With companies opening up their networks to business partners, road warriors and telecommuters, security today requires an approach that involves nearly every network element, according to executives at Cisco Systems Inc.
Putting up a wall on the company’s perimeter doesn’t work anymore, said Richard Palmer, Cisco’s vice president and general manager for VPN & Security Services in a news briefing at the company’s San Jose, Calif., headquarters. “The perimeter is rapidly disappearing. You can’t find a perimeter anymore,” he quipped.
“Almost every element in the network (including clients and servers) is either helping or hurting,” he added.
A key factor in making networks secure is making sure elements such as switches and routers work in concert with security-specific tools, he said. For example, virtual LANs, which typically are created on network switches, can be a valuable tool for segregating Web servers that might otherwise infect each other if one falls victim to an attack like the Code Red virus. The switching, routing and intrusion detection systems all have to work together, he said.
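As an added illustration of the segmentation Palmer describes (this is a constructed example, not a configuration from Cisco or from the briefing), the Cisco IOS fragment below places two web servers in separate VLANs on a Layer 3 switch and uses an extended access list at the routed VLAN boundary so that a compromised host in one VLAN cannot reach the other. The VLAN numbers, addresses, interface names and ACL name are assumptions; a VLAN on its own only separates broadcast domains, so the access list at the routed interface is what actually stops lateral traffic once the switch routes between the VLANs.

```cisco
! Constructed example: two web-server VLANs on a Layer 3 switch.
! VLAN 10 holds the public web tier, VLAN 20 an internal web tier.
vlan 10
 name WEB-PUBLIC
vlan 20
 name WEB-INTERNAL
!
! Access ports: each server lands in its own VLAN.
interface GigabitEthernet0/1
 description web-server-1 (public tier)
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/2
 description web-server-2 (internal tier)
 switchport mode access
 switchport access vlan 20
!
! Routed interfaces (SVIs). The ACL is applied inbound on the public
! VLAN, the direction a worm would spread from a compromised server.
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip access-group WEB-PUBLIC-IN in
!
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
!
! Block any traffic from the public web VLAN into the internal web VLAN,
! then allow the public tier to reach everything else it legitimately needs.
ip access-list extended WEB-PUBLIC-IN
 remark Deny lateral movement from public web servers into the internal tier
 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
```

The deny line is what contains an infection of the kind the article mentions: a server in VLAN 10 that starts scanning for other web servers cannot reach the 10.10.20.0/24 tier, and the denied packets can be logged (by appending `log` to the deny entry) so an intrusion detection system or syslog collector sees the scanning attempt, which is the switch, router and IDS working together in the way Palmer describes.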
Moving to help its customers manage their security architectures and help those systems keep up with traffic, Cisco early this year announced new software for its Pix Firewall platform and the availability of new hardware models to join that line.
The introductions come as Cisco labours to expand its popular security and intrusion-detection tools to deal with growing traffic and new ways of using data networks. As part of the software upgrade, the dominant router and data-switch vendor also introduced software features for securing IP phone calls and multicast traffic.
“While we’re trying to secure the network, the network’s getting more diverse all the time,” said Mike Volpi, senior vice president of Cisco’s Internet Switching & Services Group.
In addition to supplying the routers and switches used in many enterprise networks worldwide, Cisco offers several popular tools to keep those networks secure.
Version 6.2 of the Pix Firewall Operating System will allow firewalls at remote sites to serve as endpoints of a VPN and automatically download new configurations and policies as VPN tunnels are established, said Palmer. This will make it easier for large enterprises to deploy thousands of firewalls across an organization, he said.
The software upgrade also adds features to help the firewalls secure voice traffic that uses the H.323v2 protocols and Session Initiation Protocol (SIP). In addition, support for a function called Stub Multicast Routing will allow customers to securely use multicasting, a bandwidth-conserving way of sending one stream of data to many places, according to Cisco.
The introductions are aimed in directions that analysts said are important for security vendors.
Cisco rival Check Point Software Technologies Ltd.’s biggest advantage is the way it lets administrators set up policies for a whole network and then apply those on a series of firewalls across the organization, said Richard Stiennon, a Gartner Inc. analyst based in Detroit. Cisco’s management software has required administrators to set up policies on each firewall individually.
Cisco’s Palmer said the policy-downloading feature of the new Pix software addresses that need.
Competitors such as NetScreen Technologies Inc. and SonicWall Inc. are gaining on Cisco with firewall appliances that can apply a company’s security rules on a purpose-built chip instead of having to call on slower general-purpose central processors, said Charles Kolodgy, an analyst at IDC, in Framingham, Massachusetts.
Cisco is looking to increase performance by various other hardware methods, Palmer and Volpi said. ASICs (application-specific integrated circuits) still are “overkill” for firewalls because the interfaces at the edges of most enterprise networks still are smaller than 10Gbps (bits per second), Palmer said. Network processors, which can be reprogrammed to deal with new security threats, are a more attractive option, he said.
Demand is growing faster for security products than in most other areas of Cisco’s business, according to Volpi.