Slashdot Mirror


Cisco Evolving Into A Security Company

ChipGuy writes "Om Malik has an opinion piece stating his opinion that Cisco Systems is slowly becoming a security company, a move which may prove problematic for traditional security vendors like Symantec. Cisco has bought its way into the market, worried about the security moves of its main rival, Juniper Networks. The company expects to make major announcements at the RSA Conference later this week. "

12 of 196 comments

  1. Similar, not the same though. by anti-NAT · · Score: 4, Informative

    While I'm not defending the issues listed on that page, Microsoft are directly responsible for the flaws in their software, as they wrote it, whereas the products described on the Attrition site came to Cisco via acquisition (the ONS products came from Pirelli (I think the same company that make tires and very "interesting" calendars)), in times when security probably wasn't one of the checkpoints on the due diligence list.

    The only "true" Cisco products are routers, IOS, and more recently the IOS that is on the CRS-1. The security record for IOS has been pretty reasonable, when you consider that it has and will always be "exposed" to the Internet.

    --
    The Internet's nature is peer to peer - 20050301_cs_profs.pdf
    1. Re:Similar, not the same though. by Cramer · · Score: 2, Informative

      The ONS came from Cerent. And Cisco has fixed all of the bugs in the code it purchased from them. There are situations where they cannot fix the bugs that pop up -- and others where marketing tells them not to... don't fix it; make 'em buy the new stuff.

      Even Cisco's routers are not 100% Cisco engineered these days -- hardware or software. Cisco has bought their way into just about every market they touch. And that's not necessarily a bad thing.

  2. Re:They have said this for awhile BUT..... by Anonymous Coward · · Score: 1, Informative

    " ...when you ask them why you must use plaintext telnet to maintain routers you bought as recently as a year or two ago...they mumble around and then say "have you heard of our self defending networks?"

    I can't decide what's worse, the misinformation of the post or the fact that it currently stands at +5. The IPSec capable IOS supports SSH. And for whatever uninformed shrieking idiot that wants to ask the inevitable question : "Why isn't it supported by default?" I'll give you two answers in advance : the IPSec feature set has export control concerns; and just fucking order the IPSec IOS with the router if you want SSH.

    Even if you did have to use telnet for administration, between vty access lists, snmp access lists, an AAA server, and good logging, you would have the risks pretty well mitigated.
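
    The mitigations this reply lists, written out as an added IOS configuration example (not from the page, and not Cisco documentation). The hostname, addresses, the TACACS+ server and the angle-bracket placeholders are assumed; the `login block-for` and `login on-failure` commands need an IOS release that includes the login-enhancements feature, and SSH needs the crypto feature set the reply refers to.

    ```cisco
    ! Added example: management-plane hardening for an IOS router.
    ! Names, addresses and <placeholders> are assumed, not from the page.
    hostname edge-rtr
    ip domain-name example.net
    !
    ! SSH: the RSA key is generated in global configuration mode and only
    ! works on an image that carries the crypto feature set.
    crypto key generate rsa modulus 2048
    ip ssh version 2
    ip ssh time-out 60
    ip ssh authentication-retries 3
    !
    ! vty and SNMP access lists: only the management subnet may connect,
    ! SNMP is read-only and limited to the NMS host, and rejects are logged.
    access-list 10 permit 10.0.0.0 0.0.0.255
    access-list 10 deny   any log
    access-list 20 permit 10.0.0.5
    snmp-server community <ro-string-from-vault> RO 20
    !
    ! AAA: TACACS+ first, local account only if the server is unreachable,
    ! and every privileged command accounted for.
    aaa new-model
    tacacs-server host 10.0.0.9 key <tacacs-key-from-vault>
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa accounting commands 15 default start-stop group tacacs+
    username admin privilege 15 secret <local-fallback-from-vault>
    !
    ! Logging: timestamped syslog to a remote collector, failed logins
    ! recorded, and a lockout after repeated failures.
    service timestamps log datetime msec
    logging host 10.0.0.10
    logging trap informational
    login on-failure log
    login block-for 120 attempts 5 within 60
    !
    line vty 0 4
     access-class 10 in
     transport input ssh
     exec-timeout 10 0
     logging synchronous
    ```

    On an image without SSH, `transport input telnet` under the vty lines is the fallback the reply describes; the `access-class`, the AAA lines and the logging still apply unchanged, and the credentials then cross the wire in the clear, so the management subnet in access-list 10 had better be one you trust.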

  3. Re:SSH by Anonymous Coward · · Score: 1, Informative

    Not to mention their FW - PIX. SSH1/DES only...

  4. Re:They have said this for awhile BUT..... by Wiseleo · · Score: 2, Informative

    It's trivially easy to add ACLs to connections from higher security interfaces to lower security interfaces in PIX.

    That said, there is a significant amount of work left on PIX usability. It is not an easy box to configure, and given the price point of 501E and 506E boxes we've seen customers buy them without realizing what they are getting themselves into as far as configuring the box to do something as simple as what a typical Linksys firewall does out of the box.

    For example, PAT is supported, but not when configured through GUI. The PDM will scream obscenities, or make the customer do that to itself, but it won't accept perfectly valid configurations.

    My experience is with the PixOS 6.3 whatever the current release is and PDM 3.0.

    --
    Leonid S. Knyshov
    Find me on Quora :)
  5. Re:NAP is sick... by jsindell · · Score: 2, Informative

    Actually, NAP is the Microsoft quarantine solution. Cisco's solution is NAC.

    NAP is not a security feature, it's a client health feature.

  6. enterprise security products by Anonymous Coward · · Score: 1, Informative
    cisco's corp support for tier 1 and 2 at least, is complete shit. I once argued for 20 minutes with a 2nd tier tech who was trying to tell me that a router was giving two devices problems on the same subnet. tech: "oh, there's probably a firewall or router blocking this." me: "device A is 10.10.10.1, device B is 10.10.10.2. The subnet mask is 255.255.255.0 for both devices. Which router are they going across? It is a _flat_ network." Took me twenty minutes and eventually I just got pissed off enough to demand that they escalate the call to a tech whose vision wasn't impaired by his anus.

    Juniper's made some great strides, but as much as I like their products, what I've seen of Fortinet products is much more impressive. Having all your enterprise network and infrastructure devices in one product is reaaaaaaaaaaalllly fucking handy. No more explaining "ok, the up-link is coming from our IDS, then comes our firewall, then comes our VPN device, then comes the spam filtering boxes."

    Fortinet was founded by one of the guys who started Netscreen (which is now Juniper) and some of their ideas are really worth checking out (like re-ordering packets to search them as one complete packet -- no "deep-inspection" BS like Netscreen or TippingPoint IDSes). From what I understand from speaking to company reps, this was one of the things that made the founder go from Netscreen to creating his own company.

    Purpose-specific products (e.g. sealed boxes with ASICs that do one thing reallllly well) are the future of enterprise-level security, imo. Linux (or Solaris or what-have-you) doing firewalling or routing or anti-spam or whatever may be adequate for small offices, but is not an ideal solution for large companies (10000+ users).

  7. Every company HAS to be a security company by zerofoo · · Score: 2, Informative

    Cisco has always been a security company. My favorite quote from the article:

    "Cisco isn't known as a security company,"

    Really? IOS doesn't have any security features built in? What exactly are my PIX firewalls doing for me?

    Security isn't something you can buy from a vendor and just roll out over a weekend. Security must be present at every layer of your network. Routers, firewalls, switches, servers, desktops, operating systems, applications, user accounts, and even peripherals must be scrutinized for security these days. Cisco realizes this, and is taking steps to secure "their" part - the network part.

    Now if we could just get some software guys in Redmond to check their input buffers...

    -ted

  8. Re:Kind of like by AndyMcL · · Score: 3, Informative

    Sorry, this is just conspiracy theory stuff. I work at Cisco and there is plenty of info out there on what NAC is. This is for corporate networks and yes it will deny access to unauthorized or non-standard devices that attempt to use a network. It is policy based so if there is a PC or laptop that does not fit the bill, then that device will be put on a different VLAN which will either allow the user to update Service Packs or virus definitions or just have bandwidth-restricted Internet access (like a guest VLAN). So it is not an all or nothing thing. IT departments can set it up how they want. NAC is cool stuff. You can even have ACLs that are tied to a certain user or group, for instance. Also it is open so other companies can make applications that work with it. If you have seen the "Self Defending Networks" advertisements, this is part of it.

    So there is no grand plan to take over the world. Just help IT departments control what devices access the business critical network. Would you really want someone to stick an unpatched fresh out of the box Windows PC with no Anti-virus on your network? Now that many companies have voice on their network 3, 4, or 5 9's is not the goal anymore. Now it is 100% uptime (excluding change windows) so having as much centralization, standardization and automation is critical to getting to that 100%.

    With NAC and related technologies, companies can be sure of who is on, what they are doing, and the device they are connecting with meets IT standards.

    Regards,

    Andy

    PS If you want more info on NAC just search on the CCO.

  9. Cisco Patents Fix/Patch by Anonymous Coward · · Score: 1, Informative

    > Bloaty, reactive software (Norton AV) goes down with the sinking ship (an exploding windows box).

    You don't mean the TCP Reset Vulnerability in Cisco's BGP do you? You know, the one Cisco tried to blow out of proportion by including the whole internet, while in reality it was their own implementation that didn't take security seriously. But that's not all, Cisco then tried to patent the fix for largely their own vulnerability.

    "Feature: Understanding TCP Reset Attacks, Part I"
    http://kerneltrap.org/node/3072?PHPSESSID=941eb76f2c0adc72440aafe3477bac43

    "You are being told "lots of people have a problem". By not seperating out the various problems combined in their notice, or the impact of those problems, you are not being told the whole truth."
    http://marc.theaimsgroup.com/?l=openbsd-misc&m=108248948202715&w=2

    "cisco is affected and tries to make it look like it was a problem everybody has, which it isn't, and it looks like they managed to fool you."
    http://marc.theaimsgroup.com/?l=openbsd-misc&m=108264490523927&w=2

    Cisco applied for a patent to the TCP Reset vulnerability Fix. Patenting a freaking FIX...
    http://marc.theaimsgroup.com/?l=openbsd-misc&m=108431540506674&w=2

  10. Re:Can we say "flop"? by Alsee · · Score: 2, Informative

    Whoops, I accidentally posted only half a post. Here's the second half:

    B) What about all the non-Windows boxes hooked to the network? And I'm not talking about Macs, I'm talking about all the little doo-hickeys that get hooked to the net like my printer, people's TIVO's, etc.

    Well, there's no reason your OLD printer and stuff can't still work on an internal network. They just wouldn't be able to talk to the outside internet.

    As for new stuff, there's a big push to start dumping Trust chips into pretty much everything that will be networked. Your 5 year old printer and webcam won't be supported by your ISP, but your New and Improved Network Secure printer and webcam will probably work fine.

    If Dell said they were doing it it might be something to take seriously.

    YES, I AGREE.

    Only a few Dell models are currently Trusted Compliant, but as I said, not a single PC manufacturer will be selling non-compliant systems once Longhorn rolls out. Do you seriously think Dell is going to sell computers that can't fully run the new version of Windows? Computers that can only run the new Windows in crippled mode with a downgraded graphics interface? And you KNOW Windows will occasionally pop up "error" messages complaining that it can't do X Y and Z because your hardware is incompatible.


    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  11. ECC not patent encumbered by Paul+Crowley · · Score: 2, Informative

    Despite what Certicom would have you believe, it's perfectly possible to use ECC and point compression without trespassing their patents. There are some optimizations and nice tricks that are patented, but they are not essential.
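
    What point compression actually is, as an added Python example (not code from the page or from the comment's author): a compressed point is the x coordinate plus one bit giving the parity of y, and decompression recovers y by solving the curve equation and taking a modular square root. The curve is secp256k1, chosen here as an assumption for illustration; its prime is 3 mod 4, so the square root is a single exponentiation, and the result is checked because that exponentiation returns garbage when x is not the abscissa of any point.

    ```python
    """Point compression and decompression on a short Weierstrass curve.

    Added example, not from the page. The curve (secp256k1) is an assumption
    chosen for illustration; the method is the plain one: send x and the
    parity of y, recover y from y^2 = x^3 + a*x + b.
    """

    P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
    A = 0
    B = 7
    GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
    GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
    G = (GX, GY)
    assert P % 4 == 3   # the square-root shortcut below depends on this


    def is_on_curve(pt) -> bool:
        x, y = pt
        return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0


    def compress(pt) -> bytes:
        """SEC 1 style: prefix 0x02 if y is even, 0x03 if odd, then x big-endian."""
        if not is_on_curve(pt):
            raise ValueError("not a point on the curve")
        x, y = pt
        return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


    def mod_sqrt_p3mod4(n: int) -> int:
        """A square root of n modulo P when P = 3 (mod 4). If n is not a square
        the result is meaningless, so the caller must verify it."""
        return pow(n, (P + 1) // 4, P)


    def decompress(data: bytes):
        """Inverse of compress(); rejects malformed input and invalid x values
        (an x with no point on the curve must not be silently turned into one)."""
        if len(data) != 33 or data[0] not in (2, 3):
            raise ValueError("bad encoding")
        x = int.from_bytes(data[1:], "big")
        if x >= P:
            raise ValueError("x out of range")
        rhs = (x * x * x + A * x + B) % P
        y = mod_sqrt_p3mod4(rhs)
        if (y * y) % P != rhs:
            raise ValueError("x is not the abscissa of any curve point")
        if (y & 1) != (data[0] & 1):
            if y == 0:
                raise ValueError("y = 0 has only one root, parity bit is wrong")
            y = P - y   # the other root; P is odd, so it has the other parity
        return (x, y)


    def decompress_or_none(x: int, prefix: int):
        """Convenience wrapper: None instead of an exception for invalid input."""
        try:
            return decompress(bytes([prefix]) + x.to_bytes(32, "big"))
        except ValueError:
            return None


    if __name__ == "__main__":
        c = compress(G)
        print("compressed G:", c.hex())
        print("round trip ok:", decompress(c) == G)
    ```

    The reject-on-bad-x branch is the part worth keeping in mind: a decoder that skips the `y*y == rhs` check will happily return an off-curve point, which is the classic invalid-curve input to any scalar multiplication that follows.
    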