Where do Cisco's network security plans go from here?
- 21 March, 2013 16:07
For example, the overarching security plan Cisco outlined two years ago known as SecureX remains very much a work in progress. The basic idea behind SecureX is to give customers a broad view of what computer and mobile device users are doing on the network.
The SecureX architecture has been called over-complicated and perhaps too dependent on having a Cisco-based infrastructure, but the basic idea is that by collecting real-time information about the individual's network usage and applications, device make, location and other variables, appropriate security policies can be established for network authorization.
Originally spearheading SecureX was Tom Gillis, a former vice president and general manager for the Cisco technology group who departed in 2011 and is now CEO of startup Bracket Computing. But Cisco says the importance of the SecureX initiative remains the same.
Support for SecureX has come first in the Cisco ASA CX Context-Aware Security Next-Generation Firewall. Dave Frampton, vice president of security at Cisco, says it's now on to "the next phase of SecureX," which will be the "routing and switching infrastructure," though he offers no specific time frame for completion.
Frampton emphasizes that "SecureX conveys our entire approach to security." He says about 3,000 Cisco customers have adopted SecureX security components, which include the older Cisco Identity Services Engine and TrustSec tagging methodology. He says tens of thousands more are indicating a high level of interest in SecureX.
Beyond SecureX, Cisco faces other challenges from analysts and enterprise IT security managers alike.
Gartner -- the consultancy whose thumbs-up or thumbs-down opinions on information technology are often a strong influence on enterprise managers and vendors -- has been critical of Cisco, especially in terms of its firewalls. For example, Gartner says that so-called next-generation firewalls (NGFW), which are application-aware rather than simply port-based, are the direction firewalls should be going. Gartner lavishes praise on Cisco's competitors, placing Palo Alto Networks (for its NGFW) and Check Point Software Technologies (for its array of firewalls and their management in complex environments) in its firewall "leaders" category, while its report calls Cisco merely a "challenger."
While giving Cisco kudos for having a good support network and reputation analysis capabilities for its firewall customers, Gartner indicates that Cisco at this time does not seem to be displacing Palo Alto or Check Point on "vision or feature" and Cisco "does not effectively compete in the NGFW field that is visible to Gartner."
According to Cisco spokesman David Oro, "Cisco customers would say differently." He notes that the Cisco ASA CX firewall only shipped last July, and it would only be fair to give it time in the market. He says Cisco considers Gartner's research in this case "outdated," perhaps because it takes considerable time to put together this kind of lengthy Gartner report.
But Gartner says it sees Cisco winning most procurements through sales/channel execution or "aggressive discounting for large Cisco networks where firewall features are not highly weighted evaluation criteria (that is, as part of a solution sell in which security is one component)."
Gartner also notes that its clients often find Cisco's security strategy, nomenclature and product descriptions "confusing." By way of example, Gartner cites Cisco's use of the terms "context-aware" and "CX" rather than "application control" or "NGFW," and says its clients will, out of confusion, exclude Cisco when comparing its offerings to competitors' offerings.
Terms like "SecureX" and Cisco's marketing campaign "Internet of Everything," referring to how many devices are coming online, are confusing, says Erik Devine, information security manager at Riverside HealthCare, based in Kankakee, Ill. Devine says he has huge respect for Cisco as a network provider but simply "doesn't believe they're a strong security firm." He says that, like Juniper, Cisco should "stick to switching and routing."
Devine, who not only directs security but also networking decisions that include wireless and mobility for the healthcare organization, chose to migrate away from what was a Cisco-based network to an HP-based one, in part because licensing proved more attractive. In the course of that change, Riverside also moved away from Cisco-based ASA firewall modules. Instead, Riverside went with a variety of Fortinet firewall, SSL/VPN, encryption and messaging protection gateways that include wireless control for the core network.
Though he did look at Palo Alto and Cisco gear as part of the evaluation process, in the end Devine felt the Fortinet firewalls had sufficient application-level control for what the healthcare organization needed and were technically sound and cost-effective. In his own experience over the decades, Devine says he's found Cisco's licensing models to be overly complicated and expensive.
Palo Alto Networks, which Gartner considers the front-runner firewall maker technically in application-aware capability (though perhaps a bit pricey), says it sees Cisco as a worthy competitor.
"They are an impressive company. They have tremendous presence in the customer base," says Chris King, director of product marketing at Palo Alto, adding Cisco seems to have something akin to "absolute dominance" in the networking organization and remarkable sway with networking managers, who may have budgets for firewalling security, too. (Cisco doesn't disclose what portion of its firewall sales come from blades in switches and routers or as stand-alone firewall appliances.)
Because Cisco and Juniper alike stress that security should be part of the networking infrastructure and be integrated into it, the challenge for a firm such as Palo Alto is to get potential enterprise customers to understand the advantage of application-aware controls. King argues Cisco firewalls are simply stateful inspection with some application controls, and Palo Alto has to win acceptance by proving its NGFW functionality is worth it. According to its latest SEC filing, Palo Alto had 6,000 end-user customers at the start of last year and about 11,000 today.
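The distinction the article draws between port-based or stateful filtering and application-aware, context-aware policy (the SecureX idea of deciding authorization from user, device, location and application, and King's point about stateful inspection versus NGFW controls) is easier to see in a toy policy engine. The following is an added illustration, not code from the article, from Cisco or from Palo Alto Networks; the flow attributes, rule names, application labels and all sample flows are constructed for the example, and no real product's policy language is modelled.

```python
"""Toy comparison of a port-based rule and a context-aware rule set.

Added example (constructed, not from the article or any vendor). It shows
why a port-only decision cannot distinguish applications that share a
port, while a rule set keyed on user role, device type, location and the
identified application can.
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """Attributes a context-aware system would gather for one connection."""
    user_role: str        # e.g. "clinician", "guest" (constructed labels)
    device_type: str      # e.g. "managed-laptop", "byod-phone"
    location: str         # e.g. "campus", "remote"
    dst_port: int
    app: Optional[str]    # application identified by inspection; None if unknown


def port_based_decision(flow: Flow, allowed_ports=frozenset({80, 443})) -> str:
    """Port-based rule: permit anything to an allowed destination port."""
    return "allow" if flow.dst_port in allowed_ports else "deny"


@dataclass
class ContextRule:
    """One rule; a field left as None matches any value of that attribute."""
    name: str
    action: str
    roles: Optional[Set[str]] = None
    device_types: Optional[Set[str]] = None
    locations: Optional[Set[str]] = None
    apps: Optional[Set[str]] = None

    def matches(self, flow: Flow) -> bool:
        checks = (
            ("user_role", self.roles),
            ("device_type", self.device_types),
            ("location", self.locations),
            ("app", self.apps),
        )
        for attr, allowed in checks:
            if allowed is not None and getattr(flow, attr) not in allowed:
                return False
        return True


# Constructed policy, evaluated top to bottom; first match wins.
CONTEXT_POLICY = [
    ContextRule("block-file-sharing", "deny", apps={"p2p-file-sharing"}),
    ContextRule("block-ehr-from-byod-remote", "deny",
                apps={"ehr-web"}, device_types={"byod-phone"}, locations={"remote"}),
    ContextRule("clinicians-ehr", "allow", roles={"clinician"}, apps={"ehr-web"}),
    ContextRule("general-web", "allow", apps={"web-browsing"}),
]


def context_aware_decision(flow: Flow, policy=CONTEXT_POLICY) -> str:
    """First matching rule wins; an unidentified application falls through to deny."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action
    return "deny"


def compare(flow: Flow) -> Tuple[str, str]:
    """Return (port-based decision, context-aware decision) for one flow."""
    return port_based_decision(flow), context_aware_decision(flow)


if __name__ == "__main__":
    samples = [
        Flow("guest", "byod-phone", "campus", 443, "p2p-file-sharing"),
        Flow("clinician", "managed-laptop", "campus", 443, "ehr-web"),
        Flow("clinician", "byod-phone", "remote", 443, "ehr-web"),
        Flow("guest", "byod-phone", "campus", 443, None),
    ]
    for f in samples:
        print(f, "->", compare(f))
```

Running the block prints each constructed flow beside its two decisions: the port-based rule allows everything on port 443, including file sharing tunnelled over that port and traffic whose application could not be identified, while the context-aware policy denies those and also denies the clinician's access to the record system from a personal phone off campus because the more specific deny rule is ordered ahead of the role-based allow. Rule ordering is the practical caveat: the same four rules in a different order would give different answers.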
Cisco faces a broad competitive field in IT security, according to IDC. Its main competitors in network security include Check Point, Juniper, Fortinet, McAfee, HP, Palo Alto Networks, IBM, Dell SonicWall and Sourcefire. In messaging security, the competitors include Symantec, McAfee, Trend Micro, Websense, Barracuda, Sophos, EMC, Microsoft and F-Secure. In Web security, Websense, Trend Micro, McAfee, Barracuda, Sophos, Check Point, Symantec, F-Secure and IBM, among others, keep the pressure on Cisco. Cisco is not considered a major player in the endpoint security market, which is dominated by Symantec, Intel's company McAfee, Trend Micro, Kaspersky Lab and others.
"Cisco is No. 1 in network security, No. 2 in Web security and No. 3 in messaging security," notes IDC analyst Charles Kolodgy. According to IDC, Cisco's IT security revenue bounced back to $1.834 billion by the end of 2012 after sinking the year before to $1.735 billion, and Cisco's fiscal statement last month indicates continuing modest growth in sales of its IT security products and services, which include firewalls, intrusion-prevention systems, the IronPort secure Web gateway and the cloud-based ScanSafe service.
Cisco hasn't won every match. Cisco edged away from its own denial-of-service mitigation technology, Anomaly Guard and Anomaly Detector Modules, announcing "end of sale" back in 2010. Just this month, Cisco announced an alliance with Arbor Networks -- they had teamed together in the past -- that involves embedding Arbor anti-DDoS technology directly in Cisco routers.
And acquisitions remain a way to gain technologies that are seen as important for the future. For example, Cisco just acquired Prague-based Cognitive Security for its behavior-based threat analysis. Cisco's Frampton says this will play a role in identifying threats, especially those targeting mobile devices.
Frampton does acknowledge that Cisco could be doing a better job in one area: uniting the security products it has acquired over the years so that they have a more unified policy and management platform. An integrated system, says Frampton, "will happen over the next several years."
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email: email@example.com.