Many vendors promote their "purpose-built" appliances and closed software as a value to the customer. These vendors have the "plug and play" advantage and you can "set it and forget it".
I haven’t been in the industry very long (5 years), but I imagine this appliance trend caught on after Cisco began producing purpose-built routers and switches. Every other vendor also decided it would be easier to sell networking and security solutions like canned fruit off the shelf. Customers got sick of the resulting conga line of appliances in their network and didn’t have time to log in to every different web interface to do anything. Vendors responded by adding more features and functionality, combining mature technologies into new solutions that got new names like Unified Threat Management.
Appliances Have Disadvantages
I make a living largely selling network appliances, but I’m a reseller, so I see things from the customers’ perspective. (Although vendors call resellers their partners, resellers are more like customers). I can tell you there are distinct disadvantages to the appliance approach:
- The customer is at the mercy of the vendor when it comes to product development. Unless a critical mass of customers want the same thing you do, you probably won’t get it. Since you have a black box with a GUI, there is nothing you can do about it other than jump ship to another vendor. The vendor may totally change directions or become stagnant. You will have to make another large capital expenditure to replace their appliance.
- When you do jump ship, you will have an expensive door stop that accounting still hasn’t fully depreciated.
- You may have bought the appliance for features A and B but you also bought features C, D, E and F. "Set and forget" takes on a whole new meaning.
From a salesman’s point of view, the appliance model makes it difficult to give customers exactly what they need because there isn’t enough granularity or portability of features. Customers are often forced to make trade-offs and sacrifices because they can’t find a solution that meets all of their conditions. They have to spend more and overlap solutions, or not buy anything, hoping they will get what they need in the next release. Despite the UTM all-in-one trend, customers still have to deploy multiple appliances to piece together what they want, or go without.
Will StillSecure Fix This?
What is the new paradigm that will give us the freedom and extensibility we now lack? Mitchell Ashley envisions a framework entitled the Unified Networking Platform. The UNP is off-the-shelf hardware, Linux, and a collection of modules. These modules will do whatever you want. You need a firewall? Install the firewall module. You want an email server? Install that module. What will be great is that you can mix and match networking and security modules to fit your needs and you won’t end up with any hardware that you can’t use. If there isn’t a module that does exactly what you want, then write one, or find a vendor to write one for you. Vendors could focus on writing software that solves problems rather than trying to commoditize a product that isn’t a commodity.
The further division of labor and greater variety of solutions would spawn an ecosystem of networking and security solutions that are much more resilient and responsive, would cost less and ultimately work better. I imagine it would be similar to installing WordPress or Drupal or any of the other content management systems on a LAMP server and then downloading additional modules to customize it to your requirements.
Mitchell wrote a whitepaper introducing the idea and promised more to come. You can download it here.
8 responses so far ↓
1 Rob Newby // Mar 14, 2007 at 3:21 am
Hi Jon,
First off you’re right to say that devices caught on from Cisco’s mass production of routers and switches as dedicated machines to do a single job rather than the functionality being built into their UNIX hosts – as had happened up until then.
Devices became popular because they addressed a business issue (way back in time), simple supply and demand. The reason devices are now lost is because they are seen as the easy way out. If you want to sell it, package it up and ship it out. They no longer address a business need, but we are trying to crowbar them in to our networks, whether we need them or not.
However, I can’t see why as a reseller you hate appliances. You get to pick and choose after all. You ARE the demand.
Are you sales or a techie? If you’re sales then you should be delighted at how much margin you can make on these things, the challenge of the sale is getting around the objections. You ARE the crowbar!
If you’re a techie, enjoy yourself! You’ll learn (and earn) loads in the channel, and before you know it you’ll end up at a vendor, realising why it’s so hard in the first place!
You are also correct to think that Mitchell Ashley has the right idea in pushing for a framework approach to IT. He is the smartest of cookies. We will be seeing a lot more in the open source SOA framework space in the coming months, vendors providing add-on tools where necessary. And as a vendor, I hope to be riding the new wave, not stuck at the end of the last one watching everyone else ride in to the beach.
2 Osama Salah // Mar 14, 2007 at 10:07 am
“1. The customer is at the mercy of the vendor when it comes to product development….”
Isn’t that always the case? What other situation is there where you wouldn’t be at the mercy of the vendor? Are you going to reverse engineer and patch products to your liking?
“Mitchell Ashley envisions a framework entitled the Unified Networking Platform.”
Sounds close to what Crossbeam are doing. I suppose their platform is proprietary, maybe UNP will be open. Security products need to talk one common language, they need to be interfaceable but no vendor seems to be interested, they prefer selling you their own modules and locking you down.
