January 12, 2007

Proofpoint and VMware – an apparently non-trivial virtual appliance success story

I talked with Proofpoint today, and got a more positive view about VMware’s virtual appliance strategy than I’ve gotten from other appliance vendors. They cite over 500 downloads in the past couple of months, of which a significant fraction have turned into actual sales. Specific deployment scenarios they mentioned include:

Read more

January 10, 2007

Sendio — no effective response to the niche-forever challenge

Sendio is something of an exception to the appliance vendors I’ve been chatting with. There’s nothing particularly unique about their hardware or software architecture, and ease of deployment isn’t a big deal for them either. Indeed, it’s a little unclear to me that they really need to be an appliance vendor at all – but what the heck, they’re in the anti-spam market, and appliances are popular there.

So let’s go straight to their anti-spam technology, which is challenge/response. Read more

January 5, 2007

David and Richi on Cisco and Ironport

The Ferris Research lads offer a succinct analysis of the Cisco/Ironport deal. As an old software stock analyst, I was particularly struck by their estimates that A. Cisco paid over 10 times revenue for Ironport and B. Ironport’s revenues weren’t growing. Even more interesting in my opinion is what Richi said to me by e-mail in response to a query, namely (emphasis mine):

Yes, clearly IronPort’s reputation data is part of the prize for Cisco. …

An interesting question is what will happen (if anything) with SpamCop. IronPort deliberately ran SpamCop at arm’s length as a matter of policy. I wonder if Cisco will maintain that policy. SpamCop is of course part of the raw data feeding into SenderBase, along with the data phoned home by the IronPort boxes.

As we’ve seen with the BlackSpider acquisition by SurfControl, spam control companies that aggregate lots of data about spam sources are valuable, for reasons in addition to spam control. If a zombie is sending spam, it’s also probably a potential source of other bad stuff, such as worms and DDoS connections.

Quite possibly, one of Cisco’s goals (dreams?) for this acquisition is to put a whole lot of sender policing into the network infrastructure. Mainly, that’s a good thing — but like most kinds of internet policing, that technology also has the potential for abuse.

In that vein, I note that the Ferris guys say Ironport’s big competitor was Ciphertrust, acquired by Secure Computing. Well, in my opinion Secure Computing are bad guys, or at least were as of my research a few years ago. They have long helped enforce nationwide Web censorship in Saudi Arabia; they got dinged by the SEC for early for CEO stock hyping/selective disclosure; they in my opinion were guilty of a lot more hyping than that; and for the cherry on top of this ethical sundae, CEO John McNulty has a resume in Secure’s SEC filings that is inconsistent with the SEC filings of a previous employer.

December 27, 2006

Some thoughts from Blue Coat Systems

Another vendor I spoke with in my research into appliances is Blue Coat, who offer systems that help with caching (not a recent emphasis), proxy, “performance enhancement,” and/or “WAN optimization.” Details differ, but their story is generally consistent with what I’m hearing elsewhere.

*But then, the vast majority of enterprise computing appliances are in the security/networking space. Data warehouse appliances are probably the biggest exception, at least if we define “appliance” loosely enough to include Teradata.

December 27, 2006

Computing appliances — architected for network stream processing

I’ve been researching computing appliances quite a lot recently, including for an upcoming trade press column. As part of the research, I circulated preliminary thoughts and questions to a variety of appliance vendors. One, Barracuda Networks, responded at length via e-mail. Credit goes to Steve Pao, VP of Product Management. I’m posting the interchange below.

Q1. Stream processing is different from conventional business computing. Different hardware architectures are commonly appropriate.

A1. Stream processing is different, particularly for enterprise networks, because data in the stream should not back up during processing to create latency. In traditional business computing, total throughput is measured more often than latency. Minimizing latency requires careful attention to layering processing to handle as much as possible with the least expensive operations first, keeping the footprint as small as possible to minimize any virtual memory swapping, and minimizing I/O. There are some hardware considerations, but this is often over-emphasized. As applications delivered through appliances continue to grow in complexity, software architecture plays an often under-represented role.

Barracuda Networks has designed the architecture of its appliances with these characteristics in mind. For example, the Barracuda Spam Firewall’s architecture leverages 12 defense layers, focusing on those layers that require the least processing upfront. This layered approach minimizes the processing of each spam message, which yields the performance required to process email for tens of thousands of users in a single appliance.

CAM note: This kind of “it’s the software, stupid” response is typical of what I hear from appliance vendors.

Q2. For most kinds of appliances, custom chips are nice-to-have but not must-have. And by the way, if there are “custom” chips, they will usually actually be FPGAs.

A2. Custom chips are useful for very high volume/low cost appliances because they can help reduce cost of goods. That said, for most enterprise-class networking and network security appliances, off-the-shelf chips generally provide the performance and flexibility to deliver performance for today’s networks.

