Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

Cisco Evolving Into A Security Company 196

ChipGuy writes "Om Malik has an opinion piece stating his opinion that Cisco Systems is slowly becoming a security company, a move which may prove problematic for traditional security vendors like Symantec. Cisco has bought its way into the market, worried about the security moves of its main rival, Juniper Networks. The company expects to make major announcements at the RSA Conference later this week. "
This discussion has been archived. No new comments can be posted.

Cisco Evolving Into A Security Company

Comments Filter:
  • by 2.7182 ( 819680 ) on Sunday February 13, 2005 @04:38PM (#11662095)
    Apparently they are very intersted in elliptic curve cryptography.
  • by Dachannien ( 617929 ) on Sunday February 13, 2005 @04:40PM (#11662109)
    Cisco is becoming a security company - sort of like how Microsoft is becoming a security company.

    • Re:Kind of like (Score:5, Interesting)

      by In-Doge ( 116196 ) on Sunday February 13, 2005 @04:56PM (#11662238)
      Indeed. [attrition.org]
      • by anti-NAT ( 709310 ) on Sunday February 13, 2005 @05:32PM (#11662488) Homepage

        While I'm not defending the issues listed on that page, Microsoft are directly responsible for the flaws in their software, as they wrote it, where as the products described on the Attrition site came to Cisco via acquisition (the ONS products came from Pirelli (I think the same company that make tires and very "interesting" calendars)), in times when security probably wasn't one of the checkpoints on the due diligence list.

        The only "true" Cisco products are routers, IOS, and more recently the IOS that is on the CRS-1. The security record for IOS has been pretty resonable, when you consider that it has and will always be "exposed" to the Internet.

        • The ONS came from Cerent. And Cisco has fixed all of the bugs in the code it purchased from them. There are situations where they cannot fix the bugs that pop up -- and others where marketing tells them not to... don't fix it; make 'em buy the new stuff.

          Even Cisco's routers are not 100% Cisco engineered these days -- hardware or software. Cisco has bought their way into just about every market they touch. And that's not necessarily a bad thing.
        1. Indeed.

        Interesting read. Normally, Cisco doesn't (or didn't as of last year) offer security fixes on any of the equipment it sells...unless you have a service contract. This refusal to fix this one device is not a good sign, though.

    • Re:Kind of like (Score:5, Interesting)

      by Alsee ( 515537 ) on Sunday February 13, 2005 @07:21PM (#11663359) Homepage
      You're more right than you realize.

      Microsoft and Cisco are both becoming "security companies" in the sense that "security" == "enforcing Trusted Computing". First I'll skim over the Windows issue, then I'll cover this new and insane threat from Cisco.

      I assume we've all heard of Palladium. Well the next Windows release, Longhorn, *is* Palladium. Microsoft's own website [microsoft.com] documents that:
      The Next-Generation Secure Computing Base (NGSCB) is new security technology for the Microsoft® Windows® platform. It will be included as part of an upcoming version of the Microsoft Windows operating system, code-named "Longhorn."...

      "SSC" refers to the Security Support Component, a new PC hardware component...

      The term "SSC" is generally interchangeable with "TPM" or trusted platform module. The TPM is a secure computing hardware module specified by the Trusted Computing Group


      While Longhorn will likely technically run on a non-trusted computer, Microsoft has elswhere documented that it will go into a brain-damged cripple mode and lock you out of the full desktop graphics interface mode. Microsoft has documented that only Trusted Compliant hardwill will be "CertifiedWindowsCompatible". And we all know no PC manufacturer can afford to sell new PC's that are not CertifiedWindowsCompatible and which only run with a crippled and downgraded interface. Whebn Longhorn rolls out the simple fact is that ALL new PCs will ship with Trusted Computing compliant hardware. No major PC manufacturer can afford to do otherwise. At least one manufacturer - Samsung - has already declared that they are nor manufacturing nothing but Trusted compliant machines.