Another aspect of appliances I don’t like is that if they should break you are at the mercy of the reseller to provide a replacement unit which can take some time. With software you can just reinstall it on another server. In that regard solutions that come as ISO images and you can pretty much install on any hardware are pretty cool. Virtual machine images are also a neat solution in that regard.
rgds Osama Salah
3 Rory McCune // Mar 14, 2007 at 1:59 pm
There’s one other element to appliances that always makes me worry somewhat, which is that you’re at the mercy of the vendor for security patches.
Fundamentally most of these appliances run some sort of Linux or BSD based OS and where there are security vulnerabilities in the bits of the OS that the vendor has installed (which end-users probably won’t have a list of) you need the vendor to provide a patch…
In terms of comparing StillSecure Cobia with Crossbeam I think that they’re taking a slightly different approach maybe more in terms of scale than anything else.
Crossbeam (AFAICS) focuses on integrating existing security products like Checkpoint Firewalls, Sourcefire IDS etc and putting them all together in a clever form-factor with some v. clever integration, whereas the StillSecure UNP product looks (again AFAICS) to be more shaping up as something they’ll provide all the base modules for…
4 Jon Robinson // Mar 14, 2007 at 4:08 pm
@Rob: I am in sales and the great thing about sales is that there will always be something to sell. My goal is to solve problems. Appliances do have advantages and do solve problems, obviously, but they have disadvantages that can be overcome if they had more extensibility and modularity.
@Osama: I think that if you had a product where the feature sets were more like plug-ins then you wouldn’t be as much at the mercy of a vendor. You may be at the mercy of the framework that you chose, but adding, changing, and managing features would be a matter of buying or creating the appropriate plug-in for your needs. You wouldn’t have to swap out the entire solution for an incremental increase in the feature set.
@Rory: “There’s one other element to appliances that always makes me worry somewhat, which is that you’re at the mercy of the vendor for security patches.” Good Point.
“whereas the stillsecure UNP product looks (again AFAICS) to be more shaping up as something they’ll provide all the base modules for…”
I’m wondering how this will shape up as well. Hopefully anyone will be able to create a mod. That would hopefully spark lots of innovation and advancement.
5 Rob Newby // Mar 21, 2007 at 4:46 am
I’m impressed. A lot of sales guys I came across in the channel wouldn’t have had the first clue about these ideas.
What would be really nice is a standardised (SOA-based) compliance framework (open-source of course) that we could build on and just add very specific tools to address our various needs.
6 Mitchell Ashley // Mar 21, 2007 at 6:25 am
All – great conversation here and thanks to you Jon for sparking the discussion.
A couple of things about UNP; one of the areas I’m working to innovate in is to create an open platform where essentially everything is open, including the platform as well as modules that ride along on top of it.
In my mind, that’s the best of all worlds; create an appliance-like environment but instead of an appliance the vendor puts together (software choices, and hardware), you the user can take the UNP as the starting point and if you choose to you can then fully customize it with other modules, or even create your own security and network functions. Additionally, if you as a security professional don’t like something in how the platform is constructed then that would be open for customization as well.
Here’s an interesting idea; make the UNP available in some form of open source. Now anyone can innovate with UNP and completely craft their own environment or make technology that others can use, and create new modules that can be shared with others.
Also, regarding the comparison with Crossbeam, I think Rory said it well. Crossbeam has an excellent platform for operating 3rd party products on some attractive hardware. Chris Hoff, a good friend of mine, has done an excellent job with Crossbeam’s architecture and approach. One thing to note is that they focus on carrier and high end enterprise markets. Here’s a thought; UNP could actually be a good complement to what they are doing.
Thanks for the conversation all. If you like, check out some early work we are doing with UNP at http://cobia.stillsecure.com.
Also, Jon, I put up a post about your site; http://www.theconvergingnetwork.com/2007/03/jonsviewsonappliances1.html
Good work all.
7 Jon Robinson // Mar 21, 2007 at 8:11 am
@Rob-Thank you. I got my degree in electrical engineering, so my mind operates slightly differently than a typical sales guy. I also don’t have a quota or a manager, and I think that is half the reason sales people behave the way they do!
@Mitchell-Thank you for the complimentary post. I am glad to hear that you plan to make everything open. In that case, I’m positive that UNP will be the best option for many.
8 Brian // Oct 23, 2009 at 9:45 am
I like the package OS and software services in ISO distro from IPCOP. Open source and installable to most hardware platforms.