Slashdot Mirror


Cisco Evolving Into A Security Company

ChipGuy writes "Om Malik has an opinion piece stating his opinion that Cisco Systems is slowly becoming a security company, a move which may prove problematic for traditional security vendors like Symantec. Cisco has bought its way into the market, worried about the security moves of its main rival, Juniper Networks. The company expects to make major announcements at the RSA Conference later this week."


  1. Or by venicebeach · · Score: 4, Insightful

    They are still a "networking" company and networks are becoming security battlefields.

  2. competition - not a bad thing by ngc.for.life · · Score: 5, Insightful

    "a move which may prove problematic for traditional security vendors like Symantec."

    Which means competition and is therefore good for the user.

    Apart from that, another company concerned about security is no bad thing.

    1. Re:competition - not a bad thing by Anonymous Coward · · Score: 1, Insightful

      I think what's scary here is the possibility of Big Bad Cisco monopolizing the market. The problems for Symantec et al come when a huge company like Cisco forces them out, as we've seen other software companies do countless times before.

  3. Cisco has hardware by rkcallaghan · · Score: 5, Insightful

    And some pretty good stuff, I might add. Popular with PHBs, too. Can we say "No one ever got fired for buying [Cisco]." yet?

    This is going to be their major advantage when it comes to security, even down to the Linksys brand for home users.

    Good, proactive hardware provides real security. Bloaty, reactive software (Norton AV) goes down with the sinking ship (an exploding Windows box).

    Software, and security software has its purpose and can have value, but Cisco's advantage doesn't lie there.

    ~Rebecca

    1. Re:Cisco has hardware by rkcallaghan · · Score: 2, Insightful

      Have you ever tried any cisco software(not ios), but their vpn clients etc?

      Whether I have or not, I didn't say anything about Cisco's software. I'd be willing to bet that "crappy" or not; it does more stuff better than Norton.

      The software runs on your workstation instead on separate box and cpu. It's clear it'll eat resources when processing incoming/outgoing traffic.

      This is true, but not the reason I cited as Cisco's hardware advantage.

      But why compare them in first place?

      Because the original poster/article wrote: "...a move which may prove problematic for traditional security vendors like Symantec."

      If you notice the AV part in Norton, it pretty clearly hints that it's anti-virus, not firewall. And can you really compare anti-virus to firewall/router?

      Good top end products in the hardware line, if they really want to make a move in to being known for security, are going to include antivirus, among many other things.

      But, if you'd like me to compare what you propose, fine:

      Norton firewall is a bloaty, reactive toilet log, that will sink with the ship when the Windows box it's on gets loaded with the next worm.

      Just out of curiosity, how come you flame Cisco hardware for not being "secure out of the box"; but then go on to claim that the systems Norton is on should be well configured?

      ~Rebecca

  4. The other way around : networking is the product by AwaxSlashdot · · Score: 3, Insightful

    Or security is a network battlefield.
    You don't 'sell' security : security for security is useless. Networking is something you sell and it needs security.

    --
    Sig (appended to the end of comments you post, 120 chars)
  5. Cisco Announcement by dangermen · · Score: 3, Insightful

    It will probably be Cisco's continued development of Network Admission Control (NAC) as it extends further down the network. NAC will interrogate a PC (via Cisco Trust Agent) that is plugged in to see if it is running the latest MS patches, latest virus definitions, and Cisco Secure Agent policies. If not, it will prevent the workstation from going anywhere but to MS update, the AV vendor for updates, and the CSA policy server. Cisco is also pushing their IPSes into their devices. I wouldn't be surprised to see Cisco pushing IPSes to their switching line.

  6. security? by torrents · · Score: 3, Insightful

    do you really have to evolve into a security company in order to ensure that your products are secure... isn't it a fair expectation that when you buy an expensive router etc. that it won't have enormous flaws that allow for numerous exploits? regardless of who you buy it from?

    --
    Get your torrents...
    1. Re:security? by _Sprocket_ · · Score: 2, Insightful

      It's not about making secure products. It's about making products for security - firewalls, remote access, intrusion detection / prevention, etc.

  7. They have said this for awhile BUT..... by flinxmeister · · Score: 4, Insightful

    ...when you ask them why you must use plaintext telnet to maintain routers you bought as recently as a year or two ago...they mumble around and then say "have you heard of our self defending networks?"

    Then there are other little things, like the limited authentication options unless you spend bookoo bucks...or the very limited logging/audit functions...or the way PIX assumes all 'outgoing' connections are valid (the very concept of 'outgoing' is a SOHO concept and not an enterprise firewalling concept)...ugh...don't get me started on the pix....

    The more you look at Cisco products hands-on, it just highlights what Cisco does: Make networking products.

    Granted, they make networking products *very* well and I wouldn't hesitate to recommend them over anyone else. But myself and just about every security pro I know sees them as networking devices with security kind of bolted on...NOT security devices. It's more like some IOS networking programmers tried to figure out what security folks need instead of researching what's actually going on out there or getting some real world infosec experience.

    If they are becoming a security company, great. But they've said this for awhile now and it hasn't changed the fact that the focus is networking networking networking.

  8. A 'judgemental' network? by femto · · Score: 3, Insightful

    Surely security belongs on the edges of the network, where users can make their own judgements about how much security they desire? Need high security? Do your own encryption at each end.