      And now for Cisco. Cisco Cisco Cisco.

      Some time ago Slashdot ran this story: Cisco Working to Block Viruses at the Router. [slashdot.org] Sounds wonderful, right? What the Slashdot story missed was that it does not actually have anything to do with routers blocking viruses. What it actually is is Cisco's new Network Admission Control (NAC). Anyone attempting to research exactly what Network Admission Control is and exactly how it works will find very little information available. Most Trusted Compuing projects tend to bury the fact that they are Trusted Computing based because they know it will draw anger and bad press, but Network Admission Control it a real whopper. I can back it up better with bits and peices from various sources, but this source [zdnet.com] has just enough details in one place to pin it down. The title is "Cisco, others plan to ban insecure PCs". The last few paragraphs state that it requires "new hardware" and states that it will "spur sales of PCs and devices that use trusted-computing hardware". If you read tha article it should be quite clear how it functions. Any computer which attempts to connect to the router and request a net connection must be running a Cisco Trust Agent. That Trust Agent only works on a Trusted Computing compliant computer. If you don't have a Trusted Computer then you are denied access to the net. The Trust agent then scans the operating system and software running on your computer and reports it to the router. If you are not running an approved operating system and running selected MANDATORY software then you are denied access to the net. The advertized purpose is to ensure that you have all of the latest operating system patches and that you are running an approved (mandatory) firewall and/or virus scanner. Of course it can be arbitrarily configured to make absolutely any kind of software mandatory, but the firewall and virus scanner are the ones they hype. And that where the silly Slashdot title about "Blocking viruses at the router" came from. It doesn't block viruses at the router, the router BANS computers that are not Trusted Compliant and it CAN be configured to enfor
      • Re: (Score:3, Informative)

        Comment removed based on user account deletion
      • "The new CELL processor is documented as having a DRM enforcment system embedded in the CPU itself. There's no details available on this "DRM enforcement system", but it is doubtless Trusted Computing."
        I guess IBM will be crippling linux rather than protecting Sony's profits on the PS3? Hmm, no. Take off your tinfoil hat and realize that anything designed to take away our freedoms is at least slightly more insidious than giving Microsoft and Apple and Sun monopolies on the OS market.
        • I guess IBM will be crippling linux

          I'm don't think it's completed yet, but there will be a Trusted Linux available soon. It will almost definitely be available before Longhorn is out.

          Oh, and in case it wasn't clear, Trusted Computing processors will run existing Linux and all existing software just fine. Hoever normal Linux and software will not be able to read Trusted files. Also you will increasingly run into software and servers that will refuse to talk to normal Linux or unTrusted applications. In a
        • You will still be able to run Linux on a TC platform. It's just that you'll no longer be able to fool other (local and remote) software into thinking you're running Windows.

          TC is evil, but it's more subtle than a hardware lock that prevents you from running Linux on the plaform.
      • This might be that actual strategy but I guarantee that this will flop big time.

        A) A large percentage (growing all the time) of people connect to the Internet via their own little NAT boxes. Killing everyone's NAT boxes will not fly well.

        B) What about all the non-Windows boxes hooked to the network? And I'm not talking about Macs, I'm talking about all the little doo-hickeys that get hooked to the net like my printer, people's TIVO's, etc.

        These kind of big bang schemes are often dreamed up by marketing
        • guarantee that this will flop big time.

          A) A large percentage (growing all the time) of people connect to the Internet via their own little NAT boxes.


          I don't think the NAT matters. It's the data you are passing through that NAT that matters. It's the PC creating those packets that matters. Those packets are encrypted and signed. It is impossible for you or your NAT to alter the contents of those encrypted packets expect to block/destroy them. The ISP would only accept an authenticated packet that origina
        • by Alsee ( 515537 )
          Whoops, I accidentally posted only half a post. Her's the second half:

          B) What about all the non-Windows boxes hooked to the network? And I'm not talking about Macs, I'm talking about all the little doo-hickeys that get hooked to the net like my printer, people's TIVO's, etc.

