Beware Mazu Networks, Lancope, Q1Labs, Arbor Networks and the like, the creator of NetFlow: Cisco Systems, appears to be investing in the Network Behavior Analysis Business and unlike the above companies, they aren’t doing it with NetFlow.
 "We can very quickly tell users, how people are behaving on the network, what threats exist and help them optimize it for business purposes," said Paul Brady – President of Mazu Networks.
"We are able to without agents or inline devices through the use of NetFlow which is pervasive on almost all networks and transparent, meaning very little to no overhead." |
However, Cisco’s strategy appears to take a different approach.
First, Cisco is adding a deep-packet-inspection ASIC to the Cisco 6500 Catalyst switching line, challenging competitive single-function appliances for local-area networks (i.e. PISA - Programmable Intelligent Services Accelerator).
Second, they have the Cisco Security Agent.
And third, it all comes together under the Cisco Security Management Suite.
Introducing PISA - on Cisco Switches
The Programmable Intelligent Services Accelerator (PISA) is a hardware element within the Supervisor Engine 32, a card introduced in 2005 for the Cisco Catalyst 6500 Switch Series.
Cisco Supervisor Engine 32 PISA with 8-Port Gigabit Ethernet and PFC3B:
Cisco configures the PISA board with either eight 1-Gbit Ethernet ports pictured above or dual 10-Gbit Ethernet ports. The Cisco Supervisor 32 is priced at $28,000 in either version which also includes one port of 10/100/1000 RJ-45 for ease of network management. All ports on the Cisco Supervisor Engine 32 PISA can be active at the same time.
The addition of PISA allows packets to be filtered based on application type, such as customer relationship management or Internet Protocol video, and makes it possible to block or prioritize traffic types based on high-layer business objectives. Quality-of-Service prioritization management is centralized in the Cisco QoS Policy Manager 4.0 Tool.
Cisco Supervisor Engine 32 PISA Deployment Example in LAN Access:
The solution above can be deployed at the campus access, allowing customers to move security and classification to the edge of the network.
Cisco Supervisor Engine 32 PISA Deployment Example in WAN Aggregation:
The solution above can be deployed at the Enterprise WAN aggregation utilizing the comprehensive support of services modules and WAN interfaces on the Cisco Catalyst 6500 platform.
Cisco Supervisor Engine 32 PISA Management Model:
The above flexible Configuration option in the Cisco Security Manager (CSM) allows network administrators to push down configuration files containing FPM policies to multiples switches.
PISA also supports security filtering, using Super ACL pattern matching engines operating on Layers 2 through 7.
The security application acts on zero-day threats, worms and viruses, using Cisco Security Manager 3.1 as a central manager.
The software however, is not a substitute for pattern-matching tools (i.e. antivirus software) from companies such as Kaspersky Labs, but instead acts in concert with such tools.
Cisco Security Agent - on the End Systems
Cisco Security Agent software provides threat protection capabilities for server, desktop and Point-of-Service (POS) computing systems.
This security software goes beyond conventional endpoint security solutions by providing an industry-leading defense against targeted attacks, spyware, rootkits and day-zero attacks.
Cisco Security Agent offers proactive protection against unknown threats that have not been seen before threats along with new exploits and variants that are trying to take advantage of published and unpublished vulnerabilities.
 "We lead the industry with our multi-layered, integrated, systems-based approach to security, and we continue to create new and more effective tools against network-based attacks and crimes," said John Stewart - Vice President and Chief Security Officer of Cisco Systems.
"We use behavioral technology. The first and best defense we use on computers at Cisco is the Cisco Security Agent. And by behavioral, what it is really doing is saying an operating system is running this way normally but everything else is questionable." |
Cisco Security Agent provides numerous benefits, including:
 |
Identify and Quarantine rootkits. |
|
|
Optimization of Wi-Fi bandwidth. |
|
|
Regulatory policy compliance enforcement. |
|
|
Helps ensure the availability of critical client-server applications and transactions. |
|
|
Preventive protection against targeted attacks, spyware, malware and worms. |
|
|
Industry-leading host intrusion prevention, personal firewall and day zero attack protection. |
Pricing for the Cisco Security Agent:
|
|
$10,500 for 10 Servers. |
|
|
$6,305 for 100 desktops. |
|
|
Prices vary depending on volume. |
The Cisco Security Management Suite – Management
 This suite is a framework of products and technologies designed for scalable policy administration and enforcement for the Cisco Self-Defending Network.
This integrated solution can simplify and automate the tasks associated with security management operations, including: configuration, monitoring, analysis and response. Does this sound familiar Venture Capital funded companies? |
Cisco Security Management Suite Components
|
|
Cisco Security Manager is a powerful but easy-to-use solution for configuring firewall, VPN, and intrusion prevention system (IPS) policies on Cisco security appliances, firewalls, routers and switch modules. |
|
|
Cisco Security MARS is an appliance-based, all-inclusive solution that allows network and security administrators to monitor, identify, isolate, and counter security threats. |
Cisco’s Complete Security Solution
There you have it, if you believe the marketing fluff, Cisco appears to have it covered from all angles.
|
|
Introducing PISA - on the Switches |
|
|
Cisco Security Agent - on the End Systems |
|
|
Cisco Security Management Suite – Management |
Notice the Cisco price point for what appears to be a more thorough security solution seems to be palatable.
This maybe especially true when compared to the venture capital funded alternatives which generally start around $50K.
Can proactive security be done with NetFlow?
NetFlow v5 which is about 80% of the market, lacks the information to perform inspections deep in the packets where viruses bury their evils in order spread on the corporate network.
Most of the data field just isn’t in NetFlow.
However, network anomalies all ready underway (e.g. DoS attack) can often be detected, but tracking the actual initial spread of the virus is largely not possible with NetFlow.
Rely on NetFlow for what?
Cisco advertises NetFlow on their web site for mainly network accounting and for providing a detailed view of network behavior. This means:
|
|
Bandwidth utilization |
|
|
Application monitoring |
|
|
Anomaly detection (i.e. problems already underway) |
Cisco’s approach to network security seems to go beyond in line packet analysis and NetFlow reporting tools.
Perhaps NetFlow collectors with some behavior analysis capabilities (e.g. looking at the TCP flags within flows) is the best space for companies competing in the NetFlow space.
Niche companies such as AdventNet and Plixer International may want to add this feature to their NetFlow applications.
Related Stories:
About Brad Reese on Cisco
Brad Reese is research manager at BradReese.Com, advancing the careers of 1 million certified individuals in the growing Cisco Career Certification Program.
Contact him.
Brad's blogroll
Brad Reese on Cisco archive.
Cisco Subnet
|
|
Commercial
Sounds like one long, deeply inflated Cisco commercial to me.
If you talk to Cisco's
If you talk to Cisco's internal security staff, they say NetFlow is either their #1 or #2 tool, along with heavily tuned IDS sensors.
I Agree
Actually if you talk to Cisco's biggest customers (meaning their network is large), netflow is critical. Hmmm, standardized way to get information about a network and use open source tools to digest the data...sounds like a good idea to me.