Two leading network performance specialists go head to head. Les Howarth, managing director, F5 Networks and Shaun Page, vice president, Juniper Networks ANZ talk strategy and numbers.
Page: In terms of SSL VPNs, how do you expect to follow the market into the Service Provider space?
Howarth: This question might have been more timely immediately following our entry into the secure remote access space two years ago. Regardless, F5 is already present in the vast majority of telco and service providers around the world -- including many SSL VPN solution implementations. In fact, many major telcos are picking up F5's FirePass SSL VPN controller as a value-added service offering for their own client bases and rolling it into their primary product lines. F5 has a strong customer history with all of Australia's largest mobile and fixed service providers and we are very optimistic about the viability of FirePass as a VAS with each of them.
Howarth: Do you believe integration with end-point security solutions such as antivirus and personal firewalls is important? Pursuant to this, how many end-point solutions do you provide out-of-the-box integration with?
Page: Juniper absolutely believes that the network must work with end-point software and applications. In the remote access space our Juniper Endpoint Defense Initiative (JEDI) provides out-of-the-box integration with many partner security products. Current JEDI partners include InfoExpress, Microsoft, McAfee, Sygate, TrendMicro, Whole Security, and Zone Labs.
This allows customers to validate end-point security postures using their existing software and then use Juniper Secure Access gateways to enforce resource policies based on the results.
At the carrier level we have been working for two years on an industry initiative known as the Infranet. This brings together network vendors such as Juniper, carriers like BT, and application developers such as Microsoft to create a way for applications to request service characteristics directly from the network and for one network to request services from another network. These interfaces are using the well-developed Web services request framework.
Page: Have you found that the acquisition of ArrowPoint increased competition in the Server Load Balancing space or decreased it?
Howarth: I assume you are asking about Cisco's acquisition of ArrowPoint some four years ago. Pursuant to this, F5 has gained 12 points of market share from Cisco in the total L4-7 market globally since then and closed the market share gap between F5 and Cisco from 30 percent to only five percent. Further to this, following Nortel's acquisition of Alteon (shortly after the Cisco/ArrowPoint deal) F5 has subsequently gained 14 percent market share from Nortel.
Increased competition? Absolutely! And the marketplace has voted loudly.
Lastly, it is interesting to note your reference to the SLB space. At F5 we haven't used this acronym for a very long time. Yes, we do perform server load-balancing, in fact, we invented it, but the marketplace has evolved so much since then and our real focus today is on application traffic management, encompassing all levels of application optimisation, delivery, and security -- not merely load balancing.
Howarth: What steps have you taken to make the installation, setup, and on-going management of your devices more intuitive and efficient?
Page: Let's look at this from the point of view of the carrier and of the enterprise. In the service provider space we ensure our routers can interface with carrier management platforms using standards-based XML configuration management tools.
In the enterprise we've focused on providing easy-to-use Web interfaces regardless of the type of product. For enterprise routers we have added a Web front-end for configuration and management. We have found that engineers with prior routing experience can get up to speed on our routers with our one-day cross-over training course. Our firewalls have a well-regarded Web interface as well as a centralised manager called NSM to ease deployment of large numbers of devices. It too has a Web interface. Our SSL remote access products use only a Web interface and have won numerous awards in the IT press.
Page: What is the value of your recent Watchfire acquisition and how do you plan to support Watchfire's customers in the future?
Howarth: Firstly, let me clarify -- F5 did not acquire Watchfire. We purchased the assets and intellectual property of Watchfire's Appshield product in a mutually beneficial transaction, the value of which was not disclosed.
With respect to your question about customers, Watchfire will continue to service their installed base of customers with existing service contracts. F5 and Watchfire are also jointly encouraging customers wishing to address their future application security needs to transition over to F5's TrafficShield product, an industry leading application security gateway.
Howarth: Top competitors use intuitive and dynamic resource management frameworks which allow groups of resources to be assigned to groups of users in a way that reduces administrative overhead; how do you plan to stay competitive with the static, one-to-one nature of your devices?
Page: In typical usage, group-based provisioning does not apply so much to routers and firewalls, so we'll concentrate on broadband remote access and SSL VPNs.
In the broadband remote access market our customers need to enable services and access profiles for literally hundreds of thousands of customers. While some of these customers will write their own tools, we do offer a service deployment platform called the SDX to allow automated provisioning and accounting. New Internet services such as video-on-demand, IP television, or integrated voice and data, are offered over a variety of broadband access technologies, such as DSL, cable, Ethernet, ATM, Frame Relay, SONET, and fixed wireless. Working with the Juniper Networks ERX edge router, the SDX application allows subscriber managers to activate service offerings as they need them and automatically provision the network to deliver those services.
With SSL remote access, we integrate with the customer's existing directory services to allow resources to be associated with a defined group. This group would be created using, for example, standard LDAP, Active Directory, or RADIUS tools. The user can also be assigned a role, such as an administrator, within that group to have customised privileges. The strength of our support for realms (different authentication domains), roles (group and user types), and resources is one of the main reasons Juniper is the number one provider of SSL VPN solutions worldwide.
Page: What kind of growth path do you envisage in Australia?
Howarth: F5 grew 67 percent globally in our last financial year (ending October 2004) and in Australia we grew 70 percent (with 101 percent growth year-on-year 2003 to 2004 across Asia-Pacific).
In FY2005 we are experiencing even more dramatic growth rates across our entire business in Australia. There is no reason to believe that next year will be any different because of the enthusiasm for F5's products that we see in the marketplace, particularly due to our ability to integrate all of our products on a single unified high-speed platform using our Traffic Management Operating System (TMOS) and the strong market interest in our new application security product, TrafficShield.
