Skip Links

Network World

Brad Reese

Cisco invention NetFlow appears missing in action as Cisco invests into the network behavior analysis business

By Brad Reese on Mon, 11/26/07 - 10:24pm.
Newsletter Signup

NetFlow Architecture Diagram

Beware Mazu Networks, Lancope, Q1Labs, Arbor Networks and the like, the creator of NetFlow: Cisco Systems, appears to be investing in the Network Behavior Analysis Business and unlike the above companies, they aren’t doing it with NetFlow.

Paul Brady"We can very quickly tell users, how people are behaving on the network, what threats exist and help them optimize it for business purposes," said Paul Brady – President of Mazu Networks.

"We are able to without agents or inline devices through the use of NetFlow which is pervasive on almost all networks and transparent, meaning very little to no overhead."

However, Cisco’s strategy appears to take a different approach.

First, Cisco is adding a deep-packet-inspection ASIC to the Cisco 6500 Catalyst switching line, challenging competitive single-function appliances for local-area networks (i.e. PISA - Programmable Intelligent Services Accelerator).

Second, they have the Cisco Security Agent.

And third, it all comes together under the Cisco Security Management Suite.

Introducing PISA - on Cisco Switches

The Programmable Intelligent Services Accelerator (PISA) is a hardware element within the Supervisor Engine 32, a card introduced in 2005 for the Cisco Catalyst 6500 Switch Series.

Cisco Supervisor Engine 32 PISA with 8-Port Gigabit Ethernet and PFC3B:

Cisco Supervisor Engine 32 PISA with 8-Port Gigabit Ethernet and PFC3B

Cisco configures the PISA board with either eight 1-Gbit Ethernet ports pictured above or dual 10-Gbit Ethernet ports. The Cisco Supervisor 32 is priced at $28,000 in either version which also includes one port of 10/100/1000 RJ-45 for ease of network management. All ports on the Cisco Supervisor Engine 32 PISA can be active at the same time.

The addition of PISA allows packets to be filtered based on application type, such as customer relationship management or Internet Protocol video, and makes it possible to block or prioritize traffic types based on high-layer business objectives. Quality-of-Service prioritization management is centralized in the Cisco QoS Policy Manager 4.0 Tool.

Cisco Supervisor Engine 32 PISA Deployment Example in LAN Access:

Cisco Supervisor Engine 32 PISA Deployment Example in LAN Access

The solution above can be deployed at the campus access, allowing customers to move security and classification to the edge of the network.

Cisco Supervisor Engine 32 PISA Deployment Example in WAN Aggregation:

Cisco Supervisor Engine 32 PISA Deployment Example in WAN Aggregation

The solution above can be deployed at the Enterprise WAN aggregation utilizing the comprehensive support of services modules and WAN interfaces on the Cisco Catalyst 6500 platform.

Cisco Supervisor Engine 32 PISA Management Model:

Cisco Supervisor Engine 32 PISA Management Model

The above flexible Configuration option in the Cisco Security Manager (CSM) allows network administrators to push down configuration files containing FPM policies to multiples switches.

PISA also supports security filtering, using Super ACL pattern matching engines operating on Layers 2 through 7.

The security application acts on zero-day threats, worms and viruses, using Cisco Security Manager 3.1 as a central manager.

The software however, is not a substitute for pattern-matching tools (i.e. antivirus software) from companies such as Kaspersky Labs, but instead acts in concert with such tools.

Cisco Security Agent - on the End Systems

Cisco Security Agent software provides threat protection capabilities for server, desktop and Point-of-Service (POS) computing systems.

This security software goes beyond conventional endpoint security solutions by providing an industry-leading defense against targeted attacks, spyware, rootkits and day-zero attacks.

Cisco Security Agent offers proactive protection against unknown threats that have not been seen before threats along with new exploits and variants that are trying to take advantage of published and unpublished vulnerabilities.

John Stewart"We lead the industry with our multi-layered, integrated, systems-based approach to security, and we continue to create new and more effective tools against network-based attacks and crimes," said John Stewart - Vice President and Chief Security Officer of Cisco Systems.

"We use behavioral technology. The first and best defense we use on computers at Cisco is the Cisco Security Agent. And by behavioral, what it is really doing is saying an operating system is running this way normally but everything else is questionable."

