N+I: Cisco takes aim at Web services security

LAS VEGAS – Web services are a key concern for Cisco Systems Inc. as the company plans initiatives over the next year to integrate security more deeply into network infrastructures, executives said Wednesday at NetWorld+Interop in a question-and-answer session that followed a keynote address by Cisco President and Chief Executive Officer John Chambers.

The rapid growth of Web services, designed to allow systems in different companies and departments to interact machine-to-machine to deliver business processes automatically, will raise both network congestion and security issues, said Mike Volpi, senior vice-president for Cisco’s Internet Switching and Services Group.

In some cases, those problems could cause tension within organizations, another executive pointed out.

“It’s unclear if these things are really going to be in the best interests of the enterprise,” when security concerns are taken into account, said Bob Gleichauf, chief technology officer of Cisco’s VPN and Security Business Unit. “You have the IT departments in conflict with the people who are running the business and new offerings in companies.”

For example, Web services could utilize Hypertext Transfer Protocol (HTTP) as an envelope and use Port 80, typically used for Web-page traffic, Gleichauf said.

“Clever people are starting to use that not only to send valid traffic but to effectively use it as a conduit for (malicious) misuse … and the firewall isn’t in its current form necessarily well-suited to deal with that,” he said.

What is needed is deep packet inspection, a computation-intensive technique that most network equipment today is not designed to perform, because it is built to make decisions based on certain kinds of packet header information, Gleichauf said.

Greater network intelligence also is needed to provide functions such as load-balancing of Web services traffic, based on Extensible Markup Language (XML), Volpi said.

Enterprises have balked at security by not budgeting it into their networks, Gleichauf said. Cisco aims to make it an integral part of a company’s IT services, he said.

If companies are to realize productivity gains from IT, chief information officers need to embrace technology that benefits the business while also maintaining security, Chambers said.

“They can’t just be the traffic cops or policemen or women, they have to say, ‘How do you do this in parallel?’ ” he said.