• A high-end “proxy”-style firewall, which was widely used in the US intelligence and defense communities
• A two-factor authentication division
• A censorware division that, for example, had run Saudi Arabia’s web censorship since the late 1990s
• A firewall-on-a-board OEM deal with 3COM

The short idea was in large part that the firewall-on-a-board idea had caused great overoptimism, stoked by the company. On further digging, I found that CEO John McNulty’s resume, as stated for example in Secure Computing’s SEC filings, seemed inconsistent with his resume as stated in SEC filings of his prior employer. Nobody seemed to care much about correcting that, however.

I quickly stopped doing business with the investment research firm in question, and nothing came of the investment project. But I wasn’t surprised when, in its very first batch of Reg FD enforcement actions, the SEC slapped Secure Computing and McNulty.

Secure Computing has subsequently made a lot of acquisitions and divestitures. I have no doubt many of the products deserve to live on, and almsot all of the people working on them deserve jobs making that happen. Even so, I’m glad to see the company itself going out of existence. And I’d guess it’s no coincidence that Secure is selling out less than half a year after McNulty’s much-belated resignation as CEO.

1. I need a mail host that can stand up under the kind of mailbomb/DDOS attacks that shut me down twice in the past year.
2. Similarly, I want to diversify my email addresses among two providers, rather than leaving them all with my general web hosting company.
3. David Ferris first wrote up Google Mail outsourcing, with a favorable view, last July. And some of his criticisms (e.g., lack of IMAP support) have already been rectified.
4. What’s more — as I remarked last night, David and his associate Richi Jennings have been voting with their feet, and moving their own email to Google. That’s an impressive endorsement. Ferris Research is a serious rival to Gartner as an analyst firm covering email, and Richi — who evidently LOVES Gmail — has also carved out a non-trivial identity as an expert in his own right.
5. Free sounds good, compared with the alternatives.

Now that I’ve gone ahead with the move to Google Mail, here are some scattered thoughts:

• Some terminology: Technically, Google Mail is part of the Google Apps service. And the terms “Google Mail” and “Gmail” are pretty interchangeable (you even have two choices of server name when setting up POP3 access).
• Google’s UI to get started can be a bit confusing. But googling on Google Apps will get you to the right place, namely this link.
• Particularly confusing is dealing with the MX records. My domain registrar didn’t seem to offer a way to redirect them at all. The cpanel interface for redirecting MX at my hosting company wasn’t very good; Google asks for about 7 entries of declining priority, but cpanel only makes it easy to enter 1. (I wound up asking my hosting company’s support to make sure all the entries were listed that should be.)
• If there’s a way to sort messages by subject or sender in Gmail online, I haven’t found it. That’s a major oversight if it can’t be done, or a minor one if it’s merely too hard to figure out how to do it.
• Setting up POP3 access has some steps that aren’t present in, say, setting up POP3 via a typical hosting company. You need to go into “Settings” and explicitly enable POP3 access. You also need to explicitly enable SSL in your mail client (on Eudora, the default setting did NOT work). Basically, you need to open this page or something similar, and actually look at the steps for your client. Chances are one or two will be non-obvious.

That’s about it for now. In particular, I haven’t done anything yet with Google Mail’s search capabilities. More on that down the road, perhaps.

• Crossbeam has two main hardware platforms – the high-end X-series and the midrange C-series. The X-series is the one with the architecture I previously praised, and about which Paul himself is “really excited.” The less remarkable C-series, however, is the one Check Point’s UTM-1 products are actually based on.
• There are three UTM-1 models. Two of them use hardware that exactly duplicates Crossbeam’s C2 and C6. The most powerful of the three – the 2050 – is based on a modified C6 design. Paul isn’t 100% sure in his recollection of what the modification was, but thinks it’s probably extra RAM.
• The hardware is actually manufactured by an unnamed Asian outfit. Crossbeam currently buys the boxes and resells them to Check Point. It is anticipated that this will change over time, and Check Point will take care of procuring its own boxes (from the same manufacturer). At least, that’s the plan if the Check Point and Crossbeam hardware specs significantly diverge.
• The Crossbeam C-Series — and hence also the new Check Point UTM-1 – are indeed classic Type 1 appliances. The biggest difference vs. generic Dell/HP/whatever servers is the density of Ethernet ports (4-8 per box, depending on model). In particular, Check Point is very proud of the work it’s done optimizing for Intel processors.*
• Notwithstanding anything above, the UTM-1 machines really are Check Point appliances. Check Point does 100% of the support, it has some administrative software pieces that are different from Crossbeam’s, etc.

*Indeed, as the focus of security processing shifts more and more to the application layer, they contend security processing is more and more like any other kind – rather than, say, low-level network processing.