          Well, there's no reason your OLD printer and stuff can't still work on an internal network. They just wouldn't be able to talk to the outside internet.

          As for new stuff, there's a big push to start dumping Trust chips into pretty muc
  • Or (Score:5, Insightful)

    by venicebeach ( 702856 ) on Sunday February 13, 2005 @04:40PM (#11662114) Homepage Journal
    They are still a "networking" company and networks are becoming security battlefields.
  • by ngc.for.life ( 858780 ) <ngc.for.life@g[ ]l.com ['mai' in gap]> on Sunday February 13, 2005 @04:42PM (#11662124)
    "a move which may prove problematic for traditional security vendors like Symantec."

    Which means competition and is therefore good for the user.

    Apart from that, another company concerned about security is no bad thing.
      1. "a move which may prove problematic for traditional security vendors like Symantec."

        Which means competition and is therefore good for the user.

      I don't consider Symantec a security company. They make software add-ons that plug holes in another company's product(s).

      Using Symantec's software to increase security is like adding bouncers to a pub that not only sells beer but hands out free baseball bats and crack cocaine while leaving everything on the bar because it's easier that way.

  • Cisco has hardware (Score:5, Insightful)

    by rkcallaghan ( 858110 ) on Sunday February 13, 2005 @04:43PM (#11662129)
    And some pretty good stuff, I might add. Popular with PHBs, too. Can we say "No one ever got fired for buying [Cisco]." yet?

    This is going to be their major advantage when it comes to security, even down to the linksys brand for home users.

    Good, proactive hardware provides real security. Bloaty, reactive software (Norton AV) goes down with the sinking ship (an exploding windows box).

    Software, and security software has its purpose and can have value, but Cisco's advantage doesn't lie there.

    ~Rebecca
    • by Keruo ( 771880 )
      good hardware != security

      Cisco/linksys stuff out of the box is insecure by default, which is not good.
      Have you ever tried any cisco software(not ios), but their vpn clients etc?
      From my experiences, those are worst crap I've seen since mobile data suites.

      It's easy to compare hardware firewall to some software like norton av. The software runs on your workstation instead on separate box and cpu. It's clear it'll eat resources when processing incoming/outgoing traffic.

      But why compare them in first plac
      • Have you ever tried any cisco software(not ios), but their vpn clients etc?

        Whether I have or not, I didn't say anything about Cisco's software. I'd be willing to bet that "crappy" or not; it does more stuff better than Norton.

        The software runs on your workstation instead on separate box and cpu. It's clear it'll eat resources when processing incoming/outgoing traffic.

        This is true, but not the reason I cited as Cisco's hardware advantage.

        But why compare them in first place?

        Because the orig
        • Symantec does real security products as well as norton, which is software geared for home users.
          They have real hardware firewalls aswell, see Gateway security 400 or 5400.

          Cisco hardware isn't secure by default.
          They have minimal configuration which will make it run(this is good thing from a view of network engineer, since the device will be configured when placed in its place), but it'll be open to the world with default password until changed.
          Same thing with linksys, but atleast they include ip filter
    • by Anonymous Coward
      Cisco has a terrible security track record, using them for security is absolutely retarded. And although its not firing, I have consistantly refused to hire people who think of cisco as the default solution to network problems for the last 3 years. You can get better hardware much cheaper, and install open source OSs like linux and openbsd and get a way better solution than cisco for a fraction of the price. The only think cisco is in competition is switches and high end routers. And there are superior
  • by Gareth Saxby ( 859006 ) <saxby182@@@hotmail...com> on Sunday February 13, 2005 @04:44PM (#11662135)
    The market for security is much bigger anyway. There are dozens of network retailers, yet there are also dozens of security measures out there as well. From my experiance with Linksys equiptment (Part of Cisco, for those not in the know), security is a major strongpoint in their network hardware.

