x and NAC environments, offering IT choice, convenience and simplified operations, an industry first.  Thus any worker with authorization can create a guest account, reducing dependence on IT or the helpdesk, which often fielded guest access requests.</p>
<p>Posture assessment provides device compliance status, such as which version of Anti-Virus, spyware scan, network configuration assessment, etc., which is added to authentication services.</p>
<p>Cisco has built enhanced end-to-end troubleshooting and monitoring capabilities into TrustSec for 802.1x environments.  When an 802.1x end-point attempts to access the network, a string of exchanges occurs between that end-point and the network.  There is a protocol exchange to obtain user information while the authenticator or network switch transfers the information to the authentication policy server.  During this protocol exchange between the three entities there could be a number of reasons why things do not work.  Typically, when things went wrong there was limited information available to IT administrators to troubleshoot and resolve the issue.  To fix this problem TrustSec collects user supplicant information from the network, the policy server and switch as a log message, which is passed through certain algorithms or scripts to isolate the problem.  This increased visibility enables quick problem identification and resolution, pinpointing the trouble to the switch configuration or a supplicant issue, or determining whether it’s simply a wrong password.  These scripts are useful not only for troubleshooting but also for compliance, as the collected information can generate reports. These scripts are available in Cisco’s ACS 5.1 policy server.</p>
<p><strong>Implementing TrustSec</strong></p>
<p>There are currently two TrustSec deployment scenarios: 1) 802.1x and 2) appliance-based.  In 802.1x environments the ACS server is the policy server, with Catalyst and Nexus switches providing enforcement and RADIUS as the control plane.  In the appliance-based approach Catalyst switches provide enforcement, NAC Manager is the policy server and SNMP is the control plane. The appliance-based approach does not support SGT, but it provides posture assessment, which 802.1x does not.</p>
<p>TrustSec features and attributes are implemented across many Cisco products, such as the Cisco Catalyst and Nexus switches providing policy enforcement and encryption services.  Policy is defined in the Cisco ACS (Access Control System) while its key authentication and authorization are implemented in the NAC Manager, Server, Profiler and Guest Server.  There are two TrustSec end-point clients, those being Cisco’s or any 802.1x supplicant and its NAC client.  It’s not a stretch to see that Cisco will consolidate the end-point clients and policy components over time to minimize the number of appliances needed to fully utilize TrustSec. ACS already works with the NAC Profiler and Guest Server plus directory services such as Active Directory or LDAP.  Knowing Cisco, the NAC Manager may also hold all this functionality for those who choose to deploy TrustSec in an appliance form factor.  Over time these two TrustSec approaches will consolidate to one, allowing 802.1x and NAC users and devices to connect to the network with one policy server and either a switch or an appliance enforcement method, leaving the choice to IT departments.  The end-point clients would fit nicely into Cisco’s AnyConnect client, offering both LAN and remote security services in one client.</p>
<p>TrustSec has expanded to include 802.1x and NAC environments offering customer choice to either proceed with one approach or a combination of the two.  TrustSec’s attributes are based on policy, identity and security.  Over time we expect that many of the TrustSec attributes will be integrated into the network allowing its services to be ubiquitous throughout the corporate network fabric, significantly adding to corporate security architecture.  </p>
<p>To make TrustSec truly successful Cisco should add more support for mobile and remote access end-points in addition to LAN-based end-points to the architecture.  In addition video end-points will require TrustSec services too and will have to be supported.  There are slight tradeoffs between 802.1x and NAC clients such as posture assessment and SGT support.  These two client features should blend over time and converge into one to simplify TrustSec client software.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/04/lippis-report-145-cisco-expands-trustsec-for-802-1x-access-control-policy-identity-and-encryption/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Lippis Report 144: Cloud Web Security Shifts To Content And Context Threat Detection</title>
		<link>http://lippisreport.com/2010/03/lippis-report-144-cloud-web-security-shifts-to-content-and-context-threat-detection/</link>
		<comments>http://lippisreport.com/2010/03/lippis-report-144-cloud-web-security-shifts-to-content-and-context-threat-detection/#comments</comments>
		<pubDate>Mon, 22 Mar 2010 23:01:57 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[applications]]></category>
		<category><![CDATA[borderless networks]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[mobile devices]]></category>
		<category><![CDATA[network security]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=2654</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>With all the investment in IT security over the years, one would think that threats would have subsided; but they have only increased and largely increased with exploits and iframes (redirection on a reputable website to infect its visitors) up…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>With all the investment in IT security over the years, one would think that threats would have subsided; but they have only increased, and increased greatly, with exploits and iframes (redirection on a reputable website to infect its visitors) up by a factor of nearly 2000 over the past two years.  This has resulted in an increase in data theft Trojans over the same period by a factor of 6000, according to the 2009 ScanSafe Global Threat Report, enriching hackers and cybercriminals.  What’s driving this exploit growth is that hackers and cybercriminals are automating successful techniques for mass website infection.  In addition, hackers increasingly collaborate, sharing best practices to infect websites for personal gain.  In short, IT and business leaders are not confronting individual hackers, but a community of cybercriminals working together to steal corporate data, one that is increasingly organized as a traditional business with suppliers, resellers and end users.  And this community’s opportunities to attack individuals and corporations have only increased with the huge growth in mobile access and deep corporate reliance on web-based applications to automate business processes.</p>
<p><span id="more-2654"></span></p>
<div class="pod_wide">
<p><img height="70" width="55" src="/wp-content/uploads/mguntrip.jpg" /><strong>Cloud Web Security For Zero Day Threat Defense  </strong></p>
<p><a href="/?lippis_pid=2649">Listen to the Podcast</a></p>
</div>
<p>IT leaders, especially those in small- to medium-sized companies, are at a disadvantage with limited and even decreased IT staff and capital budgets, making it difficult for them to keep up with an ever-increasing volume of threats and complex exploit profiles. To mitigate these fears and concerns, IT leaders have been turning to Cloud Web Security offerings by Cisco, BlueCoat, Websense, McAfee and others.  While limited at first to URL filtering, Cloud Web Security is becoming sophisticated enough to identify threats by analyzing content on a contextual basis.  Further, Cloud Web Security is in essence a SaaS offering that affords on-premises and mobile threat defense by extending a corporate perimeter around a company’s mobile workforce.</p>
<div class="pod_wide">
<p><img height="70" width="55" src="/wp-content/uploads/bernadevrim.jpg" /><strong>Cisco Launches New X &#038; S Series Edge Switches</strong></p>
<p><a href="/?lippis_pid=2666">Listen to the Podcast</a></p>
</div>
<p>The Web has become fundamental to business and the overall economy. The use of the internet has evolved from a static research tool to a dynamic communication platform, with corporate revenue directly linked to Web availability.  Second, Web access is wide and varied in terms of end-points used, be it desktops, laptops, netbooks, smartphones, kiosks, etc., and networks providing access such as corporate networks, broadband, WLAN, hotspots.  From a security point of view exploits infect corporate IT assets primarily through malicious content on web sites, email and blended email/web combinations.  The Web will be used increasingly as the threat vector of choice by hackers and cybercriminals to distribute malware and perpetuate identity theft, financial fraud, and corporate espionage.  As networks have become borderless, security vulnerabilities have increased by opening up doors or entry points that hackers can exploit, be those doors end-point devices, web sites, bad sections of web sites, applications, email, etc.  </p>
<div class="pod_rel">
<p class="pod_p">Does A Mixed Vendor Network Really Deliver On Expected Benefits?</p>
<p><a class="link_icon" href="/?lippis_pid=2785">Visit the Link</a></p>
</div>
<p>To mitigate these vulnerabilities, IT leaders have deployed Web Security services in their enterprises in an effort to control which web sites employees access.  But with the huge growth of laptops and smartphones, Cloud Web Security has been introduced beyond the corporate perimeter to protect all users and mobile devices too.  Cloud Web Security threat prevention is getting much smarter by combining content analysis with context, offering a powerful defense against zero-day exploits for all users regardless of location.</p>
<div class="pod_rel">
<p class="pod_p">Annual Global Threat Report 2009</p>
<p><a class="pdf_icon" href="/?lippis_pid=2650">Get the White Paper</a></p>
</div>
<p><strong>Cisco ScanSafe</strong></p>
<p>To make these points, I focus on Cisco’s Cloud Web Security offering, obtained through its acquisition of ScanSafe.  Prior to Cisco’s acquisition of ScanSafe, IDC’s “Worldwide Web Security 2009-2013 Forecast and 2008 Vendor Shares” ranked it as the worldwide market leader with over 30% share, with Websense in second place at 7%.  ScanSafe’s suite of services includes <a href="http://www.scansafe.com/security">Web Malware Scanning</a>, Web Filtering and Anywhere+ for roaming user protection.  Unlike other solutions, which rely on URL databases and signatures to filter and identify malicious sites, ScanSafe, through its Outbreak Intelligence engine, scans all Web requests in real time, so IT leaders receive comprehensive protection from all threats, including threats that appear before an anti-virus signature is available – and that’s a huge advantage.</p>
<div class="pod_rel">
<p class="pod_p">ScanSafe Web Security</p>
<p><a class="pdf_icon" href="/?lippis_pid=2652">Get the White Paper</a></p>
</div>
<p>What’s unique about Cisco ScanSafe is the sheer volume of data &#8211; billions of web requests daily &#8211; it processes for threat identification.  The visibility gained from ScanSafe is also fed into Cisco’s Security Intelligence Operations (SIO), which incorporates data from IntelliShield, SensorBase and the huge footprint of participating Cisco customers who have opted in to send their IPS appliance security data to SIO, creating the largest threat collection network on the planet.  SIO’s broad threat collection and exploit mitigation dissemination will only increase the accuracy of the entire Cisco security portfolio, including ScanSafe.</p>
<div class="pod_rel">
<p class="pod_p">Web 2.0wned: A history of malware on the Web</p>
<p><a class="pdf_icon" href="/?lippis_pid=2754">Get the White Paper</a></p>
</div>
<p>Since ScanSafe is a Cloud Web Security service consisting of over 15 data centers deployed across the world, access is independent of geographic location.  In essence a user connecting to the Web will have their traffic pass through one of ScanSafe’s data centers.  In the ScanSafe data center the requested Web page is split into its basic components such as Java, PDF, Windows EXE, etc., and scanned within an analysis engine called Outbreak Intelligence for zero-day exploits via twenty-six specialized scanlets. The output of the scanlets is processed by a meta scanner that processes contextual information to decide if the content should be blocked or allowed to pass.  This process of content scanning takes less than 5ms assuring user performance is not impeded.  What’s impressive about ScanSafe is its scale.  It sees billions of web requests per day and all of this scanning and filtering of traffic is captured within Outbreak Intelligence that provides real time harvesting of data that allows it to identify and stop an exploit well before anti-virus vendors can produce a signature and propagate it to their customers.</p>
<div class="pod_rel">
<p class="pod_p">FAX Survivability Solutions</p>
<p><a class="pdf_icon" href="/?lippis_pid=2763">Get the White Paper</a></p>
</div>
<p><strong>Signature Defense Is Not An Effective Zero Day Threat Mitigation Technique<br />
</strong><br />
For example, during the Zeus Botnet and Gumblar exploits, ScanSafe was blocking these exploits from propagating to clients well before anti-virus firms developed and distributed a signature.  This lapse of time between exploit identification, signature development and mitigation is reduced to zero in ScanSafe’s Outbreak Intelligence, offering a much better approach to defense.  Consider Gumblar, which first spiked near the 16th of April 2009 and took anti-virus vendors nearly a week to develop a signature, all the while ScanSafe was blocking it from clients.  After anti-virus vendors released a Gumblar signature, Gumblar traffic did indeed decline, but the hacker modified his/her exploit, and near the 23rd of April Gumblar spiked again, forcing the anti-virus vendors to identify it, analyze it, write a new signature and finally distribute it.  During this time ScanSafe had been blocking the mutated Gumblar from its clients.  This cycle continued for nearly six weeks starting from threat outbreak and included four hacker mutations and subsequent signatures until the anti-virus vendors delivered consistent protection.</p>
<div class="pod_rel">
<p class="pod_p">How Customer Intelligence Can Help Small Businesses Deliver Results</p>
<p><a class="pdf_icon" href="/?lippis_pid=2766">Get the White Paper</a></p>
</div>
<p>The above is an example of ScanSafe’s ability to detect and block exploits at scale.  The more content ScanSafe’s data centers scan, the smarter its Outbreak Intelligence gets.  This is important for two reasons.  First, in this market the suppliers with the largest market share are rewarded with the greatest visibility into exploits and thus offer the quickest and most potent defenses.  Thus, with its dominant share, ScanSafe has a level of threat visibility that allows it to accurately and quickly mitigate exploits.  Second, since ScanSafe is a cloud-based service it can deliver a solution for on-premise and mobile users quickly and easily.  This combination is powerful not only for large enterprises but for small- to medium-sized businesses as well, where IT skills and capital constraints had precluded them from offering the same protections as larger firms, until now.  In fact the small to medium enterprise (SME) market can offer its employees the same level of protection as large enterprises when using ScanSafe.</p>
<div class="pod_rel">
<p class="pod_p">Wiring Closet Switches Become Smarter &#038; Greener</p>
<p><a class="pdf_icon" href="/?lippis_pid=2663">Get the White Paper</a></p>
</div>
<p>ScanSafe’s data centers not only offer scale of processing but fault tolerance and redundancy are built into their design so that in the case of a data center outage, the data center that’s nearest in proximity is equipped with enough capacity to support all users without negatively impacting performance.  ScanSafe has a track record of 100% availability over the past 7 years.  For traveling mobile users their protection follows them anywhere in the world.  For example a traveling mobile worker may deplane in Singapore connecting to the ScanSafe Singapore data center, but upon arrival in the U.K. the London data center will service this mobile user so that his/her policy is consistent worldwide while performance is maximized.   </p>
<p><strong>Reporting Is A Key ScanSafe Differentiator</strong></p>
<p>ScanSafe reporting is arguably the most detailed in the market at analyzing web security threats and offers depth unattainable by enterprise systems, thanks to its position in the cloud.  There are over 5000 customizable reports with 75 reporting attributes and 11 categories with comprehensive drill downs.  This reporting flexibility allows administrators to define important data too.  There are virtually no report design restraints, offering great insight and visibility into web activity. The reports are based on a data warehouse infrastructure providing cumulative, trending and forensic reports that are processed and maintained by ScanSafe’s storage, compute and network infrastructure.  Its reporting is SaaS-based, meaning that IT leaders do not need to purchase or run reporting software on-premise.  Reporting is key, as IT leaders are provided with visibility into both on-premise and off-premises Web usage, offering them tools for charge back, forensics, application planning, etc.</p>
<p><strong>Consistent or Different Policy </strong></p>
<p>Policy is an enabler for IT leaders to gain control over Web use by in-office and mobile workers.  ScanSafe gives IT leaders control knobs over content such as URL filtering, dynamic classification of websites, end-user education through threat labeling of search engine results before employees click on links, plus other traditional policy settings.  In addition, ScanSafe’s Anywhere+ allows IT Security leaders to set flexible on- and off-premises policy.  For example, in-office employees may have policy set for both acceptable use and malware prevention; however, off-premises employees may have policy set for malware prevention. As Anywhere+ becomes integrated with Cisco’s AnyConnect client, this capability will be pushed to the millions of users that use the AnyConnect client. Providing a consistent policy framework for on- and off-premises use is a work in progress at Cisco, but it does have the product breadth to deliver on its implementation. </p>
<p>Cloud Web Security has primarily been focused on URL filtering as its primary control.  But URL filtering has become less effective as a control or security technique due to large quantities of dynamic content delivered over the internet.  URL filtering schemes are unable to identify different types of content within pages especially within Web 2.0 sites.  This is where content analysis has blossomed as an accurate approach to identify every component of web page content that is attempting to traverse a corporate firewall or reach a mobile end-point independent of website categorization.</p>
<p>Cloud Web Security offerings are delivering a network approach to zero-day exploit mitigation that is faster and more accurate than traditional client-based anti-virus signature approaches.  Cloud Web Security offerings that are based upon content analysis with a contextual basis are best positioned to mitigate exploits.  As these offerings are cloud-based their use is naturally extended to static and mobile locations offering protection to both desktop and mobile users with consistent reporting and customizable policy creation.   Another large benefit is that Cloud Web Security solutions are well within the reach of small- to medium-sized businesses, offering these firms an effective way to close the gap between effective defense and budget plus staff limitations.  Cloud Web Security should be considered as part of IT’s overall arsenal to defend workers and corporate assets from hacker and cybercriminal threats.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/03/lippis-report-144-cloud-web-security-shifts-to-content-and-context-threat-detection/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>Lippis Report 143: Cisco AnyConnect Is A New Mobile Security Model</title>
		<link>http://lippisreport.com/2010/03/lippis-report-143-cisco-anyconnect-is-a-new-mobile-security-model/</link>
		<comments>http://lippisreport.com/2010/03/lippis-report-143-cisco-anyconnect-is-a-new-mobile-security-model/#comments</comments>
		<pubDate>Wed, 10 Mar 2010 03:16:00 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[AnyConnect]]></category>
		<category><![CDATA[applications]]></category>
		<category><![CDATA[borderless networks]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[IronPort.]]></category>
		<category><![CDATA[mobile devices]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[scan safe]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=2628</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>No matter where you look today the structure of IT is fundamentally changing.  Applications are increasingly being accessed from mobile devices along with traditional laptop, desktop and even kiosk machines. SaaS has taken off and is far more prevalent than…</p>]]></description>
			<content:encoded><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>No matter where you look today the structure of IT is fundamentally changing.  Applications are increasingly being accessed from mobile devices along with traditional laptop, desktop and even kiosk machines. SaaS has taken off and is far more prevalent than most executives realize as they are acquired by line of business and divisional budgets, leaving many IT leaders blind-sided and out of control with their relevance coming into question.  As a result corporate application portfolios are shifting in their mix under IT leaders from one of total control to partial control to none.  In short, IT leaders are finding that the largest application growth in their corporation is coming from outside of their traditional perimeter and with no control knobs.  In essence applications and networks are becoming borderless.</p>
<p>While borderless networks offer productivity improvements by allowing work to follow individuals, IT leaders are concerned about their security implications: are corporate assets secure when applications are being accessed and used within and outside of the corporate perimeter?  Can IT leaders deliver the ease of use afforded by borderless networks securely?  In this Lippis Report Research Note we review Cisco’s new AnyConnect approach to securing mobile devices, which promises invisible use along with safeguards, visibility, control and relevance for IT security leaders.</p>
<div class="pod_wide">
<p><img height="70" width="55" src="http://lippisreport.com/wp-content/uploads/Untitled-1.jpg" /><strong>Cisco Launches AnyConnect Secure Mobility Solution </strong></p>
<p><a href="/?lippis_pid=2596">Listen to the Podcast</a></p>
</div>
<p>With mobility comes productivity.  As users work anywhere through a wide range of devices or end-points, business productivity accelerates.  This has been the case with every cycle of computing, from mainframes, minis, PCs and internet-connected PCs to now mobility: a correlated, significant jump in productivity at a macro-economic level occurred, and the mobile computing cycle will be no different.  But to seize this productivity IT leaders need to be comfortable with mobile computing security.  And they do have a lot to be concerned about, as securing a plethora of different devices accessing both corporate and Web/SaaS applications from a vast array of locations and network access methods is a challenge. </p>
<p>Three major mobile computing themes stand out:  </p>
<p><strong>Theme one: Increase Productivity:</strong>  IT business leaders need employees to be productive, so they provide access to information, making that access as seamless as possible so employees obtain the tools they need and information they require to do their jobs.  A central component to this is providing consistency between out-of-office and in-office IT experience.  </p>
<p><strong>Theme two: Deliver Mobile Security:</strong>  Many IT leaders feel this way: “I built all of this infrastructure to protect my users when they’re sitting within the organization.  When they leave and are remote what is protecting them and corporate assets?  I protect them eight hours a day, then they go home with their laptop and get infected <a href="http://lippisreport.com/?p=2628">for 16 hours</a>.”  In short a disproportionate amount of security investment has been made within the corporate perimeter that needs to be extended to remote and mobile access.</p>
<p><strong>Theme three: End-point Agnostic:</strong> Consumerization of the enterprise is forcing IT business leaders to support not only traditional remote devices such as laptops, but also iPhones, Android, BlackBerry, netbooks and other end-points that are on the horizon such as the iPad.  Consumerization is focusing IT business leaders on delivering seamless network access with always-on security and protection across a broad array of devices to enable business productivity.</p>
<div class="pod_rel">
<p class="pod_p">Real Security for Virtual Networks and Data Centers</p>
<p><a class="pdf_icon" href="/?lippis_pid=2611">Get the White Paper</a></p>
</div>
<p><strong>Securing Mobile End-points With Existing Defense Techniques</strong><br />
From a security point of view, IT defense for mobile devices shares many of the same concerns as securing fixed end-points.  Unique to mobility is the security issue of lost mobile devices/end-points.  To address this concern IT leaders typically need a complementary product that can enforce PIN locks/encryption and support remote data wipe.  Common to mobile and desktop security are concerns with acceptable use and threat protection.  Malware plus web-based threats have spiked over the past 18 months, increasing threat awareness as business press coverage of exploits has expanded.  IT leaders have data security on the top of their minds too.  Therefore, access control, threat protection, data security, etc., are security concerns common to fixed and mobile computing, with IT leaders and vendors seeking to expand/extend existing defenses to this new wave of computing. </p>
<p><strong>Legacy VPNs Too Cumbersome: A New Generation of Remote Access Emerges </strong><br />
Clearly an existing technology such as the Virtual Private Network (VPN) is a remote access approach that seeks to provide a solution to mobile computing, but it falls short. The challenge with legacy VPNs is their cumbersome use model, with multiple boxes to check, tokens and keys to exchange plus certificates to obtain.  The process is not transparent and as a result is too painful to use, so legacy VPNs are used only when absolutely necessary.  This difficulty of use is both a lost productivity opportunity and a security vulnerability.</p>
<div class="pod_rel">
<p class="pod_p">Is Your Small Business Ready for Non-Stop Operation?</p>
<p><a class="pdf_icon" href="/?lippis_pid=2616">Get the White Paper</a></p>
</div>
<p>The vast majority of time a user is outside the corporate network its end-point is unconnected to that network and thus largely unprotected and invisible to IT.  Laptops in essence have no security except perhaps a desktop anti-virus (AV) client, which is becoming less and less effective over time due to signature-based defenses lagging exploit propagation.  Connectivity may even be so rare that end-points spend much of their time out-of-compliance on patch levels. SaaS makes the problem even worse. Many use SaaS applications such as Salesforce.com, et al., to conduct business-critical or business-relevant tasks by simply accessing these sites over the internet where IT doesn’t have visibility let alone control over these sessions.  Most don’t use VPNs to access SaaS applications, which would route traffic through the corporate network, due to the use hassle.  </p>
<p>With corporate applications having moved rapidly to HTTP, Web and SaaS delivery, the web is an increasing threat breeding ground that requires a new defense model.  There are web security solutions in the market such as Websense and BlueCoat, but their current models are limited to URL-filtering clients, which enforce approved URLs on each end-point.  Further, their current operating system support for clients is limited to Windows XP, omitting Mac OS X and smartphone mobile platforms.  And while URL filtering does provide limited acceptable use and malware security, it does not address data loss or access control, and thus falls short of full threat prevention, particularly given the nature and mechanism used by hackers to propagate threats today.</p>
<p><strong>Enter Cisco AnyConnect Secure Mobility</strong></p>
<p>To address mobile computing, Cisco has announced its Cisco AnyConnect Secure Mobility to combine access control and web security, which in essence creates a flexible perimeter around a corporation’s mobile end-points providing them the safeguards and security that desktop systems enjoy behind the corporate firewall.   AnyConnect Secure Mobility combines Cisco’s AnyConnect client, Cisco’s ASA (VPN, Firewall, IPS, content switch appliance), IronPort (Web security), ScanSafe (Cloud Web Security), and SIO (Security Intelligence Operation) to deliver the next generation of remote access and security for mobile end-points. </p>
<p>While AnyConnect utilizes and integrates much of Cisco’s security technology, the real innovation is how the mobile client captures ease of use and simplicity, allowing users to access both corporate and Web/SaaS applications without the hassle of traditional VPNs for any type of end-point, be it laptop, smartphone, netbook, etc., while protecting corporate assets. In many cases the user experience will be far superior to existing remote access solutions as they don’t need to be concerned with network access type, be it VPN, internet, 3G, WLAN, 4G, etc. The hope is that AnyConnect will provide IT leaders with the assurances they need to enable employees to embrace mobile computing allowing their corporations to exploit its productivity advantages.  </p>
<p><strong>Making Remote Access Secure and Invisible</strong></p>
<p>AnyConnect is a pervasive end-point client controlling network access and security.  The idea is that it fades away into the background, versus the very manual VPN configuration of today.  AnyConnect decides where to connect and establishes the connection when the end-point needs to network.  If a laptop or iPhone moves from WiFi to the 3G network, AnyConnect figures out what it needs to establish the connections.  In addition, AnyConnect provides persistence, keeping all session state.  The more intelligent AnyConnect gets over time, the more it will fade into the background, being invisible to the user.  Cisco is committing to a broad range of device support.  Windows XP, Vista, Windows 7 and Mac OS X laptops are supported.  Smartphones such as Apple’s iPhone, Android and Windows Mobile are rapidly changing the enterprise mobility landscape, which has been dominated by BlackBerry thus far, and it seems logical that these end-points will be supported by Cisco at some point.</p>
<div class="pod_wide">
<p><img height="70" width="55" src="/wp-content/uploads/kessler.jpg" /><strong>Securing Virtualized Data Centers</strong></p>
<p><a href="/?lippis_pid=2599">Listen to the Podcast</a></p>
</div>
<p><strong>Flexible Policy Creation</strong></p>
<p>For web security clients AnyConnect delivers an innovation around policy so that specific policies for remote workers can be distinguished and reported differently than desktop policies.  This is important from a compliance point of view as IT leaders often set policy for workers within the network perimeter around “acceptable use” and from a compliance and liability standpoint IT leaders need to be concerned with “where” users go on the web.   However, when an employee is home on their own time using their laptop to browse the internet, IT Security leaders don’t care “as much” about which web sites they visit, only that they are secure and protected from propagating threats.   Therefore, AnyConnect allows IT Security leaders to set flexible on- and off-premises policy.  For example, in-office employees may have policy set for both acceptable use and malware prevention; however, off-premises employees may have policy set for malware prevention.</p>
<p><strong>Device Collaboration Takes Complexity Away From Mobile End-point</strong></p>
<p>AnyConnect promises to deliver an end-to-end user experience, thanks to the engineering that Cisco has done to enable the above-mentioned security products to collaborate with each other.  One example of this value occurs during AnyConnect user authentication via an ASA configured as a remote access VPN headend.  The ASA authentication information, along with the fact that the user is mobile, is passed to the web security appliance so that both can apply the right policy without delivering another prompt to the user, thus allowing mobile-specific policy to be applied to the remote access session.  For the mobile user this process streamlines access, as he/she is not greeted with two different screens (ASA and Web security) during authentication, just one.</p>
<p><strong>Hybrid Hosting: The Way We Work</strong></p>
<p>Backhauling internet destined traffic from remote sites over the corporate network is unfortunately more often done for security reasons.  As many security leaders are requiring remote or mobile users to pass through the corporate perimeter to access SaaS applications and other Web content, application performance may suffer.   AnyConnect performs performance optimization between VPN and Web access scenarios to significantly lower latency improving user experience even during backhaul scenarios.  But as internet video traffic has skyrocketed there’s increased pressure and demand to maintain high user experience by allowing these flows to bypass backhauling and go straight to internet, or “enforcement points” such as a ScanSafe cloud.  AnyConnect promises to seamlessly find the closest network attach point and optimal enforcement point, whether that’s the backhaul path, a ScanSafe cloud or even a Cisco ISR G2 running in a branch office equipped with web security capabilities.  It’s logical that Cisco will release these capabilities over time.</p>
<p>Securing mobile/remote users via cloud-based services and desktop users with on-premises security appliances has emerged as an important security design approach.  Security services delivered to desktop and mobile users via on-premises and cloud solutions respectively are what some call “hybrid hosting”. Policy consistency is important to a successful hybrid hosting implementation.  That is, the ability to define user access policy on one policy server and propagate it to on-premises and cloud providers, providing common enforcement, single consolidated reporting and a better user experience.  </p>
<p>Key to hybrid hosting is the mobile client.  Cisco has built connection intelligence into the Cisco AnyConnect Secure Mobility Client.  AnyConnect manages connections by finding a trusted network, meaning assessing if the connection is a secure enforcement point.  If an end-point is currently connected to an unsecured public internet link, but the user application requires a secure connection, Secure Mobility Client will find it without operator intervention.  Optimal gateway detection is another feature that automatically finds the fastest gateway for VPN access and connects to it. </p>
<p><strong>Security For Thin Client End-points: Full Context Awareness</strong></p>
<p>As end-point devices become thinner and thinner, meaning devices with less processing power and memory, the harder it is to enforce security on the end-point.  Laptops can run sophisticated AV and scanning software to protect the end-point, but this software will not run on iPhones, BlackBerries, Android, etc., as they don’t possess adequate resources to run the code.  Therefore as end-points become thinner and their numbers balloon while threats continue to be more sophisticated and web-based the question is how to protect these devices and corporate IT assets from them if they become infected?  The answer is to leverage the processing power that resides within the network.  With the network providing security services on behalf of thin client mobile end-points, a consistency across devices is gained that is independent of end-point type.  Malware or exploits are identified along with web site destinations, policy can be enforced, reporting is captured and in the process IT Security leaders gain visibility.  </p>
<p>For web security AnyConnect has integrated Cisco’s Web Security Appliance, which provides malware security, acceptable use, access control, and data security for web traffic. By performing this in the network rather than the end-point it’s possible to obtain powerful security capabilities such as multiple layers of malware defense and web application controls which are very difficult to deliver, especially across a breadth of end-points via an end-point solution.</p>
<p>Malware defense includes Web reputation, which is delivered by Cisco’s Security Intelligence Operation (SIO), and is effectively a risk rating for how likely a specific Web object is to be hosting malware. Additionally, multiple AV signature sets are run in parallel on suspicious traffic providing better coverage than any single engine.  Currently Cisco offers Webroot and McAfee, and is planning to offer Sophos in the near future.</p>
<p>For acceptable use, Cisco offers standard URL filtering. But URL filtering has become less effective as the number of pages on the Web is exploding, making it impossible for URL lists to keep up.  To address this, Cisco dynamically categorizes web sites in real-time.  In addition, Web 2.0 sites and tunneling applications mean that a URL filter is not enough to protect users or create meaningful policy.  Enter application control. To expose web traffic, Cisco has built an engine that understands web traffic and the applications that traverse it.  That is, it can identify whether the traffic is IM, WebEx, Facebook, Facebook chat, an application running on Facebook such as Mafia Wars, Twitter, streaming media, etc.  With all traffic being distinguished, the Web Security Appliance’s application control can “block” or “allow” the traffic but, more importantly, provide greater policy granularity.  </p>
<p>Consider this.  An IT leader can develop a policy that allows chat on IM, but it’s a data security violation if a user attempts to send a file via IM.   Or a user can participate in a WebEx session but he/she can’t relinquish remote control of his/her desktop because it’s a security violation.   A user may be allowed to go to Facebook and read, but not post as this may be a potential DLP risk.   Cisco’s AnyConnect Web Security Appliance offers this deep application control thanks to its parsing of web traffic and subsequent policy granularity.<br />
It’s difficult if not impossible to obtain this level of security and policy enforcement even on a traditional mobile end-point like a laptop.  Imagine trying to make it possible for all of those smartphones that are flooding into the enterprise; virtually impossible.  This is the value of Cisco’s network-based approach.</p>
<p><strong>With SaaS Growth, IT Managers May Become Less Relevant</strong></p>
<p>With the large number of mobile devices that access SaaS applications that are out of an IT leader’s control and visibility, IT leaders have become concerned with their own relevance.  Most SaaS purchases are in fact not from IT departments but from business unit or line of business managers. Therefore, IT becomes less relevant as IT leaders don’t see this surge in SaaS application use, how to secure it and protect existing IT assets from potential threats.  As SaaS use grows so does this challenge to IT.   </p>
<p>To address this challenge, Cisco is building SAML (Security Assertion Markup Language) assertion into the Cisco IronPort Web Security Appliance, in addition to authenticating web traffic as it egresses the enterprise.  IronPort already works with AD (Active Directory) and LDAP to authenticate users.  Therefore, Cisco is adding the capability to create a SAML token, which will offer a better user experience by delivering single sign-on into Salesforce, WebEx, Concur, Google Docs, and all SaaS applications that support SAML.  </p>
<p><strong>SaaS Access Control</strong></p>
<p>What this does for IT leaders is give control back, as IT can demand that their SaaS providers support SAML tokens, meaning that users can’t access the SaaS application directly but only through the corporate network.  So if a user is at home he/she can’t go directly to Salesforce.com and download a customer list onto his/her home PC or onto an unmanaged end-point.  Users have to come back through the corporate infrastructure via AnyConnect to obtain their token.  This provides IT leaders with both control and visibility independent of where applications are hosted, be it in their data center or the cloud.  With this link to all applications IT leaders can apply access control policy and data security policy, and in the event of data loss or theft IT leaders now have granular forensic evidence too.  With SAML tokens in IronPort, IT leaders have both control and great visibility that gives them the confidence to enable SaaS applications for workers and remain relevant.  This is a huge point as many companies don’t know how many SaaS applications are being used.  Cisco for example has over 350 SaaS applications in use throughout its corporation, which is more than likely the rule rather than the exception.</p>
<p>One critical challenge SaaS presents is when employees leave or are terminated from their employer.   How does IT remove access to these SaaS applications?  It’s easy if there are only a few SaaS applications in use, but when the number of SaaS applications grows to the tens and hundreds the process becomes daunting and DLP vulnerabilities increase.  With Cisco’s Web Application Controls IT can simply implement a zero day revocation; that is pull the terminated employee’s credential out of the AD and all access to every SaaS application is terminated.  </p>
<p>What AnyConnect is offering IT leaders is the assurances and safeguards to say yes to employees using the IT tools they desire, be it a laptop, iPhone, SaaS applications, Android, BlackBerry, etc.  Users get a simplified way to connect to applications independent of where they are hosted, along with the protections and safeguards once only available to them while in their offices behind the corporate perimeter.  Security leaders get increased control and more security as AnyConnect extends out to the entire mobile workforce.  Cisco’s AnyConnect promises to successfully thread the needle to avoid the typical tradeoffs that accompany security products, such as security versus business process or security versus user experience.  With AnyConnect IT leaders will be able to enable business mobility, improve user experience, and protect corporate assets through strong security services.  In short the AnyConnect Secure Mobility Client offers a simple use model for mobile workers that leverages Cisco’s ASA, IronPort Web Security Appliance, SIO, and more than likely in the future ScanSafe, to wrap a corporate perimeter around its mobile workforce. </p>
<p>For existing Cisco customers that utilize ASA and WSA, implementing AnyConnect is straightforward and they can absorb this innovation fast.  These IT organizations would install AnyConnect Secure Mobility Client on end-points with the required configuration changes to ASA and WSA.  AnyConnect can be implemented piecemeal too, starting with AnyConnect Secure Mobility Client and ASA and adding other security defenses when appropriate.</p>
<p>But to make AnyConnect a success Cisco needs to expand its smartphone support and prove that its AnyConnect Secure Mobility Client is indeed as simple and invisible as it claims.  Also IT leaders will have to get comfortable with and trust the various enforcement points and its policy granularity.  AnyConnect will have to work in conjunction with other security technology such as anti-malware engines, PIN locks and data encryption, plus remote data wipe to protect against lost devices. Look for Cisco to partner with others to deliver these aspects of mobile security.  The key value proposition of AnyConnect is a simple yet powerful user experience.  The success of AnyConnect rests upon Cisco’s ability to deliver on the promise of an exceptional user experience with an always-connected remote access and security architecture.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/03/lippis-report-143-cisco-anyconnect-is-a-new-mobile-security-model/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Lippis Report 142: Is Networking Too Rigid?</title>
		<link>http://lippisreport.com/2010/02/lippis-report-142-is-networking-too-rigid-to-scale/</link>
		<comments>http://lippisreport.com/2010/02/lippis-report-142-is-networking-too-rigid-to-scale/#comments</comments>
		<pubDate>Wed, 24 Feb 2010 00:00:53 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=2571</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Networking has become “rigid”.   Yes I know it’s almost absurd to attribute inflexibility or rigidity to networking.  Look what TCP/IP has done for us.  There are nearly 2 billion people connected to the internet and according to the Internet World…</p>]]></description>
			<content:encoded><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Networking has become “rigid”.  Yes, I know it’s almost absurd to attribute inflexibility or rigidity to networking.  Look what TCP/IP has done for us.  There are nearly 2 billion people connected to the internet and, according to Internet World Stats, the internet user growth rate increased by 380% between 2000-2009.  With 2 billion people and growing online, accessing a plethora of applications via a wide range of end-points, there is no doubt that the internet and TCP/IP have been a much bigger success than anyone would have imagined back in the early ’90s.  But there’s always a give and take between computing and networking where one drives and changes the other.  Right now we are in a compute innovation cycle that’s driving a fundamental change in networking which screams out the need for more flexibility.</p>
<p>Computing has always driven network design. Mainframes drove SNA and analog multi-point wide area networks (WANs) during the ’70s. Mini-computers drove peer-to-peer networking protocols like DECnet, OSI and TCP/IP in the ’80s. Client-server computing drove LANs and TCP into the mainstream in the early ’90s. The Web drove the internet in the 2000s, and now server virtualization and cloud computing are once again changing fundamental networking requirements to make them more flexible.</p>
<p>The “rigid” label is a powerful one, as rigidity creates frustration by not addressing or enabling new business processes. Every time a network protocol or architecture was labeled as too rigid it was replaced, and in the process a new market emerged on the scale of tens of billions of dollars. SNA was labeled as too rigid to support peer-to-peer networking. The T1 multiplexer market of the late ’80s and early ’90s was too rigid to support data traffic and thus routing replaced it. The PSTN and TDM were too rigid as they doled out bandwidth in 56 Kbps chunks and were unable to support internet and VoIP traffic. The national entertainment network is rigid too, as it doesn’t support two-way communications, and it also will be replaced slowly but surely.</p>
<p>So where is networking not flexible enough? It’s in virtualized data centers. Some analyst groups estimate that 30% of workloads are virtualized, and that share is increasing. Since virtualization, or a VM, is the new atomic layer of data centers, networking is falling short in public as well as private clouds. Ideally, all resources (compute, storage, and networking) would be pooled, with services dynamically drawing from the pools to meet demand. Virtualization techniques have succeeded in enabling processes to be moved between machines, but constraints in the data center network continue to create barriers that prevent agility: for example, VLANs, ACLs, broadcast domains, load balancers, firewall/IPS security settings and service-specific network engineering.</p>
<p>The well-understood problem is that when a VM is moved from one physical machine to another, the network, load balancers, firewalls/IPS, broadcast domains, etc., have to be reconfigured. There is no automation in place, meaning that the network is not flexible or agile enough to make the changes required. This problem now has scale to it, as it’s a growing requirement of both IT executives managing corporate IT assets and service/cloud providers.</p>
<p>There are market solutions available today, and more are coming, that address “network automation”, which enables the network to reconfigure itself as a VM and/or workload is moved within a data center. Cisco’s Nexus 1000V, HP Network Automation software and its Virtual Connect approach, Force10’s Open Automation, Blade Network Technologies’ VMready Network Virtualization, Arista Networks’ Virtualized Extensible Operating System or vEOS and others are addressing the problem of network agility, or lack thereof, in virtualized environments.</p>
<p>But the problem gets bigger and more complex when distance and cloud provider entities become engaged. None of the solutions above address moving a VM from one physical server to another over a large distance, be it around town, across state lines, across the country or the globe. Some are using IF-MAP as a registry, sort of like Facebook for computers, in which machines publish their resources, and use this information to automate network configuration to support large-distance VM moves.</p>
<p>The problem gets larger yet when workloads move from a private cloud to a public cloud. (Definition note: There is no single definition of a workload, so for my purpose here I assume a container including a VM and associated applications and data that can be moved as simply as drag and drop or some other string of instructions.) In short, all the software that is needed to compile and run an application for a set of users is a workload. The network inflexibility problem grows even larger when moving workloads between public clouds.</p>
<p>Now is this a real problem? You bet it is. Consider also the value of portable or mobile workloads to enterprises and service providers. Workload mobility means capacity on demand, business continuance, disaster recovery, etc. In addition, as IT leaders explore public and private cloud alternatives, they will want to move workloads from their data center to a provider’s and move the workload back when and if required. For reasons of security and trust, IT business leaders will demand mobility. For example, if your cloud provider goes bankrupt, then you will want to move your workload out quickly. If your cloud provider’s performance drops again, then you could move your workload out. If your cloud provider is the target of a terrorist attack or is turned into a large botnet, then you can move your workload out.</p>
<p>In addition to security and peace of mind, mobile workloads will fundamentally change IT delivery, capital structure and, most importantly, business models and processes. Once IT can move workload anywhere in their data center, across their data centers or to a provider they have tiered with, the question becomes when and how fast does IT move workload? If IT can perform all the provisioning in software and enable workload moves to occur transparently and safely with address, identity, security preservation, enabled trust, control and interoperability across providers, then the question is when does IT need to move workload? This level of mobility is an industry-wide initiative as it offers significant and material business value. Business value is created as IT could move workload in a follow-the-sun model, following the lowest cost per kilowatt-hour; workload could move to avoid a disaster, or for capacity on demand, or for lowest cost of workload execution, etc.</p>
<p>So how can data center networks become more flexible? A key element of the solution is agility or the ability to dynamically grow and shrink resources to meet demand and to draw those resources from the most optimal location. Today, the network stands as a barrier to agility and increases the fragmentation of resources which leads to low server utilization and prevents portable or mobile workloads.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/02/lippis-report-142-is-networking-too-rigid-to-scale/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Lippis Report 141: The New Avaya</title>
		<link>http://lippisreport.com/2010/02/lippis-report-141-the-new-avaya/</link>
		<comments>http://lippisreport.com/2010/02/lippis-report-141-the-new-avaya/#comments</comments>
		<pubDate>Wed, 10 Feb 2010 20:09:11 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=2534</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a> It’s been over a month since Avaya acquired Nortel, and in that little time it has produced the most extensive product rationalization and roadmap the industry has seen. Kevin Kennedy, Avaya CEO and longtime industry veteran known for…</p>]]></description>
			<content:encoded><![CDATA[<div class="lippis_social_buttons">
</div>
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a> It’s been over a month since Avaya acquired Nortel, and in that little time it has produced the most extensive product rationalization and roadmap the industry has seen. Kevin Kennedy, Avaya CEO and longtime industry veteran known for execution and operations, clearly has his hands all over the New Avaya as it consolidates product and organizational lines and expands a global channel ecosystem, all the while striving to make Avaya easier to work with for both channel partners and customers. During times of rationalization it’s often easy to get mired in details, but Avaya maintains a key focus on unified communications, collaboration and contact center. Like a laser it’s focused on financials. It purchased the Nortel Enterprise Business for slightly more than $900m and reported FY09 revenue of $4.2B while projecting an initial pro forma FY10 combined revenue of $5.5B! Its net debt to EBITDA (Earnings Before Interest, Taxes, Depreciation and Amortization, a measure of profitability) is 5.9, with a goal of driving it below 4 by year-end 2011. While Kennedy’s hand is on operations, his eye is on profitability, as Avaya’s EBITDA is in the mid teens to lower 20 percent of revenue with a goal of being industry leading at 25% by year-end 2011. In this Lippis Report Research Note I review the “New Avaya” and provide an assessment of its going-forward strategy.</p>
<p>Avaya now employs some 20,000 and supports over 100 products that it sells through an ever-increasing global ecosystem of channel partners. Its goal is to drive over 85% of sales through this channel by year-end 2011. Before the Nortel acquisition it earned approximately 50% of revenue through its channel. But beyond revenues, employees, channel, etc., there is a strategic vision and synergy it gains from being a new corporate entity of Avaya plus Nortel. That synergy is a common culture that has navigated the communications industry for over 100 years. At one point in time both Nortel and Avaya were AT&#038;T, and with that they have earned the skills to transition the industry through huge technical evolutions in call control/routing that created multi-billion-dollar-plus spending over decades. Call control has migrated from analog to digital, then TDM to IP telephony and now IP telephony to SIP. From a technical point of view, it’s SIP that the New Avaya is building upon to rationalize products, provide customers with a migration and transition plan and innovate new features and capabilities. From a business plan perspective the New Avaya offers the most extensive communications portfolio in the industry, surrounded by global services and channel partners who promise to take complexity out of doing business with it, from envisioning, designing and implementing to managing its real-time communication solutions.</p>
<p>There is an excitement within Avaya that seems to be rooted in the knowledge that they are a new major industry force equipped with a new business plan that’s being executed by an experienced executive management team who possess both network and communications experience from Cisco. Their CEO, Dr. Kevin Kennedy, ran Cisco’s IOS Technologies Division and Service Provider Line of Business. Charlie Giancarlo, Avaya’s Chairman, was Cisco’s CTO; Dr. Alan Baratz, Sr. VP and President of Avaya&#8217;s Global Communications Solutions, was the Sr. VP for Cisco&#8217;s Network Software and Systems Technology Group, while Todd Abbott, Avaya’s Sr. VP of Global Sales and Marketing &#038; President of Field Operations, ran Cisco’s global sales and marketing. This executive management team knows how to create value and change industries, and it seems like the employees understand it and are energized to be a part of this New Avaya.</p>
<p>As job one, Avaya set out to communicate a roadmap for its Unified Communications, Contact Center, Small and Medium Enterprise Communications, Data Solutions, Government and Industry Solutions businesses. Being sensitive to both Nortel and Avaya customers’ existing investments, the New Avaya provides a well thought-out and generous support program for when and if they notify product end of life. We’ll touch on just a few of the roadmaps here, in particular Unified Communications, SME and data networking. To deep dive into any of these areas there is a set of <a href="https://avaya.reg4events.com/events/bin/?op=dR&#038;eventid=41513">webinars here</a>.</p>
<p><strong>Avaya Aura Is The Integration Point for UC and Legacy Voice:</strong>  The Unified Communications (UC) portfolio roadmap provides a migration from today&#8217;s integrated voice-based PBX systems to a future world of open, flexible, modular real-time communication systems that support voice, video, and real-time data. SIP is the fundamental building block to deliver this vision and it’s the Avaya Aura product that makes it a reality.  Aura possesses two components to its value proposition: 1) Aura connects legacy PBX and IP telephony voice communications systems via SIP reducing communications cost through consolidated SIP trunking plus operational efficiencies; and 2) Aura offers an application environment where communications can be injected into business processes removing system and human delay, speeding workflow and increasing productivity. </p>
<p>By connecting legacy and SIP-based communication systems into Aura, Avaya is able to provide customers with a migration path that not only pays for itself with reduced facilities and operational cost but also offers an application development environment that links IT and communications and an innovation inject point for their customers and partners.   To meet that end, the Avaya UC roadmap expands the value of Avaya Aura with the addition of the Agile Communications Environment (ACE). ACE uses Service-Oriented Architecture and Web Services to facilitate rapid development of communications enabled applications.</p>
<p>A key point of this strategy is that existing investment in Nortel CS1000 and/or Avaya Aura Communications Manager (ACM) legacy PBX platforms and end-points is preserved, meaning that support, line cards and end-points of both systems are available; however, over time Aura will run on top of CS1000 and ACM while delivering cost reduction benefits. With Aura connecting the CS1000 and/or ACM, customers will have increased choice of end-point devices, which could connect directly into Aura via SIP or, as existing end-points, into CS1000/ACM. For example, consider a CS1000 customer running Aura on top. Avaya will ensure that consistent or identical end-point user interfaces and feature sets are available to end-points connected into Aura or the CS1000 to assure a zero learning curve for users. In addition, as SIP and Aura are “session-based”, meaning that sessions carry any type of traffic, users are delivered a wide range of communications mode options, be it voice, video, text, etc. The underlying message here is that sessions support and enable any type of communication end-point, such as desktop phones, mobile end-points, a soft client, etc.</p>
<p><strong>Small and Medium Enterprise Migrates To IP Office:</strong>  The SME business unit possesses the largest number of products that need rationalization, including the TDM/Key System Partner, Integral and Norstar products plus the Hybrid IP PBX IP Office and BCM products and the SCS (Software Communication System), a SIP-based UC software solution designed for IT-centric SMEs. Since the TDM/Key Systems market is in decline by as much as 43% in 2009 and projected to nearly disappear by 2013, it only makes sense to phase these products out over time. As the Hybrid IP PBX market segment is growing double digits in volume with 24% of SME getting ready to deploy, it only makes sense to address this market with the current popular IP Office that is used by 6m users worldwide. The SIP client software market is projected to show strong growth in 2012, providing time to integrate SCS into IP Office and Aura.</p>
<p>To its credit Avaya has already consolidated many of the Integral 5 and Partner features into IP Office with a common management environment where IP Office supports Integral 5 and Partner end-points. Avaya will build upon this by converging Norstar and BCM key features, attributes and management into IP Office over the next eighteen months. At the end of this process IP Office will support Integral 5, Partner, Norstar and BCM end-points. Note that all of these products will remain for sale during FY2010 and Avaya has committed to another release of BCM later this calendar year. In total Avaya is providing up to six years of hardware support, which is generous, as most systems are depreciated over seven years. This is a thoughtful migration with a long tail, but the flagship product in the SME space is IP Office.</p>
<p><strong>Real-time Data Networks.</strong>  This is one area of the product portfolio that is not being rationalized, as there is no overlap between Avaya and Nortel in data networking. Avaya did sell Ethernet switching under its Cajun brand, then decided to drop these products in lieu of partnering with Extreme Networks and Juniper Networks. Avaya’s history in data networks is dubious. It’s excellent at voice communications and collaboration, but has not been able to deliver competitive data networking products. Avaya Data Solutions currently owns slightly less than 5% of the very large market for Ethernet switching, which is dominated by Cisco. But Avaya’s data networking customers are unique as they possess a propensity not to buy from Cisco. So the question is, with the executive management of Avaya all from Cisco, does it now have the right stuff to compete in this highly competitive market? Avaya seems to be staking out a stance in the area of real-time data networking that enhances Avaya’s real-time communications and collaboration solutions. In short, will Avaya’s UC and CC run better over its data network?</p>
<p>Assessment:<br />
Avaya believes that either the communications industry is at a pivot point toward SIP or it has the wherewithal to influence the industry by creating a flash point of value with a SIP-based product portfolio that’s surrounded by a global partner ecosystem and service organization. Avaya clearly has the expertise, products and management to navigate and take advantage of an industry inflection point as big as the transition from analog to digital and its resulting economic opportunity. Independent of pivot, flash or inflection point, 2010 will be a year of hard work at Avaya as it executes on the roadmaps. But as it does, little by little the number of products it will be supporting will be smaller, its EBITDA should get larger and, if its calculus about SIP is right, then its revenues and market share will surely grow too.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/02/lippis-report-141-the-new-avaya/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Lippis Report 140: Securing Networks Without Borders</title>
		<link>http://lippisreport.com/2010/01/lippis-report-140-securing-networks-without-borders/</link>
		<comments>http://lippisreport.com/2010/01/lippis-report-140-securing-networks-without-borders/#comments</comments>
		<pubDate>Mon, 25 Jan 2010 22:54:48 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[applications]]></category>
		<category><![CDATA[borderless networks]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[mobile devices]]></category>
		<category><![CDATA[network security]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=2483</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>No matter where you look today the structure of IT is fundamentally changing.  Applications are being increasingly accessed from mobile devices along with traditional laptop, desktop and even kiosk machines. Applications are downloaded for free or a few dollars on…</p>]]></description>
			<content:encoded><![CDATA[<div class="lippis_social_buttons">
</div>
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>No matter where you look today the structure of IT is fundamentally changing. Applications are being increasingly accessed from mobile devices along with traditional laptop, desktop and even kiosk machines. Applications are downloaded for free or a few dollars on mobile devices, while cloud computing and anything as a service offer a new approach to application delivery. As a result, corporate application portfolios are shifting in their mix under IT leaders from one of total control to partial to none. In short, IT leaders are finding that the largest application growth in their corporation is coming from outside of their traditional perimeter and with no control knobs. In essence applications and networks are becoming borderless.</p>
<p>While borderless networks offer productivity improvements by allowing work to follow individuals, IT leaders are concerned about the security implications: how do I secure corporate assets when applications are being accessed and used within and outside of corporate perimeters? Can IT leaders deliver the ease of use afforded by borderless networks securely? In this Lippis Report Research Note we offer an approach to securing networks without borders.</p>
<p>Traditionally security has taken the form of a perimeter environment where IT assets are housed in the data center under tight corporate control. This environment offers the ability to protect and control these assets. For example, remote access via VPN for employees, customers, suppliers and partners can be managed because security is managed via the firewall perimeter. This approach is the traditional security model and it will stay in place for a long time to come.</p>
<p>But IT is fundamentally changing. There is tremendous diversity in network access from the points of view of device, network type and geographic independence. The explosion in device diversity accessing networks, be it smart mobile phones such as the iPhone, BlackBerry, Nexus One and Android, or laptops, notebooks, desktops, readers and kiosks, is challenging traditional IT security norms. Not too long ago IT leaders would distribute a corporate-approved computer with a locked corporate standard software image to employees as their IT tools. Not any longer; legitimate business applications have arrived for mobile devices, and cloud computing scenarios offer new approaches to application development and delivery. In addition, a richness and increased velocity of applications tunneling through port 80 further challenges perimeter security and IT control. The new world of IT is device diversity, network access point diversity and application diversity, changing how IT leaders mitigate threats while giving users freedom of access to applications without boundaries.</p>
<p>As device and application diversity flourish, data too is increasingly being distributed. This is very different from the IT model of the early 2000s and before, when data was centralized in data centers. What used to be stored in a data center and locked behind a firewall is shifting out into clouds. Salesforce.com offers a good example of how proprietary information such as sales leads and prospects is now outside a corporate perimeter and in a public cloud. Further, most corporations don’t know how much their employees are using clouds or SaaS offerings for mission-critical business functions. One client conducted an internal survey asking business and IT leaders “how many kinds of SaaS cloud-based applications do you use?” The initial answer was “probably a dozen or so.” After an audit, the real answer was that well over 300 SaaS applications were being used, from ADP and engineering to Salesforce. The bottom line is that there are a tremendous number of applications already moving outside the data center, and the question now being asked is how to protect corporate assets in this new IT environment.</p>
<p><strong>The New World IT Order<br />
</strong><br />
With device, network access and application diversity booming along with distributed data, more and more of IT is happening outside the traditional corporate boundary or perimeter. The diversity trend, while small in terms of overall corporate application use, will only grow and may very well dominate typical corporate application portfolio mixes in the next five years. But in the meantime the traditional perimeter does not go away; it needs to be a pillar in a more expansive overall approach to securing borderless networks.</p>
<p>Borders by nature define trust and create trust boundaries. The European Union has eliminated many borders such as walls, physical access, currency differences, etc., but what remains are rules, regulations, passports, etc. The EU reconfigured its boundaries to allow greater freedom of movement and trade. Networking is undergoing a similar transition as corporate defense shifts from a single perimeter to a set of pervasive fungible perimeters or trust boundaries where protection is pushed out to follow users around based on what application they are using, how network access is gained and on what device. Security services have to move in this direction, as forcing the new world order of IT into an old world IT security model will not scale and will not defend corporate IT assets.</p>
<p>For example, IT leaders could choose to backhaul all their internet connections to a central site, but this will clog their enterprise network, drive up internet access bandwidth and routing requirements and slow application performance. In addition, more and more devices such as mobile end-points, notebooks, readers, etc., connect to the network differently than laptops, IP phones, desktops, etc., and thus don’t lend themselves to backhauling. Therefore, IT and business leaders are thinking about a need to provide IT delivery in the cloud, or perhaps a virtual environment. A much more dynamic approach is needed for applying security in the new IT world order.</p>
<p><strong>An Approach to Borderless Security<br />
</strong><br />
One approach is to utilize a family of existing security appliances including firewalls, IPS, web filtering, web security, email security, VPN, etc., as a security enforcement array.  These appliances could be put to work to enforce existing and create new trust boundaries such as cloud security, the enterprise perimeter, mobile security, etc. The enforcement array can be segmented into four architecture components.  Cisco is the only large IT company to embrace this approach thus far. Cisco breaks down a secure borderless network into 1) Borderless End Zone; 2) Borderless Internet; 3) Borderless Data Center; and 4) Borderless Policy.</p>
<p>The <strong>Borderless End Zone</strong> provides security services to end-point devices such as securing the end-point and obtaining secure network access.  End-point security is increasingly important as a plethora of new mobile and innovative end points have emerged and are consumed en masse.  One significant trend is that end-points are thin with little footprint or storage/memory for large security agent software.  In addition, mobile end-points access networks and IT assets differently than traditional laptops and desktops, requiring a different approach to protecting today’s powerful mobile devices that preserves the ease of user experience.  A transparent VPN connection that is able to select an appropriate persistent network connection and apply the right kind of security independent of end point device without user intervention will go a long way to securing new thin and mobile end-points.</p>
<div class="pod_rel">
<p class="pod_p">Gartner Recognizes Cisco as a Leader in the Magic Quadrant for SSL VPNs</p>
<p><a class="link_icon" href="/?lippis_pid=2473">Visit the Link</a></p>
</div>
<p>The second component is the <strong>Borderless Internet</strong> which plays a large enforcement array role by delivering real time threat protection, signatures, etc., to existing gateways, appliances and network infrastructure to make enforcement decisions.  For example, even though users may be accessing cloud-based applications as simple as email and not even traversing back to their corporate premises, a borderless internet applies some of the same security policies and protections afforded to them within their enterprise to enforce what users can do and then protect them from exploits and threats.  Expect to see large security portfolio moves into this enforcement array as the borderless internet develops.</p>
<p>The third security component of a secure borderless network architecture is a <strong>Borderless Data Center</strong>.  Data center network security has become more critical, particularly as servers and soon I/O become virtualized.  Data center security services such as firewalls, et al., are becoming virtualized, affording a wide range of threat protection without additional hardware.  A new dynamic security model is needed in the data center that allows security services to move without operational intervention when VM workloads are moved.  To address dynamic security, more security services are required in the hypervisor, such as moving firewall features closer to the virtualization layer.</p>
<p>The fourth and last security component of a secure borderless network architecture is <strong>Borderless Policy</strong> including access control, acceptable use, data security and exploit mitigation.  Policy has traditionally been focused on permissions and access control of resources within the corporate perimeter, but policy now needs to be pushed out across enterprise, internet and mobile networks to follow users and afford them policy enforcement.  In other words, as users traverse outside their corporation using different devices, network access and a mix of applications how do IT leaders provide the same policy enforcement across a global network and ensure that access and data usage is appropriate while protecting users and corporate assets from exploits, threats and malicious websites, avoiding back haul into the corporate perimeter?</p>
<p>The main point of borderless policy is to enable IT leaders to make greater policy decisions that are pushed out across a global network that factors who, what, when, where and how a user accesses networked resources.  Borderless policy will strive to provide ubiquitous control over how users are using IT assets across different devices.  To achieve this, policy needs to be translated into code that a machine understands, can enforce, and then monitor.  </p>
<p>Securing networks without borders needs to provide protections and enforce policy in a new set of use scenarios that are growing rapidly in their adoption and use within corporations.  This is not to say that existing IT security is not critically important.  None of today’s security appliances will be displaced or removed any time soon.  Private data centers will be with us for decades as will the need for effective corporate perimeters. IT leaders want to leverage existing security investments to protect corporate IT assets when users access applications on mobile end-points, across and behind the perimeter.  The Secure Borderless Network offers an approach of providing security and protection by setting new boundaries for a different IT use and delivery model that will only accelerate as the global economy continues its recovery.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/01/lippis-report-140-securing-networks-without-borders/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Lippis Report 139: Why Data Center Design Is Fundamentally Changing</title>
		<link>http://lippisreport.com/2010/01/lippis-report-139-why-data-center-design-is-fundamentally-changing/</link>
		<comments>http://lippisreport.com/2010/01/lippis-report-139-why-data-center-design-is-fundamentally-changing/#comments</comments>
		<pubDate>Mon, 11 Jan 2010 20:19:57 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=2441</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a><br />
Information demand is growing faster than Moore’s Law.  IDC recently predicted that between 2008 and 2012 IT staff will grow at approximately 1.1 times the rate of business growth while servers will grow at 1.9 times, mobile internet users will…</p>]]></description>
			<content:encoded><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a><br />
Information demand is growing faster than Moore’s Law.  IDC recently predicted that between 2008 and 2012 IT staff will grow at approximately 1.1 times the rate of business growth while servers will grow at 1.9 times, mobile internet users will grow at 3 times, non-traditional user devices will grow at 3.6 times, information will grow at 4.5 times and interactions per day will grow at 8.4 times. Clearly, the gap between IT staff resources and business expectations for IT services is huge and growing fast. To close the “business expectation” gap many IT leaders are evaluating public cloud-based services to augment their private data center/cloud services as IT leaders observe an increasing amount of applications being deployed from outside the enterprise perimeter. Salesforce.com, EC2, Google Apps and other cloud services will have a huge impact on their data center capacity. The enterprise network is an integration point in an IT architecture allowing homegrown, private and public cloud services to be deployed securely and reliably.</p>
<p>IT business leaders have long been seeking more dynamic data center infrastructure that allows applications and services to scale with demand, both up and down.  This flexibility of service delivery has become acute during the recent economic downturn as business leaders cut underperforming business models, streamlined business processes and sought to quickly enter markets as they developed.  This business agility requirement to usher in new business priorities and processes needs prompt data center provisioning and service delivery automation.  The time to provision a server, storage, network and application is too long, often measured in months.  Provisioning automation is paramount in the data center as it quickens the pace of business while also contributing to business continuity initiatives.</p>
<p><span id="more-2441"></span></p>
<div class="pod_rel">
<p class="pod_p">How Cisco IT Consolidates I/O in the Data Center</p>
<p><a class="pdf_icon" href="/?lippis_pid=2431">Get the White Paper</a></p>
</div>
<p>In addition to scale, many IT business leaders are confronted with the challenge of greening or reducing their data center power consumption and cooling requirements as they represent approximately 25% and 15%, respectively, of total amortized data center cost.  For each watt delivered to a data center approximately 59% is consumed in IT equipment, 8% to power distribution loss and 33% to cooling.  Over a 3-year period energy cost can be twice server acquisition cost!  In addition, data center or, more accurately, server utilization can be very low, as low as 10%.  Making matters even worse is that servers draw as much as 65% of peak power while idle.  Two key design goals are to increase server utilization to near 35% and reduce energy consumption so that the Power Usage Effectiveness or PUE (Total Facility Power/IT Equipment Power) is 1.7.  Note that inefficient data centers run at 2.0 to 3.0 PUE while extreme Green data center projects are striving for an ultra low PUE in the 1.05 range.</p>
<p>The above business pressures placed upon data center resources are in addition to operational pressures that most are confronted with.  Increasing productivity is a top priority.  Well-run data centers typically have a staff to server ratio of 1:1000.  As productivity pressures increase so too do service levels.  Service Level Agreements (SLAs) between IT and business units are changing data center business models, as IT becomes more of an internal service provider with formal chargeback mechanisms for use of infrastructure services.  Therefore, IT business leaders are challenged with increased efficiency, productivity and service delivery. </p>
<p><strong>Virtualization Trends </strong> </p>
<p>Data center virtualization has emerged as a main solution to address many of the challenges identified above and has become a means to enable large-scale data center consolidation.  As CPU suppliers move to multi-core processors and server virtualization offers multiple isolated application and OS pairs per server, IT leaders are able to build larger scale data centers measured in the 10s to 100s of thousands of servers.  As more applications are loaded upon servers their utilization increases too, reducing power consumption, cooling and server acquisition requirements.   Because of virtualization’s value it has become a “top down” executive management decree as companies that embraced it early realized business value in controlling and reducing operating costs, easing sub-function spent and extending the life cycle of acquired capital assets.  </p>
<p><strong>Why Massive Virtualization is Inevitable.</strong></p>
<p>IT service delivery demands are growing faster than Moore’s Law, which predicts a doubling of transistor density every two years, and in today’s engineering that’s a doubling of CPU core width.  This leaves IT leaders to either re-write applications for multi-core processors or settle for halved efficiency every two years.  The path of least resistance has become to virtualize servers, but this too offers challenges around span of control.  Virtualization has fundamentally changed the role of IT executives in charge of networking, storage, servers and applications.  IT groups organized around competency centers, or centers of excellence, are finding that responsibilities around IT silos are changing permanently.</p>
<p>In short, server configuration changes now impact networking and storage. Virtualization breaks the premise that IT can be organized around isolated technology groups.  Server virtualization is powerful enough to IT business leaders that they are willing to sacrifice the 15-year proven network design approach to achieve business benefits.  Therefore, networks are changing, servers are changing and storage is changing to embrace and accelerate virtualization. </p>
<div class="pod_rel">
<p class="pod_p">Upgrading the Data Center to 10 Gigabit Ethernet!</p>
<p><a class="pdf_icon" href="/?lippis_pid=2438">Get the White Paper</a></p>
</div>
<p><strong>Hybrid Virtualized And Non-Virtualized Data Centers </strong></p>
<p>But for all the value associated with virtualization there are impediments to deployment.  For example, not all applications are capable of running on a VM.  Many IT leaders and application teams struggle with Microsoft Exchange, SAP and Oracle database implementations, for example, in virtualized environments.  In the meantime, some IT groups are deploying Oracle, for example, on non-production virtualized machines to gain experience and confidence.  But many older or legacy applications cannot run on a virtualized machine or they have not been tested in a virtualized environment on various blade offerings.  IT leaders are concerned with professional service cost to port legacy applications onto a VM while application teams are slow to fully embrace virtualization due to performance and reliability fears.  The end result is that most servers are not virtualized and the industry is slightly beyond the early adopter cycle.</p>
