Cisco takes aim at Web services security

Web services are a key concern for Cisco Systems Inc. as the company plans initiatives over the next year to integrate security more deeply into network infrastructures, executives said May 8 in a question-and-answer session that followed a keynote address by Cisco President and Chief Executive Officer John Chambers at NetWorld+Interop 2002 in Las Vegas.

The rapid growth of Web services, designed to allow systems in different companies and departments to interact machine-to-machine to deliver business processes automatically, will raise both network congestion and security issues, said Mike Volpi, senior vice-president for Cisco’s Internet Switching and Services Group.

In some cases, those problems could cause tension within organizations, another executive pointed out.

“It’s unclear if these things are really going to be in the best interests of the enterprise,” when security concerns are taken into account, said Bob Gleichauf, chief technology officer of Cisco’s VPN and Security Business Unit. “You have the IT departments in conflict with the people who are running the business and new offerings in companies.”

For example, Web services could utilize HTTP (Hypertext Transfer Protocol) as an envelope and use Port 80, typically used for Web-page traffic, Gleichauf said.

“Clever people are starting to use that not only to send valid traffic but to effectively use it as a conduit for (malicious) misuse…and the firewall isn’t in its current form necessarily well-suited to deal with that,” he said.

What is needed is deep packet inspection, a computation-intensive technique that most network equipment today is not designed to perform, because that equipment is built to make decisions based on certain kinds of packet header information, Gleichauf said.

Greater network intelligence also is needed to provide functions such as load-balancing of Web services traffic, based on XML (Extensible Markup Language), Volpi said.

Enterprises have balked at security by not budgeting it into their networks, Gleichauf said. Cisco aims to make it an integral part of a company’s IT services, he said.

If companies are to realize productivity gains from IT, chief information officers need to embrace technology that benefits the business while also maintaining security, Chambers said.

“They can’t just be the traffic cops or policemen or women, they have to say, ‘How do you do this in parallel?’ ” he said.

More standards development will have to take place before effective systems can be developed for securing networks carrying Web services traffic, according to a Sun Microsystems Inc. executive at the conference.

“XML and SAML (Secure Assertions Markup Language) haven’t settled down yet, and until they do it’ll be difficult to know how the Web services content can be managed” in relation to networks, said Rama Moorthy, a product manager in Sun’s network security group. Other standards also need more work, added Sanjay Sharma, market development manager for electronic commerce at Sun.

Sun might use deep packet inspection in some of its security platforms, the executives said, though they did not discuss any specific plans.

How Web traffic can be inspected and treated within an enterprise network may depend partly on encryption strategies, Sharma said. Deep packet inspection can’t be done on encrypted packets, so if encrypted Internet traffic is decrypted at the Web server, the enterprise may not be able to do things such as load-balancing the traffic. However, a proxy system at the edge of the network might use deep packet inspection for additional functions, he said.

Sun’s booth on the N+I show floor is focused on the Sun ONE (Open Network Environment) Platform for Network Identity, designed to help companies integrate user identity information that may now be spread across several departments. That identity system later can be integrated with the Sun-led Liberty Alliance’s specification for distributed identity management across different Web sites and services. Sun has said that specification should be completed around the middle of this year.

Sun earlier this year announced an integrated network security system called iForce that includes a combination of firewall, antivirus, intrusion detection, and data integrity software from third parties.