    Anyway, as I'm trying to make out, the more competition in the security market, the more security has to evolve. This can only be a good thing, I feel.
    • Security is good though...
      This can only be a good thing


      Even if "security" is redefined to mean securing the computer against its owner? This is all about Trusted Computing.

      -
  • SSH (Score:5, Interesting)

    by cyberkahn ( 398201 ) on Sunday February 13, 2005 @04:45PM (#11662138) Homepage


    And it took them how long to get SSH into the IOS? Give me a break. They are going to have to move at a lot faster pace if they want to be a security company.

    • They are going to have to move at a lot faster pace if they want to be a security company.

      No kidding. I just got finished with a 4-month battle with Cisco to fix a bug that disabled access control lists in my core switch.

      If that's how long it takes a security bug to get fixed, I don't want to know how long it takes features to get implemented...

      • General design philosophy is that "core" anything shouldn't have ACLs, as they inhibit performance.

        ACLs on a core device is usually a sign that a non-optimal design is being used. Push the ACLs to towards the edge if you can, so traffic is dropped as early as possible. It also distributes the ACL processing load across many more devices, by distributing subsets of the network ACL set to those devices, rather than concentrating the network ACL set on a more central device.

  • Cisco Announcement (Score:3, Insightful)

    by dangermen ( 248354 ) on Sunday February 13, 2005 @04:47PM (#11662156) Homepage
    It will probably be Cisco's continued development of Network Admission Control(NAC) as it extends further down the network. NAC will interrogate a PC(via Cisco Trust Agent) that is plugged in to see if it running the latest MS patches, latest virus definitions, and Cisco Secure Agent policies. If not, it will prevent the workstation from going anywhere but to MS update, the AV vendor for updates, and the CSA policy server. Cisco is also pushing their IPSes into their devices. I wouldn't be surprised to see Cisco pushing IPSes to their switching line.
    • And if this gets implemented at the ISP level, we're going to be in trouble. While it'll curtail the latest worms and viruses, we're going to have to deal with what's classified as a "trusted" application - obviously, corporations like Symantec and MS with their big bucks can buy access into the definition fields, but what about the little guys like Grisoft, and what of the users who use nonstandard configurations (like me on a 68K Macintosh)? We don't all conform to green-out-of-the-box Dell specifications
    • and my point on this has always been that these features increase the TCO of the network in that one must keep all their service subscriptions up to date in order to ensure that all is clean on the network.

      While companies should keep their support contracts current, the fact is that this is not being acknowledged by cisco in any of the discussions I have had with them.

      So, if you are thinking about this as an option - remmeber that service is typically in the range of ~20% of the equipemtn cost anually - a
  • security? (Score:3, Insightful)

    by torrents ( 827493 ) on Sunday February 13, 2005 @04:49PM (#11662180) Homepage
    do you really have to evolve into a security company in order to ensure that your products are secure... isn't it a fair expectation that when you buy an expensive router etc. that it won't have enormous flaws that allow for numerous exploits? regardless of who you buy it from?
    • Re:security? (Score:3, Insightful)

      by _Sprocket_ ( 42527 )
      It's not about making secure products. It's about making products for security - firewalls, remote access, intrusion detection / prevention, etc.
  • Security? (Score:3, Interesting)

    by ErichTheWebGuy ( 745925 ) on Sunday February 13, 2005 @04:50PM (#11662187) Homepage
    Given the recent theft of the IOS source code, I certainly hope they get their shit together first.
    • Cisco is a huge, massive company. Massive companies are clumsy and usually find it tough to shift corners and sell something else.


    • Given the recent theft of the IOS source code, I certainly hope they get their shit together first.

      Genuine security built into IOS would mean that public release of the source code would have almost no impact.

      But you are correct that it shows slipshod corporate practices if a release occurred when it wasn't supposed to.