<p>The de-facto standard is that the majority of data centers live in a hybrid state of virtualized and non-virtualized servers.  While this hybrid state will last for many years to come the trend line is clear that the portion of virtualized servers will increase, and increase significantly, especially for x86 servers, over time.  In fact x86 servers are typically on a two to three year refresh cycle, which IT business leaders are using to synchronize their virtualization plans.  In short, new x86 services will be increasingly virtualized.<br />
The virtualized side of the hybrid data center will grow, as application teams feel comfortable about virtualization.  While there are many server virtualization providers such as VMware’s vSphere, Microsoft’s Hyper-V, Citrix’s Xen virtual servers etc., VMware dominates the market segment.  Its vSphere 4.0 goes a long way to increase performance, management, security and visibility capabilities of virtualized environments, a major concern of application teams.</p>
<p>vSphere adds significantly more power and flexibility as current ESX hypervisors only support up to 64 GB of main memory allocated to a single VM on a server and can only span up to four x86-64 cores.  vSphere will span up to eight cores and address up to 256 GB of memory.  In addition, vSphere allows application teams to change the amount of RAM allocated to VMs without rebooting.  These capabilities are going a long way toward making application teams comfortable, as they should help avoid disruption or downtime when making a memory change.  The new vSphere’s maximum RAM limit is now set at 1 TB.  Furthermore, an integrated Microsoft PowerShell command-line interface can be used to adjust the configuration of a VM running Microsoft Exchange on the fly.  Many of these features are solutions to key technical hurdles, such that application teams will now be able to virtualize larger, more-mission-critical applications, such as Oracle, SAP and large Exchange implementations.</p>
<p>With server virtualization an efficiency technology compacting operating systems and applications into ever more powerful server hardware, IT leaders are afforded lower cost, greener data centers and most importantly scale.  Cloud spec data centers are able to scale to 100s of thousands of servers thanks to virtualization.  With all this scale and increased network speed in the 10 Gb to 40 Gb and soon 100 Gb range, a new approach to storage and networking is afforded that combines their access over a single fabric.  This converged I/O via a single NIC card that splits storage and network traffic further reduces data center energy consumption, cabling and equipment cost while contributing to workload mobility requirements by automating network and security changes required during such moves.  But these advances are not just afforded to public cloud providers; they are available to IT leaders building private cloud too.  In fact, IT leaders are moving just as fast as cloud providers to take advantage of these new data center design approaches especially as large IT suppliers such as HP, IBM, Cisco, Dell and others offer new blade system designs that package computing, virtualization and converged networking into units.</p>
<p>In upcoming Lippis Reports we’ll focus on these new blade systems and converged network designs that offer new economics and performance advances. </p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/01/lippis-report-139-why-data-center-design-is-fundamentally-changing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Lippis Report 138: IT Industry Predictions for 2010</title>
		<link>http://lippisreport.com/2009/12/lippis-report-138-it-industry-predictions-for-2010/</link>
		<comments>http://lippisreport.com/2009/12/lippis-report-138-it-industry-predictions-for-2010/#comments</comments>
		<pubDate>Tue, 15 Dec 2009 01:00:24 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=2407</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>In this Lippis Report Research Note we offer our 2010 top ten predictions for the biggest issues that the IT industry will confront.  Our predictions span technology, industry structure and IT budgets.   This Research Note is based upon a Lippis…</p>]]></description>
			<content:encoded><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>In this Lippis Report Research Note we offer our 2010 top ten predictions for the biggest issues that the IT industry will confront.  Our predictions span technology, industry structure and IT budgets.   This Research Note is based upon a Lippis Report Podcast recorded with Nick Lippis and Zeus Kerravala of the Yankee Group.  This end-of-year, forward-looking analysis is one of our most popular research notes, so we offer it to our subscribers as a holiday gift with wishes for a great holiday season and prosperous New Year.</p>
<p><span id="more-2407"></span></p>
<div class="pod_wide">
<p><img height="70" width="55" src="/wp-content/uploads/lippis-kerravala2.jpg" /><strong>2010 Top Ten IT Predictions </strong></p>
<p><a href="/?lippis_pid=2386">Listen to the Podcast</a></p>
</div>
<p><strong>Prediction Number 1: Virtualization Becomes Primary IT Building Block </strong><br />
</br><br />
<em>Nick Lippis:</em>  Our first prediction is the expanding role of virtualization, especially server virtualization, its progression out of the data center to desktops plus homes, and its role as a fundamental IT building block of cloud computing.<br />
</br><br />
<em>Zeus Kerravala:</em> There&#8217;s no question that virtualization&#8217;s become a core piece of technology for companies today.  In fact, discussions with CIOs have led me to believe that it&#8217;s probably the most important piece of technology implementation moving forward.  And I think, to date, what we&#8217;ve seen is virtualization be used largely for server consolidation.  In 2010 is when we start seeing cloud computing being built in earnest.<br />
</br><br />
There are lots of ways this could play out, but it will start with early adopters building private clouds.   We’ll see more public cloud offerings too, but largely the impact of cloud will be on the private cloud side, which will benefit infrastructure vendors probably more than the cloud providers.  But that will give way to public clouds as the market matures.<br />
</br><br />
<em>Nick Lippis:</em>  The virtual machine (VM) is now the new sub-atomic component within IT, becoming the new organizing principle on how data centers are built and information technology is managed.  We&#8217;re seeing all the major server companies such as Cisco&#8217;s unified computing, HP&#8217;s converged infrastructure, IBM’s Dynamic Infrastructure and Dell, preparing their blade systems to scale up support and management of VMs.</p>
<div class="pod_rel">
<p class="pod_p">The Borderless Branch Office</p>
<p><a class="link_icon" href="/?lippis_pid=2284">Visit the Link</a></p>
</div>
<p><strong>Prediction Number 2:  802.11n Wireless LANs Cannibalize Wired Port Growth &#038; WiMAX</strong><br />
</br><br />
<em>Nick Lippis:</em>  Our second prediction is centered around mobility, meaning wireless local area networks (WLANs).  The industry ratification of 802.11n in 2009 was a very important industry milestone, which will translate into continued WLAN growth and market expansion.   802.11n will provide competitive pressure to WiMAX while corporate consumption of WLAN devices skyrockets.  2010 will be the year that companies like Aruba, Ruckus, Meru will be potential acquisition targets from the larger companies that don&#8217;t possess a solid WLAN offering.<br />
</br><br />
<em>Zeus Kerravala:</em> The ratification of 802.11n was a very significant turning point for the industry, because at n speeds, there&#8217;s really no experience degradation for the end-user, whether you&#8217;re wired or wireless.  And from a worker flexibility standpoint, 802.11n is a game-changer in wireless.   I&#8217;m very surprised, in fact, that there aren&#8217;t more wired companies that have strong wireless offerings.  HP acquired Colubris.  Cisco bought Airespace.  3Com just announced their own WLAN solution in Nov 2009.  When I look at Juniper, Brocade and Extreme Networks and all the other networking companies, I wonder where they are in this space, and I think Juniper will likely launch their own WLAN solution in 2010.  But you have to wonder, if you&#8217;re not in the space now and you try and build your own, are you going to miss the early adopter wave, and if you don&#8217;t want to, then probably an acquisition may be the better way to go.</p>
<div class="pod_rel">
<p class="pod_p">Beverage Distributor Virtualizes Data Center </p>
<p><a class="pdf_icon" href="/?lippis_pid=2388">Get the White Paper</a></p>
</div>
<p><strong>Prediction Number 3: Converged Fabrics Deployments Take Off</strong><br />
</br><br />
<em>Nick Lippis:</em>  Yeah.  Prediction number three is that converged fabric or unified fabric in the data center proves successful in early pilots setting up 2010 as the year converged fabrics are implemented in earnest.  This is a really hot area as the value proposition is so strong around cable reduction, power reduction, equipment reduction and cost reduction; also with the ratification of most data center ethernet standards 2010 will be the year that converged fabric deployments occur in earnest.  A converged fabric is the replacement of a storage and a network card on a server with one converged card that supports Fiber-Channel-over-Ethernet, InfiniBand, and/or iSCSI.  This interconnect reduction also reduces the amount of networking fabric and also switching fabric required, driving a major consolidation of cabling, equipment and cost. 2010 is the year in which we start to get a large amount of the industry offering unified fabric solutions resulting in an uptick in the deployment thereof.<br />
</br><br />
<em>Zeus Kerravala:</em> It&#8217;d be interesting to see how this plays out, because there&#8217;s multiple angles you could take on this.  You mentioned just a few.  There&#8217;s iSCSI, Fiber-Channel-over-Ethernet and the InfiniBand vendors.  They all offer data center connectivity and what&#8217;s happening is all these different technologies are getting to a point where they can support the purpose that the other technology was built for.  In short, there is increasing overlap and less differentiation between the three approaches.   So right now, if the market really only becomes Fiber-Channel-over-Ethernet, that creates a market for just Cisco and Brocade.  But there are indications that companies like Mellanox, which historically is an InfiniBand vendor, is entering into the FCoE space.  Voltaire&#8217;s been looking at it too.  Emulex and QLogic make the adapters, so this is a market that&#8217;s going to get crowded real fast and I think this will be an area that you do see M&#038;A activity too.<br />
</br><br />
<em>Nick Lippis:</em>  I agree, and converged fabric also offers another virtualization play.  Basically, it&#8217;s the virtualization of I/O.   Another technology to add to this space is soft switches as it allows the portability and the mobility of workloads both within a data center and over time outside of a data center.</p>
<div class="pod_rel">
<p class="pod_p">Cisco 2009 Mid-year Security Report </p>
<p><a class="pdf_icon" href="/?lippis_pid=2390">Get the White Paper</a></p>
</div>
<p><strong>Prediction Number 4:  No Surprise The Industry Will Continue to Consolidate</strong><br />
</br><br />
<em>Nick Lippis:</em>  We&#8217;ve already seen more consolidation in our industry in the last 12 months than we have ever seen.  2010 offers another major wave of M&#038;A activity.   Zeus, we had a discussion before this recording about Avaya and their Nortel Network Enterprise division and how that might play out.  Won&#8217;t you share that with everyone?<br />
</br><br />
<em>Zeus Kerravala:</em> From talking to Avaya I get the sense that the networking division of Nortel will be sold off.  At least, that&#8217;s my guess.  I have no official word from them, obviously, but what you have there is really 5 percent of the ethernet switch base that&#8217;s up for grabs.  And for somebody like an HP that just acquired another 9 percent to bring their share to 20, or a Juniper who&#8217;s looking to grow in this space, or Brocade, who&#8217;s got 3 or 4 percent now – 5 percent of the market could actually be significant.  And this customer base already has shown a proclivity to buy something other than Cisco, so flipping Nortel customers to the buyer’s base actually may not be that difficult a task, so I think it&#8217;ll get sold off.  I don&#8217;t think it&#8217;ll be very expensive, probably not more than a couple hundred million, but I do see that piece of the business moving.  Extreme is another company whose customer base could be up for grabs.  Let&#8217;s face it, they&#8217;ve struggled.  When you get rid of your CEO and you lay off 70 people and you have your worst quarter since &#8217;99, the only thing left of value there is probably in the installed base, of which they have a pretty significant one, so that could be another feather in an acquirer&#8217;s cap.<br />
</br><br />
And when I look at the M&#038;A activity that&#8217;s happened in 2009; the industry needed this.  There&#8217;s too many vendors and when you look at the computing vendors trying to move into networking there&#8217;s just not enough market to support everybody in this space now.  So it&#8217;s healthy for our market to consolidate down, just overall, it&#8217;ll create a much stronger market if this happens.<br />
</br><br />
<em>Nick Lippis:</em>  The major black hole that&#8217;s pulling the M&#038;A activity has been around data centers and the convergence of computing, storage and networking, which brings us to IBM and Dell.  Those are two companies that will find it increasingly difficult to add value to their blade systems if they don&#8217;t have a significant networking offering, which means they’d be looking at a Juniper, an Extreme, maybe the Nortel Network Systems business, Blade Network Technology, Brocade, Arista Networks, Mellanox, Myricom, Voltaire, et al.  But IBM and Dell need to add a strong networking offering to their overall portfolio.<br />
</br><br />
<em>Zeus Kerravala:</em> I agree.  Right now, there&#8217;s fulfillment through OEM’ing Brocade and Juniper.  Brocade&#8217;s another acquisition candidate as well, and with that you&#8217;d get a pretty decent chunk of the fiber-channel business.  But, clearly both these companies have recognized they need to do something, which is why they entered the OEM relationships.  The question is, are they going to do more, and IBM&#8217;s very surprising.  When you look at the moves HP&#8217;s made, I&#8217;m surprised IBM hasn&#8217;t been more aggressive.<br />
</br><br />
<em>Nick Lippis:</em>  Absolutely. The other major observation here is that we now have computing companies chasing a very limited number of networking companies, which increases the value of networking in the overall IT portfolio.<br />
</br><br />
<strong>Prediction Number 5:  Unified Communications Goes Mobile, Social Networking and Cloud To Boost the Experience and Productivity</strong><br />
</br><br />
<em>Nick Lippis:</em>  2009 has been a sleepy year for unified communications due in part to the consolidation of this market and the time it’s taking suppliers to adjust.  There seems to be a major theme around how UC is going to morph or expand into three major value propositions.  One is to make UC more mobile, integrate into social networking or add social functionality and third is to deliver UC as a cloud offering.  UC suppliers are looking to dramatically change the value proposition of communications that we&#8217;ve had in the industry for at least 30 years, which is based upon a computer and phone at your desk, to now a mobile and softphone that gets UC from a cloud.  Now that phone is being virtualized and put up into a cloud.<br />
</br><br />
<em>Zeus Kerravala:</em> Well, I do think social media and cloud to me are pretty significant directions in which this market&#8217;s going to migrate.  And in fact, if you look at what Siemens announced at VoiceCon, where they can integrate Twitter right into OpenScape and be able to change your present status based on the things you Tweet.  That&#8217;s pretty cool to be able to use a social networking tool that we already use in our daily lives to alter the things in our corporate life.<br />
</br><br />
I also think Cisco&#8217;s play with WebEx mail was a very good indicator that this market is moving to cloud.  I think Cisco tends to make their bets at the right time, and if you believe that UC is the software play and if you agree that software is moving to SaaS – and you&#8217;d have a hard time finding people to disagree with that statement – then, by logic, UC&#8217;s going to move to SaaS.  And when you look at something like e-mail, all the regulatory requirements around it – is that something that&#8217;d be better to be SaaS-based?  And if the answer is yes, that actually puts Cisco in a very good position, because I think their product is actually better than what you would get from Microsoft or IBM.  And that creates a very interesting battleground for Cisco to go after Microsoft at what&#8217;s the heart of their sales strategy, i.e., e-mail.<br />
</br><br />
But regardless of what happens to the e-mail market, this is a market that&#8217;s migrating towards social media faster than the industry&#8217;s really prepared for.  If you look at the way a lot of the younger generation works, it is through tools like Twitter and Facebook.  E-mail is not their primary work tool, and e-mail has peaked.  And so you will see this industry focus a lot on the social media side.<br />
</br><br />
<strong>Prediction Number 6:  2010 Is The Year Of Wide Enterprise Video Deployment </strong><br />
</br><br />
<em>Nick Lippis:</em>  Prediction number 6 is that in 2010 enterprise video becomes legitimized and widely implemented.   Video is like a heart attack, meaning if you don&#8217;t take care of yourself, or if you ignore risk factors then you&#8217;re just going to get clogged arteries and at some point a heart attack.  For enterprise video, if you ignore it and don’t prepare for it, then at some point in time your network is just going to choke, and it&#8217;ll choke by being unable to deliver application performance that end-users need.  2010 is the wakeup call for most IT managers to start thinking about video, its role within their business processes and how their network needs to evolve to support it.<br />
</br><br />
<em>Zeus Kerravala:</em> I&#8217;ll disagree with you a little bit here.  I think video is a bit of a solution to no problem today.  We&#8217;ve had starts and stops to this market before.  9/11 and through the economic downturn drove more use of video.  But the big problem to me with video remains the fact that it&#8217;s too device- and network-dependent.  So if you believe in Metcalfe&#8217;s law – that the value of a network is proportional to the square of the number of nodes on it – there&#8217;s lots of video nodes that are just not connected nodes, so it keeps the value low.  And unlike a phone, where I can pick up any mobile phone or any desk phone to call anybody on any other phone, I can&#8217;t do that with video terminals.<br />
</br><br />
So once that barrier falls and I&#8217;m able to just double-click something and get you on video no matter where you are and what kind of video device you have, then this market can accelerate.  Cisco&#8217;s doing a lot of work breaking that barrier down, but it&#8217;s far too complex to establish a video session today to people outside your organization.  So I think we&#8217;ll see more interest in video, but I think ultimately this is another market that may start and then stop again because some of those other barriers still exist.<br />
</br><br />
<strong>Prediction Number 7:  Cloud-to-Cloud Standards Start To Take Shape</strong><br />
</br><br />
<em>Nick Lippis:</em>  Prediction number 7 is that standards for cloud-to-cloud communications start to take shape.  Even though clouds are lightly loaded today, we know that there&#8217;s only one direction, and that&#8217;s to add load to them.  As soft switches allow a VM to move from one physical machine to another physical machine without the need to reconfigure the network, IT leaders will increasingly seek to move workload from their private clouds to public and between public clouds.   Mobile workloads offer the beginnings of a massively different way in which business is conducted.  The prediction is that cloud-to-cloud standards, which include a new way in which we think about the Internet around security, control, performance and persistence, are going to get a real inspection and become much more visible and important as 2010 progresses.<br />
</br><br />
<em>Zeus Kerravala:</em> Before that happens, though, the traceability and security have to become better.  IT leaders will move their workloads around once they know where it&#8217;s been and how secure it is.  And I think that&#8217;s a great vision to work toward, but until all these cloud providers decide to get on board and follow the same standards, it&#8217;s going to be a tough, tough road to hoe.<br />
</br><br />
<strong>Prediction Number 8:  Droid Becomes The Blackberry Killer</strong><br />
</br><br />
<em>Zeus Kerravala: </em>The Droid is being dubbed by many as the BlackBerry killer and in some ways it could be, in the consumer space.  There&#8217;s no question that the iPhone set the bar extremely high on what a consumer-based smartphone is largely thanks to the availability and cost model of apps.  This is the path that Droid&#8217;s taken, i.e., going down the path of trying to attract as many application developers as possible.  BlackBerry, while their devices are very well built and engineered and I think will always appeal more to the business user, hasn&#8217;t focused on the application side.   It&#8217;s only been recently that even some of their OS&#8217;s became a little more consumer friendly.  Let&#8217;s face it, the Touch was kind of a disaster.  I do think that Android and iPhone create a nice one-two punch in the consumer markets.  And that&#8217;s good for the industry because it&#8217;s going to pull along everybody else into having to improve their platforms or let these two companies run away with the market.<br />
</br><br />
<em>Nick Lippis:</em>  I have a slightly different twist on the BlackBerry and iPhone competitive space.  I view BlackBerry as having their core market in financial services, but for other industry segments we&#8217;ll see more inroads by Apple and the iPhone, thanks to the applications.<br />
</br><br />
<strong>Prediction Number 9: Wither Netbooks</strong><br />
</br><br />
<em>Nick Lippis:</em>  Prediction Number 9: Netbooks will wither.  Netbooks have seen impressive growth in 2009, but the netbook is like the Apple Newton, not enough networked applications and clumsy to use.  If the industry offered more SaaS offerings reducing the need for local computing and storage then netbooks might have a brighter future.  But its ergonomic design does not work either.<br />
</br><br />
<em>Zeus Kerravala:</em> 2010 is the year of the netbook fizzle.  It&#8217;s had outstanding growth, but I also know that if you look at the shipment returns at Best Buys and Wal-Mart, almost one-third of netbooks that were purchased have been returned.  A lot of the returns were based on the fact that, while people look at this as a small laptop, it is not a laptop.  It&#8217;s a scaled-down version of a laptop with a smaller disk, smaller memory.  Even from trying to do any kind of significant work on it – it&#8217;s hard to type on a netbook.  And people that use the netbook tend just to keep it as yet another device.  So it didn&#8217;t replace the smartphone; it didn&#8217;t replace the laptop.  It became yet another device that we&#8217;d use in very specific circumstances.<br />
</br><br />
So if you want a device to work on, use a laptop.  If you want a small form device to view things, use an iPhone.  And largely in the business world, I just don&#8217;t see a place for the netbook.  There&#8217;ll be a few niche-use cases of it in healthcare and field service, etc.<br />
</br><br />
<strong>Prediction Number 10: IT Spending Improves</strong><br />
</br><br />
<em>Nick Lippis:</em>  Prediction number ten is that IT spending improves but in fits and starts.  2009 was a difficult year for the industry but 2010 is looking to be a better year for IT.<br />
</br><br />
<em>Zeus Kerravala:</em> From people I&#8217;ve interviewed about what their spend looks like next year, I do think spend is going to be flat to up slightly.  But it seems that a lot of the barriers that were in the way, that is CFO approval, seem to have gone away for now.  Don&#8217;t get me wrong.  The lessons we&#8217;ve learned over the last couple of years around &#8220;must prove ROI,&#8221; that my ROI must be 12 months, etc., are here to stay and sales cycles are longer.  But a lot of the projects that I&#8217;d seen put on hold, like network upgrades and data center consolidation, are back, and the activity&#8217;s here.   However, if we get any kind of bad news though, you could see the brakes being put back on.  But I think, overall, we&#8217;ll have a better year next year than we had this year.<br />
</br><br />
<em>Nick Lippis:</em>  I agree and I&#8217;m very bullish on the data center spending.<br />
</br><br />
<em>Zeus Kerravala:</em> There&#8217;s so much to gain by doing that.<br />
</br><br />
<em>Nick Lippis: </em> Great.  Excellent.  Well, happy holidays, everyone.<br />
</br><br />
<em>Zeus Kerravala:</em>  Happy holidays as well.<br />
</br><br />
<em>Nick Lippis:</em>  Excellent.  Great and looks like we end on a high note.  A better year in 2010.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2009/12/lippis-report-138-it-industry-predictions-for-2010/feed/</wfw:commentRss>
		<slash:comments>10</slash:comments>
		</item>
		<item>
		<title>Lippis Report 137: Our Experience with Ruckus Wireless ZoneFlex 7962 Smart WiFi Access Points and ZoneDirector 1000 Wireless LAN Controller</title>
		<link>http://lippisreport.com/2009/11/lippis-report-137-our-experience-with-ruckus-wireless-zoneflex-7962-smart-wifi-access-points-and-zonedirector-1000-wireless-lan-controller/</link>
		<comments>http://lippisreport.com/2009/11/lippis-report-137-our-experience-with-ruckus-wireless-zoneflex-7962-smart-wifi-access-points-and-zonedirector-1000-wireless-lan-controller/#comments</comments>
		<pubDate>Mon, 30 Nov 2009 22:21:44 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=2320</guid>
		<description><![CDATA[<p><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" />This is a different kind of Lippis Report research note than those we usually produce as it is product vs industry or architecture focused.  We were impressed with the ease of installation and performance of the Ruckus Wireless dual-band 802.11n…</p>]]></description>
			<content:encoded><![CDATA[<p><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" />This is a different kind of Lippis Report research note than those we usually produce as it is product vs industry or architecture focused.  We were impressed with the ease of installation and performance of the Ruckus Wireless dual-band 802.11n ZoneFlex 7962 access points and ZoneDirector 1000 wireless LAN (WLAN) controller in our office so we decided to write about it.  Ruckus provided these products for us to test and use.  In this Lippis Report Research Note we document our experience.</p>
<p>Our office is made up of approximately 5,000 square feet or 150K of cubic space with some ten computers, the same number of WiFi-enabled mobile devices and IP phones plus four printers.  We provide WiFi service for internal voice, video and data as well as guest services for clients, partners, visitors and suppliers.  We used a range of WiFi devices, including Apple Airport Extreme, Express, Time Capsule, Belkin and Linksys for 802.11 b, g and n services before we deployed the Ruckus Wireless AP and controller.  Like many companies we deployed different WiFi products for different connectivity needs such as backup, printing, general connectivity and communications.  This piecemeal approach resulted in poor wireless coverage and multiple management interfaces, which increased complexity during configuration and troubleshooting.</p>
<p>To provide uniform wireless coverage, simplify management and offer guest services we deployed two Ruckus Wireless ZoneFlex 7962 access points and a ZoneDirector 1000.  The initial set-up and configuration could not have been easier and was perhaps the simplest and most straightforward we have experienced.  The installation was a simple three-step process:</p>
<p><strong>Connect and Discover the ZoneDirector.</strong>  After the ZoneDirector 1000 was powered up and plugged into our LAN we were able to simply discover it and start the configuration process.</p>
<p><strong>Configure the Wizard: </strong> A set-up wizard asked for the language we wanted to use (i.e., English, Spanish, Japanese, etc.), a unique name for the ZoneDirector, a network name (i.e., ESSID), Passphrase for WPA security, guest WLAN check box, administrator and network accounts.  It took us less than five minutes to go through this wizard.</p>
<p><img src="http://lippisreport.com/wp-content/uploads/Ruckus-1.jpg" alt="Ruckus 1" title="Ruckus 1" width="350" height="363" class="aligncenter size-full wp-image-2321" /></p>
<p><img src="http://lippisreport.com/wp-content/uploads/Ruckus-2.jpg" alt="Ruckus 2" title="Ruckus 2" width="349" height="370" class="aligncenter size-full wp-image-2322" /></p>
<p><strong>Connect the ZoneFlex APs.</strong>  With the ZoneDirector configured, the next step was to connect the ZoneFlex 7962 APs to a wired LAN, preferably 100 to 200 feet apart.  After the APs were powered up and connected to the LAN, the ZoneDirector discovered and configured them.  The Ruckus Wireless network was ready to use.  That was it.</p>
<p>After the above three-step process we connected computers, IP phones and mobile devices to the new WLAN.  We then reviewed the coverage and found that there were no dead zones or poor coverage areas in the entire 5,000 square foot area.  In addition we found that coverage had expanded significantly.  Each ZoneFlex 7962 AP was delivering a high performance signal range throughout a 200 foot diameter.  With two ZoneFlex 7962 APs, approximately 160K cubic feet of space was being covered with 802.11n.</p>
<p>The ZoneFlex 7962 APs are dual-band 802.11n Smart Wi-Fi access points each with an integrated and miniaturized antenna array that supports “dynamic beamforming.” With concurrent dual-band supported in the ZoneFlex 7962 APs, they operate at both 5GHz and    2 GHz delivering some 300 Mbps of throughput.   Ruckus’s patented beamforming antenna technology delivers a reliable signal through difficult or challenging RF conditions such as concrete, metal and other structures.  The APs also sport automatic interference mitigation for high-density usage scenarios.</p>
<p>In addition, the ZoneFlex 7962 APs support smart meshing. This means that an AP can connect into a WLAN without a wired Ethernet connection to extend coverage to unwired spaces.  And as the ZoneFlex 7962 APs and ZoneDirector 1000 support multicast IPTV and other video services, they are enterprise business video ready, which is important as enterprise video usage is on the rise.  The company has recently received a patent on its multicast-to-unicast conversion invention.  This enables every AP to direct multicast transmissions only to requesting stations, thereby allowing better queuing, scheduling and prioritization of multicast video over 802.11 which, until now, has treated multicast as best-effort-only traffic.</p>
<p>While the above configuration process is simple, the Ruckus ZoneDirector supports a Web user interface for more detailed configuration, monitoring, administration and troubleshooting.  For example, multiple guest access accounts, user roles, AAA services, access control, hotspot services, etc., can be established.  In short, the ZoneDirector offers a full suite of enterprise-class configuration, monitoring and troubleshooting services allowing as much or as little WLAN customization as a business may require.  The ZoneDirector dashboard feature is one of the best we’ve seen with a snapshot overview of the ZoneDirector, devices connected, most recent user and system activities, most frequently used APs and overall usage summary.</p>
<p><img src="http://lippisreport.com/wp-content/uploads/Ruckus-3.jpg" alt="Ruckus 3" title="Ruckus 3" width="352" height="375" class="aligncenter size-full wp-image-2323" /></p>
<p>As for scale, a ZoneFlex 7962 AP delivers 20 concurrent voice calls, 100 simultaneous data users or 80 Mbps of guaranteed user throughput for over 100 meters or 328 feet (line of sight).  The ZoneDirector 1000 supports as many as 50 APs. Therefore, a ZoneFlex 7962 and ZoneDirector 1000 combination is well suited for the small-to-medium-sized business market.  With the ZoneDirector 1000’s simple configuration/deployment and centrally managed APs, which are automatically tuned, this solution should scale effectively to the medium size business with limited operational support requirements.  While our experience with Ruckus was confined to its ZoneFlex 7962 AP and ZoneDirector 1000 controller, the company offers a wide range of enterprise and service provider WLAN solutions.  It is currently leading the industry in outdoor WiFi as an alternative to WiMax’s high cost, complexity and performance.  Therefore, a Ruckus Wireless WLAN solution will scale to outdoor coverage too over time.<br />
We found the ZoneFlex 7962 AP and ZoneDirector 1000 to be easy to install and operate while delivering significant range and bandwidth performance.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2009/11/lippis-report-137-our-experience-with-ruckus-wireless-zoneflex-7962-smart-wifi-access-points-and-zonedirector-1000-wireless-lan-controller/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Lippis Report 136: HP Plans To Acquire 3Com Accelerating A New IT Convergence Era</title>
		<link>http://lippisreport.com/2009/11/lippis-report-136-hp-plans-to-acquire-3com-accelerating-a-new-it-convergence-era/</link>
		<comments>http://lippisreport.com/2009/11/lippis-report-136-hp-plans-to-acquire-3com-accelerating-a-new-it-convergence-era/#comments</comments>
		<pubDate>Mon, 16 Nov 2009 20:16:27 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=2270</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>HP is planning to acquire 3Com for $2.7B to bolster its converged infrastructure position. HP, Dell, IBM, Oracle, Cisco, et al., are astute and see that IT is entering a new convergence era where servers, storage, management software, facilities and…</p>]]></description>
			<content:encoded><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>HP is planning to acquire 3Com for $2.7B to bolster its converged infrastructure position. HP, Dell, IBM, Oracle, Cisco, et al., are astute and see that IT is entering a new convergence era where servers, storage, management software, facilities and networking are packaged, bundled and sold as a unit.  Convergence is being driven by technology and market dynamics that are forcing large IT suppliers to cross into each other’s traditional markets.  While our industry is starting a new IT wave of virtualization and cloud computing which promises to distribute applications and content to thin, virtual and mobile end-points over massively connected global networks, the reality is that most corporations will contain a mix of private and public/outsourced/cloud computing environments.  But be it on or off premises enterprise computing has entered a convergence era, which every large IT supplier is now engaged in developing solutions to address.  It’s for this reason that HP is bolstering up its networking portfolio by planning to acquire 3Com and more than likely many others.  The knee-jerk reaction to HP’s planned acquisition of 3Com is the competitive position that places HP against Cisco.  
HP and Cisco are on a path to becoming head-to-head competitors but as they fight it out in the market, their blows may land on IBM, Dell, Oracle, Juniper, et al., who have been slow to react to the new convergence era reality.   In this Lippis Report Research Note I review the planned acquisition of 3Com by HP and its potential industry impact especially with respect to Cisco.</p>
<p><strong>What’s In The 3Com Acquisition For HP?</strong></p>
<p>If the 3Com acquisition does happen, and there’s no reason to think that it will not, HP will gain significant assets.  HP announced a “Converged Infrastructure for Next Generation Data Centers” plan in early Nov ’09 with the major missing piece being a broad network portfolio.  3Com addresses this hole and provides HP with a large networking portfolio in Ethernet switching, network security and unified communications.  3Com has a 30% share of the fastest growing IT China market and gains 50% of its revenue from this channel.  HP also gains 2400 networking engineers in China and a significant presence in Latin America.</p>
<p>For those who have not followed 3Com, it comprises three brands. “H3C” is the enterprise brand of 3Com, the joint venture between 3Com and Huawei, which 3Com had exclusive rights to sell into America and Europe.  “3Com” is the SMB brand and &#8220;TippingPoint&#8221; the security brand.  HP is buying all three in total and I use “3Com” here to mean all three brands.  While these assets are impressive, the real value is what could be created when 3Com is fully integrated into HP.  3Com should benefit from HP’s buying power plus its huge North American and European sales and service channels to market.  In short, HP provides a powerful global “go-to” market engine for 3Com.  It also gives 3Com credibility, as it will be part of the $120B HP value proposition.</p>
<p>And HP has full intention to bestow its credibility on 3Com products. Randy Mott, executive VP and CIO of HP, states, “We are confident that we can run our entire global business of 300,000-plus employees, including our next-generation data centers, entirely on the new HP networking solutions….Based on our experience and extensive testing of 3Com’s products, we are planning to undertake a global rollout within HP as soon as possible after the completion of the acquisition.”  HP is currently a big Cisco networking shop.</p>
<p>3Com’s Ron Sege, President and Chief Operating Officer, has put in place a “<a href="http://lippisreport.com/?p=2171">China Out</a>” strategy that leverages its success in China to enter other worldwide theaters.  When HP and 3Com close, 3Com will see a significant acceleration of its China Out strategy.  3Com has refreshed some of its Ethernet switching product lines, which have been tested in large enterprise customers in China/APAC. 3Com is differentiating this product line with an energy efficiency advantage, lower acquisition cost and services.  3Com has over $600 million in cash and equivalents and earned $1.3B in FY09.  It has been growing since FY06 thanks to its large penetration in the China market and nearly 6,000 employees worldwide. It also has new management experienced in the networking industry, with Bob Mao in the CEO role, Ron Sege, a veteran 3Com executive, along with Alan Kessler, president of TippingPoint, and Eric Benhamou as its Chairman.</p>
<p><strong>How Large A Threat Is HP+3Com To Cisco And Others?</strong></p>
<p>Now remember that this deal is not expected to close until the first half of calendar 2010 which could be April through June 2010, so there’s a lot of time for the industry and competitors to react.  So what kind of threat does a networked HP pose to Cisco and others?  First, HP ProCurve and 3Com captured niche networking markets in North America and Europe equal to approximately $1B each.  Cisco is a $40B networking company with the largest IT war chest of $35B in cash and equivalents, which it has started to put into M&#038;A work.  Put another way, Cisco is 20 times the size of HP’s networking business equipped with human capital and skills that HP+3Com do not match.  Further, Cisco&#8217;s war chest is 2.6 times larger than HP&#8217;s overall.  Cisco, Juniper Networks and potentially Avaya (with their planned acquisition of Nortel Enterprise business) know IP routing extremely well, a claim that HP would find hard to make.  </p>
<p>Cisco’s networking, unified communications and collaboration product portfolios are much larger than those of HP+3Com.  Even with the acquisition of 3Com, HP lacks a branch office solution and while their S12500 data center core switch product is impressive, it’s only been shipping for three months.  From a network security point of view, 3Com’s TippingPoint has been a great IPS platform product for it, but it does not compare to the security portfolio that Cisco has built which spans IPS, firewall, NAC, VPN, SIEM, Web/email, data protection, etc.  From a broader HP perspective, however, HP’s Enterprise group delivers enterprise computing security solutions that extend well beyond TippingPoint and the ProCurve ProActive Defense portfolio.</p>
<p>It’s in HP’s interest to close the 3Com deal and integrate it into the Enterprise Business Group as soon as possible.  Clearly, HP has assembled its integration team, which has tackled much larger integration projects e.g., EDS.  Execution should not be an issue.  But if the deal does not close until June, it may be a year from now until 3Com is fully integrated into the HP Enterprise Business Group, procurement system, sales, service, etc., to the point that HP can scale it up.  And that is the question.  When 3Com is fully integrated into HP what kind of networking revenue and market share can HP gain?  ProCurve + 3Com is approximately $2B of revenue now.  With the existing product lines can HP generate $5B, $10B or more of network revenue over five years?  Time will tell.  But while HP is integrating 3Com, Cisco and others will use this time to develop competitive offerings, marketing programs and channels to both go after their customers and blunt its pending attack.</p>
<p><strong>Positioning For The New Converged IT Era</strong></p>
<p>You can’t expect HP to be able to match product lines and compete with Cisco in networking with one acquisition; far from it. It’s pretty clear that HP is looking at Cisco’s margins as a point of vulnerability while it looks to leverage its worldwide footprint, supply chain and IT leader relationships for scale.  But there’s a longer cycle at play here, so if you’re looking for a head-to-head comparison between Cisco and HP then you’ll be disappointed and, most importantly, miss the main point.  HP and all of the large IT suppliers, especially Cisco with its Unified Computing System and recently announced Acadia (Cisco, EMC, VMware JV), see a new converged IT infrastructure market of servers, storage, networking, facilities, management, etc., emerging where networking is a core attribute.  </p>
<p>And networking is now central to HP’s convergence strategy as it plans to get networking right over time.  HP views networking as it viewed PCs back in 2004 when Dell was number one followed closely by IBM.  HP was ridiculed for buying Compaq in ’01 for $25B but in 2009 it’s the number one PC supplier worldwide.  It’s clear HP is dead serious about networking so expect it to bolster its networking portfolio with other acquisitions, with an eye toward a new longer term converged IT buying cycle.  </p>
<p>IBM and Dell will have to acquire networking properties too, as they may find it harder and harder to compete with Cisco and HP, which offer servers, storage, networking and networked applications.  It’s hard to see Brocade, Juniper, Extreme Networks, Force10 Networks and others remaining pure-play networking companies as the IT world around them consolidates and the industry prepares for a new convergence era.  It’s clear that networking is central to the new converged IT infrastructure market.  A key question for a successful supplier to this market is whether it matters if your core technical competence is networking or servers.  Cisco dominates networking, where HP shares server dominance with IBM and Dell.  It’s interesting that the server companies are chasing networking and not the other way around.   Cisco and HP have their convergence plans; over the next quarter we should find out if IBM, Dell and Oracle have theirs. </p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2009/11/lippis-report-136-hp-plans-to-acquire-3com-accelerating-a-new-it-convergence-era/feed/</wfw:commentRss>
		<slash:comments>10</slash:comments>
		</item>
		<item>
		<title>Lippis Report 135: A Flash Point From Internet To Infrastructure 2.0 Is Approaching</title>
		<link>http://lippisreport.com/2009/11/lippis-report-135-a-flash-point-from-internet-to-infrastructure-2-0-is-approaching/</link>
		<comments>http://lippisreport.com/2009/11/lippis-report-135-a-flash-point-from-internet-to-infrastructure-2-0-is-approaching/#comments</comments>
		<pubDate>Mon, 02 Nov 2009 23:46:55 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=2216</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Cloud computing has become of great interest to providers, business and IT leaders as the economic downturn forced review of business processes and IT’s automation of them.  As business and IT leaders searched for efficiency, cloud computing came into focus…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Cloud computing has become of great interest to providers, business and IT leaders as the economic downturn forced review of business processes and IT’s automation of them.  As business and IT leaders searched for efficiency, cloud computing came into focus as it promises a different and favorable IT economic and delivery model.  There are multiple cloud visions and use cases, but one I hear most often in corporate IT organizations is that of thin and mobile clients accessing a mix of custom, consumer-based and cloud-based applications.  In this scenario real or virtualized desktops and mobile clients present applications that are hosted in a cloud residing on a virtual machine isolated from another corporation’s applications.   Economics, technology and business imperatives are driving this future into reality.  In fact, IT organizations are increasingly losing control of their application portfolios as a new generation of IT savvy workers develop and/or find applications that help them get work done without the blessing or assistance of corporate IT.  As cloud computing promises to radically expand access to applications and low cost application development, IT leaders fear that the portion of applications they control will increasingly shrink if they don’t get ahead of this curve.
As such, IT organizations are focusing like a laser on cloud security, application control, portability and the critical potential role of the network. </p>
<p><span id="more-2216"></span></p>
<p><strong>Proprietary Clouds</strong></p>
<p>The current state of cloud computing is that cloud providers are building proprietary cloud services and APIs that do not interact with other clouds.   In addition, business and IT leaders of Global 2000 firms are exploring building their own private clouds in an effort to hold on to application control, ensure security and offer elastic IT services.  Without an open or standard way of connecting clouds or allowing clouds to interact, isolated clouds will be the norm and a huge opportunity will be lost.  Islands of isolated networks were the norm during the ’80s and early ’90s, until open networking via TCP/IP and the Internet unleashed global productivity and innovation that parallels the industrial revolution.  The IT industry is presented with an opportunity to again increase global productivity and innovation by interconnecting clouds or building more advanced network infrastructure capable of handling these new demands.</p>
<p><strong>The Need For Infrastructure 2.0</strong></p>
<p>While the cloud adoption cycle is young and the need for interaction/communication between public and private clouds may not be front and center, it’s only a matter of time before it is.  In addition to employees deploying their own applications on corporate networks, IT departments are struggling to meet business expectations.  For example, IDC recently predicted that between 2008 and 2012 IT staff will grow at about 1.1 times the rate of business growth while servers will grow at 1.9 times, mobile internet users will grow at 3 times, non-traditional user devices will grow at 3.6 times, information will grow at 4.5 times and interactions per day will grow at 8.4 times. With IT services demand skyrocketing and IT staff budgets being held tight, a gap between business expectation and IT delivery is growing.  To close the gap, today’s static, manually managed networks need a new economic and delivery model, and for most, cloud computing is the answer.  Today IT growth is accommodated, if funded, within the confines or perimeter of an enterprise network and IT structure while being governed by business and IT leaders, but what if it moved to the cloud?</p>
<p>Consider what happens if IT engages cloud services to meet these business expectations and demands. There would be increasing economic and performance pressures on networks to address the emergence of increasing system/cloud connectivity.  Clearly IT organizations are not going to rely upon a single cloud provider to meet their business needs, but on a group of providers that may specialize in SaaS/PaaS/IaaS, etc. Herein lies the rub: clouds are going to have to interact and communicate securely among each other if they are going to reach their potential and live up to their hype.  If the above IT growth and associated dynamics shift to public clouds over the next 5 to 20 years, which is probable, then there are fundamentally new networking services that need to be designed and incorporated into internet architecture to support Infrastructure 2.0 cooperation.</p>
<p><strong>A New IT Industry Phase</strong></p>
<p>Before I highlight some of the Infrastructure 2.0 services that may be needed, I offer an industry perspective of similar industry transitions and their associated scale.  Consider 1984 and the break-up of the Bell System.  Prior to ’84 most large corporations used public voice services to meet their needs.  But when bulk T1 transmission services were offered at attractive tariffs, most large corporations started building private voice networks, which ushered in companies such as Network Equipment Technologies, Timeplex, Newbridge Networks, et al.  To counter this exodus of revenue, service providers successfully offered voice private networks (VPNs) to woo enterprises back.  In the early ’90s enterprise data networks were proprietary and private, running over leased lines; then, as proprietary networking protocols such as DECnet, SNA, etc., gave way to open IP networking, a huge shift occurred in telecommunications away from traditional PTT/Telecom service provider offerings toward open internet services, changing a $600B worldwide telecommunication market.  During this phase Cisco Systems, Wellfleet Communications, Proteon and many others grew at unprecedented rates as LANs, WANs, Ethernet switching and routing became essential business tools. Computing clearly benefited from the transition from proprietary to open/industry standards as UNIX and WinTel systems linked over open networks drove record corporate productivity and created a new IT industry structure. </p>
<p>Infrastructure 2.0 computing could represent the next phase of IT and be as disruptive as the shift from mainframe computing with SNA to mini-computers with peer-to-peer networking, to personal computing with client-server, to the Internet.  With each IT industry phase or transition multi-billion dollar markets were created and the world economy grew thanks to productivity improvements. This shift promises a vast reduction in IT operational expenses along with productivity gains enabled by waves of innovation delivered via increasingly automated networks.</p>
<p><strong>The Open Cloud of Clouds</strong></p>
<p>During each of the above transitions IT leaders questioned vendor lock-in and the security of utilizing public IT services.  More often than not, IT leaders were concerned if not frightened about the co-mingling of their bits/applications/compute/storage, etc., with other corporations.  Each time the industry responded with a suite of security technology to comfort IT leaders and standards that offered a path away from vendor lock-in.  Cloud computing and in particular a suite of open internet services for Infrastructure 2.0 communications could usher in the largest and most sweeping IT transformation yet.  Dare I say it; open internet services for the “cloud of clouds” could have a larger economic and societal contribution than even the Internet.  The Internet provides connectivity with a few popular applications, i.e., the web, email and increasingly voice and video.  Infrastructure 2.0 has the potential to hollow out or outsource IT applications from corporations.</p>
<p>With an open approach to interconnecting clouds, cloud-computing services could scale, applications/objects/data, etc., could be portable, IT organizations could be offered control through visibility and a suite of management/troubleshooting tools could be exposed so that IT infrastructure placement is location/hosting independent.  Think of it this way. If an open approach to Infrastructure 2.0 connections were available, then a marketplace made up of cloud computing providers selling a wide range of services to IT departments and consumers could be created.  IT leaders could shop the cloud providers, picking and choosing which ones to provide or host applications without being locked in and fearing loss of control plus security vulnerabilities.  For example, change management could be policy-based or on demand, versus today’s model of manual configurations, spreadsheets and layers of processes created to compensate for potential human error.<br />
So what is needed for clouds to communicate with each other so that IT leaders can exploit the cloud for a larger and increasing set of their IT application portfolio while offering a competitive cloud environment for consumers? What follows are a few ideas that could move Infrastructure 2.0 forward.</p>
<p><strong>Open Clouds: </strong> Cloud deployments are proprietary and thus there is little to no interoperability among them.  To create a pro-competitive environment, clouds and the interconnection between them should be open and interoperable.</p>
<p><strong>Greater Trust:</strong>  Business and IT leaders plus consumers need to be able to trust cloud services.  Ronald Reagan used to say, “trust but verify”; however, clouds need to be verified then trusted.  To meet that end, embedded security services versus security appliances could be most effective at creating trust within and between clouds.</p>
<p><strong>Cloud Common Registration System:</strong>  To find objects, i.e., VMs, applications, storage, data, etc., within and between clouds, a registration system would be very helpful. </p>
<p><strong>Portability:</strong>  In order to move applications, VMs, data, objects, etc., between clouds, portability and persistence are highly desirable. </p>
<p><strong>Management and Visibility: </strong> To ensure troubleshooting, diagnostics, repair, modification and control of applications a set of Infrastructure 2.0 management and visibility services could ease the concerns of IT leaders and application developers over their loss of control.</p>
<p><strong>A Means for Billing: </strong> A mechanism for providers to bill each other for services may be needed for connections between clouds.</p>
<p>The above is simply a sample of desirable Infrastructure 2.0 attributes.  Much work needs to be done to develop an open framework, blueprint or architecture.  It’s not clear how long it will take to develop an evolved industry network architecture, but as more and more cloud services are consumed, market demand will heat up for open approaches to portability, control, scale, security and the ability to mix and match cloud services to construct application portfolios.  Infrastructure 2.0 is a game changer that promises to cast a new IT competitive landscape by offering a new standards-based approach to IT delivery.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2009/11/lippis-report-135-a-flash-point-from-internet-to-infrastructure-2-0-is-approaching/feed/</wfw:commentRss>
		<slash:comments>10</slash:comments>
		</item>
		<item>
		<title>Lippis Report 134: Cisco Delivers A New Network Architecture Called Borderless Networks</title>
		<link>http://lippisreport.com/2009/10/lippis-report-134-cisco-delivers-a-new-network-architecture-called-borderless-networks/</link>
		<comments>http://lippisreport.com/2009/10/lippis-report-134-cisco-delivers-a-new-network-architecture-called-borderless-networks/#comments</comments>
		<pubDate>Tue, 20 Oct 2009 12:11:12 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=2121</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>I’ve been working in the networking industry my entire adult life starting in the mid 1980s, having developed and reviewed numerous network architectures.  I view an IT supplier’s network architecture as insight into their perspective of business changes plus trends…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>I’ve been working in the networking industry my entire adult life starting in the mid 1980s, having developed and reviewed numerous network architectures.  I view an IT supplier’s network architecture as insight into their perspective of business changes plus trends and how their IT solutions can be exploited for corporate advantage.  In short, the architecture provides a roadmap or blueprint of their investment plan and corporate priorities.   The latest IT architecture I’ve reviewed is Borderless Networks from Cisco Systems and it does a great job of addressing business, economic and technical trends that are converging into an opportunity for business leaders to accelerate earnings while preparing for and taking advantage of top line growth.   The first manifestation of Borderless Networks into product is in Cisco’s October 20th, 2009 Borderless Branch Office Network launch including the <a href="http://lippisreport.com/?p=1990">Integrated Services Router Generation 2</a>.  In this <a href="http://lippisreport.com/?p=2121">Lippis Report Research Note</a> I review Cisco’s Borderless Networks architecture, an approach to networking that is very much in sync with the times in which we live.</p>
<p><span id="more-2121"></span><br />
<strong>The Borderless Network</strong></p>
<p>We live in an increasingly connected world where our workspace is with us constantly, independent of geographic location and user device.  The boundaries or obstacles to accessing information that location, applications and devices once erected are limited and dwindling.  These boundaries are being torn down by business necessity, personal preferences and technical innovations.  Businesses are increasingly expanding globally, increasing the geographic area in which they operate and from which they need access to information. The huge growth of the mobile internet provides insight into how work and work product have moved far beyond a stationary desk.  It is technical innovations, however, that are ushering in a new borderless network architecture that’s delivering the capability to experience a workspace without borders, friction or frustration.</p>
<p>The rise of wireless networks, smartphones and the mobile internet has ushered in workspace mobility that tears down location boundaries.  Application performance acceleration technology extends application access over large distances while presenting the user with an experience of being local.  Network security services, especially identity and policy, preserve user preferences as they drift between workspace environments ensuring corporate assets are safe.  Over the past 18 months, real-time and on-demand video has been embraced by business leaders as a way to be closer to customers, reduce travel cost and speed business processes. In the current business cycle, corporate networks will have to become even more borderless as cloud computing services, collaboration applications and virtualization technologies accelerate application access to any location and device on the planet.  </p>
<p>For corporations the Borderless Network delivers value in two important ways.  First is the frictionless movement of workflow consistently over a corporate network that is secure, mobile and as vast as a corporation’s employees, contractors, suppliers and customers.  Second is the value of the increased customer experience which Borderless Networks deliver as existing and prospective customers are everywhere, interacting with your company on a plethora of devices.  Customer service studies show that keeping customers connected or wired brings them closer to a business, improving their experience and increasing their loyalty. </p>
<p>So what boundaries does Cisco’s Borderless Networks bring down?  It’s primarily focused on applications, devices and location boundaries, and since the network touches every IT asset Cisco believes that it can add network value to bring down these boundaries and replace them with a “Borderless Networks” experience.  The Borderless Networks experience promises to enable access to information seamlessly, securely and reliably, independent of location and/or user device.  This experience transcends employees and customers and for good reason: Forrester’s state of the CIO agenda identified that the two top CIO issues are to “acquire, retain and manage customer relationships better while lowering company operating costs”.  </p>
<p>Borderless Networks is an architectural approach to networking that, if designed correctly, can automate business and network processes, driving down operational cost and thus allowing IT to scale.  And scale is something IT needs desperately right now.  IDC recently predicted that between 2008 and 2012 IT staff will grow at about 1.1 times the rate of business growth while servers will grow at 1.9 times, mobile internet users will grow at 3 times, non-traditional user devices will grow at 3.6 times, information will grow at 4.5 times and interactions per day will grow at 8.4 times.  Clearly, the gap between IT staff resources and business expectations for IT services is huge and growing fast.  To close the “business expectation/availability” gap many IT leaders are evaluating cloud-based services to augment their homegrown services as IT leaders observe an increasing number of applications being deployed from outside the enterprise perimeter.  Salesforce.com, EC2, Google Apps and other cloud services will have a huge impact on IT.  But the network needs to be an integration point in an IT architecture allowing homegrown, private and public cloud services to be deployed securely and reliably.  </p>
<p>To put this into more general terms, have you ever tried to access video content while in a branch office?  Or tried to access a corporate application while on the road?  Or tried to dazzle a new customer with a live video session?  Or tried to have your work office IT environment be the same, if not better, at your home?  If you have, then you have experienced productivity breakers in your IT systems.  If these barriers are left unchecked and allowed to persist, productivity will get worse.  For example, desktop virtualization and video are two of the most disruptive new IT services which will have the biggest impact on barriers that exist between the datacenter and the rest of the enterprise IT environment.  </p>
<p>The productivity frustration or friction that is created in these scenarios comes from location, user devices and/or application access.  Cisco’s Borderless Networks seeks to eliminate these boundaries with a consistent and secure user experience by enabling IT to scale and close the gap between business expectations and IT service availability with a suite of user network services around mobility, performance, and security.  </p>
<p>To fully understand the shift in IT you need look no further than where applications are being delivered from, and you’ll notice that the borders are changing.  Instead of a corporation having one perimeter with well-defined internal/external trust relationships, corporations now have three new fronts or perimeters to manage.  At the center of this new IT challenge is a shift in the way users are consuming technology.  Employees are bringing more consumer-based IT technology into the workforce, whether it’s Kindle, an iPhone, a flip camera, etc.  All of these technologies are entering the workforce, creating new borders.  These new borders are different locations, different devices plus applications and services that are being deployed from anywhere.<br />
IT’s problem has changed from managing performance, scalability, and availability across one domain to having to manage those attributes across three domains: device, location, and application.  IT leaders now need to manage this multi-dimensional service delivery problem across devices, locations, and applications, and to make matters even worse, these borders are often in a non-IT-controlled environment.</p>
<p><strong>Borderless Network Technical Architecture</strong></p>
<p>The Borderless Networks business case is that Cisco’s network innovations are being focused on IT elements that will contribute to doing business faster, bring more scale to your business and grow the bottom line, by investing in technology that makes your business run more easily and smoothly and become more engaging with customers.  As an example, a Borderless Network in a sports arena increased revenue by a factor of three by enabling food and merchandise orders to be placed by sports fans in their seats and delivered by a friendly salesperson.  This scenario broke location, application and device barriers, increasing both customer experience and revenues.  A network with borders could not deliver the experience and business outcome.  </p>
<p>The Borderless Networks technical architecture is made up of three components. First is the separation of hardware and software.  This decoupling of software from custom hardware appliances enables network services to be deployed quickly and flexibly around the enterprise, independent of location and hardware.  The first example of this is in Cisco’s ISR G2 where IT leaders can load and activate network services on demand to branch offices. The second component is called converged systems, where compute, storage and network resources are coming together to define a new IT control plane.  The third component is policy, being the unifier or the way to implement, automate and unify services end to end.  These three components work together to create a more virtual networking environment where services can be turned on and off plus deployed on-demand to eliminate barriers and create a Borderless Network.  </p>
<p>For example, security services such as firewall, IPS, encryption, etc., can be deployed for specific cloud services or to far reaches of a network to increase secure communications.  Application acceleration may be controlled in a similar fashion increasing application performance to mobile end-points or speeding up video sessions to various parts of the network. The net goal is to ensure that the technologies Cisco brings to market across collaboration and virtualization tie closely and tightly couple with routing, switching, security, wireless, and optimization technologies that exist in the Borderless Network.</p>
<p><strong>Borderless Network Value Proposition</strong></p>
<p>What Cisco is building toward with Borderless Networks is to offer its customers a means to increase productivity.  Productivity has been on the rise thanks to IT, which specifically started with the PC. Networks helped drive productivity growth even higher.  The economy is now at the next point of productivity growth with Borderless Networks, virtualization and cloud computing offering a path to close the business expectation and IT availability gap.  For business leaders an opportunity is being presented to break with the status quo of being confined to a single perimeter and embrace technology trends that increase customer experience and lower operational cost by opening up to new perimeters of location, devices and applications securely and reliably with a Borderless Network.  If architected correctly a business can grow its top and bottom line faster.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2009/10/lippis-report-134-cisco-delivers-a-new-network-architecture-called-borderless-networks/feed/</wfw:commentRss>
		<slash:comments>15</slash:comments>
		</item>
		<item>
		<title>Lippis Report 133: Cisco, HP &amp; IBM Make Up New Top Tier of IT Industry</title>
		<link>http://lippisreport.com/2009/10/lippis-report-133-cisco-hp-ibm-make-up-new-top-tier-of-it-industry/</link>
		<comments>http://lippisreport.com/2009/10/lippis-report-133-cisco-hp-ibm-make-up-new-top-tier-of-it-industry/#comments</comments>
		<pubDate>Mon, 05 Oct 2009 18:31:05 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=2008</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>The market crash of 2008 had a similar effect to a long drought on a once lush ecologically diverse and thriving environment.  Only the strong survive such harsh conditions.  With hardware sales down some 25 to 30% over the past…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>The market crash of 2008 had a similar effect to a long drought on a once lush ecologically diverse and thriving environment.  Only the strong survive such harsh conditions.  With hardware sales down some 25 to 30% over the past year the revenue drought in the networking and communications industry brought large changes.  We have seen the once huge Nortel go bankrupt and be sold off in pieces; Siemens Enterprise, Enterasys and Avaya were brought private; Foundry Networks was sold to Brocade and now Brocade may be up for sale; HP ProCurve was integrated into the large HP group TSG; 3Com re-emerged in the enterprise market while many start-ups closed shop.</p>
<p><span id="more-2008"></span></p>
<p>Our industry has dramatically consolidated over the past year and as the economy improves a new concentrated order is emerging filled with winners, losers and dark horses.  Layered on top of macro-economically caused shifts are new IT buying patterns plus a new technology wave of virtualization and cloud computing which promises to alter IT delivery.  The IT industry is now an upside-down pyramid with a few very large players at the top garnering the lion’s share of revenue followed by many smaller firms.</p>
<p><strong>The Big Three: Cisco, HP &#038; IBM</strong></p>
<p>At the base of this upside-down pyramid are Cisco, HP and IBM, all of which offer a suite of computing, storage, networking and applications.  One could argue that Microsoft should be at the top too, but their exclusive focus on software relegates them to partnering with these top three IT suppliers.  In fact, Microsoft could hold the keys to which one of the top three is most successful during this difficult business cycle, as all are forced to collaborate with it.  In this regard, HP has the best and longest relationship with Microsoft as the two companies’ product portfolios barely overlap.</p>
<p>It’s easy to point to Cisco, HP and IBM as competitors since Cisco introduced its Unified Computing System, which propelled it into the data center server market, a core market for HP and IBM.  But the three firms are very different, as are their core competencies.</p>
<p><strong>New Markets Always Seem To Come To Cisco</strong></p>
<p>Cisco is by far the largest networking company on the planet and as a result its core competency is grounded here.  Networking, once seen as providing simply a connectivity service, has evolved into a major IT architectural component along with servers, storage and applications.  This is due to a technical shift driven by Moore’s Law, which is propelling older IT technologies to fold into an IP network architecture.  For example, communications used to be based upon Time Division Multiplexing; now it’s IP packets.  Video conferencing used to be a service provided on top of the phone system, but now it’s an IP service.  Just as mainframes and mini computers gave way to PCs, laptops, notebooks and smartphones, the national entertainment system, non-IT electronics, etc., are being folded into an IP network.  The networked smart grid is a good example of an older technology, i.e., the national grid that is on the path to being folded and transformed into an IP network.  All of these markets are transforming into Cisco’s strength, IP networking, versus Cisco having to change technology horses to catch them.</p>
<p>The same is occurring in the datacenter, which is the area of increasing competitive pressure between Cisco, HP and IBM.  Consider the following trends.  Virtualization is minimizing the need for servers as more applications reside on a single server.  10Gbps Ethernet is a huge change agent as it allows the first generation of networking and storage to share a common network that, over time, will cannibalize storage switches.  New blade systems that package compute, networking and storage access allow the sales forces of the big three to sell units of IT versus being experts in networking, computing and storage. This IT packaging change alone is the source of competitive pressure among the big three.  Cloud computing, depending upon how you define it, threatens existing application suppliers by re-writing application licensing arrangements.   In short, the datacenter is undergoing the most fundamental change since the glass house gave way to mini and microcomputers.</p>
<p><strong>Big Three Positioning </strong></p>
<p>So who is best positioned?  After IBM sold off its PC business, its main focus has been services, software and datacenter technology.  This is its core market and value proposition.  It enjoys relationships with top business leaders who value IBM’s financial, support and technical prowess.  IBM’s systems and technology segment groups generate nearly $36B annually. HP, with its recent acquisition of EDS, has become a services powerhouse to augment its Enterprise Business.  HP segments its business into services, enterprise storage and servers, software, then Technology Solutions Group, personal computing, imaging and printing.  HP, unlike IBM, has retained a large consumer computing position.  Its datacenter focus is primarily found in its Technology Solutions Group (TSG), which generates approximately $52B per year.   As mentioned above, Cisco comes to the datacenter and IT from a different direction, that being a network direction.  Cisco’s switching, routing and other advanced technology segments generate some $34B annually.</p>
<p>It may seem that comparing HP, IBM and Cisco is like comparing apples, oranges and cumquats, and there is some validity in that argument, but all three are huge IT companies with a common value proposition to IT leaders: we have financial stability, are world class IT suppliers who invest huge dollars in R&#038;D, offer excellent support and will be around for a very long time.</p>
<p>While the snapshot today does not offer a wide product portfolio crossover, you have to extrapolate a few years and each of these firms’ directions.  It’s getting harder to find the next $1B market so each of them has to look at each other’s market and enter into them to grow; this was part of Cisco’s UCS strategy.  Each is competing in security, networking, unified communications, blade systems, and video conferencing (more HP and Cisco than IBM here).  The question is which firm will be able to manage technical and customer buying pattern transitions faster?  In short, who will be quicker to market with innovations that ride a new multi-billion dollar market wave?  This is clearly a strength they all possess. HP’s EDS acquisition was brilliant as was IBM’s acquisition of Lotus while Cisco can be an acquisition machine as its buys are mostly right on.  Cisco’s 1994 acquisition of Kalpana and 1997 acquisition of Crescendo Communications, Inc., were both brilliant as is its 2009 purchase of Tandberg.</p>
<p>As I write this HP is beefing up its networking product line with Brocade and its own ProCurve line while IBM is working with Juniper Networks and Brocade.  Brocade may be up for sale too as reported in the Wall Street Journal with HP and Oracle showing preliminary interest.  It’s clear that in the next five years the product lines of these three will increasingly overlap; time will tell which one will break away.  </p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2009/10/lippis-report-133-cisco-hp-ibm-make-up-new-top-tier-of-it-industry/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Lippis Report 132: Mitigating Pandemic-Caused Business Outage With Teleworking</title>
		<link>http://lippisreport.com/2009/09/lippis-report-132-mitigating-pandemic-caused-business-outage-with-teleworking/</link>
		<comments>http://lippisreport.com/2009/09/lippis-report-132-mitigating-pandemic-caused-business-outage-with-teleworking/#comments</comments>
		<pubDate>Tue, 22 Sep 2009 00:23:09 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=1951</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>The World Health Organization (WHO) has reported over 182,166 laboratory-confirmed cases of 2009 H1N1 influenza virus with 1,799 deaths.  In June 2009 the WHO raised the pandemic alert level to six, signaling a pandemic of this influenza is underway.  If…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>The World Health Organization (WHO) has reported over 182,166 laboratory-confirmed cases of 2009 H1N1 influenza virus with 1,799 deaths.  In June 2009 the WHO raised the pandemic alert level to six, signaling a pandemic of this influenza is underway.  If the H1N1 virus, or swine flu, is in full pandemic force during the fall and winter months of the seasonal flu, 40 to 50 percent of the workforce could be affected; yes that’s 40 to 50%.  However, early numbers indicate H1N1 is no more infectious than seasonal flu strains that typically hit each year.  But H1N1 could still pose a significant threat.  New flu strains can mutate, sometimes becoming more serious and more contagious.  Businesses may have already been impacted by the spring and summer outbreaks of 2009 H1N1 influenza affecting their employees. CDC anticipates that more communities may be affected than were in the spring/summer 2009, and/or more severely affected, reflecting wider transmission and possibly greater impact.  In addition, this fall and winter seasonal influenza viruses may cause illness at the same time as 2009 H1N1. </p>
<p><span id="more-1951"></span></p>
<p>The severity of illness that 2009 H1N1 influenza flu will cause (including hospitalizations and deaths) or the amount of illness that may occur as a result of seasonal influenza during the 2009–2010 influenza season cannot be predicted with a high degree of certainty.  Therefore, employers should plan to be able to respond in a flexible way to varying levels of severity and be prepared to refine their pandemic influenza response plans if a potentially more serious outbreak of influenza evolves during the fall and winter.  More people and communities are likely to be affected as influenza is more widely transmitted.  While H1N1 provides the immediacy of action, business disruption on this scale can occur due to multiple causes.  Virus outbreaks or other natural disasters, man-made disasters plus major events such as protests or large scale national strikes common in some European countries are all potential causes of workforce disruption.  Note that multiple events can and do occur simultaneously amplifying the total impact of these events on businesses.</p>
<p>So the question to business and IT leaders is this: what if 40 to 50 percent of your workforce cannot get into the office?  Are you prepared?  According to Gartner only 13 percent of enterprises are prepared for a major workforce disruption where employees cannot travel to the office.  For IT leaders, a best practice to minimize the impact of a workforce disruption caused by an H1N1 pandemic, another infection, or a man-made or natural disaster is a scalable, secure and reliable teleworking solution.</p>
<p><strong>Secure Teleworking Access </strong></p>
<p>Pandemic mitigation is best addressed with remote access technologies where physical IT assets are still intact but mobility has been restricted, and in some cases drastically restricted by quarantining.  A close cousin to pandemic planning is business continuity planning.  During a crisis, business and IT leaders usually start by thinking in terms of connectivity, meaning how to connect voice, video and collaborative application resources to remote workers when office access is highly restricted.  Unfortunately, leaders who think this way often overlook secure access, as their knee-jerk reaction is just to connect employees.  When IT leaders are responding to a pandemic and executing their plans with remote access to applications and collaboration, remote workers’ workflow security should not be compromised, as it is most vulnerable at this time.  To ensure that remote access to IT resources and communications is secure, security technology needs to be systemically embedded in the remote access solution from the client software to the routers to the applications.</p>
<p><strong>Role-Based User Configuration</strong></p>
<p>In addition to secure access and connectivity, policy over the use of this business continuity resource is important to ensure that different job functions, responsibilities or roles are appropriately administered.  What this means is that the management system should allow configuration of user profiles with associated privileged access to business assets.  For example, there are employees who will perform their duties at a home office while others who are mobile conduct a large percentage of their business on smartphones.  These two examples represent different device, connectivity and security needs.  Therefore, a pandemic teleworking solution should be flexible to support multiple user scenarios, needs and employee roles.  </p>
<p><strong>A Framework for Preparedness</strong></p>
<p>A best practice framework approach to business continuity planning includes policy definition and IT preparedness.  While assessing business risk for workforce disruption, IT leaders should work with Human Resources to categorize employees by responsibilities, into groups of communications and application requirements and job roles. This is helpful in defining user roles and policy so when a crisis hits IT can execute a plan defined during a period of calm.  While this work is underway IT leaders should survey existing remote access solutions and network capabilities with the goal of identifying gaps that need to be closed considering the potential that 40 to 50% of the employee base is forced to work remotely.</p>
<p>When surveying the remote access solution, six items are recommended for consideration.  First, review access methods and connectivity options available for each remote access scenario.  For example, consider mobile devices, laptops and notebooks and even public kiosks, as power outages may force employees to public spaces for enterprise connectivity.  Second is the level of access, meaning employees/partners/contractors should receive different levels or priority of access.  Third is to consider security technology essentials, primarily firewalls, virtual private networking (both SSL and IPsec) and Network Access Control for granular user and end-point access to networked resources.  Fourth, voice, video and data connectivity need to be considered during a pandemic crisis to assure IP and TDM phones, softphones and collaboration software are functional, as these will be the tools executive management and others rely upon when travel to the office is not an option.  Fifth, compliance requirements such as PCI, FISMA, SOX, HIPAA, Presidential Directives, et al., need to be considered, as non-compliance can result in serious penalties to executive management.  Finally, business recovery, while often overlooked, is an important practice to restore business and IT assets after an event.</p>
<p><strong>A Remote Work Environment</strong></p>
<p>To ensure business operations during and after a displacement event, a remote work environment only needs to be based upon a few technology pillars including virtual private networking for connectivity, VoIP for voice communications, conferencing and collaboration software for video and virtual meetings plus embedded security.  With these pillars a robust and resilient pandemic response plan can be executed which exhibits these attributes.</p>
