Mad Dog 21/21: Wither Thou Ghost–That IBM-Fortinet Halloween Deal
November 8, 2010 Hesh Wiener
IBM was about to buy security gadget maker Fortinet, said a Bloomberg news service story published as Halloween weekend began. By the time the weekend was over, so, too, was the hypothesized acquisition. Fortinet said there was no such deal. It’s kind of a shame, because IBM could have picked up a seasoned shenanigans expert, Hong Liang Lu, improving IBM’s potential for corporate mischief, which has not yet recovered from the loss of former Systems and Technology Group GM, Bob Moffat. But don’t give up on IBM yet.
Hewlett-Packard was able to bring Leo Apotheker to its helm after Mark Hurd fled to Oracle.
The Hurd-Apotheker double play probably gives HP the lead in bigwig monkey business for now. Still, just as HP’s ability to generate more revenue than IBM could be temporary, so, too, could its place at the scruple nadir of high tech enterprises. Having its executives entertain the world with public displays of moral turpitude is a new experience for the company founded in a garage a couple generations ago by Bill Hanky and Dave Panky. IBM, by contrast, has often managed to experience ignominy at the hands of trustbusters and other misfits, the kind of people who don’t think business ethics is an oxymoron.
In any event, Hong Lu is one of the people who really knows how to make money for himself and his investors. Before taking up a major role at Fortinet, Lu served as the boss of UTStarcom, where his activities brought him a hundred grand fine and nearly got him banned from serving as a director of any public company. UTStarcom coughed up a lot more to settle various charges brought by the Securities and Exchange Commission. The situation at UTStarcom stemmed from the way the company kept–or more accurately failed to keep–satisfactory records. At the end of the episode, Lu promised the authorities he would never to make certain mistakes again. And he hasn’t.
Still, Fortinet is in a segment of the computer business that is apparently a wiseacre magnet. The companies in the firewall business and the broader security appliance industry it pretends to have grown into make gadgets that cost pennies and sell for a lot more. The gizmos also require constant updates, so the cost of services, support, firmware updates, and so on ends up being a much larger number than the price of getting the firewall box in the first place. In some cases, in fact, the box, which is a cousin of a network router, doesn’t even have to exist. It can be entirely virtual, a creature made wholly of software, the way firewalls on the AS/400 and some of its descendants used to be built. Like the AS/400, which ran firewall stuff on an internal X86 co-processor, most firewall products from most of the security appliance companies run on X86 (or X64) hardware today. The typical software setup is based on a hardened version of Linux and these days, they are increasingly plunked into a virtual machine running on a standard hypervisor.
At various times, the firewall companies have tried to glom open source and treat it as their own. The behavior has in the past become so egregious that even the usually patient open source community has lost its temper. It’s really messy, and the situation is so big and ugly that there’s even a Web site built just to more or less keep up with the (usually successful) battles fought by open source folk to keep their GPL and similarly licensed code in the public domain the way they intended.
If you imagine that all this acrimony might discourage IBM from buying into the firewall business, you are probably wrong even if the Fortinet deal never happens. In August, Intel bought McAfee, the security software company, for around $7.5 billion. McAfee is one of the companies that can provide protection from the two kinds of threats that plague computers day in, day out. One group of threats arises when user organizations hook up to the outside world over the Internet. The hookups can be Web sites, email systems, VPNs, or other setups. The more open the door–a Web site is about as available as can be–the greater the number and variety of potential attacks. Companies with systems that are different from the most common Windows and Linux setups are probably less susceptible to villainy by wire, but even an IBM i box speaking in EBCDIC is not hack proof.
If the outside world isn’t enough of a threat, how about the dangers from inside? Most companies have a population of client machines that might be out on the road one day and jacking into the office network the next.
The upshot is that a complete security solution includes whatever hardware and software it takes to provide perimeter defense, usually a firewall if you accept that a firewall can be as small as a little MIPS, Atom, or ARM router or as large as a multi-socket Xeon-class server. (And if you are an Amazon or Yahoo one firewall, even a biggie, is nothing; you have myriads.)
HP is already in the game, too, formally since last month’s acquisition of Arcsight. HP is, by the way, hooked up with Fortinet, which sells HP a security package that runs on some HP router/switches. If IBM bought Fortinet, that deal would be at risk, and it might be under scrutiny even now, as HP strives for independence.
The security and firewall game may usually be played on a Linux field, but Microsoft has been putting quite a bit of effort into protection for Windows client and server systems. Windows users can get free protective software from Microsoft and Windows also has a built-in software firewall. There are also Microsoft products that reinforce Exchange Server and other corporate systems.
Symantec, probably the security outfit with the biggest mindshare, has tried its hand at the hardware appliance game and while it says it has been successful, reports on the security business don’t give it much credit when it comes to total solutions, by which we mean providing hardware, software, whatever that lets a company buy protection from one source. The New York Times quotes sources it trusts that indicate Fortinet is the leader in unified solutions. And while the Times doesn’t explain why unified offerings are so important, computer professionals know from (often sad) experience just how hard it is to get security technology to work well with production technology. So even if working with end-to-end coverage from Fortinet is a nightmare, it’s only one nightmare. Companies with a mix of security and network equipment from Cisco Systems, Citrix Systems, Juniper Networks, Fortinet, Symantec, McAfee, and dozens of others have a nightmare of nightmares.
One of the events that got the attention of directors at all the big IT players was the Stuxnet affair, which is not yet over. Stuxnet is a virus that is believed to have been aimed at Siemens industrial controllers used by Iran in its atomic energy facilities. Of course Siemens hardware is used to manage industrial systems and power grids and lots of other vital apparatus the world over, because, despite the bad nerves arising from Stuxnet, the Siemens equipment is superb.
The whole idea that IBM is making noise about what it calls a smart planet while not actually making the products that keep the vandals from taking the handles is as silly as a Bloomberg reporter running at a rumor and quickly discovering that his shoelaces had been tied together. So while IBM doesn’t have to buy Fortinet, it absolutely has to take over some kind of enterprise-class security technology company . . . unless it wants to be the charity of the year, promoting a smart stuff concept that its rivals (or at least the ones that can deliver both solutions and security) will exploit.
IBM has to choose between Fortinet and un-Fortinet. There’s no other option.