What seems to be going on here is that Check Point is cannibalizing Crossbeam’s C-Series business, and Crossbeam is being gracious about giving it up while focusing on the much more differentiated and strategic X-Series. Crossbeam self-identifies as a high-end player anyway, so this all makes perfect sense. The real issue for Crossbeam going forward has little to do with whether it can squeeze a few more commodity dollars out of the midrange. Rather, it’s whether Crossbeam can hold its technical lead when the large server manufacturers finally figure out the need to create virtualization-friendly, networking-friendly, blade-based systems. The key point here is “networking-friendly”; many servers just need more data movement capability than conventional systems now provide.

Or to put it another way: The computer is a network.

However, that turns out to be wrong in two interesting ways. First, it was slightly incorrect all along; Check Point’s “Edge” product line has been Type 1 for almost five years. Second and more important, a few weeks ago Check Point announced that it was finally entering the Type 1 appliance mainstream market itself.

“Edge” products almost don’t count; they’re limited-functionality perimeter devices that only work well if managed and strengthened by bigger Check Point deployments at remote locations. But the new Check Point UTM-1 appliances absolutely compete head-on with Juniper (nee’ Netscreen) and other mainstream firewall – excuse me, “unified threat management” — appliance vendors.

Check Point says its motivation for introducing physical appliances is their ease-of-deployment benefit. That sounds right to me. The primary other alternative would be performance, and that’s not what’s going on. While custom-manufactured, these Intel-based boxes seem to be quite generic, with the biggest non-standard aspect being the number of high-speed Ethernet ports. (Configurations vary among three models, targeted at 100- to 1000-user installations.)

So how does this affect Nokia and Crossbeam, Check Point’s two most important hardware partners? At the moment, it hardly affects them at all; they sell to a higher-end market than is served by these new appliances. Longer-term, it’s harder to say.

Technically, Crossbeam isn’t dependent on Check Point at all. But in practice, Crossbeam would be in a world of hurt should Check Point decide to compete directly. On the other hand, it’s not at all obvious that there are enough hardware margins to make it worthwhile for Check Point to turn against its partners. As for software – well, “unified threat management” is impressive in either its unification or its management. There’s a ways to go before we’ll know whether Crossbeam’s “best of breed” software mix will outdo Check Point’s “unified”-but-actually-involving-multiple-partners own umbrella offering.

*Uh, Matt, can you do anything about increasing the 150 capacity limit of the Akismet spam quarantine? I run over it all the time, often in less than 24 hours.

Suppose it were still the case that spammers could get search engine ranking boosts from blog comment spam. Don’t you think they would be motivated to craft subject-specific comments that are very hard to distinguish from the real things? Search engine ranking algorithms are taking ever more accounting of the topics of pages that link to sites, the topics of the pages that link to THOSE pages, the topic of the text around the link, and so on. Few forms of search engine optimization are more valuable than “good” links. A comment that stayed up on a popular and topic-relevant blog would be of high SEO value — think $25-$250 in perceived value as a super-rough estimate — and great efforts would be devoted to getting them. The whole blogosphere might be corrupted in the process.

Blog software’s adoption of the NoFollow tag is a VERY good thing.

Half or more of the computing appliance vendors I’ve looked into follow very similar hardware strategies: They use mainly standard parts; they include uncommon but off-the-shelf networking (and sometimes encryption) accelerators; and they of course optimize the mix of those parts and general hardware architecture as well. (EDIT: I actually gave names to three strategies — even if they were just “Type 0″, “Type 1″, and “Type 2″ — in this overview of data warehouse appliance vendors. And in another post I considered arguments about whether one would want a data warehouse appliance at all.) Examples I’ve posted about recently include – and I quote the forthcoming column – “DATallegro and Teradata (data warehousing), Cast Iron Systems (data integration), Barracuda Networks (security/antispam), Blue Coat Systems (networking), and Juniper (security and networking).” (ANOTHER EDIT: But I think DATAllegro’s strategy has changed.)

By way of contrast, there’s also a group whose stance is more along “hardware/schmardware” lines. Sendio and Proofpoint (in most cases) don’t really do anything special at all in their boxes; what’s more, Proofpoint actually has significant software-only deployments over VMware’s virtualization layer. Kognitio and Greenplum think their software-only data warehouse offerings are appliance-equivalents too; indeed, Greenplum’s software is sold mainly bundled with Sun hardware (to the extent it’s sold at all), and Kognitio is hinting at an appliance-like offering for competitive reasons as well. Check Point Software plays both sides of the field; it offers its own kind of “virtual appliance,” but also gets many of its sales through appliance vendors. Its most interesting such partner, if not its biggest, is Crossbeam Systems, which in my opinion may very well represent the future of appliance technology.

