Network World
Saturday, November 22, 2008
Jamey Heary: Cisco Security Expert

The top 5 coolest security features/products released this year by Cisco

Wow, 2007 is almost over! It seems like it has flown by. Cisco security has made some great strides over the year. Let’s take a look back at some of the most interesting, useful, and/or innovative security-related features and products that Cisco released in 2007. I’d also like to hear from you which ones you’ve been most impressed with this year.

#1 on my list is the IronPort email and web security appliances. Their innovative approach to spam blocking, URL filtering, and email encryption is impressive. IronPort’s SenderBase email and web reputation service is the company’s secret sauce. For email it works by looking up the reputation score (-10 to +10) of every sending MTA (Mail Transfer Agent) at connection time. If the MTA’s reputation is poor (for example, between -10 and -5), the IronPort appliance refuses the connection. This means the spammer’s MTA is never able to send you even a single email. This approach saves bandwidth too, because you are refusing the mail connection, not dropping individual emails that have already arrived. The fact that using IronPort’s reputation service alone lets you detect and drop 80% of spam and malware makes it my top pick for 2007. Sweet! Read my previous NW article for details on the way IronPort has completely changed the game in email encryption: http://www.networkworld.com/community/node/19588
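The connection-time reputation gate described above, as an added example that is neither IronPort’s nor Cisco’s code. The -10 to +10 scale and the "refuse below -5" band come from the text; the reputation table, the throttle band between -5 and 0, the SMTP reply strings, the mail server name and the TEST-NET addresses are constructed assumptions. The batch simulation at the end shows the bandwidth point: a refused connection costs the receiver nothing beyond the handshake, while a content filter has to receive the whole message before discarding it.

```python
"""Reputation-based SMTP connection gating (simplified model, added example)."""
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed reputation data: sending-MTA IP -> score on the article's -10..+10 scale.
# Addresses are RFC 5737 documentation ranges, not real hosts.
REPUTATION_DB = {
    "198.51.100.7": -9.2,   # constructed: known spam source
    "203.0.113.45": -3.1,   # constructed: suspicious but not conclusive
    "192.0.2.10": 6.5,      # constructed: reputable corporate MTA
}

REJECT_BELOW = -5.0     # article's example: -10 to -5 is refused at connect time
THROTTLE_BELOW = 0.0    # assumed band: -5 to 0 is accepted but rate-limited
UNKNOWN_SCORE = 0.0     # assumed: senders with no reputation data are neutral
SERVER_NAME = "mx.example.test"  # assumed hostname for the SMTP banner


@dataclass
class Decision:
    verdict: str          # "reject", "throttle" or "accept"
    score: float
    smtp_response: str    # what the connecting MTA would see


def lookup_reputation(ip: str) -> float:
    """Return the sender's score; raises ValueError for a malformed address."""
    ip_address(ip)        # validate before using the string as a lookup key
    return REPUTATION_DB.get(ip, UNKNOWN_SCORE)


def connection_policy(ip: str) -> Decision:
    """Decide at TCP-connect time, before any SMTP commands are exchanged."""
    score = lookup_reputation(ip)
    if score < REJECT_BELOW:
        # Permanent failure with an enhanced status code (assumed wording).
        return Decision("reject", score,
                        "554 5.7.1 Connection refused: poor sender reputation")
    if score < THROTTLE_BELOW:
        return Decision("throttle", score, f"220 {SERVER_NAME} ESMTP (rate-limited)")
    return Decision("accept", score, f"220 {SERVER_NAME} ESMTP")


@dataclass
class Stats:
    connections: int = 0
    refused: int = 0
    bytes_received: int = 0   # payload the receiver actually had to take in


def run_inbound(batch, stats=None) -> Stats:
    """Push (sender_ip, message_size) pairs through the gate.

    A rejected sender is counted but contributes no payload bytes; everything
    else is received in full, which is what a post-delivery filter would pay.
    """
    if stats is None:
        stats = Stats()
    for ip, size in batch:
        stats.connections += 1
        if connection_policy(ip).verdict == "reject":
            stats.refused += 1
            continue
        stats.bytes_received += size
    return stats


# Constructed traffic sample: two spam attempts, one borderline, one legitimate.
SAMPLE_BATCH = [
    ("198.51.100.7", 50_000),
    ("198.51.100.7", 50_000),
    ("203.0.113.45", 2_000),
    ("192.0.2.10", 8_000),
]


def bytes_without_gate(batch) -> int:
    """What a content-only filter receives: every message, then decides."""
    return sum(size for _, size in batch)


if __name__ == "__main__":
    for ip, _ in SAMPLE_BATCH:
        d = connection_policy(ip)
        print(f"{ip:>14}  score={d.score:+5.1f}  {d.verdict:<8}  {d.smtp_response}")
    s = run_inbound(SAMPLE_BATCH)
    print(f"gated: {s.refused}/{s.connections} connections refused, "
          f"{s.bytes_received} bytes received vs {bytes_without_gate(SAMPLE_BATCH)} ungated")
```

The design choice worth noting is that the decision is keyed on the connecting IP before `EHLO`, so there is no message content to inspect and the response is a plain 5xx at the banner; a neutral score for unknown senders keeps a data gap from turning into an outage for new legitimate MTAs.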

#2 on my list is the greatly enhanced SSL VPN features added to the ASA this year. This summer Cisco released ASA 8.0 software. For all intents and purposes this release single-handedly brought Cisco up to feature parity with the other major SSL VPN players in the market. I particularly like its ability to connect SSL VPN users over UDP 443 instead of TCP 443. This is done using the DTLS protocol, the UDP equivalent of TCP-based TLS. The benefits of using DTLS are decreased jitter and latency, with increased performance for TCP-based applications. This is especially compelling for voice and video applications! The new AnyConnect SSL VPN client has the same look and feel as Cisco’s IPsec client, making the transition easier for end users. The clientless SSL VPN has also made significant progress from past releases. For more info take a look here: http://www.cisco.com/application/pdf/en/us/guest/products/ps6120/c1161/cdccont_0900aecd805c768e.pdf

#3 on my list is the release of the Cisco 4270 IPS sensor. The 4270 is capable of up to 4 Gbps of real-world throughput. This is not the backplane speed (which is much higher, btw), this is not a pie-in-the-sky lab performance metric, and it’s not with inspection turned off. 4 Gbps of traffic is what the 4270 can truly inspect with the default signatures enabled and a rich-media sampling of traffic. Finally Cisco is a player in the high-speed IPS appliance market! For more info see my previous article on this topic: http://www.networkworld.com/community/node/22686

#4 on my list this year is Cisco Security Manager (CSM) 3.1.1. You read it right: YES, I have a Cisco management package on my top 5 list. Now before you start laughing at me, or flaming me, I’m not the only one who thinks Cisco’s CSM has come a long way this year. Network World’s latest firewall all-in-one test gave Cisco’s CSM higher scores and kudos than Check Point’s SmartCenter! I never thought I’d see the day that Cisco security management would beat Check Point, but it has happened. CSM also beat SonicWall and SC Sidewinder management. I know this is only one test, but CSM has made some great strides this year in almost all areas. CSM can be used to manage all of Cisco’s firewall products (IOS, ASA, PIX, FWSM), all of Cisco’s IPS products (IOS, 42XX, and IDSM), and Cisco VPN products (IOS, ASA, and VPNSM). Is it time to give Cisco’s security management another look? I think so. See here for more info: http://www.cisco.com/en/US/products/ps6498/products_data_sheet0900aecd8062bf6e.html

Last but closest to my heart, #5 on my list this year is Cisco NAC Appliance (formerly known as Clean Access). I know I’m biased (I wrote the book for this product) but I really feel this product line has made great strides this year. For starters, the NAC Appliance team added 3 new products to their lineup this year: a NAC network module that plugs into a Cisco ISR router, a NAC Guest Server, and a NAC Profiler product. These additions advance the flexibility, ease of use, and deployability of the Cisco NAC Appliance solution. The NAC Guest Server is a guest access provisioning portal. It allows receptionists or employees to quickly and easily create new guest accounts for NAC and Wireless LAN Controller access. It has full auditing, reporting, and Active Directory support built in. The new NAC Profiler is very cool indeed. To quote Cisco, “Cisco NAC profiler is a sophisticated endpoint recognition technology that maintains a detailed inventory of networked devices so they can be evaluated before and during their connection to corporate networks. In particular, the Cisco NAC Profiler enhances the ability for networked devices that are unassociated with a particular user (e.g. printers, IP phones, wireless access points, HVAC sensors, medical devices, etc.) to be identified, authenticated, admitted, or denied network access. It also provides continuous behavioral assessment for post-admission access control.”

For more info on the NAC NM see my previous article on the topic here: http://www.networkworld.com/community/node/19003

For more info on the other products I mentioned see here: http://www.cisco.com/en/US/products/ps6128/products_data_sheets_list.html

So that is my top 5 coolest Cisco security features of 2007 list. What would be on your list? Come on, don’t be shy, blog away.

The opinions and information presented here are my personal views, not those of my employer.

A cheap and biased (The author works for Cisco) article

Network world, we know you are better than this. Allowing someone who works for Cisco, who clearly has a lot to gain (book sales, bonuses, increased stock value) to write an article like this just stinks. You are de-valuing the magazine and your website. Let's try and appear a little impartial. Can I get equal time then for my company who sells networking equipment?

This site is cisco subnet

Dear reader,
I guess you are new here. This site on Network World is called Cisco Subnet. It is dedicated to discussing all things Cisco. It is a site specifically designed for Cisco information. I do my best to contribute useful information to those interested in Cisco stuff. NW also has a subnet for Microsoft as well. Maybe you can get NW to create a subnet just for your company. Thanks for the flame though, happy holidays.
-Jamey

RE: Jamey

Give me a break! Everyone who posts on these blogs is biased, obviously you can peddle your gear on the Cisco Subnet, and nobody would be the wiser. Just because it says "Cisco" doesn't mean others can't jump in and say "think outside of the Cisco box".

I would love for NetworkWorld to create a Juniper or Nortel Subnet. Lets really make things interesting.

Bottom line is that Cisco still is way behind in its security offerings. So yes, your shameless plug is a huge joke; seriously, have you even looked at your competitors' offerings?

Happy Holidays!
(Another CCIE who would take JunOS/ScreenOS over IOS/PIXos any day of the week)

Cisco has never claimed to

Cisco has never claimed to be the "best in breed" with niche products on a grand-scale. Every vendor leap frogs the others over time, it's a fact of life in this industry.

As Juniper expands their product portfolio, they are going to be subject to the same challenges that Cisco has faced over time. For example, take note of the Netscreen integration into the business (most founders of Netscreen are gone). It's taken years for them to come out with products that leverage that technology (SSG). The comical part about JNPR in particular is that Scott Kriens continually proclaims to the street that he doesn't want to follow the same road that Cisco did, and he wants to focus on R&S. He at one point said that Juniper would never be a security company, followed by an acquisition of Netscreen. He also said that Juniper would never be an applications networking company (never mind the fact that there are Application Acceleration products in their portfolio with an Interface Module on the roadmap).

I think that JNPR has made rock solid routing products, and they bought a company that makes an excellent firewall. JunOS is very flexible, and I've been impressed with *some* of the advantages it provides. From a business perspective, it's difficult to fully bet my business on a collection of "best of breed" made by different vendors, as managing a single vendor is difficult enough.

Cisco has a vested interest in creating an architecture that meets business needs as opposed to focusing on moving packets faster than the next guy (this was hot in the late 90's). IT is becoming a commodity to many organizations due to the mindset of favoring the building of a network for the sake of speeds & feeds as opposed to building a network based on real business requirements (What does Marketing, Advertising, HR or Sales need to do business?? Not what does IT need to say we have a fast network).

-Bryan
CCIE, JNCIS-M, CISSP

RE: Bryan

"Cisco has never claimed to be the "best in breed" with niche products on a grand-scale."

You've obviously never dealt with anyone in Cisco's sales or marketing departments. ;-)

Your feedback here is welcome

Hi Robert,

Thanks for your comments. The comment mechanism is to let readers place their views (good or bad) about the blog they've read. As Jamey says, this is Cisco Subnet and our focus is on Cisco. But if you take a look at the Cisco Subnet page http://www.ciscosubnet.com and track back to the Cisconet blog http://www.networkworld.com/community/user/1860/track, you'll see plenty of comments about Cisco products/strategies vs. those of its competitors.

So yes, if your company competes with Cisco and you can post a response to this blog about your company's competitive product and how it differs/is better/is cheaper/is of higher quality, I'm sure our readers would love to hear about it and be able to compare and make up their own minds.

Thanks,

Linda Leung
Cisco Subnet editor

Consider the source

Personally, any article noting their 5 favorite things about any OEM company should send up RED FLAGS EVERYWHERE to be on the lookout for a company troll. In this particular case, I think jheary did an admirable job pimping Cisco's wares. The problem is that there are MULTIPLE other options available and much lower price-points and without all the Cisco overhead involved. Surely, Mr. Jheary will never get fired for buying Cisco, but he'll also overspend by 10-fold over what his competitors are doing with just a little bit of imagination and due diligence.

About Jamey Heary

Jamey Heary, CCIE No. 7680, is a security consulting systems engineer at Cisco. He leads its Western Security Asset team and is a field advisor for Cisco's global security virtual team. Jamey is the author of the recently published Cisco NAC Appliance: Enforcing Host Security with Clean Access. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey has been working in the IT field for 14 years and in IT security for 9 years.

The opinions expressed in this Weblog are those of the writer and may not represent the opinions of Network World.