FEATURE

New Enhancements Further Cisco IOS as a Key Component for Self-Defending Network

March 9, 2004

Now, more than ever, network administrators need to protect their networks. Viruses are becoming more common and more virulent. At the same time, corporate networks are increasingly interconnected with other networks belonging to partners and customers. While such connections are crucial for productivity, they create even more ways for hackers or viruses to harm a company's data communications system. Unfortunately, traditional approaches to network security, which are also the most common, cannot provide the protection today's networks need. Stand-alone firewalls, intrusion detection devices, anti-virus software and other point products are struggling to address growing security demands. Clearly, network security needs a new approach. Cisco Systems' answer is the Self-Defending Network.

Unlike other security approaches, Cisco's integrates security throughout the network, providing a comprehensive defense without inhibiting the access of legitimate users and, as a result, preserving the rich productivity advantages of Internet Protocol (IP)-based communications. This month Cisco announced an array of enhancements to its integrated security portfolio, including new functionality for Cisco IOS, the operating system of Cisco's switches, routers, and other equipment. Cisco IOS serves as a key component for creating the automated, integrated, and multi-layered defense architecture of the Cisco Self-Defending Network.

News@Cisco spoke with Sangeeta Anand, vice president of product marketing in the Internet Technology business unit at Cisco, about the new software and hardware security advancements and the company's strategy to create the Self-Defending Network.

What new security hardware is Cisco announcing?

Sangeeta Anand: The two key hardware announcements are the Cisco 7301 Series Router and the Cisco VPN 3020 Series Concentrator. The 7301 Series is a customer-premises LAN router that supports integrated firewall, intrusion detection, and quality-of-service (QoS) management with high-bandwidth IP Security (IPSec) VPN throughput in a compact one-rack-unit chassis. The VPN 3020 Series Concentrator offers both IPSec and Secure Sockets Layer (SSL) remote VPN access for enhanced flexibility for mobile and remote users. It provides very high performance and highly scalable support.

What Cisco IOS software security enhancements is Cisco announcing?

Sangeeta Anand: Improvements to the Cisco IOS threat defense capabilities include Cisco IP Source Tracker, which lets IT managers identify and locate entry points of denial-of-service (DoS) attacks. New control plane policing features provide network administrators with a better defense against DoS attacks and more secure access control with support for secure shell (SSH) version 2. Cisco IOS can now more easily allow the system administrator to set user configuration and monitoring capability limits with a new feature called role-based command-line interface access. Since many attacks start internally in an organization, a best practice is to limit users' capabilities on the router depending on job role and responsibilities. Finally, new firewall support lets IS personnel segment the network into security "trust zones," helping create more elaborate defenses to contain any possible security breaches.

We have also improved the Cisco Security Device Manager (SDM), which helps simplify security provisioning and monitoring of Cisco routers. SDM now offers one-step router lock-down and security auditing, configuration of redundancy features to limit business disruptions, and a graphical interface for monitoring security and traffic flows.
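The two router-hardening features named above, role-based CLI access and control plane policing, as an added configuration example that is not part of the original interview or of any Cisco documentation; view names, the operator account, the 192.0.2.0/24 management subnet and all secrets are constructed placeholders, and the rate values are illustrative, not recommendations:

```text
! Role-based CLI access needs AAA and an enable secret; views are created
! from the root view (exec: "enable view", then the enable secret).
aaa new-model
enable secret <ENABLE-SECRET-PLACEHOLDER>
!
! A restricted view for help-desk staff: monitoring commands only, no
! configuration access, so a compromised or careless account cannot
! alter routing, ACLs or the firewall policy.
parser view HELPDESK
 secret <VIEW-SECRET-PLACEHOLDER>
 commands exec include show ip interface brief
 commands exec include show interfaces
 commands exec include show ip route
 commands exec include ping
 commands exec include exit
!
! Bind a local account to the view so the login lands directly in it.
username hd-operator view HELPDESK secret <USER-SECRET-PLACEHOLDER>
!
! Control plane policing: rate-limit traffic addressed to the router's own
! CPU so a flood cannot starve routing protocols and management sessions.
! SSH (version 2 is enabled with "ip ssh version 2") is allowed from the
! management subnet; ICMP and everything else is capped.
ip access-list extended COPP-MGMT-ACL
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
ip access-list extended COPP-ICMP-ACL
 permit icmp any any
!
class-map match-all COPP-MGMT
 match access-group name COPP-MGMT-ACL
class-map match-all COPP-ICMP
 match access-group name COPP-ICMP-ACL
!
policy-map COPP
 class COPP-MGMT
  police 512000 conform-action transmit exceed-action transmit
 class COPP-ICMP
  police 32000 conform-action transmit exceed-action drop
 class class-default
  police 64000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
!
! Verify with "show parser view all" (from the root view) and
! "show policy-map control-plane" to watch conform/exceed counters.
```

Watching the exceed counters on the class-default policer over time is a cheap way to notice traffic that is hitting the router CPU rather than passing through it.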

How will these security improvements help business productivity and profitability?

Sangeeta Anand: The first, and most obvious, benefit is that better security means less business disruption. Viruses can knock out hundreds of PCs and servers, crippling corporate networks and leaving employees without access to information vital to their jobs or denying customers vital services. But simply preventing attacks isn't enough. An integral part of the Cisco Self-Defending Network is to not only prevent disastrous network failures but also to make security far more cost-effective and easy to manage. That means security measures should not be so inflexible that they prevent users from taking full advantage of IP-based networks. We've seen this in the past where firewalls prevent outside partners from accessing a corporate network. In other cases, VPNs have been so onerous to use that remote or mobile employees can't access the company network. These new advances aim to avoid such shortfalls of past security technologies.

Our security improvements now and in the future aim to reduce the cost of security. Management issues, such as anti-virus patching, have created huge management overhead for IT departments. Security must be cost-effective to implement. All of the new enhancements we're announcing aim to simplify network security while strengthening it. This approach lowers cost and increases network availability, resulting in higher productivity and profitability.

How do these new advancements further Cisco's development of the Self-Defending Network?

Sangeeta Anand: These security advances are one more step in Cisco's long-term strategy. The Self-Defending Network is a multi-faceted approach designed to dramatically improve the ability of networks to autonomously identify, prevent and adapt to a range of security threats. The Self-Defending Network concept embodies our strategy of integrating security services throughout IP-based networks by delivering system-level network security. It has become clear that manual methods for security simply can't respond fast enough to counter a virus attack. Our latest security advancements and the Self-Defending Network strategy aim to improve security by integrating it as part-and-parcel of network operations. That means that security is not some additional box added to the network but, rather, is an innate component of any router, switch or other network device. In this way, security is woven into the very fabric of the network and security technologies can harness the information from the routers and switches to implement security and respond to attacks. This makes network defenses far more proactive than reactive. And Cisco IOS provides us with a unique ability to do this. As the core operating system, or brains, of our routers and switches, the IOS can tie all security layers and operations into one cohesive defense.