Check Point Software’s unusual appliance strategy
Check Point Software is the traditional leader in the firewall market, having seized large market share in its early days by innovating convenient, GUI-based policy management tools. Except in niches, its competitors today are mainly networking giants Cisco and Juniper. (Juniper acquired Netscreen in 2004.) Unlike most other security software vendors, Check Point continues to focus on being a packaged software vendor (but see below). Even so, almost all Check Point software is sold either on appliances or as a “virtual appliance.” I’ll explain.
Check Point started out selling software on Sun boxes and the like. Rather than get into appliances itself, it formed partnerships with hardware vendors who’d roll its software into appliances, and soon a lot of its business came from this channel, especially via Nokia. This strategy has continued, with Crossbeam Systems joining Nokia in providing large chunks of Check Point’s overall revenue.
While not liking to disclose much in the way of revenue breakdowns, Check Point admits that appliances dominate its business at the high end of the market, where high-speed networking, extra reliability, and so on are important (especially the reliability). Appliances also dominate at the low-end, where ease of deployment is crucial. (“Custom” hardware in this case is best represented by an accelerator card called “VPN-1,” made by Silicom, Ltd.) But in the big middle, packaged software is still highly competitive, accounting for (according to outside estimates that the company doesn’t laugh at) half or so of Check Point’s business.
But here’s the thing. Relatively little of that software is still, say, a firewall you can install on a Linux server. Rather, Check Point sells many more firewall/OS bundles, which are (it is claimed) super-easy to install on random Intel-based boxes. These are the “virtual appliances.”* Is this cheaper than a tailored appliance? Well, that depends a whole lot on whether you had an extra box lying around, or whether you have a master maintenance contract with a standard box vendors, and so on. Evidently, many customers think it is, while many other customers prefer physical appliances.
*Check Point also has VMware-based virtual appliances, but so far isn’t getting much uptake of those except for demo purposes.
| Categories: Check Point Software, Computing appliances, Crossbeam Systems, Security and anti-spam | 3 Comments |
Juniper’s integrated appliance story
Juniper Networks acquired super-hot security appliance vendor Netscreen in 2004. At the time, Netscreen’s products were ASIC-based. But as of the 2006 release of its SSG product line, Juniper has come in line with what is pretty much the standard appliance vendor technical strategy. It builds its boxes from standard parts, with the exception of some unusual but still off-the-shelf networking accelerators (most notably an IPsec and encryption accelerator chip from Cavium). It has its own OS, with unneeded services left out both for performance and security. One cool point – Juniper’s security products and routers run in some cases on literally identical hardware, despite having different operating systems, let alone “application” software. The customer can, for example, keep one set of spares for both classes of product. Read more
| Categories: Computing appliances, Juniper Networks, Security and anti-spam | 1 Comment |
Proofpoint and VMware – an apparently non-trivial virtual appliance success story
I talked with Proofpoint today, and got a more positive view about VMware’s virtual appliance strategy than I’ve gotten from other appliance vendors. They cite over 500 downloads in the past couple of months, of which a significant fraction have turned into actual sales. Specific deployment scenarios they mentioned include:
- Demo (of course).
- Tweak, test, deploy – between patches and new anti-spam rulesets, Proofpoint users seem to have a rapid change/test/deploy cycle. Virtualization makes it possible to do that without having multiple copies of an appliance.
- Disaster recovery – this seems to be a big one.
- “Surges” – depending on what the bad guys are doing, one’s need for anti-spam servers can go up and down in a hurry. Virtualization makes it easy to respond.
| Categories: Companies and products, Computing appliances, EMC and VMware, Platforms, Proofpoint, Security and anti-spam, Virtualization | 4 Comments |
Sendio — no effective response to the niche-forever challenge
Sendio is something of an exception to the appliance vendors I’ve been chatting with. There’s nothing particularly unique about their hardware or software architecture, and ease of deployment isn’t a big deal for them either. Indeed, it’s a little unclear to me that they really need to be an appliance vendor at all – but what the heck, they’re in the anti-spam market, and appliances are popular there.
