Cisco boosts its security offerings

Moving to help its customers manage their security architectures and help those systems keep up with traffic, Cisco Systems Inc. on Feb. 13 announced new software for its Pix Firewall platform and the availability of new hardware models to join that line.

The introductions come as Cisco labours to expand its popular security and intrusion-detection tools to deal with growing traffic and new ways of using data networks. As part of the software upgrade, the dominant router and data-switch vendor also introduced software features for securing IP phone calls and multicast traffic.

“While we’re trying to secure the network, the network’s getting more diverse all the time,” said Mike Volpi, senior vice-president of Cisco’s Internet Switching & Services Group, in a news briefing at Cisco’s headquarters.

In addition to supplying the routers and switches used in many enterprise networks worldwide, Cisco offers several popular tools to keep those networks secure. They include the Pix firewalls, a software router integrated with its router software, and an appliance built for VPN (virtual private network) termination. For intrusion detection, Cisco offers a standalone appliance, a hardware module for Cisco Catalyst 6000 switches and a software product.

Version 6.2 of the Pix Firewall Operating System will allow firewalls at remote sites to serve as end points of a VPN and automatically download new configurations and policies as VPN tunnels are established, said Richard Palmer, vice-president and general manager for VPN & Security Services at Cisco. This will make it easier for large enterprises to deploy thousands of firewalls across an organization, he said.

The software upgrade also adds features to help the firewalls secure voice traffic that uses the H.323v2 protocols and Session Initiative Protocol (SIP). In addition, support for a function called Stub Multicast Routing will allow customers to securely use multicasting, a bandwidth-conserving way of sending one stream of data to many places, according to Cisco.

The Pix 506E and 515E firewalls introduced Wednesday are similar to the outgoing Pix 506 remote-office firewall and Pix 515 for small and medium-sized businesses, but with much higher throughput, according to Cisco. Added processing power helped the new models achieve up to two and a half times the maximum data throughput of the previous models, the company said in a statement. Pix 515E models can also be purchased with integrated hardware-based acceleration of VPN functions, boosting VPN speed while offloading work from the firewall’s central processor.

The Pix 506E and 515E Firewalls are available now, priced starting at US$1,695 for the 506E and US$3,495 for the 515E. Version 6.2 of the Pix operating system will be available by the end of this quarter and is free to customers with a current Cisco Smartnet contract.

Both introductions are aimed in directions that analysts said are important for security vendors.

Management software should be the biggest focus for improvement at Cisco, said Richard Stiennon, a Gartner Inc. analyst based in Detroit, earlier this week.

“They absolutely have to improve their interface,” he said.

Cisco rival Check Point Software Technologies Ltd.’s biggest advantage is the way it lets administrators set up policies for a whole network and then apply those on a series of firewalls across the organization, Stiennon said. Cisco’s management software has required them to set up policies on each firewall individually.

Cisco’s Palmer said Wednesday the policy-downloading feature of the new Pix software addresses that need.

Competitors such as NetScreen Technologies Inc. and SonicWall Inc. are gaining on Cisco with firewall appliances that can apply a company’s security rules on a purpose-built chip instead of having to call on slower general-purpose central processors, said Charles Kolodgy, an analyst at IDC, in Framingham, Mass.

“There’s a lot of competition in that market, so the hardest aspect is staying up with everyone else,” Kolodgy said.

In addition to boosting the processing power on the Pix 506E and 515E firewalls, Cisco is looking to increase performance by various other hardware methods, Palmer and Volpi said. ASICs (application-specific integrated processors) still are “overkill” for firewalls because the interfaces at the edges of most enterprise networks still are smaller than 10Gbps, Palmer said. Network processors, which can be reprogrammed to deal with new security threats, are a more attractive option, he said.

Demand is growing faster for security products than in most other areas of Cisco’s business, according to Volpi, and on Wednesday the company touted its expertise in the field.

With companies opening up their networks to business partners, road warriors and telecommuters, security today requires an approach that involves nearly every network element, the executives said. Putting up a wall on the company’s perimeter doesn’t work anymore, according to Palmer.

“The perimeter is rapidly disappearing. You can’t find a perimeter anymore,” Palmer quipped.

“Almost every element in the network (including clients and servers) is either helping or hurting,” he added.

A key factor in making networks secure is making sure elements such as switches and routers work in concert with security-specific tools, he said. For example, virtual LANs, which typically are created on network switches, can be a valuable tool for segregating Web servers that might otherwise infect each other if one falls victim to an attack like the Code Red virus. The switching, routing and intrusion detection systems all have to work together, Palmer said.

Cisco, in San Jose, can be reached at