    There is also the issue of whether any security, except your own, can be trusted. Will Cisco guarantee the absence of backdoors or 'approved' (not by the user) surveillance?

    Then there is the issue of who makes the call on what 'security' is. There's a fair chance the average geek, sys admin, government and music trade rep will all have different ideas of what security is. Whose version gets implemented by Cisco and friends? Better that each one gets to do their own security.

  9. NAP is sick... by danielrm26 · · Score: 3, Insightful

    I hate to sound like a sales guy for the company, but they have something called NAP that's just completely sick.

    An agent (CSA) runs on all endpoints and checks them for AV, firewall, OS patches, etc. If it's clean, the switch or router lets them through to the main network. If not, you get VLAN'd off to a remediation network, and once you are done there you are allowed on.

    The trick here is that no one is in better position to do such a thing than the company that owns most of the network infrastructure.

    Don't dismiss them as a security company; we've only seen the beginning.

    --
    dmiessler.com -- grep understanding knowledge
  10. About time too! Hardware security by CdBee · · Score: 2, Insightful

    Software firewalls and security software are inherently pervertible - some even have programmatic interfaces to open ports!

    The only good system security comes in part from sitting behind a hardware firewall router - something Cisco, with its subsidiary Linksys, is in a position to sell

    --
    I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
    1. Re:About time too! Hardware security by cpghost · · Score: 2, Insightful

      hardware firewall router

      And what do you think runs on this hardware? Right, IOS or a similar OS. Now go scan for IOS vulnerabilities and enjoy! There's no such thing as "hardware security."

      --
      cpghost at Cordula's Web.
  11. 4/5ths of our problems are from the inside by gelfling · · Score: 2, Insightful

    And I suspect your organization is the same. Internal networks are victims of strange political forces, ridiculous budgets and a crippling blindness that expensive boxes that protect us from the evil commie internets is all we need.

  12. They will have to improve their products then... by Anonymous Coward · · Score: 3, Insightful

    Their PIX firewall is no competition to the other popular vendors. It lacks both the performance and features of Netscreen/Juniper and has a shoddy security record.

    Their IDS is less sensitive than Snort and its VMS manager software is slow, hideously bloated and buggy.

    For several years, Cisco have been promoting an insecure combination of IPSEC shared-secret with xauth. Despite being documented as dangerous on their own website, it was still the taught and recommended way of configuring "convenient" secure remote access VPNs. Only in the last six months have they fixed this.

    Their NAC/self-deluding-network initiative is broken as proposed. All enforcement is performed in the wrong place: routers off in the edge of the network. Right now, there is no way to deploy NAC on a switch or even a MSFC.

    Cisco need to stop their marketing droids from directing their product development and get back to competing on technology.

  13. Re:Good news? by Anonymous Coward · · Score: 2, Insightful

    Remember kids: some people may be experts in their field, but when they are so outrageously immoral you should never trust them. Never. Because one day those greedy bastards will gladly betray you as soon as they see even a slightest possibility of profit.

    Of course it would. Cisco is a corporation, not a human being. It has no soul and should not be expected to have one. A successful corporation works for shareholder profits and nothing more. If China wants a firewall, Cisco will sell one at the right price.

    Real problems occur when people naïvely trust corporations to "do no evil". Such a concept is antithetical to their nature. It's not a corporation's business to police the world, and it should never be entrusted with that obligation.

  14. Re:Kind of like by Alsee · · Score: 2, Insightful

    What is to stop us (geeks, hackers, etc.) from forming our own little patchwork TC-less "internet"?

    Nothing. But what's going to be ON this new network? None of the existing internet websites and services. Just a handful of people. And anyway, none of the new software will run on a non-Trusted machine, the new media files won't work on a non-Trusted machine, Trusted e-mail won't be readable on a non-Trusted machine, you won't be able to send e-mail to the Trusted public network.

    And even if you did start to build up websites and stuff on this freenet, well, everyone on the Trustednet would be able to access all of the stuff on the Trustednet PLUS all of your stuff. There is absolutely no reason data from outside the Trust wall can't move into the Trust system. The restriction is that stuff inside the wall can't move out. No matter what you do the Trustednet is always "bigger and better and more" because anyone on a Trusted machine can see stuff on both the inside and the outside.

    -

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  15. Re:Kind of like by Alsee · · Score: 2, Insightful

    i would not even buy a computer if it were locked down like that

    There are some very common misunderstandings about Trusted Computing. One is that you are better off with a normal non-Trusted computer. You are not. That's why Trusted Computing is so insidious. Buying a computer without a Trust chip is like buying a computer without speakers. There's no reason NOT to take the computer with speakers, you can just leave them off and pretend they aren't there.

    A Trusted computer can do anything and everything a normal computer can do. All of your old software and old files still work.

    The difference is that a trusted Computer has a new handcuff mode. This is something "more" or "extra".

    The problem is that all of the new software and files and websites will only work if you turn on the new handcuff mode. The new software and files and websites may be crippled crap in handcuff mode, but at least they work. They don't work at all with handcuff mode off, and they don't work at all on a normal computer.

    It is the person with a normal computer who suffers. None of the new stuff works. And in a few years your ISP may only grant you a net connection through their Trusted software that only runs in handcuff mode. But by the time that happens you'll already be suffering pretty badly if you attempt to resist.

    -

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.