Marketecture vs. Momentum

Nir Zuk




Cisco’s news at this year’s RSA Conference is the unveiling of SecureX. Cisco itself describes this next-generation security architecture as “complicated” in that it includes new scanning elements, a policy language and enforcement capabilities (endpoint control, presumably), all aimed at improving security in a broader range of contexts. While Cisco admits these context-aware scanning elements are “completely independent of the architecture”, the company is only talking about embedding them into its line of ASA firewalls. Is that a roundabout way of answering enterprises’ call for a next-generation firewall?

Over the next 12 months, Cisco promises to get SecureX into its line of ASA appliances. When the press asked whether this will be a software upgrade or require new hardware, Cisco executives said they weren’t sure. Official quote: “that’s to be determined.” Cisco claims to have developed a new context-aware policy language that’s designed “to manage the context aware enforcement elements”, but it isn’t saying anything about how policies can be created or managed across an enterprise deployment of multiple boxes (and multiple types of boxes). As those who have felt the pain of implementing Cisco MARS, only to have it EOL’d, can testify, this is a significant issue. So let me get this straight: it’s complex, and we don’t know how it’s going to work, where it will be instantiated, or how it’ll be managed?

Complex architectures are one thing. Delivering on them is another. We at Palo Alto Networks have been shipping next-generation firewalls for nearly 4 years. We’ve had four major releases (with nine feature releases interspersed between them) in that time. We are pleased to announce that we now have over 3500 enterprise customers of our next-generation firewall. Every firewall we’ve ever shipped does application visibility and control.

We’re established as the visionary in the network security space. Our App-ID technology continues to be the only firewall traffic classification engine using application as the primary element. User-ID and Content-ID technologies bring the critical user/group and content angles into the next-generation firewall policy picture, enabling organizations to safely USE applications, rather than block them. For many organizations, this ability to safely enable applications completely changes the game.

Bottom line:
The rest of the industry has acknowledged the game-changing nature of next-generation firewalls with lots of marketing. But execution on the product side isn’t as easy to change, and it shows. Port-based firewalls coupled with IPS can’t do the same thing, either functionally or performance-wise. As expected, many network security vendors have changed their marketing stories accordingly. Cisco’s self-described “complex” security architecture is just that. Marketecture.

8 Reader Comments

  1.

    Thumbs up! Very well written article. Thanks for sharing.

  2.

    Looks like standard Cisco bashing. I think the bigger question is: when Cisco does have this solution in the next 12 months, how is Palo Alto Networks’ solution any different? Application visibility is no longer next-generation, it is current generation. What do you have to say about that?

  3. Nir

    Do you really think that stateful inspection plus a contextual language that looks for applications is the same as what we do? It’s not. And it won’t be based on what they claimed they were working on. So you think that taking that route is innovative in any way, shape or form?

    Any further analysis is pure speculation, given the dearth of details. What we plan on doing is continuing to enhance our features, expand our platforms, and prove our success. Let’s talk again when they finally ship whatever it is they announced.

  4.

    Having had the privilege to look at Cisco’s SecureX technology, I can safely say that Palo Alto has nothing to worry about anytime soon. I cannot give specifics due to NDA, but they are far, far behind Palo Alto.

  5. Matt

    Thanks for the vote of confidence, Jonathan. We plan on continuing our efforts to innovate and stay far ahead.

  6.

    Came across this article that was written in 2011. Not everything, but some theories/statements are still applicable. Thanks for sharing!

    Cheers, 2019!

  7.

    Well written article, Nir! Thanks for sharing with us. I will bookmark this website for future posts.

  8.

    Amazing article!! Appreciable job, Nir. Thanks for sharing!!