Q2A (followup): Looking into this further, I’m getting the sense that boxes are custom but components are not. That is, appliances with a stream-processing flavor commonly include networking cards that, while standards, aren’t common in general-purpose computers. Encryption also is commonly handled by specialized chips.

A2A. Yes, delivery of appliances often requires use of components that, while standard, are not typically used in general purpose computers. Even beyond hardware that vendors may use to enhance system performance, there are also hardware components that are included for the reliability requirements of networking appliances.

For example, the Barracuda Web Filter and Barracuda IM Firewall are network appliances designed to be deployed inline. On the Barracuda Web Filter models 310 and higher and the Barracuda IM Firewall models 320 and higher, the appliances include an Ethernet hard bypass that fails “safe” – allowing traffic to flow through – in the event of system failure.

As another example, the Barracuda Load Balancer is diskless and boots from high capacity flash memory.

Q3. Deliberately limiting the capability of the system makes it harder to hack. But this is important only in security appliances, and I’m not so sure it’s important even for them.

CAM note: The answer below confirms what I said, but with more accurate phrasing.

A3. It is common practice to minimize the number of traditional operating services in order to reduce the potential for vulnerabilities in the system. Every component that is used has the potential to open another vulnerability. That said, today’s applications require a level of sophistication that also requires more underlying services than ever before. As such, the important thing is to have a great internal development process for system design and maintaining a great relationship with the “white hat” security research community. Of course, while larger vendors are larger targets for exploits, they also have the advantage of having the notoriety to attract top security researchers to work with.

Q4. A huge part of appliances’ appeal is ease of deployment and administration. Applications used to arrive bundled with hardware very commonly, especially for smaller buyers (and for them it’s often true even today). Appliances offer the same benefit for system software.

A4. We agree with this assessment. Customers usually can get a Barracuda Networks appliance completely deployed in less time than it takes to load an OS onto a hardware platform – let alone install or configure software applications.

Q5. There’s a lot of grumbling about appliance maintenance costs, as appliance vendors charge percentage-of-purchase-price fees that would be appropriate for packaged software and apply them to the whole bundled hardware/software appliance.

A5. Interestingly, the appliance vendor often has to do more than a traditional software or hardware vendor. There’s a set of support issues that a traditional software vendor can simply sidestep because they don’t support the OS on the hardware. A hardware vendor can generally wash themselves of all issues not related to hardware. What the customer gains from support from a good appliance vendor is a complete solution and no finger pointing. All that said, if the appliance is overpriced, the customer may not get a good value. Customer should always look at the value and absolute dollars as opposed to percentages.

Barracuda Networks does not charge on a per-user basis. Customers pay a one-time fee for the appliance and a recurring yearly fee for Barracuda Energize Updates which include not only basic technical support and firmware updates but also, depending on the product, ongoing virus, spam definition, spyware definition, content filter, IM protocol, and intrusion prevention definitions. For a low annual fee, Barracuda Networks’ customers can deploy secure solutions with virtually no ongoing administration. Energize Update pricing is based on model number and starts at $499 per year.

Optionally, customers can also purchase an Instant Replacement service. In the event of hardware failure, Barracuda Networks products with active Instant Replacement subscriptions can be cross-shipped the next business day to minimize downtime. Instant Replacement pricing is also based on model and starts at $499 per year.

November 30, 2006

Anonymizer – penetrating the Great Firewalls of China and Iran

Lance Cottrell of Anonymizer is one of those rare guys who make me believe he started a company in no small part to do good. And so his cloaking-technology company is providing free services to help Chinese citizens sneak through their national firewall, and is doing the same thing for Iran on a paid basis, under contract to the Voice of America. I think this is wonderful, and he reports that it’s working well now. Even so, I think there are scalability concerns. Right now only 10s of 1000s of users are covered. If there were a few more zeroes on that, standard spam-blocking techniques, currently ineffective, might work. What’s more, the Chinese bureaucracy, currently not highly motivated to shut the service down, might bestir itself to be much more effective.

Read more

November 30, 2006

Anonymizer — internet privacy through anonymity

I chatted today with Lance Cottrell, the founder and president of Anonymizer. They’re a little 30-40 person company, but even so they do three different interesting kinds of things. In increasing order of importance, these are:

  1. Provide anonymity services to ordinary individuals.
  2. Provide anonymity services to enterprises (aka enterprise sneakiness support).
  3. Help people get through the national firewalls in Iran and China.

Read more

May 2, 2006

Spam: the bottom line

David Ferris tells me that his surveys show email users think they spend an average of five minutes a week dealing with spam. (Could somebody please post a link to the study in the comment thread below? David? Richi? Thanks!) On the one hand, that’s a huge problem. If you take the 5 minutes figure literally, that’s on the order of $100/year/user worldwide — i.e., order of magnitude $10 billion/year.