Cisco Security Agent provides numerous benefits, including:

Identify and Quarantine rootkits.
Optimization of Wi-Fi bandwidth.
Regulatory policy compliance enforcement.
Helps ensure the availability of critical client-server applications and transactions.
Preventive protection against targeted attacks, spyware, malware and worms.
Industry-leading host intrusion prevention, personal firewall and day zero attack protection.

Pricing for the Cisco Security Agent:

$10,500 for 10 Servers.
$6,305 for 100 desktops.
Prices vary depending on volume.

The Cisco Security Management Suite – Management

Cisco Security Management SuiteThis suite is a framework of products and technologies designed for scalable policy administration and enforcement for the Cisco Self-Defending Network.

This integrated solution can simplify and automate the tasks associated with security management operations, including: configuration, monitoring, analysis and response.

Does this sound familiar Venture Capital funded companies?

Cisco Security Management Suite Components

Cisco Security Manager is a powerful but easy-to-use solution for configuring firewall, VPN, and intrusion prevention system (IPS) policies on Cisco security appliances, firewalls, routers and switch modules.
Cisco Security MARS is an appliance-based, all-inclusive solution that allows network and security administrators to monitor, identify, isolate, and counter security threats.

Cisco’s Complete Security Solution

There you have it, if you believe the marketing fluff, Cisco appears to have it covered from all angles.

Introducing PISA - on the Switches
Cisco Security Agent - on the End Systems
Cisco Security Management Suite – Management

Notice the Cisco price point for what appears to be a more thorough security solution seems to be palatable.

This maybe especially true when compared to the venture capital funded alternatives which generally start around $50K.

Can proactive security be done with NetFlow?

NetFlow v5 which is about 80% of the market, lacks the information to perform inspections deep in the packets where viruses bury their evils in order spread on the corporate network.

Most of the data field just isn’t in NetFlow.

However, network anomalies all ready underway (e.g. DoS attack) can often be detected, but tracking the actual initial spread of the virus is largely not possible with NetFlow.

Rely on NetFlow for what?

Cisco advertises NetFlow on their web site for mainly network accounting and for providing a detailed view of network behavior. This means:

Bandwidth utilization
Application monitoring
Anomaly detection (i.e. problems already underway)

Cisco’s approach to network security seems to go beyond in line packet analysis and NetFlow reporting tools.

Perhaps NetFlow collectors with some behavior analysis capabilities (e.g. looking at the TCP flags within flows) is the best space for companies competing in the NetFlow space.

Niche companies such as AdventNet and Plixer International may want to add this feature to their NetFlow applications.

Related Stories:

Network World Cisco Flexible NetFlow expert Mike Patterson, Denial of Service (DoS) attacks can be accurately diagnosed
Network World Q & A with network behavior analysis software expert - Adam Powers
Network World Cisco’s NetFlow vs. Inmon’s sFlow: Which will prevail?
Network World Developed by Cisco, NetFlow reporting morphs into hyper-competitive industry
Network World Cisco customers have been kept in the dark about the extremely powerful NetFlow-NBAR technology combination
Network World NetFlow or sFlow: which is the open standard?
Network World Are you taking advantage of NetFlow and IP SLA?
Network World Appealing to CCIEs, hardware vendors copy Cisco's CLI and NetFlow to get into Cisco accounts
Network World NetFlow Tracker hits triple home run for Cisco VARS and their enterprise Cisco customers
Network World Demanding business applications have Cisco and rival HP ProCurve featuring their network behavior analysis strengths

Contact Brad Reese
http://www.BradReese.Com

Commercial

0
By endorphn (not verified) on Tue, 11/27/2007 - 9:54am.

Sounds like one long, deeply inflated Cisco commercial to me.

If you talk to Cisco's

0
By Anonymous (not verified) on Tue, 11/27/2007 - 11:38am.

If you talk to Cisco's internal security staff, they say NetFlow is either their #1 or #2 tool, along with heavily tuned IDS sensors.