Howarth: Any plans in the near future to release your SSL VPN products on purpose-built hardware rather than off-the-shelf hardware that is years old?
Page: We typically announce new products when they ship, so this isn't the forum for discussing what we might or might not launch in the future. But let's talk about the philosophies behind the architecture for SSL VPN products. One way to look at it is to compare our firewall architecture with SSL VPN. Our firewalls use custom-designed application specific integrated circuits (ASIC) to maximise session throughput. This was because, prior to NetScreen, everyone was building firewalls on general purpose hardware and these designs could not keep up with modern networks. Since a firewall did not need a hard-disk or other features of general purpose platforms we could strip it out.
By contrast, an SSL VPN appliance is essentially a very sophisticated Web-proxy and needs most of the hardware features of any other Web server, including a hard disk and logging sub-system in addition to network interfaces. So our current SSL VPN appliances are built on a server platform because they need most of the support that a Web server needs. These requirements wouldn't change even if we opted for custom hardware. The primary strength of our multiple-award winning (20 magazine and analyst awards since last year) SSL VPNs is the feature-rich software.
Page: Where are you most competitive in your product offerings and why?
Howarth: We are highly competitive in all our offerings. BigIP is the industry recognised leading solution for Application Traffic Management as recognised by Gartner in their Web-Enabled Application Optimisation magic quadrant.
Our FirePass SSL VPN solution has won numerous awards and accolades for its breadth of features and leadership position and continues to attract new business growth for us, while our most recent offering, TrafficShield application security, leads the market in the new product category.
Howarth: What types of compression, bulk data encryption, and other technologies do you use to ensure that users have a high-performance, low-latency experience?
Page: It depends on what products you are talking about, really. Routers support IPSec encryption and various types of compression such as compressed real time protocol (CRTP) for voice packets. Firewalls use IPSec encryption. SSL VPN concentrators use SSL encryption, of course. The server-side application acceleration products do compression for a Web farm using Web compression standards that any recent browser will support automatically.
This enhances Web server performance without any changes to the server itself. With our recent announcement that we intend to acquire Peribit we will also be able to offer specific compression and acceleration functions through these products. This unique technology is called Molecular Sequence Reduction and is derived from algorithms originally used to analyse DNA sequences. For applications this can offer performance improvements well beyond what traditional compression techniques can do.
For latency-sensitive applications our products offer quality-of-service mechanisms appropriate to their function. Some very interesting ones again come from the planned Peribit acquisition, as they offer application-based QoS to complement the network-based QoS of our other products.
Page: What are the biggest challenges facing F5 Networks over the next 12 months?
Howarth: The biggest challenge we face is no doubt managing our growth. This is a large, growing market where opportunities abound for the types of products and services we offer. As we continue to grow, we will need to recruit and develop additional high-calibre partners and employees who understand the market and how to deliver on the potential that exists.
Howarth: You claim to offer Web Application Security on your network firewalls, but you have not subjected those claims to testing by someone like ICSA -- do you have any plans to validate those claims?
Page: Nothing to hide here! In fact, all our firewalls have been ICSA certified. Full reports are available on the ICSA Web site. We have also ICSA-certified the firewall services PIC (acceleration blade) in our M-series routers. The firewalls are also Common Criteria-certified to EAL level 4 which is important for our government and defence customers worldwide.
If you meant to refer to our SSL VPN products, which are more typically used in a Web-application environment, these are ICSA certified using version 1 of SSL-TLS certification. Version 2 is in progress and certification is expected to be completed shortly. As the SSL-TLS certification is quite a narrow test we also had the SSL VPN gateways independently analysed by TruSecure, a sister-company to the ICSA, the VPNC (Virtual Private Network Consortium), and iSEC Partners.
Page: What would you say is the main differentiator that F5 Networks takes to the market?
Howarth: I think our main differentiator is focus. Unlike our competitors, we concentrate on a specific market segment -- the delivery, optimisation, and security of applications. The experience we have in this area has allowed us to build the best products in the industry today and integrate these products with all of the leading application providers' solutions.
Howarth: What is your Australian channel strategy for the L4-L7 market? Do you have the right channel partners for these new products?
Page: Juniper has a strong history of successful channel partnerships which deliver some of the most complex and mission critical networks in the world. The J-Partner program is the business framework for our channel partnerships and it is designed to reward the partner's value-add and to support specialisations such as application products.
Page: What is F5 Networks' most successful market sector and why?
Howarth: Application Traffic Management has been our focus since the inception of the company. We have been instrumental in driving this sector of the industry with continual innovation. For example, with our UIE (Universal Inspection Engine) we are able to make a traffic management decision on any value in the entire bi-directional data flow.
We have also evolved strong partnerships with all the major application vendors who use our open API to make our BIG IP product an extension of the application rather than just a standalone network device. These sorts of capabilities have made BIG IP the most flexible Application Traffic Management solution available today. As a result, we have been successful in winning business across all industry segments including government, finance, telcos, and even SMBs.
Howarth: I understand you play football in your spare time. What position do you play?
Page: My football position would have to be Left Right Out as I don't play! My golf handicap on the other hand is far more impressive, I play off four.
Page: What is the greatest piece of advice you were given and did you use it?
Howarth: I once had a sales manager who told me that everybody has two ears, one mouth and that a good salesman should use them in that ratio. So I've always found that listening is much more productive than talking.
This article was first published in Technology & Business magazine.