http://matasanochargen.disqus.com/enWed, 04 Apr 2007 03:15:53 -0000http://www.matasano.com/log/768/why-consentry-isnt-going-to-solve-security/#comment-2322025It would seem I promised the world in my blog!<br><br>Is every security feature you're ever going to use within the LAN going to get embedded in a switch? And come from ConSentry? No. But are there a lot of LAN security functions you can and should provide within the network itself? And is ConSentry doing that? Yes.<br><br>You're right - building the horsepower to inspect and control every user flow is indeed hard. But we've built it. So calling it a crazy idea because it's hard seems a bit late.<br><br>And if you merely dump all the flows from the switch into another box, doesn't it have to have all the horsepower to process the flows anyway? Why is that easier? Besides, you want immediate enforcement - better that it's in the forwarding plane directly.<br><br>And again, we're not trying to do EVERYTHING. So the questions around full app decode and all that - we're not trying to do that. Parse enough to know the app - for real, not by L4 info - and enforce policy on that info, but not take over all the granularity you'd apply within the app itself.<br><br>Appreciate your take on our level of "commitment" to security. The analogy leaves a bit to be desired, but that's just because we're the bacon in this case...<br><br>Actually, it'd be great to talk live sometime. We could probably have a richer discussion that way, with more clarity around what ConSentry is and isn't trying to do. I'd really enjoy that chance. In the meantime, thanks for the dialogue.<br>--MichelleMichelle McLeanWed, 04 Apr 2007 03:15:53 -0000http://www.matasano.com/log/768/why-consentry-isnt-going-to-solve-security/#comment-2322024I just commented on something you left me on my blog prior to seeing this. I should have included ConSentry to the list:<br><br><a href="http://rationalsecurity.typepad.com/blog/2007/04/the_philosophy_.html" rel="nofollow">http://rationalsecurity.typepad.com/blog/2007/0...</a><br><br>The port density "commitment" to high-speed security that Crossbeam has is, indeed, like comparing bacon to eggs ;) <br><br>We're not trying to replace the access layer. We sit in different areas of the network protecting different things. Perimeter or off the core switching fabric in the datacenter is where we sit. No need for high port densities; shunts off the switches with MLT gig ports or 10Gb/s connections into the load-balanced network processing modules that load balance across security applications running on blades in the same chassis.<br><br>Don't need 500 core MIPS processors or a bunch of ASICs. FPGA's and Intel processors do just find when you can scale sideways, thankyouverymuch.<br><br>As to your other points (and not trying to single out Consentry) you're absolutely correct.<br><br>/HoffChristofer HoffTue, 03 Apr 2007 15:59:51 -0000