Slashdot Mirror
Cisco Evolving Into A Security Company
ChipGuy writes "Om Malik has an opinion piece stating his opinion that Cisco Systems is slowly becoming a security company, a move which may prove problematic for traditional security vendors like Symantec. Cisco has bought its way into the market, worried about the security moves of its main rival, Juniper Networks. The company expects to make major announcements at the RSA Conference later this week. "
Apparently they are very intersted in elliptic curve cryptography.
Cisco is becoming a security company - sort of like how Microsoft is becoming a security company.
They are still a "networking" company and networks are becoming security battlefields.
"a move which may prove problematic for traditional security vendors like Symantec."
Which means competition and is therefore good for the user.
Apart from that, another company concerned about security is no bad thing.
And some pretty good stuff, I might add. Popular with PHBs, too. Can we say "No one ever got fired for buying [Cisco]." yet?
This is going to be their major advantage when it comes to security, even down to the linksys brand for home users.
Good, proactive hardware provides real security. Bloaty, reactive software (Norton AV) goes down with the sinking ship (an exploding windows box).
Software, and security software has its purpose and can have value, but Cisco's advantage doesn't lie there.
~Rebecca
The market for security is much bigger anyway. There are dozens of network retailers, yet there are also dozens of security measures out there as well. From my experiance with Linksys equiptment (Part of Cisco, for those not in the know), security is a major strongpoint in their network hardware.
Anyway, as I'm trying to make out, the more competition in the security market, the more security has to evolve. This can only be a good thing, I feel.
And it took them how long to get SSH into the IOS? Give me a break. They are going to have to move at a lot faster pace if they want to be a security company.
Or security is a network battefield.
You don't 'sell' security : security for security is useless. Networking is something you sell and it needs security.
Sig (appended to the end of comments you post, 120 chars)
It will probably be Cisco's continued development of Network Admission Control(NAC) as it extends further down the network. NAC will interrogate a PC(via Cisco Trust Agent) that is plugged in to see if it running the latest MS patches, latest virus definitions, and Cisco Secure Agent policies. If not, it will prevent the workstation from going anywhere but to MS update, the AV vendor for updates, and the CSA policy server. Cisco is also pushing their IPSes into their devices. I wouldn't be surprised to see Cisco pushing IPSes to their switching line.
I live in Bangalore, you insensitive clod!
That's why they invented ACs.
do you really have to evolve into a security company in order to ensure that your products are secure... isn't it a fair expectation that when you buy an expensive router etc. that it won't have enormous flaws that allow for numerous exploits? regardless of who you buy it from?
Get your torrents...
Given the recent theft of the IOS source code, I certainly hope they get their shit together first.
bash: rtfm: command not found
...when you ask them why you must use plaintext telnet to maintain routers you bought as recently as a year or two ago...they mumble around and then say "have you heard of our self defending networks?"
Then there are other little things, like the limited authentication options unless you spend bookoo bucks...or the very limited logging/audit functions...or the way PIX assumes all 'outgoing' connections are valid (the very concept of 'outgoing' is a SOHO concept and not an enterprise firewalling concept)...ugh...don't get me started on the pix....
The more you look at Cisco products hands-on, it just highlight what Cisco does: Make networking products.
Granted, they make networking products *very* well and I wouldn't hesitate to recommend them over anyone else. But myself and just about every security pro I know sees them as networking devices with security kind of bolted on...NOT security devices. It's more like some IOS networking programmers tried to figure out what security folks need instead of researching what's actually going on out there or getting some real world infosec experience.
If they are becoming a security company, great. But they've said this for awhile now and it hasn't changed the fact that the focus is networking networking networking.
"The communications and computing sectors are coming together, and the key for us as a company is to leverage the expertise we have in those two sectors and develop vertical solutions." Hilarious.
