Cisco Bolsters Network Security with Innovative Program, Unique Products

November 18, 2003

Over the last month, Cisco Systems has announced an array of significant new enhancements to its portfolio of networking security products and services. The enhancements are all part of Cisco's strategy to create a dynamic, comprehensive, multi-layered security system rather than simply selling point products that only partially address the myriad threats facing networks these days. Cisco's strategy aims to create an immune system of sorts for networks, one that not only protects a network from dangers but also deals with any internal problems while keeping the network up and running.

News@Cisco recently spoke with Richard Palmer, vice president and general manager of the Cisco Virtual Private Network (VPN) and Security Services business unit, about these new announcements and how they support Cisco's systems-based network security strategy.

What are the new enhancements to Cisco's network security portfolio?

Richard Palmer: The most wide-reaching of our new announcements is our Self-Defending Network security strategy, a groundbreaking, multi-phased program to create greater security coordination between our networks and "end-point" systems: the desktop, laptop, and server computers connected at the "end" of networks. We launched this program with the announcement this month of a key component of the strategy, called the Cisco Network Admission Control program. As part of this effort, we are working with leading anti-virus software makers, including Network Associates, Symantec and Trend Micro. We have also developed the Cisco Trust Agent, a small piece of client-based software. The Trust Agent works in conjunction with anti-virus software to ascertain the security status of end-point systems. The Trust Agent then relays that information to the network, which can apply enforcement policy to permit, deny or limit the end-point's network access.

As a part of the Self-Defending Network security strategy, our Cisco Security Agent (CSA) provides customers with unique client-based software that identifies and prevents malicious behavior before it can occur. This provides what we call "day zero" protection, meaning that a network and associated business applications are protected from a virus or worm from the very first day it appears. The Cisco Security Agent has already proven its mettle by stopping the Nimda, Code Red, Slammer and Blaster worms sight unseen with out-of-the-box policies.

And in a separate announcement we have introduced a software upgrade that provides SSL VPN support for the Cisco VPN 3000 Series Concentrator. This means that customers with the Cisco VPN 3000 Series Concentrator can now support both SSL (Secure Sockets Layer) VPNs as well as VPNs based on IPSec. Again, this is a case of Cisco providing comprehensive security support to our customers. With this software upgrade, network managers will have the choice between these two VPN technologies, each with its own benefits and limitations, without increasing the management complexity of their networks.
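The admission flow described above (an agent reports the end-point's anti-virus status, the network applies a policy that permits, denies or limits access) can be sketched as a small policy engine. This is an added illustration, not Cisco's Network Admission Control or Trust Agent code; the posture fields, vendor list and thresholds are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Access(Enum):
    PERMIT = "permit"   # full network access
    LIMIT = "limit"     # restricted / remediation-only access
    DENY = "deny"       # no access


@dataclass(frozen=True)
class Posture:
    """Status an end-point agent might relay to the network (constructed fields)."""
    host: str
    av_vendor: Optional[str]        # None => no anti-virus agent reported
    av_running: bool
    av_definitions_age_days: int
    os_patch_level: int             # hypothetical monotone patch-level number


# Hypothetical policy values chosen for this example.
TRUSTED_AV_VENDORS = {"Network Associates", "Symantec", "Trend Micro"}
MAX_DEFINITION_AGE_DAYS = 7
MIN_PATCH_LEVEL = 42


def admission_decision(p: Posture) -> Tuple[Access, str]:
    """Map one posture report to an access decision and a human-readable reason.

    Ordering matters: the most severe findings are evaluated first so that an
    end-point with several problems gets the strictest applicable outcome.
    """
    if p.av_vendor is None:
        return Access.DENY, "no anti-virus agent reported"
    if p.av_vendor not in TRUSTED_AV_VENDORS:
        return Access.DENY, f"unrecognised anti-virus vendor {p.av_vendor!r}"
    # Agent present but unhealthy: keep the host on a remediation network.
    if not p.av_running:
        return Access.LIMIT, "anti-virus agent installed but not running"
    if p.av_definitions_age_days > MAX_DEFINITION_AGE_DAYS:
        return Access.LIMIT, f"definitions are {p.av_definitions_age_days} days old"
    if p.os_patch_level < MIN_PATCH_LEVEL:
        return Access.LIMIT, f"patch level {p.os_patch_level} below {MIN_PATCH_LEVEL}"
    return Access.PERMIT, "posture compliant"


def evaluate_all(reports) -> dict:
    """Decide access for a batch of reports; returns {host: Access}."""
    return {p.host: admission_decision(p)[0] for p in reports}
```

Because the decision rests on what the agent reports, the integrity and authenticity of that report is the policy's real trust boundary.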

How do these announcements further Cisco's network security strategy while better assisting companies in protecting their networks?

Richard Palmer: There are two noteworthy aspects to the announcements. First, the Network Admission Control technology, along with the deployment of the Cisco Security Agent, marks the first time Cisco has extended its networking security to end-points. In fact, this marks a radical rethinking of networking security. Until now, networking security stopped at the edge of the network. Computer security was considered a separate realm. But Cisco views the end-points as part of the same system. After all, they are connected to the network and are the primary targets for attacks. So our approach is to leverage the resources of the network by giving network equipment more information about the status of the end-points connected to the network. This way the infrastructure that controls the flow of data on a network can make more automated and intelligent decisions about how to respond to security threats. Cisco's goal is to design network security that functions in much the same way the human body protects us from disease: by working hard to keep us from getting infected and then having several means for battling infection if it does occur.

The second significant aspect of these announcements is that they reinforce Cisco's "system-level" approach to network security. Again, this is a departure from the industry norm. Traditionally, network equipment makers and software developers have delivered stand-alone point products, such as firewalls, intrusion detection devices, etc. to bolster network security. But Cisco believes that for a network to be most secure it must have multiple layers of defenses coordinated through a common network infrastructure and management interface. That is why Cisco has taken the step to bring end-point security into our strategy. The computers attached to a network and the network infrastructure itself are all part of the same system. So, in essence, these new announcements advance Cisco's strategy to leverage our extensive array of networking equipment to deliver robust security throughout a network.

How will Cisco's new security strategy and its systems-level approach to security help companies and other data network operators?

Richard Palmer: Most importantly, our security approach will help companies use their networks in the ways they want to use them. That sounds simplistic, but security architecture has lagged behind the real-life use of networks. Until now, networking security has focused on creating a tough perimeter that is closely guarded by such things as firewalls, intrusion detection devices, etc. But these days, corporate networks receive data from a growing array of sources: partners, suppliers, customers, as well as mobile or remote workers. So companies can't simply keep everyone out if they want to benefit from the communications capabilities of their networks. And as we've seen, perimeter defenses, while an important part of network security, cannot always prevent something bad from sneaking into a network, as has been dramatically demonstrated by the "Trojan Horse" technique used by worms and viruses. The reality is that networks have become much more open and this requires security that assures network availability even during attacks by worms and viruses. Again, like the human body, networks need to function even when "sick."

So these latest security enhancements take a dramatic step forward in giving network managers more tools to deal with security threats inside their perimeter defenses. Another way to think of our security approach is how a large ship is designed to deal with a leak. First, you make the exterior of the ship as durable as possible to withstand breaches. Then, you compartmentalize the ship by using water-tight doors which can seal off parts of the ship and keep it from sinking. Then, there are tools to pump out the water and fix the damage. The main point is you don't simply rely on the exterior to protect the ship because if you do, and it fails, then the whole thing will go down, just like a network.

There are many excellent security hardware and software vendors in the marketplace. Why would Cisco be any better at providing network security than all these other companies?

Richard Palmer: Cisco is in a unique position as a security vendor because of our leadership in the corporate data networking arena. Our products, such as our routers and switches, reach virtually every corner of the network. And our security approach is based on integrating networking security services into that equipment, into the basic fabric of any corporate operation. That way, security isn't something extra that people add on to a network. These days, security must be part and parcel of the network. It's not an option, but, rather, a necessary function of the network. By integrating security service with routers and switches, a Cisco network can much more effectively respond to security threats by more quickly recognizing problems, more adroitly quarantining network segments, and more rapidly purging malignant code from networks and end-point systems.

And because of our extensive line of corporate networking equipment, we can also provide security that is more cost-effective and easier to manage. By integrating security support into our existing product line, either via software or hardware "blade" upgrades, companies don't have to add additional components to their network. And since all of these tools are from the same Cisco family, network managers can control them via the same management interface. These advantages help companies boost security while reducing their management overhead and maximizing their network investments.