So let’s go straight to their anti-spam technology, which is challenge/response. Read more
| Categories: Computing appliances, Security and anti-spam, Sendio | 5 Comments |
David and Richi on Cisco and Ironport
The Ferris Research lads offer a succinct analysis of the Cisco/Ironport deal. As an old software stock analyst, I was particularly struck by their estimates that A. Cisco paid over 10 times revenue for Ironport and B. Ironport’s revenues weren’t growing. Even more interesting in my opinion is what Richi said to me by e-mail in response to a query, namely (emphasis mine):
Yes, clearly IronPort’s reputation data is part of the prize for Cisco. …
An interesting question is what will happen (if anything) with SpamCop. IronPort deliberately ran SpamCop at arm’s length as a matter of policy. I wonder if Cisco will maintain that policy. SpamCop is of course part of the raw data feeding into SenderBase, along with the data phoned home by the IronPort boxes.
As we’ve seen with the BlackSpider acquisition by SurfControl, spam control companies that aggregate lots of data about spam sources are valuable, for reasons in addition to spam control. If a zombie is sending spam, it’s also probably a potential source of other bad stuff, such as worms and DDoS connections.
Quite possibly, one of Cisco’s goals (dreams?) for this acquisition is to put a whole lot of sender policing into the network infrastructure. Mainly, that’s a good thing — but like most kinds of internet policing, that technology also has the potential for abuse.
In that vein, I note that the Ferris guys say Ironport’s big competitor was Ciphertrust, acquired by Secure Computing. Well, in my opinion Secure Computing are bad guys, or at least were as of my research a few years ago. They have long helped enforce nationwide Web censorship in Saudi Arabia; they got dinged by the SEC for early for CEO stock hyping/selective disclosure; they in my opinion were guilty of a lot more hyping than that; and for the cherry on top of this ethical sundae, CEO John McNulty has a resume in Secure’s SEC filings that is inconsistent with the SEC filings of a previous employer.
| Categories: Computing appliances, Privacy, censorship, and freedom, Security and anti-spam | Leave a Comment |
Flash drives as hard-drive replacements
SanDisk is pushing a 32-gig flash disk that costs multiple hundreds of dollars more than a large hard drive. (Here’s The Register’s take on it.) One figure they cite is a 100-fold+ improvement in access speed. The speed difference between disk and silicon, of course, is something I’ve focused on in my research into memory-centric data management, and also in some of the work on data warehouse appliances as well. They are proposing this as the entire fixed memory for laptops. And in a much cheaper vein, Nicholas Negroponte is proposing a diskless architecture for the 100-dollar laptop.
But to me, the really interesting future here is PCs with removable persistent solid-state storage. I wrote about the subject a year ago, and I just want to take this opportunity to remind people that’s it’s a desirable and not-implausible way for personal computing and consumer electronics to evolve. If the storage part of the system can be separated out, what you’re left with is mainly the human-facing I/O and the processing power to drive that. So from where I sit, portable external storage could drive an explosion in interesting and useful electronic device form factors.
| Categories: Diskless PCs, Hardware | 2 Comments |
(Crosspost) New ways to read our research!
We’ve finally redesigned the Monash Information Services website. In particular, we’ve created two great new ways to read our research. First, there’s a new, Google-based integrated search engine. (And it really works well, the one glitch being that it brings back feeds and pages interchangeably. Try it out!) Also – and I really encourage you all to subscribe to this — there’s a new integrated research feed.
