Cisco Evolving Into A Security Company
ChipGuy writes "Om Malik has an opinion piece stating his opinion that Cisco Systems is slowly becoming a security company, a move which may prove problematic for traditional security vendors like Symantec. Cisco has bought its way into the market, worried about the security moves of its main rival, Juniper Networks. The company expects to make major announcements at the RSA Conference later this week. "
Elliptic curves (Score:4, Funny)
Re:How is this funny?? (Score:2)
ECC not patent encumbered (Score:3, Informative)
Kind of like (Score:5, Funny)
Re:Kind of like (Score:5, Interesting)
Similar, not the same though. (Score:5, Informative)
While I'm not defending the issues listed on that page, Microsoft are directly responsible for the flaws in their software, as they wrote it, whereas the products described on the Attrition site came to Cisco via acquisition (the ONS products came from Pirelli (I think the same company that make tires and very "interesting" calendars)), in times when security probably wasn't one of the checkpoints on the due diligence list.
The only "true" Cisco products are routers, IOS, and more recently the IOS that is on the CRS-1. The security record for IOS has been pretty reasonable, when you consider that it has and will always be "exposed" to the Internet.
Re:Similar, not the same though. (Score:2, Informative)
Even Cisco's routers are not 100% Cisco engineered these days -- hardware or software. Cisco has bought their way into just about every market they touch. And that's not necessarily a bad thing.
Re:Kind of like (Score:2)
Interesting read. Normally, Cisco doesn't (or didn't as of last year) offer security fixes on any of the equipment it sells...unless you have a service contract. This refusal to fix this one device is not a good sign, though.
Re:Kind of like (Score:5, Interesting)
Microsoft and Cisco are both becoming "security companies" in the sense that "security" == "enforcing Trusted Computing". First I'll skim over the Windows issue, then I'll cover this new and insane threat from Cisco.
I assume we've all heard of Palladium. Well the next Windows release, Longhorn, *is* Palladium. Microsoft's own website [microsoft.com] documents that:
The Next-Generation Secure Computing Base (NGSCB) is new security technology for the Microsoft® Windows® platform. It will be included as part of an upcoming version of the Microsoft Windows operating system, code-named "Longhorn."...
"SSC" refers to the Security Support Component, a new PC hardware component...
The term "SSC" is generally interchangeable with "TPM" or trusted platform module. The TPM is a secure computing hardware module specified by the Trusted Computing Group
While Longhorn will likely technically run on a non-trusted computer, Microsoft has elsewhere documented that it will go into a brain-damaged cripple mode and lock you out of the full desktop graphics interface mode. Microsoft has documented that only Trusted Compliant hardware will be "CertifiedWindowsCompatible". And we all know no PC manufacturer can afford to sell new PCs that are not CertifiedWindowsCompatible and which only run with a crippled and downgraded interface. When Longhorn rolls out the simple fact is that ALL new PCs will ship with Trusted Computing compliant hardware. No major PC manufacturer can afford to do otherwise. At least one manufacturer - Samsung - has already declared that they are now manufacturing nothing but Trusted compliant machines.
And now for Cisco. Cisco Cisco Cisco.
Some time ago Slashdot ran this story: Cisco Working to Block Viruses at the Router. [slashdot.org] Sounds wonderful, right? What the Slashdot story missed was that it does not actually have anything to do with routers blocking viruses. What it actually is is Cisco's new Network Admission Control (NAC). Anyone attempting to research exactly what Network Admission Control is and exactly how it works will find very little information available. Most Trusted Computing projects tend to bury the fact that they are Trusted Computing based because they know it will draw anger and bad press, but Network Admission Control is a real whopper. I can back it up better with bits and pieces from various sources, but this source [zdnet.com] has just enough details in one place to pin it down. The title is "Cisco, others plan to ban insecure PCs". The last few paragraphs state that it requires "new hardware" and state that it will "spur sales of PCs and devices that use trusted-computing hardware". If you read the article it should be quite clear how it functions. Any computer which attempts to connect to the router and request a net connection must be running a Cisco Trust Agent. That Trust Agent only works on a Trusted Computing compliant computer. If you don't have a Trusted Computer then you are denied access to the net. The Trust Agent then scans the operating system and software running on your computer and reports it to the router. If you are not running an approved operating system and running selected MANDATORY software then you are denied access to the net. The advertised purpose is to ensure that you have all of the latest operating system patches and that you are running an approved (mandatory) firewall and/or virus scanner. Of course it can be arbitrarily configured to make absolutely any kind of software mandatory, but the firewall and virus scanner are the ones they hype. And that's where the silly Slashdot title about "Blocking viruses at the router" came from.
It doesn't block viruses at the router, the router BANS computers that are not Trusted Compliant and it CAN be configured to enfor
Re: (Score:3, Informative)
Re:Kind of like (Score:2)
Ok, and you can presumably confirm that it is in fact based on the Trusted Computing Group's Trust specification?
there is plenty of info out there on what NAC is.
There's plenty of information about it, but I spent a couple of hours poring over Cisco's website and reading any PDFs/files I could find on the subject and Googling the internet for details. Assuming you do in fact directly confirm this is Trusted Computing based, I'd like to see you produce a public link documenting that fac
Re:Kind of like (Score:2)
Re:Kind of like (Score:2)
Re:Kind of like (Score:2)
Re:Kind of like (Score:2)
It was buried in the middle of my original post:
this source [zdnet.com] has just enough details in one place to pin it down. The title is "Cisco, others plan to ban insecure PCs". The last few paragraphs state that it requires "new hardware" and states that it will "spur sales of PCs and devices that use trusted-computing hardware".
If it requires hardware and it will spur the sales of Trusted Computing hardware the
Re:Kind of like (Score:2)
In its current version, NAC does NOT require trusted computers.
The so-called "trusted" functionalities are implemented by software only and things such as library wrapping. It is not 100% safe, although the marketing docs pretend it is. Indeed, you can go back to old security advisories to find problems. If you want, you can look at competing products like McAfee Entercept.
At then end, th
Re:Kind of like (Score:2)
Cisco Systems and Broadcom are already developing switches that will use the TPM for authentication and more [networkmagazine.com]
recent move by members of the Trusted Computing Group to create an open standards NAC alternative [cbronline.com]
and While Cisco presents NAC as an industry-standard approach, at this point, it's a Cisco approach, which apparently Cisco is hoping will become a de facto standard. Elsewhere, there's the Trusted Network Connect standard that's being put tog [eweek.com]
Re:Kind of like (Score:2)
if they did change t
Cell "doubtless Trusted Computing"? Don't think so (Score:2)
I guess IBM will be crippling linux rather than protecting Sony's profits on the PS3? Hmm, no. Take off your tinfoil hat and realize that anything designed to take away our freedoms is at least slightly more insidious than giving Microsoft and Apple and Sun monopolies on the OS market.
Re:Cell "doubtless Trusted Computing"? Don't think (Score:2)
I don't think it's completed yet, but there will be a Trusted Linux available soon. It will almost definitely be available before Longhorn is out.
Oh, and in case it wasn't clear, Trusted Computing processors will run existing Linux and all existing software just fine. However normal Linux and software will not be able to read Trusted files. Also you will increasingly run into software and servers that will refuse to talk to normal Linux or unTrusted applications. In a
Treacherous Computing doesn't stop Linux entirely (Score:2)
TC is evil, but it's more subtle than a hardware lock that prevents you from running Linux on the platform.
Can we say "flop"? (Score:2)
A) A large percentage (growing all the time) of people connect to the Internet via their own little NAT boxes. Killing everyone's NAT boxes will not fly well.
B) What about all the non-Windows boxes hooked to the network? And I'm not talking about Macs, I'm talking about all the little doo-hickeys that get hooked to the net like my printer, people's TiVos, etc.
These kinds of big bang schemes are often dreamed up by marketing
Re:Can we say "flop"? (Score:2)
A) A large percentage (growing all the time) of people connect to the Internet via their own little NAT boxes.
I don't think the NAT matters. It's the data you are passing through that NAT that matters. It's the PC creating those packets that matters. Those packets are encrypted and signed. It is impossible for you or your NAT to alter the contents of those encrypted packets except to block/destroy them. The ISP would only accept an authenticated packet that origina
Re:Can we say "flop"? (Score:3, Informative)
B) What about all the non-Windows boxes hooked to the network? And I'm not talking about Macs, I'm talking about all the little doo-hickeys that get hooked to the net like my printer, people's TiVos, etc.
Well, there's no reason your OLD printer and stuff can't still work on an internal network. They just wouldn't be able to talk to the outside internet.
As for new stuff, there's a big push to start dumping Trust chips into pretty muc
Re:Kind of like (Score:2)
When the next desktop OS comes out, they won't upgrade again until at least 2008, although 2010 is certainly a possibility.
As I said, things only really get started when Longhorn comes out. From there it phases in over several years. Assuming Longhorn actually comes out in 2006, and as I said figure four years for a su
Re:Kind of like (Score:3, Insightful)
Nothing. But what's going to be ON this new network? None of the existing internet websites and services. Just a handful of people. And anyway, none of the new software will run on a non-Trusted machine, the new media files won't work on a non-Trusted machine, Trusted e-mail won't be readable on a non-Trusted machine, you won't be able to send e-mail to the Trusted public network.
And even if you did start to
Re:Kind of like (Score:2)
Not a dirty word. This is a rather obscure and technical subject. On top of that the people behind it are actively concealing information and pushing disinformation.
one could install their favorite packet sniffer and [] watch the traffic
The packets are encrypted. The encryption key is locked inside the Trust chip and you are forbidden to see it. The only way to get at your keys is to physically rip open a tamper-resistant self-destructing chip and try to read it out with an extremely powerful
Re:Kind of like (Score:3, Insightful)
There are some very common misunderstandings about Trusted Computing. One is that you are better off with a normal non-Trusted computer. You are not. That's why Trusted Computing is so insidious. Buying a computer without a Trust chip is like buying a computer without speakers. There's no reason NOT to take the computer with speakers; you can just leave them off and pretend they aren't there.
A Trusted computer can do anything and everything
Or (Score:5, Insightful)
The other way around : networking is the product (Score:3, Insightful)
You don't 'sell' security : security for security is useless. Networking is something you sell and it needs security.
competition - not a bad thing (Score:5, Insightful)
Which means competition and is therefore good for the user.
Apart from that, another company concerned about security is no bad thing.
Re:competition - not a bad thing (Score:2)
Which means competition and is therefore good for the user.
I don't consider Symantec a security company. They make software add-ons that plug holes in another company's product(s).
Using Symantec's software to increase security is like adding bouncers to a pub that not only sells beer but hands out free baseball bats and crack cocaine while leaving everything on the bar because it's easier that way.
Cisco has hardware (Score:5, Insightful)
This is going to be their major advantage when it comes to security, even down to the linksys brand for home users.
Good, proactive hardware provides real security. Bloaty, reactive software (Norton AV) goes down with the sinking ship (an exploding windows box).
Software, and security software has its purpose and can have value, but Cisco's advantage doesn't lie there.
~Rebecca
Re:Cisco has hardware (Score:3, Interesting)
Cisco/linksys stuff out of the box is insecure by default, which is not good.
Have you ever tried any Cisco software (not IOS), like their VPN clients etc.?
From my experience, those are the worst crap I've seen since mobile data suites.
It's easy to compare a hardware firewall to some software like Norton AV. The software runs on your workstation instead of on a separate box and CPU. It's clear it'll eat resources when processing incoming/outgoing traffic.
But why compare them in first plac
Re:Cisco has hardware (Score:2, Insightful)
Whether I have or not, I didn't say anything about Cisco's software. I'd be willing to bet that "crappy" or not; it does more stuff better than Norton.
The software runs on your workstation instead of on a separate box and CPU. It's clear it'll eat resources when processing incoming/outgoing traffic.
This is true, but not the reason I cited as Cisco's hardware advantage.
But why compare them in first place?
Because the orig
Re:Cisco has hardware (Score:2)
They have real hardware firewalls as well, see Gateway Security 400 or 5400.
Cisco hardware isn't secure by default.
They have a minimal configuration which will make it run (this is a good thing from the view of a network engineer, since the device will be configured when placed in its place), but it'll be open to the world with the default password until changed.
Same thing with Linksys, but at least they include ip filter
Cisco has exploits like Microsoft. (Score:3, Interesting)
Security is good though... (Score:3, Interesting)
Anyway, as I'm trying to make out, the more competition in the security market, the more security has to evolve. This can only be a good thing, I feel.
Re:Security is good though... (Score:2)
This can only be a good thing
Even if "security" is redefined to mean securing the computer against its owner? This is all about Trusted Computing.
-
Re:Security is good though... (Score:2)
Really? Please explain to me when your kitchen table needs to be protected against you? Please explain to me when your computer needs to be protected against you? Please tell me when your home needs to be protected against you? Please explain to me when your left foot needs to be protected against you?
You do understand property rights, don't you?
It is impossible for anything someone does to themselves (or to their own property) to be an "attack". My b
SSH (Score:5, Interesting)
And it took them how long to get SSH into the IOS? Give me a break. They are going to have to move at a lot faster pace if they want to be a security company.
Re:SSH (Score:2)
They are going to have to move at a lot faster pace if they want to be a security company.
No kidding. I just got finished with a 4-month battle with Cisco to fix a bug that disabled access control lists in my core switch.
If that's how long it takes a security bug to get fixed, I don't want to know how long it takes features to get implemented...
They may have been being reasonable (Score:2)
General design philosophy is that "core" anything shouldn't have ACLs, as they inhibit performance.
ACLs on a core device are usually a sign that a non-optimal design is being used. Push the ACLs towards the edge if you can, so traffic is dropped as early as possible. It also distributes the ACL processing load across many more devices, by distributing subsets of the network ACL set to those devices, rather than concentrating the network ACL set on a more central device.
Cisco Announcement (Score:3, Insightful)
Re:Cisco Announcement (Score:2)
Re:Cisco Announcement (Score:2)
I'm pretty sure it authenticates the packets themselves, as crafted by the source. It doesn't matter whether your NAT is Trusted so long as your desktop is Trusted. Your desktop encrypts and signs the packets. Your NAT cannot read or alter the packets, at least not without destroying them. You cannot "tamper" with your own packets, they are encrypted and your Trusted computer secures them against you. You are forbidden to kn
Re:Cisco Announcement (Score:2)
IPV6
Yes, an IPV6 deployment would be a very effective avenue for rolling in deployment of mandatory Trust compliance. Anyone moving to IPV6 is going to face a major software change anyway, and quite likely a hardware upgrade in the process. It makes a perfect fit for replacing the entire network infrastructure. Everything from NATs
Re:Cisco Announcement (Score:2)
While companies should keep their support contracts current, the fact is that this is not being acknowledged by cisco in any of the discussions I have had with them.
So, if you are thinking about this as an option - remember that service is typically in the range of ~20% of the equipment cost annually - a
security? (Score:3, Insightful)
Re:security? (Score:3, Insightful)
Security? (Score:3, Interesting)
Re:Security? (Score:2)
Re:Security? (Score:2)
Given the recent theft of the IOS source code, I certainly hope they get their shit together first.
Genuine security built into IOS would mean that public release of the source code would have almost no impact.
But you are correct that it shows slipshod corporate practices if a release occurred when it wasn't supposed to.
They have said this for awhile BUT..... (Score:5, Insightful)
Then there are other little things, like the limited authentication options unless you spend bookoo bucks...or the very limited logging/audit functions...or the way PIX assumes all 'outgoing' connections are valid (the very concept of 'outgoing' is a SOHO concept and not an enterprise firewalling concept)...ugh...don't get me started on the pix....
The more you look at Cisco products hands-on, it just highlights what Cisco does: make networking products.
Granted, they make networking products *very* well and I wouldn't hesitate to recommend them over anyone else. But I and just about every security pro I know see them as networking devices with security kind of bolted on...NOT security devices. It's more like some IOS networking programmers tried to figure out what security folks need instead of researching what's actually going on out there or getting some real world infosec experience.
If they are becoming a security company, great. But they've said this for awhile now and it hasn't changed the fact that the focus is networking networking networking.
Re:They have said this for awhile BUT..... (Score:3, Informative)
That said, there is a significant amount of work left on PIX usability. It is not an easy box to configure, and given the price point of 501E and 506E boxes we've seen customers buy them without realizing what they are getting themselves into as far as configuring the box to do something as simple as what a typical Linksys firewall does out of the box.
For example, PAT is supported, but not
Re:They have said this for awhile BUT..... (Score:2)
Um, all Cisco routers come with SSH. If you don't know how to enable it, fault lies with you, not Cisco.
Re:They have said this for awhile BUT..... (Score:2)
Weren't those crypto export regulations eased up years ago?
No... no combination of those things offers anywhere near the level of security SSH provides.
Looky here. (Score:2, Interesting)
Re:Looky here. (Score:2)
Good news? (Score:2, Interesting)
Capitalism supporting communism (Score:2)
I'd be pretty sure that the only reason they built the "Great Firewall of China" is because they could sell a lot of kit to do it, as well as establish a relationship and presence in China to sell a lot more kit in the future. If they didn't, probably one of their competitors would have.
Who demands Cisco continue to be a profitable company ? Who demands Cisco continue to provide ever increasing share value, on a trajectory similar to the past ? Who demands that Cisco never accept letting their competitor
Re:Good news? (Score:2, Insightful)
Of course it would. Cisco is a corporation, not a human being. It has no soul and should not be expected to have one. A successful corporation works for shareholder profits and nothing more. If China wants a firewall, Cisco will sell one at the right
Re:Good news? (Score:2)
China is one of the biggest emerging markets in history. Besides, more global interdependency means a major global economic meltdown would be the prelude of another world war. At least we'll know when to start stocking up on canned goods before the shit hits the fan.
Ads (Score:3, Funny)
A 'judgemental' network? (Score:4, Insightful)
There is also the issue of whether any security, except your own, can be trusted. Will Cisco guarantee the absence of backdoors or 'approved' (not by the user) surveillance?
Then there is the issue of who makes the call on what 'security' is. There's a fair chance the average geek, sys admin, government and music trade rep will all have different ideas of what security is. Who's version gets implemented by Cisco and friends? Better that each one gets to do their own security.
Hosts shouldn't trust the network; Network .. (Score:4, Interesting)
shouldn't trust the hosts.
In "Routing in the Internet", Christian Huitema, when describing the Internet architecture, describes why hosts shouldn't trust the network to perform reliable delivery. Hosts have more of an interest in reliable communication than the network as ultimately they will suffer the most if the network isn't as reliable as it says it is; therefore hosts should take the primary interest in ensuring the network delivers data reliably. That leads to absolute reliability mechanisms in the network being redundant, as the hosts will implement them anyway. This is why TCP is an end-to-end protocol, why the IP header checksum only covers the IP header, and why the network layer in the Internet is only "best-effort".
In a later chapter, regarding QoS, he makes the point that the network shouldn't trust the hosts. The network should provide generally equal service to all its "customers" - the hosts that are attached to the edge of the network. Therefore, if one host is misbehaving, the network should penalise it. That is what the default queuing algorithm (Random Early Detection) for the Internet does. Some details are in Recommendations on Queue Management and Congestion Avoidance in the Internet [faqs.org].
The same model applies to security. Security should be end-to-end when the host has the most interest in the consequences of lack of security. Hosts shouldn't trust the network to deliver data securely, as the consequences of secure delivery are most felt by the hosts (and therefore the users sitting behind them).
The network's security needs aren't quite the same as the hosts'; the main thing the network has to secure is availability and the ability to continue to provide equal service to all its customers (the hosts). Authentication in routing protocols, secure administration tools such as SNMPv3 and SSH, and traffic rate limiting mechanisms like RED are network security mechanisms that protect the network's service.
Security problems come about when attempts are made to implement host security in the network, and network security in the hosts. For example, a firewall's purpose is really to protect the hosts. The current location for most firewalls is inside the network. Unfortunately that doesn't fully extend the host protection a firewall provides up to the host itself. With the current model, it is easy enough to "unprotect" the host by inserting a device, for example a wireless access point, between the firewall and the host. The firewall may still protect the host from Internet based attackers, however it doesn't protect the host from war drivers. Ideally, a firewall should reside on the host itself, to protect the host from attacks from all (network) directions. Interestingly, that is happening already through evolution - most host OSes are coming with firewalls out of the box. Administration of firewall security policy is a problem with this model, due to the increased number of firewalls to now administer, however, mechanisms are being developed to apply distributed security policy. Distributed Firewalls [columbia.edu] by Steven M. Bellovin [columbia.edu] describes this model further.
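The post above credits Random Early Detection with penalising a misbehaving host without trusting it. The block below is an added example, not code from the post, from Huitema's book or from the RFC it links: it implements RED as described by Floyd and Jacobson (an exponentially weighted average of the queue length, a drop probability that rises linearly between `min_th` and `max_th`, and the count-based adjustment that spreads drops out instead of clustering them) and runs a constructed simulation in which a polite source and an aggressive source share one queue. Every parameter value, the two sources and their rates are constructed for illustration.

```python
"""Random Early Detection (RED) over a shared queue: an added example.

The algorithm follows Floyd and Jacobson's RED description; all numbers
below (thresholds, weight, capacity, source rates) are constructed."""
import random
from collections import Counter


class RedQueue:
    def __init__(self, min_th, max_th, max_p, weight, capacity):
        assert 0 < min_th < max_th <= capacity
        self.min_th, self.max_th, self.max_p = min_th, max_th, max_p
        self.weight = weight        # w_q: weight of the newest sample in the EWMA
        self.capacity = capacity    # physical buffer limit; beyond it we tail-drop
        self.avg = 0.0              # smoothed queue length
        self.count = -1             # packets seen since the last RED drop
        self.queue = []             # buffered packets (here: the source name)

    def update_average(self):
        """avg <- (1 - w_q) * avg + w_q * current_length."""
        self.avg = (1.0 - self.weight) * self.avg + self.weight * len(self.queue)
        return self.avg

    def base_probability(self, avg=None):
        """p_b: 0 below min_th, 1 at or above max_th, linear in between."""
        avg = self.avg if avg is None else avg
        if avg < self.min_th:
            return 0.0
        if avg >= self.max_th:
            return 1.0
        return self.max_p * (avg - self.min_th) / (self.max_th - self.min_th)

    def enqueue(self, packet, rng):
        """Return 'accepted', 'red_drop' or 'tail_drop' for one arriving packet."""
        self.update_average()
        p_b = self.base_probability()
        if p_b >= 1.0:                      # average queue above max_th: drop everything
            self.count = 0
            return "red_drop"
        if p_b > 0.0:                       # between the thresholds: drop randomly
            self.count += 1
            # p_a = p_b / (1 - count * p_b) grows with count so drops are evenly spaced
            p_a = min(1.0, p_b / max(1.0 - self.count * p_b, 1e-9))
            if rng.random() < p_a:
                self.count = 0
                return "red_drop"
        else:
            self.count = -1                 # below min_th: no early drops at all
        if len(self.queue) >= self.capacity:
            return "tail_drop"              # buffer physically full
        self.queue.append(packet)
        return "accepted"

    def dequeue(self, n=1):
        """Serve up to n packets from the head of the queue."""
        served = self.queue[:n]
        del self.queue[:n]
        return served


def simulate(ticks=300, seed=1, service_rate=2):
    """Constructed scenario: a 'polite' source sends 1 packet per tick, an
    'aggressive' one sends 4, and the link drains 2 per tick.  Returns the
    per-source outcome counts and the largest queue length observed."""
    rng = random.Random(seed)
    q = RedQueue(min_th=5, max_th=15, max_p=0.1, weight=0.2, capacity=20)
    outcomes = {"polite": Counter(), "aggressive": Counter()}
    max_queue = 0
    for _ in range(ticks):
        for src, burst in (("polite", 1), ("aggressive", 4)):
            for _ in range(burst):
                outcomes[src][q.enqueue(src, rng)] += 1
                max_queue = max(max_queue, len(q.queue))
        q.dequeue(service_rate)
    outcomes["max_queue"] = max_queue
    return outcomes


if __name__ == "__main__":
    result = simulate()
    for src in ("polite", "aggressive"):
        print(src, dict(result[src]))
    print("largest queue length seen:", result["max_queue"])
```

Because every packet faces the same drop probability regardless of who sent it, the source that sends four times as much absorbs roughly four times as many drops, which is the "penalise the misbehaving host" property the post describes; the network needs no per-host state or any cooperation from the host to achieve it.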
Slight edit. (Score:2)
I wrote
Hosts shouldn't trust the network to deliver data securely, as the consequences of secure delivery are most felt by the hosts (and therefore the users sitting behind them).
which really should be
Hosts shouldn't trust the network to deliver data securely, as the consequences of insecure delivery are most felt by the hosts (and therefore the users sitting behind them).
NAP is sick... (Score:4, Insightful)
An agent (CSA) runs on all endpoints and checks them for AV, firewall, OS patches, etc. If it's clean, the switch or router lets them through to the main network. If not, you get VLAN'd off to a remediation network, and once you are done there you are allowed on.
The trick here is that no one is in better position to do such a thing than the company that owns most of the network infrastructure.
Don't dismiss them as a security company; we've only seen the beginning.
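To make the flow in the post above concrete, here is an added example (not Cisco's NAC or CSA code, and not tied to any real agent's report format): a posture evaluator that reads one JSON report per host, checks it against an admission policy and returns the VLAN the host should be placed on. The report fields, the policy thresholds, the patch identifiers and the VLAN numbers are all constructed; a missing or malformed field is treated as non-compliant so that the decision fails closed.

```python
"""Posture-based admission decision: an added example, not a vendor's code.

Each line of input is one self-reported posture report from a host agent
(JSON, constructed format).  The evaluator never trusts absent data: anything
it cannot read counts against the host."""
import json

PRODUCTION_VLAN = 100      # constructed VLAN ids
REMEDIATION_VLAN = 999

POLICY = {
    "max_signature_age_days": 7,
    "firewall_required": True,
    # placeholder patch identifiers, not real vendor KB numbers
    "required_patches": {"PATCH-EXAMPLE-1", "PATCH-EXAMPLE-2"},
}


def evaluate_posture(report, policy=POLICY):
    """Return (vlan, reasons).  An empty reasons list means the host passed."""
    reasons = []

    try:
        av_age = int(report["av_signature_age_days"])
    except (KeyError, TypeError, ValueError):
        reasons.append("AV signature age missing or invalid")
    else:
        if av_age > policy["max_signature_age_days"]:
            reasons.append(f"AV signatures are {av_age} days old")

    # Only an explicit boolean true counts; "yes", 1 or a missing key do not.
    if policy["firewall_required"] and report.get("firewall_enabled") is not True:
        reasons.append("host firewall not reported as enabled")

    installed = report.get("installed_patches")
    if not isinstance(installed, list):
        reasons.append("patch inventory missing")
    else:
        missing = policy["required_patches"] - set(map(str, installed))
        if missing:
            reasons.append("missing patches: " + ", ".join(sorted(missing)))

    vlan = PRODUCTION_VLAN if not reasons else REMEDIATION_VLAN
    return vlan, reasons


def admit_all(report_text):
    """Decide every host in a newline-delimited JSON batch; unparseable lines
    are quarantined too, keyed by their line number."""
    decisions = {}
    for lineno, line in enumerate(report_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            report = json.loads(line)
        except json.JSONDecodeError:
            decisions[f"line-{lineno}"] = (REMEDIATION_VLAN, ["report not parseable"])
            continue
        if not isinstance(report, dict):
            decisions[f"line-{lineno}"] = (REMEDIATION_VLAN, ["report is not an object"])
            continue
        host = str(report.get("host", f"line-{lineno}"))
        decisions[host] = evaluate_posture(report)
    return decisions


# Constructed sample batch: one clean host, one with stale AV, one that omits
# the firewall field and lacks a patch, and one line that is not JSON at all.
SAMPLE_REPORTS = """\
{"host": "ws-01", "av_signature_age_days": 1, "firewall_enabled": true, "installed_patches": ["PATCH-EXAMPLE-1", "PATCH-EXAMPLE-2"]}
{"host": "ws-02", "av_signature_age_days": 30, "firewall_enabled": true, "installed_patches": ["PATCH-EXAMPLE-1", "PATCH-EXAMPLE-2"]}
{"host": "ws-03", "av_signature_age_days": 2, "installed_patches": ["PATCH-EXAMPLE-1"]}
not json at all
"""

if __name__ == "__main__":
    for host, (vlan, reasons) in admit_all(SAMPLE_REPORTS).items():
        print(f"{host}: VLAN {vlan} {reasons or 'compliant'}")
```

Note what the evaluator is and is not deciding: it enforces the policy faithfully, but every input comes from the agent on the host being judged, so the quality of the decision is bounded by how much that self-report can be trusted, which is the limitation raised later in this thread.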
Re:NAP is sick... (Score:4, Interesting)
An agent (CSA) runs on all endpoints and checks them for AV, firewall, OS patches, etc. If it's clean, the switch or router lets them through to the main network. If not, you get VLAN'd off to a remediation network, and once you are done there you are allowed on.
Not to sound like a sales guy, but Bradford Software [bradford-sw.com] has an appliance that's been doing this for over a year. It polls switches for clients, can perform port and VLAN management, and it does remediation scans. Best of all, it interoperates with most managed switching equipment from any vendor.
Also cool is the fact that it doesn't require software on the clients (I couldn't tell from your description if NAP requires this). The appliance scans the client machines with various penetration tools and automatically sends them to a remediation VLAN. Very helpful for rogue clients on the network.
Re:NAP is sick... (Score:2)
I can't say enough good things about what they can do.
Re:NAP is sick... (Score:3, Interesting)
If anything was less than kosher, the same kind of thing would happen as you speak of. You'd be put on a VLAN with access limited to servers with patches and other updates.
My problem with it was that you have to trust the client machine to report its health status correctly, while such information could b
Re:NAP is sick... (Score:2)
Exactly. Sure, it works great but effectively this is security through obscurity. Currently there is little incentive to reverse engineer the NAP / Network Quarantine protocol. The zillions of unpatched Windows boxes are easier targets. But if the pay-off is there (remember the Xbox hack?) it can and will be done. If only by some CS Phd
Re:NAP is sick... (Score:2)
It's interesting that you note this... especially with the parent article's quote about Juniper. Juniper bought Netscreen last year. And for over a year, Netscreen has partnered with Infoexpress to support their CyberGatekeeper product - providing this kind of functionality. In fact, Cisco apparently had some interest in acquiring Netscreen but not the same dedication to the acquisition as J
Re:NAP is sick... (Score:3, Interesting)
Does it support Macs, Linux, and BSD? I would be surprised if it did. Though I guess you don't need AV and such with non-Windows machines, but some sort of visibility into these systems would be nice.
There are very few pieces of end-user software out there that make a legitimate effort to support all platforms. Though actually, Cisco's VPN client does a pretty good job. They have Windows, Mac, and Linux versions.
Carl
Re:NAP is sick... (Score:2, Informative)
NAP is not a security feature, it's a client health feature.
I disagree with this model. (Score:2)
What happens if the CSA is compromised? The network shouldn't trust the host, or any software running on it, to make network protection decisions that the network will blindly follow. This model implies that Cisco believe they can write perfectly secure and perfectly trustworthy software that operates on a perfectly insecure and perfectly untrustworthy OS such as Windows. I'd doubt they actually believe that.
I explain some more about the network security model I believe should be followed in this previou
Re:I disagree with this model. (Score:2)
The alternative today is to do no such access control from a network standpoint. Don't let perfect be the enemy of vastly improved.
Re:I disagree with this model. (Score:2)
I don't disagree with your sentiment.
First up I'll admit that I don't really know much about how the software in question works, so my opinion below is based on speculation.
Thinking a bit more about how this model could be implemented, there are fundamentally two components:
Each of those two components provides an opportunity for attack.
Firstly, as I mentioned before, the software will have bugs in
Re:I disagree with this model. (Score:2)
If you don't have a Trusted compliant machine then Cisco's system denies you a net connection.
-
Re:I disagree with this model. (Score:2)
Re:I disagree with this model. (Score:2)
The one setting up the corporate network and website would choose whether they want to allow non-Trusted connections in. If you want everyone to see your website then just leave it wide open.
However you are going to see an increasing number of websites that are only viewable with a Trusted Computer and using a Trusted browser. The website is then able to use the Trust system to ENFORCE that its ads are displayed. It can prevent you from using a pop-up b
Re:NAP is sick... (Score:2)
on the other hand: can you imagine the draconian enforcement which would lead to roughly 20% (all Mac and Linux users) getting shut off (or forced to upgrade "business" grade service)?
I'd be very angry.
About time too! Hardware security (Score:3, Insightful)
The only good system security comes in part from sitting behind a hardware firewall router - something Cisco, with its subsidiary Linksys, is in a position to sell
Re:About time too! Hardware security (Score:3, Insightful)
hardware firewall router
And what do you think runs on this hardware? Right, IOS or a similar OS. Now go scan for IOS vulnerabilities and enjoy! There's no such thing as "hardware security."
Yes there is (Score:3, Funny)
Re:Yes there is (Score:2)
That ain't no "backhoe" (Score:2)
Hmm (Score:2)
Private Policemen (Score:2, Funny)
4/5ths of our problems are from the inside (Score:3, Insightful)
The will have to improve their products then... (Score:3, Insightful)
Their IDS is less sensitive than Snort [snort.org] and its VMS manager software is slow, hideously bloated and buggy.
For several years, Cisco have been promoting an insecure combination of IPSEC shared-secret with xauth. Despite being documented as dangerous [cisco.com] on their own website, it was still the taught and recommended way of configuring "convenient" secure remote access VPNs. Only in the last six months have they fixed this.
Their NAC/self-deluding-network initiative is broken as proposed. All enforcement is performed in the wrong place: routers off at the edge of the network. Right now, there is no way to deploy NAC on a switch or even an MSFC.
Cisco need to stop their marketing droids from directing their product development and get back to competing on technology.
Where comes the Sun? (Score:2)
Comment removed (Score:3, Informative)
Cisco websites already updated (Score:2)
For example, this Cisco Clean Access is the re-badged and Cisco-integrated Perfigo CleanMachines [perfigo.com].
Re:Cisco websites already updated (Score:2)
Re:The [job] security company? (Score:2, Funny)
Re:Heh (Score:2, Funny)
Re:Heh (Score:2)
Re:The Year 2000 wants it's headline back. (Score:3, Funny)
Re:It would make sense (Score:2)
The trick is keeping the signatures up to date. I'm not sure I want my firewall auto updating.