Rest in peace, my WAF friend

A few years ago, Cisco bought a company that made application-level firewalls, first an XML-focused product (XML Gateway) that was also able to verify your XML data, later a Web Application Firewall (WAF), which was effectively the XML product with half of the brains ripped out.

I was really looking forward to these products. Layer-3 firewalls cannot protect web sites against application-layer problems like SQL injection or cross-site scripting, so we definitely need something on the application layer, and the WAF (and XML Gateway) ran as virtual appliances in VMware, making them ideal for my lab environment. I quickly lost interest after the first cursory contact with the XML Gateway, as you could only manage both products through a web-based GUI (and I definitely don’t want to publish blog posts full of screenshots).

The development of these products had obviously stalled for quite a while (they never got IPv6 support), and now Cisco has decided to kill them, giving customers no product migration options.

Killing a product is never a problem for me; I understand the need to consolidate and redesign products and platforms gained through an acquisition, and Cisco usually offers a decent migration program. Killing old and obscure technologies makes perfect sense. Exiting a whole (highly relevant) market segment makes me nervous; I don’t doubt it was the right decision for Cisco, but how can we guess which market segment they’ll exit next?

6 comments:

  1. Hi Ivan,

    Maybe Cisco wants us to migrate to the IronPort Web Security Appliances. They do http(s)/ftp/layer-4 inspections, ... apparently.

    Regards,
    Erik

  2. Ironport Web Security boxes aren't reverse proxies, which is what the Cisco ACE family of products are. They protect your internal users from threats on the Internet, but do not perform content verification, SSL offload or load balancing for the server farm in your DMZ.

  3. pavel skovajsa, 04 August, 2010 18:19

    Hi Ivan,

    maybe Cisco realized there is not a market for this kind of appliance or was run over by somebody else.

    Personally I believe that Cisco realized (finally) that this is not a segment they should play in, as all web hosting designs are governed on L7 by the application folks, who usually get to choose the stuff protecting their apps on their own. What I noticed they usually do is choose a software-based server protection mechanism, such as an apache/php mod.
    As the application guys speak a totally different language and the world of Cisco is unknown to them, they never choose anything from Cisco, hence Cisco has no stake in it.

    Also, to express my opinion, the network engineers do not rush into suggesting anything else, as putting L7 devices managed by network guys in front of public-facing servers is a bad idea due to the "it's not our fault" tendency.
    To further illustrate the concept, and to be very strict about it, putting WAN accelerators in is similar in a way that you find yourself working on obscure "it's the WAN accelerator's fault" issues 8 hours a week.

    All in all, what is your view on the older NANOG discussion http://markmail.org/thread/fvordsbnuc74fuu2

  4. This is walking away from their Security Products and showing how little Cisco thinks of Security.

    If Cisco isn't going to deliver a full spectrum of security products, are they a viable partner?

    Of course, if they had a camera or did videoconferencing, they wouldn't have been killed.

  5. This is the second product line in as many months that they're walking away from -- both are security products. They've made it clear that they have no interest in the SIM/SIEM market, so they've effectively given up on CS-MARS. They don't even recommend it any more.

    Is Cisco going to move to just offering a cursory line of security products now? Stuff they can just bundle with other product sales when a customer wants to get it from one vendor? I don't see them killing off the ASA or IPS, but those products aren't really leaders anymore.

    In fact, what in their security products line IS worth a crap any more?

  6. Give Barrier1 a try. Barrier1 uses WAF and other components as sensors, thus inspecting ALL 7 OSI layers in near real time. Along with that, Barrier1 Adv. Reporting and its 736 different log formats become a SIEM, Log Analysis, and DLP as well. With that speed, 1 device can inspect, and has been inspecting, data, VOIP, and IP/TV for over 4 years.


Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.