<p><strong>Wide &#038; Resilient Access: </strong> Extend connectivity to employees working remotely.  During a displacement event connectivity needs to stretch across a variety of end-points, such as company-provided and employee-owned PC/laptop/notebook, public internet terminals and/or internet-enabled mobile phones.  Connectivity needs to scale up to support a burst of employees, as high as 50% of the employee population, displaced and thus attempting to access corporate IT assets from a wide geographic area.  In addition, the remote network access facilities supporting teleworkers and mobile users should be geographically resilient as well, with back-up access equipment at different sites to ensure availability in case a site is disabled or destroyed due to the displacement event.</p>
<p><strong>Real-time Communications &#038; Collaboration: </strong> To ensure workflow and business process keep moving, real-time communications and collaboration services are required.  In most cases a computer/laptop is all that is needed for the employee to stay connected and productive with unified communications and collaboration software such as WebEx.</p>
<p><strong>Embedded Security:</strong>   With policy defining user roles and configured into a teleworking management system, IT will be able to provide access to corporate assets based upon roles, access medium and end-point.  In addition, with firewalls, tunnels and network access control IT has the tools to mitigate cyber threats that often accompany pandemic and other workforce displacement events.  </p>
<p><strong>Centralized Management:</strong> Teleworking or remote access solutions are characterized by a few IT personnel offering network service to a large number of people dispersed over a very large geographic area, which is often challenging and costly to administer, thanks to a ratio of 1 IT ops to 20,000 teleworkers.  Network management is the only tool IT has to manage this ratio and contain cost while delivering an excellent teleworking experience to the employee.  Therefore, centralized network management including configuration, change management, etc., which the employee does not need to touch, is key to successful large scale teleworking solutions.</p>
<p><strong>The Cisco Teleworking Solution Set</strong></p>
<p>There are many providers of teleworking solutions including Cisco Systems, 3Com, Juniper, Avaya, Mitel, NEC, Siemens, et al.  But there is only one company that offers solutions that deliver networking, communications and collaboration with embedded security.  That company is Cisco.  To address this market, Cisco has introduced a solution portfolio.  Depending on a customer’s needs, teleworking usage profile, or security requirements, Cisco has solutions that combine technology and services to deliver an integrated approach.</p>
<p>For example, the Office Extend AP is designed to provide secure, corporate wireless to the home office user or road warrior in a small access point form factor. The Cisco Adaptive Security Appliance (ASA) supports secure remote access not just through SSL or IPsec VPN, but also a phone proxy feature that works to secure voice traffic direct from an IP phone.  And finally, the Cisco Virtual Office (CVO) is a solution designed for premium teleworking services including single-number reach, a dedicated multiservice platform for tighter security, and zero-touch management. CVO also supports dual mode phones extending solution flexibility to secure mobile infrastructure.  </p>
<p><strong>Think of Cisco’s approach this way:</strong> different end-points and access methods create different user experiences.  Cisco’s teleworking solution supports a broad range of experiences such as workers accessing corporate assets securely from public spaces such as a coffee shop computer, in the confines of their home or on the road.  Each one of these scenarios has different security requirements and capabilities which the ASA and/or CVO serve up to remote and mobile users.  In addition, all of this is centrally managed and configured, which frees up employees to simply be productive.</p>
<p>In addition to the technology, Cisco offers a flexible licensing option which allows organizations to scale up their VPN usage to that 40 to 50% of employees without the need for new equipment but only a management key to unlock as many VPNs as needed during a pandemic or other dislocation event.  As a reference, on average only 10% of an employee population has regular access to VPNs, but as many as 50% may need access during crisis.  Cisco’s shared licensing option means that licenses are no longer attached to a single location.  For example, a 10,000 user license could be shared among different locations and employees providing elasticity of VPN availability through a licensing arrangement to accommodate the surge in VPN requirements during pandemics or other disasters.  </p>
<p>No one wants to manage through a crisis, but those that plan now will find that successful crisis management is not only good business but a career booster as well. Many executive managers find that they are granted greater responsibility and stature after successfully guiding their corporation or government through a crisis.  With the autumn approaching fast and the potential for an H1N1 outbreak, now is the best time to position your company to both respond to a pandemic and recover from its damage.  A teleworking solution can be a major component of that plan.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2009/09/lippis-report-132-mitigating-pandemic-caused-business-outage-with-teleworking/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Lippis Report 131: Avaya &amp; Siemens Vie For Nortel, With Bidding &amp; Anti-Trust Phases Looming.  How Customers Should Prepare?</title>
		<link>http://lippisreport.com/2009/09/lippis-report-131-avaya-siemens-vie-for-nortel-with-bidding-anti-trust-phases-looming-how-customers-should-prepare/</link>
		<comments>http://lippisreport.com/2009/09/lippis-report-131-avaya-siemens-vie-for-nortel-with-bidding-anti-trust-phases-looming-how-customers-should-prepare/#comments</comments>
		<pubDate>Sun, 06 Sep 2009 16:51:04 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=1881</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>In late July Avaya announced that it had signed an agreement with Nortel to purchase its enterprise business for $475 million.  The agreement would add talent, bolster Avaya’s channel partner network, increase its presence in the growing government business and…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>In late July Avaya announced that it had signed an agreement with Nortel to purchase its enterprise business for $475 million.  The agreement would add talent, bolster Avaya’s channel partner network, increase its presence in the growing government business and expand its product portfolio to include the computer networking gear of routing and switching.  But this is not a simple transaction. On September 11th Nortel will hold a bidding process to entertain other offers with a hope to gain more value, i.e., dollars for its enterprise assets.  In addition, whoever wins the bidding process must then pass anti-trust hurdles in all the countries in which Nortel conducts business.  In short, it will not be until first quarter of 2010 before anyone knows who will own Nortel’s enterprise business.</p>
<p><span id="more-1881"></span></p>
<p>Avaya is in the same place Nokia Siemens was in when they were bidding for Nortel’s CDMA and LTE access unit business in June. Nokia had placed a bid of $650 million for this profitable business unit only to lose it to Ericsson, who outbid it with a $1.13 billion offer.  Siemens or its financial sponsor the Gores Group is interested in acquiring Nortel’s enterprise business too.  But while it&#8217;s early in the process and there is uncertainty as to who else may have interest in Nortel’s enterprise business, IT leaders can and should prepare now for a change of ownership at Nortel.</p>
<p>Nortel customers are in a precarious position.  Will Nortel’s new owner continue investing in its products, or will it let them slowly enter end-of-life by allowing them to fall behind in features and function, increasing the incentive to switch to more feature-rich solutions, as both Avaya and Siemens offer overlapping product sets?  While there is little doubt that maintenance contracts and obligations will continue under new ownership (as maintenance is lucrative business), the question is who will maintain the equipment?   There is no reprieve for Nortel customers large or small.  If you are a large Nortel customer who has chosen to standardize on Nortel’s voice and data solutions then uncertainty abounds, as there will be no other option but to wait and see who your new supplier is and to assess a massive migration plan.  For IT departments that chose a mixed vendor approach, your risk has been partially mitigated and there is a chance your organization has a relationship with the new owner.  But for Nortel customers large and small, it’s highly likely that a transition plan will be required.</p>
<p>The unified communications (UC) market is a smaller worry than data networking infrastructure.  UC is still early in the deployment cycle with Avaya, Cisco and Siemens offering cross vendor solutions thanks to SIP trunking and interface support.  SIP should be at the center of transition planning for IP and TDM telephony to UC. Corporations with a Nortel data network infrastructure in place will find it more difficult to develop a slow and smooth transition and will more than likely be forced into a rapid transition.  The reason is that it&#8217;s unclear whether Avaya or Siemens, if either were to acquire Nortel’s enterprise business, would keep it.  Avaya had previously provided network switches with its Cajun line only to exit the business, as a single solution value proposition was most credible from Cisco.  Avaya was unable to keep up with Cisco’s switch investment and, most importantly, Cisco certified engineers were reluctant to switch vendors as they viewed it as a career-limiting decision.  With Cisco owning more than 60% of the enterprise switch market, the thinking was, and is: if I get fired or decide to leave my current employer, I have a much greater opportunity to find another employer with a Cisco infrastructure, which provides a greater market for my skills.  If Avaya, Alcatel-Lucent or others acquire Nortel’s enterprise business it’s likely they will sell the data networking business. Siemens Enterprise includes Enterasys, which would benefit from Nortel’s data networking gear, talent, customers and channels.</p>
<p>Cisco offers a data networking safe harbor for Nortel customers as their market share affords them investment resources, large customer requirements that are fed into product development in addition to their financial stability.  3Com/H3C also offers a safe harbor as its product portfolio of data gear is full.  HP’s recent switch expansion also offers a safe harbor; however it is limited to network switches and their router products are nearly non-existent. </p>
<p>I offer the following advice for Nortel customers to consider:</p>
<p><strong>Time is Your Friend:</strong>  By the end of Q1 2010 Nortel’s change of ownership should be complete and uncertainty eliminated.  If your corporation can wait until the new owner is known then you mitigate the risk of choosing a new supplier that is completely orthogonal to the new owners.  This option is the status quo as Nortel’s enterprise business shrank 28% year over year as Nortel reported its Q2/09 performance in August, 2009.</p>
<p><strong>Separate Voice and Data:</strong>  Think of voice communications and data networking transition plans differently and develop separate plans.  It’s highly unlikely that any of the traditional voice suppliers will keep Nortel’s data business which means it&#8217;s highly unlikely that the new acquirer will be a “little” Cisco or 3Com/H3C offering both voice and data solutions.  It’s also highly unlikely that Cisco, 3Com or HP will acquire Nortel’s enterprise business which raises the possibility that Nortel customers will be forced to change out their data gear.  </p>
<p><strong>Develop Data Networking Transition Plan Now:</strong>  With more uncertainty around Nortel’s data networking business, Nortel customers should consider accelerating their data network transition plans by assessing data networking suppliers Cisco, HP, 3Com, Force 10 Networks, Brocade, Extreme, Juniper, Siemens/Enterasys, et al.  Some will offer trade-in plans and other incentives to make the switch.</p>
<p><strong>Consider UC Overlay:</strong>  Nortel customers should consider utilizing their TDM telephony gear until it&#8217;s absolutely required to replace while deploying UC as an overlay.  In short, offer two voice communication services, TDM and UC with investment tilted toward UC.  Unless a Cisco or Microsoft UC solution is favored it&#8217;s advisable to wait until Nortel’s new owner is known before committing.  This strategy offers investment in new voice technology and a trajectory for the future while receiving the highest investment return on Nortel voice equipment. </p>
<p>There is a school of thought that Nortel customers should start working with other suppliers now to transition their networks.  The thinking is that there is no guarantee that whoever acquires Nortel’s assets will be a better company to work with and may be distracted for months digesting the new business.  For this reason some are planning transition plans now with vendors.  There is clearly a shift to value and safety which Cisco, 3Com/H3C and HP are enjoying among this large and growing group of ex-Nortel customers.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2009/09/lippis-report-131-avaya-siemens-vie-for-nortel-with-bidding-anti-trust-phases-looming-how-customers-should-prepare/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Lippis Report 130: Global IT Security Threat Trends and Future Outlook</title>
		<link>http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/</link>
		<comments>http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/#comments</comments>
		<pubDate>Tue, 21 Jul 2009 01:22:30 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=1804</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Cyber crime and IT security threats are taking a more ominous turn as they seek financial gain by exploiting open Web 2.0 technology vulnerabilities and share “tricks of the trade” via collaborative web sites.  Hackers and cybercriminals are launching ever…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Cyber crime and IT security threats are taking a more ominous turn as they seek financial gain by exploiting open Web 2.0 technology vulnerabilities and share “tricks of the trade” via collaborative web sites.  Hackers and cybercriminals are launching ever more sophisticated attacks on businesses and individuals, intent on mastering the arts of trust-breaking and reputation-hijacking.  The economic motive for cybercrime is well documented and lucrative, which is disturbing on multiple levels.</p>
<p><span id="more-1804"></span></p>
<p>First, during the economic downturn with high and growing unemployment more cybercriminals are being recruited with the opportunity to make $5K to $10K per week at “entry” level positions; large cybercrime organizations “earn” or more appropriately “steal” tens of millions of dollars annually.  Second, with the prospect of large paydays, cybercriminals are increasing their skills to both stay one step ahead of security professionals and to craft even more sophisticated attacks that blend worms, botnets, phishing, etc., over mobile, social networking, cloud computing and traditional Internet vehicles. Attackers are combining old-school methods that exploit Windows vulnerabilities with new complex approaches, making attacks more difficult to detect and demanding more diligence from IT security operations to protect corporate assets.  There is a good spy versus bad spy force at work and it’s hard to tell who is winning.  In this Research Note we expose and highlight key global IT security threats and trends from the first part of this year and provide a future outlook.  This Research Note is based in part upon the “Cisco 2009 Mid-year Security Report” available <a href="http://lippisreport.com/2009/07/cisco-2009-mid-year-security-report/">here</a>.</p>
<p>The Conficker worm offers insight into global threats and trends, shaping the future outlook for IT security.  The Conficker worm propagated globally, infecting tens of thousands of new machines daily during the fall of 2008 and was slowly exposed as a massive botnet with a strong profit motive.  These new deceptive exploits are increasingly using different forms of malware to avoid detection and increase reach plus impact.  This new breed of exploit proves tricky as it changes form, launches multiple and different attacks and is instructed by its creators to perform new tasks via multiple forms of Internet communications.</p>
<p>For example, an exploit may start as a worm, disabling various Windows services such as Automatic Update and Security Center and blocking access to websites that allow users to remove the infection.   These exploit techniques are not new and that’s the point.  Cybercriminals will use old techniques such as exploiting a Microsoft vulnerability to plant their code onto millions of computers, only to turn them into botnets whose bots the cybercriminals can instruct to perform specific tasks.   For example, it’s not uncommon that once infected a bot will then receive instructions directing it to propagate, gather personal information, and download and install more malware onto victims’ computers.</p>
<p>For Conficker, researchers realized that on April 1, 2009 the growing botnet would transition to a new method of communicating to its creator.  The security industry responded to this threat with a Microsoft patch and a new model of threat mitigation.  As April 1 approached, security researchers were able to “dissect” the worm and piece together its plan of attack.  On or about April 1, Conficker would begin generating thousands of Internet domain names and attempt to instruct some of them to download updated software. Although the botnet began generating 50,000 domain names per day compared to 500 before the April update, this method of communication was never actually put into place; peer-to-peer functionality was instructed instead.  The lesson learned here is that these new breeds of exploits are difficult to dissect and they morph into different forms of malware.</p>
<p>The end game for a large percentage of exploits is to monetize, and botnets offer unique attributes for their cybercriminal owners.  Botnets are well suited to launch an outbreak of spam, for example.  Consider a botnet that distributed spam offering a free trial of software that would allow individuals to read supposedly private SMS messages. The malicious payload delivered via the fake SMS software was the Waledac worm; the botnet subsequently advertised security software to remove it for a fee.  Spam and scam techniques rise with high profile global news such as the swine flu, where swine flu spam accounted for 4% of global spam traffic.  But in addition to these spam and scam approaches, botnet owners are also leasing their bots in a software-as-a-service model to other cybercriminals to launch their own exploits, which not only provides revenue to the botnet owner but increases the number of exploits distributed per network of bots.  By the way, the going rental rate for a bot is 10 to 25¢.</p>
<p>It’s this new level of chicanery that has demanded a new model for threat mitigation response.  The rapid propagation of these new complex and tricky exploits emphasizes the need for risk and threat management that intelligently determines that attacks can be sourced from anywhere in a network and on the globe.   A key takeaway from the Conficker experience is the value of collaboration in fighting back. The Conficker Working Group, composed of more than 100 organizations involved in technology and security was formed in February 2009.  ICANN, the organization that coordinates the Internet’s naming systems and a member of the Conficker Working Group, was able to compile a list of the domain names Conficker was attempting to contact, thanks to data provided by security researchers tracking the worm. ICANN then passed this information to top-level domain operators, who could then block these domains. </p>
<p>This coordinated effort went a long way toward blunting the impact of the worm and subsequent botnet and is now the new model for how researchers share information and develop defenses to mitigate a new breed of exploits. From the above the following IT security global threat trends and outlook are offered:</p>
<p><strong>Morphing Exploits Will Become The Norm:</strong>  The days of a single exploit, be it a worm, virus, botnet, spam, etc., are over. Today’s cybercriminals use all of these “tools” and their unique attributes to inflict harm with an ever-increasing profit motive.</p>
<p><strong>Botnets are the Tool of Choice:</strong> These networks of compromised computers serve as an efficient means of launching an attack.   In addition, it’s becoming clear that botnet owners are renting out these networks to fellow criminals, effectively offering compromised resources using the SaaS model to deliver spam, malware, etc.</p>
<p><strong>Spam Will Only Increase:</strong>  One of the most established ways to reach millions of computers with legitimate sales pitches or links to malicious websites, spam remains a major problem in the spreading of worms and malware, as well as clogging Internet traffic. A staggering 180 billion spam messages are sent each day representing on average about 90 percent of all email traffic.  Botmasters are increasingly using spam to promote the propagation of worms, spyware and online scams which will only increase the amount of spam going forward.</p>
<p><strong>Spamdexing:</strong> Many types of businesses have long used search engine optimization to be listed more prominently in searches conducted on Google and other sites. The tactic, involving packing a website with relevant keywords or search terms, is increasingly being used by cybercriminals seeking to disguise malware as legitimate software. Because so many tend to trust and not be suspicious of rankings on leading search engines, they may readily download one of the fake software packages assuming it is legitimate.  The creators of Conficker used spamdexing to promote fake security software, and other malware.  Be careful during major news cycles as spammers are increasingly using social engineering via spamdexing to offer fraudulent and dishonest solutions.</p>
<p><strong>New Attacks Target Social Networking:</strong> The rise of social networking has made it easier to launch attacks.  The hundreds of millions of people engaging in these online communities are more likely to click on links and download content they believe were sent by people they know and trust. </p>
<p><strong>Text Message Scams Only To Increase:</strong> Since the start of 2009 at least two or three new campaigns have surfaced every week targeting handheld mobile devices.  The rapidly growing mobile device audience is unfortunately a new frontier for fraud, irresistible to criminals. With some 4.1 billion mobile phone subscriptions worldwide, a criminal may cast an extraordinarily wide net and still walk away with a nice profit, even if the attack yields only a small fraction of victims.  The Conficker creators used spam to offer a free trial of software that would allow individuals to read supposedly private SMS messages.</p>
<p>The above list of global security trends and associated outlook point to ever more sophisticated exploit techniques at the same time as hackers and cybercriminals increasingly target popular new platforms such as smartphones, Web 2.0 technologies and social networking sites.  Furthermore, as cloud computing takes off it is highly likely that it will be an irresistible target for cybercriminals, and hackers as well, to launch their exploits.  Remember the above list has manifested itself only during the last six months highlighting how fast cybercriminals and hackers have become in modifying their techniques. </p>
<p>But security researchers have modified their defense techniques to confront these new challenges, and IT security operations can too.  During the first half of ‘09 there were new positive and potent methods for combating these threats. First, security researchers and the organizations they notify and work with have stepped up their use of collaboration technologies.  Collaboration is being used by the “good” guys to quickly identify threats and develop mitigation solutions.  Collaboration between security researchers, standards organizations, vendors, service providers and law enforcement is the new organizing principle to understand threat nature and develop mitigation solutions.  For example, ICANN, mentioned above, was extremely effective at organizing a massive mitigation response to Conficker that significantly reduced its impact and damage thanks to its collaboration with the Conficker Working Group.</p>
<p>In addition to collaboration the United States government has stepped up its focus and is providing leadership on cyber security, thanks to President Obama’s efforts.  Following a formal “60-Day Review” of cyber security in the US, President Obama announced that he will appoint a “cyber security coordinator” to oversee “a new comprehensive approach to securing America’s digital infrastructure.” The Obama administration is expected to keep the spotlight on making improvements and embracing innovative thinking in both U.S. cyber security and technology policy. </p>
<p>IT security operations organizations have seen a shift over the years from exploits attacking specific IT vulnerabilities to the use of social media, scams, blended attacks through spam/web, etc., motivated by wreaking havoc or thrill seeking which has now nearly fully transitioned toward a financial gain motive.  Because of this trend, security operations may have been lulled into becoming less diligent about patching and closing IT vulnerabilities, thinking that these older forms of attacks are on the decline.  But remember, Conficker used an old technique of writing code that exploits a vulnerability infecting millions of computers/companies/individuals, but they did this with the motive not to just wreak havoc, but to gain financially and steal data.  </p>
<p>The key insight here is that security operations are well advised to continue conducting vulnerability assessments across the entire IT infrastructure as a best security practice.  The grim fact is that the new trends used by cybercriminals are the exploitation of both old and new techniques to gain their financial goal.  This means that security operations are well advised to stay on top of traditional security methods as &#8216;you never know&#8217; what attackers are going to use next.  In addition to the above, we offer a set of recommendations in the Cisco 2009 Mid-year Security Report available <a href="http://lippisreport.com/2009/07/cisco-2009-mid-year-security-report/">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Lippis Report 129: The Gestalt Approach To IT Security Takes Shape</title>
		<link>http://lippisreport.com/2009/07/lippis-report-129-the-gestalt-approach-to-it-security-takes-shape/</link>
		<comments>http://lippisreport.com/2009/07/lippis-report-129-the-gestalt-approach-to-it-security-takes-shape/#comments</comments>
		<pubDate>Tue, 07 Jul 2009 03:43:15 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=1734</guid>
		<description><![CDATA[<p><img class="alignright" src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="Nick Lippis" />Today’s Enterprise IT defenses against malware or exploits are built by deploying a set of security appliances that mitigate specific threats.  This appliance approach was very effective during the 1990s when dominant threats were hackers attacking corporate IT assets via…</p>]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright" src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="Nick Lippis" />Today’s Enterprise IT defenses against malware or exploits are built by deploying a set of security appliances that mitigate specific threats.  This appliance approach was very effective during the 1990s when dominant threats were hackers attacking corporate IT assets via the Internet.  As hackers were joined by cybercriminals, an economic motive to target personal data and create greater havoc materialized along with increased exploit sophistication.  In fact, most of today’s threats are blended, meaning that an exploit might enter a corporation through e-mail, then pass through the web, which ends up carrying botnet traffic that eventually infects a client and phones home to a botnet server.  An exploit could use three or four different vehicles before it launches a full-scale attack, bypassing legacy or siloed security tools.  These blended attacks result in the all-too-familiar consequences of security breaches including company image damage, personally-identifiable information (PII) theft, service downtime, cleanup and remediation costs, compliance penalties, and corporate liability.  So how do security leaders defend against these assaults?  The solution lies in the fact that the more IT security defenses can see, the better defensive control they enjoy.  Enter the Gestalt approach to IT security.</p>
<p><span id="more-1734"></span></p>
<p><strong>The Gestalt Approach</strong></p>
<p>The word Gestalt means a structure, configuration, or pattern of elements so integrated as to constitute a functional unit with properties not derivable by summation of its parts.  In other words, IT needs to think about an IT security approach that delivers greater defense than the sum of its siloed security tools and appliances.  Over the years IT has been too product focused in its efforts to mitigate exploits.  Anti-X client software, firewalls, intrusion detection and prevention systems (IPS), network behavior anomaly detectors (NBAD), alarm aggregators, etc., were deployed and operated independently to address specific exploits.  This resulted in a largely product centric siloed approach to security.  IT ends up having many defense “bits and pieces” but not an overall view and control over their threat level.  Traditional IT security looks at defense as: &#8220;I have devices providing security to devices that are targets.&#8221;  The Gestalt approach is a way to make sure that every device is contributing to the security of the corporation by being able to share information and work collaboratively to defend against increasingly sophisticated exploits through increased visibility and control.</p>
<p>The Gestalt approach had not been possible before as different security vendors focused solely on their product, device or appliance.  There was no common language or organizing principle that allowed security devices and security features within network devices to collaborate in an effort to mitigate and remediate a threat.  The Gestalt approach turns the IT security industry on its head.  Exploits or malware hijack corporate IT assets such as email, web sites, the network, etc., to deliver their damage or target personal and secure data.  In a Gestalt-based security architecture the network becomes an important component of IT’s defense arsenal.  The best example of the Gestalt approach is Cisco’s SAFE, a security architecture and framework to network existing security devices so they work in unison and thus deliver a higher level of IT defense.</p>
<p><strong>Cisco SAFE</strong></p>
<p>Cisco SAFE is designed to address the disconnect between individual security devices not being able to share and communicate information with each other and not being able to leverage network intelligence.   Note Cisco SAFE is not a product; it’s an approach to securing IT assets complete with a reference guide that shows IT how to achieve highly secure networks.  SAFE starts from the perspective that IT organizations have invested in security tools and appliances and offers a way to network these devices and gain greater value from them through configuration suggestions, best practices and how-to guides.</p>
<p>SAFE provides detailed blueprints on each segment of the network, be it the campus, data center, branch, wide area, etc.; these are called “places” in the network.  The blueprints provide information such as security device placement, kinds of applications supported, network functions, and what threats are associated with the unique place in the network, either directly or indirectly.  For example, the campus network may be viewed as being directly attacked; however, most of the time the campus is simply overwhelmed with traffic as an attack is passing through it on its way to the data center.  So how does IT secure all the areas of the network?  What kinds of technologies need to be put in place to obtain the Gestalt effect?</p>
<p><strong>The Security Control Framework</strong></p>
<p>To make SAFE usable, Cisco developed the Security Control Framework (SCF).  SCF is a way of thinking about security so that there is a consistent approach regardless of the place in the network.  To achieve this simplification SCF focused on two principal ideas, visibility and control.  The first is how to increase visibility into a segment of the network and second is how to increase control over end-points, devices and traffic resident in that part of the network.</p>
<p>Using the concepts of visibility and control a series of design guidelines or reference architectures for all the places in the network in a typical enterprise was developed and is available here.  There is a SAFE design blueprint for the data center, campus, Internet edge, branch offices, partner connections, customer connections, e-commerce sites, the WAN, etc., each with their own unique functionalities.  There are separate design guides for each of these “places” as well as a design guide that crosses “places” in the network providing a common approach to a solid network security foundation.</p>
<div class="pod_rel">
<p class="pod_p">Cisco SAFE Solution Overview</p>
<p><a class="pdf_icon" href="/?lippis_pid=1681">Get the White Paper</a></p>
</div>
<p><strong>Proscriptive And Prescriptive Guides</strong></p>
<p>The guides provide information to answer such questions as what are the fundamentals for securing a switch, WLAN guest access, a router, etc.?  What security technologies do you need to have in place?  How do you best enable security that&#8217;s built into the devices themselves, the integrated switch security features or WLAN controllers for example?  Each design guide starts at a high level of device placement then increases in granularity, providing security configuration recommendations, identifying common threats, and implementations.  The guide dives into command line instructions to configure devices appropriately to ensure proper operation of the device in that network place to maximize security defenses there.  For example, a guide would provide guidance as to the placement of an alarm aggregator and recommend a configuration so that it communicates with other devices.  It may prescribe the placement of a firewall and IPS while proscribing best practices based on lab and customer test.  The SAFE guide modules, organized by network “places”, have the value of being fully vetted, tested and validated thanks to thousands of hours of engineering time.  SAFE is both proscriptive in terms of a view, but also prescriptive to assist IT organizations in achieving a high level of security defense by providing device configuration.</p>
<p>It’s in this systematic approach to securing each “place” in the network that SAFE delivers a higher level of defense than the individual devices themselves or what a collection of devices would deliver.  Information and intelligence is thus leveraged across security components and coupled with network intelligence providing increased visibility of threats and defense control.</p>
<div class="pod_rel">
<p class="pod_p">Cisco SAFE: A Security Reference Architecture  The Changing Network and Security Landscape </p>
<p><a class="pdf_icon" href="/?lippis_pid=1691">Get the White Paper</a></p>
</div>
<p>The main purpose of SAFE is to enable a systemic view of threats and security defenses so that organizations have the best mitigation tools possible.  The days of buying IPSs and firewalls, for example, and thinking that an organization is secure have been over for some time.  IT organizations are in an arms race with hackers and cybercriminals, meaning that unfortunately their job of securing their organizations is never going to be done.  But securing IT assets can be made easier by recognizing this fact and shifting thinking away from a component point of view toward building a defense that is systemic across an organization, reaching as far and wide as the tentacles of its network.  This is strategic thinking about security where the focus is on the whole as opposed to the parts.</p>
<div class="pod_rel">
<p class="pod_p">Cisco SAFE Security Architecture Poster</p>
<p><a class="ppt_icon" href="/?lippis_pid=1696">View the Presentation</a></p>
</div>
<p>Cisco provides a suite of professional services that tie directly to each SAFE module.  Cisco also provides full life cycle professional services for SAFE, from an overall pre-SAFE assessment that identifies existing security equipment that can be leveraged, complete with gap analysis and vulnerability closure, to design and implementation, through ongoing management and optimization.  But the SAFE reference guide is free and is designed for IT organizations to implement on their own or with a systems engineer. The 300-page document is available here and will walk you through the step-by-step guides for how to implement SAFE.</p>
<p>The Gestalt approach to IT security and Cisco SAFE offers new thinking in defending corporate assets by networking and configuring each device with a security role as a contributor to the overall security posture of an organization, delivering greater visibility and defense control.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2009/07/lippis-report-129-the-gestalt-approach-to-it-security-takes-shape/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Lippis Report 128: Re-Thinking A Multi-Vendor Network Strategy in a Post Nortel World</title>
		<link>http://lippisreport.com/2009/06/lippis-report-128-navigating-network-infrastructure-expenditures-during-challenging-economic-cycles/</link>
		<comments>http://lippisreport.com/2009/06/lippis-report-128-navigating-network-infrastructure-expenditures-during-challenging-economic-cycles/#comments</comments>
		<pubDate>Tue, 23 Jun 2009 17:33:57 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=1663</guid>
		<description><![CDATA[<p><img class="alignright" src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="Nick Lippis" />Nortel announced on June 20th that it will liquidate its assets and may get less than $2B, which is less than 1% of its pre-dotcom boom valuation.  This is such a sad story as $2B will be divided among holders…</p>]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright" src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="Nick Lippis" />Nortel announced on June 20th that it will liquidate its assets and may get less than $2B, which is less than 1% of its pre-dotcom boom valuation.  This is such a sad story as $2B will be divided among holders of approximately $4.5 billion in Nortel debt, and more than $2 billion owed in severance to ex-employees and pensions to retired managers, and other obligations, according to the <a href="http://bit.ly/5rwPB">Wall Street Journal</a>.  While the CDMA and LTE groups are being sold to Nokia Siemens for an estimated $650M, the enterprise unit, which includes its IP Telephony, UC, Routing, Switching, et al., products, is being valued at less than $500 million since it’s losing money, according to people familiar with the business.  As Warren Buffett said, when the tide goes out you get to see who’s swimming naked, and Nortel was very naked.</p>
<p><span id="more-1663"></span></p>
<div class="pod_wide">
<p><img height="70" width="55" src="http://lippisreport.com/wp-content/uploads/zkerravala2.jpg" /><strong>Nortel Liquidates &#038; Industry Moves On</strong></p>
<p><a href="/?lippis_pid=1652">Listen to the Podcast</a></p>
</div>
<div class="pod_wide">
<p><img height="70" width="55" src="http://lippisreport.com/wp-content/uploads/zeussteve.jpg" /><strong>Network Design in the Post Crash 2008 World</strong></p>
<p><a href="http://lippisreport.com/2009/06/network-design-in-the-post-crash-2008-world/">Listen to the Podcast</a></p>
</div>
<p>The speculation around the industry centers on who will buy the Nortel enterprise business, with all eyes focusing on Avaya and Siemens Enterprise. While I have no inside information on the matter, I doubt that either would buy Nortel’s enterprise assets since they don’t need them, and Nortel customers, channel partners and distributors have been defecting en masse over the past six plus months.  The Nortel maintenance business does have value thanks to a steady stream of revenue.  The bottom line for Nortel customers is that if you haven’t started to develop a migration plan, then you best get started.</p>
<div class="pod_rel">
<p class="pod_p">Cisco® Catalyst® 6500 High Availability: Deploying Redundant Supervisors for Maximum Uptime</p>
<p><a class="pdf_icon" href="/?lippis_pid=1654">Get the White Paper</a></p>
</div>
<p>In this Lippis Report I provide IT leaders with guidance on navigating network infrastructure expenditures during challenging economic cycles such as the current economy.   With Nortel’s liquidation, now is the best time to question the mixed network vendor approach to diversity and redundancy as some IT leaders, pressured by lower capital budgets, seek to procure infrastructure from low cost providers as a means to make ends meet.  I take the position that a common network based upon mixed network supplier platforms paradoxically increases risk, reduces network availability by increasing complexity, which increases Mean Time To Repair (MTTR) and operational cost, the highest cost component in total cost of ownership (TCO).   Also a mixed network vendor environment restricts design options, increases security vulnerabilities and limits the ability to optimize application performance.  A single network platform supplier is recommended for mission critical operations as this approach reduces overall TCO and complexity, increases design options, and simplifies trouble isolation, hastening resolution while optimizing operational resources.  Let me explain.</p>
<div class="pod_rel">
<p class="pod_p">Preparing for the Unexpected: Utilizing Avaya to Help Build Your Communications Continuity Capability</p>
<p><a class="pdf_icon" href="/?lippis_pid=1659">Get the White Paper</a></p>
</div>
<p>The market crash of 2008 and subsequent deep recession modified business behavior and processes permanently.  While the current downturn is mild compared to the Great Depression, the two periods share a common attribute, that being personal and business behavior was significantly modified and for the Great Depression this modification lasted for an entire generation.  As such, nearly all business leaders have focused on streamlining business processes during the fall 2008 and winter 2009 with an eye toward reduced operational cost and preparedness for the upturn.  It’s becoming clear that capital-spending behavior on IT will be similar to the period between 2000 and 2002 when capital spending on IT fell sharply from $160B to $88B, according to the US Census Bureau.  Capital spending during the 2003 upturn did not fund pre-2002 IT projects, but was invested in automating new business processes via IT projects; the same is occurring now.</p>
<p>During this economic cycle winning IT projects include HD video conferencing, collaboration, virtualization, network security and all IT projects which reduce corporate operational spending.  For example, it’s highly likely that business travel will not resume to the levels of the pre-2008 crash as business and IT leaders reap the benefits of travel cost reduction, improved business processes and the avoidance of executive wear and tear, thanks to HD video conferencing and collaboration.  In fact many business and IT leaders are starting to label collaboration and knowledge sharing IT projects as “Strategic Initiatives” as they are key enablers to post-crash streamlined business processes. </p>
<p>A best practice among IT leaders during this and previous downturns has been the implementation of IT project pilots.  While IT pilots are not new, they take on a different priority and meaning during downturns in that they offer an IT organization the time to develop skills, technology understanding, time to assure business leaders of their business processes, automation benefit and planning for massive roll-outs when corporate conditions are met.  The key condition IT leaders are looking for is revenue growth and visibility as the indication to commence rapid corporate-wide deployment.  In short, pre-2008 crash follow-on IT projects will be difficult to fund as a new set of business priorities is being set and institutionalized within new business processes.</p>
<p>There are many implications for the above dynamics, but two in particular are acute.  First, IT organizations will increasingly be directed top down versus bottom up, as business leaders press IT leaders for automation and corresponding operational results.  Second, as more real time and collaboration services are deployed and embedded into business processes, corporations will be dependent upon their enterprise networks to the same degree, if not more, as retailers depend on Point of Sale (PoS) for revenue and business intelligence.  In short, as the economy emerges from its current recession the enterprise network will emerge as the strategic business platform.  In a subsequent Lippis Report we will dive into high availability and risk mitigation associated with mixed versus single vendor networks.  We come down on single for many reasons.</p>
<p>The following recommendations provide business and IT leaders with guidance in navigating corporate network infrastructure expenditures during challenging economic cycles with an eye toward maximizing performance and minimizing total cost of ownership.</p>
<p><strong>Recommendations</strong></p>
<p>As during the 2000-2002 dotcom bust, many start-up operations and large firms too entered chapter 11 and 7 liquidation.  The same is occurring now with Nortel being the most obvious example.  There is a consolidation phase occurring in the networking industry now as evidenced by Foundry Networks merging with Brocade, HP reorganizing its ProCurve group into its TSG organization, IBM tightening its relationships with Brocade and Juniper Networks, Force 10 Networks’ merger with Turin Networks, etc.  These reorganizations put in question product priorities, research and development levels and increase IT risk. </p>
<p>During down economic periods most IT organizations choose to procure equipment and services from independent, financially secure firms who are in charge of their own destiny; the current economic period has shown acceleration in this buying behavior.  Clearly Cisco is unique with over $30B of cash and equivalents, either the number 1 or 2 market share position in its strategic markets, innovation that has only accelerated during the downturn and seasoned executive management that has proven it can navigate difficult markets.  There are others such as HP, IBM with its partners, and now an enterprise re-engaged 3Com/H3C that are enterprise-network contenders. With this in mind and based upon the above discussion, the following recommendations are offered for consideration:</p>
<ul>
<li>To reduce risk of network downtime and operational spend consider a single strategic network platform partner rather than a multi-vendor solution. </li>
<li>Avoid procuring perceived low cost products for low functionality places in the network such as access as this tends to increase operational cost, the largest cost component in TCO.</li>
<li>Consider selecting a network platform supplier that possesses an architectural view of high availability.  Add additional weight in the vendor selection process to a supplier who conducts large-scale deployment validation and testing to achieve higher availability for an entire network.</li>
<li>Consider the single network platform approach for not only dual backbone scenarios but for other mission critical network applications such as branch office and data center deployments.</li>
<li>Consider equipment sparing, device high availability features and network design options as components to deliver a high availability network.</li>
<li>Consider networking suppliers with the financial stamina to not only withstand periods of economic downturn but who will enjoy increased market share and customer scenarios to guide its research and development investments.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2009/06/lippis-report-128-navigating-network-infrastructure-expenditures-during-challenging-economic-cycles/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Lippis Report 127: Getting IT Ready for The Fall Economic Up Turn</title>
		<link>http://lippisreport.com/2009/06/lippis-report-127-getting-it-ready-for-the-fall-economic-up-turn/</link>
		<comments>http://lippisreport.com/2009/06/lippis-report-127-getting-it-ready-for-the-fall-economic-up-turn/#comments</comments>
		<pubDate>Tue, 09 Jun 2009 18:08:33 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Avaya]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[ProCurve Networking by HP]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=1634</guid>
		<description><![CDATA[<p><img class="alignright" src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="Nick Lippis" />The spring business cycle in our industry brought HP and Microsoft closer together, Avaya’s launch of Aura, Cisco’s go-to-market strategy for its unified computing system (UCS), Brocade’s 8000 FCoE switch launch, 3Com/H3C’s new 12500 data center core switch and re-emergence…</p>]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright" src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="Nick Lippis" />The spring business cycle in our industry brought HP and Microsoft closer together, Avaya’s launch of Aura, Cisco’s go-to-market strategy for its unified computing system (UCS), Brocade’s 8000 FCoE switch launch, 3Com/H3C’s new 12500 data center core switch and re-emergence into the enterprise market, Voltaire’s entry into the ethernet data center market and much more.  With the stocks of many networking companies trading higher than before the crash of 2008, it’s becoming clear that the efficiency gains of IT will play a major role in the fall economic up turn.  With that in mind I review the major spring launches and provide my assessment.  </p>
<p><span id="more-1634"></span></p>
<div class="pod_rel">
<p class="pod_p">The Cisco WebEx™ Node for the Cisco® ASR 1000 Series Delivers the Best Aspects of On-Premises and On-Demand Web Conferencing</p>
<p><a class="pdf_icon" href="/?lippis_pid=1627">Get the White Paper</a></p>
</div>
<p>The major spring event that is now shaping the industry was Cisco’s UCS or unified computing system announcement that has placed Cisco into the computing industry and ushered in the unified fabric market.  Clearly HP and IBM were not and are still not happy with Cisco entering into their space and have started to respond.  IBM has become closer to Brocade and Juniper while HP has increased its relationship with Microsoft to bolster its unified communications and collaboration offerings.  I offer pros and cons to the most important spring announcements.</p>
<p><strong>HP &#038; Microsoft Team Up on UC and Collaboration:</strong></p>
<div class="pod_rel">
<p class="pod_p">Virtualization Beyond the Data Center</p>
<p><a class="pdf_icon" href="/?lippis_pid=1629">Get the White Paper</a></p>
</div>
<p>My take with a HP TSG focus:</p>
<p>+ Huge announcement with HP entering into the UC &#038; Collaboration space with MSFT; instant credibility gained</p>
<p>+ Excellent ProCurve pull through sales opportunity</p>
<p>+ HP, IBM and Cisco now compete at Datacenter and UC + Collaboration markets eliminating a major HP hole.</p>
<p>+ Excellent demo(s) with HP + MSFT being able to credibly focus on communications enablement of business processes</p>
<p>- No UC &#038; Collaboration specific features/attributes associated with ProCurve products during the announcement</p>
<p>- Questions of scale need to be addressed as OCS R2 is still immature from a number of end-points and multi-site reliability points of view</p>
<p>- HP is hostage to MSFT UC &#038; Collaboration initiatives, i.e., HP does not control development and MSFT is fighting huge, multiple battles</p>
<p><strong>Avaya’s Aura</strong></p>
<div class="pod_rel">
<p class="pod_p">Avaya Aura Branch Edition Test</p>
<p><a class="pdf_icon" href="http://lippisreport.com/?lippis_pid=1632">Get the White Paper</a></p>
</div>
<p>Avaya launched Aura, which is a device that uses SIP to connect multiple vendors’ phones, PBXs, IP telephony and applications into a streamlined enterprise communications system. My assessment is:</p>
<p>+ Great use of SIP as a way to connect disparate communication systems into one SIP cloud</p>
<p>+ Simplifies mixed vendor communication environments and an excellent way to provide Nortel customers with a migration path toward Avaya</p>
<p>+ Cost reduction thanks to significant WAN, mobile and bridge cost elimination plus centralized communication management yielding operational dividend.</p>
<p>+ Great application integration environment enabling Facebook, Google, et al., screen pops throughout an organization</p>
<p>+ Mobile and office phone integration</p>
<p>++ Reduces short term facilities cost and provides long term application integration/business productivity advantage</p>
<p>+/- Integration into LiveMeeting, SameTime, Adobe Connect Professional and Avaya Web Conferencing, but needs stronger collaboration &#038; social networking offering</p>
<p>- Requires IT staff to be proficient in SIP &#038; application integration</p>
<p>- Multi-vendor management is sparse</p>
<p>- Needs better UC client support</p>
<p><strong>3Com/H3C Re-Enters The Enterprise Market</strong></p>
<p>3Com, under its H3C global brand and new executive management, which includes Ron Sege, President &#038; COO, Alan Kessler, President Tipping Point, Eric A. Benhamou, Chairman, among others, is rebuilding its distribution and partner channels to move its full portfolio of switching, routing, UC, security and mobility solutions to the enterprise market.  H3C sees a behavior change in enterprise IT spending that values green, cost efficiency and high performance networking and seeks to be a major supplier to this market. My assessment is:</p>
<p>+ $1.3B of revenue with operations around the globe</p>
<p>+ Experienced executive management who knows how to execute</p>
<p>+ Full portfolio of switching, routing, UC, mobility and security products for enterprise and data center solutions</p>
<p>+ Low cost basis thanks to Huawei JV</p>
<p>+ New high-end core switch 12500 for data center with 6.6 Tbs of backplane bandwidth, 512 10 GB port density, non-blocking architecture that was designed to support FCoE, 40 and 100 Gbs</p>
<p>+ Brand new approach to network management H3C Intelligent Management Center with a single point of access to configure and manage the entire portfolio of products</p>
<p>+/- Industry needs to fully vet, discuss and evaluate the new 3Com/H3C to discover its value proposition and measure how well it resonates with the new enterprise market realities</p>
<p>- Needs to build credibility and trust in the enterprise market</p>
<p>- Needs to communicate execution plan and roll out customer testimonials</p>
<p><strong>Voltaire Announces the Vantage 8500 Switch</strong></p>
<p>Voltaire announced a high-end ethernet switch called the Vantage 8500 available in the 2nd half of 2009 that touts 288 non-blocking 10 GB Ethernet ports and 11.5Tbs backplane bandwidth.  Key features are Layer 2, CEE, FCoE, Virtualized I/O port, low latency of less than a microsecond and low power of less than 10 W per port. My assessment is:</p>
<p>+ High-end switch from a company that understands high performance with its engineering roots buried in InfiniBand</p>
<p>+ High density 1 and 10 GB Ethernet with key data center logical features such as CEE and its Voltaire scale out capability, which allows two tiers versus three tiers data center constructs to be deployed</p>
<p>+ Touts $1.2K per 10G port, unique design features that deliver linear scale of performance as the number of ports increase</p>
<p>+ Has been focused in high-end data center market addressing need for high-end core layer 2 switching</p>
<p>+/- Unclear how Vantage’s logical features would connect with existing network vendors, storage and CNA equipment</p>
<p>- A relatively unknown company with $62M of revenues</p>
<p>- Above product claims need independent testing and customer testimonials</p>
<p><strong>Brocade 8000 FCoE Switch</strong></p>
<p>Brocade launched its 8000 ToR (Top of Rack) switch with integrated Fibre Channel switch and 8 ports of FCoE support plus 24 10G Ethernet ports. This is an important announcement as it offers a unified fabric solution from Brocade, albeit a limited approach. My assessment is:</p>
<p>+ Impressed with packaging, FC &#038; Ethernet switching plus 2 CNA adaptors</p>
<p>+ Consistent FC and switch management</p>
<p>+ Non-blocking switch fabric; however this needs to be independently confirmed</p>
<p>+/- 8 GB FC a hedge until 10 GB FC</p>
<p>- Brocade manufactured CNAs and no support for 3rd party CNA adaptors</p>
<p>- FC ports on 8000 means still two cable runs to EoR ethernet switch and FC switch</p>
<p>- Lack of a scalable solution</p>
<p><strong>Cisco’s Non-Stop Innovation</strong></p>
<p>In addition to the above, Cisco has been introducing innovations non-stop during the downturn as it prepares its customers for the up turn.  For example, it put its channel muscle behind UCS with a major go-to-market strategy at its Partners conference here in Boston last week, launched WebEx Node for ASR 1000 that won Interop Best of Show, launched EnergyWise to reduce IT and non-IT electrical consumption, launched Cisco Unified Communications System Release 7.1 bolstering its video services, offered new phones and UC features, and launched Global Correlation for the ISR and ASA and the Nexus 1K soft switch for virtualized data center environments.  Cisco has been relentless in its product expansion aimed at making the Network the next business platform.  Close to Cisco and a UCS enabler is VMware’s vSphere 4.0, which promises to usher in large-scale virtualization by providing features previously lacking to virtualize most corporate data center applications.</p>
<p>The crash of 2008 has left its mark not only on the financial systems but also on corporate and personal behavior.  It’s becoming clear that corporate behavior will continue to be frugal well after the up turn; in short IT justifications will be rooted in cost avoidance, reduction and productivity improvements.  The above IT supplier announcements all focus on new and cost effective methods to either design data centers or deliver collaboration.  These two IT projects in particular are high priority on lists of projects from IT leaders as they both offer cost reduction and productivity improvement, which many are planning to exploit as they get ready for the fall economic up turn. </p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2009/06/lippis-report-127-getting-it-ready-for-the-fall-economic-up-turn/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Lippis Report 126: Unified Fabric Options Are Finally Here</title>
		<link>http://lippisreport.com/2009/05/lippis-report-126-unified-fabric-options-are-finally-here/</link>
		<comments>http://lippisreport.com/2009/05/lippis-report-126-unified-fabric-options-are-finally-here/#comments</comments>
		<pubDate>Mon, 18 May 2009 17:58:37 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=1614</guid>
		<description><![CDATA[<p><img class="alignright" src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="Nick Lippis" />Data center IT pros live in interesting times, as they have not seen design changes so sweeping since IBM introduced S360 architecture in the early 1960s. While Moore’s Law maps out a hardware compute trajectory of higher capacity, increased density…</p>]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright" src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="Nick Lippis" />Data center IT pros live in interesting times, as they have not seen design changes so sweeping since IBM introduced S360 architecture in the early 1960s. While Moore’s Law maps out a hardware compute trajectory of higher capacity, increased density and lower pricing, a new software approach to computing, networking and storage has been building over the past few years which is accelerating the effect of Moore’s Law and fundamentally changing data center design and IT delivery. At the center of this change is virtualization of computing, storage and networking which is starting to expand beyond the data center all the way to client end points. The value of virtualization’s economics and utility is well documented with power, cooling and server reduction thanks to an increase in the number of applications that run on servers. And while the industry is readying for a second generation of virtualized data centers thanks to VMware’s vSphere 4, another data center innovation is finally taking shape that offers consolidation of LAN and SAN switches, reduced cabling requirements and cost while increasing performance. This innovation is called a unified fabric. In this Lippis Report Research Note we discuss the unified fabric (UF) from architecture, maturity, and value proposition points of view.<br />
<span id="more-1614"></span></p>
<p>I ran a little experiment using social networking via Twitter to get a pulse on the UF market. I used <a href="http://monitter.com">http://monitter.com</a>. Monitter is a twitter monitor that lets you &#8220;monitter&#8221; the twitter world for a set of keywords and watch what people are saying. Well, I monitored unified fabric for an entire day, just letting it run. There was not one UF posting, meaning that few are discussing UF. Translation, UF is early to market although there are now UF products and/or support from a wide range of companies including Cisco, HP, IBM, Brocade, Qlogic, Intel, EMC, Sun, Mellanox, Fusion, XSIGO, Emulex and many others. </p>
<p>The fascinating aspect of UF is the simplicity and cost reduction it offers to data center network and storage design.  The goal of UF is to consolidate LAN and SAN networks into one. The implication of UF is simplification, meaning that only one network adaptor is needed in a server to support storage, IP and inter-processor-communications (IPC) flows. In short, the expensive Host Bus Adapters (HBAs) are virtualized on a network interface card (NIC) or the server. In some cases all I/O is virtualized with HBA, network and clustering drivers virtualized on the server. Further, only one cable and server connection is needed for both storage and network traffic, which reduces data center server-to-network, and server-to-storage cabling within the rack by over 50%. There is no need for both a storage and network switch; a network switch will suffice, reducing the number of switches by over 50%. UF equates to lower cost, complexity, equipment, power and cooling requirements and increased performance too. </p>
<p>So why haven’t IT departments flocked to deploy UF? It has taken a while to develop all the standards needed to implement UF and in some areas the standards are still under development, but by the end of 2009 UF standards should be ratified. The fall of 2009 should kick off the UF market with 2010 being the year of widespread experimentation and data center piloting. UF deployment will be a multi-year rollout with significant revenues generated in 2010. </p>
<p><strong>Unified Fabric Architecture</strong></p>
<p>What’s intriguing about UF is its architecture and attributes of increased server performance and lower cost/complexity. UF is the ability of a switch and host adapter to use the same physical infrastructure to carry different types of traffic that typically have very different traffic characteristics and handling requirements. While most UF is based upon 10Gbs Ethernet as its foundation, InfiniBand, thanks to its high data link speeds and low latency, is also being used. </p>
<p>UF is comprised of three primary hardware components: a converged network adaptor (CNA), a 10 Gbs Ethernet link, preferably the twin-ax SFP+ variety, and a 10Gbs UF switch that supports storage, inter-processor communications (IPC) and IP data packets. As you can guess, this 10Gbs Ethernet link is special as it needs to support storage and IPC traffic flows, which, unlike TCP/IP, are not designed to be forgiving of dropped packets. In short, UF calls for ethernet to be partitioned into lossless and lossy logical links that are accommodated by extending the IEEE 802.1Q priority and IEEE 802.3x Pause concepts in what has been named Convergence Enhanced Ethernet (CEE (pronounced &#8220;sea&#8221;)).  The 10Gbs Ethernet UF switches need to ensure strict bandwidth scheduling for storage, IPC and IP traffic, automated configuration and forwarding of lossless and lossy traffic flow, which is the job of Data Center Bridging (DCB). DCB is close to being standardized in IEEE P802.1Qbb, IEEE P802.1Qau and IEEE P802.1Qaz. Just this May, the University of New Hampshire Interoperability Lab hosted a DCB plug fest that demonstrated interoperability between DCB vendors including Cisco, Dell, Qlogic, Intel, NetApp, Fulcrum Microsystems and Finisar. </p>
<p><strong>Three Main Storage Architectures</strong></p>
<p>With three primary storage architectures, UF gets a little messy or rich, depending on your perspective. There is iSCSI, Fibre Channel (FC) and InfiniBand (IB). IB is used to connect servers to storage in high-performance data centers as its architecture boasts quality of service, low latency, failover and is scalable from 2 Gbs to 96 Gbs.  Most IB implementations are running at 20 Gbs moving to 40 Gbs.  FC represents some 20% of all server-storage connections thanks to its B2B link credit mechanism which ensures lossless operation and scales from 1 to 12 Gbs with 2, 4 and now 8 Gbs speeds commercially available.  Dell&#8217;Oro pegs the FC switch and HBA market at approximately $2.7B.  iSCSI utilizes TCP which ensures lossless operation and scales with ethernet from 1 Gbs to 10 Gbs and above.  iSCSI is the fastest growing category in the storage market with revenue growth of 76% between 2005 and 2010, according to IDC.  IDC forecasts iSCSI to be a $5B market in 2010 representing nearly 20% of the external disk storage market, up from 3% in 2005.  These numbers tell the story of why HP bought LeftHand Networks and Dell bought EqualLogic, both of whom are iSCSI providers.  10 Gb Ethernet is a boon for UF as it starts to offer the bandwidth to support FC, IB and/or iSCSI storage flows.  Over time 40 and 100 Gb Ethernet will be available but with the dominant ethernet speed in data centers being 1 Gbs, 10 Gb Ethernet is a sure bet for UF over the next several years. </p>
<p><strong>iSCSI</strong></p>
<p>iSCSI runs over IP today without the need for a special CNA.  iSCSI can run over ethernet, IB, ATM, Frame Relay, MPLS, et al.  But iSCSI&#8217;s reliance on TCP for reliable transport has caused many data center managers to pause, thanks to concerns over jitter, latency and reliability at 1 Gbs Ethernet.  The vast majority of iSCSI users build separate ethernet networks to support iSCSI and IP traffic, with a few segmenting the traffic via VLANs.  10 Gbs Ethernet potentially removes the pause as the higher speed may mitigate previous concerns with iSCSI and IP traffic flowing over a single 10Gbs Network Interface Card (NIC).  If this pans out, then iSCSI may realize a surge in popularity as it is widely supported by all server concerns.  It&#8217;s interesting that Solid-State Drive (SSD) innovator <a href="http://www.fusionio.com/">Fusion io</a> offers iSCSI over ethernet via a PCI Express adaptor to access its SSD, meaning that the SSD performance leader feels comfortable using iSCSI and ethernet for SSD access. </p>
<p><strong>IB</strong></p>
<p>There are many IB providers such as Voltaire, Mellanox, et al., but a few are using IB as a UF.  For example, <a href="http://www.xsigo.com/">XSIGO Systems</a> uses IB as a UF, while servers see virtualized NICs and HBAs. The server is completely unaware that it is using IB. The administrator can create vNICs and vHBAs on the I/O Director and these show up as ethernet interfaces or HBAs on the server while it gateways into ethernet and even FC. Accenture Software Utility Services uses XSIGO’s VP780 I/O Director and provides data center services to such firms as Best Buy, Mass Mutual, Continental Airlines, Virgin Blue, JetBlue, Net2Phone, et al., proving IB UF viability.  IB is used as a UF construct here connecting servers-storage and server-server links with gateways to ethernet and FC LANs/SANs.  IB providers are moving down market too, from their High Performance Computing (HPC) heritage in an effort to broaden IB&#8217;s appeal to data center professionals as a UF.   There are also proposals for IBoE. However, the bulk of IT suppliers are either offering or announcing FCoE or iSCSI UF solutions. </p>
<p><strong>Fibre Channel Over Ethernet</strong></p>
<p>In the FCoE switch UF market a few companies dominate, those being Cisco Systems and Brocade. Cisco offers its Nexus 5020 FCoE switch while Brocade has recently introduced its 8000 FCoE switch. EMC also provides an FCoE switch, that being the Connectrix NEX-5020 which is the Cisco Nexus 5020. Converged network adapters (CNAs) that combine the functionality of an Ethernet NIC and a FC HBA are available from Emulex, Qlogic, Intel and Brocade. Native FCoE support on NetApp SAN storage arrays has been announced while EMC’s new Symmetrix V-Max supports native FCoE. Look for HDS, IBM, HP, Compellent, Dell, Sun, Pillar, Fujitsu, et al., to announce native FCoE during the fall of ’09.  Many of these firms are working with QLogic to use its CNA ASIC on their array controller boards, which would provide native FCoE support and connect directly to 10 Gb Ethernet switches.</p>
<p><strong>Increasing Server Performance</strong></p>
<p>While UF components are becoming available, UF has a large role to play in increasing server performance. With the advent of 10 Gb and soon 40 to 100 Gb Ethernet, networking speeds are now outpacing CPU speeds, which means servers will have to work harder to keep up. When servers participate in network processing it reduces application performance as a large amount of CPU time is spent in the TCP/IP stack to copy data and manage buffers.  To increase application performance especially in server-to-server communications and inter-processor communications Remote Direct Memory Access (RDMA) was developed to allow computers in a network to exchange data in main memory without involving the processor, cache, or operating system of either computer. Further, the IETF developed Internet Wide Area RDMA Protocol (iWARP) as an update to RDMA’s use over the internet. </p>
<p>But alas, there is disagreement on which standard to use: RDMA over ethernet or iWARP over ethernet. For example, Intel boasts that it will support iWARP over ethernet on every motherboard while others support RDMA over ethernet. The reason why this discussion is relevant to UF is that 10 Gbs Ethernet is a fundamental UF technology and thus with current line rates of 10 Gbps and higher, non-RDMA network transfers consume significant amounts of the available memory bandwidth and result in system CPU(s) stalling on memory accesses. In short, RDMA allows servers to keep up with network speeds and since UF is enabled by 10 Gb Ethernet, RDMA needs to be included in a UF solution. The <a href="http://www.openfabrics.org/index.htm">OpenFabrics Alliance</a>, a consortium of IT suppliers, government and corporate IT professionals, is working to deliver a unified, cross-platform, transport-independent software stack for RDMA that is architected for high-performance, low-latency and maximized efficiency. The OpenFabrics software is being bundled in VMware, HP’s BladeServers, Red Hat Linux with a Windows version available for IB.  It needs to accelerate its work for FC and iSCSI. </p>
<p><strong>Status and Issues</strong></p>
<p>At this point in time, there is clear momentum behind FCoE as it enjoys the widest support across IT suppliers and it’s likely this momentum will only increase as we enter into the fall of ’09. While there are only a few FCoE switches available, every major ethernet and SAN switch supplier will offer a FCoE switch either by the end of ’09 or early ’10. So for those with FC storage infrastructure it’s time to start experimenting and piloting a small FCoE island to gain skills and comfort with the technology.</p>
<p>There are issues with FCoE too. Currently, there are only two switches to choose from, limiting choice; also where FCoE termination occurs will change over time. FCoE is terminated in the FCoE switch now while over time it will be terminated in Disk Arrays, forcing a transition from FCoE termination in Top of Rack or End of Row switches to Disk Arrays. Over time one can imagine a pure ethernet switch with DCB forwarding FCoE, IPC and IP packets to their destinations. Also there are no RDMA options for FCoE today. Another issue is that FC links can run up to 8 Gbs, which would leave only 2 Gb for IP and IPC traffic. Also there are FCoE switch suppliers such as Brocade who have developed their own CNAs and don’t currently interoperate with 3rd party CNAs.</p>
<p>For those with large investments in IB and strict latency requirements that are only met with IB, IB as a UF is being proved out as Accenture Software Utility Services shows.  It&#8217;s unclear how far IB will move down market and it’s hard if not foolish to bet against ethernet as a UF transport.  IB enjoys the widest RDMA support with the OpenFabrics Alliance supporting Linux, Windows and VMware over IB. Also HP, Sun, IBM and Dell blade server systems all support IB options as their high performance solutions.</p>
<p>iSCSI will benefit from 10 Gb Ethernet and DCB in high performance ethernet switches.  In this model a single 10 Gb Ethernet NIC would support both iSCSI and IP traffic with layer 2 or layer 3 segmenting storage and IP traffic flows.  For the mass UF market, at this time, it seems that iSCSI and FCoE are the two main options with IB as the UF option in the HPC segment. </p>
<p>A final note. It’s clear that Cisco, HP and IBM are putting their significant weight and influence behind FCoE. However, FCoE is a core component of Cisco’s Unified Computing System and Cisco has thought through the system level issues associated with integrating computing, networking and storage, which should yield it a learning curve edge on next generation virtualized data center design. In short, Cisco has embraced UF to a much larger extent than its data center competitors, offering a safe harbor in which to experiment with UF and as many technology transitions before, it&#8217;s not necessarily the technology but the companies behind them that decide which one wins or loses.  </p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2009/05/lippis-report-126-unified-fabric-options-are-finally-here/feed/</wfw:commentRss>
		<slash:comments>11</slash:comments>
		</item>
		<item>
		<title>Lippis Report 125: Cisco Launches Cloud-Based Global Correlation Threat Defense</title>
		<link>http://lippisreport.com/2009/05/lippis-report-125-cisco-launches-cloud-based-global-correlation-threat-defense/</link>
		<comments>http://lippisreport.com/2009/05/lippis-report-125-cisco-launches-cloud-based-global-correlation-threat-defense/#comments</comments>
		<pubDate>Tue, 05 May 2009 01:03:35 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=1582</guid>
		<description><![CDATA[<p><img class="alignright" src="/wp-content/uploads/nicklippis.jpg" />During this downturn Cisco has taken the opportunity to launch initiatives that rivals simply do not have the scale and wherewithal to deliver.   Cisco is delivering well thought out solutions to big problems with its smart grid initiative, EnergyWise energy…</p>]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright" src="/wp-content/uploads/nicklippis.jpg" />During this downturn Cisco has taken the opportunity to launch initiatives that rivals simply do not have the scale and wherewithal to deliver.   Cisco is delivering well thought out solutions to big problems with its smart grid initiative, EnergyWise energy management, Unified Computing System (UCS), collaboration, and now IT security. At RSA Cisco launched its Cisco Security Intelligence Operations (SIO) that leverages its presence in service provider and enterprise networks to deliver a global correlation of threats and in the process offers the deepest and widest range of IT security defenses available in the industry.  SIO is in essence a “security cloud” service capable of identifying threats propagating throughout the internet and intranets before corporate networks are infected by transmitting mitigating code to enterprise security devices such as IPS, firewall, Web and email systems. </p>
<p><span id="more-1582"></span></p>
<p>IT security has been delivered piecemeal and aligned with an IT supplier’s core competency.  For example, Microsoft delivers security patches and fixes to Windows often, Anti-X firms such as McAfee, Trend Micro, IBM, Symantec, etc., focus on desktop malware, application firms such as Oracle, et al., deliver security solutions to protect their applications, Juniper, Check Point, and others offer firewalls and IPS, etc. All of these security solutions are useful and needed, but they are not systemic.  They cannot correlate and interact with other security software to bolster defenses and provide SECOPS with contextual information that reduces false alarms and focuses defenses to mitigate an attack.  This is where networking acting as a threat mitigation system offers unique value and where Cisco SIO delivers. </p>
<p>First let’s frame the problem most, if not all, SECOPS and business leaders are confronted with on a daily basis.  Over the past business cycle enterprises have significantly increased their use of collaborative and social networking applications which deliver productivity value but also an abundance of risk.  Cybercriminals are front and center to either sabotage or gain financially through these new applications.  The newest wave of threats often target personal data and are blended in nature, propagating via multiple vehicles such as web, email, and USB keys to bypass legacy or siloed security tools.  The all-too familiar consequences from security breaches include company image damage, personally-identifiable information (PII) theft, service downtime, cleanup and remediation costs, compliance penalties, and corporate liability.  Consider the level of risk:</p>
<ul>
<li>Spam accounts for over 100 billion messages each day, which is approximately 85% of email sent worldwide. Eighty percent of spam is from infected clients</li>
<li>The number of disclosed vulnerabilities grew by 6.77% between 2007 and 2008</li>
<li>Vulnerabilities in virtualization products tripled, from 35 in 2007 to 103 in 2008</li>
<li>Fifty percent of attacks are by serial offenders, and 70% of botnets use dynamic IP addresses to evade blacklists</li>
<li>Over the course of 2008, there was a 90% growth rate in threats originating from legitimate domains, nearly 2 times the amount of 2007</li>
<li>Organizations that experienced a data breach in 2008 paid an average of $6.6 million last year to rebuild their brand image and retain customers</li>
</ul>
<p>The goal of Cisco’s SIO and global correlation is to both close the above vulnerabilities and give employees the freedom to use collaborative, social, mobile and other IT assets with significantly reduced risk.  SIO is built upon Cisco’s security products including Cisco IPS and Cisco ASA and leverages IronPort and IntelliShield to deliver security intelligence.  But SIO is an architecture or framework made up of three components: SensorBase, Threat Operations Center and Dynamic Updates.  It’s these three components working in unison that deliver global correlation to threat mitigation and in the process also deliver a security infrastructure that dynamically protects a corporation against the latest threats.  Let’s look more closely at them: </p>
<p><strong>SensorBase:</strong>  The first SIO component is Cisco SensorBase, which identifies threats by collecting information from a growing base of over 700,000 globally deployed sensors such as IPS devices, firewalls, web security and e-mail security devices and 600 third-party feeds.  The number of sensors and partner feeds continues to grow as Cisco customers can choose to opt in to SensorBase and send traffic samples to it on the order of 500GB/day allowing SIO to detect malicious activity in their traffic.  As a point of scale SensorBase is able to examine over 30 percent of the world’s e-mail thanks to strategically located honey-pot accounts equipped with e-mail addresses that have been publicized on lists that spammers might use to send spam, thanks to relationships with 8 of the top 10 global ISPs.  SensorBase has enhanced the ability to sniff out and identify the latest threats.  </p>
<p>So many of today’s threats are blended, meaning that an exploit might enter a corporation through e-mail, then pass through the web which ends up having botnet traffic that eventually infects a client and phones home to the botnet server.  An exploit could traverse or use three or four different vehicles before it launches a full-scale attack.  Therefore, the more that security defenses can view the better the defense.  To address blended threats, SensorBase is collecting information from four initial sensors and correlating this information with approximately 3,300 IPS signatures.  The combination of IPS signatures with massive sensor feeds allows SensorBase to expand beyond exploit-specific to vulnerability-specific threats allowing IPS signatures to cover a wider range of exploits.  For example, there may be 100 exploits intending to affect a vulnerability but by SensorBase addressing vulnerability specific threats, one IPS signature can mitigate 100 exploits, making SensorBase IPS signatures much more potent than traditional IPS device signatures. </p>
<p>In addition to the sensors and IPS signatures, SensorBase also has integrated Cisco’s IntelliShield, which contains the largest vulnerability database on the planet with 40,000 different vulnerabilities that are continually tracked.  In addition to sensors, IPS signatures, and IntelliShield, SensorBase also collects information from 600 third-party feeds as well.  The benefit of SensorBase is being able to collect real time network traffic threats from so many devices into a live information feed, where security threat information is always being collected and used to correlate and extrapolate more sophisticated intelligence to warn customers and mitigate threats. </p>
<p><strong>Threat Operations Center:</strong> The second SIO component is Cisco’s Threat Operations Center (TOC) that consists of five global teams of researchers and analysts. The most important attribute of TOC is that it develops automated techniques that extract SensorBase threat information and deliver actionable tasks to close vulnerabilities.  These automated techniques build upon SensorBase live information feeds, a reputation database to deliver globally-correlated identified threats, and develop automated mitigation strategies quickly which are then transmitted to email, web, IPS and firewall devices hopefully before an enterprise is infected. </p>
<p><strong>Dynamic Updates:</strong> The third SIO component is Cisco’s dynamic updates and actionable intelligence distributed in real time to customer security devices around the globe.  Reputation is at the heart of global correlation as TOC is able to score threats from 1 to 10, 10 being threats with the worst reputations.  Reputation-scored threats contain such parameters as the originator, its source destination, IPS signature, etc., across multiple types of threats.  Reputation data is generated in real time as threats are emerging, so that TOC may send dynamic updates of threat mitigation information to IPS devices around the world.  In short, TOC analyzes the SensorBase live information feed for threats, calculates reputation scores and automatically sends out security updates and alerts to e-mail, web, firewall and IPS devices via dynamic updates. </p>