Cisco is certainly a very experienced and knowledgeable company. The question is: would I trust someone who has built the greatest machine of censorship and oppression in the history of human kind to manage my "security"? Only an idiot would! Remember kids: some people may be experts in their field, but when they are so outrageously immoral you should never trust them. Never. Because one day those greedy bastards will gladly betray you as soon as they see even a slightest possibility of profit. Cisco is happy to collaborate with oppressive regimes helping to take away the last pieces of liberty from their citizens. Only a naïve child would think that they would not help the CIA and FBI to violate your privacy. Hiring Cisco as a security company would be an utterly foolish idea.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
I love how the ad that popped up above this article was a Cisco ad.
There is also the issue of whether any security, except your own, can be trusted. Will Cisco guarantee the absence of backdoors or 'approved' (not by the user) surveillance?
Then there is the issue of who makes the call on what 'security' is. There's a fair chance the average geek, sys admin, government and music trade rep will all have different ideas of what security is. Who's version gets implemented by Cisco and friends? Better that each one gets to do their own security.
I hate to sound like a sales guy for the company, but they have something called NAP that's just completely sick.
An agent (CSA) runs on all endpoints and checks them for AV, firewall, OS patches, etc. If it's clean, the switch or router let's them through to the main netowrk. If not, you get VLAN'd off to a remediation network, and once you are done there you are allowed on.
The trick here is that no one is in better position to do such a thing than the company that owns most of the network infrastructure.
Don't dismiss them as a security company; we've only seen the beginning.
dmiessler.com -- grep understanding knowledge
Software firewalls and security software are inherently pervertible - some even have programmatic interfaces to open ports!
The only good system security comes in part from sitting behind a hardware firewall router - something Cisco, with its subsidiary Linksys, is in a position to sell
I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
Cisco in Singaporehttp://www.cisco.com.sg/ is already a security company. They provide private policemen , armoured transport and have control over much of Singapores electronic infrastructure. They do have their fingers in more than just producing routers.
...I obey the laws of physics....
And I suspect you organization is the same. Internal networks are victims of strange political forces, ridiculous budgets and a crippling blindness that expensive boxes that protect us from the evil commie internets is all we need.
While I'm not defending the issues listed on that page, Microsoft are directly responsible for the flaws in their software, as they wrote it, where as the products described on the Attrition site came to Cisco via acquisition (the ONS products came from Pirelli (I think the same company that make tires and very "interesting" calendars)), in times when security probably wasn't one of the checkpoints on the due diligence list.
The only "true" Cisco products are routers, IOS, and more recently the IOS that is on the CRS-1. The security record for IOS has been pretty resonable, when you consider that it has and will always be "exposed" to the Internet.
The Internet's nature is peer to peer - 20050301_cs_profs.pdf
Their PIX firewall is no competition to the other popular vendors. It lacks both the performance and features of Netscreen/Junpier and has a shoddy security record.
Their IDS is less sensitive than Snort and its VMS manager software is slow, hideously bloated and buggy.
For several years, Cisco have been promoting an insecure combination of IPSEC shared-secret with xauth. Despite being documented as dangerous on their own website, it was still the taught and recommended way of configuring "convenient" secure remote access VPNs. Only in the last six months have they fixed this.
Their NAC/self-deluding-network initiative is broken as proposed. All enforcement is performed in the wrong place: routers off in the edge of the network. Right now, there is no way to deploy NAC on a switch or even a MSFC.
Cisco need to stop their marketing droids from directing their product development and get back to competing on technology.
The grammar called, it want's it's apostrophe's back.
Escher was the first MC and Giger invented the HR department.
Cisco has a terrible security track record, using them for security is absolutely retarded. And although its not firing, I have consistantly refused to hire people who think of cisco as the default solution to network problems for the last 3 years. You can get better hardware much cheaper, and install open source OSs like linux and openbsd and get a way better solution than cisco for a fraction of the price. The only think cisco is in competition is switches and high end routers. And there are superior products from other vendors in both those areas.
shouldn't trust the hosts.