  • by flinxmeister ( 601654 ) on Sunday February 13, 2005 @04:51PM (#11662194) Homepage
    ...when you ask them why you must use plaintext telnet to maintain routers you bought as recently as a year or two ago...they mumble around and then say "have you heard of our self defending networks?"

    Then there are other little things, like the limited authentication options unless you spend bookoo bucks...or the very limited logging/audit functions...or the way PIX assumes all 'outgoing' connections are valid (the very concept of 'outgoing' is a SOHO concept and not an enterprise firewalling concept)...ugh...don't get me started on the pix....

    The more you look at Cisco products hands-on, it just highlight what Cisco does: Make networking products.

    Granted, they make networking products *very* well and I wouldn't hesitate to recommend them over anyone else. But myself and just about every security pro I know sees them as networking devices with security kind of bolted on...NOT security devices. It's more like some IOS networking programmers tried to figure out what security folks need instead of researching what's actually going on out there or getting some real world infosec experience.

    If they are becoming a security company, great. But they've said this for awhile now and it hasn't changed the fact that the focus is networking networking networking.
    • It's trivially easy to add ACLs to connections from higher security interfaces to lower security interfaces in PIX.

      That said, there is a significant amount of work left on PIX usability. It is not an easy box to configure it, and given the price point of 501E and 506E boxes we've seen customers buy them without realizing what they are getting themselves into as far as configuring the box to do something as simple as what a typical Linksys firewall does out of the box.

      For example, PAT is supported, but not
    • ...when you ask them why you must use plaintext telnet to maintain routers you bought as recently as a year or two ago...they mumble around and then say "have you heard of our self defending networks?"

      Um, all Cisco routers come with SSH. If you don't know how to enable it, fault lies with you, not Cisco.
  • Looky here. (Score:2, Interesting)

    by idono ( 858850 )
    "The communications and computing sectors are coming together, and the key for us as a company is to leverage the expertise we have in those two sectors and develop vertical solutions." Hilarious.
  • Good news? (Score:2, Interesting)

    by Pan T. Hose ( 707794 )
    Cisco is certainly a very experienced and knowledgeable company. The question is: would I trust someone who has built the greatest machine of censorship and oppression in the history of human kind [slashdot.org] to manage my "security"? Only an idiot would! Remember kids: some people may be experts in their field, but when they are so outrageously immoral you should never trust them. Never. Because one day those greedy bastards will gladly betray you as soon as they see even a slightest possibility of profit. Cisco is hap
    • I'd be pretty sure that the only reason they built the "Great Firewall of China" is because they could sell a lot of kit to do it, as well as establish a relationship and presence in China to sell a lot more kit in the future. If they didn't, probably one of their competitors would have.

      Who demands Cisco continue to be a profitable company ? Who demands Cisco continue to provide ever increasing share value, on a trajectory similar to the past ? Who demands that Cisco never accept letting their competitor

    • Re:Good news? (Score:2, Insightful)

      by Anonymous Coward
      Remember kids: some people may be experts in their field, but when they are so outrageously immoral you should never trust them. Never. Because one day those greedy bastards will gladly betray you as soon as they see even a slightest possibility of profit.

      Of course it would. Cisco is a corporation, not a human being. It has no soul and should not be expected to have one. A successful corporation works for shareholder profits and nothing more. If China wants a firewall, Cisco will sell one at the right

    • China is one of the biggest emerging markets in history. Besides, more global interdependency means a major global enconomic meltdown would be the prelude of another world war. At least we'll know when to start stocking up on canned goods before the shit hits the fan.

  • Ads (Score:3, Funny)

    by mattthateeguy ( 850214 ) on Sunday February 13, 2005 @04:57PM (#11662245)
    I love how the ad that popped up above this article was a Cisco ad.
  • by femto ( 459605 ) on Sunday February 13, 2005 @05:01PM (#11662274) Homepage
    Surely security belongs on the edges of the network, where users can make their own judgements about how much security they desire? Need high security? Do your own encryption at each end.