<p>Dynamic updates, in the case of reputation-identified threats scoring between 8 and 10 are distributed in real time.  These high reputation-scoring threats afford high priority and speed of mitigation as SECOPS can automatically block the threat, because their threat reputation indicates that they’ve sent large percentages of malicious traffic to the point that it’s not worth inspecting.   Dynamic updates are sent, on average, every three to five minutes for low scoring reputation-based threats. </p>
<p>The scale of SIO is cloud spec.  SensorBase is based upon 1000 plus servers processing 500GB of data/day streaming in from 700,000 sensors and 600+ partner feeds.  To use SIO, Cisco customers only need to upgrade their IPS to software version 7.0 and ASA 5500 Series software version 8.2. IPS version 7.0 provides IPS reputation filtering with global correlation, which doubles the attack coverage and significantly reduces false positives. ASA version 8.2 is equipped with Botnet traffic filter, which detects infected clients as they attempt to phone home at a rate of blocking 100,000s of malware connections per week. Cisco IronPort was the pioneer of automatically gathering threat intelligence and global correlation, and Cisco Web and Email customers only need to maintain their subscriptions to continue benefiting from SIO. </p>
<p><strong>Full Context Threat Analysis</strong> </p>
<p>With IPS and ASA supported by SIO Cisco is offering a fuller context to threat analysis and mitigation.  For example, traditionally IPSs analyzed content, meaning that they analyzed packets; but now with SIO threats are identified by source reputation and location plus propagation and mutation methods.  This is key to correlation in that in addition to sending out updates every five minutes from SensorBase to IPS, email, web, firewalls and other appliances, they have the option to send their information to SensorBase too; i.e., the data flow is bi-directional increasing the number of sensors over time.  In addition to receiving this security data, it’s gathered over multiple technologies, increasing the context of the threat.  What is key about this bi-directional information feed is that it draws from multiple types of technologies, i.e., email, web, firewall, IPS, etc., enabling SIO to defend against blended attacks or offer different mitigation tactics over time as the attack mutates, as has been observed with Conficker, McColo, Srizbi, etc., botnets and other types of threats. </p>
<p><strong>Recommendations and Guidance: </strong></p>
<p>For Cisco customers, upgrading to IPS v7.0 and ASA v8.2 software versions will offer a large functionality upgrade and access to SIO.  Botnet threat mitigation and global correlation through reputation scoring are powerful defenses to add to IT security operations.  Cisco customers with Cisco IronPort Web and Email Security Appliances will continue to enjoy the full power and defense against blended attacks with global correlation. </p>
<p>I recommend that a pilot first be deployed so that SECOPS gain an understanding of the SIO “system” meaning its alarms, feeds, threat mitigation results, false alarm rate and overall effectiveness.  Once SECOPS and NETOPS are comfortable and skilled then a more phased deployment can commence.  </p>
<p>SIO is clearly targeted to the Cisco installed base; however for those who are investing in IT security and have yet to purchase IPS and ASA (vertically integrated security appliance offering VPN, firewall, IPS, etc., security services), SIO should be considered, as it’s currently unmatched in the industry.  SIO and in particular SensorBase, reputation scoring and global correlation offer a unique approach to defending against today’s complex and increasing volume of threats.   </p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2009/05/lippis-report-125-cisco-launches-cloud-based-global-correlation-threat-defense/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Lippis Report 124: Re-thinking Wide Area Network Design</title>
		<link>http://lippisreport.com/2009/04/lippis-report-124-re-thinking-wide-area-network-design/</link>
		<comments>http://lippisreport.com/2009/04/lippis-report-124-re-thinking-wide-area-network-design/#comments</comments>
		<pubDate>Tue, 21 Apr 2009 21:08:48 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[Network Infrastructure]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Unified Communication]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=1554</guid>
		<description><![CDATA[<p><img class="alignright" src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="Nick Lippis" />There are multiple business and technology trends that are now interacting and forcing IT planners to rethink their wide area network (WAN) design. The macroeconomic downturn has proven once and for all that business and its processes are global. With…</p>]]></description>
			<content:encoded><![CDATA[
<p>				<script> jQuery(document).ready(function($) { $.post("", {lippis_social_buttons_ajax: "true", lippis_social_buttons_url: "http://lippisreport.com/2009/04/lippis-report-124-re-thinking-wide-area-network-design/", lippis_social_buttons_post_id: "1554"});}); </script><img class="alignright" src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="Nick Lippis" />There are multiple business and technology trends that are now interacting and forcing IT planners to rethink their wide area network (WAN) design. The macroeconomic downturn has proven once and for all that business and its processes are global. With economic globalization and the current turbulence people are required to collaborate more closely, more frequently and across greater distances, more so than at any other point in time. At the same time IT leaders have been consolidating IT service delivery into data centers as well as consolidating their number of data centers. Data center consolidation offers large economic efficiency but places greater distance between data, applications and end-users, putting great strain on application performance. Corporate green initiatives have driven up the number of home and mobile workers to the point that 15% of traffic flows to and from mobile workers and data centers. Adding more pressure, WANs have historically been designed in a piecemeal fashion with little to no regard for delivering consistent WAN Services among sites. </p>
<p>Add heightened security plus compliance requirements to new applications such as Web 2.0, video conferencing, mobility, etc., and the result is unprecedented demands on the WAN to keep a corporation productive. At a time when WAN performance needs to be optimized and tuned as carefully as Local Area Network (LAN) performance, it is unfortunately more difficult than ever to accomplish. These trends, if not addressed, will invariably negatively impact application performance and corporate productivity, especially among WAN-connected branch offices, larger corporate sites and data centers, as 41% of network traffic now flows to and from branch offices. </p>
<p>Increased traffic load, application load, collaboration, distance, separation of data and applications and security/compliance requirements are all dynamics that are completely altering the design requirements for the WAN. To address these dynamics, IT leaders need to deploy consistent WAN Services so that tuning/controlling/optimizing of WAN Services and applications across all sites connected via the WAN is performed uniformly, saving both time and money while increasing corporate value. Having consistency in application optimization, collaboration, and security allows WAN services among corporate sites, large and small, to combine to form a WAN Advantage that enables business and IT leaders to boost collaboration throughout their business, strengthen security, speed access to data and ideas, optimize application performance end-to-end, and ultimately cut operating costs. In this Research Note we focus on the WAN Edge that connects branches to larger sites and data centers; however, the concepts and subsequent principles can be applied to other corporate WAN areas. </p>
<p><strong>WANs Slow To Keep Pace</strong></p>
<p>Wide area bandwidth has not kept pace with the rapid advance of LAN bandwidth and application demand; wide area connections are often at least one to two orders of magnitude (10 to 100 times) slower than the LANs they connect. This bandwidth mismatch is the root cause of slow application response time and poor voice and video user experience. In addition to WAN bandwidth, WAN Service delivery has also been slow to keep pace. To defend against security breaches, optimize application performance and gain the benefits of unified communications and collaboration, IT leaders have been forced to deploy a series of appliances in each branch office thanks to a lack of common WAN Service delivery options. Deficits in WAN bandwidth and service delivery increase complexity, which drives up life-cycle management cost and makes IT service delivery difficult.</p>
<p>Nowhere is the deficit in WAN bandwidth and services more acute than in connecting branch offices to larger corporate sites and data centers, as the complexity it creates is magnified. This magnification is due to the fact that branches are widely distributed over large geographic areas, resulting in a lack of WAN bandwidth consistency: some branch offices may connect at broadband speeds while others use frame relay; still others use MPLS or private lines, etc., while WAN Service appliances pile up in each branch. While IT leaders have limited control over WAN bandwidth provisioned by telecom service providers, they do have total control over WAN Service delivery, which in turn exploits and manages WAN bandwidth. In short, WAN Service management is the key to complexity reduction and the basis for new thinking in WAN design.</p>
<p><strong>Essential WAN Services</strong></p>
<p>WAN design thinking is focusing on a set of common WAN Services available in both branch office and WAN aggregation routers, which are typically located within data center and larger corporate sites. This consistency in the WAN Services phase is akin to LAN evolution, maturity and value.</p>
<p>Thanks to WAN Services, WAN performance can approach that of LANs. There may not be a single WAN physical service such as Ethernet any time soon, but just as multi-protocol routing simplified LANs, so too will WAN Services simplify WANs, as they manage and mask the inconsistencies in different wide area facilities and inject value. In short, WAN Services provide a set of logical components that rationalize a messy WAN world and replace it with user experience consistency and uniform IT management and security.</p>
<p>To bring the discussion down to product level, it’s Cisco’s ISR and ASR 1000, 3Com’s 5000 and 6000, Juniper’s J and M Series, HP ProCurve’s 7000dl Series and others which offer the promise of consistent WAN Services. Of the above list only a few offer routers that deliver consistent WAN Services at the branch office and the Enterprise WAN edge/aggregation respectively, thanks to shared common software code enabling these routers to collaborate via protocol exchanges across the wide area. Part of this common WAN Services software code is based upon standards such as IPsec, SSL, MPLS, SIP (Session Initiation Protocol), Real Time Protocol (RTP), etc., while other aspects are company specific, such as Cisco’s GET-VPN, which simplifies the provisioning and management of VPN.</p>
<p>While there are a growing number of WAN Services we’ll focus on the three most important or essential ones, those being security, unified communications and WAN optimization that support the above WAN requirements.</p>
<p><strong>Network/IT Security:</strong> To readily adapt to new business requirements, reduce qualification time for new deployments, proactively monitor and provide pervasive integrated security services, meet and comply with federal or industry regulations requiring confidential communications, ASR 1000, for example, can be deployed as a Secure WAN Aggregation router with integrated firewall, IPsec encryption and a wide range of VPN termination options.</p>
<p><strong>Unified Communications Video and Telepresence: </strong>The WAN requires increased collaboration frequency over larger distances to support unified communication (UC) plus video, and telepresence services. There are specific WAN Services that ensure the user UC and video experience remains excellent even while other applications compete for WAN resources and/or during network disruption such as backhoe fade, etc.</p>
<p><strong>WAN Optimization:</strong> WAN optimization is a WAN Service that is embedded as a series of application optimization features/functions within branch and WAN aggregation routers that strive to deliver local drive response time to applications that are delivered over the WAN. WAN optimization services include WAN optimization and traffic classification.</p>
<p>There are more WAN Services such as mobility and others to come over the next business cycle. The value WAN Services deliver is rooted in the fact that WAN Services are logical components embedded into the wide area, simplifying IT operations, accelerating the absorption of innovation and delivering end-user performance consistently, independent of their physical location.</p>
<p><strong>The New WAN Advantage</strong></p>
<p><strong>Old World WAN</strong></p>
<p>Traditionally, connecting branch offices to larger corporate facilities and data centers has been implemented in a piecemeal fashion, meaning that most IT organizations have not architected or designed the WAN Edge as a holistic solution. For these firms, branch office WAN connections are a mixture of disparate transport services, and their routers have little to no WAN Service consistency with headquarters and data center aggregation routers, while the branch offices are populated with special purpose WAN Services appliances. This lack of planning results in much higher IT capital and operational spend. But more troubling is that poor business performance results, thanks to inconsistent application performance and branch IT delivery difficulty, especially of new collaboration services and tools.</p>
<p><strong>New World WAN Advantage</strong></p>
<p>The new approach to WAN design is based upon business initiatives and user experience expectations independent of geographic location. This shift from piecemeal to end-to-end design considers secure access to corporate data, applications, people, ideas, etc., from anywhere. This approach requires a comprehensive, cohesive WAN design with end-to-end support for services because after all, a network delivers applications and application performance governs a user’s experience and productivity.</p>
<p>The new WAN delivers a consistent user experience in the same way as LANs do, by switches and routers offering a common set of LAN services. For the new WAN, considerations of WAN bandwidth plus a common set of WAN Services between branch and aggregation routers delivered end-to-end can result in consistent user experience. This is primarily achieved through a common set of tools that provide network operations with access to tune/tweak/optimize/configure/etc. WAN Services throughout branch offices and aggregation sites so that a user’s experience is the same, independent of location, LAN and/or WAN. With well over 6 million Cisco ISRs in production and most firms running sophisticated applications and services in the branch, it’s only logical that these ISRs be terminated at an aggregation router over the WAN equipped with common WAN Services to achieve a WAN Advantage.</p>
<p><strong>Recommendations</strong></p>
<p>The following recommendations are offered which focus specifically on WAN Services at the WAN Edge. Consider the following:</p>
<ol>
<li><strong>Nonstop Forwarding To Boost Redundancy/Availability:</strong> Consider redundancy and fail-over capability across switching, routing, tunneling, WAN access, etc. With new services such as UC and video being massively adopted, convergence time or the time to recover from a WAN transport outage needs to occur within tens of milliseconds.</li>
<li><strong>Consistent WAN Optimization and Performance Routing:</strong> Consider the consistent implementation of WAN optimization and performance routing between branch and aggregation routing.</li>
<li><strong>VPN and WAN Scalability:</strong> Consider scale when designing a WAN that connects a large number of branch offices into a set of aggregation routers. Scale such as bandwidth and VPN support can be limiting factors. Aggregation router VPN service in particular should scale up toward 20,000 tunnels to support multiple VPNs per branch as well as mobile users.</li>
<li><strong>Consider Integrated Management: </strong>Consider network management that integrates WAN Services configuration, troubleshooting, fault isolation as well as security management including threat reporting and compliance reporting. Management that provides constant audits to ensure QoS should be considered as well, as a means to monitor application performance.</li>
<li><strong>Consistent Application of QoS/Encryption/Security Across Routers and Tunnels: </strong>Consider consistency of services across different branches especially with QoS, security, routing and switching. Ensure that security policy enforcement is the same at headquarters, data centers and branch levels.</li>
<li><strong>Confidentiality And Integrity:</strong> As aggregation routers support widely geographically distributed branch offices and mobile users, confidentiality and integrity are important security attributes to be considered as part of the WAN security service. Confidentiality ensures that only authorized individuals, processes, or systems have access to information. Identification, authentication, and authorization through access controls maintain information confidentiality. Encrypting information also supports confidentiality by limiting information usability in the event it is viewed while encrypted. Integrity means that information should be protected from intentional, unauthorized, or accidental changes.</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2009/04/lippis-report-124-re-thinking-wide-area-network-design/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Lippis Report 123: The Future of UC Is In Social &amp; Collaboration Applications</title>
		<link>http://lippisreport.com/2009/04/lippis-report-123-the-future-of-uc-is-in-social-collaboration-applications/</link>
		<comments>http://lippisreport.com/2009/04/lippis-report-123-the-future-of-uc-is-in-social-collaboration-applications/#comments</comments>
		<pubDate>Tue, 07 Apr 2009 20:30:45 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Avaya]]></category>
		<category><![CDATA[Enterprise Mobility]]></category>
		<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[Unified Communication]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=1527</guid>
		<description><![CDATA[<p><img class="alignright" src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="Nick Lippis" />Unified Communications (UC) as an integrated launch point to multiple communications applications will swiftly fade as UC is integrated into corporate social networking and collaboration applications.  This is the impression I walked away with after the Orlando VoiceCon industry event.…</p>]]></description>
			<content:encoded><![CDATA[<p><img class="alignright" src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="Nick Lippis" />Unified Communications (UC) as an integrated launch point to multiple communications applications will swiftly fade as UC is integrated into corporate social networking and collaboration applications.  This is the impression I walked away with after the Orlando VoiceCon industry event.  The implication of this is systemic, sending change throughout the industry from suppliers, buyers, and even industry event organizers.   What I mean is that UC as a standalone desktop application has limited value.  IT and business leaders are pressing suppliers to improve user experience and in the process productivity.</p>
<p>It wasn’t too long ago that UC was touted as a better way to access a broad range of communication applications such as voice, IM, video, email, etc. Clients such as Microsoft’s Office Communicator, Cisco’s Unified Personal Communicator, Avaya’s One-X, Siemens’ OpenScape Desktop Client et al. will be of increasingly little use as standalone products. Even as these UC clients go mobile they will fall short of user experience expectations. As communications is now firmly in the grips of Moore’s Law and software economics, the rate of change and level of integration is accelerating at a frantic pace. </p>
<p>There are multiple trends building upon each other with such force as to morph UC into social networking and collaboration Web 2.0 applications. Social networking tools such as Facebook and Twitter have jumped from consumer internet services to business tools. There is a cottage industry of start-ups that are creating innovative approaches to capturing an individual’s social grid and interfacing it into contact centers so as to better up- and cross-sell. Yes, there are interesting Facebook, Google and/or LinkedIn pop-ups that extend caller ID to a screen pop, complete with a caller’s profile, and even search your email for relevant past exchanges with the caller, all aimed at increasing user experience.</p>
<p>Then there are corporate-based social networking platforms such as <a href="http://www.socialtext.com/">SocialText</a> which add security and journaling to social media tools.  Whether UC is added to consumer social and collaboration tools or to enterprise grade applications is irrelevant; both are occurring and both activities will only accelerate.  The growth and level of communications enabled by social networking and collaboration tools is unparalleled and represents a new approach to human interaction that needs to be captured and put to work within enterprises.  We are in the midst of a great experimental phase of how best to achieve this integration.  The meeting at VoiceCon offered only a glimpse of this progress. </p>
<p>Collaboration platforms such as IBM Lotus Sametime are very popular and their growth has not waned during the economic downturn. In fact, IBM’s LotusLive cloud collaboration for inter-company collaboration is one of the fastest growing IBM products. Sametime is a great example of how UC has been integrated into a collaboration suite and improves the user experience. IBM’s mash-up hub application lets users create their own mash-ups with a Sametime call widget, again increasing the user experience and control over that experience.</p>
<p>Siemens is in an interesting position as its OpenScape is an integral part of IBM’s Sametime. Siemens introduced its Cloud UC service built upon Amazon’s Elastic Compute Cloud (EC2) to offer the SMB market UC in a SaaS model. One can imagine that with OpenScape and Sametime in the Amazon cloud an SMB would have access to the same tools and user experience that only large firms could once afford. Therein lies the beauty of UC being integrated into collaboration suites and offered as a cloud service. Price points are smashed along with a total disruption of the SMB channel to market. </p>
<p>Cisco has been busy integrating UC into a wide range of collaboration tools too.  It has integrated its unified personal communicator client into its Unified MeetingPlace and WebEx platforms.  I expect to see UC integrated into its recently acquired Jabber IM service and Telepresence platform too.   </p>
<p>Avaya introduced its Aura™ platform, which seeks to clean up and rationalize legacy voice and VoIP communications into a SIP platform.  Two important aspects of Aura™ are that 1) it’s a new design that takes cost out of communications by reducing WAN, equipment and operational spend; and 2) it offers a UC integration into applications platforms.  In short Aura™ should pay for itself within twelve months and pay dividends as communications is embedded into applications, especially social networking and collaboration applications.   </p>
<p>But the above examples are just snapshots of a broader and bigger vision of how UC will be integrated into Web 2.0-based social and collaboration tools. </p>
<p>Envision a corporate Facebook-like user interface that is self populated with an employee’s profile, complete with past and current projects, their skills and relationships to both internal and external resources.  Employees can join groups modeled after traditional organizational lines of command such as finance, HR, manufacturing, engineering, sales, etc.  But more importantly, imagine these groups being cross-functional and based upon projects or product development where sales, engineering, marketing, manufacturing, etc., collaborate to move a product through its phase review process.  Employees would populate the groups with work product, placing a huge body of work or information into the collaboration space.  So imagine that over time three entities would emerge: people, groups and information, all cross-referenced through TAGs.  All IT offers is the collaboration and social networking platform; profiles, group membership and information are populated by employees.  The collaboration between these entities of people, information and groups would enable work to move faster throughout an organization and employees to self-organize around projects.  Now inject real-time UC and video into this platform and you have the basis for a new approach to how work gets done. </p>
<p>The above scenario is not just my vision; it’s the direction our industry is heading after numerous NDA briefings with a wide range of IT suppliers. The intersection between social networking, collaboration and UC, thanks to Web 2.0 techniques, will usher in a new model for productivity improvement through improved user experience and in its wake will change the IT industry and IT organizational design. This new collaboration model will emerge as the global economy recovers. As capital spending recovers it’s becoming clear that IT and business leaders will not fund the same old projects but will invest their capital spend into new innovative approaches to corporate productivity such as the UC and social collaboration platform discussed above. </p>
<p>For IT organizations a re-design is needed.  UC has been sold to networking and telecom professionals while social networking and collaboration tools are sold to those who manage applications.  These two groups are clearly stakeholders in the solution they eventually deploy and thus need to work together.  Here too the economic downturn has a positive effect in that many of the past organizational barriers have fallen as IT is focused on operational cost reduction and project delivery.   </p>
<p>As the application and networking groups seek a new working relationship so too do IT suppliers. For example, Adobe, Citrix, HP, et al., who have for the most part been absent in social networking, collaboration or UC, will partner up or acquire others to engage in this new industry sector. Look for one of the above to make a huge announcement at Interop. </p>
<p>Just as IT organizations and suppliers re-align and position for the Web 2.0-enabled collaboration market so too will the industry venues.  VoiceCon for example attracts the telecom manager, but not the networking, application, or collaboration buyer.  At the same time VoiceCon was taking place so too was Web 2.0 expo.  Look for a new venue to emerge that is virtual and uses the tools of social, collaboration and UC to address this new market. </p>
<p>UC as a standalone desktop application has limited value. IT and business leaders should focus on collaboration platforms that are Web 2.0-based, and incorporate social media and UC as the path toward greater user experience and productivity.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2009/04/lippis-report-123-the-future-of-uc-is-in-social-collaboration-applications/feed/</wfw:commentRss>
		<slash:comments>10</slash:comments>
		</item>
		<item>
		<title>Lippis Report 122: Cisco’s Unified Computing System: Opportunities and Challenges</title>
		<link>http://lippisreport.com/2009/03/lippis-report-122-cisco%e2%80%99s-unified-computing-system-opportunities-and-challenges/</link>
		<comments>http://lippisreport.com/2009/03/lippis-report-122-cisco%e2%80%99s-unified-computing-system-opportunities-and-challenges/#comments</comments>
		<pubDate>Tue, 24 Mar 2009 15:21:57 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[Unified Communication]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=1504</guid>
		<description><![CDATA[<p><img class="alignright" src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="Nick Lippis" />It’s been over a week since Cisco launched its Unified Computing System (UCS) initiative.  I’ve reviewed all the presentations, documents, financial analyst research notes, twitter and Facebook chatter as well as talked to a dozen or so IT leaders and…</p>]]></description>
			<content:encoded><![CDATA[<p><img class="alignright" src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="Nick Lippis" />It’s been over a week since Cisco launched its Unified Computing System (UCS) initiative. I’ve reviewed all the presentations, documents, financial analyst research notes, Twitter and Facebook chatter as well as talked to a dozen or so IT leaders and in this Lippis Report Research Note I provide my assessment. There’s so much to consider with the UCS launch: the technology, the data center value, go to market strategy, competitive responses, etc. But I have one important observation. This is the first time in the history of IT that a networking company has entered the computing industry. My first job in 1984 was at Digital Equipment Corporation, where networking was always an accessory, or stepchild, to computing. And yes, a lot has transpired since then but the sheer fact that a networking company has grown to the size of Cisco and that it can stand up and say “Hey IBM and HP, I’m entering your core market and there’s nothing you can do about it” is a remarkable occurrence. Anyone who has spent his or her career in networking and has worked within DEC, IBM or HP networking groups knows how it feels to be tangential to corporate strategy. For this group, UCS was a moment that tipped networking technology and networking professionals to a higher level of importance and influence in the IT industry. In this Lippis Report Research Note we review UCS and Cisco’s opportunities and challenges. </p>
<p>Let’s start with the problem that Cisco is attempting to solve with UCS. The key issue UCS addresses is scaling virtualized data centers. While there has been much hype associated with virtualized data centers, their market penetration is only 15% among the 28 million x86 world-wide installed servers, thanks in large part to the lack of support for legacy applications to be hosted on virtualized machines (VM). As VMware represents some 70% of the virtualized data center market it only makes sense to focus there when asking why more applications have not been virtualized. The reasons for the absence of widespread virtualization adoption include the lack of a true real-time failover, immature management tools, a lack of VM visibility and security questions about virtual environments. VMware’s vSphere (VI 4.0), scheduled for release 2Q09, does much to address many of these existing issues and will be a catalyst for increased virtualization projects as legacy applications will become increasingly virtualized. </p>
<p>vSphere will span up to eight cores from 4, address up to 256 GB of memory, allow users to change the amount of RAM allocated to VMs without rebooting and increase its maximum RAM limit to 1 TB.  vSphere will now be able to virtualize larger, more mission-critical applications, such as Oracle, SAP and large Microsoft Exchange implementations. Some have estimated that VMware will be able to virtualize more than 99% of applications in existence with this release.   </p>
<p>What Cisco sees is a market transition to massive virtualization implementations that current data center providers do not address.  UCS does not go after the non-virtualized blade servers but participates in the growth market of virtualization that will lead to private cloud implementations, and then inter-cloud (private/public) projects.   </p>
<p><strong>Why Now? </strong></p>
<p>Why is the network so important now? In an ideal virtualized data center, IT resources (compute, storage and networking) would be pooled, with services dynamically drawing from the pools to meet demand. Virtualization techniques have enabled processes to be moved between computers, but network constraints create barriers that prevent elasticity, such as static network assignment via VLANs, ACLs, broadcast domains, fragmentation of resources thanks to load balancers, service-specific network engineering and poor server-to-server connections, etc. In addition, virtualization adds significant load to data center networks and this load is only going to increase significantly. Networks traditionally move data between client, server and storage devices. But as applications become more mobile, enabled by vSphere, networks will need to move entire application, OS and driver bundles if applications are going to spin up and down based upon demand. The additional network load is huge as the file size of a single VM image is typically 16 GB, but can be up to 2 TB, which will move over the network for “just in time” application provisioning.</p>
<p>It seems that Cisco seeks to eliminate network barriers to virtualization, increase data center network bandwidth and compute resources while simplifying data center architecture and its associated cost. Key to the last point is consolidated I/O thanks to Fibre Channel over Ethernet (FCoE) support within the Nexus 5000, which Cisco believes will require fewer switches, adapters and cables, reducing management points and thus streamlining operations. Its not-yet-available VN-Link or Nexus 1000v hopes to enable management of the virtual environment in the same way as the physical environment and break the boundary between server and network. Its recently introduced fabric extender in the Nexus 2000 promises to scale server connections without increasing management points and to streamline cabling.</p>
<p><strong>Unified Computing System</strong></p>
<p>But UCS is a system with integrated management, networking and consolidated storage/network access.  UCS unites network, compute, and virtualization resources into a single system consisting of: </p>
<p><strong>UCS Manager</strong>: Integrated system-level device management</p>
<p><strong>UCS Fabric Interconnect</strong>: Line-rate 10 GbE, DCE &#038; FCoE fabric</p>
<p><strong>UCS Fabric Extender</strong>: I/O fabric extension, cut-through architecture</p>
<p><strong>UCS Blade Server Enclosure</strong>: Optimized for energy efficiency</p>
<p><strong>UCS Blade Server</strong>: Patented memory expansion, based upon new Intel Xeons large memory capacity unified fabric</p>
<p><strong>UCS Virtual Adapter</strong>: Scalable virtual HBA &#038; NIC resources </p>
<p>Support for the following 3rd party software solutions was announced on March 16th: </p>
<p><strong>Hypervisor</strong>:  VMware ESX &#038; Microsoft Hyper-V</p>
<p><strong>OS</strong>: Microsoft Windows Server, RHEL &#038; SLES</p>
<p><strong>Management</strong>: BMC BladeLogic, Microsoft System Center &#038; EMC Smarts</p>
<p><strong>Application</strong>:  Microsoft SQL Server, Oracle DB &#038; Oracle RAC </p>
<p>UCS is based on a standard set of components with which most IT staff are familiar.  The intelligence for managing the overall system is based on a Nuova-class processor that Cisco has embedded in the UCS Fabric Interconnect.  The UCS Manager software that manages the entire system communicates with firmware embedded in every device in the system.  Note that UCS provides three adapters: a standard 10GB Ethernet adapter, a 10GB FCoE adapter, and most important, the adapter which supports the virtualization of network connections.   </p>
<p>UCS looks like a standard rack of servers, but the wiring of the components is much simpler and easier to manage, track and deploy. This approach creates a cleaner, simpler model for managing data center assets that stands in sharp contrast to existing PC architectures. As a result, IT organizations should find it easier to set and maintain hardware policies. They will also be able to better physically secure the environment. The overall environment supports 63 percent more airflow than traditional servers, which leads to substantially lower heating and cooling costs. UCS Manager can manage each component of the system to the point where specific power and cooling thresholds can be set. UCS also provides easier access to disks residing on each server blade. Power supplies are hot swappable. Each UCS should have two Fabric Extenders to maximize availability. Taken all together, the UCS should greatly reduce all the points of management compared to traditional blade server environments.</p>
<p>Cisco believes that it can drastically reduce data center total cost of ownership with UCS thanks to its ability to consolidate data center infrastructure through fewer switches, servers and management points, driving down both capex and opex costs while delivering faster time to new server deployment.</p>
<p><strong>Cisco’s Opportunities </strong></p>
<p>UCS is innovative on multiple levels including leveraging Intel’s next generation of silicon, significantly expanding available memory, timing UCS to be ready for VMware’s vSphere VI 4.0, simpler cabling, easier management and provisioning and consolidating I/O.  As networking speeds increase to 10Gb, 40Gb, 100Gb and beyond, computing will increasingly become hollowed and distributed through the network.  By integrating computing, networking and virtualization Cisco has developed a platform that enables this re-distribution of computing and applications to occur along with its associated benefits of lower cost and increased utility of IT resources.   </p>
<p>At the same time UCS is offered, the world economy has fallen into recession.  One impact of this has been that the barriers between IT administrative domains of storage, applications, networking and compute have fallen too.  The requirement to focus on service delivery and cost efficiency within IT has been dramatic over the past 9 months with much of the previous IT organizational distractions and friction being swept away.  As a result, Cisco will find a welcome reception within executive IT to learn about UCS and how it may benefit their corporation. </p>
<p><strong>Cisco’s Challenges </strong></p>
<p>Cisco will find this adjacent market entry much more difficult than its previous entries into IBM’s SNA, voice communications, security, etc. In short it’s competing with a different class of competitors, going head-on with HP and IBM, who have expected calendar year 2009 revenues of $110B and $100B. HP in particular is not a stranger to virtualization as it’s the number one provider of such services and products to market, providing VMware and Microsoft virtualization software. Cisco hopes that it will be able to ride the virtualization transition much faster than HP and IBM. And while this was true for Cisco in the past, there is no evidence that IBM or HP will be slow to respond to the virtualization and cloud computing industry initiatives. Further, most IT leaders buy based upon market share. Cisco enjoys this preference in the networking space while HP and IBM do the same in the blade server market. Cisco will have to overcome this preference and time will tell if UCS innovation tips the preference scale.</p>
<p>As organizations look to transform data centers, strategic system integration may be a key area of focus.  IBM and HP derive approximately $58B and $37B in revenues from IT services; that is one of the largest challenges Cisco faces.  HP recently acquired EDS while IBM global services are massive.  Cisco has a partnership with Accenture and Tata.  While there is no rule that Cisco needs to have a large professional services organization, it clearly has served HP and IBM well. </p>
<p>Margins will decide if UCS is successful. As I wrote in Lippis Report 119, HP operates happily on 25-30% margins while Cisco enjoys 65-75% margins. Even if Cisco does generate $1B at 30% GM that’s $300M profit, but they could lose $1B and $650M of profit too in switching. It’s unclear what the margin contribution of UCS is and until that is known, it’s not possible to judge if Cisco’s bet will pay off.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2009/03/lippis-report-122-cisco%e2%80%99s-unified-computing-system-opportunities-and-challenges/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Lippis Report 121: A New Approach to Network Design When You’re In The Cloud</title>
		<link>http://lippisreport.com/2009/03/a-new-approach-to-network-design-in-the-cloud/</link>
		<comments>http://lippisreport.com/2009/03/a-new-approach-to-network-design-in-the-cloud/#comments</comments>
		<pubDate>Mon, 09 Mar 2009 23:08:03 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=1443</guid>
		<description><![CDATA[<p><img class="alignright" src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="Nick Lippis" />In Lippis Report 120 we discussed how cloud computing is driving new networking requirements for both public and private cloud implementations. We focused on ethernet switch devices in that Research Note. But cloud computing may also require a new network…</p>]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright" src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="Nick Lippis" />In Lippis Report 120 we discussed how cloud computing is driving new networking requirements for both public and private cloud implementations. We focused on Ethernet switch devices in that Research Note. But cloud computing may also require a new network design paradigm. The three tiers of edge or access, then aggregation or distribution, and core have been the building blocks of modern computing networking for the past two decades and are still fundamental to classical enterprise network design. But in high performance data centers, and in particular cloud computing, a new two-tier model is being considered.</p>
<p><span id="more-1443"></span></p>
<h3>Three-Tier Enterprise Network Design Stays Firm</h3>
<p>The three-tier network model is based upon desktops, printers, servers and LAN-equipped devices being connected to access switches. These access switches are aggregated into “aggregation or distribution switches” to manage flows and building wiring. Aggregation switches connect to core routers/switches, which provide routing between aggregation switches and connectivity to wide area network services. It was the classical “dumbbell” model of big LAN and small WAN bandwidth that brought about the modern three-tier system as routing provides congestion management, traffic segmentation and a wide range of physical interfaces to the WAN.</p>
<p>Routing or layer 3 versus switching/bridging or layer 2 boundary placement decisions have ebbed and flowed with corporate IT network architects traditionally choosing layer 3 at the core and layer 2 mostly everywhere else. With increased traffic between aggregation switches many network architects place the layer 2/layer 3 boundary there to allow for inter-VLAN routing, client to server routing, stateful service integration and to avoid traffic flowing back and forth between core and aggregation. This is common for organizations with matrix traffic flows versus desktop-to-data center dominated flows. In building networks I expect the layer 2/layer 3 boundary to be increasingly at the aggregation tier to manage a huge increase in video, Web 2.0 streams, collaboration and corporate social networking mixed traffic streams.</p>
<h3>A Transition To A New Set of Network Attached Devices</h3>
<p>The access layer, or as some prefer to call it, the edge, is slowly disappearing in classical enterprise network design as the campus is transitioning to a different set of network attached devices from desktop to mobile personal utility accessories. This is most evident as wireless LAN connections outpace wired ones. But the need for PoE for iPhones, video surveillance cameras, WLAN access points, etc., will keep the access layer in place for a long time, regulating its pace of change. It’s not until fixed phones are replaced with virtualized soft UC phones and the majority of end-point connections are wireless that the access layer may be subsumed into a WLAN infrastructure. PoE support in the end will keep the access layer viable for years to come.</p>
<p>For the vast majority of corporations the network core’s role of managing the large amount of LAN bandwidth competing to access the small amounts of WAN bandwidth will not change. Clearly layer 3 services are needed to define a logical layer, which provides and enforces forwarding policies, security, routing/forwarding, traffic aggregation, traffic segmentation, management, accounting, etc. But as service providers increasingly offer metro ethernet and other high-speed WAN services at 100Mbs to 10 GbE levels the LAN/WAN boundary will migrate to LAN interfaces for WAN access, but this will take some time; perhaps a decade or so as leased lines are the dominant form of router WAN connections today. In short the three-tier model will remain the network architecture in corporate campus networking, supporting classical applications such as file transfer/access, e-mail, UC, web 1.0 and 2.0, collaboration, etc., for the foreseeable future.</p>
<h3>A Two-Tier Network Model Emerges In The Cloud</h3>
<p>So what’s so different about the high performance data center and new cloud-computing environments that the three-tier model could be collapsed into two? In a word it’s “performance”. In two words it’s “consistent performance” under heavy load. Performance demand is more critical in this market with applications such as storage connect, high performance computing (HPC), video, extreme web 2.0 volumes, etc., requiring unique network attributes. Consider this: approximately 10 million servers are sold every year. In 2003 20% of servers were sold into HPC and large public facing Web sites according to IDC. In 2009 that number will increase to 50% of server units being sold into cloud and HPC environments. In short, high performance data centers and new cloud-computing sites are becoming extremely server dense. Take server density on a scale we have not seen previously and add ultra application demand at load and you have the requirements for a new kind of networking.</p>
<p>To deliver performance at scale and under load of a cloud computing data center equipped with tens to hundreds of thousands of servers delivering applications to millions of users, network performance has to be non-blocking, highly reliable and faultless with low and predictable latency (sub-microsecond) for broadcast, multicast and unicast traffic types. In addition the cloud network needs to be aware of application flows rather than static addressing of devices so that changes in applications, servers and storage can occur without re-configuring the network. Ten-gigabit ethernet connections to servers, storage and between switches are the design direction now, which will scale up as the IEEE develops the 40 GbE and 100GbE standards, expected to be ratified in 2010.</p>
<p>Meeting these requirements offers scale and optimization of servers, applications and storage elements, which allow millions of applications to randomly spin up and down with demand much like atomic behavior described by Brownian motion. In short, traffic profiles in this high performance and dense application environment are unpredictable. This is a key design criterion; that is, networks need to anticipate wild matrix flows with overlapping peaks and valleys and move these flows without dropping packets at microsecond latency between server and storage over the network.</p>
<h3>Access Layer Becomes a Virtual Layer</h3>
<p>So how is networking design changing to address these high performance requirements? First, the access layer in virtualized data centers is changing dramatically and disappearing as it’s increasingly being subsumed into servers, either in the form of virtual switches and/or blade switches inside servers. A new wave of technology and intelligence is stretching the classic physical access layer into a new virtual access layer. In this new virtual access layer, switching takes place in a hypervisor virtual switching instance, and in other cases the network fabric is stretched to the rack level, ensuring a single point of management. Effectively the classic access model of end-of-row, top-of-rack and blade switching is evolving to a Distributed Access Fabric combining the advantages and benefits of EoR and ToR models.</p>
<p>Secondly, network traffic in clouds is a matrix of overlapping flows with web 2.0 and mash-ups driving massive server-server connections. Network latency becomes a fundamental limiting factor to application performance as the network becomes the bus connecting storage and computing. And as networking speeds increase to 40Gbs, 100Gbs and above the boundaries between storage, networking and computing are being redefined as virtualization is starting to show now.</p>
<h3>Cloud Access and Cloud Core Make Up The Two-Tier Model</h3>
<p>To accommodate these requirements a two-tier network model is being considered consisting of what I call a “Cloud Access” tier and “Cloud Core” tier. The Cloud Access tier connects servers while the Cloud Core consists of a series of non-blocking switches delivering mesh connectivity between non-blocking Cloud Access switches. The Cloud Core also connects storage and wide area services/routers to the cloud. Within both cloud tiers are switches that provide layer 2 and layer 3 services giving the cloud architect design options of deploying all layer 2, all layer 3 or a hybrid yielding choice as to where to place the layer 2/layer 3 boundary. We reviewed cloud switches in <a href="http://lippisreport.com/2009/02/lippis-report-120-cloud-computing-drives-new-networking-requirements/">Lippis Report 120 Research Note</a>.</p>
<p>For example, layer 3 services may only be in the Cloud Core or in both Cloud Access and Core which is important for web 2.0 and mash-up based traffic flows. In this model there is no third tier where traffic has to flow to accommodate server-to-server flows; traffic is either switched at Cloud Access or in the Cloud Core at less than 10 microseconds. Oversubscription needs to be carefully managed in a two-tier structure ranging from 1.5:1-to-10:1 Access: Core.</p>
<p>There are examples of a two-tier model in high performance data center applications. For example, the InfiniBand architecture describes a leaf and spine structure, which is also championed by Arista Networks. What is important about this market segment is that Ethernet switches based upon previous generation ASICs and network operating system technologies may not be up to the performance task. Only two firms, Cisco and Arista, have developed new operating systems and hardware for this market.</p>
<p>While Cisco does not tout a two-tier architecture in its Data Center 3.0 program, its Nexus data center switches can clearly be configured in this form. For example, its high end Nexus 7000 would occupy the Cloud Core while its Nexus 5000/2000 occupies the Cloud Access tier. The Nexus 2000 provides GbE connections to servers while obtaining configuration and NX-OS services from the Nexus 5000 via 10GbE placed in end-of-row. The Nexus 2000 and 5000 may be two separate physical devices but they are logically one, making up the Cloud Access tier. In this scenario the Nexus 2000 is a line extender and I expect to see others introduce a similar approach as it delivers the cabling efficiency of top-of-rack and network management operational efficiency of end-of-row. The layer 2/layer 3 boundary resides in the Nexus 7000.</p>
<p>Arista Networks would deploy a series of its Arista 7148SX to construct the Cloud Core while having the option to deploy any of its three 10G switches in the Cloud Access, that being the 7148SX, 7184S, or 7124S. Arista’s Extensible OS (EOS) operating system is unique and purposely built for self-healing resilience and open extensibility designed specifically for cloud computing environments.</p>
<p>Over the next two quarters other networking companies will be announcing cloud-networking products, with most if not all based upon this two-tier model. Look for offerings from Force10, HP, Brocade and Juniper during 2009. Clearly there will be trailblazers and certain vertical market segments that will deploy the two-tier model sooner with a wider adoption after 2010 into 2015. Also note that the two- and three-tier models will co-exist with three-tier being the network architecture in building/campus networks and non-cloud/high performance data centers. But for the high-end cloud and high performance data centers, the two-tier model offers the attributes of low latency, cost and packet throughput required.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2009/03/a-new-approach-to-network-design-in-the-cloud/feed/</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
		<item>
		<title>Lippis Report 120: Cloud Computing Drives New Networking Requirements</title>
		<link>http://lippisreport.com/2009/02/lippis-report-120-cloud-computing-drives-new-networking-requirements/</link>
		<comments>http://lippisreport.com/2009/02/lippis-report-120-cloud-computing-drives-new-networking-requirements/#comments</comments>
		<pubDate>Mon, 23 Feb 2009 06:47:52 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=1394</guid>
		<description><![CDATA[<p><img class="alignright" src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="Nick Lippis" />The data center market has been undergoing tremendous change over the past 24 months, with consolidation, green projects and virtualization deployments accelerating, thanks in part to the bleeding macro economic climate.  Building upon the next phase of data center virtualization…</p>]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright" src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="Nick Lippis" />The data center market has been undergoing tremendous change over the past 24 months, with consolidation, green projects and virtualization deployments accelerating, thanks in part to the bleeding macroeconomic climate. Building upon the next phase of data center virtualization is cloud computing, which in 2008 ushered in initiatives with announcements made by nearly every computer, software, networking, internet hosting and storage concern. While it’s clear that the industry is in the center of the hype curve, a simple example reveals that the hype is justified. One well-known example demonstrating the power of cloud computing is Animoto and Amazon. In April of ’08 Animoto, a music video production application on Facebook, ramped up from 25,000 to 250,000 users in three quick days, scaling from 50 instances of usage on Amazon’s EC2 cloud service to 3,500 without service interruption; that’s like having nearly 4,000 servers to support this application.</p>
<p><span id="more-1394"></span></p>
<p>Just think of all the planning and cost that would be needed to accommodate that demand without cloud computing!  To understand the scale consider that large content providers are building public clouds consisting of physical containers equipped with 100,000 plus servers while private clouds are being designed with 1/10th to 1/100th the size or 10 to 1 thousand servers.  Animoto is an app that is being consumed and served on a massive scale without the company’s need to expense a data center thanks to a public cloud computing service. </p>
<p>It’s examples like Animoto that are driving demand and usage up on public cloud services such as Amazon’s EC2 and have caught the eye of IT leaders as they view with envy the ability to scale applications up and down based upon demand. Enterprise or private clouds seek to replicate public cloud services with an aim to achieve the same level of elasticity but with tight control over security and manageability while avoiding 3rd party support issues.</p>
<p>Integral to cloud computing discussions is the fact that the industry is creating a new IT delivery platform and associated economics.  IT products have always burdened IT organizations with high operational support, which dominates IT infrastructure total cost of ownership (TCO).  Just think about it: desktop computers loaded with an operating system and applications are replicated to every employee, often multiple times thanks to laptop and notebook computers which IT operations needs to support.  As network speeds increase to the 10GbE, 40 GbE and 100GbE range the difference between local and distributed application response time narrows to the barely noticeable.  This new IT delivery platform known as cloud computing has a value proposition promise that radically changes/lowers TCO economics while at the same time offering massive scale and elasticity to spin applications up and down based upon demand.  And this is good news for business and IT leaders searching for new business and IT delivery models with attractive economic profiles.   </p>
<p>At the center of cloud computing is cloud networking.  Virtualization and cloud computing are modifying the boundaries between computing, storage and networking.  Virtualization decouples applications and operating systems from server hardware with the result being fewer servers to support more applications.  The value of cloud computing is that it transparently makes software and data available everywhere thanks to stateless computing.   This &#8220;stateless&#8221; model facilitates much greater scalability than conventional computing and when used in conjunction with virtualization maximum data center utilization is achieved.  Cloud then eliminates the need for separate storage area networks in exchange for network attached file storage.  To make virtualization and cloud computing work the data center network or the cloud network has to deliver specific attributes.  These attributes are contained in both product/switches and network design.  First let’s review device attributes and we’ll cover cloud network design in another Lippis Report edition. </p>
<p><strong>Gbs Ethernet Speeds:</strong>  Server connections while currently dominated by 1GbE are quickly moving to 10Gbs in cloud implementations thanks to both performance demand and cost.  Server vendors are adding 10G NICs to their motherboards and low-cost SFP copper interconnect.  The cost per 10G connection continues to drop and currently is at a price point of twice the typical gigabit Ethernet connection of $200-$250/port.  In addition to 10GbE, 40GbE and 100GbE are on the horizon enabling storage and compute systems to drive the network at higher speeds to realize the full performance potential of this hardware investment and support the re-distribution of compute, applications and storage functions in a virtualized world. </p>
<p><strong>Ultra Low Latency:</strong> To support the scale and user performance requirements of cloud computing, network latency needs to be both consistent and very low.  One of the best latency numbers we’ve seen is Arista’s 7148SX, which delivers packets independent of size in the 0.6 microsecond range.  Other products are in the 3-to-3.5 microsecond range.  In addition to latency, packet throughput at 100% maximum line rate at 10GbE for multicast and broadcast, independent of packet size, is important too, as video such as Animoto shows represents a large and growing portion of both corporate and internet bandwidth.</p>
<p><strong>Lower Power Consumption:</strong> With the average cost per kilowatt-hour at ten cents, switch power consumption cost can vary depending upon port speeds, power supply efficiency and utilization.  On an annual basis switch energy cost can be as much as a few thousand dollars per switch.  For very large public cloud deployments network energy cost can be a few million dollars annually or nearly the network’s capital cost.</p>
<p><strong>Non-blocking:</strong>  The days of under subscribing the network core of bandwidth and relying on buffers and queue management to manage congestion are over in cloud computing.  The network must be non-blocking so that no packet has to wait as it travels between storage and compute.</p>
<p><strong>Non-Stop Operation:</strong>  The cloud network operates 24&#215;7 and cannot disrupt service by failure or maintenance and by definition requires a new level of reliability.  Switches that make up the cloud network need to be self-healing at a software modular level and offer transparent in-service software updates.  In short one software feature failure cannot bring down the entire software image.</p>
<p><strong>Management: </strong> In large cloud networks automated provisioning, monitoring, maintenance, upgrading and troubleshooting are required to eliminate the complexity and risk of real-time upgrades and image/patch management.</p>
<p>There are four primary suppliers of Cloud Networking.  Cisco’s Nexus switches offer a complete solution from server connect, inter-switch and certain storage connections.  The Nexus 7000 is a large chassis-based switch for core inter-switch and storage connections while the Nexus 5000 is a modular switch positioned for the distribution layer plus storage connections.  Cisco provides the Nexus 1000 and 2000 which are port extenders designed for server connections.  The port extenders currently obtain configuration information from the Nexus 5000. </p>
<p>HP ProCurve is new to the data center with its 6600 series of switches, which are focused exclusively on top-of-rack and end-of-row server connections at 1 and 10GbE.  Its enterprise 5400 and 8200 switches provide distribution and end-of-row and core-layer connections.  Blade Network Technologies offers the RackSwitch family of switches consisting of the G8000, a 1/10GbE switch; the G8100, a 10GbE top-of-rack switch; and the G8124, a 24 port 10GbE switch with SFP+ connectors.  All of Blade Network Technologies’ switches are exclusively for server connections.  They also boast of their VMready software resident on their RackSwitch switches, which automates VM migration across the network.  </p>
<p>The newest company to enter the cloud networking space is Arista Networks.  Arista offers the 7100 series of datacenter Ethernet switches for rack and blade server aggregation.  The 7100 series includes the 7148X, a 48 port non-blocking 10GbE switch; the 7148S, a 48 port slightly blocking 10GbE switch; and the 7124S, a 24 port non-blocking 10GbE switch.  Arista is unique in three aspects:</p>
<ol>
<li>Extensible Operating System (EOS) delivers a modular protected memory architecture that ensures reliability and availability as each process is monitored and restarted automatically in response to failure, while in-service software upgrades (ISSU) allow individual software components to be updated without disrupting system operation.</li>
<li>Raw performance measured in non-blocking packet throughput at line rate and low latency independent of packet size and traffic type while the switches are fully populated with both 1 and 10GbE.</li>
<li>Its two-tier architecture of leaf and spine where leafs connect servers and spines connect switches eliminates the access layer of the traditional access, distribution and core, collapsing network design into a simpler two-tier structure. </li>
</ol>
<p>The Arista switches were designed for cloud hosting and PaaS providers, market data and electronic trading, high scale web environments, analytics, Hadoop and large scale data processing, virtualized environments, cloud storage and video content creation and delivery. </p>
<p>Other switch firms will more than likely announce new switches for cloud networking over the next few quarters.  For example, Force10 has invested in virtualization and automation with cloud networking being a natural next step.  Extreme Networks offers its Summit X650, a top-of-rack switch designed for 10 GbE server connections in enterprise data centers.   Foundry Networks (now Brocade) offers its BigIron Ethernet switches for data center applications.   </p>
<p>There are vendor options for cloud networking.  Cisco and Arista have developed new products and operating systems to support this market.  Others will be sure to follow as infrastructure spending for cloud computing is projected to reach $42B in 2012, according to IDC.  That level of spending represents about one fourth of all IT infrastructure spend in 2012, growing at a rate of 25% a year.  Did someone mention a recession?</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2009/02/lippis-report-120-cloud-computing-drives-new-networking-requirements/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Lippis Report 119: Are Cisco, HP and IBM on Data Center Collision Course?</title>
		<link>http://lippisreport.com/2009/02/lippis-report-119-are-cisco-hp-and-ibm-on-data-center-collision-course/</link>
		<comments>http://lippisreport.com/2009/02/lippis-report-119-are-cisco-hp-and-ibm-on-data-center-collision-course/#comments</comments>
		<pubDate>Tue, 10 Feb 2009 22:10:55 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=1411</guid>
		<description><![CDATA[<p><img class="alignright" src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="Nick Lippis" />For this Lippis Report Research Note I talked with Cisco’s Mark Fulgham, VP Marketing Data Center Emerging Technologies at Cisco on Unified Computing, and Jim Ganthier, VP HP BladeSystem Marketing, Metrics and Solutions. Scheduling difficulties precluded IBM from participating; thus…</p>]]></description>
			<content:encoded><![CDATA[<p><img class="alignright" src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="Nick Lippis" />For this Lippis Report Research Note I talked with Cisco’s Mark Fulgham, VP Marketing Data Center Emerging Technologies at Cisco on Unified Computing, and Jim Ganthier, VP HP BladeSystem Marketing, Metrics and Solutions. Scheduling difficulties precluded IBM from participating; thus we’ll focus primarily on Cisco and HP in this Research Note.  IBM is rumored to shortly be announcing a tighter relationship with Juniper Networks and Brocade to bolster its Dynamic Infrastructure to be more competitive with HP’s Adaptive Infrastructure and Cisco’s Data Center 3.0 with Unified Computing initiative.   Look for more information as it occurs; <a href="http://twitter.com/nicklippis">follow us on our Twitter account</a> and join our <a href="http://www.facebook.com/group.php?gid=44245557636">cloud computing/networking Facebook group</a>.  </p>
<p>During this economic cycle a larger concentration of dollars is being spent among the largest IT suppliers, i.e., HP, IBM, Cisco, Microsoft, CA, et al.  Similar to the dotcom bust in 2001 IT leaders are flocking to the safety of large IT suppliers with broad product portfolios, healthy balance sheets, financing and staying power; companies such as Cisco, IBM, HP, et al.  As more dollars flow to these firms they are compelled to enter adjacent markets once occupied by friendly partners.  In short the lines of market delineation are changing with the largest of IT suppliers finding that their once friendly partners are now fierce competitors.  This dynamic is most pronounced in the data center market where HP, Cisco and IBM are increasingly on a competitive collision course as they position for a larger share of overall IT and in particular data center spend.</p>
<p>Data center rationalization/consolidation, virtualization, green data center technologies and cloud computing are all healthy market segments, albeit challenged.  HP and IBM are the two data center powerhouses providing blade servers, storage, data center switches, virtualization and professional services solutions while Cisco is the networking giant who recently announced its unified computing strategy; more on this below.  All have been in the data center market for years providing solutions around servers, storage and networking.  But there are some huge changes taking shape.  </p>
<p><strong>First Some Background</strong></p>
<p>In November of ‘08 HP integrated its HP ProCurve networking group into its Technology Solutions Group (TSG).   TSG represented some $41B in FY 08, 35% of HP revenue and contributing over $5B to net income which excludes EDS.  TSG is the largest business segment of HP, providing servers, storage, software and information technology services for enterprise and mid-market business customers.  TSG includes Enterprise Storage and Servers (ESS), Services including EDS and Technology Services (TS), HP Software and HP ProCurve Networking serving HP&#8217;s business customers of all sizes in more than 170 countries.  </p>
<p>TSG markets its Adaptive Infrastructure (AI) as its strategy and portfolio for accelerating adoption of next-generation data center technologies and services. AI enables the delivery of a &#8216;service-ready&#8217; infrastructure to ensure IT supply readily meets business demand; and for IT Operations to maintain effective and efficient resource utilization. To that end, AI offers a range of modular, standards-based products and services including BladeSystems, its recently announced and delivered Virtual Connect, Insight Dynamics-VSE for physical and virtual server management and the AI Maturity Model tool and process, offered in addition to advisory and implementation services. Last month HP added Insight Orchestration (embedded Operations Orchestration functionality) and Insight Recovery options to Insight Dynamics &#8211; VSE and announced new AI Discovery centers plus ProCurve switches, software, and services to aid in network orchestration. It’s clear that HP is executing on its AI strategy to deliver the vision of a next-generation data center &#8211; with deep product and professional services underpinnings that are available today, a unique position.</p>
<p><strong>TSG Integrates ProCurve</strong></p>
<p>Back to ProCurve and TSG.  TSG’s sales organization is now selling HP ProCurve networking products while HP ProCurve maintains its existing two-tier distribution structure.  ProCurve products are integrated into the TSG portfolio, making it more compelling for HP’s enterprise sales staff to sell ProCurve in an enterprise solution than from competing vendors.  With TSG sales organization compensated to sell HP ProCurve, TSG will open doors for ProCurve in very large accounts.  Further, the inclusion of ProCurve 6600 series top-of-rack switches into TSG’s Performance Optimized Datacenter (POD), a datacenter in a 40-foot container equipped with nearly 4,000 servers, 12,000 LFF hard drives, cooling, etc., will almost certainly boost their market share, thanks to its reach and distribution. Also, EDS represents an opportunity for ProCurve to gain a significant presence in the world of large enterprise companies. Since the completion of HP’s acquisition of EDS on August 26, HP ProCurve has been working with EDS to introduce ProCurve products into their network services portfolio qualification process.</p>
<p>Furthermore, ProCurve’s new SVP and GM Marius Haas reports into TSG head Ann Livermore where previously, Haas and before him John McHugh reported into chief strategy and technology officer Shane Robison. This is a huge change from when Carly Fiorina, previous HP CEO, sat on John Chambers’ Cisco Systems CEO board where the two companies were friendly competitors.  Not any longer.  TSG is focused on competing with Cisco as HP ProCurve will increasingly have access to large enterprises.  ProCurve has always been a lower cost and margin provider of networking solutions.  ProCurve recently announced its 6600 series of five top-of-rack switches for the data center, ProCurve ONE ecosystem and ProCurve Data Center Connection Manager network orchestration software. The ProCurve ONE ecosystem includes partners such as Microsoft, Avaya, Riverbed, F5, McAfee and many others. </p>
<p>In addition HP Network Solutions has teamed with ProCurve Networking to develop a modular suite of technology services for networks – the HP ProCurve Environment Direct Access Service (EDAS).  The ProCurve EDAS program offers customers the advantage of 24&#215;7 direct access to remote expert-level support, with value-added features that include a high-touch customer relationship via an assigned remote Technical Account Manager. This service enables customers to manage their ProCurve environment by receiving remote technical assistance to improve their network performance and reduce the risks associated with unplanned downtime. This service complements a full range of services that meet the end-to-end networking needs of customers. Network lifecycle services form the core foundation of network consulting, assessments, planning, design, integration, deployment and management. HP Network Solutions Group’s complete set of initiatives spans Unified Communication Solutions, Data Center Networking, Wireless and Mobility as well as Network Security/Adaptive Network Architecture (ANA).  A main theme of HP is choice and options, which it clearly is delivering.</p>
<p><strong>Cisco’s Data Center 3.0 Initiative</strong></p>
<p>Cisco’s Data Center 3.0 initiative is its vision to orchestrate virtual IT.  The strategy is to sense changes in application demand, facilities, servers and virtual machines by enabling all IT assets to respond in a coordinated fashion within seconds to change and extend the reach of data centers.    The execution of this strategy is based upon virtual datacenter infrastructure including storage, servers, networks and network services.  To meet that end Cisco has produced products and services that unify front- and back-end networking with a unified fabric and I/O, delivered data center class platforms, service orchestration systems and deep application intelligence products.</p>
<p>Its products include the Nexus family of data center switches including the Nexus 7000, a high-density 10Gbs Ethernet core switch; Nexus 5000, a modular, low latency 10Gbs Ethernet/Fibre Channel/FCoE top-of-rack access layer switch; the Nexus 2000 Fabric Extender for 1/10Gbs Ethernet server consolidation; and the soon-to-be released Nexus 1000V, a software switch for server virtualization and part of Cisco’s VN-Link portfolio of virtual machine-aware network and storage services.  The Nexus switches link servers and storage into a unified data center fabric via lossless 10Gbs Ethernet and support for Fibre Channel over Ethernet (FCoE). The Nexus 1000V will enable the virtual network infrastructure to deliver the same visibility, security, management and diagnostics tools that are available today with Cisco’s physical networking equipment while preserving the dynamic nature of a virtual machine environment. </p>
<p>The entire Nexus family shares a common operating system, NX-OS, which has been optimized for the data center, providing resiliency with support for process restartability and modularity for service upgrades.  Cisco Nexus family provides customers with a granular path to add capacity and capabilities to the data center network while allowing customers to have the ability to leverage their existing and continued investment in Catalyst. The Cisco Catalyst 6500 &#038; 4900 Series products provide industry leading investment protection and feature rich services support, while the MDS 9000 family of storage area networking (SAN) switches support the customer path to virtualized SAN environments; the ACE  (Application Control Engine) and Wide Area Application Services (WAAS) portfolio deliver leading  application delivery and WAN Optimization, and Data Center Network Manager (DCNM) provides integrated management, topology visualization and provisioning. </p>
<p><strong>Unified Computing</strong></p>
<p>During the past two weeks Cisco has been discussing its Unified Computing initiative, which is its strategy to provide a wider data center offering into the computing market.  Cisco’s primary focus is on virtualized data centers, a new growth market and departure from existing data center design.  This one theme transcends its Data Center 3.0 initiative.  The main point here is that Cisco sees an opportunity to offer a wider range of products which enable virtualized storage, compute and networking.  As networking speeds in the data center increase from 1Gbs to 10Gbs to 40Gbs and 100Gbs, the boundaries between storage, networking and computing are starting to be redefined, as virtualization is now starting to show.  High-speed networks with very low latency will accelerate this trend, which Cisco sees as an opportunity to expand its role and prominence in data center design.  </p>
<p>While I have no inside information on Cisco’s Unified Computing, when connecting the dots it does seem fair to assume that Cisco will create a new offering that accelerates data center virtualization in the server market which could be a higher margin product space than traditional blade servers, rack servers, etc.  Cisco has always entered adjacent markets based upon an architectural transition occurring; it sees virtualized data centers as such to the point that existing suppliers, those being HP and IBM will be painted as legacy data center players. While HP is the market leader in blade servers and virtualization, the opportunity that Cisco is hoping for is that it will be faster to gain virtualized blade server market share than its competitors by dominating this segment.</p>
<p><strong>HP, IBM &#038; Cisco Head Toward Greater Competitive Positions</strong></p>
<p>Now HP sells a lot of Cisco gear as does IBM and neither is pleased with Unified Computing and Cisco’s expansion into the data center.  In the past Cisco has always done well to break away from competitors such as 3Com, Nortel, Extreme, Foundry/Brocade, et al., during down markets.  When it entered the SNA market and competed with IBM for networking, it won over a much larger competitor.  Having entered and defined the IP telephony market, competing with long-established firms such as Lucent (now Avaya), Nortel, Siemens, Mitel et al., Cisco now holds the number 1 or 2 market share position.  Now as the industry has both a major technology transition occurring, that being virtualization, and a severe economic recession, Cisco finds itself in a place it thrives in: two environments &#8211; a bad economy where its financials are competitive differentiators and a major technology transition.  </p>
<p>But HP is different than previous Cisco competitors.  It’s massive with FY08 revenues of $118B and 13% Y/Y growth with projections to grow in 2009 to some $130B; yes that is growth and we’ll see on Feb 18th when HP announces last quarter’s earnings.  It’s responsive to competitors in markets where margins are thin (25 to 30%) such as PCs.  It’s now the largest IT firm in the world, recently pushing IBM to second in revenues and beating rival Dell in the PC market.  It’s not clear if Cisco’s financial strength will be an advantage over HP, even though Cisco has the largest cash and equivalents war chest in the industry of nearly $30B as both are valued at nearly $90B.</p>
<p>But here’s the rub: business models.  HP is clearly looking to gain some of Cisco’s $12 to $15B networking leadership.  HP operates happily on 25-30% margins while Cisco enjoys 65-75% margins.  Entering the server market, unless Cisco’s product includes VMware software, is a low margin business model.  Even if Cisco does generate $1B at 30% GM that’s $300M profit, but they could lose $1B and $650M of profit too in switching.  That’s why it’s a fair bet that Cisco will opt for the virtualized blade server market, to make sure that its risks are fairly rewarded.</p>
<p>No matter how you look at it, these once friendly companies seem destined for a major confrontation in the data center.  The question is will the boundaries being changed in storage, computing and networking, thanks to virtualization, tilt toward a network platform to the point where Cisco can control much of the data center?  Or will HP and IBM be able to react and respond to the same technical shifts with innovations of their own, blunting Cisco’s surge?  For IBM, they are getting very close to Juniper and Brocade as they look to bolster their Dynamic Infrastructure offering to stay competitive with HP’s AI and Cisco’s DC 3.0.  Stay tuned.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2009/02/lippis-report-119-are-cisco-hp-and-ibm-on-data-center-collision-course/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>Lippis Report 118: Cisco Delivers EnergyWise Giving Corporate Energy Control To IT</title>
		<link>http://lippisreport.com/2009/01/lippis-report-118-it-firms-step-up-to-deliver-smart-enterprise-and-national-power-grids/</link>
		<comments>http://lippisreport.com/2009/01/lippis-report-118-it-firms-step-up-to-deliver-smart-enterprise-and-national-power-grids/#comments</comments>
		<pubDate>Tue, 27 Jan 2009 05:00:30 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=1327</guid>
		<description><![CDATA[<p>The stock market crash of 2008 and the subsequent global economic downturn have diverted attention away from major IT industry themes.  But as business and IT leaders come to grips with new economic realities one theme, Green IT, has not…</p>]]></description>
			<content:encoded><![CDATA[<p>The stock market crash of 2008 and the subsequent global economic downturn have diverted attention away from major IT industry themes.  But as business and IT leaders come to grips with new economic realities one theme, Green IT, has not lost its luster.  In fact, green is increasingly being viewed as “lean” as it complements corporate efficiency initiatives, which have been prioritized during this current business cycle.  In short, the economic slow down is offering business and IT leaders an opportunity to accelerate their Green IT plans as these programs improve operational and energy efficiency.</p>
<p>For IT executives most of their Green IT efforts have focused on data center power and thermal efficiency by leveraging tools and programs such as data center consolidation, server and storage virtualization and procurement of IT devices with improved power supply conservation technology.  While data center power efficiency projects are worthy of their investments and results, the fact is that data center power consumption represents less than 2% of total electrical power consumed on average.</p>
<p>The Environmental Protection Agency (EPA) calculated that the energy consumed by the nation&#8217;s servers and data centers was estimated at 61 billion kilowatt-hours (kWh) in 2006, which accounted for 1.5 % of total U.S. electricity consumption at a cost of about $4.5 billion.  This consumption is two times larger than what was consumed in 2000 and is projected to double again by 2011 unless efficiencies are implemented, according to the EPA.</p>
<p>To limit climate change, many believe that greenhouse gas emissions must be reduced by 25 gigatonnes (Gt) to 30 Gt of CO2 equivalents (CO2e) annually by 2030; a tonne is a metric ton.  Gartner estimates Green IT’s total CO2 emission reduction is approximately 0.6 Gt.   Clearly there have to be better ways to leverage IT to not only reduce its own power consumption but the power consumption of non-IT devices.  For example, in a typical commercial building, lighting plus heating and cooling represents some 66% of total electrical energy consumption while IT represents between 25 and 30%.  Within IT, desktop computers, printers, etc., consume 50%, data centers draw 30% while networks represent 10% of electrical energy consumption.  </p>
<p>Much attention in the IT vendor community has been placed upon individual devices and data center power consumption in an effort to reduce carbon footprints and energy cost.  And while these are all welcome activities which deliver real results in both power consumption reduction and savings on spend, there is a broader network-based approach to address the remaining 98% of power consumed which can deliver far greater gains in power efficiency and cost reduction.  </p>
<p>The networked approach to power management is based upon the simple fact that all devices are connected into a network.  Today these devices are IT-based, including computers, storage, printers, access points, cameras, phones, special network appliances such as firewalls, mobile devices, and increasingly TVs and other non-IT electronics.  The network is in a unique position to monitor, distribute commands and most importantly control the power consumption of the devices it connects.  This concept is straightforward for devices that obtain their power from network switches via Power over Ethernet (PoE) such as wireless LAN access points (AP), IP phones, ethernet/IP-based video surveillance cameras, etc.  But the networked approach to the power management concept is being extended to non-PoE IT devices such as computers, digital signage, printers, storage, fax machines, etc.  The concept can be extended further still to non-IT systems such as building controls, lighting, elevators, 24/7 monitoring systems, HVAC-sensors, fire/smoke sensors, et al.  </p>