In "Routing in the Internet", Christian Huitma, when describing the Internet architecture, describes why hosts shouldn't trust the network to perform reliable delivery. Hosts have more of an interest in reliable communication than the network as ultimately they will suffer the most if the network isn't as reliable as it says it is; therefore hosts should take the primary interest in ensuring the network delivers data reliably. That leads to absolute reliablity mechanisms in the network being redundant, as the hosts will implement them anyway. This is why TCP is an end-to-end protocol, why the IP header checksum only covers the IP header, and why the network layer in the Internet is only "best-effort".
In a later chapter, regarding QoS, he makes the point that the network shouldn't trust the hosts. The network should provide generally equal service to all its "customers" - the hosts that are attached to the edge of the network. Therefore, if one host is misbehaving, the network should penalise it. That is what the default queuing algorithm (Random Early Dectection) for the Internet does. Some details are in Recommendations on Queue Management and Congestion Avoidance in the Internet.
The same model applies to security. Security should be end-to-end when the host has the most interest in the consequences of lack of security. Hosts shouldn't trust the network to deliver data securely, as the consequences of secure delivery are most felt by the hosts (and therefore the users sitting behind them).
The network's security needs aren't quite the same as the hosts; the main thing the network has to secure is availability and the ability to continue to provide equal service to all its customers (the hosts.) Authentication in routing protocols, secure administration tools such as SNMPv3 and SSH, and traffic rate limiting mechanisms like RED are network security mechanisms that protect the network's service.
Security problems come about when attempts are made to implement host security in the network, and network security in the hosts. For example, a firewall's purpose is really to protect the hosts. The current location for most firewalls is inside the network. Unfortunately that doesn't fully extend the host protection a firewall provides up to the host itself. With the current model, it is easy enough to "unprotect" the host by inserting a device, for example a wireless access point, between the firewall and the host. The firewall may still protect the host from Internet based attackers, however it doesn't protect the host from war drivers. Ideally, a firewall should reside on the host itself, to protect the host from attacks from all (network) directions. Interestingly, that is happening already through evolution - most host OSes are coming with firewalls out of the box. Administration of firewall security policy is a problem with this model, due to the increased number of firewalls to now administer, however, mechanisms are being developed to apply distributed security policy. Distributed Firewalls by Steven M. Bellovin describes this model further.
The Internet's nature is peer to peer - 20050301_cs_profs.pdf
Wire Cutters
The Internet's nature is peer to peer - 20050301_cs_profs.pdf
Cisco has always been a security company. My favorite quote from the article:
"Cisco isn't known as a security company,"
Really? IOS doesn't have any security features built in? What exactly are my PIX firewalls doing for me?
Security isn't something you can buy from a vendor and just roll out over a weekend. Security must be present at every layer of your network. Routers, firewalls, switches, servers, desktops, operating systems, applications, user accounts, and even peripherals must be scrutinzed for security these days. Cisco realizes this, and is taking steps to secure "their" part - the network part.
Now if we could just get some software guys in Redmond to check their input buffers...
-ted
Whoops, I accidentally posted only half a post. Her's the second half:
B) What about all the non-Windows boxes hooked to the network? And I'm not talking about Macs, I'm talking about all the little doo-hickeys that get hooked to the net like my printer, people's TIVO's, etc.
Well, there's no reason your OLD printer and stuff can't still work on an internal network. They just wouldn't be able to talk to the outside internet.
As for new stuff, there's a big push to start dumping Trust chips into pretty much everything that will be networked. Your 5 year old printer and webcam won't be supported by your ISP, but your New and Improved Network Secure printer and webcam will probably work fine.
If Dell said they were doing it it might be something to take seriously.
YES, I AGREE.
Only a few Dell models are currently Trusted Compliant, but as I said, not a single PC manufacturer will be selling non-compliant systems once Longhorn rolls out. Do you seriously think Dell is going to sell computers that can't fully run the new version of Windows? Computers that can only run the new Windows in crippled mode with a downgraded graphics interface? And you KNOW Windows will occationally pop up "error" messages complaining that it can't do X Y and Z becuase your hardware is incompatible.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
Despite what Certicom would have you believe, it's perfectly possible to use ECC and point compression without trespassing their patents. There are some optimizations and nice tricks that are patented, but they are not essential.
Xenu loves you!