Slashdot Mirror
Cisco Evolving Into A Security Company
ChipGuy writes "Om Malik has an opinion piece stating his opinion that Cisco Systems is slowly becoming a security company, a move which may prove problematic for traditional security vendors like Symantec. Cisco has bought its way into the market, worried about the security moves of its main rival, Juniper Networks. The company expects to make major announcements at the RSA Conference later this week. "
Apparently they are very intersted in elliptic curve cryptography.
Cisco is becoming a security company - sort of like how Microsoft is becoming a security company.
They are still a "networking" company and networks are becoming security battlefields.
"a move which may prove problematic for traditional security vendors like Symantec."
Which means competition and is therefore good for the user.
Apart from that, another company concerned about security is no bad thing.
And some pretty good stuff, I might add. Popular with PHBs, too. Can we say "No one ever got fired for buying [Cisco]." yet?
This is going to be their major advantage when it comes to security, even down to the linksys brand for home users.
Good, proactive hardware provides real security. Bloaty, reactive software (Norton AV) goes down with the sinking ship (an exploding windows box).
Software, and security software has its purpose and can have value, but Cisco's advantage doesn't lie there.
~Rebecca
The market for security is much bigger anyway. There are dozens of network retailers, yet there are also dozens of security measures out there as well. From my experiance with Linksys equiptment (Part of Cisco, for those not in the know), security is a major strongpoint in their network hardware.
Anyway, as I'm trying to make out, the more competition in the security market, the more security has to evolve. This can only be a good thing, I feel.
And it took them how long to get SSH into the IOS? Give me a break. They are going to have to move at a lot faster pace if they want to be a security company.
Or security is a network battefield.
You don't 'sell' security : security for security is useless. Networking is something you sell and it needs security.
Sig (appended to the end of comments you post, 120 chars)
It will probably be Cisco's continued development of Network Admission Control(NAC) as it extends further down the network. NAC will interrogate a PC(via Cisco Trust Agent) that is plugged in to see if it running the latest MS patches, latest virus definitions, and Cisco Secure Agent policies. If not, it will prevent the workstation from going anywhere but to MS update, the AV vendor for updates, and the CSA policy server. Cisco is also pushing their IPSes into their devices. I wouldn't be surprised to see Cisco pushing IPSes to their switching line.
do you really have to evolve into a security company in order to ensure that your products are secure... isn't it a fair expectation that when you buy an expensive router etc. that it won't have enormous flaws that allow for numerous exploits? regardless of who you buy it from?
Get your torrents...
...when you ask them why you must use plaintext telnet to maintain routers you bought as recently as a year or two ago...they mumble around and then say "have you heard of our self defending networks?"
Then there are other little things, like the limited authentication options unless you spend bookoo bucks...or the very limited logging/audit functions...or the way PIX assumes all 'outgoing' connections are valid (the very concept of 'outgoing' is a SOHO concept and not an enterprise firewalling concept)...ugh...don't get me started on the pix....
The more you look at Cisco products hands-on, it just highlight what Cisco does: Make networking products.
Granted, they make networking products *very* well and I wouldn't hesitate to recommend them over anyone else. But myself and just about every security pro I know sees them as networking devices with security kind of bolted on...NOT security devices. It's more like some IOS networking programmers tried to figure out what security folks need instead of researching what's actually going on out there or getting some real world infosec experience.
If they are becoming a security company, great. But they've said this for awhile now and it hasn't changed the fact that the focus is networking networking networking.
I love how the ad that popped up above this article was a Cisco ad.
There is also the issue of whether any security, except your own, can be trusted. Will Cisco guarantee the absence of backdoors or 'approved' (not by the user) surveillance?
Then there is the issue of who makes the call on what 'security' is. There's a fair chance the average geek, sys admin, government and music trade rep will all have different ideas of what security is. Who's version gets implemented by Cisco and friends? Better that each one gets to do their own security.
I hate to sound like a sales guy for the company, but they have something called NAP that's just completely sick.
An agent (CSA) runs on all endpoints and checks them for AV, firewall, OS patches, etc. If it's clean, the switch or router let's them through to the main netowrk. If not, you get VLAN'd off to a remediation network, and once you are done there you are allowed on.
The trick here is that no one is in better position to do such a thing than the company that owns most of the network infrastructure.