<p>To achieve this level of power management there needs to be an open architecture rich enough to foster a new green energy ecosystem.  This architecture will offer business and IT leaders the command and control tools to manage and measure overall corporate versus just IT power consumption with the potential to demonstrably reduce energy cost and CO2 emissions, comply with government regulations, industry directives, and gain real business rewards through improved environmental practices and posture.</p>
<p>Cisco’s new EnergyWise architecture offers enterprise IT energy management software to monitor and control the ability to change the state of power consumption of devices connected to the network. IBM’s smart grid maturity model is a framework designed to help energy and utility companies improve how power is distributed and used, adding intelligence throughout the grid to dramatically reduce outages and faults, improve responsiveness, handle current and future demand, increase efficiency and manage costs. Building a national smart grid will take time while Cisco’s EnergyWise will focus on controlling corporate energy use.</p>
<p>With EnergyWise, enterprise networks will not only be a distributor of packets but a control plane to manage power consumption, extending IT’s value proposition beyond traditional cost reduction and productivity improvement to total energy, cost and carbon reduction and optimization.  For Cisco, IBM and others who offer enterprise energy management solutions, the basis of competition to manage power will be on the scale of their ecosystem, the number and type of devices they can manage and the usefulness of their energy management software.</p>
<p>For corporations, Cisco’s EnergyWise promises to offer the ability to program and control energy consumption of devices and facilities such as AC, heating, lighting, etc., much like programmable thermostats.  Selectively powering down building controls and IT after hours and turning them back on in the morning will be the largest use at first.  Today to conserve energy, facility managers have the option to either turn power on or off; there is little to no monitoring and intelligence in the decision.  This is about to change as EnergyWise will provide facility managers the tools to be more surgical in their energy conservation efforts.</p>
<p>For corporations the use of EnergyWise offers a means to view power consumption, optimize its use and reduce cost and carbon spend.</p>
<p>I offer the following recommendations to business and IT leaders who seek to develop demonstrable impact on corporate energy cost reduction, power conservation, reduced GHG emissions, energy regulation compliance and the benefits associated with an improved corporate “Green” brand.</p>
<p>1) Consider Cisco EnergyWise as a component of your corporate green initiatives to, over time, manage not only power consumed by IT devices but all electronic systems. Clearly, Cisco EnergyWise will evolve over a long period of time as its ecosystem develops and value is added to its architecture. Cisco EnergyWise could be thought of as an eco-friendly &#8212; and business beneficial &#8212; technology that provides increased power conservation opportunities as it evolves and matures.</p>
<p>2) Consider pilot-based Cisco EnergyWise deployment first to understand the technology and its limitations, develop skill sets and perhaps most importantly develop an energy efficiency policy which can be managed, monitored, enforced and optimized under Cisco EnergyWise.</p>
<p>3) Consider developing success metrics such as power managed per port, energy reduction and spend goals, power consumed per worker productivity, power spend as a percentage of revenue, power spend as percentage of EBDIT (earnings before depreciation, interest and tax) plus other relevant success factors to track your progress and success.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2009/01/lippis-report-118-it-firms-step-up-to-deliver-smart-enterprise-and-national-power-grids/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Lippis Report Issue 117: Top 10 IT Predictions For 2009</title>
		<link>http://lippisreport.com/2009/01/lippis-report-issue-117-top-10-it-predictions-for-2009/</link>
		<comments>http://lippisreport.com/2009/01/lippis-report-issue-117-top-10-it-predictions-for-2009/#comments</comments>
		<pubDate>Mon, 12 Jan 2009 19:53:15 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=1297</guid>
		<description><![CDATA[<p>This is not 2001, but 2009.  This recession&#8217;s impact on the IT industry is nothing like the Great IT Depression of 2001 when $5 trillion of IT market value was wiped out, IT firms worked off large product inventories pushing…</p>]]></description>
			<content:encoded><![CDATA[<p>This is not 2001, but 2009.  This recession&#8217;s impact on the IT industry is nothing like the Great IT Depression of 2001 when $5 trillion of IT market value was wiped out, IT firms worked off large product inventories pushing margins down and hundreds of thousands of IT jobs were lost.  2009 IT spending is projected to be +/- 2%, which does not include the yet to be approved $700 to $850B stimulus package which IT will benefit from because of its universal broadband, healthcare IT investment, smart grid and green energy initiatives. In fact IT jobs, especially those with networking skills, are in demand.  But 2009 is similar to 2001 in one regard: IT leaders are flocking to the safety of large IT suppliers who possess healthy balance sheets and staying power; companies such as IBM, Cisco, HP, Microsoft, CA, Oracle, et al.  No doubt there is caution in the air as IT leaders focus on smaller projects that have quick payback or large IT projects that can be delivered at speed to realize business value in short order.  While the first two quarters may be slower than normal, the hope is that the back end of 2009 will be stronger.  With this as a backdrop here are our Top 10 IT Predictions for 2009:</p>
<p><span id="more-1297"></span></p>
<p><strong>Prediction 1:  2009 is the year of Data Center Redesign.</strong>  Data center projects including consolidation, greening, virtualization and increasing cloud computing have been accelerated thanks to the macro economic climate and are in full force now and for the foreseeable future.  In addition to strong economic incentives which take advantage of increased performance at lower cost including dollars, footprint, carbon, etc., with the downturn in the economy internet usage has spiked.  As companies cut travel, training, conferences, trade shows, etc., employees have turned to the web for conferencing, training and collaboration.  Consumers too have turned to on-line shopping to reap greater discounts than those from brick and mortar stores, fueling the demand for greater data center performance.  Also data center performance upgrades cannot be pushed out in time like desktop operating systems and operational IT infrastructure.  </p>
<p><strong>Prediction 2: HP, IBM and Cisco are on Collision Course over Data Center Dominance.</strong> HP, IBM and Cisco will position for dominance in the data center space in 2009 thus putting them on a competitive collision course. The drivers are mainly a result of the macro economic cycle causing IT leaders to flock to the safety of large IT suppliers and the uptick in data center projects.  Cisco, HP and IBM are augmenting their data center solution with adjacent offerings crossing into each other’s traditional markets which is sure to change these once friendly partners into fierce competitors.</p>
<p><strong>Prediction 3: IT Suppliers step up to offer IT and non-IT Energy Efficient Solutions.</strong>  2009 will bring energy conservation and efficiency solutions from IT suppliers that transcend their own products to control energy consumption of IT and non-IT devices.  In addition to more energy efficient power supplies and cooling technologies, IT firms will offer architectures and solutions that allow IT and business leaders to monitor and manage the energy consumption of not only IT devices but facility systems such as lighting, AC, Heating, etc.  </p>
<p><strong>Prediction 4: Unified Communications gets Folded into Collaboration Solutions.</strong>  In addition to standalone UC offerings UC will be increasingly integrated into collaboration offerings.  Further, the communications-enabled business processes market, while still small will segment into technology specific-enabled business processes.  In 2009 a mobile-enabled business process, video-enabled business process, cloud-enabled business process, etc., will emerge to address business needs to streamline processes and improve productivity. </p>
<p><strong>Prediction 5: Enterprise Grade Facebook-Like Social Networking with UC, Video et al Takes Off Thanks To Efficiency/Productivity Gains.</strong>  Call it Web 2.0, enterprise 2.0, etc., but in 2009 the combination of social networking, collaboration, UC and video will come together to offer business and IT leaders a bottom-up approach to self-organizing into groups of people that share information to advance projects and improve workflow.  In short, enterprise-grade Facebook-style social networking complete with UC, presence, video, etc., will transform how people organize within a corporation to deliver work.</p>
<p><strong>Prediction 6: IT Leads The Economy Out Of Its Slump.</strong> Business and IT leaders realize that sustainable productivity gains come from business process streamlining and automation.  IT provides the automation.  In addition new data center designs and collaboration models increase business value creation and productivity.  After RIF (Reduction in Force) and business process review, IT is the only tool available to create sustainable business value.  </p>
<p><strong>Prediction 7: IT Organizations Are Redesigned.</strong>  To support user programmable enterprise web 2.0 services and data center convergence IT leaders will be forced to review their existing mode of operation and organization.  Gone will be the silo skills of security, communications, networking, storage, servers, applications, etc., and instead there will be a horizontal IT organization that delivers services and infrastructure.  The delineation between user and IT procured will change with IT providing infrastructure and collaboration, in which users freely insert content and program to their liking.  In the data center the segmentation of IT skills based upon technologies and administrative domains will change too as technologies cross old boundaries and vendors offer broader solutions.</p>
<p><strong>Prediction 8: Brocade, Juniper and Extreme Are Not Standalone Firms By Year End 2009.</strong>  There will be vendor consolidation in 2009 and with data center projects garnering the lion’s share of market dollars, a big black hole will form sucking smaller players into the portfolio of larger ones.  It’s not clear if Juniper will be an acquirer or be acquired as its market value is nearly $10B, which yields it options.</p>
<p><strong>Prediction 9: Microsoft Finds That OCS Lacks Industry Traction.</strong>  It’s taking much longer for Microsoft’s OCS to gain industry traction.  There are no 10,000 seat deployments of OCS to which one can point.  So far the traditional enterprise communication suppliers are doing very well with their UC offerings including Cisco, Avaya, Siemens, ShoreTel and Mitel.  It does not help Microsoft that its main partner, Nortel, is bankrupt and may be preparing a Chapter 7 liquidation filing.  Also it’s difficult to change the mind of IT leaders now as they are so focused on short-term projects.  Microsoft’s UC solution is based upon presence while all the other communication companies’ UC offerings are based upon VoIP/IP telephony.  So 2009 does not look like Microsoft’s year for OCS, but don’t count them out, perhaps 2010 is their year.</p>
<p><strong>Prediction 10: Wireless LAN Connections Increase.</strong>  2009 may very well be the cross-over year where wireless connections outgrow those that are wired.  This would be a major turning point in the fortunes of companies that produce ethernet switches and WLAN products.  Clearly firms such as Cisco and HP ProCurve offer both wired and WLANs, but Juniper, Extreme and Foundry offer limited WLAN solutions.  Companies such as Aruba, Ruckus Wireless, Trapeze Networks, et al, are poised to gain as this cross-over takes place.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2009/01/lippis-report-issue-117-top-10-it-predictions-for-2009/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Lippis Report 116: IT Was The Problem In ’01; Now It’s The Solution</title>
		<link>http://lippisreport.com/2008/12/lippis-report-116-i-believe-in-it-it-was-the-problem-in-%e2%80%9901-now-it%e2%80%99s-the-solution/</link>
		<comments>http://lippisreport.com/2008/12/lippis-report-116-i-believe-in-it-it-was-the-problem-in-%e2%80%9901-now-it%e2%80%99s-the-solution/#comments</comments>
		<pubDate>Mon, 15 Dec 2008 19:00:24 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[economy]]></category>
		<category><![CDATA[HP]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[microsoft]]></category>
		<category><![CDATA[networks]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=1251</guid>
		<description><![CDATA[<p>I believe in IT.  Even with all the gloom in the economic news, IT will play a major role in the recovery.  This economic mess is not a typical business cycle of supply and demand balance or imbalance.  It’s rooted…</p>]]></description>
			<content:encoded><![CDATA[
<p>I believe in IT.  Even with all the gloom in the economic news, IT will play a major role in the recovery.  This economic mess is not a typical business cycle of supply and demand balance or imbalance.  It’s rooted in the greed of a few who sold sub-prime mortgages to those who could not afford them, rating agencies that gave AAA rating to BBB sub-prime mortgage-backed bonds, investment banks that solicited investors to short these bonds only so they could use the short to synthesize and multiply the number of bad bonds which eventually clogged the credit market and ignited the stock market crash of 2008.  This cycle of greed has and will continue to cost us, our children and our grandchildren dearly as we are forced to bail out financial institutions, the auto industry and fund a stimulus package sized in the $500 to $700 billion range.  With this concerning economic backdrop, I believe in IT more now than at any other time in my career.  Why?  Because after all the cost cutting, reduction in force or layoffs, supply chain rationalization, expense reduction initiatives, etc., IT is the only tool humans have to improve and sustain productivity gains.  </p>
<p><span id="more-1251"></span></p>
<p>For some this may seem like an odd position as many IT professionals have fresh memories of the 2001 recession that wiped out $5 trillion of IT market value and cost hundreds of thousands of jobs.   But this economic cycle is in stark contrast to the role IT played in the 2001 recession.  In short, IT was the problem in the 2001 recession; it’s the solution now.</p>
<p>In 2001 IT was at the epicenter of that recession.  Overspending on IT, thanks to Y2K and the internet boom was the problem.  The IT industry experienced 50% growth rates that reversed course to -45% within weeks.  Inventories were bloated and IT firms were overstaffed.  Skepticism descended upon IT investment, prompting CFOs to take charge of reviewing and approving IT projects.  The 2001 recession, in retrospect, was the best thing to happen to IT.  IT firms became more focused on delivering business value that was quantifiable in terms and metrics that executive management could understand.  As IT firms worked off inventory and streamlined operations their balance sheets became strong with little debt to service and stayed that way.</p>
<h3>In 2001, IT was the problem; in 2008 IT is the solution.</h3>
<p>Well-managed IT firms have very strong balance sheets and their solutions are designed to increase productivity and reduce cost which will serve them very well during this difficult business cycle.  Clearly there is reduction in force occurring across the economy with the latest unemployment levels at 6.7%.  Many economists expect this number to rise above 8% during 2009.  Note that every .3% increase is approximately 500,000 jobs lost meaning that another 2 million jobs are expected to be lost in 2009.  But unlike 2001, IT jobs are in demand, especially those with networking skill sets.  So why am I bullish on IT?  Because IT is fundamental to productive and profitable business operations.</p>
<p>For example when organizations undergo a RIF, the workload of those remaining is increased to pick up the work performed by those who are no longer employed.  While corporations may experience a short-term increase in productivity thanks to RIF, this is seldom sustained without the injection of productivity improvement processes and tools.  Along with RIF many astute business and IT leaders are reviewing business processes with a laser focus toward efficiency.   Automated and streamlined business processes via IT are the engine of productivity, which enables corporations to sustain productivity gains through RIF and other cost-cutting initiatives.</p>
<p>Larger IT firms will benefit more during the current economic cycle as they possess the resources to quickly deliver change.  From an IT industry perspective there is a flight to safety occurring now which will continue during the next twelve plus months.  This means that those IT firms with the largest market share and strongest balance sheets will gain the lion’s share of revenue during this business cycle.  It’s highly likely that firms such as Microsoft, IBM, Cisco, HP, EMC, CA, Oracle, et al., will increase their market share during this time.  This is not to say that these firms will grow in the current recession, as IT spending is usually two to three hundred basis points above GDP.  But they will gain market share over their category competitors.  There will be fortune change too between the largest IT players as a shift in IT spending favors the network business platform over legacy IT products and services.  The bottom line is that the largest IT firms will be the winners at the other end of this economic cycle.</p>
<h3>The Data Center At The Epicenter Of Large IT Supplier Competition</h3>
<p>Never before have large IT vendors had so much overlap between product lines.  The data center is the new front in competition between IT titans.  Data center consolidation, virtualization, and cloud computing offerings will become more and more similar between large IT suppliers.  In fact, Cisco is rumored to be planning a server blade offering, which has IBM’s Chairman and CEO Sam Palmisano and HP’s CEO Mark Hurd alarmed.  At stake during the downturn is who will control the data center?  Will it be applications, servers, networking, storage companies or those that can envision, design, deploy and manage next generation data centers?  Web 2.0-based collaboration that integrates video, social networking techniques and unified communications is the second front where Microsoft, IBM, Cisco and HP will clash.  While data centers are more about IT cost reduction, collaboration is about corporate productivity thanks to a new communication model for enterprise operations.</p>
<h3>IT is Strategic</h3>
<p>In the current macro-economic climate IT could not be more strategic as it offers the only sustainable approach to productivity improvement.  In fact, for those that invest in IT projects targeted at productivity improvements they could be rewarded with performance increases between 5 and 10%.  Let’s think about this for a second.</p>
<p>During the late ’90s in the run-up to the dotcom boom and telecom crash, corporate productivity soared.  The reason was IT and in particular the internet and web 1.0.  The internet was and still is an efficiency engine.  It sought out inefficiency in business models and processes only to transform them and improve efficiency by eliminating human and system delay in business processes. </p>
<p>Clearly today’s corporate initiatives have changed dramatically since August.  Business leaders have embarked on systemic operational cost reduction initiatives as well as increasing organizational flexibility, meaning delivering speed and scale of corporate capabilities to address market dynamics.  Business leaders don’t have the luxury of patience to gain the benefits of IT projects, which means that their focus and scope is shorter.  There is no time for year-long design cycles.   So business and IT leaders are picking and choosing big productivity wins.  For some firms this may be a streamlining of how it does business with customers, or perhaps reducing the number of product SKUs that make up a sale or making a corporation more responsive to customers and events through collaboration.</p>
<p>In today’s market, IT and the internet with web 2.0 deliver the tools business and IT leaders need to make their employees more productive as they pick up additional workload and business processes are streamlined.  During 2009 industrial-strength Facebook-like social networking, which integrates UC, video, telepresence, etc., could become the collaboration interface organizing employees, projects, information and processes via self-selecting groups.  For example, all financial professionals may join the corporate finance group as well as various projects they support by posting videos, questions, project updates, schedules, problems, solutions, etc., in short populating and sharing information with the group.   This new approach, borrowed from consumer social networking sites, promises to deliver productivity gains by moving workflow faster between employees within groups to speed up projects.  In addition to enterprise-based social networking collaboration, we expect acceleration in IT projects that deliver strong business value as long as suppliers can deliver at speed.</p>
<h3>All IT Vendors Are Becoming Networking Vendors</h3>
<p>At the same time that the global economy is entering a great recession the IT industry is offering a new IT delivery platform &#8211; the networked platform.  First a word on “platform”.  A platform is an infrastructure in which business value is created and maintained. The word platform in the IT industry used to mean a software development environment, which was tied to a specific computing system.</p>
<p>In the 1960s and 1970s the IBM mainframe was the platform.  Then in the late 1970s and into the 1980s the mini computer by Digital, HP, Data General, et al., took the platform ring.  Then in the late 1980s and early 1990s the PC took the platform title.  But during this time frame, a new technology emerged called local area networking (LANs), which connected PCs and expensive peripherals such as printers and file storage together into a PC LAN.  This was the birth of the network-based business platform. </p>
<p>It took a few years, but in the early part of the 1990s LANs started connecting all IT assets including terminals, mainframes, minicomputers, PCs, storage, servers and other LANs over wide area networks via IP.  As each of these separate IT segments became connected a multi-billion dollar market arose.  The network platform delivered value in two main areas: 1) it increased access to expensive IT equipment for all enterprise employees; and 2) for the first time it provided programmers with access to all computing resources so that data and applications could be shared between mainframe, mini and PC computing.  Then in the mid 1990s the internet and email took off and the network platform was solidified.</p>
<p>Today the network has evolved well beyond a connectivity service as it touches every IT device within an enterprise, that being computing, storage, video surveillance cameras and soon facility environmental systems such as HVAC and lighting.  With this sprawl networking’s value has increased by integrating security services, power distribution services, mobility, teleworking, unified communications, video services, virtualization services and application delivery services.  In fact, the boundary between computing, networking and storage has been blurring with traditional demarcations soon to be redefined.  All major IT industry initiatives are now based upon the network platform such as web 2.0, social networking, SaaS and cloud computing.  Gone are the days when innovation such as new features to an operating system took the industry by storm.  Today’s IT market is rooted in the networked world.</p>
<p>The unique characteristic of the network platform is flexibility, that is the ability for it to deliver business value unique to every corporation.  The key aspect of the network platform is that many of the new web 2.0-based applications can be deployed from the bottom up versus top down.  Business and departmental managers can easily deploy enterprise-based social network tools to keep employees updated as to project status, for example.  IP video including desktop video, video on-demand and telepresence has become an important new IT tool to most organizations, which is now easy to use as it’s linked into UC solutions.   These new attributes of the network platform (web 2.0, social networking, SaaS, cloud computing, etc.) will be rapidly deployed during this business cycle as they deliver results and a new IT delivery model. </p>
<p>So what kind of IT projects will address the post-crash corporate initiatives? Those that automate and improve business processes. For example, collaboration solutions that allow organizations to be more responsive to market dynamics by enabling speed and scale of executive decisions and implementations will be most useful. Collaboration solutions based upon the network platform which includes social networking, video and unified communications reduce organizational cost and increase productivity. IP video or telepresence for example, reduces travel cost significantly but more importantly increases decision making and adds value to business process. Unified communications solutions are well understood by the vendor community and can be implemented within months so that organizations can benefit from both reduced cost of communications, but most importantly increased productivity for all aspects of corporate operations, by linking employees, partners, suppliers and customers together, increasing corporate flexibility and hastening decision making.</p>
<p>The role of the IT leader is to review IT opportunities and filter them through the attitudes and initiatives of executive management.  As this process of “search for corporate efficiency” takes hold throughout the world economy, many will look back and realize that IT based upon the networked business platform led the economy out of this funk. </p>
<p>And that’s why I believe in IT.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/12/lippis-report-116-i-believe-in-it-it-was-the-problem-in-%e2%80%9901-now-it%e2%80%99s-the-solution/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Special Edition Lippis Report on Network Security Issue 6: A Rational Approach to Data Loss Prevention</title>
		<link>http://lippisreport.com/2008/11/special-edition-lippis-report-on-network-security-issue-6-a-rational-approach-to-data-loss-prevention/</link>
		<comments>http://lippisreport.com/2008/11/special-edition-lippis-report-on-network-security-issue-6-a-rational-approach-to-data-loss-prevention/#comments</comments>
		<pubDate>Thu, 27 Nov 2008 13:49:10 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=1220</guid>
		<description><![CDATA[<p>While the global economy slows down, network security spending continues to be robust as business and IT leaders seek to protect corporate assets and achieve compliance, thus avoiding a major distraction at a time when market focus is needed most.…</p>]]></description>
			<content:encoded><![CDATA[
<p>While the global economy slows down, network security spending continues to be robust as business and IT leaders seek to protect corporate assets and achieve compliance, thus avoiding a major distraction at a time when market focus is needed most. The largest corporate security vulnerability is data loss, and it’s getting harder to protect against. Here’s why.</p>
<p>The concept of work has changed significantly in the last decade. Gone for good are the days of nine-to-five working hours spent in a headquarters facility. The modern concept of work is based upon anywhere and anytime electronic collaboration as computing and networking have gone mobile. Laptops and smartphones allow work to be done everywhere, and work means sharing data and information from every place work happens to occur. Therein lies the rub: with greater work flexibility comes greater vulnerability to data loss. Employees are encouraged to share information and spread it freely between those with a need to know, but this comes with risk, as information, potentially even customer information, is intellectual property that becomes more vulnerable as employees work in the field and remotely.</p>
<p>But protecting data is not limited to mobile employees; it extends to all employees regardless of where they work. For example, compliance with regulatory requirements, presidential directives and legislative initiatives requires business and IT leaders to protect against data loss or face significant penalties. Business and IT leaders need workable strategies to protect their intellectual property and customer data. The problem with implementing a data loss prevention solution is that data is everywhere, and so too are vulnerabilities and harsh consequences. For example, details of 25 million child benefit recipients were lost after two discs containing the data were sent from HM Revenue and Customs to the National Audit Office (NAO) but never arrived. The data included details of millions of bank accounts. In another example, confidential records from more than 40 global businesses were stolen and stored on an unprotected server by a Russian cyber thief. The files came from Germany (621), France (322), India (308), Great Britain (232), Spain (150), Canada (86), Italy (58), the Netherlands (46), and Turkey (1,037), among others.</p>
<p>It gets worse. Consider the following statistics:  </p>
<p>70% of IT leaders say the use of unauthorized programs results in as much as half of data loss incidents. </p>
<p>44% of employees share work devices with others without supervision.  </p>
<p>39% of IT leaders said they have dealt with an employee accessing unauthorized parts of a company’s network or facility.  </p>
<p>46% of employees transfer files between work and personal computers.  </p>
<p>18% of employees share passwords with co-workers. That rate jumps to 25 percent in China, India, and Italy. </p>
<p>Data loss incidents are usually high-profile embarrassments with large consequences, such as the Eli Lilly executive who inadvertently sent confidential M&#038;A documents to a NY Times reporter, costing the company tens of millions of dollars as the reporter wrote about the deal before an agreement had been signed. An Ohio State University administrator inadvertently e-mailed an attachment containing faculty and staff Social Security numbers to hundreds of students. A rogue Kaiser Permanente employee cut and pasted personal patient information into a blog in a successful effort to trigger a HIPAA violation and penalty. In the UK a hospital reported a staff member losing a USB memory stick which contained the medical records of 4,000 patients. The largest records storage management company, Iron Mountain, lost a GE Money back-up tape containing 230 different retailers’ customer information, including Social Security numbers and credit cards. All told, the unencrypted tape contained information on approximately 650,000 customers and held Social Security numbers for 150,000. GE Money is paying for a year of credit monitoring services to help protect those whose Social Security numbers were compromised. And everyone remembers TJ Maxx’s wireless LAN breach, where 45 million customer credit card numbers were stolen and used to buy over $8 million worth of merchandise.</p>
<p>Incidents like the above are difficult in good times and can be catastrophic in bad economic cycles, when they only give customers pause about spending with your company. Clearly businesses are not the only entities vulnerable; governments and their agencies are too. Not all data loss is intentional; accidental loss occurs as well, unfortunately with the same consequences. Further, data loss is not just the loss of electronic information but also the loss of information contained in physical documents or portable storage media, all of which need protection as well.</p>
<h3>What is Data Loss Prevention? </h3>
<p>So what is data loss prevention or DLP?  It’s a business problem that starts with the concerns of executive management about intellectual property and customer information being lost or stolen.  For many business leaders DLP is intellectual property protection, avoidance of unwelcome media coverage of a security breach and regulatory compliance assurance.  DLP discussions usually start with executive management, in order to understand data loss concerns which leads to a comprehensive DLP strategy.  A DLP strategy does not include just one technology; to mitigate data loss risk a successful DLP strategy needs to include people, process, and technology.  A DLP strategy is about educating and managing employee behavior, then using policy to enforce that behavior which is accomplished via security technology.  </p>
<p>From a risk perspective, most executives think of DLP in terms of communication channels such as e-mail and web, and of devices such as end-points, USB sticks and unencrypted backup tapes. Another way to think about DLP is as protecting data while in motion, while at rest on storage media, or while in use on end-points and portable storage devices such as USB sticks, iPods, MP3 players, etc. All of these areas of risk need to be mitigated and assessed from a regulatory compliance perspective, such as HIPAA, GLBA, PCI, Basel II, etc.</p>
<h3>A Governance Philosophy of Non-Disciplinary Communications </h3>
<p>In addition to DLP technical solutions, addressed below, governance and corporate culture play a large part in a DLP mitigation strategy. Changing behavior is difficult without a significant event, such as those some of the firms mentioned above have experienced. The risky behavior statistics cited above will not change overnight, but one approach has proven helpful. Educating employees about the dangers and risk of data loss is an important step in its prevention. Instilling a culture of non-disciplinary communications between employees and IT, where employees feel comfortable reporting a real or potential data loss to IT, is a huge step in containing damage when it occurs. The quicker the data loss is identified, the quicker its damage can be contained. The reality is that data is going to get out. With all the data that flows throughout a corporation on a daily basis, there will be an accidental case periodically. The larger problem for business and IT leaders is when employees are fearful about acknowledging their mistakes and don’t sound an alarm; then all of a sudden business and IT leaders find their company in the news, in damage control mode and answering uncomfortable questions from regulators.</p>
<h3>Two Technical Approaches to DLP </h3>
<p><strong>The DLP Overlay Approach </strong></p>
<p>DLP technology is based upon content-level inspection which is fundamental to the DLP overlay and network-based approaches presented here.   The DLP overlay is based upon IT identifying content it needs to monitor and the DLP overlay does so at every point in the IT infrastructure to prevent data loss.  DLP overlay solutions provide large amounts of information concerning how data is used and is thus effective at protecting against accidental data loss.  But DLP overlays have to be used in conjunction with other data security technology to protect against all types of data loss such as accidental, negligent, data theft, identity theft, etc.   Therefore, DLP overlay delivers auditing and compliance in respect to monitoring specific content throughout the network, but it ultimately cannot solve the business problem of data loss prevention unless it is paired with other security technology. </p>
<p>Over the past several years firms such as Vontu and Reconnex, which have been acquired by Symantec and McAfee respectively, specialized in the overlay approach.  But these overlay solutions are complex, require too much time to deploy and are costly to manage; many business leaders realize that the overlay approach cost them $10.00 to protect $5.00 worth of data.  In short, the DLP overlay is an additional layer of content security on top of an existing security infrastructure.  As a result few DLP providers are still in business as IT and business leaders recognize that DLP needs to be implemented as part of a broader system rather than a point solution for larger enterprises.  The question is what kind of broader system? </p>
<p><strong>The Network-Based DLP Approach </strong></p>
<p>McAfee, Symantec and others believe that DLP is a separate security system while others such as Cisco believe that data loss is best mitigated by understanding what data needs to be protected, and then leveraging the network to prevent data loss as the network touches every IT asset.  In short Cisco believes that DLP is best achieved by leveraging existing investments in network infrastructure, which already contains key security technology which mitigates data loss.  For example, a strong security network contains web application firewalls, VPN, Network Admission Control (NAC), data link encryption and extensive security for data in motion with technologies such as TrustSec.    </p>
<p>By examining DLP from a risk perspective, and integrating content analysis plus targeted data security into the network fabric, data protection within all communication channels is achieved, providing the broadest defense against loss. For the above-mentioned content analysis, Cisco has recently acquired IronPort, an e-mail security concern, which allows Cisco customers to implement content-aware policy within security technology in an effort to prevent unauthorized e-mails from being sent out of their corporation. Its Cisco Security Agent (CSA) likewise offers a way to prevent unauthorized documents, data and applications from being copied to USB sticks and other personal data storage devices, in a single end-point security solution.</p>
<p>The network-based DLP approach is an efficient and reasonable way to achieve data loss prevention.  The network approach to DLP allows IT leaders to measure risk by identifying its most valuable data and then creating the right strategy to prevent data loss. In addition data security policy is augmented while providing content monitoring and inspection over high-risk channels in the network. This affords a broad approach to DLP as every corporation has unique data loss vulnerabilities it needs to mitigate.  </p>
<p>The network-based DLP approach is comprehensive and does not require a large capital outlay; nor does it increase operational spend for its management as the overlay approach does. In short, DLP controls are distributed throughout the network infrastructure, with data loss prevention achieved by configuring existing networking devices, turning on features, adding policy rules, and taking advantage of new security features added to existing network products and appliances. Network infrastructure policies can be changed to address different risks with different profiles, all within the existing network. For example, web application firewalls are not addressed by many DLP strategies, yet web applications are the most compromised. When hackers get through the web application firewall to a back-end credit card database, a company will find itself in a nightmare scenario. A network-based DLP approach addresses the widest range of risk with the tools to lock data down.</p>
<p>Enforcing content policies at high-risk points is an effective data loss defense, which is very useful for auditing and accidental loss control. For example, content filtering of e-mail, web traffic and end-point devices ensures that accidental data loss is mitigated. With content filtering, Outlook mail may notify a user that he/she tried to send an e-mail to the wrong person and that it contained Social Security numbers. Or content enforcement over the e-mail channel may notify the user that the e-mail they are sending contains Social Security numbers, which are not supposed to be sent externally, thus providing a strong warning to prevent data loss. Putting content enforcement over channels where employees can easily leak information is an important aspect of a network-based DLP strategy of risk mitigation. Cisco, for example, has integrated content enforcement into security devices rather than forcing customers to buy a separate device to monitor e-mail.</p>
<p><strong>Reasonable Steps To Maximize Data Loss Prevention </strong></p>
<p>Data loss events are increasing thanks to today’s mobile corporate environment, which offers many ways to lose data.  For large global and multi-national firms, there are different social, cultural and business practices in various countries that need to be factored into a DLP solution.  In addition, in today’s global economy many business leaders do not have the patience or the budget to undergo a large complex and costly DLP overlay project.  The network-based approach to DLP offers a wide range of defenses and solutions to mitigate data loss while leveraging existing network infrastructure and personnel investments.  </p>
<p>We offer the following considerations to develop a network-based DLP implementation. </p>
<p><strong>Identify Data Loss Risks:</strong>  Business and IT leaders should identify data loss risk and associated liability.  This is perhaps the easiest part of DLP, as high visibility data loss scenarios are straightforwardly identified.  Working together, business and IT leaders with their strategic network vendor should identify all the risk scenarios that are of concern.  This includes data at rest, in motion and in use as well as regulatory compliance requirements for data and applications.   Consider communication channels such as e-mail, web, remote access, personal data storage such as USBs, mobile devices, lost or stolen laptops, physical security such as building access, and data resident on physical assets too, which if lost or stolen would constitute a security breach of intellectual property and/or customer data.   </p>
<p><strong>Network-Based DLP Planning:</strong> With data loss risk scenarios identified, IT leaders can now review their network infrastructure to assess its ability to mitigate these liabilities. Two important network-based DLP areas for IT leaders to focus on are e-mail and storage. Clearly large firms have deployed switches, WLANs, firewalls, routers and remote access network infrastructure devices. But have Network Admission Control and TrustSec been turned on? These are two important DLP network features providing authorized access to data and network encryption protecting data in motion, at rest and in use. Content enforcement of e-mail via the network mitigates both unauthorized and accidental data loss from e-mail systems. Other considerations are the network’s ability to provide remote access via SSL VPN, ensuring that remote connections are encrypted, or ensuring that remote desktop applications are cleared of confidential information after use, mitigating specific data loss scenarios. There are numerous opportunities for data loss; IT leaders can close these vulnerabilities by leveraging their network.</p>
<p><strong>Employee Data Loss Prevention Training/Education:</strong>  IT leaders are encouraged to develop training that sensitizes employees to risky behavior.  Many may not view their behavior as risky.  Usually it’s not until events such as those presented earlier take place that employees fully understand the risk that they put their corporation in with password sharing, accessing unauthorized applications, sharing computers, transferring files between home and work computers, etc.  Boundaries and acceptable use policies on better data usage are often viewed favorably, as most employees are good corporate citizens.  </p>
<p><strong>Data loss governance: </strong> Consider a corporate culture that encourages employees to inform managers and IT leaders of a data loss without incrimination.  This will allow IT to react quickly to data loss, contain damage and even potentially avoid its consequences.  </p>
<p>Most IT leaders are concerned about losing data over personal storage devices such as USB sticks and through email systems.  A good DLP solution needs to provide strong risk mitigation solutions to these two concerns plus additional risk scenarios identified by business and IT leaders.  The global economy is entering a difficult cycle, which can be made worse with the high profile visibility associated with data loss security breaches.  The opportunities for breaches are increasing as corporations have expanded the diameter of their business processes and operations thanks to mobile devices and remote access network solutions.  The network-based approach to DLP offers a rational method that expands data loss defense options by leveraging existing investments in network equipment and skilled personnel.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/11/special-edition-lippis-report-on-network-security-issue-6-a-rational-approach-to-data-loss-prevention/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Lippis Report 115: The Managed Empowered Branch Service Model Emerges</title>
		<link>http://lippisreport.com/2008/11/lippis-report-115-the-managed-empowered-branch-service-model-emerges/</link>
		<comments>http://lippisreport.com/2008/11/lippis-report-115-the-managed-empowered-branch-service-model-emerges/#comments</comments>
		<pubDate>Mon, 17 Nov 2008 23:52:29 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=1161</guid>
		<description><![CDATA[<p>A confluence of powerful macro-economic and industry trends are building upon each other, creating a perfect storm for managed services in branch offices.  This storm is so powerful that it’s creating a window of opportunity that never existed before to…</p>]]></description>
			<content:encoded><![CDATA[
<p>A confluence of powerful macro-economic and industry trends is building, each upon the other, creating a perfect storm for managed services in branch offices. This storm is so powerful that it’s creating a window of opportunity that never existed before to change the demographic of the role managed services plays in the provisioning and management of branch office networks. There are multiple inputs that make up the perfect storm. First, the current macro-economic climate has prompted edicts from business leaders to reduce operational spending, requiring IT leaders to review all IT project financing options and question what aspects of IT are core to the business versus contextual. Then there is the networking technology of branch offices, which has increasingly integrated services such as security, mobility, communications and applications into one hardware platform, allowing service providers to offer a range of branch office managed services well beyond connectivity. Factor in that there are thousands of service providers now offering managed branch office services and you have the formation of the perfect storm and a serious deployment option IT leaders now have to review.</p>
<p>With a focus on operational cost reduction and a means to finance branch office deployments without capital cost and its effect on increasing operational cost through depreciation and IT staff, many IT leaders will find the new managed branch office services welcome news.  Some facts will help focus the mind, according to Nemertes’ Branch Unified Communications 2008 Benchmark:</p>
<ul>
<li>The number of new branch openings has been growing at 6.8% per year; this includes data from the fall of 2008</li>
<li>90% of new employees work in branches</li>
<li>93% of organizations are centralizing their infrastructure</li>
<li>91% spend some or all of their time working away from headquarters</li>
<li>Organizations spend 31% of their IT budget in the branch</li>
<li>Only 15 percent of branches have IT staff on-site</li>
<li>63% of organizations utilize or plan to utilize managed services in some of their branches today</li>
<li>For those that use managed services they extend the service to 89% of their locations realizing the strategic value it offers</li>
</ul>
<h3>Branch Office Network Constraints</h3>
<p>All these facts point to the growing demand for branch office deployments and the realization that business application delivery for many IT leaders has become data center and branch office focused. While application placement ebbs and flows between data center and branch or centralized versus distributed, one thing is clear: branch office deployment cost will continue to grow because that’s where the people are now.  Delivering business innovation to branch office locations has always been challenging with few, if any, IT personnel on site plus limited and inconsistent application and service delivery and widely varying technology deployment including inconsistent WLAN, security, local storage and servers, backup, etc. services among and between branches.  But even with these constraints branch office employees demand the same level of service available at headquarter facilities and more. With video conferencing, web 2.0 plus collaborative applications in demand, should IT leaders focus on connectivity or value added applications?  </p>
<p>To mitigate these constraints IT leaders now have an option to accelerate the absorption of business innovation and focus on business applications with managed branch office services delivered by service providers, harnessing the power of Cisco’s Empowered Branch solution.   IT projects always increase operational cost with depreciation and staff salaries.  In the current difficult macro-economic scenario managed services trades off capital and its associated depreciation cost while capping salary and facilities cost into predictable manageable quantities.   IT leaders understand this value as more and more have been buying managed services, which is currently a $34B industry projected to grow to $65.5B by 2012, an 18% CAGR between 2007 and 2012 according to Ovum.  That’s more than twice the CAGR of the IT industry’s 8%.</p>
<p>As business and IT leaders have grown savvier by allowing business to drive their technology strategy versus the other way around, for some the maintenance and management of branch office networks can be outsourced to service providers allowing IT to focus on projects which are core to business operations.  This shift allows IT leaders to focus on increasing innovation absorption in the branch such as video and unified communications, which offer competitive advantages through increased customer service.  Further, with the large footprint or geographic coverage of service providers IT leaders can roll out services to hundreds or thousands or even tens of thousands of branch offices much more quickly than with in-house staff allowing a corporation to obtain operational efficiency results faster, which is a paramount concern today among business executives: get results in scale and at speed, fast!</p>
<h3>Time To Review Branch Office Operations</h3>
<p>For those who have not reviewed their branch office deployments in some time, they will find that network complexity is increasing their operational cost and making them less competitive.  In short, network complexity is inflationary to operational cost.  Network complexity increases when deploying different supplier solutions or appliances for every new IT service needed in the branch such as mobility, unified communications, security, LANs, fax machines, video surveillance, etc.  An empowered branch that consists of a single integrated device such as the Cisco ISR (Integrated Services Router) has been proven to reduce operational spend between 50 and 70% thanks to its efficient deployment model of provisioning a wide range of IT services in a consistent manner to many branch offices. </p>
<p>In fact the ISR is the most widely used branch office network platform with over 5 million in production.  The platform approach not only reduces corporate spend but offers energy efficiency through state-of-the-art power supplies plus environmental sustainability thanks to the elimination of multiple pieces of hardware into one with a reduced eco-footprint.  With a branch office network platform that has a 5-to-7 year lifespan, IT leaders are assured that new services will be offered thanks to continual platform investment enabling their business to adopt innovation quickly without rolling out new hardware per branch.</p>
<h3>The Managed Empowered Branch Service Model Emerges</h3>
<p>Most business and IT leaders select to envision, design and deploy their own branch office network, as control, innovation absorption pace and security are high on their list of decision factors.  But three out of every ten business leaders select to use managed branch office services and this number will only increase as the number of managed service offerings increase based upon Cisco’s Empowered Branch Solution.   Service providers used to lag Cisco in the products and features offered, but this gap is closing.  Managed service providers are bringing together routing, switching, integrated security, mobility, application performance and unified communications into their managed branch offerings at a pace comparable to in-house staff capabilities. </p>
<p>Service providers such as Verizon, TELUS, Cybera, AT&#038;T, NTT, Orange, T-Systems, Alestra, Telefonica, Cable &#038; Wireless, Telstra and many others are now offering Managed Empowered Branch Services around the world that start with a managed wide area connectivity service but are capable of offering the above services.  This is a first in the industry as service providers were forced to deploy new hardware for every new service added to a managed service offering. For example, Verizon’s Managed ISR service offers a suite of five services that are delivered in any combination, one-by-one or all together.  Verizon deploys a single fully provisioned ISR in the branch capable of delivering all five offerings which are provisioned remotely upon IT’s order.   </p>
<h3>Accelerating Innovation Absorption</h3>
<p>With Empowered Branch Managed Services, IT leaders will be well positioned to take advantage of new connectivity services such as 3G wireless and SIP trunking too.   While 3G offers an alternative and diverse route for network traffic, SIP trunking offers lower facilities cost as analog voice lines are consolidated, along with improved inter-company connectivity, better dial plans and much more.  And that’s good news as the number of SIP trunks being consumed is skyrocketing to nearly 3m lines in 2008 with a projected 54% CAGR between now and 2012 according to Frost &#038; Sullivan.  With 300 or so service providers offering an Empowered Branch Managed service based upon Cisco’s branch office platform, 3G, SIP trunking, extended analog to IP connectivity, application recognition and control plus end-to-end application performance visibility are being enhanced on the platform and are available from Cisco’s managed service providers.  Therefore, the innovation absorption gap between in-house staff and service providers is closing.</p>
<p>Cisco’s new ISR 880 supports both 3G wireless networking and SRST (Survivable Remote Site Telephony), which gives the ISR portfolio some breadth.  A fixed form factor, 3G-enabled router is something for which Cisco customers, especially smaller branches and businesses, have been asking.  Many corporations have been seeking the ISR 880 as it now collapses 3G and SRST into a single box solution.  With SRST on this platform, branch offices are offered analog voice ports for redundancy and business continuity, plus SRST supports 911 service too.   </p>
<p>For SIP trunking, the ISR includes CUBE or Cisco Unified Border Element version 1.3.   CUBE is what Cisco uses to enable SIP trunking on all its platforms.  CUBE version 1.3 adds extensive SIP trunking support features, including a strong focus on deep interoperability.  The ISR 880 platform and all of the Cisco ISRs have a rich set of SIP capabilities that enable SIP trunking, which is well timed with the SIP market well underway. SIP trunking is another service managed service providers can layer into their multi-service offerings, and it’s one that almost every corporation will consume as SIP trunking is the new dial tone option in the IP world. </p>
<p>The Empowered Branch option allows IT leaders to capture and deploy innovation without additional hardware or expansion of the branch office IT footprint.  What is different now in the market is that corporations that deploy innovative branch solutions via a Managed Empowered Branch offering can be on the leading edge with a service provider, meaning that corporations are not going to be trailing the market by 9 to 12 months in terms of branch office solution innovation.  In the past service providers were 24-plus months behind those that built their own branch office solutions.  This is no longer the case, and it’s important especially in today’s economy where the time to deliver value back to an organization has collapsed.   Initiatives identified by executive management are required to be implemented in scale and without delay to gain value quickly.  Speed is paramount and Managed Empowered Branch offerings have both narrowed the innovation gap and are best positioned to deploy branch solutions in scale and at speed. </p>
<h3>Do Your Own Analysis</h3>
<p>This is a key attribute as the facts presented earlier paint a picture that corporations are expanding their sprawl in an effort to be closer to customers.  The managed empowered branch will reduce operational spend for most or re-structure operational expenses for others.  As these managed services are new, IT leaders are advised to perform their own three-year economic analysis to understand the impact on total cost of ownership and which deployment option best fits their business initiatives.</p>
<h3>A Word on IT Jobs</h3>
<p>During the current economic climate, reduction in force (RIF) is occurring and will potentially accelerate over the next two quarters.  In IT departments, operational staff is vulnerable during these cycles.  For IT professionals it’s important to be of high value by focusing on projects that are core to business operations and strategic initiatives.  Therefore, focus on projects that are contributing to core business initiatives, and if that means outsourcing to a service provider for items such as transport or unified communications, so be it.   In short, your projects need to be of high visibility and importance in your CIO’s mind.  If your projects are not viewed as core to the business, then you should consider making the case for a managed service so that your job can be re-focused on projects that contribute higher value to your corporation.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/11/lippis-report-115-the-managed-empowered-branch-service-model-emerges/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Lippis Report Issue 114: RIF + IT = Productivity Gains</title>
		<link>http://lippisreport.com/2008/11/lippis-report-issue-114-rif-it-productivity-gains/</link>
		<comments>http://lippisreport.com/2008/11/lippis-report-issue-114-rif-it-productivity-gains/#comments</comments>
		<pubDate>Tue, 04 Nov 2008 03:02:00 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=1124</guid>
		<description><![CDATA[<p>We continue to focus on the impact the macro economic scenario will have on the enterprise networks and communications industry.  I was shown the most frightening graph while I was at Morgan Stanley.  On one page it compared the economic…</p>]]></description>
			<content:encoded><![CDATA[
<p>We continue to focus on the impact the macroeconomic scenario will have on the enterprise networks and communications industry.  I was shown the most frightening graph while I was at Morgan Stanley.  On one page it compared the economic declines of 1973 and 1929 versus today.  It showed the S&#038;P, industrial production, inflation and jobless rate at the precipice described by Treasury Secretary Henry Paulson, Warren Buffett, et al.  Many business leaders believe the US government has done all it can and we are left to wait and see if the actions taken in October will help avoid a deep recession or worse.   I am probably like you, numb to the talking heads espousing a “chicken little” doctrine; but you can’t ignore reality.  The drop in S&#038;P is steeper than in 1973 and 1929 over a 12 month time frame, which spans six months before the beginning of those declines and the first six months into them.  This has created a cloud of caution among business leaders and prompted Reduction in Force (RIF) initiatives.</p>
<p><span id="more-1124"></span></p>
<p><img src="/wp-content/uploads/_1.jpg" alt=""  class="aligncenter" /></p>
<p>RIF causes many organizations to increase workload on existing employees.  In short, as corporations reduce staff, remaining employees are required to increase their workload.  Those business and IT leaders who view IT, and networking and communications in particular, as strategic will leverage IT to ensure that employees can increase productivity.  Productivity improvement will come not only in the short term by reducing expenses but over the long term as well by re-thinking business processes that exploit IT to allow a smaller workforce to consume the workload of a larger employee pool.  Business productivity increased in the last recession, and it will increase again now.   Business leaders can choose to guide their firms into a period of huge productivity growth on the order of 5 to 10% during this downturn as RIF is complemented with business processes automated through IT.   </p>
<p>There was good news in the 1973 and 1929 analog graph: industrial production, inflation and the jobless rate are in better shape now than during those two awful macroeconomic periods.  With unemployment at 6.1%, and projected to grow to 6.3% when October numbers are released during the week of Nov 3rd, IT leaders should be focused on developing IT strategies that review business process and workflow that increase corporate productivity.  There is no doubt that most executive management and corporate boards are focused on expense reduction initiatives, with RIF being one of their levers to pull.  In addition to reviewing business process with an eye toward efficiency by reducing human and system delay in workflow between employees, suppliers, partners and customers, IT leaders need to enable corporate operational cost and expense reduction across the board.   </p>
<h3>A Flight to Safety Among IT leaders</h3>
<p>An important point to remember and act upon is that IT suppliers went through a much worse economic period during the 2001 internet and telecom bust.  This is important as these firms have been through a much more difficult downturn and survived.  This means that IT suppliers are in a position to be a trusted advisor or business partner sharing best business practices with their customers as an important value add to the customer-buyer relationship. While 2009 IT budget projections are anywhere from -2% to as high as 5%, the industry will not know until January and February of 2009 when most IT budgets are approved.  There is no doubt that there will be a consolidation in the general economy and in IT as there will be a flight to safety among IT leaders.  This bodes well for companies such as Cisco, IBM, Microsoft, Oracle, HP, AT&#038;T, Verizon and many other large and financially secure IT firms.  Many IT firms have strong balance sheets as they avoided debt thanks to the post 2001-2003 dotcom bust where the winners were simply “The Last Man Standing”.  Smaller firms with innovative products which can be inserted into larger IT projects will also fare very well.  One company in particular is Arista Networks, which is an emerging leader in cloud networking. </p>
<p>In the switching and routing space Cisco, HP’s ProCurve, Brocade/Foundry and potentially Juniper should either thrive or just survive this downturn.  In the communications space Cisco, Microsoft, IBM, Citrix, Avaya, Alcatel-Lucent, Siemens, and Mitel should either thrive or just survive this downturn.  Avaya, Siemens and Mitel have the benefit of being private firms that have greater latitude to transition products and change management without being under the eye of Wall Street quarterly calls.  All of these firms survived the 2001-2003 IT depression and will have both economic and management strength to survive the crash of 2008. </p>
<p>Most of the above IT firms can be part of a business process review task force, which includes business process consultants, IT and business leaders plus strategic IT firms.  Most IT leaders will be selective on which business processes to review based upon their potential for operations and expense reduction.  Structured business processes such as financial reporting, supply chain management, customer resource management and customer support via contact centers are low hanging fruit that will deliver expense reduction, increased productivity and better customer experience.  Note that enterprise networks are the foundation of all IT projects and must not be ignored or have upgrades significantly delayed so as to reduce application performance. </p>
<h3>IT Projects That Deliver Corporate Productivity Gains</h3>
<p>We highlight a few horizontal IT projects that should be a part of any strategic IT initiatives for 2009.  IT project horizons will need to be short as few businesses will have patience to gain results that take a year or longer to deploy during 2009.   Short hits that reduce expense and increase productivity through business process efficiency will be the winners. </p>
<p><strong>Unified Communications with Web 2.0 and Collaboration:</strong>  Unstructured business process such as communications is also low hanging fruit which can add as much as 15% productivity to each and every employee through unified communications and collaboration tools, eliminating multiple voice mail boxes, IM accounts and making contacts, presence, call logs and email mobile.  Many unified communication platforms from suppliers such as Cisco, Avaya, Siemens, Microsoft, IBM, Mitel, NEC, Nortel, et al., are increasingly adding Web 2.0 services such as wiki, mash-ups, social networking tie-ins, blogs, video on-demand clips and web conferencing to take advantage of productivity gains afforded by collaboration.     </p>
<p><strong>Visual Networking: </strong> Demand for visual networking, an umbrella term that captures video conferencing, Telepresence, click-to-conference and IP video services, will skyrocket during this downturn.  As travel and training expenses are cut, business and IT leaders will turn to the new generation of visual networking products not only as a means to reduce travel cost but also to hasten business process by allowing groups to communicate visually in an effort to move workflow quickly.  GE just purchased a set of Telepresence systems, and talking with some of their business leaders you come to the conclusion quickly that visual networking not only pays for itself with travel cost reduction but improves business productivity, which is just what businesses need now. </p>
<p><strong>Cloud Computing:</strong>  While cloud computing and networking are in the early stage of market acceptance, it could not have come at a better time. According to a 2008 paper published by IEEE Internet Computing &#8220;Cloud Computing is a paradigm in which information is permanently stored in servers on the Internet and cached temporarily on clients that include desktops, entertainment centers, table computers, notebooks, wall computers, handhelds, sensors, monitors, etc.”  In short, cloud computing is a model where corporate applications and communications are not resident on desktop, laptop or smart mobile end-points, but offered as a service in the “cloud” or in the internet.  What is significant about cloud computing is that it offers a new IT delivery model and economics.  Gone are the days of supporting applications for every end-point and managing its hot-fixes and upgrades plus funding its helpdesk.  Companies such as Google, Amazon, Salesforce.com and other SaaS providers are offering cloud computing services and their numbers are growing.  Cloud computing offers a new economic model for IT that requires very little capital investment to deploy and scalable cloud applications which do not beef up operational cost with depreciation.  Again, this is an IT model for this economy. </p>
<p><strong>Data Center Consolidation and Virtualization:</strong>  Data centers are the largest IT budget item and are the focus of many IT leaders as they look to reduce their own expenses.  Consolidating the number of data centers while increasing capacity within a smaller footprint via virtualization and reducing energy consumption via Green initiatives are all winning projects today.  Outsourcing legacy computing is booming right now as IT leaders look to take depreciation expense off their books and exchange it for a manageable expense. </p>
<p><strong>Branch networking and Teleworking:</strong>  As data centers consolidate and become virtualized, branch office and teleworking solutions represent the new sprawl of corporate employees.  Teleworking reduces real estate requirements and allows employees to be more productive as well as reduce their own spending on energy traveling back and forth to an office.  Branch offices allow corporations to be close to customers, a very good strategy for today’s economy.  IT application delivery to branch offices can be centralized in data centers, allowing complexity and cost to be contained and managed. </p>
<p>2009 will be a challenging time.  If there was ever a moment when corporations needed IT leaders, it’s now.  Now is the time to be engaged with executive management to ensure that IT is not an expense but a strategic enabler of corporate initiatives.  IT will be challenged by business line managers who will be short on patience for new services and executive management who need their initiatives implemented quickly.   IT leaders will flock to the safety of the most secure IT suppliers and lean on them for rapid deployment of cost saving projects.  While there will be RIF, don’t let employees burn out with workloads they cannot sustain; you have to deliver IT solutions to help them be more productive.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/11/lippis-report-issue-114-rif-it-productivity-gains/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Lippis Report 113: IT Will Lead The Economy Out of This Funk</title>
		<link>http://lippisreport.com/2008/10/lippis-report-113-it-will-lead-the-economy-out-of-this-funk/</link>
		<comments>http://lippisreport.com/2008/10/lippis-report-113-it-will-lead-the-economy-out-of-this-funk/#comments</comments>
		<pubDate>Mon, 20 Oct 2008 20:34:20 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=1090</guid>
		<description><![CDATA[<p>While it looks like the US economy has averted the Great Depression 2.0 scenario, business leaders are preparing for what now seems to be a slow motion downturn to a deep and potentially long recession.  All eyes and ears will…</p>]]></description>
			<content:encoded><![CDATA[
<p>While it looks like the US economy has averted the Great Depression 2.0 scenario, business leaders are preparing for what now seems to be a slow motion downturn to a deep and potentially long recession.  All eyes and ears will focus on this quarter’s earnings reports, unemployment numbers, rate of credit market thaw and stock market volatility. Special focus will be on the $1T of consumer credit, looking for signs of much larger than normal defaults as the next shoe to drop.  But a $10T valuation loss on the Dow, unemployment at 6.1% and 10,000 home foreclosures a month (both of which are climbing fast) leave little room for optimism unless you’re Warren Buffett, who’s buying depressed equities.  With 70% of the economy based upon consumer spending it’s easy to see how double digit unemployment levels and consumer credit defaults, which increased 54 percent in Q208 from Q207, according to the Federal Reserve, add doubt to a V-shaped recovery scenario.  Consumer credit defaults at 7% will be a drag on economic recovery as it’s estimated to reach $100B in 2009.  What an awful macroeconomic scenario.  But there is a bright spot; IT can and for some will lead the economy out of this funk.</p>
<p><span id="more-1090"></span></p>
<p>Based upon discussions with many business and IT leaders I find that this quarter’s budgets are on track, but visibility becomes cloudy thereafter.  A cautious spending attitude has disseminated over business and IT leaders, but caution is not despair or cuts.  Morgan Stanley’s June CIO survey estimated that IT budgets were projected to grow between 5 and 7% in 2009.  At the October Gartner Symposium conference IT spending was projected to grow at 2% in 2009. The bottom line here is while the macro economy will take some time to improve and may very well contract more before it recovers, IT budgets will not crash like they did during the internet bubble burst of 2000.   </p>
<p>First there has always been a segment of business leaders who value IT as strategic and others who view it as an expense.  These two schools of thought will become more entrenched in their thinking during this business cycle.  Those who view IT as strategic will gain competitive advantage while those who view IT as an expense will make cuts and suffer the consequences.  Now is the time more than ever for CIOs to take a leadership role within their corporations.  No one, not even Chairman Greenspan, estimated that corporate productivity would grow between 3 and 5% between 1997-2004.  IT was the major contributor to this huge economic expansion.  This business cycle will present CEOs and CIOs with an opportunity to increase corporate productivity by 5 to 10% with the strategic use of IT. </p>
<p>How can corporations grow productivity by 5-to-10% with IT during a deep and long recession?  The answer is to use IT to enable corporate top initiatives.  If CIOs go to executive management with a plan to increase productivity by 1%, then they will be viewed as an expense.  But if IT leaders and CIOs go to executive management with a plan to address the corporation’s top five initiatives, be they entering adjacent markets, reducing operational cost, increasing productivity, combining infrastructure between merged entities, increasing efficiency in business process, etc., with a goal of increasing productivity by 5 to 10% then IT and the CIO are strategic.  The more IT leaders take this role and responsibility the more that IT will lead the economy out of its current funk. </p>
<p>Clearly IT will not help a family from being foreclosed upon or avoid consumer credit defaults or grease the skids for banks to lend to each other or stop the stock market volatility.  The 2008 crash and subsequent economic damage is done; the real question is how to contain it and recover.  Productive corporations don’t have massive layoffs and are stability points in an unstable economic environment.   The more productive corporations there are, the more stable the economy.   </p>
<p>Clearly business priorities have changed since the market crash, from revenue, profit and productivity growth initiatives just a few months ago to a new set of imperatives.  These initiatives will vary from board to board but the main thrusts among business leaders are: </p>
<p><strong>Increase Organizational Flexibility: </strong> During highly volatile and uncertain times, business leaders are looking for ways to increase their organization’s flexibility and responsiveness to market and customer dynamics.  </p>
<p><strong>Increased Speed and Scale of Corporate Capabilities:</strong>  Market dynamics and changes occur much faster than in previous market cycles, forcing business leaders to make and implement decisions at speed and in scale.  For example, as the economy contracts the pace of mergers and acquisitions will increase significantly, requiring business leaders to move at the pace set by Jamie Dimon of JP Morgan or Ken Lewis of Bank of America.   </p>
<p><strong>Enable Cost Cutting Throughout The Entire Organization: </strong> Business leaders will be looking for intelligent cost cutting strategies throughout their entire organizations as the economy contracts and spending slows.   </p>
<p>IT leaders need to listen to and understand the attitudes and priorities of their CEOs.  As the above initiatives are articulated, an obvious result will be that large IT projects that take a year or more to implement, such as multi-year ERP implementations that consume excessive IT labor, will be off the table, and IT project focus will shorten.  Less important items such as desktop computer refresh rates will slow.  We offer the following guidance to IT leaders: </p>
<p><strong>Pick and Choose Big Productivity Wins:</strong> IT leaders are encouraged to review which corporate areas will contribute to highest productivity gain and be most cost effective. </p>
<p><strong>Be An Enabler:</strong>  IT leaders need to embrace the new CEO initiatives and be a partner to increase flexibility, scale and speed and reduce operational cost.  </p>
<p><strong>Lead The Cost Cutting Initiative:</strong>  IT leaders have a large role to play in organizational cost cutting.  Work with business leaders to review existing business processes and create new more streamlined ones.  IT has always enabled increased productivity while keeping headcount low; this is the time to put that attribute to work most effectively.   </p>
<p>The IT industry, that is vendors, knows all too well how to contribute and add value to these corporate initiatives.  The industry learned during 2001-2004 that to survive it needed to add value that was cost justified.  IT vendors have a lot to offer business leaders on the topic of how to survive and thrive in major market downturns.  The organizational learning that took place within IT companies during the IT depression of the early 2000s will be put to good use for corporations pursuing the above initiatives.   </p>
<p>So what kind of IT projects will address the post-crash corporate initiatives?  Those that automate and improve business processes.  For example, collaboration solutions that allow organizations to be more responsive to market dynamics by enabling speed and scale of executive decisions and implementations will be most useful.  Collaboration solutions based upon the network platform, which includes video, unified communications and communications-enabled business processes, both reduce organizational cost and increase productivity.  IP video or telepresence, for example, reduces travel cost significantly but more importantly speeds decision making and adds value to business process.  Unified communications solutions are well understood by the vendor community and can be implemented within months so that organizations can benefit from both reduced cost of communications and, most importantly, increased productivity for all aspects of corporate operations, by linking employees, partners, suppliers and customers together, increasing corporate flexibility and hastening decision making. </p>
<p>There are other IT projects that will offer cost cutting and increased productivity such as virtualized data centers, cloud computing, enterprise-based social software and networking, etc.  The role of the IT leader is to review these IT opportunities and filter them through the attitudes and initiatives of executive management.  As this process of “search for corporate efficiency” takes hold throughout the world economy, many will look back and realize that IT led the economy out of this funk.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/10/lippis-report-113-it-will-lead-the-economy-out-of-this-funk/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Special Edition Lippis Report on Network Security Issue 5: Deploying Teleworking Solutions in Scale: Part 2</title>
		<link>http://lippisreport.com/2008/10/special-edition-lippis-report-on-network-security-issue-5-deploying-teleworking-solutions-in-scale-part-2/</link>
		<comments>http://lippisreport.com/2008/10/special-edition-lippis-report-on-network-security-issue-5-deploying-teleworking-solutions-in-scale-part-2/#comments</comments>
		<pubDate>Mon, 06 Oct 2008 19:36:14 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=1066</guid>
		<description><![CDATA[<p>In Part One of Deploying Teleworking Solutions in Scale we discussed business and IT problems plus the benefits of teleworking.  Here we provide business and IT leaders with an architectural view of today’s teleworking solutions that scale to home and…</p>]]></description>
			<content:encoded><![CDATA[
<p>				<script> jQuery(document).ready(function($) { $.post("", {lippis_social_buttons_ajax: "true", lippis_social_buttons_url: "http://lippisreport.com/2008/10/special-edition-lippis-report-on-network-security-issue-5-deploying-teleworking-solutions-in-scale-part-2/", lippis_social_buttons_post_id: "1066"});}); </script>In Part One of Deploying Teleworking Solutions in Scale we discussed business and IT problems plus the benefits of teleworking.  Here we provide business and IT leaders with an architectural view of today’s teleworking solutions that scale to home and small office environments.  These environments may be home workers, call center agents working from home, small branch offices equipped with a few people, small retailers, etc.   </p>
<p><span id="more-1066"></span></p>
<div class="pod_wide">
<p><img height="70" width="55" src="/wp-content/uploads/whaley.jpg" alt="Michael Whaley, our podcast guest"  /><strong>American Century Investments Invests In Cisco Virtual Office Solution</strong></p>
<p><a href="/?lippis_pid=1049">Listen to the Podcast</a></p>
</div>
<p>Today’s teleworker solutions provide many benefits as described in <a href="http://lippisreport.com/2008/09/special-edition-lippis-report-on-network-security-issue-4-deploying-teleworking-solutions-in-scale-part-1/">Part One</a> of our series.  But teleworking solutions are also becoming more realistic about how home internet connections are used, accommodating family sharing of broadband internet service through split tunnels.  A split tunnel lets family members access the Internet directly rather than through the corporate IT infrastructure, separating work and family traffic.</p>
<p>Another teleworking use is for small branch offices. For example, a food services restaurant, such as those at sports stadiums or airports, or a small retail outlet is a perfect fit for teleworking solutions.  Their use profile may differ from the home worker’s, as small branch office sites may need to support more than one user, may not need mission-critical voice or video applications, or might require an inventory back-up link.  Today’s teleworking solutions can support these use cases too.</p>
<p>For example, the distributed call center agent model is very popular today as it taps into a previously inaccessible labor pool – work-at-home parents.  Many airlines equip their ticketing agents with teleworking solutions so they may work from home, reducing commercial real estate office expense, increasing hours of coverage, etc.  In short they are able to deliver a better service at a lower operational cost.</p>
<p>But while the small office and special use cases are interesting, the major teleworking market is to create a virtual office at home.  Many IT leaders are asking how to scale their IT resources, especially for the movement to home working.  In short, IT leaders want to be assured that their deployment performs effectively and their teleworking solution scales.  Further, IT leaders seek to receive the ultimate long-term return on investment promised during acquisition.  To achieve these goals, the teleworking solution needs to incorporate the following architecture components and attributes.</p>
<p><strong>Three Architectural Components </strong></p>
<p>For any teleworker solution that scales there are three basic components.  First is the remote site or teleworking solution.  This is and should be simple: typically a small router loaded with services such as WLAN, security, UC, etc., and an IP phone.  Second and most important for scale is the head end.  The head end includes VPN routers for aggregation and also a series of management servers that provide a diverse set of functions, including policy definition, automated configuration management plus identity controls.  One head end footprint should support thousands of teleworkers to deliver scale.  This centralization of complexity and ability to scale delivers a recurring return on investment as a single head end footprint can scale without the need for new equipment when new teleworkers are added to the network.  The third component is a professional service offering that assists IT management with envisioning, designing, deploying and managing/monitoring/optimizing the teleworking service.</p>
