gorillaTaking shots at the industry behemoth is not for the faint of heart and can't be done (successfully) unless your side has the logistics of the US Army (Air Corps in the graphic) on your side. 

Interesting actions this past week on the PR front. Firstly, my friend and collaborator Steve Taylor sponsored an email dialog with 2 leading proponents in the marketplace. In his newsletter at NetworkWorld, Steve sponsored a 'battle royale' between Cisco and Nortel. The debate?

Resolved: That there are benefits of single vendor solutions.

Cisco's director of marketing, Ben Goldman, gave a somewhat earnest rendition of the Cisco company song.  

Nortel's director of strategic enterprise technology Tony Rybczynski explained the risks of lock-in and the like.

And in a quick survey of respondent comments, it seems there are very real costs of being trapped.

And in another sector of the galaxy…

When the 800-lb gorilla changes strategy to adopt one that is the identical of a major competitor speaks volumes for the credibility of that competitor. But the issue is how to deal with that?

There were so many advantages to being different. Now, being the same doesn't seem to be so unique (well because it's not).

There can be only one answer: You tell people about it. Everybody you can find, you tell about it.

This is exactly what Aruba has done with respect to Cisco's big change in their mobile security strategy.

Cisco Admits Defeat of Port-Centric Security, Switching to Aruba's User-Centric Security Model

January 31, 2003 – Aruba revealed major advancements in Wi-Fi switching technology that for the first time let corporations lock the air against intruders, enable high-speed mobile firewalls that follow users, and construct self-calibrating Wi-Fi networks in a single integrated platform. (http://www.arubanetworks.com/company/press/2003/01/20)

December 5, 2007  Cisco unveiled its "novel" TrustSec role-based architecture that they claim addresses key compliance requirements and simplifies security deployments. TrustSec functionality is scheduled to be available across the Cisco switching platforms over the next 18 months with the rollout starting in the first quarter of 2008.

After 4 years Cisco has finally realized that their vaunted port-centric security and NAC are inadequate for mobile users, and the time has come =o adopt Aruba's identity-based security model. Problem is it will take Cisco another 18 months to roll it out across their product line if they are fortunate enough to get the model right. That's a full 5 BD years after Aruba launched its user-centric security model.

The Claims

1. Cisco claims that their Aruba-like security will be designed into their switches, but doesn't explain how they will overcome the integration issues they face trying to integrate the Aruba-like security into their acquired-over-time multi-appliance deployments. 18 months may not be long enough or they might have to scrape much of the architecture they spent hundreds of millions of dollars acquiring.

2. Cisco claims that the Aruba-like security will work for mobile workforces, but doesn't explain how it will be integrated with their client-based VPN solutions. Cisco has not analog for Aruba's Remote Access point technology, and it may well be that branch offices and remote users will have to navigate layers of security barriers before being admitted into the network – plug-and-pray vs. Aruba's plug-and-be-done model.

3. Cisco claims that TrustSec will encompass its switches, routers, and wireless controllers. In writing worthy of Ayn Rand, this will be "converged into a single central policy engine that dynamically communicates across the entire switch infrastructure…greatly simplifying the management of identity."  Hold the press – Cisco also claims that they will "distribute admission control and access control =mechanisms throughout the network." Where will the policies reside? Is there a single, centralized point of management even in massively scalable deployments? How will the network recover in the event of a device failure? Will all of these devices have different service management interfaces?  WCS, IOS, CiscoWorks – will they integrate these management platforms as well?

Cisco's TrustSec white paper shows security group access control lists (SGACLs) enforced across multiple Catalyst switches, but doesn't identify the engine responsible for driving them. If the SGACLs are each maintained separately in every Catalyst then the possibility exists for out-of-synch information to be propagated. If the list resides in a single switch then it remains unclear how standalone WLAN controllers or other appliances will be supported in the event of a communications failure.

4. Nemertes Research claims that IT executives cited Cisco as the top strategic security vendor relied on to help with security initiatives.  A recent VeriSign report (available on request) shows that few Cisco wireless LAN deployments actually implement security including firewalls and WIDS.

5. Cisco announced that it is enabling IEEE 802.1AE-based components to communicate and negotiate the encryption of data, while preserving the full range of network-based services. This may enhance interoperability between Cisco TrustSec capable switches and Intel AE Ethernet controllers, but it is a far cry from offering Aruba-like identity-based security that overlays over any existing L2/L3 network infrastructure including Cisco's.

6. Cisco plans to retain the existing hardware capabilities within Cisco  Catalyst AE switches. That may mean a new appliance/blade – and most certainly means an expensive new software upgrade. The "preservation of assets" does not mean that additional "investments" will not be required including components such as chassis and power supplies.

7. TrustSec is scheduled to be available across the Cisco switching platforms throughout the next 18 months beginning in the first quarter of 2008. Announced products that will incorporate this new technology: Catalyst 6500 switches.


The implications of this about-face are monumental for Cisco's  customers. Equipment upgrades, extensive retraining, reimplementation of existing networks, obsolescence of recent equipment purchases – all of these burdens will fall squarely on the shoulders of Cisco's customers. Any why? Because Cisco lacked the foresight to see that secure mobility was the wave of the future, a model that Aruba embraced and has been delivering to its fast-growing base of more than 3500 customers since 2003.

Michael R. Tennefoss, Head of Strategic Marketing


Pretty biting commentary, but definitely several strong points from Michael. The key has got to be to fight for every deal, every positioning point and exploit changes in the gorilla's movements. The burden of Cisco's own success will affect their ability to respond to real market needs.

With other vendors like Nortel and Aruba constantly challenging the gorilla to respond to real innovations, and box them into the context of responding to losing arguments (single vendor strategies tend to only serve the needs of the vendor chosen), real arguments customers will gradually get weary of the Cisco model, and in that way work to create vibrant markets. 

We're not there yet though, so we need more. 

This post has already been read 0 times!