Cisco's news at this years RSA Conference is the unveiling of SecureX. Cisco itself describes this next generation security architecture as "complicated" in that it includes new scanning elements, policy language and enforcement capabilities (endpoint control, presumably), all aimed at improving security in a broader range of contexts. While Cisco admits these context-aware scanning elements are "completely independent of the architecture", the company is only talking about embedding them into its line of ASA firewalls. Is that a round-about way of answering enterprises' call for a next-generation firewall?
Over the next 12 months, Cisco promises to get SecureX into its line of ASA appliances. When the press asked if this will be a software upgrade or require new hardware, Cisco executives say they aren't sure. Official quote: "that's to be determined." Cisco claims to have developed a new context aware policy language that’s designed "to manage the context aware enforcement elements" but Cisco isn't saying anything about how policies can be created or managed across an enterprise deployment of multiple boxes (and multiple types of boxes). As those who have felt the pain of implementing Cisco MARS, only to have it EOL'd, can testify – this is a significant issue. So let me get this straight – it's complex, and we don't know how it's going to work, where it will be instantiated, or how it'll be managed?
Complex architectures are one thing. Delivering on them is another. We at Palo Alto Networks have been shipping next-generation firewalls for nearly 4 years. We've had four major releases (with nine feature releases interspersed between them) in that time. We are pleased to announce that we now have over 3500 enterprise customers of our next generation firewall. Every firewall we've ever shipped does application visibility and control.
We're established as the visionary in the network security space. Our App-ID technology continues to be the only firewall traffic classification engine using application as the primary element. User-ID and Content-ID technologies bring the critical user/group and content angles into the next-generation firewall policy picture, enabling organizations to safely USE applications, rather than block them. For many organizations, this ability to safely enable applications completely changes the game.
The rest of the industry has acknowledged the game-changing nature of next-generation firewalls with lots of marketing. But execution on the product side isn't as easy to change, and it shows. Port-based firewalls coupled with IPS can't do the same thing – neither functionally nor performance-wise. Therefore, as expected, many network security vendors have changed their marketing stories accordingly. Cisco's self-described "complex" security architecture is just that. Marketecture.