On the other hand, while it’s plenty of reason for enterprises to have good anti-spam, it’s not quite enough to motivate individuals to do a lot about it, unless there’s clever marketing driving them. Putting cash in the end-user’s pocket would be a good start; people like free money, the more so if it’s advertisers who are made to pay.

Thus I stand by my prior opinion: Sender-pay systems are a good idea if and only if some of that pay goes directly to the email recipients.

April 20, 2006

Flash drives and security — a modest proposal

I’ve argued that Flash-based “diskless” PCs would offer major improvements in security. On the other hand, evidence from US military installations in the Middle East suggests than Flash drives are actually a major security hole.

Can these views be reconciled? I think so. The answer, simply, is that Flash drives need embedded RFID chips (or some substitute technology) so that their movements can be detected and controlled.

“But wait!”, you cry. “Doesn’t that mean anybody who legitimately carries a secure Flash drive around can have her movements nefariously tracked?” Well yes, it does, but that genie is out of the bottle anyway. We just have to deal with it on another level.

Technorati Tags: , , ,

March 22, 2006

Goodmail, Esther Dyson, Andrew Orlowski, etc.

Esther Dyson weighed in in the New York Times on Goodmail-like services. Andrew Orlowski of The Register responded with his usual clueless misogyny.

Orlowski doesn’t just gratuitously bash Esther; whenever possible, he goes after Ann Winblad too. One hilariously stupid instance is this one, in which he fabricated a marriage between Ann and her business partner John Hummer. Hmm, Mitchell Kertzman is there now too. My mind is reeling at the possible menage’-a-trois possibilities …

Esther’s opinion, which I first heard her express almost 20 years ago, is this: Senders should pay readers for the time they spend in looking at email. And you know what? She’s right. Advertisers in broadcast, web, and print media pay us for our attention, by subsidizing the content we consume. So do event sponsors. Almost everything you read or hear about the technology industry is subsidized in one way or another by somebody who would like to sell something. (E.g., if you’re reading this free blog, I may be interested in selling you consulting services.)

Now to Orlowski’s response. Most of it was the kind of ad hominem trash he loves to dish out, especially but not exclusively about smart women such as Esther Dyson and Ann Winblad. Besides that, the main substance I found was “Think of the poor people who can’t afford to pay to send email?!” Well, Andrew — who are they writing to? Whoever it is, those recipients do NOT have to charge them for sending mail, whether that recipient is their mother, their electric company, or you. If you want to open your mailbox to, say, everything that comes in from the poor country of Nigeria, there’s nothing stopping you. (And you can still apply spam filters if you like.) Personally, I find that I get email from the occasional Third-World businessman or professor, but no starving Guatemalan peasant has ever found the time or motivation to send me a personal letter.

So what would my fees be? Without thinking it over at great length, they might be something like this:

Free — friends, acquaintances, family, return mail from tech support, etc.
Free — some news mailing lists
$.01 — other commercial mailing lists, if I opted in
$.25 — unsoliticited email from commercial vendors I have relationships with
$.50 — everybody else

I imagine the cost to senders would be roughly double the prices quoted above, which is OK.

One beauty of this system is that it would immediately turn spam into a matter of pure financial theft. I.e., you wouldn’t be able to spam unless you got somebody else to pay the email delivery charges, presumably by hijacking their computer and/or identity. Most users would have safeguards in place that made them go through security hoops if they wanted to send true spammishly large volumes of mail. And just as online theft isn’t really that big a problem today, this new form of online theft would probably also be a much smaller problem than spam now is.

Implementation of course isn’t easy. The trickiest part would probably be assigning prices to different senders, then adjusting the prices for different senders, and having the senders be automatically notified of the price adjustments. There’s also an antifraud problem, of a sort; if people are paid to get junk mail, they might make efforts to get lots and lots and lots of it to pad their bank accounts. (Wouldn’t that be just a wonderful recreation for smart teenage boys?)

But the technical issues, while non-trivial, are all solvable (or at least controllable — this scheme would indeed add more complexity that could then annoyingly malfunction). So what about adoption? Here’s one scheme that might work — email service providers might compete on the basis of not only being free, but of actually rebating cash to their users. This gets around what could otherwise be a bottleneck, namely the reluctance of consumer service providers such as AOL to share revenue with their customers.

What about nefarious uses? E.g., the government of China is all too eager to control information coming into the country, and this could be another tool. Hmm. I don’t have a fast answer. But I have even less of an answer as to what good would be done is this regard by refraining from using the technology in the rest of the world. After all, they can adopt it themselves if they want.

OK. I’m on board. How do we make this happen?

← Previous Page

Feed including blog about enterprise technology strategy and public policy Subscribe to the Monash Research feed via RSS or email:


Search our blogs and white papers

Monash Research blogs

User consulting

Building a short list? Refining your strategic plan? We can help.

Vendor advisory

We tell vendors what's happening -- and, more important, what they should do about it.

Monash Research highlights

Learn about white papers, webcasts, and blog highlights, by RSS or email.