    There is also the issue of whether any security, except your own, can be trusted. Will Cisco guarantee the absence of backdoors or 'approved' (not by the user) surveillance?

    Then there is the issue of who makes the call on what 'security' is. There's a fair chance the average geek, sys admin, government and music trade rep will all have different ideas of what security is. Who's version gets implemented by Cisco and friends? Better that each one gets to do their own security.

    • by anti-NAT ( 709310 ) on Sunday February 13, 2005 @06:34PM (#11662970) Homepage

      shouldn't trust the hosts.

      In "Routing in the Internet", Christian Huitma, when describing the Internet architecture, describes why hosts shouldn't trust the network to perform reliable delivery. Hosts have more of an interest in reliable communication than the network as ultimately they will suffer the most if the network isn't as reliable as it says it is; therefore hosts should take the primary interest in ensuring the network delivers data reliably. That leads to absolute reliablity mechanisms in the network being redundant, as the hosts will implement them anyway. This is why TCP is an end-to-end protocol, why the IP header checksum only covers the IP header, and why the network layer in the Internet is only "best-effort".

      In a later chapter, regarding QoS, he makes the point that the network shouldn't trust the hosts. The network should provide generally equal service to all its "customers" - the hosts that are attached to the edge of the network. Therefore, if one host is misbehaving, the network should penalise it. That is what the default queuing algorithm (Random Early Dectection) for the Internet does. Some details are in Recommendations on Queue Management and Congestion Avoidance in the Internet [faqs.org].

      The same model applies to security. Security should be end-to-end when the host has the most interest in the consequences of lack of security. Hosts shouldn't trust the network to deliver data securely, as the consequences of secure delivery are most felt by the hosts (and therefore the users sitting behind them).

      The network's security needs aren't quite the same as the hosts; the main thing the network has to secure is availability and the ability to continue to provide equal service to all its customers (the hosts.) Authentication in routing protocols, secure administration tools such as SNMPv3 and SSH, and traffic rate limiting mechanisms like RED are network security mechanisms that protect the network's service.

      Security problems come about when attempts are made to implement host security in the network, and network security in the hosts. For example, a firewall's purpose is really to protect the hosts. The current location for most firewalls is inside the network. Unfortunately that doesn't fully extend the host protection a firewall provides up to the host itself. With the current model, it is easy enough to "unprotect" the host by inserting a device, for example a wireless access point, between the firewall and the host. The firewall may still protect the host from Internet based attackers, however it doesn't protect the host from war drivers. Ideally, a firewall should reside on the host itself, to protect the host from attacks from all (network) directions. Interestingly, that is happening already through evolution - most host OSes are coming with firewalls out of the box. Administration of firewall security policy is a problem with this model, due to the increased number of firewalls to now administer, however, mechanisms are being developed to apply distributed security policy. Distributed Firewalls [columbia.edu] by Steven M. Bellovin [columbia.edu] describes this model further.

      • I wrote

        Hosts shouldn't trust the network to deliver data securely, as the consequences of secure delivery are most felt by the hosts (and therefore the users sitting behind them).

        which really should be

        Hosts shouldn't trust the network to deliver data securely, as the consequences of insecure delivery are most felt by the hosts (and therefore the users sitting behind them).

  • NAP is sick... (Score:4, Insightful)

    by danielrm26 ( 567852 ) * on Sunday February 13, 2005 @05:04PM (#11662291) Homepage
    I hate to sound like a sales guy for the company, but they have something called NAP that's just completely sick.

    An agent (CSA) runs on all endpoints and checks them for AV, firewall, OS patches, etc. If it's clean, the switch or router let's them through to the main netowrk. If not, you get VLAN'd off to a remediation network, and once you are done there you are allowed on.

    The trick here is that no one is in better position to do such a thing than the company that owns most of the network infrastructure.

