Cisco Systems Inc. continued its recent security push with several new products designed to better protect Cisco networks and an acquisition geared towards enhancing the company’s SSL-based remote access VPN equipment.
The security enhancements include new features in Cisco IOS, in addition to new hardware.
IOS Software Release 12.3T includes the Cisco IP Source Tracker, a transparent firewall and support for extended SMTP.
The IP Source Tracker is designed to protect networks from Denial of Service (DoS) attacks, said Scott Pope, manager of security platforms in Cisco’s VPN and security business unit.
When companies see a DoS emerging, they can turn on the source tracker of the router nearest to the threatened application server. The source tracker collects stats and traces traffic throughout the network to find out where the DoS traffic is coming from, Pope said. Once IT staff have identified the ingress point of the DoS traffic, they can rate limit the traffic, or shut it down entirely.
“With the IP Source Tracker, people can now do this in five minutes or so, instead of spending an hour or more,” Pope said.
The transparent firewall feature allows the firewall built into IOS to do access control and filtering based on Layer 2, Ethernet, or MAC address information. This allows customers to segment the network into “trust” zones.
“For example, someone coming in by wireless LAN would have more stringent requirements,” Pope said. “You could control the servers they can get to. Instead of having to know the IP addresses for those individual people using the wireless LAN and doing the access control policy that way, you could have any traffic coming in over the MAC address or Ethernet address on the wireless LAN access point have the tighter security policies.”
The IOS firewall now includes support for IPv6, allowing it to inspect both IPv4 and IPv6 traffic. It also supports Extended SMTP, giving customers better packet inspection capabilities on their mail traffic.
Finally, Cisco has built a couple of new safeguards into the latest IOS version. A control plane policing feature protects some of a router’s resources, allowing network managers to access the router even if it’s under a DoS attack.
A role-based command line interface feature lets companies define access based on roles, so the chances of a staff member misconfiguring a security setting are reduced.
On the device side, Cisco introduced the 7301 router, which provides central site aggregation of VPNs from remote locations. The 1U box can handle up to 370Mbps of VPN throughput and costs around US$21,000.
Cisco also unveiled the VPN 3020 Concentrator, targeted at medium-sized enterprises. The 3020 can handle up to 750 concurrent IPSec sessions, or up to 200 SSL sessions. The box lists at just under US$10,000.
Cisco’s acquisition of privately-held Twingo Systems in March for US$5 million also had a security theme. Twingo makes SSL VPN products for desktops. Cisco plans to incorporate Twingo’s Virtual Secure Desktop into Cisco’s WebVPN product, beginning with Cisco’s VPN 3000 Concentrator series.
Twingo’s product appealed to Cisco, because it wipes out sensitive data such as temporary files, history files, caches and cookies at the end of an SSL VPN session.
Cisco, as the pre-eminent supplier of enterprise network equipment, is in a good position to integrate security at the network level, said Jeff Wilson, director of Infonetics Research Inc. in San Jose.
“Cisco really is the only vendor that can take this position, because they not only offer the security products but the network equipment as well,” he said.
But there are caveats. Since Cisco is trying to be a one-stop shop, its technologies may not always measure up to products from more specialized vendors. “A lot of companies that sell stand-alone products would take issue with the quality of the individual (security) components that Cisco has,” Wilson said.
Also, over the long term, Cisco is going to have to address issues such as Web services and application-level security, he added.
— with files from IDG News Service