I Agree

0
By Anonymous (not verified) on Mon, 12/03/2007 - 12:05am.

Actually if you talk to Cisco's biggest customers (meaning their network is large), netflow is critical. Hmmm, standardized way to get information about a network and use open source tools to digest the data...sounds like a good idea to me.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
Welcome, visitor. Register Log in
Advertisement:
About Brad Reese on Cisco

Brad Reese cofounded BradReese.Com Cisco Refurbished which offers one year warranties on Cisco Refurbished and Cisco Repair.

Contact Brad Reese

Archives
July 2009
June 2009
May 2009
April 2009
March 2009
February 2009
January 2009
December 2008
November 2008
October 2008
September 2008
August 2008
July 2008
June 2008
May 2008
April 2008
March 2008
February 2008
January 2008
December 2007
November 2007
October 2007
September 2007
August 2007
July 2007
June 2007
May 2007
April 2007
March 2007
February 2007
January 2007
Categories
A government official in possession of a large corporate stockholding while that corporation is subject to administrative rulings by that same government official
After contacting Cisco
Agito adds that its enterprise fixed mobile convergence (eFMC) platform enables low-cost in-building voice coverage
Agito introduced Agito for BlackBerry
Agito's BlackBerry smart phone functionality for Cisco VoIP
Agito's RIM BlackBerry support announcement
Americas Vice President and General Manager of HP ProCurve - Karl Soderlund
An assortment of communications companies
Andreessen plans to watch what companies Cisco acquires
Andreessen sees as the next market transition
As a matter of Cisco policy
Back in April the CCIE Security track changed
Black Hat attack on Cisco's network admission control (NAC)
Boas also led an educational session at the Gartner Security Summit
Boas shares his insight on the most prevalent threats to the enterprise network
Bragging about Cisco's ability to catch market transitions
Brings enterprise VoIP over WiFi for dual-mode BlackBerry smartphones
But neither felt it as bad as Cisco did
Can Cisco VARs profitably match HP ProCurve pricing on a deal-by-deal basis?
Careers
Chairman and CEO of Cisco China - Jim Sherriff
Cisco
Cisco CEO John Chambers has never been shy
Cisco Chief Technology Officer Padmasree Warrior
Cisco NAC design flaws that the folks at Black Hat so alarmingly described
Cisco VARs no longer have enough margin left to profitably match HP ProCurve pricing
Cisco customer a discount
Cisco has held this share position since CY02
Cisco has produced a new CCIE count
Cisco is celebrating its 25th anniversary this year
Cisco is the revenue-leading vendor overall with 38% of total network security appliances and software in 1Q09 (down 2.8 points from 4Q08)
Cisco might do very well with the Flip
Cisco offer price-matching discounts to existing customers in order to equal ProCurve prices
Cisco only counts your CCIE number once
Cisco released its new worldwide CCIE count
Cisco's executive biographies web page
Cisco's loss of market share has in itself become the networking industry's newest market transition
Compromised the Cisco agent installed on the end system
Confirmation testimony before the U.S. Senate noteworthy
Customer-proven best practices of network access control (NAC)
Data Center
Didn’t RIM already support voice over WiFi?
Doesn’t RIM’s Ascendent acquisition give them this?
Douglas Gourlay - Vice President of Cisco Data Center Solutions
Douglas Gourlay is as sharp as a tack and one of the most impressive people I've ever had the honor of collaborating with on Cisco stories
Dual CCIE #18532 Routing and Switching/Security - George Morton
Dual-mode BlackBerry smartphones
Enables BlackBerry to be integrated into corporate PBXs and Unified Communications systems
Enterasys NAC is agent-less assessment based on a network scan
Enterasys security expert Dennis Boas
Enterasys uses multiple criteria beyond end system health assessment to assign and limit access granted to an end system
Enterprise concerns about the financial and management aspects of NAC
Enterprises that have standardized on the BlackBerry platform
Exactly what's causing everybody to quack?
Famous networking industry journalist
Flexible options with Enterasys NAC
Flip video below of Chambers' doing his quacks
Flip video of Cisco CEO John Chambers performing his duck quacks
Further details on why Cisco has lost market share in network security
Gourlay was featured just 7 days earlier in the Cisco Data Center Networks blog story
Gourlay's office is located at Cisco's nearby headquarters in San Jose
HP ProCurve continues to win business and gain market share