    Don't dismiss them as a security company; we've only seen the beginning.
    • Re:NAP is sick... (Score:4, Interesting)

      by jhealy1024 ( 234388 ) on Sunday February 13, 2005 @05:24PM (#11662432)

      An agent (CSA) runs on all endpoints and checks them for AV, firewall, OS patches, etc. If it's clean, the switch or router let's them through to the main netowrk. If not, you get VLAN'd off to a remediation network, and once you are done there you are allowed on.

      Not to sound like a sales guy, but Bradford Software [bradford-sw.com] has an appliance that's been doing this for over a year. It polls switches for clients, can perform port and VLAN management, and it does remediation scans. Best of all, it interoperates with most managed switching equipment from any vendor.

      Also cool is the fact that it doesn't require software on the clients (I couldn't tell from your description if NAP requires this). The appliance scans the client machines with various penetration tools and automatically sends them to a remediation VLAN. Very helpful for rogue clients on the network.

    • There's a company called PatchLink that has an agent which does much the same - their product not only includes AV, firewall and patch scans, but also common misconfiguration scans. Their agent also allows allows a network admin to instantly deploy OS and software patches, as well as remote product installations, AND it collects a complete hardware/software inventory of every machine's system and keeps the central console informed of any updates.

      I can't say enough good things about what they can do.

    • Re:NAP is sick... (Score:3, Interesting)

      by isometrick ( 817436 )
      Microsoft was working on something like this too, called Network Quarantine. Basically, the server would request a ticket from the machine indicating its virus definition file version, system health, etc.

      If anything was less than kosher, the same kind of thing would happen as you speak of. You'd be put on a VLAN with access limited to servers with patches and other updates.

      My problem with it was that you have to trust the client machine to report its health status correctly, while such information could b
      • My problem with it was that you have to trust the client machine to report its health status correctly, while such information could be easily mangled by virii or spyware.

        Exactly. Sure, it works great but effectively this is security through obscurity. Currently there is little incentive to reverse engineer the NAP / Network Quarantine protocol. The zillions of unpatched Windows boxes are easier targets. But if the pay-off is there (remember the Xbox hack?) it can and will be done. If only by some CS Phd

    • I hate to sound like a sales guy for the company, but they have something called NAP that's just completely sick.

      It's interesting that you note this... especially with the parent article's quote about Juniper. Juniper bought Netscreen last year. And for over a year, Netscreen has partnered with Infoexpress to support their CyberGatekeeper product - providing this kind of functionality. In fact, Cisco apparently had some interest in aquiring Netscreen but not the same dedication to the aquisition as J

    • Re:NAP is sick... (Score:3, Interesting)

      by carlivar ( 119811 )
      An agent (CSA) runs on all endpoints and checks them for AV, firewall, OS patches, etc.

      Does it support Macs, Linux, and BSD? I would be surprised if it did. Though I guess you don't need AV and such with non-Windows machines, but some sort of visibility into these systems would be nice.

      There is very few end-user software out there that makes a legitimate effort to support all platforms. Though actually, Cisco's VPN client does a pretty good job. They have Windows, Mac, and Linux versions.

      Carl

    • Re:NAP is sick... (Score:2, Informative)

      by jsindell ( 470747 )
      Actually, NAP [microsoft.com] is the Microsoft quarantine solution. Cisco's solution is NAC [cisco.com].

      NAP is not a security feature, it's a client health feature.
    • What happens if the CSA is compromised ? The network shouldn't trust the host, or any software running it it, to make network protection decisions that the network will blindly follow. This model implies that Cisco believe they can write perfectly secure and perfectly trustworthy software that operates on a perfectly insecure and perfectly untrustworthy OS such as Windows. I'd doubt they actually believe that.

      I explain some more about the network security model I believe should be followed in this previou

      • The network shouldn't trust the host, or any software running it it, to make network protection decisions that the network will blindly follow.

