Maybe now the PIX SMTP screener won't suck

Read this press release on Friday:

SAN JOSE, Calif., January 4, 2007 - Cisco (NASDAQ: CSCO) - Cisco today announced a definitive agreement to acquire the privately held company, IronPort Systems, Inc. of San Bruno, Calif. IronPort is a leading provider of messaging security appliances, focusing on enterprise spam and spyware protection.

For many years now, the Cisco PIX firewalls have been a big part of the security landscape. From most reports, they're good boxes and do their jobs well. However, I inevitably watch mail admins come to loathe them with a deep and unending hatred, because they include one of the lamest, most brain-dead SMTP proxy modules in existence. In both the Postfix and Exchange communities, the advice is inevitably, "Oh, you're running a PIX? Shut off the SMTP screener. It's breaking your email."

Now, of course, they're going to have access to the tasty goodness of the IronPort appliances. I've not used one myself, but everyone I know who has raves about them and thinks they're the best thing on earth. It will be very interesting to see whether they continue to be a separate product offering in the next couple of years, or whether they get broken apart for the crunchy technological bits and integrated into existing Cisco offerings.

Of course, I've never been big on the appliance route myself anyway. I want control over my border mail router, and the typical appliance doesn't tend to give you that deep level of access you occasionally need to really understand why things aren't working (and to get them fixed quickly). I have a special dark place in my heart for appliances and appliance makers that reserve backdoor channels into the appliance (which you've bought) to perform specific administrative functions and won't give you that access in return, even when you assure them that yes, you understand that if you break it you'll need to jump through extra hoops/sacrifice extra goats/pay extra money to get it all set right again. It's bad enough to have to pay an ongoing subscription fee for updates to the anti-spam filters; to lock me out of administrative access of the box I bought and paid for is beyond the pale and bespeaks a certain arrogance for one's customers that I don't like to see rewarded with financial success. I'm all for targeting your product to a less-knowledgeable crowd, but when the customer says, "Yes, I understand that this course of action I want to pursue could really break things and that I'll have to pay above and beyond to get it fixed," you give the customer access to their hardware.

Thank goodness for the Exchange 2007 Edge role. I can run it on my hardware of choice, it integrates fully with Active Directory and my Exchange organization without lots of silly generic LDAP configuration, and it will even recognize and use my users' Blocked Senders and Safe Senders lists. I've got decent spam and virus filtering capabilities, I've got lots of other crunchy message hygiene options, and there's a good API for developing additional plugins and functionality. In my opinion, Exchange admins are better off with Exchange 2007 Edge than any appliance... and then they'll never have to admit to having a PIX mangling their SMTP.

Posted on Saturday, January 06, 2007 5:53 AM