<p>We offer a teleworking architectural view from an attributes perspective to help guide business and IT leaders as they consider options.  We are impressed with Cisco’s new Cisco Virtual Office (CVO) and many of the attributes below can be found in that offering.  What makes CVO different from previous teleworking offerings is the level of service integration including mobility, unified communications, management and security in the teleworking equipment.  It’s the layering of security into the teleworker environment that makes executives comfortable that they&#8217;re not opening up back doors into their organization.  But perhaps most important is its ability to scale, which makes it perfect for large enterprise organizations, multi-nationals and global operations.</p>
<p><strong>Multiple Security Technologies </strong></p>
<p>Security is the number one concern of business leaders when considering large-scale teleworking solutions.  The concern is wrapped up in compliance, threat management, policy and control initiatives and requirements.  To address these security issues and concerns the teleworking solution needs multiple levels of security technology distributed between head end and teleworking network device, i.e., a router with multiple security services embedded. </p>
<p>The router needs to support a wide range of security technologies for voice, video and data.  These include identity-based authentication, firewall, content filtering, intrusion prevention, WLAN authentication, automated public key infrastructure (PKI), SDP, AAA, 802.1X, worm and virus protection and hacker lockout.  The scenarios are relatively simple: if the device is compromised, lock it out from the corporate network and keep viruses and worms from propagating into the corporate network.  Ensure identity of device and user before access is allowed.  Use PKI to ensure that router configuration changes are not made at the home office; if changes are made, the device is locked out.  Control and distribute policy and configuration changes at the head end to all teleworking routers.  Further, voice sessions should be isolated via their own VLAN.  Hardware encryption is important too, to keep communication secure without paying a performance penalty.</p>
<p><strong>The Ability To Scale Without Additional Operational Spend </strong></p>
<p>Solving a teleworking problem for 20 home offices and solving one for an organization that wishes to provide 40% of its 100,000 employees with home offices are different problems with different scale dimensions.  40,000 teleworkers is a large population and IT may not be ready to deploy a system that large in short order, but they need to know that the solution that they deploy today can scale to accommodate their requirements.  In addition IT needs to know that they will be able to manage such a highly distributed and pervasive remote access solution.  One of the largest teleworking deployments is at Cisco Systems, which includes some 13,000 teleworkers and is growing at 1,000 new teleworkers per month until it reaches a projected 30,000.  Cisco IT operates on a very tight budget and this solution has let them keep their headcount constant while growing at 8% per month.</p>
<p>It’s the management tools at the head end that deliver scale without adding operational expense.  One of the most distinctive features assisting scale without additional operational spend is zero-touch deployment.  Automating the provisioning process of initial configuration and deployment of teleworking devices scales IT resources.  In addition ongoing maintenance is eased too as new software images or configurations are pushed to remote teleworking devices in bulk versus one at a time.  Imagine how difficult this would be if IT depended on some 5,000 teleworkers to initiate this process versus IT initiating an automatic push from the centralized IT head end.</p>
<p><strong>IT Management </strong></p>
<p>The management of the head end and teleworking device is the technology that enables scale with minimal operational expense.  The ability to configure and develop policies which are pushed to teleworking devices minimizes operational spend and removes this task from home office workers, yielding a zero-touch deployment and management model.  Look for a policy server to control teleworking devices.  A server that performs device provisioning securely plus authenticates and registers new devices as they communicate to the head end is favorable.  A configuration engine for teleworking devices to pull policy updates, software updates, configuration changes, etc., simplifies patch management operations.  A certificate authority server that automates much of the process associated with pre-shared keys restricting management access to teleworking devices and an AAA server for authentication, authorization and access of profiles ensure system security.</p>
<p><strong>VPN Support </strong></p>
<p>At the head end multiple VPNs need to be accommodated.  There are layer 3 VPNs for high availability applications, a dedicated “always on” session for voice, video and QoS tunnels plus on-demand tunnels with the ability to create full meshes between teleworker sites.  This is an important attribute as traditionally inter-teleworking communications traversed from teleworker-to-head end-to-teleworker.  Now direct tunnels between teleworkers can be established increasing application performance such as video conferencing while reducing the load on the head end for this form of traffic, increasing performance for all teleworkers.     </p>
<p>In addition to the above user application VPN tunnels, management tunnels are needed too.  For example, a VPN for policy push with integrated firewalling plus IPsec client interoperability provides direct access between teleworking router and head end for security and management.  An SSL VPN at layer 7 for behavior-based end-point protection and full-tunnel client download provides additional security.  A layer 2/3 VPN for mobile end-points such as iPhones and dual-mode phones enables mobile end-points to share the teleworking solution. With support for multiple VPNs at the head end and teleworking sites, business resiliency or continuity is ensured, as there are multiple connectivity options to leverage in the case of a man-made or natural disaster.</p>
<p><strong>Advanced Network Services </strong></p>
<p>We mentioned above that teleworking devices are being equipped with advanced network services such as security, routing, switching, WLANs, unified communications, etc.  While these are powerful network services, look for application optimization too which increases application performance over broadband links. Enabling QoS technologies should be built within teleworking devices to ensure an excellent voice and video experience while prioritizing mission-critical traffic.  QoS plays an important role in teleworking environments where family members share a single broadband connection.  QoS prioritizes phone and business traffic, which may be flowing over the wireless network while youngsters download content or play internet-based games on Ethernet attached devices. </p>
<p>The value proposition of electronic communications has always been to allow people to communicate over distance.   Modern corporate communications is not only a mandatory requirement for corporations to conduct business but with advances in teleworking solutions, communications is now a major contributor to green initiatives too.  Teleworking initiatives have a unique set of business attributes such as reducing real estate requirements, increasing labor pool access, improved employee lifestyle options, plus enabling greater employee productivity.  Never before have there been so many motivating factors favoring teleworking, including high energy cost, government initiatives, business benefits, collaboration/social networking and green initiatives.  Advanced teleworking technology is now being packaged to allow business and IT leaders to develop and deploy massive teleworking initiatives.  The architectural approach above can help IT leaders deploy teleworking in scale while achieving the goals outlined above. </p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/10/special-edition-lippis-report-on-network-security-issue-5-deploying-teleworking-solutions-in-scale-part-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Lippis Report Issue 112: Business Applications Written To and Residing In Network Gear Offers New Approach To Branch IT Service Delivery</title>
		<link>http://lippisreport.com/2008/09/lippis-report-issue-112-business-applications-written-to-and-residing-in-network-gear-offers-new-approach-to-branch-it-service-delivery/</link>
		<comments>http://lippisreport.com/2008/09/lippis-report-issue-112-business-applications-written-to-and-residing-in-network-gear-offers-new-approach-to-branch-it-service-delivery/#comments</comments>
		<pubDate>Mon, 22 Sep 2008 19:11:00 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=1040</guid>
		<description><![CDATA[<p>As business and IT leaders think through their next generation branch IT infrastructure many are reviewing their IT service delivery model, thanks to the third phase of integrated networks and applications, which we discussed in <a href="http://lippisreport.com/2008/08/lippis-report-111-net-infrastructure-firms-build-developer-ecosystems-tightly-linking-apps-and-nets-to-create-business-value/">Lippis Report 111</a>.   The number…</p>]]></description>
			<content:encoded><![CDATA[<p>As business and IT leaders think through their next generation branch IT infrastructure many are reviewing their IT service delivery model, thanks to the third phase of integrated networks and applications, which we discussed in <a href="http://lippisreport.com/2008/08/lippis-report-111-net-infrastructure-firms-build-developer-ecosystems-tightly-linking-apps-and-nets-to-create-business-value/">Lippis Report 111</a>.   The number of branch office locations is increasing and will accelerate thanks to the financial market crisis which has transformed Goldman Sachs and Morgan Stanley into bank holding companies, allowing them to take deposits and expand their presence throughout the globe.  But independent of the financial market dynamics business and IT leaders have been re-distributing human and capital assets away from headquarter facilities toward branch offices for some time now and the network-embedded application approach allows IT leaders to manage this shift in business operations.</p>
<p><span id="more-1040"></span> </p>
<div class="pod_rel">
<p class="pod_p">Increasing Corporate Value Through Integrated Networks and Applications: A New Approach to IT Service Delivery Emerges for Branch Office Operations</p>
<p><a class="pod_icon" href="/?lippis_pid=1015">Get the white paper</a></p>
</div>
<p>Strategies that leverage data center consolidation efforts, which minimize branch office IT footprints and TCO are favorable now more than ever.  Server centralization, virtualization and network consolidation are key aspects of next generation branch office IT infrastructure.  Application deployment, integration and performance are key management focus areas as is branch survivability, and the industry is responding to IT leader requirements by offering a new network-based application service delivery model. </p>
<p>Writing business applications to network gear, and having them reside there, offers a new service delivery model where dedicated compute and storage capacity reside within a branch office router.  This integration is a new application delivery platform offering several value points: 1) through an API, branch applications gain insight into network dynamics so that application performance is optimized; 2) network, server and application consolidation in the branch; 3) both vertical and horizontal specific applications can be delivered via this platform; and 4) a new application delivery ecosystem is emerging, easing branch application deployment.</p>
<p>The integrated application platform enables independent software vendors (ISVs) to offer branch specific applications for targeted vertical industries such as healthcare, financial services, retail, transportation, et al.  In addition ISVs are porting their software to this new platform to address horizontal or cross-industry branch office requirements.   </p>
<p>For a horizontal application example consider Sagem-Interstar, a global leader in fax server solutions for IP networks.  Sagem observed that legacy fax machine deployment is both expensive (it requires dedicated analog circuits) and does not preserve privacy.  Sagem realized that it could deploy its XMediusFAX Fax over IP (FoIP) technology on Cisco’s AXP to virtualize fax functions into the Cisco ISR VoIP gateway.  By doing so any desktop application could send/receive faxes; plus fax services could now be integrated into e-mail and mobile devices.  Not only is cost reduced by running XMediusFAX on Cisco’s AXP, but AXP improved resource utilization and provided audit trails for compliance requirements.</p>
<p>This solution came together for H I G Capital.   H I G Capital is a leading global private investment firm with over $7.5 billion of capital under management. H I G created value and optimized its remote office operations through Cisco’s AXP business platform, which tightly links applications and networks.  In the podcast linked below Luis Suarez, Director of IT at H I G Capital explains how H I G used AXP along with Sagem-Interstar’s XMediusFAX application to displace both an old world analog fax network plus web-based fax services, while integrating fax services into its unified communications environment extending fax services to all H I G end-points and in the process speeding up business process and deal flow. </p>
<div class="pod_wide">
<p><img src="/wp-content/uploads/suarez.jpg" width="55" height="70" alt="Our Podcast Guest" /><strong>H.I.G puts Cisco’s AXP to Work and Creates Business Value in the Process</strong></p>
<p><a href="http://lippisreport.com/2008/08/hig-puts-cisco%E2%80%99s-axp-to-work-and-creates-business-value-in-the-process/">Listen to the Podcast</a></p>
</div>
<p>H I G was able to remove all fax machines and their associated maintenance contracts, and improve service for company professionals without the need to add new equipment to their branch offices.  The FoIP service was delivered by IPComIT, a Sagem and Cisco partner. </p>
<p>In addition to ISVs and application providers porting their applications to the branch application platform, in-house IT development departments such as those in the financial services industry are writing custom applications, which increase application performance or add features to management tools.   Integrated application branch platforms offer APIs in which developers can write their own applications to add value to their branch office IT infrastructure.   </p>
<p><strong>The Value Proposition of Business Applications Written to and Residing in Network Gear </strong></p>
<p>The value proposition for the network-embedded applications is specific to branch office IT infrastructure as it leverages data center consolidation while increasing IT services at lower TCO.  The network-embedded application approach improves branch office IT infrastructure attributes thanks to a new application delivery model that lowers branch office IT footprint by consolidating networks, servers and applications onto one platform, reducing the IT operational cost.</p>
<p><strong>Lower TCO:</strong>  Depending on the number of branch applications, multiple servers may be needed, but their total number will be reduced in this model.  The highest cost components of branch office IT TCO (operations and facilities) are reduced with a common management model for networks, servers and applications.  Maintenance is reduced by the displacement of devices such as fax machines, voice recorders and some servers while WAN performance is optimized by the interaction between network code and applications plus WAN application acceleration.</p>
<p>The following four findings come from a recent study that compared application development on in-branch-office appliances/standalone servers versus the network-embedded application approach.</p>
<ul>
<li><strong>Quicker Application Development Time:</strong>  Application development cost is significantly reduced when developers utilize an integrated application branch platform versus an in-branch server. Because the network is being utilized as a platform, there are savings in terms of time and development costs thanks to integrated services plus libraries and APIs, to which developers have access. The application is able to work directly with the network and leverage its APIs.  Time required for development of new features in a network-embedded application scenario accounts for approximately one-third of development costs.  The integrated application approach reduces this development time by approximately half. </li>
<li><strong>Lower Integration Cost:</strong> Integration cost represents time involved in configuring and integrating the application server, security device, branch office router, etc.  It’s the cost of bringing together a heterogeneous environment to allow transparent operation to achieve business goals.   In the network-embedded application scenario integration consumes approximately one-fourth of the effort to own and operate an integrated application branch platform versus appliance or separate branch office server.   </li>
<li><strong>Lower Maintenance and Energy Consumption:</strong> Maintenance includes the time and costs related to implementing patches, upgrades and updates, which grow in time, cost and complexity as the number of devices in the branch increases.  The network-embedded application approach reduced maintenance cost by over 50%.  Power and cooling costs are also lowered by some 50% thanks to the integration of networking, computing and storage in one package. </li>
<li><strong>Faster Business:</strong>  As servers are resident in the network and applications have visibility into network dynamics via APIs, faster deployments are achieved for new applications.  New applications can be deployed without the procurement, configuration and operations of a new server, reducing the time required to launch a new branch office service.  As more applications are layered on top of the integrated branch server platform, the time and cost associated with maintenance is reduced as well.  This quicker pace of application deployment and efficient maintenance allows an organization to respond quicker to market dynamics and/or customer demands/concerns. </li>
</ul>
<p>In addition to the above four advantages of network-embedded applications versus separated, survivability is increased as applications are able to respond quicker to changes in network status.   </p>
<p><strong>Survivability: </strong> There are specific network attributes gained through new design options afforded by the network-embedded application approach.  In particular applications become network aware.  For example, if the LAN link is performing sub-optimally, the application platform can sense this and dynamically alter some of the router settings based upon business load so that sensitive applications stay within performance tolerances.   In the wide area, a failure of a primary or secondary link can be mitigated by configuring the two in a load-balancing manner that leverages performance routing and increases application survivability and performance. </p>
<p><strong>Network Smart Proxy:</strong>  Many branch applications are hosted in a data center and accessed over the branch office network.  Some applications provide proxies in the branch office to increase survivability.  There is a continual process of checking status between the network-embedded application platform and its clients plus the central application to detect a network failure and if one occurs to assume the role of proxy, assuring business continuity.   Data center consolidation allows IT leaders to centralize complexity and deploy application proxies into branch office locations.  That is, the application resides in the data center and the proxy could be running in the Cisco AXP; for example, in the event of a link failure or disaster the application platform could keep the proxy running until such time as access is available to the data center, transferring control back to the central entity.    </p>
<p><strong>Network and Application Awareness:</strong> Not only are the applications aware of the network, but the network is aware of the applications.  Seems intuitive, but this awareness between networks and applications allows both to behave respectfully of each other so that performance and survivability are improved.  This awareness improves disaster recovery and business continuity as the network and applications have a view into and some control over each other, allowing quicker response to both man-made and natural disasters.  In addition most IT organizations are split into application and network groups.   With awareness between networks and applications, IT is able to view the service delivery, acquisition and performance optimization more holistically. </p>
<p>A tight linkage between the application environment and wide area network offers additional performance and disaster recovery attributes.  For example, application performance over the wide area is improved as the application has a view into router status and network dynamics, which it can manipulate based upon business rules.   Applications can avoid network-based delays, for instance by shifting application traffic from a heavy traffic WAN link to one less occupied.  Not only can applications shift their transport based upon performance, but also failed links are avoided.  As mentioned above, application-driven router reconfiguration allows applications to modify network behavior to maintain performance.  IT leaders may centralize most application support and create a very thin or thick branch application footprint, depending upon their business needs.  The network-embedded application approach affords optimization of both models, yielding great control over IT complexity.    </p>
<p>One of the most important attributes afforded by the integrated application approach to branch office IT infrastructure is the speed of response to market conditions and the dynamics it offers to IT leaders.  As executives seek to capitalize on globalization opportunities, manage IT complexity, become greener and deploy Web 2.0-based collaboration, the network-embedded application approach is an enabler of these important initiatives.  As business and IT leaders re-distribute human and capital assets away from headquarter facilities toward branch offices the integrated application approach allows IT leaders to manage this shift in business operations.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/09/lippis-report-issue-112-business-applications-written-to-and-residing-in-network-gear-offers-new-approach-to-branch-it-service-delivery/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Special Edition Lippis Report on Network Security Issue 4: Deploying Teleworking Solutions in Scale: Part 1</title>
		<link>http://lippisreport.com/2008/09/special-edition-lippis-report-on-network-security-issue-4-deploying-teleworking-solutions-in-scale-part-1/</link>
		<comments>http://lippisreport.com/2008/09/special-edition-lippis-report-on-network-security-issue-4-deploying-teleworking-solutions-in-scale-part-1/#comments</comments>
		<pubDate>Tue, 09 Sep 2008 05:00:12 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=984</guid>
		<description><![CDATA[<p>Working from home has always been a different IT experience than being in the office.  Home connectivity was restricted to dial-in, VPN and client-based solutions.  Voice service was usually the house phone.  Then broadband came to the market and connection…</p>]]></description>
			<content:encoded><![CDATA[<p>Working from home has always been a different IT experience than being in the office.  Home connectivity was restricted to dial-in, VPN and client-based solutions.  Voice service was usually the house phone.  Then broadband came to the market and connection speeds ramped up, offering faster application performance, which was better but still a major downgrade from the office IT experience.  This poor experience dampened the growth of teleworking, which was good news for most IT leaders as their concerns were security vulnerabilities and management. But with advanced integration of networks and communications the gap between office and home IT experience is closing fast.   In addition a confluence of factors ranging from green initiatives to governmental requirements, work-home life style changes, business expense controls, business continuity and new teleworking solutions are giving business and IT leaders the motivation to embrace and massively deploy teleworking solutions.   </p>
<p><span id="more-984"></span></p>
<div class="pod_wide">
<p><img height="70" width="55" src="http://lippisreport.com/wp-content/uploads/cc.jpg" /><strong>The Time Is Right For Massive Teleworking Deployments</strong></p>
<p><a href="/?lippis_pid=969">Listen to the Podcast</a></p>
</div>
<p>There have long been inhibitors to massive teleworking deployment.  IT management has been concerned with the lack of security measures to close vulnerabilities and mitigate exploits from propagating into corporate IT assets from thousands if not more home connections.  Operating and managing thousands of far-flung connections is their other inhibitor.  Business managers have been concerned with a potential drop in productivity as home workers may be distracted from their work.  In short business managers did not have the proper level of trust with their staff and were unfamiliar with a remote working model.   Employees need a certain amount of face time with other employees to establish relationships and trust before they can be productive working at home too. </p>
<div class="pod_rel">
<p class="pod_p">Cisco Virtual Office Services</p>
<p><a href="http://lippisreport.com/?lippis_pid=981" class="pdflink">Get the Paper</a></div>
<p>For teleworking solutions to be successful they need to bring office-caliber resources and the office experience to employees working at home or in very small offices. Teleworking individuals also gain value by reducing their commute times and gasoline consumption, and experiencing a more balanced lifestyle in a work/home environment. IT leaders need to be assured that back doors into their IT assets are closed and secure and that managing thousands to tens of thousands of remote home connections does not require new IT staff or overburden their existing operations. For business leaders, teleworking offers a range of benefits including access to a larger labor pool, office expense reduction, increased productivity, a green initiative, tax incentives, business continuity and much more. In short, business leaders are starting to understand the value and benefits of the remote working model.</p>
<div class="pod_rel">
<p class="pod_p">Cisco Virtual Office: Flexibility and Productivity for Your Workforce</p>
<p><a href="http://lippisreport.com/?lippis_pid=978" class="pdflink">Get the Paper</a></div>
<p>And it’s good that there is something positive for all three stakeholders &#8212; users, IT and business leaders &#8212; because the world market of teleworking individuals is large and getting larger.  The worldwide corporate teleworking population of individuals who spend at least one day a month teleworking from home will show a compound annual growth rate (CAGR) of 4.3% between 2007 and 2011, according to Gartner Group. This population will reach over 112 million by the end of 2011.  In the same period, the worldwide corporate teleworking population of individuals who spend at least one day a week teleworking from home will show a CAGR of 4.4% ballooning to 46.6 million by year end 2011.  The big teleworking markets are the US, Western Europe and Japan with Asia/Pacific lagging behind. </p>
<p>There are five fundamental drivers fueling the above growth in teleworking: </p>
<p><strong>Business Dynamics and Benefits:</strong> A few fundamental business trends are feeding the need for increased teleworking. One strong trend is globalization, prevalent throughout many different industries, which forces business managers to keep their operations agile by finding and attracting talent wherever it resides. The old model of hiring skills that are local to physical facilities is outdated, as business leaders are forced to expand their labor pool reach by plugging remote employees into the corporation. The workforce has been and will continue to be distributed. In fact, 62% of corporations have added new branch offices, accounting for an 11% year over year growth in their deployments according to a recent Nemertes Research study. Further, the majority of new hires are now targeted to branch office staffing ranks. Eight out of ten new hires are staffed into non-headquarter facilities, with telecommuting being the natural extension of this new business model. The motivation? Simply to be close to customers, attract talent, gain the best skills available on the global stage and maintain operations when or if a man-made and/or natural disaster hits.</p>
<div class="pod_rel">
<p class="pod_p">Enterprise-Class Teleworker Product Test</p>
<p><a href="http://lippisreport.com/?lippis_pid=976" class="pdflink">Get the Paper</a></div>
<p>Business and IT leaders are continually reviewing operations to reduce expense. For telecommuting initiatives, real estate downsizing and energy consumption are two of the largest operational benefits. From a cost of deployment point of view, Total Cost of Ownership (TCO) and Return on Investment (ROI) are inversely proportional to each other. Upfront capital acquisition is offset by lower operational facility cost plus higher productivity, returning the investment over time. In fact, American Century Investments justified the acquisition cost of its 100-plus teleworking solution with reductions in wide area facilities cost. In short, wide area cost savings of reduced PSTN lines and bulk broadband purchases provided the dollars to fund the capital cost of its teleworking solution.</p>
<p>With teleworking solutions scale is important and centralization of complexity allows for a quicker return as new remote sites are added with essentially the cost of the teleworking equipment (a network device and IP phone).    </p>
<p><strong>Technology Enablement:</strong> The convergence of multiple services and technologies into one small package that exploits a broadband connection is the main contributor to the high growth in teleworking. Being able to integrate unified communications, IP video services, firewall, intrusion prevention, content filtering, routing, switching, wireless LAN services and application delivery into one device that operates over a high speed broadband connection nearly eliminates the office-home IT experience gap. This advanced integration of networks and communications enables teleworkers to be just as productive as they are in the office by delivering nearly the same application performance and communication options available in the office. In short, some teleworking solutions are delivering a virtual office experience, such as Cisco’s new Cisco Virtual Office announced September 9, 2008.</p>
<p>For IT management, new teleworking offerings provide solutions to network security and scale. Some teleworking solutions have centralized complexity and distributed functionality so that adding new home users is straightforward and does not require user configuration. The use of tunnels for voice, data and management allows IT personnel to perform routine tasks such as updates, policy rule downloads, new configurations, etc. for thousands or tens of thousands of telecommuters with zero user touch. Layered identity-based security authenticates and identifies both user and device, isolates domains and locks out stolen, lost or hacked devices. In addition, updated exploit signatures are distributed to teleworkers centrally by IT operations, assuring business managers that their IT assets are protected with the latest defenses. All of these operations are performed without the teleworker having to touch their computer, network device or IP phone, a huge advantage for both teleworkers and IT management and a departure from past approaches.</p>
<div class="pod_rel">
<p class="pod_p">Cisco Virtual Office Deployment Guide</p>
<p><a href="http://lippisreport.com/?lippis_pid=972" class="pdflink">Get the Paper</a></div>
<p><strong>Productivity:</strong> With high speed networks and integrated communications, teleworkers now have access to all the resources, tools and technologies that they need to be as efficient and productive in a home office as they are in their corporate offices. Many find that they are more productive in their home office as they are able to focus with minimal interruptions. To address business manager concerns about keeping remote employees productive and plugged in, there is a wide range of communication tools available including UC, social networking sites such as Facebook and Twitter, instant messaging, IP video conferencing, etc.</p>
<p>In particular, Facebook pioneered a concept called the News Feed, which has been widely adopted by other networks. When you log into Facebook, you&#8217;re treated to an immediate stream of information about other people in your network. You immediately know about changes in their lives or schedule, when and where they&#8217;ve gone on vacation, what project they&#8217;re working on, what they&#8217;re reading, what conferences they&#8217;re attending and what they think you should be reading and attending. Other services like FriendFeed have expanded this idea to a broad range of online services. Twitter adds immediacy that other services don’t. The “friending” feature of social networks is the single most important factor that can keep remote employees plugged into the organization. Instant Messaging (IM) is the replacement for the water cooler, offering quick messages between staff or small talk. Unified Communications (UC) brings all the corporate voice services such as presence, direct dial, call log, directory, click-to-call and click-to-conference to the home office. In addition, corporate collaboration tools such as WebEx allow remote employees to host or be a guest in customer and employee presentations and meetings, while click-to-conference enables live video sessions between teleworkers and other employees.</p>
<p><strong>Business Continuity: </strong>  Business continuity or employee resiliency is another important driver for teleworking.  Having a large teleworking infrastructure allows businesses to be productive and continue essential operations during disasters such as pandemics and massive storms plus man-made disasters by keeping key employees networked from home. </p>
<p><strong>Regulation and Corporate Green Initiatives:</strong> Consider that a typical US employee commutes approximately 7,000 miles per year. On average, 0.45 tons of CO2 are emitted into the atmosphere for every 1,000 miles driven. Gartner says that there are 13.3 million US telecommuters working at home at least one day a week. These teleworkers save some 8.5 million tons of CO2 from being emitted into the atmosphere, and as the price of gasoline rises they also save disposable income.</p>
<p>This math is becoming well understood around the globe.  Many governments including the US, Japan, France, Sweden, Germany, et al have mandatory requirements for government workers to telework while providing business incentives to do the same.  In central London a congestion charge is imposed on motorists in downtown areas to provide additional incentive to telecommute.  The same was proposed in NY City.  States like Washington are legislating telecommuting, requiring Seattle to penalize companies for not reducing year-over-year average employer commute times. Look for only more business incentives and regulations to cut down CO2 emissions and traffic congestion. </p>
<p>Some business and IT leaders questioned the energy savings benefits of teleworking as they believed that energy consumption shifted from corporate to personal.  Sun Microsystems commissioned a study to address this question and found that an employee working from home consumed less than 50 percent of the energy that would have been spent if they had come into the office.  The findings of this study put an end to questions about teleworking energy conservation. </p>
<p>The above five drivers are replacing old inhibitors with strong motivation for business and IT leaders to develop and deploy massive teleworking initiatives. In Part 2 of “Deploying Teleworking Solutions in Scale” we’ll focus on different uses of teleworking and provide a teleworking architectural view and framework that business and IT leaders can use as they plan their own initiatives.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/09/special-edition-lippis-report-on-network-security-issue-4-deploying-teleworking-solutions-in-scale-part-1/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Lippis Report 111: Net Infrastructure Firms Build Developer Ecosystems Tightly Linking Apps and Nets To Create Business Value</title>
		<link>http://lippisreport.com/2008/08/lippis-report-111-net-infrastructure-firms-build-developer-ecosystems-tightly-linking-apps-and-nets-to-create-business-value/</link>
		<comments>http://lippisreport.com/2008/08/lippis-report-111-net-infrastructure-firms-build-developer-ecosystems-tightly-linking-apps-and-nets-to-create-business-value/#comments</comments>
		<pubDate>Tue, 26 Aug 2008 00:35:44 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=953</guid>
		<description><![CDATA[<p>Enterprise networks, especially branch office networks, have experienced a level of service integration over the past five years that has delivered lower acquisition and operational cost while increasing the number of services available to branch office employees.  Branch office routers…</p>]]></description>
			<content:encoded><![CDATA[
<p>Enterprise networks, especially branch office networks, have experienced a level of service integration over the past five years that has delivered lower acquisition and operational cost while increasing the number of services available to branch office employees. Branch office routers now include switching, WLANs, PoE, network security, WAN optimization, VPN, unified communications and advanced routing, which increase application performance over thin wide area network links. This Lippis Report is based upon a white paper we have authored and which will be distributed after Labor Day. We explain the next generation of branch office optimization, which is the integration of applications into the network fabric. The networking industry has started to open up its software in the form of SDKs and APIs. Cisco, Juniper, Extreme, 3Com and the open source routing initiatives are all allowing developers to write to defined router software interfaces. We explore its value proposition in detail and provide guidance to business and IT leaders who wish to exploit this new model for value creation and improved service delivery in branch office operations.</p>
<p><span id="more-953"></span></p>
<div class="pod_wide">
<p><img height="70" width="55" src="http://lippisreport.com/wp-content/uploads/shi.jpg" /><strong>A New Approach to Branch Office Value Creation Emerges</strong></p>
<p><a href="/?lippis_pid=851">Listen to the Podcast</a></p>
</div>
<p>There is a new model in branch office networking that links networks and applications much more tightly than ever before. Branch office IT infrastructure is entering its third phase of maturity, an era we call the integrated application approach. As with most investments, trends are difficult to predict, as significant demand is required to identify the trend. During the process of demand-to-trend, both IT leaders and suppliers start to offer architected solutions, which become more sophisticated over time. The same is true for branch office infrastructure. We describe the three phases of branch office networking and explain why the next phase is the integrated application approach.</p>
<div class="pod_wide">
<p><img height="70" width="55" src="http://lippisreport.com/wp-content/uploads/sponsorimage.jpg" /><strong>Optimizing Branch Office Operations With Cisco’s AXP</strong></p>
<p><a href="/?lippis_pid=933">Listen to the Podcast</a></p>
</div>
<p><strong>Phase One: Overlay</strong></p>
<p>The first phase of solutions was an overlaying of services such as routing, switching, firewalls, servers, storage, applications, etc.  There was little to no integration of devices and virtualization of services.   Overlays quickly became too expensive as their multiple devices sourced from different suppliers distributed over thousands of branch offices drove up all aspects of total cost of ownership and became too complex to operate. </p>
<p><strong>Phase Two: Integrated Networks</strong></p>
<p>To control complexity and reduce TCO, the second phase of branch office IT infrastructure was the integrated network approach. The integrated network virtualized many network services such as routing, switching, firewall, Intrusion Prevention Systems (IPS), WLANs, VPN, WAN acceleration, IP telephony or unified communications, etc. This integrated approach significantly reduced TCO by integrating all of these network services into one device. The integrated approach also placed all network services under one management umbrella, offering both IT operational efficiency and headroom so that additional branch offices could be deployed without adding more IT personnel.</p>
<p>Studies have shown that IT operations were reduced by 50 to 70% as the integrated network approach was adopted. The integrated approach not only addressed TCO but offered branch office personnel additional services such as unified communications, mobility, application performance improvement and integrated security. Paradoxically, survivability of branch office IT infrastructure increased as firms deployed the integrated network approach; the number of devices per branch was significantly reduced, replaced by a single integrated device with a high mean time between failures (MTBF). Power requirements dropped as well, allowing the company to reduce its carbon footprint.</p>
<p>As a reference, over 5 million of Cisco’s Integrated Services Routers (ISRs) have shipped. This number can be viewed as market acceptance of this Phase Two approach.</p>
<p><strong>Phase Three: Integrated Applications</strong></p>
<p>The industry is starting to offer the third phase of branch office IT infrastructure.  The third phase is the integration of applications and networks from a physical packaging plus application delivery and deployment point of view.  One of the main drivers of the third phase is data center consolidation, which enables branch optimization through aggregation and consolidation of the branch IT footprint, further lowering TCO.  Business and IT leaders who have deployed the integrated network approach are now required to increase the manageability of their branch applications by moving some of their server-based applications onto the network platform.  </p>
<p>To achieve the integrated application approach the networking industry has started to open up its software in the form of SDKs and APIs.  Cisco, Juniper, Extreme, 3Com and the open source routing initiatives are allowing developers to write to well defined router software interfaces.  This is an important development as it provides a venue for increased innovation in networking and tighter linkage between applications and networks.  But Cisco has taken this activity to a higher level by offering Linux and Windows platforms within its Integrated Services Router (ISR) and Wide Area Application Services (WAAS) products respectively, delivering on the network as a platform concept.  </p>
<p><strong>Approaches to Integrated Applications  </strong></p>
<p>Various vendors offer different approaches to integrated applications. For example, 3Com offers its Open Network, Juniper Networks has Open JUNOS, Cisco offers AXP (mentioned above), while Extreme Networks launched its Widget Central. These efforts mostly offer restricted access to the network operating system, such as monitoring and management feature sets. For example, Extreme has created an ecosystem around the development of application widgets by exposing features and providing software developers with access to its ExtremeXOS. Most widgets offer views and management assistance for Extreme customers.</p>
<p>Cisco differs from the above suppliers in that the AXP is a dedicated Linux server with dedicated hard disk and memory. It resides as a service module within its ISR routers for branch offices. The AXP is equipped with an API that exposes certain routing features: packet monitoring; event triggers, which allow applications to react to router events; IOS configuration, which allows applications to dynamically change router configuration; an information API, which provides information available via the command line interface and SNMP agents; etc. Application developers can access routing features through the AXP’s APIs and host their applications on the router. The AXP also supports virtualization of applications in completely self-contained contexts, so that multiple applications can be hosted on the same service module in a secure manner. In addition to AXP, Cisco also offers a Windows Server platform within its Wide Area Application Services (WAAS) product.</p>
<p>There are open source approaches as well, such as eXtensible Open Router Platform (XORP), Zebra/Quagga and Vyatta.  XORP and Quagga are research projects in open routing with little traction in enterprise computing.  Vyatta is similar to Red Hat in that they offer open source routing code and charge for software subscriptions, network interfaces, hardware appliances, professional services and training.   </p>
<p>What will determine success in the integrated application approach to branch office IT infrastructure will be the scale of the implementation or market share, solution economics, feature attributes, size of partner and developer ecosystem plus go to market strategy.  As a point of comparison, there have been a few hundred thousand downloads of Vyatta’s Vyatta Community Edition 4.0 routing code versus 5 million Cisco ISR routers in production.    </p>
<p>For a vertical industry example, consider NICE Systems. NICE provides solutions for voice recording, monitoring, and managing customer interactions for organizations with multiple branches. NICE has teamed up with Cisco to deliver its Network Embedded VoIP logger on top of Cisco’s AXP. The NICE Network Embedded VoIP logger captures voice packets traversing the ISR and supports SRST (Survivable Remote Site Telephony), providing local audio storage with offsite archiving. There is no additional hardware for this solution, just an ISR with AXP. This solution allows business and IT leaders to address the growing trend of more personalized customer interaction requirements and increased regulation to journal customer interactions across many industries around the globe, such as Basel II in the US, MiFID in Europe, FSA in the UK and JSOX in Japan. By embedding voice recording in the network, network optimization is achieved, recording servers are eliminated and application survivability is ensured.</p>
<p>The networking companies are starting to position their infrastructure products as platforms, and rightfully so. Some are developing developer and partner ecosystems that deliver the value unleashed by their platforms to customers. As business and IT leaders start to think about the network as a business platform, we offer a few considerations.</p>
<p>Consider platform suppliers with large market share/footprint and the financial resources to sustain a healthy ecosystem. This is a critical consideration, as ecosystem development is an expensive commitment that requires a business and technical architecture to be managed and optimized so that value is being delivered to market. In addition, certification, test and support programs are important ecosystem attributes; make sure your platform provider has these partner aspects in place.</p>
<p>Consider platforms that deliver bi-directional network and application awareness to deliver lower TCO, higher application optimization and increased business continuity.  The best platforms will have a deep library of services, which developers can access, and APIs to specific network information and control, which will create a rapid development environment of feature rich applications.  </p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/08/lippis-report-111-net-infrastructure-firms-build-developer-ecosystems-tightly-linking-apps-and-nets-to-create-business-value/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Lippis Report Issue 110: Summer 2008 Brings Networks and Communications Industry Restructuring</title>
		<link>http://lippisreport.com/2008/08/lippis-report-issue-110-summer-2008-brings-networks-and-communications-industry-restructuring/</link>
		<comments>http://lippisreport.com/2008/08/lippis-report-issue-110-summer-2008-brings-networks-and-communications-industry-restructuring/#comments</comments>
		<pubDate>Mon, 11 Aug 2008 21:13:36 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/2008/08/11/lippis-report-issue-110-summer-2008-brings-networks-and-communications-industry-restructuring/</guid>
		<description><![CDATA[<p>The summer of 2008 has brought huge changes to the networks and communications industry. 3Com, ProCurve and Juniper Networks have new CEOs. Siemens combined with Enterasys and SER Solutions through a joint venture structure between the Gores Group and Siemens…</p>]]></description>
			<content:encoded><![CDATA[
<p>The summer of 2008 has brought huge changes to the networks and communications industry. 3Com, ProCurve and Juniper Networks have new CEOs. Siemens combined with Enterasys and SER Solutions through a joint venture structure between the Gores Group and Siemens AG, creating the second largest networks and communications company. Foundry was acquired by Brocade to bolster its data center networking architecture. ProCurve just purchased Colubris to increase its WLAN offerings. All this occurred while Cisco reported its strongest quarter in company history with over $10B in revenues, which is nearly the sum of all the annual revenues from the firms mentioned above. Put another way, in one quarter, Cisco takes in nearly all the revenues that Foundry, ProCurve, Juniper, the new Siemens and Brocade make all year. From data center networking to unified communications to enterprise networking, there are mammoth changes and shifts occurring in IT spending, which are forcing the consolidation and restructuring evident this summer. We&#8217;ll review the above transactions with our take and predictions for what&#8217;s to come.</p>
<p><span id="more-866"></span></p>
<div class="pod_wide">
<p><img src="/wp-content/uploads/_sanket.jpg" width="55" height="70" alt="Sanket Amberkar" /><strong>Workspace Ready Networks With A Single Networks and Communications Supplier</strong></p>
<p><a href="http://lippisreport.com/?lippis_pid=864&#038;lippis_fil=sanket_amberkar_cisco.mp3">Listen to the Podcast</a></p>
<p><img src="/wp-content/uploads/pete-fiore.jpg" width="55" height="70" alt="Pete Fiore" /><strong>The Quiet Giant in Network Security: Crossbeam Systems</strong></p>
<p><a href="http://lippisreport.com/?lippis_pid=862&#038;lippis_fil=pete_fiore_crossbeam_6_6_08_2.mp3">Listen to the Podcast</a></p>
</div>
<div class="pod_rel">
<p class="pod_p">University of Pisa develops trail-blazing approach for cost effective compliance and protection of large city campus networks</p>
<p><a href="Business Value Creation Through Branch 2.0" class="pdflink">Get the Paper</a></div>
<p>But before we dive into the details, an observation of note. The global economic slowdown continues to fester as more jobs are lost, credit is still tight and the price of oil per barrel remains high. Yet even through this difficult economic period, IT spending remains strong. IBM, Cisco and Microsoft put up great numbers during the last quarter without downward guidance, which speaks volumes to the point that business and IT leaders are continuing to invest in IT during this period of economic uncertainty. During Cisco&#39;s August 6th conference call John Chambers, Cisco CEO, said that &quot;we all see the same mixed signals in the market, from both a U.S. perspective and other parts of the world, in terms of economic momentum, stock market behavior, energy costs and confidence challenges.&quot; But the big IT suppliers are navigating this period well with record revenues: $10B and $26.8B in the quarter for Cisco and IBM respectively, and $60B for the year for Microsoft; all of these record highs.</p>
<p>So the question is, will the large IT suppliers pull further away from their smaller competitors during this economic period or will the high tide raise all boats? Let&#39;s review some of the above-mentioned transactions in the networks and communications industry to try and answer that question.</p>
<p><strong>Foundry acquired by Brocade</strong></p>
<p>Foundry Networks is being acquired by Brocade for $3B in cash. First, the long anticipated second phase of consolidation of the networking industry has started. Data center networking started it, thanks to Cisco&#39;s Data Center 3.0 initiative to unify data center front- and back-end networking with Ethernet. Clearly data center network architecture is in play and the Foundry acquisition by Brocade is a strong example that the market is heating up. There are now 5 approaches: Brocade/Foundry, Cisco (Nexus/vframe, VM), F5/Woven, HP, and IBM. Absent thus far are Juniper, Extreme, and ProCurve. By this acquisition Foundry has successfully positioned itself as a major data center player. What is odd is that this is a cash transaction, which puts in question how much confidence Foundry executives have in the new Brocade, as they opted for cash versus stock.</p>
<p><strong>A New CEO At Juniper</strong></p>
<p>In July, Juniper announced Kevin Johnson as its new CEO. Johnson, a 16-year veteran of Microsoft, was responsible for Windows software and this year&#8217;s failed bid to expand Microsoft&#39;s online presence by buying Yahoo. This moves Scott Kriens out of the CEO role but keeps him as Chairman of the Board.</p>
<p>Kriens may have been forced out after spending some $800 million to build Ethernet switches with little differentiation and virtually no direct distribution to the enterprise market. It&#39;s dubious what new skills Johnson will bring to the networking industry after focusing on desktop software and large public-facing web sites over the past 16 years. What relationships does he bring to Juniper&#39;s main customers and service providers? Further, what relationships and understanding does he have of enterprise network architects and designers, not to mention the technology, markets, and competitors that will benefit Juniper? Into what new markets can he bring Juniper? With data center networking, unified communications and network security being the hot markets in the current business cycle, Juniper could have done better. I give Johnson 12 months.</p>
<p><strong>A New CEO and President At 3Com</strong></p>
<p>In late spring, 3Com hired former Nortel Networks China CEO and Alcatel&#39;s regional president for greater China Robert Mao for the post of CEO, and former 3Com executive Ronald Sege as president and chief operating officer. This was clearly a re-grouping of 3Com following the failed Bain acquisition. Eric Benhamou is still the chairman of 3Com and has a ten-plus year working relationship with Sege.</p>
<p>This could be nothing but good news for 3Com and its customers as it now has executive management with the skills and understanding of the enterprise market. Clearly 3Com has lost much of its 1990s luster, market share and industry respect. But with a networking, security and unified communications portfolio plus a focused management team it should be in a better place. 3Com employees total approximately 4,000 in China, and more than 400 in Massachusetts with a worldwide labor pool of approximately 6,000. Its estimated annual sales are in the $1.3B range, nearly twice the size of Foundry Networks.</p>
<p>But while 3Com continues to focus on network switching, unified communications and network security there has not been a strategy or vision articulated for the firm. When 3Com sold its high-end switching products to Extreme years ago, it exited from the high-end enterprise market in order to address the small- and mid-sized market. It&#39;s the only enterprise networking and communications concern with a large manufacturer and sales distribution in China, thanks to the acquisition of its joint venture with Huawei called H3C. Sege will be key to any new momentum from 3Com as he knows the needs of network architects as well as channel and sales strategy, and he can create and deliver a strategy. He has to execute quickly.</p>
<p><strong>A New CEO At ProCurve</strong></p>
<p>In June Marius Haas replaced John McHugh as senior vice president and general manager of the ProCurve Networking business. McHugh was a long time HP employee who oversaw the ProCurve business for the past two decades and was the executive credited with establishing ProCurve as its own business. Before Haas, HP executive management placed an interim CEO, Bret Cromwell, as acting general manager. Cromwell was previously worldwide controller for HP ProCurve.</p>
<p>Now while there have been rumors for years that ProCurve was up for sale, this cannot be discounted now as Haas previously served as HP&#39;s senior vice president of strategy and corporate development. In that role, he led initiatives that focused on efficiency and driving growth for HP, including the execution and integration of all acquisitions since 2004. </p>
<p>I talked with Haas on August 11th when he said that the HP strategy is to more tightly integrate ProCurve into HP, leveraging its relationships with business and IT leaders to sell ProCurve gear.  HP has a large presence in data centers; Haas could use that as a basis to develop a new data center network portfolio with ProCurve to gain a larger share of that market.  But just like John McHugh before him, Haas will report into Shane Robison, executive vice president, chief strategy and technology officer at HP.  Shane didn&#39;t see the value of ProCurve while McHugh ran it, so it&#39;s unlikely that he&#39;ll see it now.  Haas does have acquisition and business development experience which could be helpful in architecting a different kind of ProCurve.</p>
<p>Haas&#39; first action as CEO was the acquisition of Colubris for an undisclosed amount on August 11th.  This is a big improvement to ProCurve&#39;s previously limited WLAN offering and it may offer a glimpse into HP&#39;s ProCurve strategy.  HP may very well be planning to increase ProCurve&#39;s value by acquiring a number of firms to increase its product portfolio in an effort to make it more competitive and/or increase its potential sale price.  It&#39;s not clear if HP&#39;s strategy is to grow by acquisition, steady as she goes, or increase value before a sale.  Haas insisted that a sale of ProCurve is not on the table and that HP will focus on the first two options: acquiring firms to strengthen weak areas in the product portfolio and steady as she goes.  But until Haas puts out a vision and strategy for ProCurve there is just no way to know what HP&#39;s plans are for ProCurve and where it will focus its resources.</p>
<p><strong>A New Siemens Emerges</strong></p>
<p>In June there were only three firms which offered both networks and communications: Cisco, 3Com and Nortel. Then Siemens AG and The Gores Group created a joint venture and populated it with Siemens Enterprise Communications, Enterasys and SER Solutions, creating the 4th firm to offer both networking gear and communication solutions. The JV name is Siemens Enterprise Communications. The new Siemens will be the 2nd largest firm offering both enterprise networks and communications, larger than 3Com and Nortel but still dwarfed by Cisco.</p>
<p>The new Siemens will be a $5B firm with more than 1 million customers, 15,000 employees and a presence in 80 countries, according to a fact sheet on the Siemens Enterprise Communications site. The Gores Group will own a 51% stake in the joint venture while Siemens AG retains 49% ownership. While the new Siemens will be the 2nd largest networks and communications concern focused on the enterprise market, its share distribution between Siemens, Enterasys and SER is not aligned.</p>
<p>Siemens is the 4th largest VoIP equipment supplier according to Dell&#39;Oro but much of its share resides in Europe. Siemens owns nearly 10% share of the US market for Enterprise Telephony according to Synergy Research Group and has a leadership position (nearly 20% share) of Western Europe&#39;s Enterprise Telephony market. Over the past eighteen months Siemens has locked up German distribution channels to other competitors by signing deals with new indirect channel partners. By contrast, market share for Enterasys and SER Solutions is concentrated in North America. This may help Siemens grow its current 10% share of the North American VoIP market while boosting Enterasys and SER Solutions European market share. In short, this JV creates a global provider of enterprise networks and communications, which is matched and surpassed only by Cisco.</p>
<p>It&#39;s clear that software economics associated with unified communications has forced a consolidation in this industry as revenue from fixed point phones drops from $600/phone to a software license of $8/softphone. Siemens and its customers are better off as a combined firm with a broader product portfolio. This JV can only be good news for Enterasys and SER as they both gain new channels into the European market and work on developing products and architectures that leverage networks and communications. Enterasys and SER customers should be delighted as there will now be a new path for their products.</p>
<p>It will take time for this JV to solidify, being spread over large geographic distances with mixed cultures and different sales channels and partners to rationalize. Here too there needs to be a solid strategy, vision and architecture which links the three entities together so that customers understand how their investments will grow over time and add value to their operations.</p>
<p>As the end of summer 2008 nears, there is now one new large enterprise networks and communications supplier, two fewer Ethernet switch providers and changes at the top of Juniper, ProCurve and 3Com. This is the kind of market confusion of which Cisco knows how to take advantage. While Siemens, Enterasys, SER, Juniper, Foundry, Brocade, ProCurve and 3Com focus on new management, product rationalizations, strategy and architecture development, Cisco keeps selling, executing and growing. Add on top of that an uncertain economic environment and record results at Cisco, and you have to be more than a little nervous if you&#39;re running one of its competitors.</p>
<p>Data center networking and unified communications are two of the largest change agents in the networks and communications markets. There is more consolidation to come in both market segments with the summer just a prelude to a busy fall.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/08/lippis-report-issue-110-summer-2008-brings-networks-and-communications-industry-restructuring/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Special Edition Lippis Report on Network Security Issue 3: Scaling NAC to Campus LANs</title>
		<link>http://lippisreport.com/2008/07/special-edition-lippis-report-on-network-security-issue-3-scaling-nac-to-campus-lans/</link>
		<comments>http://lippisreport.com/2008/07/special-edition-lippis-report-on-network-security-issue-3-scaling-nac-to-campus-lans/#comments</comments>
		<pubDate>Tue, 29 Jul 2008 00:19:02 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/2008/07/28/special-edition-lippis-report-on-network-security-issue-3-scaling-nac-to-campus-lans/</guid>
		<description><![CDATA[<p>In this Lippis Report we offer an update to Network Access Control (NAC).  The NAC market is at a pivotal point, as a key piece of technology that offers a third mode of operation is about to enter the market.…</p>]]></description>
			<content:encoded><![CDATA[<p>In this Lippis Report we offer an update to Network Access Control (NAC).  The NAC market is at a pivotal point, as a key piece of technology that offers a third mode of operation is about to enter the market.  This third mode, based upon authentication and distribution of NAC functions across existing appliances and network infrastructure will enable NAC to scale across an enterprise from its early deployments of guest, wireless and remote access to headquarter and campus LAN environments.  We offer a view of how the NAC market is progressing and detail this distribution of NAC functions and enabling mode of operation which will allow business and IT leaders to build strong defenses in one of their most critical IT assets, the campus LAN. </p>
<div class="pod_wide">
<p><img src="/wp-content/uploads/_stevensong.jpg" width="55" height="70" alt="Steven Song" /><strong>Scaling NAC to Campus LANs</strong></p>
<p><a href="http://lippisreport.com/?lippis_pid=855&#038;lippis_fil=steven_song_cisco_7_26_08.mp3">Listen to the Podcast</a></p>
</div>
<p><span id="more-861"></span></p>
<div class="pod_rel">
<p class="pod_p">University of Pisa develops trail-blazing approach for cost effective compliance and protection of large city campus networks</p>
<p><a href="http://lippisreport.com/?lippis_pid=856&#038;lippis_fil=_university_pisa_cisco_case_study.pdf" class="pdflink">Case Study</a></div>
<p>Network Access Control (NAC) has gone through the typical cycle of new IT technologies. When a new IT technology is first introduced, industry analysts and press are euphoric over its potential to solve a hard problem.  This euphoria is replaced by disillusionment when the speed of deployment is much slower than first anticipated, usually due to implementation difficulties and/or feature deficits.  After a period of disillusionment IT suppliers fix problems and repackage solutions while analysts and press set the right expectations for buyers.  IT buyers, armed with a realistic view of the IT technology, start to implement en masse.   This is what I call the reality phase. </p>
<p>NAC is now at the reality phase with many industry observers believing that over the next two years (2008 to 2010) there will be aggressive NAC deployments.  For example, IDC estimates that LAN-based NAC shipments over a 7-year period will grow at a Compound Annual Growth Rate (CAGR) of 45% with 2007-9 being peak years.  Infonetics predicts a 68% CAGR over the next 5 years, while Gartner is very bullish with a +100% year over year projection.  The size of the NAC market is difficult to predict as it varies widely depending upon what is counted.  For example, do you count the Ethernet switch for network-based enforcement?  Some may count Microsoft Windows Server 2008 as part of NAC equipment as well.  So the overall NAC market is on the order of a few billion dollars with NAC appliances sized in the hundreds of millions of dollars range.   With high CAGRs and large market size, NAC is shaping up to be a very explosive market fueled with high-octane growth. </p>
<div class="pod_rel">
<p class="pod_p">Food Manufacturer Extends Its Workplace with Secure Remote Access</p>
<p><a href="http://lippisreport.com/?lippis_pid=857&#038;lippis_fil=_delmonte_food_cisco.pdf" class="pdflink">Case Study</a></div>
<p>It took some time for NAC to get to this point and there had to be an industry shake up with Lockdown Networks closing its doors, ConSentry Networks changing executive management a few times, Cisco focusing on its NAC appliance offering and the linking between NAC and Microsoft&#39;s NAP.  2008 is the launch year for NAC as there are substantial and improved solutions being introduced.  For example, Microsoft recently released their NAP product, which builds their solution into an overall infrastructure offering.  Cisco is doing the same by unifying its NAC infrastructure and appliance portfolio in what is called the &quot;NAC portfolio unification&quot;.   </p>
<div class="pod_rel">
<p class="pod_p">Utility Overhauls Network Defenses to Boost Control and Visibility</p>
<p><a href="http://lippisreport.com/?lippis_pid=858&#038;lippis_fil=_jones_onslow_cisco_case_study.pdf" class="pdflink">White Paper</a></div>
<p>NAC deployments will accelerate this year because IT leaders are being offered comprehensive offerings and options as they move forward with their developments.  With system wide access control solutions available, IT and business leaders are now looking at a bigger picture.  They are asking how they can use NAC not only as a single point solution, but also as part of their overall security strategy and infrastructure.  Clearly most firms have two main IT layers.  Microsoft represents the desktop and end-point layer while Cisco is the dominant infrastructure layer.  These two layers represent big portions of most enterprise IT budgets.  It&#39;s no wonder that most dollars spent on NAC and NAP will flow to these two firms.  Case in point, NAC solutions are transitioning from point appliance and use solutions to a comprehensive system approach offering greater defense across more use scenarios.</p>
<p>What is driving NAC deployments?  Well it&#39;s a few things: the need for identity-based access control, enforcement of end-point policy requirements, configuration of guest and unmanaged users, and compliance reporting.  Most NAC deployments start with VPN, wireless and guest access, moving on to remote offices and the campus LAN.  NAC was first deployed in areas that had high security concerns: wireless access, guest access and protecting campus LANs from remote users.  Many start-up concerns focused on these opportunities with the result being that NAC is deployed around campus and headquarter facilities.  With NAC surrounding campus LANs and with comprehensive system solutions, NAC is now ready to be deployed within campus LANs to provide both inside and outside access control. </p>
<p><b>What NAC Provides</b></p>
<div class="pod_rel">
<p class="pod_p">Boosting Business Development with Citywide Wireless Access</p>
<p><a href="http://lippisreport.com/?lippis_pid=859&#038;lippis_fil=_dublin_ohio_cisco_case_study.pdf" class="pdflink">White Paper</a></div>
<p>NAC provides a level of control around users and devices based upon access policy.  NAC, governed by access policy, verifies who the users are and what kind of devices they bring to the network.  To accomplish this, a complete NAC solution should cover the following four functional areas:</p>
<p><b>Authentication plus Authorization:</b>  This function enforces authorization policies and privileges and supports multiple user roles such as guest, accountant, consultant, board member, assistant, etc. </p>
<p><b>Scanning plus Evaluation:</b>  This function provides an agent scan for required versions of hot-fixes, anti-virus, et al.  In addition to device scans, network scans for virus and worm infections plus port vulnerabilities are included here. </p>
<p><b>Quarantine plus Enforcement:</b> This important function isolates non-compliant devices from the rest of the network by either MAC or IP-based quarantine, effective at a per-user level. </p>
<p><b>Updating plus Remediation:</b>  This function provides network-based tools for vulnerability and threat remediation plus help-desk integration. </p>
<div class="pod_rel">
<p class="pod_p">Cisco Network Admission Control and Microsoft Network Access Protection Interoperability Architecture</p>
<p><a href="http://lippisreport.com/?lippis_pid=860&#038;lippis_fil=_WhitePaper-NAC-NAP-joint.pdf" class="pdflink">White Paper</a></div>
<p>Most of the established NAC vendors have all four functional areas covered, with some providers stronger in one area or another.  Some of the smaller NAC appliances focus on one or two of the above functional components.    For example, Lockdown Networks, who recently wound down their operations, was strong in Authentication plus Authorization and in Quarantine plus Enforcement but was weak in Scanning plus Evaluation and Updating plus Remediation.  When Microsoft finally brought NAP to market, Lockdown&#39;s value proposition became too weak to sustain its operations and it was forced to shut down.  ConSentry is similar but they also provide network-based enforcement via their own Ethernet switches and controllers, which has proved to be a good approach for them thus far.  They need a good scanning and remediation engine, however.  There are many NAC providers such as HP ProCurve with their NAC appliance sourced from StillSecure, CounterACT from ForeScout Technologies, Dynamic NAC Suite from InfoExpress, EasyNAC from NetClarity, EdgeWall from Vernier Networks, Juniper&#39;s Unified Access Control, Nortel&#39;s Secure Network Access and many others.  Here we focus on Cisco due to its size and efforts. </p>
<p><b>Cisco&#39;s NAC Portfolio  </b></p>
<p>Cisco defined and created the NAC market and it now has some 3,000 NAC customers.  Cisco started with an infrastructure-based approach and subsequently added the appliance-based approach.   Cisco and the market are now at a point where they are ready to combine the two sides together with what is called the &quot;NAC portfolio unification&quot;.    NAC portfolio unification is designed to take the appliance-based focus and infrastructure-based focus and make the best out of both worlds.</p>
<p>Cisco&#39;s NAC components are organized into three categories:  </p>
<p><b>Policy:</b>  The policy component is the largest category, including its NAC Manager, which delivers centralized management, configuration, reporting and policy store.  The NAC Server is tasked with posture assessment and enforcement.  Its Ruleset updates provide scheduled automatic rulesets for anti-virus, Microsoft hot-fixes, etc.  More on Ruleset updates below.  The NAC Profiler profiles unmanaged devices and applies policy based upon device type.  The NAC Guest Server is a full-featured guest provisioning server. </p>
<p><b>Optional End-point Client:</b>  Cisco offers a NAC Agent that is either persistent, meaning that it is permanent on the end-point or dissolvable, meaning that it dissolves after access is granted.  It also offers a web agent and 802.1x Supplicant.  There is no client cost for these end-points.  Another optional end-point component from Cisco is its Cisco Security Agent (CSA). CSA is a desktop application similar to either McAfee or Symantec, but it uses a different algorithm to mitigate threats.  Instead of relying on the static threat signature-based approach, CSA uses a behavioral approach.   It monitors the user and the system behavior to determine what mitigation actions should be taken.  </p>
<p><b>Communications:</b>  This is an important component as it provides network enforcement in routing and switching infrastructure and access policy for 802.1X termination and identity-based access control.  Providing the latter is Cisco&#39;s Access Control Server (ACS).  Look for more from Cisco in this area during 2008. </p>
<p>A few highlights on the above product portfolio.  While Cisco delivers on the above-mentioned four capabilities through its product set, it&#39;s particularly strong in quarantine and remediation plus policy configuration and management.  Cisco&#39;s remediation is strong due to automated threat update signatures and remediation enforcement support thanks to its Ruleset Update service.  There are two points here. </p>
<p>First, automated threat Ruleset Updates are built into the Cisco NAC appliance.   When IT deploys a Cisco NAC appliance, it periodically contacts Cisco, automatically pulling threat updates directly from a Cisco database which is updated every few hours.  Cisco NAC Manager downloads the Ruleset Updates from Cisco as it provides new vulnerability signatures, Microsoft updates, hot-fixes, etc., off-loading this task from the IT organization.<br />
Second, Cisco offers built-in enforcement support.  The Cisco database supports policies for over 350 applications including Microsoft hot-fixes, nearly all anti-virus vendors, and others. When IT accesses Cisco NAC Manager, they are presented with a comprehensive list of security updates.  If IT wishes to enforce any item on the list, all they need to do is point and click and the applications are updated during remediation.  This process stands out in the industry as the best remediation engine available.  </p>
<p>Its NAC manager allows IT to create and manage policies, an ability that also rises above other NAC providers.  Role-based access is defined in the NAC policy manager.  Cisco can easily place users into multiple groups depending on their initial job function, different network segments or both for example.  Single sign-on is particularly nice too.  When a user attempts to enter the network, they can perform a Windows logon and network/NAC sign-on at the same time as one process, independent of their access media, be it VPN, wireless, wired, etc.  </p>
<p><b>Cisco NAC Profiler and Guest Server </b></p>
<p>The NAC Profiler and NAC Guest Server are optional components to a Cisco NAC solution.  Cisco NAC Guest Server is a dedicated guest server where IT provides the initial configuration policy; then individual business units can tailor their guest or contractor access to their particular needs, which is very efficient. Cisco NAC Guest Server works with either Cisco NAC Appliance or Cisco wireless LAN controllers to manage the lifecycle of guest access, including account provisioning, user notification, access management and reporting. </p>
<p>The Cisco NAC Profiler identifies all end-point devices on the network including printers, scanners, network devices and mobile devices.  Manually profiling all of these devices, assigning policy and maintaining it is unrealistic and needs to be automated, which is what NAC Profiler does.  NAC Profiler combines end-point recognition technology with Cisco NAC to automatically profile and identify all end-point devices and create a policy to dynamically provide access, such as a printer category.  </p>
<p><b>Linking NAC Appliance and Infrastructure: A New Mode of Deployment Needed </b></p>
<p>To link NAC appliances with NAC infrastructure a more scalable deployment option is needed.  For example, Cisco NAC appliance supports two deployment options today.  One is called in-band and the other is out-of-band.  In-band mode is when the Cisco NAC Server is always in the data path.  Its benefits are that it&#39;s easy to deploy with highly reliable enforcement, as there are no other dependencies for enforcement.  Out-of-band is when Cisco NAC Server is used to control initial authentication and posture checking.  Once a device&#39;s posture passes conformance, data does not have to pass through Cisco NAC Server.  Enforcement is provided by another entity.  For most IT leaders, the choice between in-band/out-of-band is based upon the size of deployment.  If it&#39;s a simple and small-scale deployment, in-band is the better choice.  If it&#39;s large and a more extended infrastructure, then out-of-band is best for scale.   </p>
<p>But to leverage network infrastructure and NAC appliances a new mode of deployment is needed.  This new deployment option provides user authentication and device posture compliance status.  To process user authentication, 802.1X is the standard approach which should be used.   Device posture and end-point security policy compliance status would be the responsibility of a NAC Server.   Combining a NAC Server for assessing device posture with a RADIUS server system for 802.1X authentication enables a third deployment option that glues together NAC appliances and NAC infrastructure.   This provides a scalable way to deploy NAC and 802.1X authentication in large campus LAN environments.   End-points would be authenticated via an 802.1X server, then posture assessed via NAC Server, and have policy enforced by routing and switching infrastructure while providing a transparent experience to the end user.   </p>
<p>This third deployment option will be available in 2008 and will contribute to the spike many expect in NAC deployments.  NAC deployments around VPN, guest access, wireless, etc. will be linked together so that NAC not only surrounds a corporation but is mitigating threats within the campus too. </p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/07/special-edition-lippis-report-on-network-security-issue-3-scaling-nac-to-campus-lans/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Lippis Report Issue 109: Bad Economic Times Usher In Branch 2.0</title>
		<link>http://lippisreport.com/2008/07/lippis-report-issue-109-bad-economic-times-usher-in-branch-20/</link>
		<comments>http://lippisreport.com/2008/07/lippis-report-issue-109-bad-economic-times-usher-in-branch-20/#comments</comments>
		<pubDate>Mon, 14 Jul 2008 20:10:41 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/2008/07/14/lippis-report-issue-109-bad-economic-times-usher-in-branch-20/</guid>
		<description><![CDATA[<p>The global economic slowdown forecasted by economists and government agencies during the beginning of the year became real on March 7, 2008 when the Labor Department estimated that the nation lost 63,000 jobs in February.  Since then, job loss continued…</p>]]></description>
			<content:encoded><![CDATA[<p>The global economic slowdown forecasted by economists and government agencies during the beginning of the year became real on March 7, 2008 when the Labor Department estimated that the nation lost 63,000 jobs in February.  Since then, job loss continued to grow to nearly a half a million; Bear Stearns was sold to JP Morgan with help from the Federal Reserve; the housing mortgage crisis continued to brew while the drums of recession beat louder.   This slow march of bad economic news culminated in the worst stock market performance during June since the Great Depression. </p>
<p><span id="more-849"></span></p>
<p>But while the housing, auto, airline, financial and consumer markets are feeling pain, business spending on IT remains strong.  July 17th, just two days after this Lippis Report is published, will bring financial reporting from Cisco, Microsoft, IBM and many others.  Since none have pre-announced bad news, we expect that the 4th quarter is solid for IT.  In bad economic cycles during the 70s, 80s and 90s smart business and IT leaders invested in their business infrastructure to gain competitive advantage. It seems like business and IT leaders are doing the same this time around.  In this Lippis Report we introduce the &quot;Branch 2.0&quot; concept and show how savvy leaders are focusing on their branch offices and retail stores, using networks and communications to improve customer experience, grow revenues and lower total cost of ownership too. </p>
<p>Information Technology (IT) leaders are in a perpetual cycle of cost reduction and service creation with cost reduction being emphasized during difficult economic times.  During down markets cost reduction initiatives are obviously important, but so too is service creation as corporations respond and react to new market realities. During economic down cycles there tends to be a bifurcation along the lines of business leaders who choose to invest in improved customer experience and those who focus primarily on cost cutting.   </p>
<p>Case in point: Apple, Inc. continues to invest in its retail stores by improving the customer experience of the brand by using roaming sales representatives who can transact a purchase on the floor and email a customer&#39;s receipt versus having customers wait on lines.  Their genius bars are just that: the genius being that they provide service and support to customers in the store offering up- and cross-selling opportunities.  Apple does this and much more during a down market and is rewarded with over a 50% year over year unit growth in the first quarter of 2008, its best company performance. </p>
