Cisco Evolving Into A Security Company
ChipGuy writes "Om Malik has an opinion piece stating his opinion that Cisco Systems is slowly becoming a security company, a move which may prove problematic for traditional security vendors like Symantec. Cisco has bought its way into the market, worried about the security moves of its main rival, Juniper Networks. The company expects to make major announcements at the RSA Conference later this week."
While I'm not defending the issues listed on that page, Microsoft are directly responsible for the flaws in their software, as they wrote it, whereas the products described on the Attrition site came to Cisco via acquisition (the ONS products came from Pirelli (I think the same company that make tires and very "interesting" calendars)), in times when security probably wasn't one of the checkpoints on the due diligence list.
The only "true" Cisco products are routers, IOS, and more recently the IOS that is on the CRS-1. The security record for IOS has been pretty reasonable, when you consider that it has and will always be "exposed" to the Internet.
The Internet's nature is peer to peer - 20050301_cs_profs.pdf
It's trivially easy to add ACLs to connections from higher security interfaces to lower security interfaces in PIX.
That said, there is a significant amount of work left on PIX usability. It is not an easy box to configure, and given the price point of 501E and 506E boxes we've seen customers buy them without realizing what they are getting themselves into as far as configuring the box to do something as simple as what a typical Linksys firewall does out of the box.
For example, PAT is supported, but not when configured through GUI. The PDM will scream obscenities, or make the customer do that to itself, but it won't accept perfectly valid configurations.
My experience is with PixOS 6.3, whatever the current release is, and PDM 3.0.
Leonid S. Knyshov
Find me on Quora
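The two points above (outbound ACLs from a higher- to a lower-security interface, and PAT that the CLI accepts even where PDM will not) in PIX 6.3 CLI syntax. This is an added illustration, not configuration from the post or from Cisco documentation; the interface names, the 10.1.1.0/24 inside network, the 10.1.2.53 DNS server and the access-list name are assumed. Without an ACL on the inside interface, the PIX default lets every inside host reach any outside port; the list below narrows that to web and DNS and logs the rest.

```text
! PAT: translate the whole inside subnet to the outside interface address
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface

! Outbound policy for the inside (security 100) interface.
! PIX 6.x access-lists use subnet masks, not wildcard masks.
access-list inside_out permit tcp 10.1.1.0 255.255.255.0 any eq 80
access-list inside_out permit tcp 10.1.1.0 255.255.255.0 any eq 443
access-list inside_out permit udp 10.1.1.0 255.255.255.0 host 10.1.2.53 eq 53
! Explicit final deny so blocked attempts show up in syslog
access-list inside_out deny ip any any log

! Apply the list to traffic entering the PIX from the inside interface
access-group inside_out in interface inside
```

Check the result with `show access-list inside_out`; the hit counters on each line confirm which rule is matching live traffic.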
Actually, NAP is the Microsoft quarantine solution. Cisco's solution is NAC.
NAP is not a security feature, it's a client health feature.
Cisco has always been a security company. My favorite quote from the article:
"Cisco isn't known as a security company,"
Really? IOS doesn't have any security features built in? What exactly are my PIX firewalls doing for me?
Security isn't something you can buy from a vendor and just roll out over a weekend. Security must be present at every layer of your network. Routers, firewalls, switches, servers, desktops, operating systems, applications, user accounts, and even peripherals must be scrutinized for security these days. Cisco realizes this, and is taking steps to secure "their" part - the network part.
Now if we could just get some software guys in Redmond to check their input buffers...
-ted
Sorry, this is just conspiracy theory stuff. I work at Cisco and there is plenty of info out there on what NAC is. This is for corporate networks and yes it will deny access to unauthorized or non-standard devices that attempt to use a network. It is policy based, so if there is a PC or laptop that does not fit the bill, then that device will be put on a different VLAN which will either allow the user to update Service Packs or virus definitions or just have bandwidth-restricted Internet access (like a guest VLAN). So it is not an all or nothing thing. IT departments can set it up how they want. NAC is cool stuff. You can even have ACLs that are tied to a certain user or group, for instance. Also it is open so other companies can make applications that work with it. If you have seen the "Self Defending Networks" advertisements, this is part of it.
So there is no grand plan to take over the world. Just help IT departments control what devices access the business critical network. Would you really want someone to stick an unpatched fresh out of the box Windows PC with no Anti-virus on your network? Now that many companies have voice on their network 3, 4, or 5 9's is not the goal anymore. Now it is 100% uptime (excluding change windows) so having as much centralization, standardization and automation is critical to getting to that 100%.
With NAC and related technologies, companies can be sure of who is on, what they are doing, and the device they are connecting with meets IT standards.
Regards,
Andy
PS If you want more info on NAC just search on the CCO.
Whoops, I accidentally posted only half a post. Here's the second half:
B) What about all the non-Windows boxes hooked to the network? And I'm not talking about Macs, I'm talking about all the little doo-hickeys that get hooked to the net like my printer, people's TIVO's, etc.
Well, there's no reason your OLD printer and stuff can't still work on an internal network. They just wouldn't be able to talk to the outside internet.
As for new stuff, there's a big push to start dumping Trust chips into pretty much everything that will be networked. Your 5 year old printer and webcam won't be supported by your ISP, but your New and Improved Network Secure printer and webcam will probably work fine.
If Dell said they were doing it it might be something to take seriously.
YES, I AGREE.
Only a few Dell models are currently Trusted Compliant, but as I said, not a single PC manufacturer will be selling non-compliant systems once Longhorn rolls out. Do you seriously think Dell is going to sell computers that can't fully run the new version of Windows? Computers that can only run the new Windows in crippled mode with a downgraded graphics interface? And you KNOW Windows will occasionally pop up "error" messages complaining that it can't do X, Y and Z because your hardware is incompatible.
-- You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
Despite what Certicom would have you believe, it's perfectly possible to use ECC and point compression without trespassing their patents. There are some optimizations and nice tricks that are patented, but they are not essential.
Xenu loves you!