Don't dismiss them as a security company; we've only seen the beginning.
dmiessler.com -- grep understanding knowledge
While I'm not defending the issues listed on that page, Microsoft are directly responsible for the flaws in their software, as they wrote it, where as the products described on the Attrition site came to Cisco via acquisition (the ONS products came from Pirelli (I think the same company that make tires and very "interesting" calendars)), in times when security probably wasn't one of the checkpoints on the due diligence list.
The only "true" Cisco products are routers, IOS, and more recently the IOS that is on the CRS-1. The security record for IOS has been pretty resonable, when you consider that it has and will always be "exposed" to the Internet.
The Internet's nature is peer to peer - 20050301_cs_profs.pdf
Their PIX firewall is no competition to the other popular vendors. It lacks both the performance and features of Netscreen/Junpier and has a shoddy security record.
Their IDS is less sensitive than Snort and its VMS manager software is slow, hideously bloated and buggy.
For several years, Cisco have been promoting an insecure combination of IPSEC shared-secret with xauth. Despite being documented as dangerous on their own website, it was still the taught and recommended way of configuring "convenient" secure remote access VPNs. Only in the last six months have they fixed this.
Their NAC/self-deluding-network initiative is broken as proposed. All enforcement is performed in the wrong place: routers off in the edge of the network. Right now, there is no way to deploy NAC on a switch or even a MSFC.
Cisco need to stop their marketing droids from directing their product development and get back to competing on technology.
Cisco has a terrible security track record, using them for security is absolutely retarded. And although its not firing, I have consistantly refused to hire people who think of cisco as the default solution to network problems for the last 3 years. You can get better hardware much cheaper, and install open source OSs like linux and openbsd and get a way better solution than cisco for a fraction of the price. The only think cisco is in competition is switches and high end routers. And there are superior products from other vendors in both those areas.
shouldn't trust the hosts.
In "Routing in the Internet", Christian Huitma, when describing the Internet architecture, describes why hosts shouldn't trust the network to perform reliable delivery. Hosts have more of an interest in reliable communication than the network as ultimately they will suffer the most if the network isn't as reliable as it says it is; therefore hosts should take the primary interest in ensuring the network delivers data reliably. That leads to absolute reliablity mechanisms in the network being redundant, as the hosts will implement them anyway. This is why TCP is an end-to-end protocol, why the IP header checksum only covers the IP header, and why the network layer in the Internet is only "best-effort".
In a later chapter, regarding QoS, he makes the point that the network shouldn't trust the hosts. The network should provide generally equal service to all its "customers" - the hosts that are attached to the edge of the network. Therefore, if one host is misbehaving, the network should penalise it. That is what the default queuing algorithm (Random Early Dectection) for the Internet does. Some details are in Recommendations on Queue Management and Congestion Avoidance in the Internet.
The same model applies to security. Security should be end-to-end when the host has the most interest in the consequences of lack of security. Hosts shouldn't trust the network to deliver data securely, as the consequences of secure delivery are most felt by the hosts (and therefore the users sitting behind them).
The network's security needs aren't quite the same as the hosts; the main thing the network has to secure is availability and the ability to continue to provide equal service to all its customers (the hosts.) Authentication in routing protocols, secure administration tools such as SNMPv3 and SSH, and traffic rate limiting mechanisms like RED are network security mechanisms that protect the network's service.
Security problems come about when attempts are made to implement host security in the network, and network security in the hosts. For example, a firewall's purpose is really to protect the hosts. The current location for most firewalls is inside the network. Unfortunately that doesn't fully extend the host protection a firewall provides up to the host itself. With the current model, it is easy enough to "unprotect" the host by inserting a device, for example a wireless access point, between the firewall and the host. The firewall may still protect the host from Internet based attackers, however it doesn't protect the host from war drivers. Ideally, a firewall should reside on the host itself, to protect the host from attacks from all (network) directions. Interestingly, that is happening already through evolution - most host OSes are coming with firewalls out of the box. Administration of firewall security policy is a problem with this model, due to the increased number of firewalls to now administer, however, mechanisms are being developed to apply distributed security policy. Distributed Firewalls by Steven M. Bellovin describes this model further.
The Internet's nature is peer to peer - 20050301_cs_profs.pdf