The reason you should care about these is in both cases the same: Our research is actually spread across multiple sites and feeds. I write about Google both in the Monash Report and on Text Technologies. I write about enterprise text management both on Text Technologies and on DBMS2. I write about computing appliances both on DBMS2 and in the Monash Report. I write about data mining in all three places. And now that there’s an integrated, industry history relevant to any of the other subject areas may find its way onto Software Memories. Your view of my views simply isn’t complete unless you have access to all of those sites.
| Categories: About this blog, Monash Research highlights | Leave a Comment |
Typical nonsense from SAP
Below, essentially in its entirety, is an e-mail I just received from SAP, today, January 3. (Emphasis mine.)
Thank you for attending SAPs 4th Annual Analyst Summit in Las Vegas. We hope you found the time to be valuable. To ensure that we continue meeting your informational needs, please take a few moments to complete our online survey by using the link below. We ask that you please complete the survey before December 20. We look forward to receiving your feedback.
What makes this typical piece of SAP over-organization particularly amusing is that I didn’t actually attend the event. I was planning to, but after considerable effort I think I finally made it clear to VP of Analyst Relations Don Bulmer that I was fed up with being lied to* by him and his colleagues. In connection with that, we came to a mutual agreement, as it were, that I wouldn’t go.
*and lied about
Obviously, administrative ineptitude and dishonesty are two very different matters, united only by the fact that they both are characteristics of SAP, particularly its analyst relations group. Having said that, I should hasten to add that there are plenty of people at SAP I still trust. If Peter Zencke or Lothar Schubert tells me something, I expect it to be true. And it’s not just Germans; I feel the same way about Dan Rosenberg or Andrew Cabanski-Dunning, to name just a couple non-German SAP guys.
But I have to say this — both SAP’s ethics and its internal business processes are sufficiently screwed up as to cast doubt on SAP’s qualifications to “run the world’s best-run businesses.”
| Categories: Enterprise applications, SAP | 12 Comments |
Virtual appliances, virtual SaaS?
I chatted with VMware today about virtualization, virtual appliances, and so on. But first we covered some basics:
- VMware quotes a figure of 20,000 enterprise customers, if you count everybody who is at least testing the software and so on; i.e., it’s a somewhat inflated figure. Still, the “real” number is surely big.
- They claim ¼ of those have a “VMware first” policy, to deploy new apps on a virtual rather than dedicated machine. That’s impressive until you realize enterprise try to roll their own apps as rarely as possible these days.
- They suggest VMware is extremely helpful at times you’d like to have two copies of the same platform – e.g., for development, or when you have to take the system down for brief maintenance. It’s hard to argue with that claim.
- We didn’t have the time to talk about my performance concerns.
As for how this all plays with appliances and SaaS – that’s largely a future, but potentially a very interesting one. Here’s what I mean. Read more
| Categories: Computing appliances, EMC and VMware, Hardware, Platforms, Software as a service, Virtualization | 4 Comments |
Some thoughts from Blue Coat Systems
Another vendor I spoke with in my research into appliances is Blue Coat, who offer systems that help with caching (not a recent emphasis), proxy, “performance enhancement,” and/or “WAN optimization.” Details differ, but their story is generally consistent with what I’m hearing elsewhere.
- They use pretty generic computer parts. The biggest exceptions are specialized but still off-the-shelf cards for networking (fail-to-wire capability) and encryption. They think – as do I – that this is pretty typical for appliance manufacturers. However, different appliance vendors in the same market differ greatly in the mix of parts they use. (This is also true in data warehouse appliances.)
- They wrote their own OS. With fewer services than general operating systems, it’s inherently more secure (they fondly and credibly believe).
- They think there’s a general trend for specialized appliances to merge into more general ones. In the security/networking space, I’ve seen this too, but I don’t know whether the point has broader applicability.*
- Their maintenance fees as a percentage of purchase price are a lot lower than those typical for packaged software.
*But then, the vast majority of enterprise computing appliances are in the security/networking space. Data warehouse appliances are probably the biggest exception, at least if we define “appliance” loosely enough to include Teradata.
| Categories: Blue Coat Systems, Computing appliances, Security and anti-spam | 1 Comment |