HP ProCurve is calling the shots now
HP ProCurve is whacking Cisco in its most vulnerable spot
HP ProCurve pricing on a deal-by-deal
HP ProCurve will take 20% off its list price
Half the smartphones in use in the US today are BlackBerry devices
Hogtied by Cisco's new committee culture
How Cisco was working overtime AGAINST the Buy America provisions of the $7.2B broadband stimulus fund
I can still see those wishing to cash out selling to Cisco
I have worked for a handful of telecommunications companies of varying sizes
I voted for President Obama seeking change
If you trade-in your Cisco equipment
Independent companies operating in Silicon Valley able to out innovate Cisco
Interesting CCIE news from around the world
Is Cisco likely to innovate? No
Its been proven that a government official can be bribed with free dinners
Jeff Wilson - network security analyst at Infonetics Research
Joel Bion - Senior Vice President of Cisco's Product Resiliency Research
Juniper and Check Point are second and third with 10.4% and 9.5% respectively
LANs / WANs
Larry Strickling is confirmed as the new Administrator of the National Telecommunications and Information Administration (NTIA)
Last month Cisco missed the multiple CCIE numbers
Made by Strickling during his March 19
Manny Rivelo - Senior Vice President of Cisco's Development Organization
May 2009 vs. June 2009 Worldwide CCIE Count Comparison
Mobile features integrated into the BlackBerry
My previous government service at the FCC provide me a unique background for the position of Assistant Secretary
My source suggested Gourlay had left Cisco
Network security vendor Enterasys
Not only among the Cisco workforce
Not too many senior executives are around from Cisco's early days
Now it appears the Internet is quacking too
Omitted the years of Cisco service for both John Morgridge and Richard Justice because they are no longer full-time Cisco executives
Only 66% of all applicants who passed were for the CCIE Router and Switch track
Only one CCIE is a member of Cisco's 59 strong senior executive team
Out innovate Cisco simply because they have no desire to be acquired
Pacific Rim CCIE numbers didn't change over the last 39 days
Pejman Roshan - Chief Marketing Officer of enterprise fixed mobile convergence (eFMC) vendor Agito Networks
Ponemon Institute reported
Post a comment to Cisco's blog that contains a link to your duck quacking video
ProCurve wants to make all Cisco customers aware of this offer
ProCurve’s momentum and market share gains
R & S + Security this year as the most popular dual CCIE track
R & S + Service Provider was 49% of the successful attempts for dual CCIE
RIM offers only data services over WiFi on their dual-mode smartphones
Responsible for Cisco's IOS Software
SMB
Security
Security mechanisms are used to validate the integrity and authenticity of the Enterasys agent for all server/agent communications
Security sales will come back for Cisco
Showed that Stickling owned a large Cisco stock position
So we had 251 new CCIEs
Subject of Cisco's senior executive team came up
The CEO of Cisco quacked
The Cisco workforce quacked
The IOS 12.4 track with ISR routers is slowing down the Security CCIE track
The National Telecommunications and Information Administration (NTIA) granted Cisco its coveted Buy American Exception
The average tenure would be of the 61 executives listed on Cisco's Mount Rushmore
The best duck call will win a new Flip Mino HD from John Chambers
The change in the CCIE Security track has had a major impact on new security CCIEs
Tremendous benefits HP ProCurve provides by offering the best value
VoIP / Convergence
We build our culture at Cisco around catching market transitions
We can confirm that Doug Gourlay is no longer with Cisco and we wish him well in his future endeavors
We're also now starting to see the CCIE Wireless track
We've experienced a new low for CCIE Security track
What exactly has Agito Networks announced this week?
What's your take on the implications of the new worldwide Cisco CCIE count?
What's your take on why Douglas Gourlay left Cisco and where do you think he will land?
Which had Gourlay inviting guests to Cisco Live in the following video
Which video quacks you up the most?
While Cisco salivates over 30 to 50 new market adjacencies
Why does Cisco lack pricing flexibility?
Why is cellular-only PBX and UC integration incomplete?
Why the Enterasys NAC solution is doing so well
Why the Enterasys NAC solution is in such high demand
Wireless / Mobile
Without ducking my question
Would you back the technology vision of Marc Andreessen
You too will understand why duck quacking has become such an overnight sensation
On The Web
Twitter