The company seems to be doing well. It was founded with a focus on telecom carriers, but gets 40% of its business from enterprises (post-bubble strategy shift). Privately held, it claims many hundreds of customers, with lots of repeat business. There seems to be an analyst study ranking them extremely highly for the high-end of the market. Check Point mentioned Crossbeam to me in the same breath as Nokia as one its two principal revenue sources among appliance partners, which is impressive because the Check Point/Nokia combination goes back to very early days. It also suggests that Crossbeam is selling a lot of stuff.

According to my notes, there are four major components to Crossbeam’s chassis-based products:

• the chassis itself;
• network processing modules (NPMs), for load-balancing and the like;
• control processing modules (CPMs), and
• application processing modules (APMs).

(Actually, I’m not too clear on whether it’s “processing” or ”processor” in those names; indeed, I’m not 100% sure they’re firm on the point themselves …)

NPMs, CPMs, and APMs are all separate blades; in fact, they can be bought separately, potentially with various software products already loaded, if you already have a Crossbeam chassis. Each incorporates a Crossbeam networking-oriented FPGAs. The NPM itself has further FPGAs (I’m not sure what they’re used for). Next-generation product plans incorporate a 16-core MIPS security processor (I’m not sure in which modules). Except for these components, the modules seem to be fairly generic Intel-based blades.

Crossbeam’s choice of specific software partners is probably the least interesting aspect of the story. It’s biased towards traditional industry leaders who haven’t committed to an appliance strategy themselves, notably Check Point, ISS, Sourcefire, Trend Micro, Websense, and Optinet. However, it’s not a strict best-of-breed list. For example, the French defense agencies don’t like to buy from Israeli vendors, and hence Crossbeam supports a couple of no-name Gallic firewalls as Check Point alternatives.

Crossbeam claims that lack of management integration among these point products is not a competitive problem, since it sells to customers large enough that different individuals management different aspects of security and networking anyway. In fact, separation of duties and hence privileges is a best practice for maximum security.

Check Point started out selling software on Sun boxes and the like. Rather than get into appliances itself, it formed partnerships with hardware vendors who’d roll its software into appliances, and soon a lot of its business came from this channel, especially via Nokia. This strategy has continued, with Crossbeam Systems joining Nokia in providing large chunks of Check Point’s overall revenue.

While not liking to disclose much in the way of revenue breakdowns, Check Point admits that appliances dominate its business at the high end of the market, where high-speed networking, extra reliability, and so on are important (especially the reliability). Appliances also dominate at the low-end, where ease of deployment is crucial. (“Custom” hardware in this case is best represented by an accelerator card called “VPN-1,” made by Silicom, Ltd.) But in the big middle, packaged software is still highly competitive, accounting for (according to outside estimates that the company doesn’t laugh at) half or so of Check Point’s business.

But here’s the thing. Relatively little of that software is still, say, a firewall you can install on a Linux server. Rather, Check Point sells many more firewall/OS bundles, which are (it is claimed) super-easy to install on random Intel-based boxes. These are the “virtual appliances.”* Is this cheaper than a tailored appliance? Well, that depends a whole lot on whether you had an extra box lying around, or whether you have a master maintenance contract with a standard box vendors, and so on. Evidently, many customers think it is, while many other customers prefer physical appliances.

*Check Point also has VMware-based virtual appliances, but so far isn’t getting much uptake of those except for demo purposes.

Juniper is pushing an “integrated” security product that, like most such offerings, sounds pretty cobbled-together. Still, they’re trying. And what’s really interesting is their point that networking and security can most cost-effectively be deployed in the same box. While this may not be a compelling story at the high end, for reasons I mention in my post on Crossbeam, it sure should have a lot of appeal for branch office deployments, and even for central offices of less-than-utterly-paranoid organizations.

• Demo (of course).
• Tweak, test, deploy – between patches and new anti-spam rulesets, Proofpoint users seem to have a rapid change/test/deploy cycle. Virtualization makes it possible to do that without having multiple copies of an appliance.
• Disaster recovery – this seems to be a big one.
• “Surges” – depending on what the bad guys are doing, one’s need for anti-spam servers can go up and down in a hurry. Virtualization makes it easy to respond.

It probably is not coincidental that Proofpoint makes less use of custom hardware that many other appliance vendors. In most cases, Proofpoint just buys servers from a vendor such as Dell and fiddles with their packaging. For some applications it does add enhanced networking capabilities, as other appliance vendors do; while I neglected to ask explicitly, I got the impression these weren’t the ones commonly deployed on VMware.

Proofpoint said that very few of its customers bought VMware in connection with their Proofpoint deployments; except in a couple of cases, they already had it and were using it for other things.