Network management Toolkit

Cisco slammed despite upgrades

Marguerite Reardon CNET News

Published: 10 Mar 2004 10:30 GMT

Cisco Systems announced several new upgrades on Tuesday in an effort to beef up its security portfolio, but some analysts said the company still lacks a key technology that would help keep malicious code from even entering networks.

As worms and viruses such as SoBig, MSBlast (also known as Blaster) and MyDoom continue to propagate through millions of networks throughout the world, the need for technology to keep those elements off networks has increasingly become important. According to Richard Stiennon, a security analyst with Gartner, more than 30 per cent of traffic on some network backbones is a combination of spam, viruses and worms.

"There's a lot of capacity on these networks that is being wasted on carrying viruses and worms," Stiennon said. "Networking vendors need to do more filtering to keep these threats off the network. Cisco is way behind in doing that. I think they are missing an inflection point."

In Tuesday's announcement, Cisco introduced two new hardware products: the Cisco 7301 Router and the Cisco VPN 3020 Concentrator. These products fit into existing product portfolios. The company also announced new management capabilities and several enhancements to its IOS software.

A new element in the updated IOS is improved protection against denial-of-service attacks, which flood networks with millions of packets causing routers and servers to freeze under the pressure. It also added support for Internet Protocol version 6 (IPv6) for its firewall applications, and it added a feature that enables users to partition security in certain segments of their network. Check Point Security announced similar functionality in January of this year.

Addressing network threats
Cisco said its new products and enhancements are part of its overall strategy to extend security end to end. The new features will help networks identify threats, react appropriately based on risk level, isolate infected endpoints and reconfigure network resources in response to an attack, according to the company.

But Stiennon said these new products do little to help Cisco address the larger problem of preventing security threats from getting on networks in the first place.

"Ninety per cent of this announcement is public relations," he said. "And the other 10 per cent is legitimately filling in the features and enhancing management capability. Some of this is good stuff, but there is no mention of a device that can recognise worms and drop them from the network."

Cisco has begun heading in this direction. In early 2003, it acquired Okena, a small maker of intrusion prevention software for desktops, in a deal valued at $154m (£84.5m).

Okena's software agent sits on a user's PC and identifies malicious code in communications between network software systems. When it detects a virus or worm, it denies access to the PC. While this software agent protects the desktop itself, it does nothing to prevent worms and viruses from entering the corporate network. But Jeff Platon, a marketing executive at Cisco, argued that when the software agent is widely deployed, it cuts back the amount of viruses and worms traversing a network.

In November 2003, Cisco also announced that it was working with several antivirus vendors, including Network Associates, Symantec and Trend Micro, to introduce a solution that would check to make sure that a device wasn't infected with a virus before allowing it to connect to a network. Last month, it extended the relationship to include IBM.

"It's not like we haven't done anything in this area," Platon said. "We've been highlighting prevention in several recent announcements."

Detecting intrusions
Platon said the company is also working to extend its intrusion detection technology, which is already shipping as an appliance and as a blade for the Catalyst 6500. This product passively identifies suspicious traffic and alerts network administrators. Platon said the company is working on a product that sits in line with the traffic, looking at the content of the packets. If it sees something fishy, it would drop those packets.

But Platon said Cisco is taking its time in developing this product. Many intrusion prevention solutions have suffered from a high rate of false positives, causing some nonthreatening traffic to be dropped. Cisco is using technology it bought at the end of 2002 from a start-up called Psionic Technologies to help reduce these false alarms.

"Taking technology from an acquisition and deeply integrating it at a true system level with a high degree of reliability is not something that can be done in a couple of months," Platon said. "It takes more time to make sure that we won't disrupt business processes."

Meanwhile, Cisco will be facing stiff competition from its rival, Juniper Networks. Through its recently announced acquisition of NetScreen Technologies, Juniper will have a strong security portfolio that will include a firewall, virtual private networking products and an intrusion prevention product. NetScreen's intrusion prevention technology comes from the 2002 acquisition of a start-up called OneSecure.

"Juniper has already proven that it can make Cisco work hard to defend its turf in the service provider market," said Joel Conover, an analyst at Current Analysis. "They have strong security products through the NetScreen acquisition, and they are building some momentum."