<p>Apple is not an isolated example.  There are broad economic and market forces which have motivated business and IT leaders to re-distribute human and capital assets away from headquarter facilities toward branch offices and retail stores. Getting closer to customers and delivering a common brand experience across on-line plus brick and mortar facilities is a dominant goal.  In fact, 62% of corporations have added new branch offices, accounting for an 11% year over year growth in their deployments according to a recent Nemertes Research study.  Further, the majority of new hires are now targeted to branch office staffing ranks. </p>
<p>Business leaders realize that harnessing the intellectual power of distributed workforces plays an important role in delivering customer value.  Value is created by connecting a distributed workforce to the customer and the retailer&#39;s core operations, essentially placing personalized branch expertise wherever the customer happens to be.  Personalized customer experience at branch offices offers new levels of top and bottom line success for retail businesses as Apple and other retailers demonstrate.  Communications innovation is at the heart of this value creation.</p>
<p>There are five dominant trends in branch offices and retail outlets:  </p>
<p>1) Improvement to the customer experience;</p>
<p>2) An increase in the number of brick and mortar facilities;</p>
<p>3) An increase in the number of personnel and resources focused on improved customer experience;</p>
<p>4) Unique value add to customer experience across on-line plus brick and mortar;</p>
<p>5) Communications and IT being central to branch office value creation. </p>
<p><strong>Constraints Holding Back Branch Office Success</strong></p>
<p>Retailing is one of the most competitive businesses in an economy.  With brick and mortar and on-line competition omnipresent retail executives are challenged to find competitive differentiation beyond price.  Customer loyalty is hard to gain and even harder to keep once acquired.  Customers want a good to excellent experience at every brand touch point, be it on-line, over the phone, in the store and during the use of products or services before and after the sale. </p>
<p>Retail business executives are measured on customer experience, revenue and productivity.  It&#39;s a challenge to find skilled employees and manage the high turnover rate typical for this industry.  These executives strive for simple and timely business reporting to improve operations and the top line.  Retail IT executives are expected to lower TCO while being integral to addressing the most pressing retail issues, those being customer brand loyalty and creation of an environment which delivers an excellent experience.  Branch office constraints are focused around the following five issues: </p>
<ul>
<li>Staff skill levels and training</li>
<li>Right here, right now customer transaction requirements</li>
<li>Broad lack of loyalty, thanks to increased competition</li>
<li>The inability to leverage a large number of branch offices to up- and cross-sell existing customers while gaining new ones</li>
<li>The inability to address customer demand for personalized and relevant brand interaction at every touch point be it on the web, call centers, on-line and particularly in branch</li>
</ul>
<h3>Branch 2.0 Mitigates Constraints And Their Effect on Corporate Performance</h3>
<p>The communications industry is driving new value in branch offices with Branch 2.0.  Branch 2.0 leverages communications and IT to increase customer experience.  IP telephony is the platform that enables a wide range of communications-based applications such as Unified Communications (UC) and Communications-Enabled Business Processes (CEBP) improvements. Business and IT leaders have a broader UC framework which extends beyond desktop and mobile phone communication launch points to a UC that is tied deep into business process, satisfying a competitive branch office business requirement. </p>
<p>Many business thought leaders are exploring how best to leverage their branch assets to up- and cross-sell customers while improving the branch office experience. These thought leaders are collectively thinking in terms of Branch 2.0, which from a real estate and staffing point of view is a smaller footprint but rich in IT.  For example, staff expertise is a critical factor limiting the number of products and services that can flow through retail stores.  To meet that end, intelligent IP video is an important attribute of Branch 2.0, assisting customers in selecting products or services that meet their needs out of hundreds of possibilities by linking a virtual expert into the sales process, and easing the localized staff expertise constraint of attempting to be an expert in hundreds of products and/or services.   </p>
<p>The definition of Branch 2.0 can be communicated by a set of attributes and services that IT and business leaders can exploit to create value in their branch networks and address the constraints mentioned above.  The following are Branch 2.0 attributes: </p>
<p><strong>Multi-Site Capabilities:</strong> Branch 2.0 architecture offers capabilities to leverage resources between and among multiple sites within the network.  </p>
<p><strong>Multiple Modes of Communications:</strong>  Branch 2.0 supports a wide range of communication options including mobility, IP video, Voice over Wi-Fi, SMS, E-mail, RFID, etc. </p>
<p><strong>Open, Flexible Architecture:</strong>  An open Branch 2.0 architecture is critical to scale a deployment and build upon that investment over a long period of time.  </p>
<p><strong>Presence:</strong>  Presence or the ability to identify the availability of a single person or group of people is one of the most important attributes of Branch 2.0.  </p>
<p><strong>Security and Business Continuity:</strong> Branch 2.0 requires that customer data in a communication-enabled application is protected.  Ensuring that interactions between applications and live communications remain available even in the event of disaster is also a Branch 2.0 attribute.   </p>
<p><strong>Role-Based Communications:</strong>  Branch 2.0 architectures offer the ability for IT leaders to mold and shape communications and application interactions to address unique user profiles.   </p>
<p>Over the next several months we&#39;ll build upon this Lippis Report Research Note to assist business and IT leaders with ideas and best practices that improve branch office and store performance through Branch 2.0 concepts. </p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/07/lippis-report-issue-109-bad-economic-times-usher-in-branch-20/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Lippis Report Issue 108: Siemens Enterprise Communications Close to a Deal</title>
		<link>http://lippisreport.com/2008/06/lippis-report-issue-108-siemens-enterprise-communications-close-to-a-deal/</link>
		<comments>http://lippisreport.com/2008/06/lippis-report-issue-108-siemens-enterprise-communications-close-to-a-deal/#comments</comments>
		<pubDate>Mon, 30 Jun 2008 20:03:48 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/2008/06/30/lippis-report-issue-108-siemens-enterprise-communications-close-to-a-deal/</guid>
		<description><![CDATA[<p>At the Siemens Enterprise Communications Analyst Conference in Vienna discussion of a deal that would consolidate the enterprise communications industry further was rampant. Thomas Zimmermann, COO and Gerhard Otterbach, CMO let the room full of analysts know that a deal…</p>]]></description>
			<content:encoded><![CDATA[
<p>At the Siemens Enterprise Communications Analyst Conference in Vienna discussion of a deal that would consolidate the enterprise communications industry further was rampant. Thomas Zimmermann, COO and Gerhard Otterbach, CMO let the room full of analysts know that a deal was close at hand and would be announced any day in the business press.  I had dinner with Thomas and a few other analysts high atop Vienna on a wine vineyard complete with a full moon rising over the city as the backdrop to an industry restructuring conversation. </p>
<p>Many believe that Siemens will either be acquired by Nortel or private equity firm Cerberus Capital.  We discussed the potential scenarios of Siemens being acquired by a competitor, software provider and financial sponsor to see which would be best for customers, partners and Siemens.  I&#39;m concerned that a competitor match up would not create additional value beyond the combination of the two firms.   </p>
<div class="pod_wide">
<p><img src="/wp-content/uploads/aj.jpg" width="55" height="70" alt="Ajay Kapoor" /><strong>Corporate Communication Strategies During Down Markets</strong></p>
<p><a href="http://lippisreport.com/?lippis_pid=829&#038;lippis_fil=kapoor_avaya_5_27_08.mp3">Listen to the Podcast</a></p>
</div>
<p><span id="more-839"></span></p>
<p>Consider if Nortel and Siemens do combine.  This combination makes sense from a market share point.  Nortel has a large share in North America while Siemens owns nearly 10% share of the US market for Enterprise Telephony according to Synergy Research Group and has a leadership position (nearly 20% share) of Western Europe&#39;s Enterprise Telephony market.  Over the past eighteen months Siemens has locked up German distribution channels to other competitors by signing deals with new indirect channel partners.  In short, a Nortel-Siemens deal would create a global provider of enterprise telephony solutions unmatched by any other provider.  Nortel will get a professional services group that it has started to rebuild after it announced ICA with Microsoft too.  There are a few concerns about this scenario.</p>
<p><strong>Product Transition:</strong>  Both Siemens and Nortel are transitioning their TDM PBX product lines to software and services-based solutions.  It&#39;s hard enough for one company to manage a massive product transition of their core products, but to manage two is a daunting task.  Thomas believes that since market share is nearly mutually exclusive, then each firm can transition their products at their own pace in their respective markets.  Overhead may be high during this transition period but it can be managed.</p>
<p><strong>Product Rationalization:</strong>  Both Siemens and Nortel are building and rolling out software-based communication solutions; these efforts would have to be rationalized, creating intense discussions between engineering, sales and marketing groups that could take eighteen to twenty-four months to sort out. </p>
<p><strong>Culture Management:</strong>  Managing product transitions and rationalizations while at the same time combining Canadian and German cultures is no small task.  As I have grown older, I have placed a larger weight on cultural differences between organizations because it is the environment in which one works.  The flow of the day, how managers talk with employees, how employees care for and talk with customers, the prioritization of product features are all derived from an organization&#39;s culture.  Culture management will be a huge task in this combination. </p>
<p><strong>Management Skill Level:</strong>  It&#39;s not clear that Nortel would be able to manage this combination.  If history predicts the future, Nortel did acquire Bay Networks back in the late 1990s for approximately $2B and successfully managed this purchase&#39;s value down to a $400M asset. </p>
<p>Most of the above issues would also be present if Nortel was replaced with Avaya or Alcatel-Lucent.  Alcatel-Lucent does now have experience in large merger management and their products are primarily service provider focused.  Avaya, while privately owned by two financial sponsors would have the same issues, but there are two wild cards here that could make them a better fit for Siemens.  First, Charlie Giancarlo, an expert at combining companies thanks to decades at Cisco, is now running Avaya.  As Avaya has been a private firm for nearly a year now, a three way financial sponsor of Silver Lake, TPG and Cerberus Capital creating a global enterprise communications concern would solve the management skill level and culture management issues. </p>
<p>I&#39;d like a software company such as Citrix to pick up Siemens. Citrix with its large market share in the thin client and collaboration market would gain value by Siemens&#39; OpenScape UC, offering both communications and a communications development platform for its customers.   This combination would accelerate Siemens&#39; transition to a software and services concern thanks to Citrix&#39;s knowledge and understanding of software licensing and distribution.  It would place Siemens in the middle of the collaboration market, expand Citrix&#39;s European market position, and provide Siemens instant access to a large developer community, all without the above issues, thus allowing Siemens to focus on value creation versus rationalization.  But the group did not view this option favorably at dinner.  In a few days we&#39;ll all find out if it was me or the others who were drinking too much wine while admiring the big orange moon over Vienna. </p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/06/lippis-report-issue-108-siemens-enterprise-communications-close-to-a-deal/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Special Edition Lippis Report on Network Security, Issue 2: Security Best Practices for PCI Compliance</title>
		<link>http://lippisreport.com/2008/06/special-edition-lippis-report-on-network-security-issue-2-managing-security-best-practices-for-pci-compliance/</link>
		<comments>http://lippisreport.com/2008/06/special-edition-lippis-report-on-network-security-issue-2-managing-security-best-practices-for-pci-compliance/#comments</comments>
		<pubDate>Mon, 16 Jun 2008 19:25:14 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/2008/06/16/special-edition-lippis-report-on-network-security-issue-2-managing-security-best-practices-for-pci-compliance/</guid>
		<description><![CDATA[<p>In this Lippis Report we offer industry best practices for Payment Card Industry Compliance (PCI) for the mid-market commercial corporation. We&#39;ll explain PCI benefits, the severe consequences of non-compliance enforced by the largest banks through fines plus increased transaction fees…</p>]]></description>
			<content:encoded><![CDATA[
<p>In this Lippis Report we offer industry best practices for Payment Card Industry Compliance (PCI) for the mid-market commercial corporation. We&#39;ll explain PCI benefits, the severe consequences of non-compliance enforced by the largest banks through fines plus increased transaction fees and how to avoid them. PCI is a big issue for all corporations that transact business with credit cards. According to industry sources, &quot;the average corporation under budgets PCI by 40%.&quot; Who needs to worry about PCI? Any corporation that handles credit card information in any of these three ways: 1) processes credit card information; 2) transmits it; and/or 3) stores it. If your corporation does any one of the three or all three you need to be PCI compliant. Penalties for non-compliance are severe and are enforced by banks such as Visa, MasterCard, American Express and others through fees plus increases in transaction cost. For the mid-market, a doubling of the transaction fee charged by banks for non-compliance will have a large negative impact on profit.</p>
<div class="pod_wide">
<p><img src="/wp-content/uploads/terry.jpg" width="55" height="70" alt="Terry Quinn-Andry" /><strong>Mid-Market Commercial Firms: Are You PCI Compliant?</strong></p>
<p><a href="http://lippisreport.com/?lippis_pid=816&#038;lippis_fil=kapoor_avaya_5_27_08.mp3">Listen to the Podcast</a></p>
</div>
<p><span id="more-827"></span></p>
<div class="pod_rel">
<p class="pod_p">PCI Solution for Retail Architecture</p>
<p><a href="http://lippisreport.com/?lippis_pid=826&#038;lippis_fil=RSA-Cisco_Partner_update_June_2008.ppt" class="pptlink">Presentation</a></div>
<p>The PCI Security Standards Council maintains the standard and certifications, but it is the large banks such as MasterCard, Visa, JCB, American Express, Discover, et al that enforce PCI by issuing fines and higher transaction fees for those in non-compliance. The two heavyweight banks behind PCI are Visa and MasterCard. The first thing to notice is that PCI is industry versus government regulated. It is a worldwide standard that protects credit card information and provides, in essence, the Good Housekeeping seal with which safe businesses conduct transactions. But while PCI is worldwide, its standard varies between countries, with even Canada and US versions being extremely different. PCI applies to nearly every industry in the world economy. Any business that processes, transmits and/or stores cardholder data needs to be PCI compliant and the deadline for mandatory compliance of its Data Security Standard (DSS) version 1.2 &#8212; October 2008 &#8212; is fast approaching. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.</p>
<p><strong>Merchant Levels</strong></p>
<div class="pod_rel">
<p class="pod_p">PCI Currents: Staying Afloat</p>
<p><a href="http://lippisreport.com/?lippis_pid=825&#038;lippis_fil=PCI_Currents_Staying_Afloat.pdf" class="pptlink">Presentation</a></div>
<p>VISA categorizes US merchants into levels. Level 1 merchants are big firms that process 6 million or more transactions per year while Level 2 processes between 1 and 6 million transactions, Level 3 processes between 20k and 1 million transactions and Level 4 is everyone else. The PCI Security Standards Council issues updates to the standard that specify when a particular requirement must be met. For example, on June 30, 2008 the web application firewall requirement update will be considered best practice and becomes mandatory for corporations to either deploy a web application firewall or undergo a source code review of all web applications on a regular basis. Note that to date, less than 25% of Level 1 merchants are compliant. The other 75% have submitted an initial Report on Compliance. By September 30th 2008 Level 1 merchants need to be in compliance while Level 2 merchants have until December 30, 2008. Asia has until December of 2009 while Europe Level 2 and 3 have until December 31, 2008. Bottom line: the compliance deadlines are coming fast.</p>
<div class="pod_rel">
<p class="pod_p">Payment Card Industry Compliance</p>
<p><a href="http://lippisreport.com/?lippis_pid=822&#038;lippis_fil=PCI_Overview.pdf" class="pdflink">Get the White Paper</a></div>
<p>PCI industry deadlines are mandatory and if a corporation does not meet the requirement date then the bank can start issuing fines. This pressures business and industry to bring about change to adopt PCI. Pressure previously was placed on IT staff but they were placed between a rock and a hard place. Executive management was reluctant to appropriate budget to address the requirement. So the PCI community took the hard line approach of providing deadlines and for non-compliance estimated what fines would cost if the deadlines were not met. Overnight, PCI became a business level issue because the fines would subtract from profits, pushing PCI forward by a large degree. Executive management realizes that PCI and security are something they can&#39;t avoid any longer.</p>
<p><strong>What is PCI?</strong></p>
<div class="pod_rel">
<p class="pod_p">Data Retrieval Firm Boosts Productivity while Protecting Customer Data</p>
<p><a href="http://lippisreport.com/?lippis_pid=819&#038;lippis_fil=cisco_case_study_data_retrieval_firm_boosts_productivity.pdf" class="pdflink">Get the White Paper</a></div>
<p>The PCI data security standard is segmented into six categories with twelve requirements. They are:</p>
<p><strong>Build and Maintain a Secure Network:</strong> There are two requirements under this category: 1) Install and maintain a firewall configuration to protect data; and 2) Do not use vendor-supplied defaults for system passwords and other security parameters.</p>
<p><strong>Protect Cardholder Data:</strong> There are two requirements to comply with this category: 3) Protect stored data; and 4) Encrypt transmission of cardholder data and sensitive information across public networks.</p>
<p><strong>Maintain a Vulnerability Management Program:</strong> There are two requirements to comply with this category: 5) Use and regularly update anti-virus software; and 6) Develop and maintain secure systems and applications.</p>
<p><strong>Implement Strong Access Control Measures:</strong> To satisfy this PCI category there are three requirements: 7) Restrict access to data by business on a need-to-know basis; 8) Assign a unique ID to each person with computer access; and 9) Restrict physical access to cardholder data.</p>
<p><strong>Regularly Monitor and Test Networks:</strong> Two requirements ensure that merchants regularly monitor and test their networks: 10) Track and monitor all access to network resources and cardholder data; and 11) Regularly test security systems and processes.</p>
<p><strong>Maintain an Information Security Policy:</strong> There is one requirement to satisfy the security policy category: 12) Maintain a policy that addresses information security.</p>
<div class="pod_rel">
<p class="pod_p">Accor North America</p>
<p><a href="http://lippisreport.com/?lippis_pid=817&#038;lippis_fil=rsa_accor_NA_case_study.pdf" class="pdflink">Get the White Paper</a></div>
<p>While the above provide six categories and 12 &quot;headline&quot; requirements, there are over 200 actual requirements when one dives into the PCI standard. PCI specifies in detail a large range of security IT. PCI covers anti-virus, firewall, AAA, IPS, disk encryption, web application firewall, etc. PCI spans all these security technologies and more. There isn&#39;t any security technology left out of PCI. PCI was developed by some of the best IT security minds in the world and just this one fact makes PCI the foundation of what a security best practice should be. Not that PCI is the end game for IT defense; compliance like anything is the lowest common denominator, but PCI delivers a solid foundation of security best practices that at least defines the first baseline for corporations to meet as PCI specifies mandatory deployment of security IT.</p>
<p>For example, the PCI Security Standards Council may issue a page and a half explaining firewall settings that a corporation needs to deploy which may include ingress and egress, stateful firewalls, etc. For wireless deployments, corporations are required to implement a stateful firewall in between wireless AP and card data. PCI details the security IT deployment required and while the standard may be 17 pages long, it&#39;s written in English, providing more guidance than any other government compliance regulation.</p>
<p>The PCI standard is a living standard. There is a large PCI standard revision due out in October 2008. PCI was first published in January 2005, and was updated September of 2006, with significant changes to support WLANs. PCI is not a standard that is implemented and then forgotten; it will be with businesses for as long as transactions are conducted with credit and debit cards and scanners.</p>
<p><strong>Compliance Validation</strong></p>
<div class="pod_rel">
<p class="pod_p">Mid-Market Commercial Firms: Are You PCI Compliant?</p>
<p><a href="http://lippisreport.com/?lippis_pid=816&#038;lippis_fil=kapoor_avaya_5_27_08.mp3" class="podlink">Get the Podcast</a></div>
<p>The PCI Security Standards Council (SSC) requires validation of compliance. Each of the above mentioned merchant levels is to meet the same 12 PCI requirements, but how compliance is validated differs. For example, a Level 1 merchant is required to have an annual onsite PCI data security assessment conducted by a PCI Qualified Security Assessor (QSA) from an independent company. Level 1 merchants also need to conduct quarterly network scans. Levels two through four are required to conduct quarterly network scans and annual self-assessments. While it is not mandatory for Level two through four merchants to conduct an onsite audit, it is highly recommended that they do so to ensure compliance, assess vulnerabilities and avoid fines. At a minimum, Level two through four merchants have to conduct a quarterly network scan performed by a scanning vendor, which is called an Approved Scan Vendor (ASV).</p>
<p>The PCI SSC is responsible for training and certifying QSA and ASV individuals and firms. QSAs and ASVs have to pass a certification program to perform audits and scans. For PCI to work, the division of labor is that the PCI SSC defines and maintains the standard and trains and certifies QSAs and ASVs, while banks enforce PCI.</p>
<p><strong>Getting into Compliance</strong></p>
<p>As PCI details specific security IT solutions, all vendors of such products and services have offered PCI programs. As a network scan is required for all firms, networking vendors are in a particularly influential PCI position. Some networking concerns such as Cisco have developed a PCI validated architecture and a services group to perform vulnerability identification, gap analysis and solution suggestions. Cisco is also a participating organization on the PCI council.</p>
<p>PCI can be a tricky standard. The standard itself is written in English and fairly easy to understand. Then the standard needs to be translated into security products with specific configurations to defend transaction data and be PCI compliant. The translation from English to device selection and configuration is left to interpretation. To address this, Cisco has developed a PCI validated architecture.</p>
<p><strong>Cisco PCI Validated Architecture</strong></p>
<p>Cisco built an architecture made up of three remote location scenarios, an Internet edge where E-commerce is conducted and data center which offers a best practice for PCI validation. The security and wireless architecture was developed according to the spirit of PCI and in many cases went above PCI keeping with security best practices. Cisco used partners as no single company can address all PCI requirements. Cisco&#39;s PCI validated architecture includes point of sale, application servers, wireless devices, internet connection, security systems, etc. with retail partners such as IBM, Wincor Nixdorf, NCR, Intermec, VeriFone and others. RSA provides key management, factor authentication and encryption. Once the PCI validated architecture was built, Cybertrust performed an audit on the technology components of the standard to validate compliance. The approach in which Cisco has deployed the technology in the architecture meets PCI requirements. Cisco and its partners offer a PCI guide of how best to deploy security technology, configure devices, monitor systems and implement authentication management to meet PCI compliance.</p>
<p>Merchants can use the architecture as a guide to review security device selection, placement, configuration, etc. The Cisco PCI solution for retail is an end-to-end architecture that includes firewalls, IPS, CSA, server access, web application firewall, VPN, wireless LANs, Ethernet switching and routing, a wide range of retail end-points, transport options, etc. This architecture provides views of a retail store, data center, server access, internet edge, storage and remote access for partners, customers and teleworkers.</p>
<p>What you find with PCI is that compliance with its twelve recommendations means that a merchant needs to distribute security technology throughout their enterprise. This includes remote locations, internet edge, main offices and network management center(s). PCI forces merchants to view IT security from a holistic consistent approach rather than a box-by-box or requirement-by-requirement knee-jerk reaction to threat mitigation. The piecemeal approach will not work.</p>
<p><strong>Small Private Firms Need To Be PCI Compliant Too</strong></p>
<p>One thing to keep in mind is that PCI is not a big company issue. It&#39;s systemic through the economy and is required for all firms that process credit card information. Small firms need to be PCI compliant too, even private family owned companies such as restaurants. While this may be a burden for smaller firms, and many will be reluctant to invest in PCI compliance, unfortunately they simply no longer have a choice. But putting this into perspective, smaller firms will have the same requirements, but their spend will be much smaller than larger firms as the more complex a business is the more it tends to cost to secure.</p>
<p>Smaller firms may be more vulnerable too, especially privately owned firms, as compliance has never been important to them. Typically small commercial enterprises haven&#39;t had to participate in Sarbanes-Oxley or other government regulations. Their security concerns have been primarily physical security and theft.</p>
<p>PCI is increasingly important to the healthcare industry too as their business is changing. Patients pay their insurance co-pay with credit cards and at times their entire medical bill. Many healthcare institutions are requiring self-registration versus the typical interview process that occurs during hospital admittance. These two processes and others are pulling the healthcare industry into PCI.</p>
<p><strong>Recommendations</strong></p>
<p>We provide the following recommendations for those responsible for PCI compliance within commercial establishments.</p>
<p><strong>Systems Approach:</strong> Think in terms of a holistic and distributed approach to security versus a box-by-box or requirement-by-requirement approach.</p>
<p><strong>All Should Do Audits:</strong> Level 2 through 4 firms should perform audits at least twice a year and scan their networks once a quarter, as required. Even if your firm does not support WLANs, you still have to scan for APs to ensure that there are no network breaches. Audits and scans should mitigate this potential breach and others.</p>
<p><strong>Security Gap Analysis:</strong> Perform a PCI security gap analysis to identify vulnerabilities before the audit so that either a remediation analysis can be performed to gain compliance or to ensure that your firm is compliant. Consider an annual gap analysis as firms are required to re-certify PCI compliance every year.</p>
<p><strong>Quarterly Health Check:</strong> Consider a quarterly health check to ensure configuration changes made during the quarter do not change conformance status. If a breach occurs and the firm was not in compliance when it occurred, a bank will start its fines back to the time of the breach. It&#39;s important to document that the firm is in compliance at regular intervals of time to demonstrate compliance if a breach event occurs.</p>
<p><strong>Auditor With Security Competence:</strong> Consider PCI auditors who started off as a security practice first, and then decided to enter into auditing, as they will possess the competency to analyze security systems and work with you to address shortfalls. Beware: there are many auditors that started auditing without security practice experience. These auditors usually are equipped with a checklist rather than competence. These are usually the auditors that inform management of a need for ten different products to meet all of the checklist requirements when in reality a single device may be all that&#39;s required.</p>
<p>When it comes down to it, PCI is about protecting customers and customer information. Being PCI compliant signals to customers that the establishment cares enough to protect customer privacy. This in turn protects the establishment&#39;s reputation and signals to customers that they are conducting business with a safe establishment. PCI is good for building brand, customer loyalty and improved customer experience.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/06/special-edition-lippis-report-on-network-security-issue-2-managing-security-best-practices-for-pci-compliance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Lippis Report Issue 107: Cisco Puts in Motion A New Mobility Plan and Ecosystem</title>
		<link>http://lippisreport.com/2008/06/lippis-report-issue-107-cisco-puts-in-motion-a-new-mobility-plan-and-ecosystem/</link>
		<comments>http://lippisreport.com/2008/06/lippis-report-issue-107-cisco-puts-in-motion-a-new-mobility-plan-and-ecosystem/#comments</comments>
		<pubDate>Tue, 03 Jun 2008 00:02:12 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Enterprise Mobility]]></category>
		<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/2008/06/02/lippis-report-issue-107-cisco-puts-in-motion-a-new-mobility-plan-and-ecosystem/</guid>
		<description><![CDATA[<p>The Cisco mobility group has always had the broadest view and product portfolio for mobility solutions.  Their definition of mobility expands beyond wireless LANs to include cellular, VPNs, and location services.  But last week the Cisco mobility group elevated their…</p>]]></description>
			<content:encoded><![CDATA[
<p>The Cisco mobility group has always had the broadest view and product portfolio for mobility solutions.  Their definition of mobility expands beyond wireless LANs to include cellular, VPNs, and location services.  But last week the Cisco mobility group elevated their value proposition beyond physical and geographic independent networked computing with the launch of Cisco Motion.  Cisco Motion offers the broadest technical and business architecture for mobile networks and communications positioning Cisco far from its smaller WLAN competitors such as Aruba, Meru, Trapeze, et al. </p>
<p>Cisco Motion is yet another example of how Cisco is pivoting its value position to compete for a larger share of IT budgets.  With the Network as a Business Platform initiative Cisco is blurring the boundary between computing, communications and networking.  Cisco now offers Linux and Windows platforms within its Integrated Services Router (ISR) and Wide Area Application Services (WAAS) products.  In the ISR its Application eXtension Platform offers a technical and business architecture for partners creating an ecosystem and value creation around its branch office offerings.  The Workspace Ready Networks initiative from its unified communications group links communications and networks together so that collaboration takes place independent of workspace.  Its Vframe and Nexus data center orchestration and switch products offer a new approach to data center design that eliminates the old boundaries between computing, applications, networking and storage.  Cisco Motion offers a new organizing principle for mobile computing and communications, which connects disparate mobile technologies while offering developers both a technical architecture to build value and business architecture to generate revenues. </p>
<p>There is no doubt that Cisco is increasingly going head-to-head with Microsoft and HP in particular as they seek to gain a larger share of IT budgets.  Clearly Cisco has in-segment competitors, which it focuses on, but the real initiatives are engaging business and IT leaders to demonstrate the power of value creation through the network as a core business platform.  To that end, Cisco Motion sets Cisco apart from its in-segment competitors such as Aruba, Meru, Trapeze, etc., and engages business and IT leaders with an approach to mobility that includes the following.<br />
The Cisco Motion initiative seeks to: </p>
<p><strong>Unify disparate networks</strong> thus allowing mobile applications to be extended to end-points. </p>
<p><strong>Enable end-point choice</strong> by being agnostic to various mobile clients while in the process securing and managing devices via centralized client provisioning. </p>
<p><strong>Facilitate Collaboration</strong> by using the network to select the appropriate communications media (voice, IM, Video, or a combination thereof) to deliver end-point appropriate collaboration services. </p>
<p><strong>Open Mobility Applications</strong> by delivering an open API for ISVs to inject innovation and value creation addressing line of business and/or corporate requirements. </p>
<p>To deliver on the above goals Cisco Motion needs a deep technical architecture.  It delivers on that by providing common access to disparate wireless networks and clients through a set of open source protocols, an open API (XML/SOAP) and its Mobility Services Engine (MSE).  Cisco Motion includes all versions of 802.11 as well as cellular/WiMax, Zigbee for wireless control of everyday devices and instrumentation, Ultra-Wideband (UWB) for short wireless gigabit links and Radio-frequency identification (RFID) for supply chain management and sensor network applications.  Access to these networks is via unified wireless network controllers, which in turn connect disparate wireless networks via a set of open source protocols.<br />
Applications such as conferencing, presence, inventory management, assembly line monitoring, CRM, email, search, et al are presented with a set of mobility services, which increase their access to the above mentioned wireless networks.  Mobility services such as context aware, adaptive wireless IPS, secure client manager, mobile intelligent roaming, voice, guest access, spectrum intelligence, et al, are delivered to applications via Cisco&#39;s MSE.  MSE provides an open API (XML/SOAP based) for developers, which is Cisco&#39;s innovation injection and value creation point of entry for partners. </p>
<p>Central to Cisco Mobility is the Cisco Mobility Services Engine (MSE).  The 3300 Series MSE is an appliance-based platform that integrates with WLAN Controller and Cisco Wireless Control System (WCS).  The 3300 Series MSE provides a common framework for multiple services easing deployment and efficient allocation of capital spend. An abstraction layer based upon Network Mobility Services Protocol (NMSP) and the Control and Provisioning of Wireless Access Points (CAPWAP) allows transport and applications to evolve at their own separate pace.   </p>
<p>As MSE is central to Cisco Mobility it is the basis for the Cisco ecosystem of application partners where Cisco hopes to accelerate development and deployment of customized solutions for customers.  As mentioned above MSE provides a range of mobility services to applications.  Today MSE provides four services in its software suite.  These include: 1) Context Aware which optimizes business process with context such as location and telemetry; 2) Adaptive Wireless IPS to mitigate wireless threats with integrated intrusion protection; 3) Secure Client Manager to simplify device provisioning and management for the wave of new mobile devices; and 4) Mobile Intelligent Roaming to deliver handoff for mobility applications across public and private networks. </p>
<p>Delivering a platform is only 10% of a solution; the other 90% comes from an ecosystem of partners.  The Cisco Motion ecosystem includes business application partners such as Oracle, Philips, AeroScout, PanGo, airetrak, Intellidot, Oat, et al.  Client or end-point partners include AeroScout, Nokia, PanGo, Intel and airetrak.   </p>
<p>Cisco gets credit for delivering the most comprehensive vision plus technical and business architecture for mobility services in Cisco Motion.  MSE offers a great rallying point for Cisco partners and the creation of an ecosystem, but it needs to expand both the number of partners and services delivered to applications via MSE.  Cisco also has to remain competitive with its in-segment competitors while offering great application integration value to business and IT leaders. As the WLAN market transitions to 802.11n and meshing, network technology will gain the spotlight, and Cisco needs to keep up with that while increasing its application value proposition through Cisco Motion.  This is a tricky balance, but it&#39;s a task Cisco has done so well with previous initiatives.<br />
While Cisco continues to put the technical pieces together to deliver the network as the business platform, it needs to do a better job at organizing, growing and galvanizing its Cisco Developers Network (CDN) to offer business and IT leaders thought-leading networked-based application solutions.  Cisco Motion is a good step in that direction.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/06/lippis-report-issue-107-cisco-puts-in-motion-a-new-mobility-plan-and-ecosystem/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Special Edition Lippis Report on Network Security, Issue 1: Network Security 2.0: A Systems Approach to Threat Mitigation Emerges</title>
		<link>http://lippisreport.com/2008/05/special-edition-lippis-report-on-network-security-issue-1-network-security-20-a-systems-approach-to-threat-mitigation-emerges/</link>
		<comments>http://lippisreport.com/2008/05/special-edition-lippis-report-on-network-security-issue-1-network-security-20-a-systems-approach-to-threat-mitigation-emerges/#comments</comments>
		<pubDate>Tue, 27 May 2008 17:29:07 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/2008/05/27/special-edition-lippis-report-on-network-security-issue-1-network-security-20-a-systems-approach-to-threat-mitigation-emerges/</guid>
		<description><![CDATA[<p>The conventional wisdom in IT threat mitigation is to build a layered &#34;defense in-depth&#34; approach with security technology such as firewalls, IPS, network access control, anti-x client software, alarm aggregation and event correlation, etc.  And while the layered approach to…</p>]]></description>
			<content:encoded><![CDATA[
<p>The conventional wisdom in IT threat mitigation is to build a layered &quot;defense in-depth&quot; approach with security technology such as firewalls, IPS, network access control, anti-x client software, alarm aggregation and event correlation, etc.  And while the layered approach to defense is a useful threat mitigation strategy, the threat landscape has changed, forcing conventional wisdom to shift toward a systems approach to protecting corporate assets. </p>
<p>The traditional layered approach was built upon deploying best-of-breed products, which were best-of-breed only until other products emerged and relegated them to either stand-alone appliances and/or loosely coupled security silos such as the linking of IPS and firewall devices.  The systems approach builds upon this IT security investment by wrapping it with System Management for policy, reputation and identity that transcend end-points, networks, content and application security.  The systems approach promises to: </p>
<ol>
<li>Enforce business policies and protect critical assets</li>
<li>Decrease IT/secops administration burden and reduce TCO</li>
<li>Reduce IT security and compliance risk</li>
<li>Protect corporations from new pervasive threats</li>
</ol>
<p><strong>Complex World With A New Threat Landscape </strong></p>
<p>We conduct business in a complex and ever-connected world.  New applications such as unified communications, collaboration and conferencing drive deeper levels of engagement between employees, partners, suppliers and customers.  Mobile and nomadic workers connect to their business network from any geographic point on the planet. Web 2.0 applications enable new combinations of dissimilar content and communications, which were once separate, to offer new ways to communicate and connect.  All these trends are wonderful new economic productivity advances but they also create a new set of security threats and challenges. </p>
<p><strong>Net Security 2.0: What Are The New Threats? </strong></p>
<p>Network Security 1.0 threats infected the communication and collaboration tools dominant at the time (email, IM, the web and infrastructure) with exploits such as malware, worms and viruses.  Hackers attacked using these communication tools to cause damage, so IT leaders built a perimeter defense with firewall and IPS network security technology. But hackers were able to bypass perimeter defense by targeting employee behavior: using IM and email, visiting websites or using other applications, all of which became a great target for hackers to attack with spam, malware, etc.  In short, hackers found new ways to target behavior and circumvent firewall policies and rules, reducing the perimeter&#39;s defensive strength.  Thus Network Security 2.0 was born. </p>
<p>Hackers have matured well beyond thrill-seeking mischief to cyber-crime, which is the basis of the new threat landscape called Network Security 2.0.  Clearly, organized on-line crime groups are profit-driven and motivated to cash in on their exploits.  On-line crime groups seek ways to access corporate databases rich in identity, social security and/or credit card information and either sell or mine this information.  Other on-line crime groups seek to run a service bureau by building a large botnet to send spam or engage in other illegal activities.  </p>
<p>From a corporate perspective the main IT security concern is loss of data and data theft, as this damages corporate brand and complicates business relationships with customers, partners and suppliers, not to mention regulatory and legislative consequences.   For business leaders, data loss and theft is a lose-lose scenario since executives are obligated to communicate a breach to their customers and government officials in the most public of arenas even if they only think or assume a data loss has occurred. Even if the data loss is not maliciously used, the board of directors (BoD) is required to communicate the loss via mass media, which creates the same risk as if the data loss is actually used maliciously.  At times the lack of malicious use can be worse for corporations as customers are left wondering when their identity will be stolen thanks to the breach.   </p>
<p>Because of the new type of brand and reputation threat environment that is associated with Network Security 2.0, network security is now a high-level business issue.  Business and IT leaders have responded with risk management and in particular IT risk management positions, which focus on defense, compliance and security management and which are funded through compliance and departmental budgets appropriated at the board level.  In particular the payment card industry (PCI) projects, which refers to the Payment Card Industry Security Standards Council, are BoD top-down projects which dictate specific network security requirements to safeguard debit, credit, ATM, POS, confidential information, et al. </p>
<p>Most boards around the globe are worried about compliance, PCI compliance in particular, data loss and theft and they are asking their IT and business leaders what are we doing to defend against these exploits and be compliant?  What are our policies, what technologies do we have in place or need to acquire to build up our defenses against malware, spyware, botnets or something inside our corporation potentially contributing to data leakage or non-compliance?   </p>
<p>What&#39;s different about Network Security 2.0 is that the defenses of the year 2000 era will no longer work.  In early 2000 if a corporation was infected with an Internet worm propagating through its network, IT could simply buy an IPS with good signature coverage, deploy it, and it would block the worm and the problem went away.   There are multiple Network Security 2.0 threats with embedded policy to circumvent single-purpose defenses such as firewalls, spam filters, IPS devices, etc.  To defend against &quot;smart threats&quot; the totality of network security devices needs to work together.  To defend against smart threats or exploits a systems approach to security that builds upon prior investments of layered defense security is required.  In short, an orchestration function is needed that uses the defense intelligence already in the network to mitigate against this new class of threats. </p>
<p><strong>Systems Approach To IT Security </strong></p>
<p>End-point, network, content and application security are the four architectural components to the systems approach of network security.   Each of these components is part of a layered security defense.  End-points are protected with anti-x software.  Networks are defended with firewalls, IPS, NBAD, NAC and NAP security technology.  The network needs to be defended at the protocol level to look deep into flows for anomalous behavior and act upon it.   </p>
<p>Content security is a new and emerging threat defense approach, which protects users from content in email, web sites, IM etc., as it&#39;s the content flow that can be the threat needing mitigation.  New email servers come on line and go away very rapidly, as do web servers that host malware.  This requires a reputation-based defense approach versus one based on signature, and the ability to respond to a very large number of variants since the attacks are often very targeted, yet changing rapidly based on environments.  This requires the capability to address many different unique attacks, as each attack is different.  Gone are the days of widespread, single-pattern attacks like NIMDA, being replaced with varying attacks with policy affording them to change to defeat defenses. These collaboration application attacks come from email, web, IM or other emerging communication applications.  With the attacker now relying on users to propagate attacks, versus self-propagating, content security focuses on inspecting the content to protect users from actions that may fuel a successful attack. </p>
<p>Applications and the data they access are forecast to be the next target attackers go after.  With more and more Web 2.0 and SOA/Web Services enabled in organizations, attackers are expected to target these applications, especially given the customer information, business data and intellectual property that resides there.   </p>
<p>The systems approach is focused on orchestrating these existing threat defense technologies to work together as a system much like Tivoli does for IT.  To achieve this, system management capabilities tie all four components together via policy, reputation, services and identity.  System management can push common policy across all four components.   Products such as Cisco&#39;s MARS 6.0 aggregate alarm information, creating correlated events and delivering either automated or actionable remediation suggestions to network operations.  These security alarm aggregation and event correlation security products upload alarm information from each of the above four components and correlate the data, providing scenarios of possible threats in the network, and then proactively either address a policy or respond to a threat.<br />
The systems approach is based upon exploiting &quot;best-of-breed&quot; security products already implemented within a corporation but managing them via system management.  The systems approach enforces business policies across the four components and protects critical IT assets while decreasing IT operational burden and cost.  The end result is reduced security and compliance IT risk.  This approach frees security buyers from the dilemma of do I buy &quot;best-of-breed&quot; or build a systems approach to IT defense? </p>
<p><strong>Start-ups Can&#39;t Keep Up </strong></p>
<p>Every new wave of security threats has provided a market for start-ups to develop a best-of-breed product designed to mitigate that threat.  These firms are usually very good at engineering a defense to a particular threat but do not possess the resources to address the next wave of threats.  In short, these start-ups are in an arms race with attackers and as the attackers have evolved to on-line criminals equipped with large financial resources which outpace that of start-up budgets, the on-line criminals always win.   The result of this cycle is that best-of-breed-products by themselves are dead ends.  They become a stand-alone device/appliance such as a firewall, NBAD, IPS, NAC appliance etc or they attempt to expand their threat mitigation portfolio in a small number of areas via internal development or partner and build a loosely coupled security silo.  For example, 3Com&#39;s IPS Tipping Point partnership with Lancope&#39;s StealthWatch is a loosely coupled security silo of IPS and NBAD threat mitigation.  </p>
<p><strong>Mitigating Emerging Threats or Pervasive Threats? </strong></p>
<p>This is not to say that best-of-breed is bad.  But best-of-breed when implemented as part of a holistic system approach extends the life of these security products and improves the security posture of the company.  For example, consider Cisco.  Cisco offers a NAC appliance that is a best-of-breed product but to gain greater value from the NAC appliance it can become part of the systems approach, which allows the NAC appliance to work with other security products such as Cisco&#39;s TrustSec.  In a systems approach, the NAC appliance touches everything the network connects extending its diameter and usefulness.  For Cisco, their security strategy is to offer both best-of-breed products that can operate and migrate over time into a systems approach delivering greater value to customers.   For example, a Cisco customer may implement Cisco&#39;s IronPort, which may not be part of its common management framework, or Cisco Security Manager may not manage IronPort at day one, but it is a best-of-breed email security product that over time will become part of the systems approach.  In short, Cisco has developed a vision and strategy for a network security platform that places their customers on a journey. </p>
<p>Cisco promises that the security posture of this company will improve as they move through this journey.  For example, to provide data loss prevention (DLP), a customer can leverage their IronPort email security best-of-breed solution with CSA (Cisco Security Agent) capabilities, plus storage media encryption and put these best-of-breed solutions together as a system to deliver an effective DLP solution.  That&#39;s a systems approach built on best-of-breed products.  This approach increases the value of best-of-breed solutions, which excel at mitigating existing and near-term emerging threats, by extending them to provide a defense against pervasive threats such as DLP.<br />
Don&#39;t look to any standards bodies to define standard security interfaces or architecture.  The industry does not have such an organizing principle.  Business and IT leaders need to look toward large IT providers such as Cisco, EMC, IBM, HP, Microsoft et al to provide vision, a platform and partners to address these smart threats.  All the big IT providers are realizing that security is a common thread throughout IT and needs to be a part of an overall systems approach.  That&#39;s good because to defend against Network Security 2.0 exploits, a systems approach is needed.  Don&#39;t think of the systems approach as providing automated threat response by shutting down ports, IP address, subnets or changing ACLs.  Think in terms of an autonomic system to understand the new direction is system-wide threat defense. </p>
<p><strong>Autonomic Network Security </strong></p>
<p>The industry vision is to think in terms of an autonomic effect which increases over time as more and more of the four components are connected into the system approach.  As the four components start to work together under system management, the autonomic effect will increase.  This is much like the human nervous system, which automatically responds to sensors with actions the brain doesn&#39;t need to think about before they are taken.  For example, when a person places their hand on a hot stove, the nervous system automatically responds by telling the hand to get off the hot stove.  There is no thought needed.  Nor is there thought required for the immune system to mitigate a virus or infection or for the lungs to breathe air and the heart to beat.  These are autonomic systems.  This is the way that networks will start to behave as best-of-breed security products are plugged into the systems approach.  </p>
<p><strong>How to Start Building A Systems Approach to Network Security </strong></p>
<p>The beauty of the systems approach is that it builds upon existing defense infrastructure and does not require early retirement of existing security investments.  Cisco is leading this approach with investments in its MARS (Monitoring, Analysis, and Response System) and CSA products.  Existing customers of these products can start their deployment without the acquisition of new products.  Other large security and IT suppliers such as IBM, Microsoft, HP and CA will respond with offerings and an ecosystem of their own.  What will differentiate these solutions will be the particular company&#39;s strengths.  Microsoft&#39;s solution will be desktop and server-based while IBM and HP may be data center focused; CA could be application-based.  Cisco is the only firm that will be network-based and, with all IT assets connected via the network, it&#39;s a strong position from which to defend against threats. </p>
<p>Business and IT leaders need to make a systems management supplier decision.  Cisco&#39;s MARS is mentioned above, but there is also Q1 Labs&#39; QRadar, a security event management and correlation system which may evolve into a systems management system.  Nortel and Juniper partner with Q1 while Enterasys OEMs its system to provide its Dragon Security Command Console.  Independent of a feature set to deliver policy, reputation and identity, Nortel, Juniper and Enterasys lack the vision, platform, ecosystem and completeness of solution to realistically deliver a systems approach to network security.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/05/special-edition-lippis-report-on-network-security-issue-1-network-security-20-a-systems-approach-to-threat-mitigation-emerges/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Lippis Report Issue 106: Network Design Features Needed To Support IP Video</title>
		<link>http://lippisreport.com/2008/05/lippis-report-issue-106-network-design-features-needed-to-support-ip-video/</link>
		<comments>http://lippisreport.com/2008/05/lippis-report-issue-106-network-design-features-needed-to-support-ip-video/#comments</comments>
		<pubDate>Mon, 19 May 2008 19:50:35 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/2008/05/19/lippis-report-issue-106-network-design-features-needed-to-support-ip-video/</guid>
		<description><![CDATA[<p>There are multiple forms of IP video including real-time and non-real-time.  Non-real-time or stored IP video is increasingly searched and consumed via browsers, smartphone/iPhone plug-ins such as Apple&#39;s QuickTime or Microsoft&#39;s Windows Media Player.  As for real-time video applications, there…</p>]]></description>
			<content:encoded><![CDATA[
<p>There are multiple forms of IP video including real-time and non-real-time.  Non-real-time or stored IP video is increasingly searched and consumed via browsers, smartphone/iPhone plug-ins such as Apple&#39;s QuickTime or Microsoft&#39;s Windows Media Player.  As for real-time video applications, there are a range of business functions and usage scenarios which drive their use.  Business functions include corporate communications, customer and consumer communications and business operations.  Usage scenarios may include company messaging, team collaboration, training, marketing and advertising, collaboration support, presentation delivery, physical safety and security as well as sales and customer satisfaction.  To address these functions and scenarios the following IP video communication applications are often put to work: </p>
<p><span id="more-781"></span></p>
<p><strong>TelePresence</strong>:  A high-end video and audio experience delivered through a dedicated TelePresence conference room usually equipped with one to three 1080p plasma monitors, location-sensitive audio, comfortable office furniture and easy conference set-up, normally with the dialing of a number or the click of a TelePresence room from a list of available rooms. Typical bandwidth per session is approximately 15 Mbps. </p>
<p><strong>Video Conferencing</strong>:  Traditional videoconference rooms, but updated with IP-based LAN connections versus ISDN or T1.  Typical bandwidth per session is hundreds of kilobits per second. </p>
<p><strong>Digital Signage</strong>:  Used predominantly in the retail industry to educate customers and prospects about products and services. The content displayed on digital signage screens can range from simple text and still images to full-motion video, with or without audio.  Digital signage with real-time IP videoconferencing is increasingly available where customers in retail branch offices can discuss products and services with knowledgeable executives located in distant headquarters or regional facilities, increasing expertise and knowledgeable personnel in retail branch offices.  </p>
<p>Note that digital signage drives up campus IP video, as the source of the content distributed through retail and branch offices is in data centers and campus networks.  This content flows from campus networks out to branch offices.  Further, digital signage is also being deployed around campuses as business and IT leaders realize that it&#39;s easy to deploy signage around campuses and meeting rooms.  </p>
<p><strong>Desktop Video</strong>:  Predominantly a software solution with a webcam or higher quality video camera for personal IP videoconferencing, enabling collaboration and ad hoc communications.  Increased integration with Session Initiation Protocol (SIP), UC presence and directory plus low-cost high-definition cameras make this form of real-time video increasingly favorable to corporate users. Typical bandwidth per session is hundreds of Kbps to Mbps. </p>
<p><strong>Video Telephony</strong>:  Telephony-provided videoconference service, which leverages existing PBX or IP telephony platforms to deliver IP video service. Typical bandwidth per session is tens to hundreds of Kbps. </p>
<p><strong>IP Surveillance</strong>: An IP-based system of cameras configured, managed, viewed and controlled via stream management.  Cameras connect to the IP network via wired or wireless Ethernet, utilize Power over Ethernet (PoE) and may be motion-triggered. Typical bandwidth per session is hundreds of Kbps to Mbps. </p>
<p><strong>IP Video Contact Center</strong>:  Adding IP video to contact centers offers another level of customer experience.  Not only are corporations able to communicate with customers via live video, but certain population groups such as the hearing impaired can benefit significantly when IP video is added to contact center operations.  For example, offering the hearing impaired access to highly qualified sign language interpreters so they may communicate with their local authorities and other public sector organizations, as SignVideo has done in Britain, provides access for the hearing impaired not previously available.   </p>
<p><strong>IP Video On Demand</strong>:  The storage and retrieval of video streamed to end-points. </p>
<p><strong>IP Video Broadcast</strong>:  Used for real-time training and executive communications to a large percentage of employees simultaneously.  End-points are software-based allowing employees to view the broadcast at the desktop, laptop or on smartphone/iPhone. </p>
<p>The two dominant IP video applications corporations are consuming are on-demand training and videoconferencing.  This is where the bulk of IP video traffic stems from.  What&#39;s interesting about these applications is that they possess different traffic flows.  For example, an executive broadcast meeting spawns multicast sessions, establishing a major streaming event on the network where employees are logging into one source simultaneously.  Concurrently, IP video on-demand training usually spawns a unicast flow, which has different characteristics from broadcast.  Then there may be a series of IP videoconferencing sessions that spawn more multicast and/or unicast sessions.  All of this interactive traffic is latency critical and layered on top of existing voice and data traffic patterns, creating uncertainty as to scale, security and the network&#39;s ability to support the new load. </p>
<p><strong>IP Video&#39;s Impact on IT infrastructure</strong></p>
<p>Corporate operations are entering a period of video consumption never experienced before.  As mentioned above, IP video will enable a wide range of new video services to all employees, partners, suppliers and customers.  Some of the IP video applications discussed above will be procured from executive management while others will be line of business and even procured at the individual employee level.  Partners, suppliers and customers will require IP video links or the use of collaboration applications, which support IP video services.   Depending upon the actions of business and IT leaders, IP video can either be a destructive &quot;perfect storm&quot; or a benevolent wave of increased corporate productivity and expense reduction. </p>
<p>IP video will drive up demand for most IT infrastructure components.  Clearly increased network bandwidth will contribute to improved quality of the IP video experience.  But bandwidth alone will not be sufficient to prepare for IP video.   Congestion management and avoidance services need to keep voice, video and data logically separate to ensure application performance needs are met.  New network services which auto-configure network infrastructure devices need to support real-time IP video flows or communicate to users that network resources are not available for their requested video session(s).  Network access and security need to be assessed to ensure IP video recipients are authorized to receive video streams and view on-demand content while third parties are not intercepting video sessions.   IP video delivery will need to be wide, including desktops, laptops, IP phones and mobile end-points, to address most corporate and government needs.  Interoperability standards and approaches between vendor IP video offerings as well as between legacy, non-IP video and IP video services need to be included in an architectural approach to IP video planning.  Storage requirements will increase, as large video files are stored for on-demand consumption.  Planning for the above will treat IP video as a benevolent wave. </p>
<p><strong>Dangers Due to Lack of Planning </strong></p>
<p>If you&#39;re spending time planning to stop employees from watching YouTube, the NBA finals or tweaking TelePresence, then you&#39;re not planning for IP video and it will more than likely be a destructive perfect storm.  Much investment has been made in application and content delivery infrastructure within the enterprise and government markets to ensure application performance remains high.  Ignoring the IP video perfect storm will degrade and disrupt application performance and UC flows, and slow down business process at best. Without planning, some IT leaders may be forced to ban certain types of video applications in an effort to maintain existing application performance levels.  If the network does not scale, then IT leaders will be confronted with performance losses which will drive a knee-jerk reaction of unplanned and costly upgrades to meet increased network resource demands, creating the worst-case scenario: degraded application and business performance, an inability to support IP video applications and increased network cost.  In this scenario business and IT leaders run the risk of losing the productivity gains obtained through video success; that is, exploiting training, collaboration, corporate communication and all the other benefits identified above.<br />
Network and security planning are equally important to ensure IP video success.  If IT security practices do not control video access, then corporations run the risk of increased problems with intellectual property protection and compliance issues as well. Mr. Marcus Bost, CIO of Adena Health System, possessed the insight to scale up its corporate network and plan for IP video so that when TeleMedicine was ready, so too was <a href="http://lippisreport.com/2008/05/19/adena-health-system-gains-strategic-value-though-ip-video/">Adena Health System</a>.</p>
<p><strong>Corporate Networking Attributes To Support IP Video</strong> </p>
<p>The amount of exposure the business community has to IP video has grown tremendously over the last two to three years.  From the list of IP video applications above there is TelePresence on the high end and video on demand on the low end.  In between these two, there is surveillance, of which all campuses have some form and which is usually analog and isolated from the IP network.  But as surveillance is upgraded to IP, it can be integrated and collapsed into a single, intelligent IP network.  There is also a significant rise in digital signage, which is reasonably inexpensive, even if it&#39;s not broadly used.  The barrier of entry is low making it very easy to deploy a couple of signs, which allow many companies to afford experimenting with different applications.  In reality there are four main yet different types of IP video being used in businesses today: 1) videoconferencing; 2) on-demand; 3) IP surveillance; and 4) digital signage.   </p>
<p>Each of these video sources has different traffic pattern characteristics, which are mixed or overlaid on top of existing voice and business application traffic patterns.  In short, IP networks support UC flows, client-server flows, datacenter flows, web 2.0 and now an astonishingly large number of multicast and unicast traffic patterns, creating a matrix of logical flows within one physical IP network.  To scale, this new set of traffic dynamics needs to be managed and allocated differently than in the past.</p>
<p>Without the right network tools and services, network complexity will increase much more rapidly than the industry can manage.   The first challenge for IT leaders to address is developing a plan to control IP video to ensure that it doesn&#39;t overrun the enterprise network and to maintain the user experience.  In short, IT leaders need to manage and optimize flows. </p>
<p>To support IP video on corporate networks so that business may exploit its benefits and value, the enterprise networks need to possess the following attributes: </p>
<p><strong>Attribute One</strong>:  Ability to scale.  Corporate networks need to be able to scale up bandwidth in the edge, distribution, core and wide area.  With favorable LAN/WLAN and WAN bandwidth pricing and options, business and IT leaders will find actuating bandwidth scale a straightforward task.   </p>
<p><strong>Attribute Two</strong>:  Video Management.  Network infrastructure devices such as Ethernet switches, routers, WLAN controllers, access points, appliances, etc., need to offer management features to support IP video services residing on top of a converged network which offer visibility, monitoring and management of video flows so that network operations may modify configurations to optimize traffic flows. </p>
<p><strong>Attribute Three</strong>:  Video Availability. Network infrastructure needs to be highly available and its devices need to ensure IP video availability and controls to configure different quality of experience parameters. </p>
<p><strong>Attribute Four</strong>:  Isolating Video Streams.  The corporate network needs to be able to isolate video streams to authorized users and groups. Security on any network is important, but executive level communications adds more weight.  For IP surveillance, not all employees should have access to what&#39;s streaming through security cameras.  Therefore, separating and isolating video traffic through network virtualization technologies becomes an important tool.   </p>
<p><strong>Attribute Five</strong>:  IP Video Traffic Management.   The corporate network needs to be able to identify and properly prioritize IP video traffic streams without negatively impacting other network services and applications.  </p>
<p><strong>Attribute Six</strong>:  Secure IP Video. The corporate network needs to maintain privacy through transport encryption. </p>
<p><strong>Attribute Seven</strong>:  Media Independent and Aware IP Video. The corporate network needs to support multiple media options for the transport and delivery of IP video streams.  In particular, integrating IP video over wired, wireless and mobile networks is important, especially as WLAN and mobile end-points define the mobile enterprise, which will represent a growing share of total network end-points over the next several business cycles.   </p>
<p>Soon an intelligent network will be able to identify what type of device is connected to it; this is particularly important for wireless mobility.  For example, when a Wi-Fi phone is connected to the network, the network could identify that very low-resolution video is preferred as opposed to the high-definition video that would be streamed to a TelePresence room.  The networked platform over time will simplify what types of video assets are to be streamed to which people and which devices.<br />
The next Lippis Report on IP Video will detail how to develop an IP video architecture for your network with guidance around security, scale and optimization.  We&#39;ll end with some guiding principles.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/05/lippis-report-issue-106-network-design-features-needed-to-support-ip-video/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Lippis Report Issue 105: What I Learned At Interop</title>
		<link>http://lippisreport.com/2008/05/lippis-report-issue-105-what-i-learned-at-interop/</link>
		<comments>http://lippisreport.com/2008/05/lippis-report-issue-105-what-i-learned-at-interop/#comments</comments>
		<pubDate>Mon, 05 May 2008 21:01:49 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/2008/05/05/lippis-report-issue-105-what-i-learned-at-interop/</guid>
		<description><![CDATA[<p>The Interop expo and conference used to be an industry event where you got an industry snapshot and projected major trends for the year to come.  But the organizers diluted the event by adding the software2008 and CSI SX security…</p>]]></description>
			<content:encoded><![CDATA[
<p>The Interop expo and conference used to be an industry event where you got an industry snapshot and projected major trends for the year to come.  But the organizers diluted the event by adding the software2008 and CSI SX security conferences; plus they offered conferences within a conference such as their CIO Boot Camp, Energy Camp, the Unconference, et al. while piling on IT topics for the main Interop conference.  In all there were over 250 conference sessions on nearly every IT topic one could imagine or create, spread out over five days.  The exhibition floor attendance was about the same as last year +/- 10% at approx. 20,000 attendees.  With so much noise and very little signal at Interop, you had to ask what was the value of attending?  For me it&#39;s the one-on-one meetings.  This is what I walked away with from Interop. </p>
<p><span id="more-767"></span></p>
<p>1) <strong>Ports Are Dead:</strong>  In the networking business port counting has been the organizing principle used to calculate market share and assess which supplier was gaining and losing share.  Industry analysts would count every different type of port &#8211; 10MbE, 100MbE, 1GbE, 10GbE, switched ports, shared ports, layer 2 ports, layer 3 ports. You named it, they counted it.  But as the IT industry accelerates its pace of virtualization adoption, where a single large 10GbE port supports numerous logical ports and flows to a single blade running multiple virtual machines, the definition and meaning of ports will change to virtual ports. </p>
<p>2) <strong>Data Center Virtualization Shifts Networking Back Into Computing:</strong>  Over the past two and a half decades networking has been off-loaded from computing.  Many networking functions such as switching, routing, load balancing, caching etc were once done in computing systems as they ran applications.  The networking industry grew out of the segmentation or distribution of networking tasks to specialized devices such as switches, routers, firewall, load balancers, etc.  With the increased use of VM and other virtualization approaches, networking has been cycling back to computing.  This is most evident as tasks flow between virtual machines through a hypervisor.  When this occurs performance suffers and IT ops lose network visibility plus troubleshooting abilities.  Look for a new market in VM networking to emerge to solve this problem. </p>
<p>3) <strong>Virtualization Is Systemic:</strong>  While the industry has focused on data center virtualization and some networking suppliers communicate networking virtualization, it is clear that IT is being virtualized as evidenced by VM sprawl.  Virtualization delivers two main benefits: expanding single IT assets to be available to many or to manage/pool many IT assets as a single resource.  For example, a rack of blade servers can be managed as a single server.  An application can be virtualized so that its image is available as a logical entity on many servers, increasing its availability.  Storage area networks are virtualized in an attempt to more efficiently allocate compute storage, making storage available to many servers.  Certain aspects of networking have been virtualized for nearly ten years, such as Virtual Local Area Networks (VLANs), which divide broadcast domains to service many applications, thus increasing performance.<br />
What is becoming evident is that virtualization is redefining the boundaries between networks, applications and computing.  Virtualization will fundamentally change the IT industry as these boundaries are not just technology demarcations but industry boundaries impacting industry suppliers and IT organizational design.  While virtualization is taking place throughout IT, it&#39;s the data center that will show the way as to how the industry will change.  While we&#39;re in the data center, congratulations to Cisco on winning best of show for their Nexus 7000 Series. </p>
<p>4) <strong>The Application Delivery Market Shifts:</strong>  With Cisco outgrowing Riverbed in the network and application performance optimization market, plus Cisco winning best of show for their WAE 674 with WAAS v4.1 and Windows Server 2008, the market has clearly shifted from an appliance to a platform approach.  Zeus Kerravala of the Yankee Group and I predicted that this market would consolidate as single purpose appliances gave way to more vertically integrated devices, which provide security, UC, mobility, networking, and computing services to branch office operations.  The support of virtualization plus IP video is next with physical security IP video feeds flowing through these multi-functioned branch office devices.   </p>
<p>5) <strong>Transitional Model for UC Needed:</strong> I&#39;m having second thoughts on the wisdom of changing the name of IP telephony to unified communications or UC.  IP telephony was well understood, its economics and value proposition solid.  Then Microsoft entered the market and the industry broadly now refers to voice on an IP network as UC.  Now UC is not well understood; its economics and value proposition are a work in progress.  For example, transitioning from a TDM network to an IP telephony network provides 15 to 50% total cost of ownership reduction, depending on initial conditions.  UC is most often thought of as a single desktop/laptop launch point for a range of communications such as IM, voice, voice mail, videoconferencing, etc.  UC is one part of an IP telephony solution.<br />
Which brings me to the topic of a transitional deployment model needed for communications.  UC is being deployed as an overlay to an existing TDM and IP telephony network.  At a time when most corporations are scrutinizing expenses, UC, deployed as an overlay, increases operational cost while IP telephony reduces it.  To avoid this doubling up on operational spend, IT leaders should consider deploying a common SIP-based communications management device which can connect legacy TDM, IP telephony and UC clients to SIP and standard telephony trunking.  This SIP-based transition strategy will simplify operations as it provides a common connection platform for all IP and non-IP voice communications.  UC is not the end game in communications; it&#39;s a transitional technology to communications-enabled business processes (CEBP) and beyond.   </p>
<p>6) <strong>UC Expands to Mobile Workspace:</strong>  Many UC suppliers have announced Fixed Mobile Convergence (FMC) solutions which are the linking of fixed telephony end-points such as desktop phones and messaging with mobile devices; but a new level of functionality is emerging.  Cisco announced a relationship with Nokia to deliver what they call Mobile UC.  Mobile UC extends a professional&#39;s workspace from desktop/laptop to mobile smartphone by linking directory, presence, visual v-mail and ring management so that these communication services are common across fixed and mobile communication workspaces.  Also with the use of dual mode antennas in the Nokia series smartphones one can initiate and receive calls via Cisco Communications Manager when in a building while using the mobile network when out of WLAN range.  This announcement is the start of a new wave in UC that increases its usefulness to mobile devices, further improving both productivity and ROI. </p>
<p>7) <strong>The Intelligent Network Edge:</strong>  As WLAN mobility, UC, PoE, IP video, increased bandwidth needs and a host of other network services and requirements move to the edge of the network, wiring closet switches are being reviewed and replaced.  New wiring closet offerings from Foundry and Extreme Networks highlight the increased demand for a new intelligent network edge which supports WLAN APs, efficiently delivers PoE, supports IP video and is UC port smart to acknowledge IP phones and ease their configuration.  The change-out in wiring closet switches has started as many IT leaders now realize that they need to increase the intelligence of their network edge to support the above applications and to lower operational cost.  Many procured their edge network via the lowest cost provider, resulting in numerous suppliers, high operational cost and an inability to scale and support new corporate applications.  </p>
<p>8) <strong>IP Video Drives Convergence 2.0:</strong>  With the massive consumption of IP video on enterprise campus and WAN networks, a new wave of convergence is poised to occur.  With on-demand and videoconferencing IP video services doubling network traffic, IT and business leaders embrace convergence 2.0 which is the optimizing, scaling and securing of networks to support a host of IP video applications. </p>
<p>9) <strong>Green Networking:</strong>  The networking and communications industries do more to reduce greenhouse gases and carbon emissions than any other industry.  Communicating over large distances avoids travel while downloading documents, presentations and all forms of content avoids postal and express delivery.  But every industry can and must optimize its products, energy consumption and exhaust.  Green networking is primarily focused around efficient distribution of PoE, efficient power supply management of switches, routers and appliances and their associated cooling.  The largest opportunity for a big green impact is in data center networking which is where all suppliers focused their investments and efforts.  Foundry Networks was the winner of the Best of Interop Green Award for their green networking efforts in the data center. </p>
<p>When you add it all up, virtualization and communications continue to force a re-design in enterprise networking and IT in general. Virtualization, especially in the data center, and the integration of communications into an IP network, that being IP telephony and IP Video, are the two IT initiatives offering compelling ROI with reduced TCO plus increased functionality.  As a result counting network ports will become increasingly meaningless over the next business cycle; the network edge needs to be more intelligent; and to connect branch office networks to data centers the application delivery market needed to change; all of which is being done via green networking.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/05/lippis-report-issue-105-what-i-learned-at-interop/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Lippis Report Issue 104: Network Convergence 2.0: Is Your Network Ready for IP Video?</title>
		<link>http://lippisreport.com/2008/04/lippis-report-issue-104-network-convergence-20-is-your-network-ready-for-ip-video/</link>
		<comments>http://lippisreport.com/2008/04/lippis-report-issue-104-network-convergence-20-is-your-network-ready-for-ip-video/#comments</comments>
		<pubDate>Mon, 21 Apr 2008 21:27:38 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/2008/04/21/lippis-report-issue-104-network-convergence-20-is-your-network-ready-for-ip-video/</guid>
		<description><![CDATA[<p>IP video is usually discussed in the context of wide area communications or providing videoconferencing between distant sites.  But IP video is being massively consumed within office buildings and campuses.  The bulk of IP video traffic is generated from video…</p>]]></description>
			<content:encoded><![CDATA[