        The alternative today is to do no such access control from a network standpoint. Don't let perfect be the enemy of vastly improved.
        • I don't disagree with your sentiment.

          First up I'll admit that I don't really know much about how the software in question works, so my opinion below is based on speculation.

          Thinking a bit more about how this model could be implemented, there are fundamentally two components :

          • the software itself
          • the protocol used by the software to communicate policy to the network devices

          Each of those two components provide an opportunity for attack.

          Firstly, as I mentioned before, the software will have bugs in

      • You missed the fact that Cisco's system runs on top of Trusted computing. Of course that is mainly because Cisco and other compaines actively BURY the fact that such projects are Trusted Computing based. They want to hide from outrage and bad press related to Trusted Computing.

        If you don't have a Trusted compliant machine then Cisco's system denies you a net connection.

        -
    • It'd be nice for ISPs to instigate such a thing. I imagine it's around the corner.

      on the other hand: can you imagine the draconian enforcement which would lead to roughly 20% (all Mac and Linux users) getting shut off (or forced to upgrade "business" grade service)?

      I'd be very angry.
  • by CdBee ( 742846 ) on Sunday February 13, 2005 @05:04PM (#11662296)
    Software firewalls and security software are inherently pervertible - some even have programmatic interfaces to open ports!

    The only good system security comes in part from sitting behind a hardware firewall router - something Cisco, with its subsidiary Linksys, is in a position to sell
  • by mcc ( 14761 )
    Well I'd rather Cisco buy their way into the market than, say, Microsoft. Bought in or no, if Cisco wants to get somewhere meaningful, they're going to have to do it entirely based on quality products. If Symantec has to improve their own products to keep up, or Cisco's mainline products are indirectly improved in the process, well, so much the better.
  • Cisco in Singaporehttp://www.cisco.com.sg/ [cisco.com.sg] is already a security company. They provide private policemen , armoured transport and have control over much of Singapores electronic infrastructure. They do have their fingers in more than just producing routers.
  • by gelfling ( 6534 ) on Sunday February 13, 2005 @05:13PM (#11662350) Homepage Journal
    And I suspect you organization is the same. Internal networks are victims of strange political forces, ridiculous budgets and a crippling blindness that expensive boxes that protect us from the evil commie internets is all we need.
  • by Anonymous Coward on Sunday February 13, 2005 @05:33PM (#11662507)
    Their PIX firewall is no competition to the other popular vendors. It lacks both the performance and features of Netscreen/Junpier and has a shoddy security record [mitre.org].

    Their IDS is less sensitive than Snort [snort.org] and its VMS manager software is slow, hideously bloated and buggy.

    For several years, Cisco have been promoting an insecure combination of IPSEC shared-secret with xauth. Despite being documented as dangerous [cisco.com] on their own website, it was still the taught and recommended way of configuring "convenient" secure remote access VPNs. Only in the last six months have they fixed this.

    Their NAC/self-deluding-network initiative is broken as proposed. All enforcement is performed in the wrong place: routers off in the edge of the network. Right now, there is no way to deploy NAC on a switch or even a MSFC.

    Cisco need to stop their marketing droids from directing their product development and get back to competing on technology.
  • I would have though that Sun would have filled this vacuum a couple of years ago. With all their "network is the computer" marketing, and the huge demand for security on the networks that Sun pioneered, Sun had an even better position to fill this niche than does Cisco. But no real move by Sun on security for everyone since Java's sandbox. I think the Sun really is setting if it lets opportunities like this fall to companies like Cisco instead.
  • Comment removed (Score:3, Informative)

    by account_deleted ( 4530225 ) on Sunday February 13, 2005 @10:36PM (#11664566)
    Comment removed based on user account deletion
  • Hum, it seems they are already publishing info ...

    For example, this Cisco Clean Access is the re-badged and cisco-integrated Perfigo CleanMachines [perfigo.com].

My sister opened a computer store in Hawaii. She sells C shells down by the seashore.

Working...