Cisco Evolving Into A Security Company
ChipGuy writes "Om Malik has an opinion piece stating his opinion that Cisco Systems is slowly becoming a security company, a move which may prove problematic for traditional security vendors like Symantec. Cisco has bought its way into the market, worried about the security moves of its main rival, Juniper Networks. The company expects to make major announcements at the RSA Conference later this week. "
The market for security is much bigger anyway. There are dozens of network retailers, yet there are also dozens of security measures out there as well. From my experience with Linksys equipment (part of Cisco, for those not in the know), security is a major strongpoint in their network hardware.
Anyway, as I'm trying to make out, the more competition in the security market, the more security has to evolve. This can only be a good thing, I feel.
And it took them how long to get SSH into IOS? Give me a break. They are going to have to move at a much faster pace if they want to be a security company.
Given the recent theft of the IOS source code, I certainly hope they get their shit together first.
bash: rtfm: command not found
"The communications and computing sectors are coming together, and the key for us as a company is to leverage the expertise we have in those two sectors and develop vertical solutions." Hilarious.
Cisco is certainly a very experienced and knowledgeable company. The question is: would I trust someone who has built the greatest machine of censorship and oppression in the history of humankind to manage my "security"? Only an idiot would! Remember kids: some people may be experts in their field, but when they are so outrageously immoral you should never trust them. Never. Because one day those greedy bastards will gladly betray you as soon as they see even the slightest possibility of profit. Cisco is happy to collaborate with oppressive regimes, helping to take away the last pieces of liberty from their citizens. Only a naïve child would think that they would not help the CIA and FBI to violate your privacy. Hiring Cisco as a security company would be an utterly foolish idea.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
Indeed.
An agent (CSA) runs on all endpoints and checks them for AV, firewall, OS patches, etc. If it's clean, the switch or router lets them through to the main network. If not, you get VLAN'd off to a remediation network, and once you are done there you are allowed on.
Not to sound like a sales guy, but Bradford Software has an appliance that's been doing this for over a year. It polls switches for clients, can perform port and VLAN management, and it does remediation scans. Best of all, it interoperates with most managed switching equipment from any vendor.
Also cool is the fact that it doesn't require software on the clients (I couldn't tell from your description if NAP requires this). The appliance scans the client machines with various penetration tools and automatically sends them to a remediation VLAN. Very helpful for rogue clients on the network.
Microsoft was working on something like this too, called Network Quarantine. Basically, the server would request a ticket from the machine indicating its virus definition file version, system health, etc.
If anything was less than kosher, the same kind of thing would happen as you speak of. You'd be put on a VLAN with access limited to servers with patches and other updates.
My problem with it was that you have to trust the client machine to report its health status correctly, while such information could be easily mangled by virii or spyware.
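The admission flow described two posts up (agent reports posture, switch assigns a production or a remediation VLAN) and the objection just above that the client's self-report can be faked, as an added example. This is not code from the thread, from Cisco's NAC/CSA, from Bradford or from Microsoft's Network Quarantine; VLAN ids, policy fields, patch identifiers and the agent key are all constructed for illustration.

```python
import hmac
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

PRODUCTION_VLAN = 100      # assumed VLAN ids, illustration only
REMEDIATION_VLAN = 999

# Assumed admission policy. Patch ids are constructed placeholders, not real KBs.
POLICY = {
    "min_av_signature_version": 20050301,
    "firewall_required": True,
    "required_patches": frozenset({"PATCH-0001", "PATCH-0002"}),
}


@dataclass(frozen=True)
class Posture:
    av_signature_version: int
    firewall_enabled: bool
    installed_patches: frozenset


def evaluate(posture: Posture, policy=POLICY) -> list:
    """Return the policy failures for this posture; an empty list means compliant."""
    failures = []
    if posture.av_signature_version < policy["min_av_signature_version"]:
        failures.append("av-signatures-stale")
    if policy["firewall_required"] and not posture.firewall_enabled:
        failures.append("host-firewall-off")
    missing = policy["required_patches"] - posture.installed_patches
    if missing:
        failures.append("missing-patches:" + ",".join(sorted(missing)))
    return failures


def assign_vlan(posture: Posture) -> int:
    """Switch-side decision: compliant hosts go to production, the rest to remediation."""
    return PRODUCTION_VLAN if not evaluate(posture) else REMEDIATION_VLAN


# --- wire format: what the endpoint agent actually sends to the switch ---

def encode(posture: Posture) -> bytes:
    body = {"av": posture.av_signature_version, "fw": posture.firewall_enabled,
            "patches": sorted(posture.installed_patches)}
    return json.dumps(body, sort_keys=True).encode()   # json.dumps never emits a raw newline


def decode(body: bytes) -> Posture:
    d = json.loads(body)
    return Posture(int(d["av"]), bool(d["fw"]), frozenset(d["patches"]))


def admit_unauthenticated(raw: bytes) -> int:
    """Naive admission: believe whatever the client says about itself."""
    return assign_vlan(decode(raw))


def sign_report(posture: Posture, agent_key: bytes) -> bytes:
    """Agent side: body, newline, hex(HMAC-SHA256(agent_key, body))."""
    body = encode(posture)
    tag = hmac.new(agent_key, body, hashlib.sha256).hexdigest()
    return body + b"\n" + tag.encode()


def admit_authenticated(raw: bytes, agent_key: bytes) -> Optional[int]:
    """Switch side: reject reports whose MAC does not verify; None means denied."""
    body, sep, tag = raw.rpartition(b"\n")
    if not sep:
        return None
    expected = hmac.new(agent_key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None
    return assign_vlan(decode(body))


# Constructed sample data.
AGENT_KEY = b"constructed-demo-key-not-a-real-secret"
HEALTHY = Posture(20050301, True, frozenset({"PATCH-0001", "PATCH-0002"}))
STALE = Posture(20041201, False, frozenset({"PATCH-0001"}))


def demo() -> dict:
    """The scenarios the thread discusses; returns each outcome for inspection."""
    honest = sign_report(STALE, AGENT_KEY)
    forged_unsigned = encode(HEALTHY)                 # spyware on STALE claims to be clean
    forged_signed = sign_report(HEALTHY, b"wrong-key")  # ...and guesses at the key
    tampered = encode(HEALTHY) + b"\n" + honest.rpartition(b"\n")[2]  # real tag, swapped body
    return {
        "honest_stale": admit_authenticated(honest, AGENT_KEY),
        "forged_no_auth": admit_unauthenticated(forged_unsigned),
        "forged_bad_mac": admit_authenticated(forged_signed, AGENT_KEY),
        "tampered_body": admit_authenticated(tampered, AGENT_KEY),
    }
```

The MAC only proves the report came from something holding the agent key; it does not prove the report is true. Malware running with the agent's privileges can read that key and sign a clean-looking posture, which is exactly the objection above. That gap is why the schemes in this thread reach for hardware that the OS cannot freely lie to, at the cost the later comment on Trusted Computing complains about.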
good hardware != security
Cisco/Linksys stuff out of the box is insecure by default, which is not good.
Have you ever tried any Cisco software (not IOS), like their VPN clients etc.?
From my experience, those are the worst crap I've seen since mobile data suites.
It's easy to compare a hardware firewall to software like Norton AV. The software runs on your workstation instead of on a separate box and CPU. It's clear it'll eat resources when processing incoming/outgoing traffic.
But why compare them in the first place? Nobody in corporate networks should run any software like that on their machines in the first place.
The IT administration should have limited the set of programs that users can run, and they shouldn't have permissions to install any software of their own on the machines.
If you notice the AV part in Norton, it pretty clearly hints that it's an anti-virus, not a firewall. And can you really compare an anti-virus to a firewall/router?
Sure, there are some L7 firewalls, which slow the traffic equally (depending on connection and traffic load, of course), but they are pretty much outside the budget and an overkill solution for most users anyway.
There are no atheists when recovering from tape backup.
Does it support Macs, Linux, and BSD? I would be surprised if it did. Though I guess you don't need AV and such with non-Windows machines, but some sort of visibility into these systems would be nice.
There is very little end-user software out there that makes a legitimate effort to support all platforms. Though actually, Cisco's VPN client does a pretty good job. They have Windows, Mac, and Linux versions.
Carl
Vote Libertarian
Cisco has a terrible security track record; using them for security is absolutely retarded. And although it's not firing, I have consistently refused to hire people who think of Cisco as the default solution to network problems for the last 3 years. You can get better hardware much cheaper, and install open source OSes like Linux and OpenBSD and get a way better solution than Cisco for a fraction of the price. The only thing Cisco is in competition in is switches and high-end routers. And there are superior products from other vendors in both those areas.
shouldn't trust the hosts.
In "Routing in the Internet", Christian Huitema, when describing the Internet architecture, describes why hosts shouldn't trust the network to perform reliable delivery. Hosts have more of an interest in reliable communication than the network, as ultimately they will suffer the most if the network isn't as reliable as it says it is; therefore hosts should take the primary interest in ensuring the network delivers data reliably. That leads to absolute reliability mechanisms in the network being redundant, as the hosts will implement them anyway. This is why TCP is an end-to-end protocol, why the IP header checksum only covers the IP header, and why the network layer in the Internet is only "best-effort".
In a later chapter, regarding QoS, he makes the point that the network shouldn't trust the hosts. The network should provide generally equal service to all its "customers" - the hosts that are attached to the edge of the network. Therefore, if one host is misbehaving, the network should penalise it. That is what the default queuing algorithm (Random Early Detection) for the Internet does. Some details are in Recommendations on Queue Management and Congestion Avoidance in the Internet.
The same model applies to security. Security should be end-to-end when the host has the most interest in the consequences of lack of security. Hosts shouldn't trust the network to deliver data securely, as the consequences of secure delivery are most felt by the hosts (and therefore the users sitting behind them).
The network's security needs aren't quite the same as the hosts'; the main thing the network has to secure is availability and the ability to continue to provide equal service to all its customers (the hosts). Authentication in routing protocols, secure administration tools such as SNMPv3 and SSH, and traffic rate limiting mechanisms like RED are network security mechanisms that protect the network's service.
Security problems come about when attempts are made to implement host security in the network, and network security in the hosts. For example, a firewall's purpose is really to protect the hosts. The current location for most firewalls is inside the network. Unfortunately that doesn't fully extend the host protection a firewall provides up to the host itself. With the current model, it is easy enough to "unprotect" the host by inserting a device, for example a wireless access point, between the firewall and the host. The firewall may still protect the host from Internet based attackers, however it doesn't protect the host from war drivers. Ideally, a firewall should reside on the host itself, to protect the host from attacks from all (network) directions. Interestingly, that is happening already through evolution - most host OSes are coming with firewalls out of the box. Administration of firewall security policy is a problem with this model, due to the increased number of firewalls to now administer, however, mechanisms are being developed to apply distributed security policy. Distributed Firewalls by Steven M. Bellovin describes this model further.
The Internet's nature is peer to peer - 20050301_cs_profs.pdf
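The queue-management mechanism the post above leans on (RED, from the "Recommendations on Queue Management and Congestion Avoidance in the Internet" document, RFC 2309, it cites), as an added example rather than anything from the thread or from a Cisco product. The queue thresholds, the two senders' rates and the link rate are assumptions chosen so the link is overloaded and the queue has to shed traffic; the point is to see which sender bears the drops.

```python
import random
from collections import deque


class RedQueue:
    """Random Early Detection (Floyd & Jacobson 1993, recommended in RFC 2309).
    Arriving packets are dropped with a probability that rises with the
    *average* queue length, so responsive senders are signalled to back off
    before the buffer overflows.  Parameter values are demo assumptions,
    not a tuned configuration."""

    def __init__(self, capacity=50, min_th=5, max_th=15, max_p=0.1, w_q=0.2, seed=0):
        self.capacity = capacity
        self.min_th, self.max_th, self.max_p, self.w_q = min_th, max_th, max_p, w_q
        self.q = deque()
        self.avg = 0.0        # exponentially weighted average of the queue length
        self.count = -1       # packets since the last early drop (RFC 2309 'count')
        self.rng = random.Random(seed)

    def enqueue(self, pkt) -> bool:
        """Return True if pkt was queued, False if RED dropped it."""
        self.avg = (1 - self.w_q) * self.avg + self.w_q * len(self.q)
        if self.avg >= self.max_th or len(self.q) >= self.capacity:
            self.count = 0
            return False                                  # forced drop
        if self.avg >= self.min_th:
            self.count += 1
            p_b = self.max_p * (self.avg - self.min_th) / (self.max_th - self.min_th)
            p_a = p_b / max(1 - self.count * p_b, 1e-9)   # spreads drops out in time
            if self.rng.random() < min(p_a, 1.0):
                self.count = 0
                return False                              # early (probabilistic) drop
        else:
            self.count = -1
        self.q.append(pkt)
        return True

    def dequeue(self):
        return self.q.popleft() if self.q else None


def simulate(ticks=2000, service=3, seed=1) -> dict:
    """Two senders share one link: 'polite' offers 1 packet per tick, 'greedy'
    offers 4, and the link drains `service` packets per tick.  Offered load (5)
    exceeds capacity (3), so the queue must drop.  Returns per-sender counts."""
    q = RedQueue(seed=seed)
    sent = {"polite": 0, "greedy": 0}
    dropped = {"polite": 0, "greedy": 0}
    peak_avg = 0.0
    for _ in range(ticks):
        for flow, rate in (("polite", 1), ("greedy", 4)):
            for _ in range(rate):
                sent[flow] += 1
                if not q.enqueue(flow):
                    dropped[flow] += 1
        for _ in range(service):
            q.dequeue()
        peak_avg = max(peak_avg, q.avg)
    return {"sent": sent, "dropped": dropped, "peak_avg": peak_avg, "final_len": len(q.q)}


if __name__ == "__main__":
    print(simulate())
```

Two caveats a practitioner should keep in mind. Plain RED drops in proportion to each flow's share of arrivals, so the heavy sender loses the most packets in absolute terms, but RED by itself does not enforce per-flow fairness; that needs flow-aware variants or scheduling on top. And RED protects availability only against senders that react to loss (TCP); a flood from a sender that ignores drops is exactly the "misbehaving host" it cannot discipline, which is where rate limiting and ingress filtering come in.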
You're more right than you realize.
Microsoft and Cisco are both becoming "security companies" in the sense that "security" == "enforcing Trusted Computing". First I'll skim over the Windows issue, then I'll cover this new and insane threat from Cisco.
I assume we've all heard of Palladium. Well the next Windows release, Longhorn, *is* Palladium. Microsoft's own website documents that:
The Next-Generation Secure Computing Base (NGSCB) is new security technology for the Microsoft® Windows® platform. It will be included as part of an upcoming version of the Microsoft Windows operating system, code-named "Longhorn."...
"SSC" refers to the Security Support Component, a new PC hardware component...
The term "SSC" is generally interchangeable with "TPM" or trusted platform module. The TPM is a secure computing hardware module specified by the Trusted Computing Group
While Longhorn will likely technically run on a non-trusted computer, Microsoft has elsewhere documented that it will go into a brain-damaged cripple mode and lock you out of the full desktop graphics interface mode. Microsoft has documented that only Trusted Compliant hardware will be "CertifiedWindowsCompatible". And we all know no PC manufacturer can afford to sell new PCs that are not CertifiedWindowsCompatible and which only run with a crippled and downgraded interface. When Longhorn rolls out, the simple fact is that ALL new PCs will ship with Trusted Computing compliant hardware. No major PC manufacturer can afford to do otherwise. At least one manufacturer - Samsung - has already declared that they are now manufacturing nothing but Trusted compliant machines.
And now for Cisco. Cisco Cisco Cisco.
Some time ago Slashdot ran this story: Cisco Working to Block Viruses at the Router. Sounds wonderful, right? What the Slashdot story missed was that it does not actually have anything to do with routers blocking viruses. What it actually is is Cisco's new Network Admission Control (NAC). Anyone attempting to research exactly what Network Admission Control is and exactly how it works will find very little information available. Most Trusted Computing projects tend to bury the fact that they are Trusted Computing based because they know it will draw anger and bad press, but Network Admission Control is a real whopper. I can back it up better with bits and pieces from various sources, but this source has just enough details in one place to pin it down. The title is "Cisco, others plan to ban insecure PCs". The last few paragraphs state that it requires "new hardware" and state that it will "spur sales of PCs and devices that use trusted-computing hardware". If you read the article it should be quite clear how it functions. Any computer which attempts to connect to the router and request a net connection must be running a Cisco Trust Agent. That Trust Agent only works on a Trusted Computing compliant computer. If you don't have a Trusted Computer then you are denied access to the net. The Trust Agent then scans the operating system and software running on your computer and reports it to the router. If you are not running an approved operating system and running selected MANDATORY software then you are denied access to the net. The advertised purpose is to ensure that you have all of the latest operating system patches and that you are running an approved (mandatory) firewall and/or virus scanner. Of course it can be arbitrarily configured to make absolutely any kind of software mandatory, but the firewall and virus scanner are the ones they hype. And that's where the silly Slashdot title about "Blocking viruses at the router" came from.
It doesn't block viruses at the router, the router BANS computers that are not Trusted Compliant and it CAN be configured to enfor
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.