<p>IP video is usually discussed in the context of wide area communications or providing videoconferencing between distant sites.  But IP video is being massively consumed within office buildings and campuses.  The bulk of IP video traffic is generated from video on demand and videoconferencing applications.   IP video is a set of applications that are being layered on top of today&#39;s converged voice and data IP networks creating what we call &quot;converged networking 2.0&quot;.  IP video streams made up of multicast, unicast, one-to-one, one-to-many and many-to-many video flows are adding to an already large matrix of traffic patterns and logical networks, with unique requirements and attributes, which propagate throughout a converged network.   Converged networking 2.0 supports this new set of applications, creating a single IP network which supports voice, data and video. </p>
<p><span id="more-749"></span></p>
<p>This new set of network traffic can increase complexity and drive up operational and network capital cost if not planned.  Preparing a corporate network for IP video can be a daunting task, but it has to be confronted.  If the corporate IP video plan is to stop employees from watching YouTube or the NBA finals or simply tweaking TelePresence, then the scope of the problem and preparation is not sufficient and the IP video wave that is upon the industry will be a dangerous tsunami to the corporate network.  IP video offers a wide range of corporate value including economic and productivity advantages.  For many business and IT leaders IP video is an important component in their corporate Green, risk management and physical security and marketing strategies.  </p>
<p>When executives make network infrastructure acquisition decisions, they are making a long-term decision which has consequences for years to come.  Savvy business and IT leaders look to their peers, industry analysts and suppliers for guidance.   </p>
<h3>IP Video Market Drivers </h3>
<p>IP video services are being driven into corporate networks thanks to a wide range of value propositions.  Traditional corporate video services are conference room style arrangements with dedicated video equipment linking two or more rooms over some geographic distance.  To expand access to corporate video services, in the 1990s portable video equipment offered video conferencing on wheels, which turned any conference room into a videoconference facility.  This era of video conferencing systems utilized narrowband channelized wide area network (WAN) facilities such as ISDN or T1 for transport, which limited their video quality and usefulness as this equipment could only be used in rooms with these WAN facilities installed.  Further, conference scheduling, set-up and configuration was not intuitive and required dedicated operational staff, and thus expense.  Broadcast video services were also employed by many large corporations to disseminate education materials and executive addresses.  Most large corporations would purchase broadcast video services from a service provider to meet this need rather than build their own broadcast network.  Broadcast and videoconferencing services were not integrated; they were physically and logically separate networks and services from both each other and other corporate networks. </p>
<p>And yes, during the 1990s and into this century desktop video conferencing product experiments were introduced largely by PBX manufacturers, telecommunication firms and internet start-ups but these lacked video quality, ease of use and subsequently broad adoption. </p>
<p>The value proposition for these video services was mainly economic.  Reduced travel expense and increased productivity, thanks to travel time avoided and reduced time for decision making were often the value associated with video conferencing.  Broadcast video was unique in that it was the only alternative for an executive to address all employees scattered throughout a large geographic area, or to train sales professionals on a new product/service; but these needs were sporadic at best. </p>
<p>Video communications as an overlay service are too costly and cumbersome to be massively consumed in the enterprise market.  In point of fact, the video conferencing equipment market is a $1B plus market, one of the smallest in the networks and communications industries.  But video conferencing and in particular IP video is fundamentally changing access, usefulness and quality as IP video is layered on top of a converged network. </p>
<h3>Industry Poised For Massive Consumption of IP Video</h3>
<p>IP video is the enabler for a wide range of new video communication and collaboration services.  For example, over the past three years video conferencing has entered into the TelePresence era where video and audio quality is outstanding thanks to high-definition cameras, monitors and speakers while ease of use has been radically simplified.  In addition, TelePresence systems are IP video-based, which simplifies connectivity to the point of connecting into high speed LAN infrastructure.</p>
<h3>IP Video Value Proposition </h3>
<p>With IP video, video is another application residing within a converged network.  This offers unique and compelling advantages.  First, application developers are now able to program and control video as it&#39;s accessible through a common IP network framework.  This injects creativity and usefulness into the service.  Second, access to video is expanded to the full IP network diameter versus a point-to-point and/or multi-point overlay network enabling all forms of video, be it conferencing, broadcast, collaboration, physical security, on-demand storage and retrieval, etc. to all employees, partners, suppliers and even customers.<br />
Over the past several years there has been a large trend where internet-based consumer technology and services migrate into corporate IT operations.  WLANs, social networking, instant messaging, Voice over IP (VoIP), the Web 2.0 platform and many more migrated to the enterprise market and now IP video is undergoing the same transition.  The huge success of sites such as YouTube, and video conferencing included in VoIP and IM services such as iChat, GoogleTalk, Skype, AIM, MSN messenger, et al have created a tipping point where social acceptability of video communications and consumption is now in place, accepted and required.<br />
IP video&#39;s value proposition to business and IT leaders is multi-variable.  IP video is delivering the traditional economic and productivity advantages discussed above and more.  As energy costs rise, macroeconomic conditions worsen and airport travel security requirements consume more time spent per trip, IP videoconference benefits soar.  Further, the avoidance of travel and associated energy consumption contribute to a reduced corporate and personal carbon footprint.  Professionals now view video collaboration as a smart and respectful use of time and global resources.  In short, IP videoconferencing solutions are socially acceptable and preferred.  </p>
<p>In addition, IP video allows video content to be controlled and manipulated to deliver corporate value.  For example, IP video with click-to-conference capabilities within unified communication platforms enables ad hoc video communications more easily.  Corporate social networking tools, which utilize stored and real-time video, increase workgroup productivity and collaboration.  As corporations have invested heavily in branch office resources distributing human and corporate assets closer to customers, IP video will not only keep employees connected but will integrate physical security and surveillance of remote sites as well as offer new ways to generate revenue through digital signage where customers gain video access to executives who can sell products and services.   </p>
<p>In the next several weeks we&#39;ll publish an industry report that provides a framework describing IP video&#39;s organizing principle impact on corporate networks with planning guidance for business and IT leaders to best prepare corporate operations for a new era in IP video-based collaboration, education and social networking.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/04/lippis-report-issue-104-network-convergence-20-is-your-network-ready-for-ip-video/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Lippis Report Issue 103: Wiring Closet Switches Gain Strategic IT Value Label</title>
		<link>http://lippisreport.com/2008/04/lippis-report-issue-103-wiring-closet-switches-gain-strategic-it-value-label/</link>
		<comments>http://lippisreport.com/2008/04/lippis-report-issue-103-wiring-closet-switches-gain-strategic-it-value-label/#comments</comments>
		<pubDate>Mon, 07 Apr 2008 23:28:12 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Enterprise Mobility]]></category>
		<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Unified Communication]]></category>

		<guid isPermaLink="false">http://lippisreport.com/2008/04/07/lippis-report-issue-103-wiring-closet-switches-gain-strategic-it-value-label/</guid>
		<description><![CDATA[<p>The edge or access of a network connects all end-points into an enterprise network infrastructure. The network edge is made up of wiring closet switches, which are usually fixed Ethernet switching devices. The market for wiring closet switches is evolving.</p>
<p>In…</p>]]></description>
			<content:encoded><![CDATA[
<p>The edge or access of a network connects all end-points into an enterprise network infrastructure. The network edge is made up of wiring closet switches, which are usually fixed Ethernet switching devices. The market for wiring closet switches is evolving.</p>
<p>In the previous decade IT organizations had traditionally pursued an edge network that utilized shared hubs and switches to provide connectivity to end-points. The primary buying criterion was price per port with low price being paramount. These switching devices possessed few network services, such as layer 2 forwarding, Virtual Local Area Networking (VLAN), Routing Information Protocol (RIP) and a configuration tool as their primary network management capabilities. In short the old network access model provided best effort connectivity services with little to no operational control.</p>
<p><span id="more-737"></span>  </p>
<p>As a result of these past decisions, edge/access security was limited, with Layer 2 security measures often implemented haphazardly. Multiple VLANs were relied upon to maintain separation of user traffic and provided limited access control. Most switches relied on RIP as an interior gateway routing protocol but limitations in its algorithm could lead to sporadic outages that would render the network unusable.  </p>
<p><strong>From Commodity to Strategic </strong></p>
<p>IT departments saw wiring closet switches as commoditized networking equipment, with little differentiation between vendors. As a result, purchasing decisions were typically made solely on the basis of upfront acquisition cost with little regard for the increased lifecycle costs these purchases incurred on operations. Large organizations that focused their decisions on acquisition costs had soon assembled an enterprise network made up of equipment from different vendors throughout their wiring closets, distribution and core. Equipment from multiple vendors made effective management difficult and the multiple management systems required that these organizations keep a large staff with diverse skills to maintain network functionality.<br />
Wiring closet switch manufacturers have been driven to deliver increased network services in their products due to changing enterprise network demands, discussed below. As a result wiring closet switches and the network edge in particular have transitioned from being a commodity connectivity service to a strategic enabler of new IT applications and services while being the first level of defense to mitigate against internal network threats and attacks. This is a fundamental change in enterprise network design upon which business and IT leaders need to assess and review their infrastructure.<br />
A new category of wiring closet switches has recently begun to appear on the market. These switches are not to be viewed as commodities. Instead, these switches offer a host of new features that allow vendors to compete on multiple different fronts beyond traditional price per port metrics. It is important for executives responsible for purchasing decisions to understand this new basis of competition and to take into account not just their organization&#39;s current needs but also heretofore unconsidered future needs before selecting wiring closet switches and designing the next generation edge network. </p>
<p><strong>Enterprise Trends </strong></p>
<p>A new set of enterprise trends is forcing IT executives to review projects, programs and priorities as they seek to drive down Total Cost of Ownership (TCO) while extracting additional value from their enterprise network. Business executives expect their IT departments to meet continually growing demands for an increased number of networked applications and associated performance without significant year over year network expenditures. To manage this requirement IT leaders seek to purchase network switches that possess more forward-looking designs and more significant upgradability than what was provided by the previous generation of equipment.  </p>
<p><strong>IT Application Infrastructure Changes:</strong>  There are fundamental changes taking place with IT applications and communications, which are forcing new network edge requirements into the market.  New applications, communications and data center strategies are creating a new dynamic in mixed traffic patterns and increased desktop bandwidth requirements. </p>
<p><strong>A New Era in Communications Has Emerged:</strong>  IP telephony and now Unified Communications (UC) offer strong economic advantages, prompting business and IT leaders to adopt this technology.  </p>
<p><strong>Power Over Ethernet (PoE) Distribution:</strong>  The demands on the network continue to grow as additional devices are deployed throughout the enterprise. WLAN access points, video surveillance, IP phones, specialty devices such as health care instrumentation, point of sale devices and soon even laptops will require power distribution from the edge of the network.   </p>
<p><strong>The Network Edge Is The First Level of Defense:</strong> All prior generations of wiring closet switches are less secure than today&#39;s devices.  Network Access Control (NAC) and application policing have increased in importance for organizations committed to protecting the integrity of their network, the privacy of their data and providing compliance to various government and industry regulations.  </p>
<p><strong>Total Cost of Ownership:</strong>  The network edge and wiring closet switches in particular have a total cost of ownership breakdown of 20% capital spend and 80% operational spend according to Gartner Group. While new wiring closet switches may be more expensive from a capital acquisition point of view, their operational cost is lower and the total dollar spend over a three-year period will also be lower while delivering increased value to the enterprise. </p>
<p><strong>A New Class of Wiring Closet Switches Emerges</strong></p>
<p>Wiring closet switch suppliers have recognized the above enterprise trends and responded to the growing needs of their customers with a new type of wiring closet switch that adds significant functionality over and above previous switch generations. These suppliers are succeeding at delivering increased value to IT organizations and in the process transforming the commoditized network edge into a strategic IT asset. These new switches build upon the capabilities of the previous generation and enable a host of new applications such as UC, enterprise-wide mobility and enhanced security features that provide a new degree of protection against internal security threats.</p>
<p>Intelligence and network services are being distributed to the network edge or access, allowing wiring closet switches to support enterprise transitions in IT application infrastructure and communications, adding business value in the process. This new class of wiring closet switches includes the following characteristics:  </p>
<p><strong>Quality of Service:</strong> New wiring closet switches tag applications at access to guarantee priority throughout an internal network and active monitoring.</p>
<p><strong>Power over Ethernet (PoE):</strong> Power is distributed over Ethernet cables, enabling new classes of devices to emerge and operate in environments that lack electrical infrastructure.</p>
<p><strong>Integrated Security:</strong> Both integrated security features and the support of security appliances implement strong access control and application-policing, bolstering internal threat defenses.</p>
<p><strong>Wireless Local Area Networking:</strong> WLAN integration, which includes access point PoE and controller support, increases WLAN coverage. Further common network management interfaces streamline operational support for both wired and wireless networks.</p>
<p><strong>Unified Communication (UC):</strong> UC support via PoE to power IP phones and UC end-points plus unique UC configuration profiles to ensure reliable and stable UC operation.</p>
<p><strong>Application Intelligence:</strong> Application intelligence or the categorizing of applications as they enter the wiring closet and either mark them with QoS or discard the application, affording application policing at the network edge.</p>
<p><strong>Layer 3:</strong> Full layer 3 forwarding, enabling all the value associated with routing including segmentation and aggregation, is now included in some wiring closet switches.</p>
<p>In addition to the above network services, wiring closet switches have become more powerful from a performance point of view, while engineers have increased switch reliability, availability and manageability designs. Power supplies are more efficient and serviceable, reducing power consumption and service outage. Bandwidth and packet processing performance have increased to support higher densities of 1 and 10 Gbs Ethernet while offering clever approaches to ease the transition to higher LAN speeds.  </p>
<p><strong>The New Basis of Competition Emerges</strong></p>
<p>This new category of switches has redefined the basis of competition among switch vendors. These advanced features allow for a degree of differentiation that was not possible for the previous generation. Organizations must assess their needs and begin making decisions based on a host of new factors besides initial acquisition cost. The following nine items are the new basis of competition among wiring closet switch suppliers. </p>
<p><strong>Future Proofing:</strong>  Future proofing is found in backward and forward migration strategies to utilize past investment as part of upgrades. Another aspect of future proofing is acquiring wiring closet switches with more than enough packet processing performance to meet existing requirements and those unforeseen demands.  </p>
<p><strong>Transitioning From 1Gb Ethernet to 10Gbs Ethernet:</strong>  10Gbs Ethernet is the future of networking, with more than 1 million 10Gbs capable ports shipped in 2007. If the past is a guide to the future, then over time more and more 1 Gbs Ethernet ports will upgrade to 10 Gbs placing strain on wiring closet packet processing performance while driving up 10Gbs port density requirements plus downstream distribution and core switch capabilities.  </p>
<p><strong>Power over Ethernet (PoE):</strong> PoE is a standard wiring closet requirement as it enables a wide range of devices to exist in areas that are not wired for electrical power in addition to being convenient and an efficient power distribution method.  </p>
<p><strong>High Reliability and Availability:</strong>  High availability switch features ensure that the network edge does not suffer downtime. Some wiring closet switches implement a stacking feature to increase port density when needed, avoiding larger than needed capital acquisitions. This is an effective approach to scale and in some cases availability; however care must be applied when researching the stacking mechanism.  </p>
<p><strong>High Performance:</strong>  As an ever-increasing amount of traffic is placed upon the network, performance remains an important differentiator between switches. The ability of this latest generation of switches to handle the load imposed by voice and video traffic in addition to the standard application demands is critical.  </p>
<p><strong>Reduced / Contained Operational Costs:</strong>  To reduce the largest and most expensive component of the network edge&#39;s TCO, switch features that minimize operational impact should be exploited.  </p>
<p><strong>Consistent Network Management:</strong>  Consistent network management means leveraging the same supplier for the network edge, distribution and core.  </p>
<p><strong>True Layer 3 Support:</strong>  To support all the above-mentioned trends and unforeseen applications, wiring closet switches are required to support full layer 3 forwarding.  </p>
<p><strong>Support of UC, Mobility and Security:</strong>  This basis of competition is one of the most important attributes to the new network edge. Wiring closet switches need to support both standard interfaces and services for UC, mobility and security so that mixed vendor solutions may occur. </p>
<p>The new basis of competition among wiring closet switch suppliers is based upon switch attributes, scale, and features which reduce operational requirements and spend plus possess the ability to not only support but add value to UC, mobility and security.  In the upcoming Lippis Report &#8220;Wiring Closet Switches Enable New Applications And IT Services:  Intelligence Enters Network Access&#8221; we review various suppliers against the above basis of competition. </p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/04/lippis-report-issue-103-wiring-closet-switches-gain-strategic-it-value-label/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Lippis Report Issue 102: Is UC Innovation Accelerating Faster Than The Market Can Absorb?</title>
		<link>http://lippisreport.com/2008/03/lippis-report-issue-102-is-uc-innovation-accelerating-faster-than-the-market-can-absorb/</link>
		<comments>http://lippisreport.com/2008/03/lippis-report-issue-102-is-uc-innovation-accelerating-faster-than-the-market-can-absorb/#comments</comments>
		<pubDate>Tue, 25 Mar 2008 02:57:22 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[Unified Communication]]></category>

		<guid isPermaLink="false">http://lippisreport.com/2008/03/24/lippis-report-issue-102-is-uc-innovation-accelerating-faster-than-the-market-can-absorb/</guid>
		<description><![CDATA[<p>Communications or I should say dial tone did not change much in over 100 years. But since 1996 when Cisco, 3Com, ShoreTel, et al launched the IP telephony industry, change has been enormous. IP telephony brings communications into Moore&#39;s Law,…</p>]]></description>
			<content:encoded><![CDATA[
<p>Communications or I should say dial tone did not change much in over 100 years. But since 1996 when Cisco, 3Com, ShoreTel, et al launched the IP telephony industry, change has been enormous. IP telephony brings communications into Moore&#39;s Law, accelerating it at the pace of computing and semiconductor density advances. This rapidly reduced cost, and in less than ten years IP telephony solutions offer a lower acquisition and operational cost model than TDM telephony. But in only the past eighteen months, IP telephony has transformed into unified communications (UC) being wrapped into software economics which has allowed Avaya, Siemens, et al to announce UC feature-rich packages that cost as low as fifteen cents a day. While Moore&#39;s Law is an innovation accelerator, software economics is proving to be a multiplier to this accelerator. All this innovation and competition is usually good, but for UC I&#39;m finding that business and IT leaders are thinking that innovation is moving faster than they can absorb it into their organizations.</p>
<p><span id="more-719"></span></p>
<p>The enterprise communications market finds itself in a precarious position in that communications innovation is accelerating much faster than business and IT leaders can absorb it, creating an increasing gap between innovation and adoption. Layer the alleged coming recession on top of this adoption lag and you have the makings of a potential slow down.</p>
<p>Just this past week at an industry conference and exhibition there was a flurry of announcements and new products that increased UC functionality. For example, Cisco announced its 3200 Telepresence system increasing the number of people who can participate in a Telepresence session. Avaya announced packaged UC offerings, an intelligent branch office solution and most importantly its Integrated Presence Server (IPS). IPS aggregates presence information from multiple communication platforms such as Microsoft&#39;s OCS, IBM&#39;s Sametime, Google, Yahoo, AIM, Avaya One-X, etc., and bi-directionally presents a single view of presence for all contacts into a user&#39;s presence client, be it OCS, One-X, Sametime, etc. Siemens totally transformed its product line into software economics with its UC Server and UC applications and ushered in hi-def video conferencing. Microsoft demonstrated click-to-conference capabilities within OCS to Tandberg and Polycom conferencing products. Mitel has integrated in leaps and bounds with its Inter-Tel acquisition, demonstrating interoperability and integration. Even Nortel and Microsoft&#39;s ICA showed integration progress.</p>
<p>Now the above announcements are becoming routine; every six months there is a major UC industry announcement with UC just being eighteen months old. But even though the industry has just entered the UC software economic phase, many suppliers are communicating next generation capabilities. Many firms are aggressively developing Communications Enabled Business Processes (CEBP) products and roadmaps. The thinking here is that business processes can benefit by injecting communications into them so that delays both human and system can be reduced, speeding up business, be it workflow, supply chain or the agility of an organization to respond to events. The key aspect of CEBP is the exposure of communication features to .net and web services-based developers which number in the millions. Think about the innovation that will occur when CEBP is unleashed upon millions of developers who can now shape and model communications to address specific business processes. Other industry players are painting a communication vision that links collaboration with social networking to deliver enterprise value. The thinking here is that collaboration is at the heart of modern enterprise communications and that social networking is the next generation of IT applications to be unleashed upon the economy. Linking social networking with UC collaboration will drive the economy to the next level of productivity.</p>
<p>Both models are valid and could and will co-exist. But what I hear more often is that business and IT leaders are growing increasingly confused over the direction of communications and how to integrate it into their operations. At the center of this complexity is the fact that communications is evolving from a product selection process to a platform investment. The IP telephony products which an IT executive acquires will dictate to a large degree that executive&#39;s UC and forward strategy. As such, UC vendor selection weighs heavily on the minds of IT; thus the market is starting to take its time in choosing. At the above-mentioned conference last week a view of the exhibit floor provided a peek into market dynamics. All major supplier exhibits were packed with potential buyers. There was no dominant player; all were equally being probed, meaning that the market is in exploration mode trying to learn the array of options available from each supplier.</p>
<p>This is an important time for the vendor community. No vendor currently communicates an enterprise communications value proposition that includes IP telephony, UC and beyond that is wrapped around a technical and business architecture that the industry can understand and most importantly invest in. Not Cisco, nor Microsoft, IBM, Avaya, Siemens, Nortel, ShoreTel, Mitel, etc. Not one, yet.</p>
<p>For business and IT leaders now is the time to develop a comprehensive UC network architecture and evolution plan. With a plan in hand, IT leaders can sort through the waves of innovation more easily with a simple test: does this innovation benefit my corporation and what is the level of difficulty to absorb it? A UC architecture needs to be business requirement driven, integrating line of business needs. These needs can then be prioritized and mapped into UC requirements. These requirements drive the architecture, which specifies networks, communications and application development protocols and interfaces. Equipped with a UC architecture IT leaders can then develop an evolution plan that dictates the pace of innovation adoption. There may be economic or organizational constraints that should be factored into the evolution plan too. For example, Kent School District does not have capital budget to spend on a UC roll-out, so they are deploying UC one building at a time and funding this evolution by the elimination of the existing PBX maintenance contract. Others who do have a capital budget, such as Bank of America are rolling out a 150,000 IP phone UC deployment.</p>
<p>The most important aspect of a UC evolution plan is to develop a set of principles which guide procurement and are based upon the architecture so that as UC innovation is absorbed and implemented into the corporation it moves closer and closer to the target architecture. If architecture is the bridge between business strategy and UC evolution, then principles are the sign posts that get you over the bridge. For example, a principle may be that all UC end-points will be SIP-based. Another principle may be that all UC servers and applications will be accessible via .net and/or web services/SOA IT developers. Another could be that UC applications are network agnostic, meaning that they can be extended over WLAN/LAN/WAN and mobile networks.</p>
<p>As mentioned above there are two drivers to a potential slowdown which defers UC acquisition: one being the innovation absorption lag and the second being the potential US recession. If both these drivers interact to deliver the potential slowdown then what can we expect? First during slowdowns many business and IT leaders become introspective, analyzing business processes, customer relationships, projects, product development and their timing, etc. This may very well be a good development, since it will provide business and IT leaders with time to develop a UC architecture that is tightly linked to their business needs. It may also bifurcate industries into firms who adopt UC based upon a business plan and those that either defer deployment or don&#39;t adopt until the recession passes, creating competitive differentiation, market share gain, and overall better positioning as the economy improves for those who act now. For the vendor community it affords time to develop a value proposition rooted in a technical and business architecture that will last over the next two plus business cycles.</p>
<p>There is no mistaking the fact that communications is in the midst of its most significant change since Alexander Graham Bell said, &#8220;Mr. Watson &#8212; Come here &#8212; I want to see you.&#8221; Software economics is not only lowering acquisition cost but it&#39;s making communications accessible to IT programmers who will use this access to innovate at a pace few can imagine. If the slowdown is to occur, then perhaps this slight pause is needed for the industry to collectively gather its breath before it ushers in the next communications-based productivity revolution.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/03/lippis-report-issue-102-is-uc-innovation-accelerating-faster-than-the-market-can-absorb/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Lippis Report Issue 101: Economic Recession?  Which IT Projects Will Get Cut? For Networks and Communications, Not Many.</title>
		<link>http://lippisreport.com/2008/03/lippis-report-issue-101-economic-recession-which-it-projects-will-get-cut-for-networks-and-communications-not-many/</link>
		<comments>http://lippisreport.com/2008/03/lippis-report-issue-101-economic-recession-which-it-projects-will-get-cut-for-networks-and-communications-not-many/#comments</comments>
		<pubDate>Mon, 10 Mar 2008 18:47:18 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Unified Communication]]></category>

		<guid isPermaLink="false">http://lippisreport.com/2008/03/10/lippis-report-issue-101-economic-recession-which-it-projects-will-get-cut-for-networks-and-communications-not-many/</guid>
		<description><![CDATA[<p>The US recession forecasted by economists and government agencies became real on March 7th when the Labor Department estimated that the nation lost 63,000 jobs in February.   Like plotting the coordinates on a hurricane chart as the storm heads toward…</p>]]></description>
			<content:encoded><![CDATA[
<p>The US recession forecasted by economists and government agencies became real on March 7th when the Labor Department estimated that the nation lost 63,000 jobs in February.   Like plotting the coordinates on a hurricane chart as the storm heads toward you, this consumer-led downturn is beginning to concern business and IT leaders.  Perhaps the worst fear is that this downturn is similar to Japan&#39;s 1990s real estate-led crisis, which resulted in a decade of economic malaise.  But the only similarity between the 1990s Japanese and the current US downturn is the source of the disturbance.  US banks are quick to write down bad debt; the federal government responded quickly with a stimulus package while the Fed continues to reduce interest rates, none of which Japan did.  In IT while there are no hard signs that the US economic slow down has impacted current projects, business and IT leaders have a steady-as-she-goes attitude with a tint of caution.  I predict that IT will weather this storm with only a slight percentage of spending growth lost while some projects such as UC, virtualized data centers and application delivery accelerate their adoption and growth. </p>
<div class="pod_wide">
<p><img src="/wp-content/uploads/in.jpg" width="60" height="75" alt="Inbar Lasser-Raab" />Related Podcast:<br/><strong>The Year of the Branch Office: Interview with Inbar Lasser-Raab Senior Dir Marketing Cisco Enterprise Routing/switching</strong></p>
<p><a href="http://lippisreport.com/?lippis_pid=696&#038;lippis_fil=inbar_cisco_2_21_08_v2.mp3">Listen to the Podcast</a></p>
<p><img src="/wp-content/uploads/backtoback.jpg" width="100" height="75" alt="Siemens Guest Speakers" />Related Podcast:<br/><strong>Siemens Challenges Microsoft OCS with new UC Server</strong></p>
<p><a href="http://lippisreport.com/?lippis_pid=675&#038;lippis_fil=straton_singh_siemens_2_25_08.mp3">Listen to the Podcast</a></p>
</div>
<p><span id="more-697"></span></p>
<div class="pod_rel">
<p class="pod_p">Related White Paper: Dental Provider Gains Efficiencies With Converged Network</p>
<p><a href="http://lippisreport.com/?lippis_pid=678&#038;lippis_fil=cisco_case_study_dental_provider_gains_efficiencies_with_converged_network_v2.pdf" class="pdflink">Get the Whitepaper</a></div>
<p>According to a recent report from the U.S. Census Bureau released on Thursday, March 6th 2008, &#8220;U.S. businesses spent $250.7 billion on information and communication technology equipment and computer software in 2006, an increase of 6.3 percent from 2005&#8221;.  IT spending will still grow in 2008, but perhaps not as fast as it had between 2005-2006 and 2006-2007.  While IT projects currently funded are not impacted by the slowdown, it&#39;s the summer and fall quarters which may be impacted and I say may be for the following reasons: </p>
<p><strong>Been Here Before </strong></p>
<div class="pod_rel">
<p class="pod_p">Related White Paper: Rapid 3G Wireless WAN Deployment Lowers Costs at Construction Sites</p>
<p><a href="http://lippisreport.com/?lippis_pid=680&#038;lippis_fil=cisco_case_study_rapid_wireless_wan_deployment_lowers_cost_at_construction_sites.pdf" class="pdflink">Get the Whitepaper</a></div>
<p>The tech bubble burst of 2001 trained this generation of business and IT leaders to be financially responsible.  IT spending was scrutinized under a microscope by executive management, in particular the Chief Financial Officer, Chief Operating Officer, Chief Executive Officer and Chief Information Officer.  During this period financial ROI and TCO guidelines were put in place for most corporations, which have not been relaxed.  IT vendors were also trained to produce products and services that solve business requirements which are justified under these strict guidelines for lower TCO and quicker ROI.  These controls and practices replaced gee-whiz tech spending with rational IT business planning and deployment.</p>
<p><strong>Consumer-Led Slow Down </strong></p>
<p>This slow down is consumer-led, impacting real estate, retailers, hospitality, and other consumer focused businesses the hardest.  Other industry segments such as energy, finance and insurance, health care and manufacturing, etc., have yet to significantly slow their IT capital budgets.   </p>
<p>In the current economic climate many IT projects that adhere to fundamental corporate justifications such as short ROI times and lower TCO guidelines will not be affected but in fact will be accelerated.  In particular data center consolidation and virtualization, unified communications (UC), application delivery and branch office networking, network infrastructure upgrades and network security projects will not be negatively impacted if a mild recession occurs lasting as long as twelve months. </p>
<p><strong>Data Center Consolidation and Virtualization </strong></p>
<div class="pod_rel">
<p class="pod_p">Related White Paper: Is Now The Time To Migrate To IP Telephony? Re-evaluating the Risks and Rewards</p>
<p><a href="http://lippisreport.com/?lippis_pid=695&#038;lippis_fil=avaya_Re-evaluating_IPtel_Migration_risk.pdf" class="pdflink">Get the Whitepaper</a></div>
<p>Data center consolidation and virtualization projects are by definition designed to reduce cost while increasing efficiency and performance.  During challenging economic times these IT projects accelerate due to their favorable ROI and TCO benefits.  In addition data centers are the largest consumers of IT energy, thus bringing another important and tangible benefit to these products, reduced energy consumption and cost. </p>
<p><strong>Unified Communications </strong></p>
<div class="pod_rel">
<p class="pod_p">Related White Paper: Cisco Unified WAN Services: Services, Security, Resiliency, and Intelligence</p>
<p><a href="http://lippisreport.com/?lippis_pid=684&#038;lippis_fil=cisco_unified_WAN_services.pdf" class="pdflink">Get the Whitepaper</a></div>
<p>There are two kinds of UC projects.  There are UC engagements where CIOs seek to reduce cost by displacing their TDM-based enterprise voice communication system.  The cost savings advantages of UC are well documented and usually fall into the 30-50% range when compared against TDM systems.  UC was born out of the tech bubble burst, offering corporations a new feature-rich, lower-cost alternative to traditional TDM.  These projects are very popular now due to their cost/benefit value proposition, but most importantly to some, their economic return is solid.  These kinds of IT projects accelerate during weak economic times, thanks to their favorable return on investment cycle which is usually less than twenty-four months and is typically eighteen months.  The only caveat is that if the US economy enters into a long protracted downturn that significantly slows capital spending then some will delay or defer UC projects and keep to their antiquated and legacy TDM systems until the economy improves.</p>
<div class="pod_rel">
<p class="pod_p">Related White Paper: Achieving WAN Operational Efficiency with the Cisco ASR 1000 Series</p>
<p><a href="http://lippisreport.com/?lippis_pid=686&#038;lippis_fil=cisco_WAN_ops_efficiency_ASR.pdf" class="pdflink">Get the Whitepaper</a></div>
<p>But UC is also on a trajectory of software economics, which will radically reduce its acquisition cost to a small fraction of comparable TDM-based voice systems.  For example, Siemens Communications made the largest UC announcement of the year by launching its OpenScape UC Server and a suite of UC applications.  This is a huge software investment from Siemens taking one of, if not the, largest steps of any in the industry toward a software and services concern. With OpenScape UC server running on industry standard computing hardware IT leaders can deliver Siemens OpenScape Voice Application, UC application and its video collaboration suite of solutions.  UC savings are found in acquisition and total cost comparisons including wide area services, operations and capital spend.  But there is also the value and reduced cost of doing business that is achieved with UC which is a benefit not calculated during acquisition.  For example, according to Forrester Research, Siemens UC Server with video showed &#8220;significant benefits by integrating video into its UC strategy yielding quarterly team meetings dropped by 97%, reducing cost from $35,000 to ~$1,000.&#8221;</p>
<div class="pod_rel">
<p class="pod_p">Related White Paper: Microsoft and Cisco Together: Optimizing Branch IT Services</p>
<p><a href="http://lippisreport.com/?lippis_pid=688&#038;lippis_fil=netsol_wp_cisco_msft_opt_branch_IT_srvs_wp.pdf" class="pdflink">Get the Whitepaper</a></div>
<p>While half of UC projects are cost reduction in nature, the other half are strategic offering corporations competitive advantages when they need it the most, during difficult economic times.  For example, 24% of retail customers leave a store without the item they entered to purchase, costing retailers some $98 billion annually.  Some of the reasons for this lost sale are that the item has not been shelved yet but is still in the back of the store in storage, or the item can be shipped to them if out of stock, etc.  Intelligent branch and retail stores equipped with UC link retail store employees with inventory systems, contact center agents and corporate knowledge experts so that retail clerks can address a customer&#39;s need and close the sale.  Other UC deployments increase the number of products and services offered by retailers or branch offices through &#8220;digital signage&#8221;, increasing customer choice, service and revenue per store.  For certain these kinds of IT projects take real business and IT leadership during downward cycles but their returns are usually huge as competitive advantage is gained while competitors defer investments and fall behind.  This is the time to win market share. </p>
<p><strong>Network Infrastructure Upgrades </strong></p>
<div class="pod_rel">
<p class="pod_p">Related White Paper: The Ultimate UC Experience: Office Communications Server Integrated with Avaya Communication Manager</p>
<p><a href="http://lippisreport.com/?lippis_pid=690&#038;lippis_fil=avaya_Enabling_Technologies_ACM-OCS.pdf" class="pdflink">Get the Whitepaper</a></div>
<p>While there is no evidence of this yet, the $20+ billion Y2K infrastructure upgrade and refresh cycles currently underway could be deferred or delayed if capital spending is significantly reduced.  This is unlikely as network infrastructure is linked tightly to application delivery thanks to new network services.  Services such as application intelligence, network security, network virtualization, power distribution thanks to PoE, unified communications, etc., are required by communication and corporate applications.  Network infrastructure does not simply provide a connectivity service but has become a business platform integral to application performance and delivery, which equates to improved business processes and workflow.  New network infrastructure projects, especially in wide area networks where aggregation of links delivers economic efficiency and increased bandwidth, will accelerate during a slowdown.  Of significant note is Cisco&#39;s new ASR 1000 series of routers where unified WAN services are enabled.  Unified WAN services trade off high cost WAN expense for low cost capital expenditure resulting in overall lower TCO with increased performance.  These types of network infrastructure upgrades will occur independent of economic conditions.</p>
<p><strong>Application Delivery and Branch Office Empowerment </strong></p>
<div class="pod_rel">
<p class="pod_p">Related White Paper: 802.11n Access Points and Power over Ethernet: Key Considerations</p>
<p><a href="http://lippisreport.com/?lippis_pid=691&#038;lippis_fil=siemens_FPG-APs_and_PoE.pdf" class="pdflink">Get the Whitepaper</a></div>
<p>While application delivery and branch office empowerment can be argued as a network infrastructure upgrade, I separate it out here as it solves a unique business requirement.  Thanks to the last economic downturn headquarter facilities have increasingly been hollowed out as business leaders shift human and corporate assets to data centers and branch offices in an effort to be closer to customers. The resulting application delivery and branch office empowerment markets have boomed and I see slow down now in its trajectory.  The branch office empowerment market is dominated by Cisco with their over 3 million ISRs installed.  Cisco is increasingly adding application delivery features such as its WAAS, PfR, ACE et al to its branch office and application delivery solution.   </p>
<div class="pod_rel">
<p class="pod_p">Related White Paper: Practical Considerations for Deploying 802.11n</p>
<p><a href="http://lippisreport.com/?lippis_pid=694&#038;lippis_fil=802-11n_siemens_WhitePaper.pdf" class="pdflink">Get the Whitepaper</a></div>
<p>For branch office networks there are three distinct WAN optimization technologies: 1) TCP optimization for non real-time applications such as Microsoft Exchange which is led by Riverbed; 2) QoS for UDP optimization for real-time applications such as Voice over IP which is led by Packeteer; and 3) Content Delivery Networks (CDN) for web and static application acceleration which is led by Bluecoat.  There are many other firms in the application delivery market such as F5, Foundry, Certeon, Exinda, Silverpeak, Juniper et al, providing choice to IT leaders.  These IT projects enable branch office employees to have the same set of business tools and resources at the same performance levels as if they were in a fully equipped headquarter facility. Application delivery and branch office empowerment enables the re-allocation of corporate and human resource deployment into branch offices to be successful.  Without application delivery and branch office empowerment this corporate strategy would not succeed.  That is why these IT projects will continue to be funded during weak economic times.</p>
<p><strong>Network Security </strong></p>
<p>Network security spending seems independent of economic climate.  Securing data and communications is a cost of doing business and its budget is increasingly being allocated out of corporate compliance allocations.  Network security IT projects will not be cut. </p>
<p>Economic downturns bring many things, not all of which are bad.  IT suppliers will invariably repackage offerings to address short term economic uncertainty, reducing barriers to entry.  Economic downturns are often accompanied by introspection of business strategy, initiatives and processes, which drive new innovations.  These innovations then drive new requirements which open up new markets; the branch office market was created out of the tech bubble burst.  The advantage of acquisition pricing negotiation swings toward buyers, yielding leverage.  Large IT companies get larger during these times too, as IT leaders grow more cautious with smaller players.   The fact that networks and communications solutions are entrenched in justification through economic prudence will serve this industry well during what may be an unenviable economic recession.  Let&#39;s just hope that if we are in recession it&#39;s a short one.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/03/lippis-report-issue-101-economic-recession-which-it-projects-will-get-cut-for-networks-and-communications-not-many/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Lippis Report Issue 100: A New Approach to Branch Office Networking and Communications Emerges</title>
		<link>http://lippisreport.com/2008/02/lippis-report-issue-100-branch-20-a-new-approach-to-branch-office-network-and-communication-emerges/</link>
		<comments>http://lippisreport.com/2008/02/lippis-report-issue-100-branch-20-a-new-approach-to-branch-office-network-and-communication-emerges/#comments</comments>
		<pubDate>Thu, 21 Feb 2008 19:07:10 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>

		<guid isPermaLink="false">http://lippisreport.com/2008/02/21/lippis-report-issue-100-branch-20-a-new-approach-to-branch-office-network-and-communication-emerges/</guid>
		<description><![CDATA[<p>Network services follow computing and application paradigms.  IBM&#39;s SNA extended mainframe-based transaction processing applications over large distances between the 1960s and the 1990s.  SNA was/is a deterministic delay network assuring strict response time for applications and thus a consistent user…</p>]]></description>
			<content:encoded><![CDATA[
<p>Network services follow computing and application paradigms.  IBM&#39;s SNA extended mainframe-based transaction processing applications over large distances between the 1960s and the 1990s.  SNA was/is a deterministic delay network assuring strict response time for applications and thus a consistent user experience.  During the 1990s multi-protocol LANs connected over WANs supported client-server computing and desktop productivity applications.  Networks were required to be multi-protocol while supporting bridging, switching and routing and provide best effort packet transfer.  In the late 1990s into 2000 converged IP networks supported web-based applications and the beginning of IP telephony.  This generation of networks was required to deliver quality of service to applications, support faster bandwidth speeds and deliver power over Ethernet to various end-points.  Today the demand is for networks to support unified communications, web 2.0 applications, and mobility in addition to decades of legacy applications.  As networks transitioned through these stages network services were added to support a changing computing and application environment.</p>
<div class="pod_wide">
<p><img src="/wp-content/uploads/avaya2.jpg" alt="Avaya Guest Speakers" />Related Podcast:<br/><strong>Intelligent Branch, A New Value Creation Model Emerges</strong></p>
<p><a href="http://lippisreport.com/?lippis_pid=671&#038;lippis_fil=massa_kleckner_avaya_2_20_08.mp3">Listen to the Podcast</a></p>
</div>
<p><span id="more-673"></span></p>
<p>But it&#39;s not just computing and applications driving network services; changes in the way corporations distribute human and capital assets also impact network service, which brings us to today. US corporations are hollowing out headquarter facilities and distributing resources to data center and branch offices.  These trends have ushered in new options and designs for branch office networks and communications, which I call Branch 2.0.</p>
<div class="pod_rel">
<p class="pod_p">Related White Paper: Interactive Digital Merchandising in Retail Banking</p>
<p><a href="http://lippisreport.com/?lippis_pid=666&#038;lippis_fil=RetailMerchandising.pdf" class="pdflink">Get the Whitepaper</a></div>
<p>Branch offices have always been limited in their IT personnel due to cost constraints.  Paradoxically Branch 2.0 leverages networking, communications and IT to deliver on strategic corporate initiatives by improving customer experience, and providing employees with the same IT services to which headquarter staff are accustomed. To meet this end, Branch 2.0 IT architecture includes IP telephony or Unified Communications and state-of-the-art networking. </p>
<p>For example, many business thought leaders in financial services are exploring how best to leverage their branch assets to up- and cross-sell customers while improving the branch office experience. These thought leaders are collectively thinking in terms of Branch 2.0, which from a real estate and staffing point of view is a smaller footprint but rich in IT.  Here intelligent video is a key IT attribute of Branch 2.0, assisting customers selecting products or services that meet their needs out of potentially 100s of possibilities as it is impossible for limited branch office staff to be experts with this number of products/services.  Staff experience is a critical factor, limiting the number of products/services that can flow through retail branch offices.  In this case Branch 2.0 seeks to address the main concerns of retail banking executives such as: </p>
<ul>
<li>Constrained staff skill levels</li>
<li>Right here, right now customer transaction requirements</li>
<li>Broad lack of loyalty, thanks to increased competition</li>
<li>Using the large branch office footprint to up- and cross-sell existing customers while gaining new ones</li>
</ul>
<div class="pod_rel">
<p class="pod_p">Related White Paper: Network Helps Take Healthcare System into Bold Future</p>
<p><a href="http://lippisreport.com/?lippis_pid=668&#038;lippis_fil=case_study_sanford_health_network.pdf" class="pdflink">Get the Whitepaper</a></div>
<p>IP telephony is the platform that enables a wide range of communications-based applications such as UC and a wide range of as yet unforeseen Communications Enabled Business Processes (CEBP) improvements. Business and IT leaders in the financial services sector have a broader UC framework that extends beyond desktop and mobile phone communication launch points to a UC that is tied deep into business process which satisfies a competitive business requirement.  Soon retail banking customers will experience a new level of personalization at the branch office when they interact with a digital sign that connects them directly to a loan officer or bank expert who can assist them in product selection.  This is but one example of a new level of communication-enabled personalization that is driving branch office value creation.   </p>
<p>Retail customers demand personalized and relevant brand interaction at every touch point, be it web, call centers, online and particularly in-branch. The brand experience must flow consistently across these channels. Smart multi-channel retailers (especially those with traditional branch marketers like department stores, home improvement, retail banking services, even branch-delivered healthcare) are realizing the value creation possible by investing in communications innovation of their core brick and mortar investments. This alignment of the customer experience across channels ensures consistently good customer interaction, increased productivity and, ultimately, brand loyalty and increased revenues.</p>
<p>Retailers, particularly in financial services, are now beginning to see the role that distributed workforces can play in delivering customer value. Value is created by connecting this workforce to the customer and the retailer&#8217;s core operations, essentially placing personalized branch expertise wherever the customer happens to be. Personalized customer experience at branch offices offers new levels of top and bottom line success for retail business. Networking and communications innovation is at the root of this new value creation.</p>
<p>The UC providers such as Avaya, Microsoft, Cisco, Siemens et al., are leveraging their system integration resources along with their contact center and UC solutions to deliver customized Branch 2.0 implementations. For example, Avaya has a dedicated team focused on branch office solutions in retail and financial services, which customizes UC and CEBP solutions for Branch 2.0 prospects.</p>
<p>In addition to UC and its various application enablers, networking has evolved to support Branch 2.0 requirements. For example, companies such as Cisco, Nortel, Juniper, Riverbed et al., have integrated many networking functions such as security, switching, routing, UC, WLAN, application delivery, etc., into a single platform to ease management and operations while supporting new value creation models in support of strategic corporate initiatives.</p>
<p>One of the big innovations in 2007, and one which will continue well into 2008 and beyond, is application delivery or what I like to call Application Network Delivery (AND). This market, while segmented into at least three parts, is focused on increasing application performance over networks. There is a wide range of firms participating in AND including Cisco, Riverbed, F5, Bluecoat, Foundry, Packeteer, Certeon, Exinda, Silverpeak, Palo Alto Networks, Citrix, A10 Networks, Juniper, and Nortel. Some of these firms such as F5, Bluecoat, and Cisco are focused on load balancing in data centers to increase application performance of both public facing web sites and branch office applications. Others such as Cisco, Riverbed, Foundry, Packeteer, Certeon, Exinda, Silverpeak, Palo Alto Networks, Citrix, A10 Networks, Juniper, and Nortel offer either integrated or single function appliances located at branch offices which increase application performance over thin wide area network links.</p>
<p>When discussing branch offices and Branch Office 2.0 it is impossible to ignore Cisco, which has shipped over 3 million ISRs in less than 3 years and over 1 million Catalyst 2960s in the last two years. Cisco, the leader in the integrated approach to Branch 2.0 networks, has integrated network security, switching, routing, UC, application delivery and mobility into the ISR family of products. In September of &#39;07 Cisco added the new High Capacity WAAS Module or NME-522 and Cisco IOS Performance Routing (PfR) to increase application performance over wide area links. In addition, Cisco added a NAC appliance or NME-NAC for 50 and 100 users, which integrates CAS (Cisco Clean Access Server) functionality and supports the 2811, 2821, 2851, 3825, 3845 ISRs. In November of &#39;07 Cisco added an Intrusion Prevention System (IPS) advanced integration module for the ISR plus a suite of unified network services and communications.</p>
<p>A lot of new networking and communication technology has matured together to offer a new range of options in which to build Branch 2.0 office and retail networks. Business requirements will guide design options. Many business leaders require an open architecture where choice at the network and communication layers is required. Branch 2.0 is an open approach to exploiting one of the largest and most strategic corporate assets, that being the large footprint and touch point of branch offices. Branch 2.0 communication is UC and CEBP-based while its networking utilizes AND techniques and technology to accelerate application performance. When designing a Branch 2.0 solution, first gather strategic initiatives and business requirements. Map these business requirements against network and communication (NaC) attributes by creating a NaC requirement list. Use the NaC requirement list to develop a Branch 2.0 architecture which identifies stability points such as Ethernet and SIP, interfaces, services, management and operational models. The architecture is the blueprint or framework that all IT can reference and build up to. The Branch 2.0 architecture is also the bridge between business requirements and branch office evolution. Once the Branch 2.0 architecture is agreed upon, an evolution plan can be developed which dictates the pace of implementation, be it event-based or short term upgrade. This evolution plan will be the basis for a request for quote (RFQ) document that will be distributed to suppliers to bid upon.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/02/lippis-report-issue-100-branch-20-a-new-approach-to-branch-office-network-and-communication-emerges/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Lippis Report Issue 99: Cisco and Juniper Launch New Switching Platforms: One is Innovative, One is Not.</title>
		<link>http://lippisreport.com/2008/02/lippis-report-issue-99-cisco-and-juniper-launch-new-switching-platforms-one-is-innovative-one-is-not/</link>
		<comments>http://lippisreport.com/2008/02/lippis-report-issue-99-cisco-and-juniper-launch-new-switching-platforms-one-is-innovative-one-is-not/#comments</comments>
		<pubDate>Mon, 11 Feb 2008 23:54:21 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[Unified Communication]]></category>

		<guid isPermaLink="false">http://lippisreport.com/2008/02/11/lippis-report-issue-99-cisco-and-juniper-launch-new-switching-platforms-one-is-innovative-one-is-not/</guid>
		<description><![CDATA[<p>The last week of January 2008 kicked off a year in which Cisco delivered a new switching architecture for the data center and Juniper finally made public their LAN switching products. The announcements were a day apart and many in…</p>]]></description>
			<content:encoded><![CDATA[
<p>The last week of January 2008 kicked off a year in which Cisco delivered a new switching architecture for the data center and Juniper finally made public their LAN switching products. The announcements were a day apart and many in the industry thought that these products would be head-to-head competitors, like the companies themselves. When you look into the two announcements you find that Cisco&#39;s Nexus is a generation above Juniper&#39;s EX-series of switches, as Cisco&#39;s vision of Nexus is beyond server connectivity and looks to redefine how all data center servers, storage and networks are wired. Juniper&#39;s EX-series of LAN switches can have a role in the data center, but they&#39;re designed for enterprise desktop and server connectivity. In short, Juniper does not offer anything more compelling than what is already available from Cisco&#39;s Catalyst 6500 and 4500E switches, Foundry, Extreme, ProCurve and Force 10. I am disappointed that Juniper didn&#39;t take this opportunity to innovate and offer solutions to today&#39;s pressing enterprise infrastructure problems. Below is an assessment of the Cisco and Juniper product announcements.</p>
<p><span id="more-664"></span></p>
<p>You can tell that Cisco has spent a lot of time with customers while in the design stage of Nexus. It possesses so many innovations that could only come from customer interactions which guide smart engineers. Cisco spent time understanding customer best practices so that Nexus&#39; system default behaviors align with these best practices. The result is a unique switch with attributes tailor-made for the data center.</p>
<p>Cisco only seems to build new networking platforms when there&#39;s a bandwidth/speed and service shift in the market. When the enterprise market started to transition from 10/100 Mbs shared Ethernet to switched Ethernet with VLANs, that triggered a combined bandwidth and service change, which forced the need for a new platform. As the market adopted 1 GbE, QoS and layer three forwarding, Cisco introduced the Catalyst 6500 platform. The Catalyst 6K was able to absorb next generation network technology to support 10 GbE. But now extreme high-density 10GbE is needed while the market is poised to adopt high densities of 40 GbE and 100 GbE as Ethernet becomes lossless and fiber channel over Ethernet capabilities emerge, ushering in an era of unified data center fabric. In the data center, the increased bandwidth and density per server required to support the new service of server virtualization is driving the need for a new networking platform.</p>
<p>Cisco analyzed these market changes and decided, years ago, that it was time to introduce a new platform for data center networking as there had been a bifurcation between enterprise campus and data center requirements. For example, Power over Ethernet is not needed in the data center while reliability and performance requirements are different in the metro, campus, branch, et al., areas of the network. It is this bifurcation that requires Cisco to continue the Catalyst 6500 although targeting it more at traditional enterprise networking.</p>
<p><strong>Enter Nexus</strong></p>
<p>Cisco&#39;s new switching platform, <a href="http://www.cisco.com/en/US/products/ps9402/prod_presentation0900aecd8073faff.html">the Nexus Family</a>, is squarely focused on critical infrastructure for the data center. Its value proposition is rooted in four key areas.</p>
<ol>
<li>Unified Fabric and IO that enables storage, Ethernet IP, High Performance Computing (HPC) to converge into a single network infrastructure. A unified fabric will lower total data center power requirements by approximately 8%. Given that networks consume 7% of overall data center power draw, Nexus neutralizes its own power consumption impact. Power efficiency is gained by device design and the reduction of data center devices needed such as the number of PCI interfaces on servers, the number of network devices, and driving increased levels of storage consolidation.</li>
<li>A New Switching Platform. Cisco started the software design of Nexus with SAN-OS to meet base line availability requirements of storage networks and then built a platform on top of this that delivers unprecedented availability to the point that it will not drop a single packet during upgrades or when service requires lossless transmission, e.g. storage.</li>
<li>The Nexus operating system, called NX-OS supports fiber channel, Ethernet, and IP all in one product line and one operating system. NX-OS, described in detail below, provides a virtualized control plane, which essentially looks like VMware for switches. NX-OS can run multiple virtual switches concurrently on one hardware product, splitting views and responsibilities across different administrative domains. This allows a lot of flexibility such as running a lab network on top of a production network, or to model a configuration change or determine a policy change on top of a network to understand its behavior and then cut over to production when comfortable. Overlapping administration is now possible, e.g., a SAN administrator and a LAN administrator are provided their respective views and controls without interfering with each other.</li>
<li>Data Center Network Management. Cisco added a full XML API so it could provide a data center network management platform built on top of Fabric Manager that shows L2, L3, fiber channel and unified fabric topology discovery, visualization, management, and Craft interface all on one screen. From Data Center Network Management ops can see EIGRP topologies, OSPF topologies, BGP in the future, etc., on an end-to-end system visibility basis.</li>
</ol>
<p><strong>How Nexus Unified Fabric Works</strong></p>
<p>Consider a group of servers and fiber channel arrays all connected via a group of Nexus switches. The unified fabric works by reducing the number of IO interfaces coming out of servers, unifying them down to one or two; two for redundancy. For example, a server may boot from a fiber channel array located at one end of the data center while a block-based file copy to another fiber channel array is in process; these two arrays may be doing a synchronous replication and then FTP-ing a file to another server in the data center. In short, the unified fabric supports all data center functions between servers, storage and networks. The unified fabric is gatewayless and seamless: there is no performance degradation, and no control plane or NPU is used in the data path. Nexus is implementing unified fabric in multi-chassis, multi-topology environments, eliminating spanning tree, making all data paths active. Eliminating spanning tree not only improves the survivability and availability of the network, but cross sectional bandwidth goes up by a minimum of 2X. Lastly, Cisco implemented the unified fabric so that intelligent fabric applications such as storage media encryption, encryption of data at rest, data migration mobility, synchronized replication, etc., are not lost, as there is no performance degradation traversing between MDS (Multilayer DataCenter Switch), Nexus and back to MDS.</p>
<p>On top of the unified fabric is Cisco&#39;s <a href="http://lippisreport.com/2007/12/17/cisco-trustsec-enabling-switch-security-services/">TrustSec</a>. Nexus is the execution platform for TrustSec. Nexus wire rate encrypts every link with AES128 with no performance degradation. Cisco also enabled security group tags so it can flatten the address space out in the data center which decouples an addressing scheme allowing simple logical topology schemes to be put back in place.</p>
<p><strong>Business Benefits</strong></p>
<p>Some of the business benefits associated with Nexus are first and foremost lower power draw; second is the increased utility gained in the data center. For example, data center ops only have to wire a server once, then never again. Nexus software allows data center ops to control the personality associated with every link in the data center. Every server will be connected to all storage! In most enterprise data centers, 15-20% of servers are SAN attached. When Nexus wires up servers and connects via FCoE (Fiber Channel over Ethernet) to MDS fiber channel attached storage, 100% of servers become SAN attached immediately. The opportunities for storage consolidation are huge.</p>
<p>Cisco filed over 1500 patents, invested over $1 Billion a year in R&#038;D, wrote 6 million lines of code for NX-OS and 2 million more for DCNM (Data Center Network Manager) to deliver unified fabric and IO for the data center. Nexus will consist of a modular rack, chassis and blade switching form factors representing multiple products all of which can reside in the same data center running the same operating system: NX-OS. What follows are some of the unique characteristics of Nexus.</p>
<p><strong>Data Center Class Reliability</strong></p>
<p>The Nexus possesses a zero service disruption design which extends from line card insertion and removal to software upgrades. Every aspect of Nexus has been designed to reduce the impact of faults. Its supervisor engine does not have uplinks or a forwarding engine, and does not possess a switch fabric; this eliminates the potential of failure of those system components in the event of a control plane loss. Management of Nexus plays an important role in reliability, too. Data center operators can SSH into Nexus, type reload and watch the entire box boot up and never be disconnected. If there is a corrupted boot flash, data center ops can restore the system in approximately one to two minutes versus the 23 hours it currently takes by a terminal server to copy that image, improving time to recover by some 99.95%.</p>
<p><strong>A Lossless Fabric Architecture</strong></p>
<p>Nexus has a lossless switching fabric architecture meaning that it does not drop frames on the backplane ever, being similar to storage device design. Nexus is designed to support dense 40 GbE and 100 GbE systemically throughout the architecture including the switching fabric, chassis, backplane, control plane, etc. Customers will not have to buy or replace or upgrade common equipment to support 40 and 100 gigabit Ethernet in Nexus as these protocols are developed in the standard bodies. Not only will customers not have to upgrade Nexus to support higher speed and greater density Ethernet and fiber channel, but Nexus does not need to be taken out of service to adopt these new technologies. In short, Nexus can absorb new technologies in a non-disruptive, always on, way. The Nexus platform is designed to deliver capabilities for aggregation of data center technologies. Its ability to virtualize its control and data plane while offering a staggering performance of fifteen terabits of switching capacity offers a lot of headroom for new technology integration along with flexibility to support multiple management models.</p>
<p><strong>Industrial Design</strong></p>
<p>Nexus&#39; physical layout was designed for ease of management, cable layout organization and reduced power consumption thanks to a well thought through air flow and cooling plan. Physical redundancy increases availability by not disrupting operations if a fan tray is disconnected or part of the fabric or cables are pulled. The lockable front doors open up and expose an integrated cable management design that offers the option to dress cables all to the left or all to the right or an equalized fan out. Up to 384 Cat6A cables on the 10-slot Nexus 7000 are supported.</p>
<p>The power supply design is fault tolerant, meaning that the Nexus can sustain grid failure; it can lose power grid A or lose a PDU (Power Distribution Unit) and it can lose three out of six power inputs and still operate. It can lose a power supply knocking out another of six inputs and the Nexus 7000 is still manageable. While Nexus has many power inputs its actual draw is less than 40% of power input allowing it to sustain grid failures, power supply failures, etc.</p>
<p>Nexus port densities are the highest in the industry. The initial two line cards available are a 32 port 10 GbE board and a 48 port 10/100/1000 MbE board; both cards support wire rate encryption and role-based security, i.e., Cisco&#39;s TrustSec. Nexus will support 512 10 GbE in its 18 slot chassis and 256 10GbE on its 10 slot chassis. All line cards connect to all fabrics and backplanes. There are no fabric packet drops. Latency on Nexus is deterministic. The fabric design optimizes frame size for the fabric as it approaches a congested state. Cisco pushed queuing to the inputs, which allows the fabric to self optimize frame size under load, allowing latency to stay deterministic even under extreme load.</p>
<p><strong>The ins and outs of packets</strong></p>
<p>The key aspect of Nexus is its unified fabric design, which means that it directly connects servers, storage and IO. How are different framing formats accommodated as they enter and leave Nexus? Are all frames normalized to a common format as data enters Nexus or are packets and frames switched in native formats? First, native formatting stays native on the wire destined to Nexus; there is no proprietary format on the wire. Once frames or packets are inside the system, the port ASIC determines the protocol type and buffers incoming data while executing a lookup on the forwarding engines to determine the egress interface before enqueuing and forwarding across the fabric. As packets enter the backplane, Cisco utilizes a well-understood and stable process for making forwarding decisions. The fabric chip makes a forwarding decision on what Cisco calls a FPOE (Fabric Port of Exit) header. The FPOE header is neutral to packet format. FPOE can be put on a fiber channel frame or an Ethernet frame and the frame is going to be forwarded across the backplane. Therefore packet formats are forwarded in their native frame format.</p>
<p>To eliminate congestion and increase reliability, Cisco has implemented an arbitration mechanism, which queues on the ingress line card and every egress port too in Nexus so that no frames are dropped in the fabric. So before a packet is placed on the fabric Nexus knows if the egress line card has the capability of receiving it. With the egress line card available to service the packet, Nexus then writes the header, the FPOE headers, and sends it across a given switch fabric. If Nexus is delivered a jumbo frame, it chops it up into four single frames. If Nexus receives a set of 64 byte frames queuing up it will put one fabric port of exit header on the concatenated or now super frame and forward that set of 64 byte frames to the egress where it takes the header off and forwards the individual frames to its destination. Note that no packets are ever forwarded on the wire out-of-order or fragmented.</p>
<p>In short, the Nexus ingress line card performs the destination look up, determines the physical port it needs to exit on, and then utilizes the FPOE header to move packets across its back layers. The EARL Forwarding Engine and Fabric writes a fabric port of exit header, which instructs Nexus how to forward the packet across the switch fabric: to which line card and out of which egress port it is going. The egress port then performs any serialization to the frame as it&#39;s placed on the wire.</p>
<p><strong>Future Proofing:</strong></p>
<p>The Nexus internal architecture is both media and format independent, supporting any kind of storage, IO and networking media. It possesses performance to support dense numbers of 40 and 100 gigabit Ethernet over time too, especially as 10GbE will become the standard for storage interconnect. Nexus has been designed to be protocol agnostic with tremendous headroom, allowing the data center market to move in a number of directions, none of which would make obsolete investments made.</p>
<p>Every time a switch fabric module is installed in Nexus it adds 46 Gbs per switch fabric, per slot with the first generation fabric. With five slots at 46 Gbs each, Nexus delivers a full duplex 230 Gbs or 230 Gbs in and 230 Gbs out of every slot concurrently in this system. This 460 Gbs of switching capacity is multiplied by 8 payload slots in the 10 slot chassis or 16 payload slots in the 18 slot chassis to arrive at its overall switching capacity. Note that there is 115Gbps of capacity to each Supervisor Engine too.</p>
<p>The Nexus 10- and 18-slot chassis will accommodate its next generation switching fabric. Cisco believes that it can double performance and over a product life cycle potentially quadruple performance capability thanks in part to the signal integrity design. The line cards and IO modules insert vertically while fabric modules are horizontal, making them perpendicular to each other and eliminating a backplane and its awkward design, which limits backward compatibility. In short, by eliminating a backplane, Nexus does not have complex cable routing issues, which drive up signal to noise ratio, preserving signal integrity at ultra-high speeds. The distance between fabric, supervisor and line cards is approximately a 1/4 inch of copper, easing the engineering to deliver 100 GbE.</p>
<p>Cisco is already building its second-generation of line cards, which will work with the first generation fabric supervisors, chassis and other common equipment. So customers can buy Nexus today, buy something else a year and a half or two years from now and not have to upgrade common equipment or experience an outage or disruption in service to perform the upgrade.</p>
<p><strong>A Data Center Built Operating System</strong></p>
<p>To deliver on the unified fabric, reliability and performance required in the data center, Cisco looked toward a new OS (Operating System) for Nexus. It built upon SAN-OS and IOS. Cisco started with SAN-OS as the foundation of Nexus OS (NX-OS). It then analyzed IOS, taking out the routing protocols, command interpreter, etc. It made some modifications to configuration roll back to IOS then combined this with SAN-OS to build NX-OS. Cisco&#39;s acquisition of Procket&#8217;s assets contributed to Layer-3 software with a modular, multi-process, endian independent code-base.</p>
<p>Six million lines of code later and NX-OS is Cisco&#39;s strategic OS for the data center. Over time any member of the Nexus family will run NX-OS. There will be convergence of Cisco&#39;s other data center platforms into NX-OS over the next several years. NX-OS is multi-threaded, multi-processed with every process being virtualized. Every process is restartable; every process has separate protected memory space, and has a separate memory table manager so it can be statefully restarted with no service disruptions. Nexus can restart OSPF faster than a switch can send a hello packet!</p>
<p>A zero service disruption design enables Nexus to unify fabric and IO by converging front-end networks, storage networks, back-end networks and backup networks into one unified fabric. NX-OS delivers a virtualized context of management. A data center can have up to eight virtualized contexts that provide views of what looks like mini switches inside a single device. Two data center op teams could have separate command line interfaces. One ops manager can type restart BGP and it will not restart another ops manager&#39;s BGP session or vice versa. NX-OS possesses stateful process restart, which heals faster than networks converge (100s of ms) and a concept called graceful system operations.</p>
<p>Graceful system operations links all protocol layers in an effort to simplify ops. For example, if ops commands Nexus to reload at the same time critical traffic or flows are passing through it then Nexus should not reload and drop or disrupt that traffic. To avoid this scenario, Cisco decided to make sure a Nexus switch says goodbye before it leaves the network.</p>
<p>If a Nexus is commanded to reload, it will first signal to other Nexus&#39; that it&#39;s reloading. It sends HSRP (Hot Standby Router Protocol) leaves, it freezes spanning tree state that stops sending BPDUs (Bridge Protocol Data Units), it sends LACP (Link Aggregation Control Protocol) marker frames and sets all route metrics to infinity. Every one of these signals is a standard way of signaling that a device is leaving the network. Nexus makes all these protocols work together so that the network pre-converges around the pending administrative outage. Traffic will not be disrupted during administrative outages, as it will be re-routed to assure reliability.</p>
<p>Cisco also looked at the way NX-OS boots to assure that it undergoes a graceful stateful boot process that&#39;s not disruptive either. Nexus does not advertise an all 0&#39;s route until it has its BGP route update complete. This is a nice change in the booting process as it never made sense for a router to advertise that it&#39;s the default gateway if it hasn&#39;t received its routing table yet. This graceful system operation is carried out all the way down to the line card level. The operational procedure for removing a line card is to push the release pin, watch as the LED blinks, and, when the LED turns off, take the line card out. Nexus pre-converges the line card to its safe-to-remove status without disrupting service.</p>
<p>From an operational point of view a data center network manager will have a single pane of glass view of the complete data center infrastructure with visibility of routing topologies, devices, reports, etc. But beyond device management, Cisco&#39;s vision is to take data center assurance testing which it has been running and link it to the data center network manager. What Cisco is planning to do is provide data as it updates testing on new versions, or as it finds field notices or defects or combinatorial problems in switches and certain code revs and certain deployment characteristics. A customer will be able to see this data overlaid on top of their infrastructure and know what devices they should inspect and which parts of their infrastructure need additional attention.</p>
<p><strong>Juniper EX-Series and Nexus Do Not Compete</strong></p>
<p>The Cisco Nexus is a big deal for a couple of reasons, but the single most important one is that Nexus will offer business and IT leaders a new approach to data center design that will reduce the number of data center devices needed, increase performance, simplify/streamline operations and materially reduce power draw, ushering in a new era of green networking. This is an engineering achievement on the scale of a Boeing 777. Cisco is the only networking concern that can accomplish this scale of project. IBM, HP, EMC, Microsoft et al., have the financial resources but clearly not the talent. No other networking concern could pull this off. Nexus is off the charts on vision, scope and completeness.</p>
<p>Juniper&#39;s EX-Series of Ethernet switches includes fixed configuration EX 3200 and 4200 switches plus its chassis based EX 8200. They are promoted as high performance, reliable and secure. Juniper offers 1 and 10 GbE port density, a high performance platform that it says will scale to support 100 GbE. The EX is targeted at traditional enterprise configurations such as branch offices, campus and headquarters facilities.</p>
<p>Juniper&#39;s EX 8200 is focused on competing with Foundry Networks&#39; BigIron RX Series, Force 10&#39;s E1200 and Cisco&#39;s Catalyst 6500 series of switches. Juniper does not have the enterprise channel to move these switches and unfortunately there isn&#39;t a large compelling set of features that would dislodge an incumbent. With Foundry and Extreme at a run rate of some $672M and $400M respectively and Force 10 at approx $100M, it seems like it would be difficult for Juniper to generate $100M in the next 18 months with this product line. Cisco&#8217;s Nexus is a next generation product while Juniper&#8217;s switches offer few advances over existing LAN switch architectures.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/02/lippis-report-issue-99-cisco-and-juniper-launch-new-switching-platforms-one-is-innovative-one-is-not/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>

