As you mop up after the latest worm attack and chat with your network infrastructure vendors, talk inevitably will turn to preventive and protective measures. Chances are, your vendors will encourage you to secure every switch and router, making your infrastructure gear part of the layered security approach you are taking in the new data center.
You just never know when or where software will be waylaid by its next vulnerability, the vendors will say. As such, they'll argue, switches and routers should be smart enough to be your helpmates - able to recognize and halt buffer overflows, quarantine infected or unknown clients or help push out patches.
That's a particularly logical gambit in discussions of zero-day attacks, in which the hacker games begin the same day that the software vulnerability is publicized. But just as experienced shoppers know that you never ask a tire salesman if you need new tires, so do enterprise network executives understand that they must do their homework when vendors push security frameworks. That means, of course, pushing back - and hard - to make them prove their claims of performance, interoperability and management.
Still, zero-day attacks highlight a continuing enterprise challenge: the drawbacks of the hard-shell/soft-center architecture created by traditional network security designs. Such designs might make the perimeter harder than nails, but that won't stop a rogue internal user or a corrupted download from making a shambles of the whole network, says Timon Sloane, director of product management at Extreme.
Preventing the network infrastructure from turning to mush is the motivation behind gear vendors' latest strategies, such as Cisco's Self-Defending Network, Enterasys Networks' SecureNetworks, Extreme's Clear-Flow and Nortel's Unified Security Framework. Everybody wants to make sure their network equipment can help identify, prevent or at least lessen the impact of security threats.
Cisco has its Network Admission Control (NAC) program for using network infrastructure devices to prevent the spread of viruses and worms. NAC, which Cisco defined with the help of anti-virus vendors Symantec and Trend Micro, falls under the Self-Defending Network umbrella.
As a start, Cisco offers Cisco Security Agent (CSA). The CSA software, which runs on user clients and enterprise servers, authenticates users and provides policy-based access. If users have not updated their desktops with the latest patch for Microsoft's Internet Explorer or don't have the latest virus signature files, CSA would quarantine the non-compliant devices or restrict their access.
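The admission decision the article describes (authenticate the endpoint, check its browser patch level and the age of its virus signature files, then allow, restrict or quarantine) can be written down as a small posture policy. The following is an added illustrative example, not Cisco's CSA or NAC code; the policy thresholds, patch-level tuples, dates and host names are all constructed for the example, and the three-way outcome (stale signatures within a grace window are restricted rather than quarantined) is an assumption of this example rather than something the article states.

```python
"""Endpoint posture evaluation in the style of a NAC admission check.
Illustrative example only; policy values and endpoint records are constructed."""
from dataclasses import dataclass
from datetime import date

ALLOW, RESTRICT, QUARANTINE = "allow", "restrict", "quarantine"


@dataclass(frozen=True)
class Policy:
    required_ie_patch: tuple      # minimum acceptable browser patch level (constructed)
    max_signature_age_days: int   # AV signature files older than this are stale
    restrict_grace_days: int      # stale-but-recent signatures are restricted, not quarantined


@dataclass(frozen=True)
class Posture:
    host: str
    ie_patch: tuple               # patch level reported by the endpoint agent
    signature_date: date          # date of the AV signature files on the endpoint
    authenticated: bool           # did the user/device authenticate successfully


def evaluate(posture: Posture, policy: Policy, today: date):
    """Return (decision, reasons).

    Unauthenticated hosts and hosts missing the required patch are quarantined.
    Hosts whose only problem is stale signatures are restricted while inside the
    grace window and quarantined once they fall outside it.
    """
    if not posture.authenticated:
        return QUARANTINE, ["authentication failed"]

    reasons = []
    missing_patch = posture.ie_patch < policy.required_ie_patch
    if missing_patch:
        reasons.append(
            f"browser patch {posture.ie_patch} below required {policy.required_ie_patch}")

    age_days = (today - posture.signature_date).days
    stale = age_days > policy.max_signature_age_days
    if stale:
        reasons.append(
            f"AV signatures {age_days} days old (max {policy.max_signature_age_days})")

    if not reasons:
        return ALLOW, []
    beyond_grace = age_days > policy.max_signature_age_days + policy.restrict_grace_days
    if missing_patch or beyond_grace:
        return QUARANTINE, reasons
    return RESTRICT, reasons


# Constructed sample policy and endpoint inventory (not real values).
POLICY = Policy(required_ie_patch=(6, 0, 2900), max_signature_age_days=7, restrict_grace_days=7)
TODAY = date(2004, 6, 1)
ENDPOINTS = [
    Posture("eng-laptop-01", (6, 0, 2900), date(2004, 5, 30), True),   # compliant
    Posture("eng-laptop-02", (6, 0, 2800), date(2004, 5, 30), True),   # missing patch
    Posture("field-laptop-03", (6, 0, 2900), date(2004, 5, 20), True), # 12-day-old signatures
    Posture("field-laptop-04", (6, 0, 2900), date(2004, 4, 1), True),  # 61-day-old signatures
    Posture("unknown-05", (6, 0, 2900), date(2004, 5, 31), False),     # failed authentication
]


def triage(endpoints=ENDPOINTS, policy=POLICY, today=TODAY):
    """Map each host name to its admission decision."""
    return {p.host: evaluate(p, policy, today)[0] for p in endpoints}


if __name__ == "__main__":
    for p in ENDPOINTS:
        decision, reasons = evaluate(p, POLICY, TODAY)
        print(f"{p.host:16} {decision:10} {'; '.join(reasons)}")
```

The point of keeping `evaluate` pure (policy, posture and date passed in, decision and reasons returned) is that the same function can be unit-tested against an inventory and replayed against historical posture records when tuning thresholds, and every non-allow decision carries a reason string that can be logged for the help desk.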
Part of this effort is a focus on tougher security for VPNs. Cisco has extended link-layer encryption to IPSec- and Secure Sockets Layer (SSL)-based VPNs. Previously available only for SSL VPNs, link-layer encryption secures each link between two adjacent endpoints that an IP tunnel traverses from origin to destination. Each link might use a different encryption key or algorithm.
Cisco also is looking at certificate exchanges as a way to make positive identification of a user and handle identity management, says Jeff Platon, senior director of product and technology marketing for Cisco.
The company also is researching a VPN model that goes beyond IPSec, SSL or a dedicated service, creating secured links between all nodes on the Internet, he says. That would mean embedding ASICs in public and private switches and routers to provide link-layer encryption that is more tightly integrated with the application in use - whether it's e-mail, an accounting package or a large e-commerce transaction.
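To make concrete what "a different key on each link" means for where plaintext exists along a path, the following added example simulates a message crossing four devices, once with per-link (hop-by-hop) encryption as described above and once through a single end-to-end tunnel. It is illustrative code written for this page, not Cisco's implementation; the device names and keys are constructed, and the SHA-256 counter-mode XOR "cipher" is a toy used only so the example runs without third-party libraries (it is not a secure construction and should not be reused).

```python
"""Hop-by-hop (link-layer) versus end-to-end encryption along a tunnel path.
Illustrative example; device names, keys and the toy cipher are constructed."""
import hashlib


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 over key || counter. NOT a secure cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


# Constructed path from a branch office to headquarters and one key per link.
PATH = ["branch-router", "isp-edge", "core-switch", "hq-router"]
LINK_KEYS = {
    ("branch-router", "isp-edge"): b"constructed-link-key-1",
    ("isp-edge", "core-switch"): b"constructed-link-key-2",
    ("core-switch", "hq-router"): b"constructed-link-key-3",
}
TUNNEL_KEY = b"constructed-end-to-end-key"
MESSAGE = b"PAYROLL BATCH 2004-06 total=123456.78"


def link_layer_transit(message: bytes, path, link_keys):
    """Each device decrypts the frame from its upstream link and re-encrypts it
    for the downstream link. Returns the bytes each device holds after decryption."""
    visible = {}
    frame = message                      # originates in the clear at the first device
    for i, node in enumerate(path):
        if i > 0:                        # decrypt with the key of the link just crossed
            frame = xor_crypt(link_keys[(path[i - 1], node)], frame)
        visible[node] = frame            # this device now holds the frame in the clear
        if i + 1 < len(path):            # encrypt for the next link with that link's key
            frame = xor_crypt(link_keys[(node, path[i + 1])], frame)
    return visible


def end_to_end_transit(message: bytes, path, tunnel_key: bytes):
    """One tunnel key shared only by the two ends; intermediates forward ciphertext."""
    ciphertext = xor_crypt(tunnel_key, message)
    visible = {node: ciphertext for node in path[1:-1]}
    visible[path[0]] = message
    visible[path[-1]] = xor_crypt(tunnel_key, ciphertext)
    return visible


def intermediates_seeing_plaintext(visible, message: bytes, path):
    """Names of the devices between the two ends that hold the message in the clear."""
    return [node for node in path[1:-1] if visible[node] == message]


if __name__ == "__main__":
    hop = link_layer_transit(MESSAGE, PATH, LINK_KEYS)
    e2e = end_to_end_transit(MESSAGE, PATH, TUNNEL_KEY)
    print("link-layer, plaintext at:", intermediates_seeing_plaintext(hop, MESSAGE, PATH))
    print("end-to-end, plaintext at:", intermediates_seeing_plaintext(e2e, MESSAGE, PATH))
```

Both models deliver the message intact to the last device, but under per-link encryption every device on the path, including a service provider's edge gear, decrypts the traffic before re-encrypting it for the next link. That is the trust boundary to keep in mind when a vendor proposes link-layer encryption: each intermediate device and its key material become part of the data's security perimeter, which is why such schemes are usually layered on top of, rather than substituted for, an end-to-end tunnel.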

While Siemens Energy and Automation (SEA) hasn't necessarily embraced Cisco's whole NAC program or Self-Defending Network concept, it has found the CSA piece a godsend. SEA relies on the authentication software to support almost 11,000 internal users and multiple third parties accessing Web-based applications, says Kathy Taylor, information security officer at the Alpharetta, Ga., company.
This sort of authentication is great for ensuring that SEA engineers, who spend more time at customer sites than they do at the home office, do not infect the internal network, she says. "We want to be able to grab their devices and make sure they're up to date when they initiate dial-up connectivity," she says.
Taylor says she doesn't foresee the need to blanket SEA's switches and routers with Cisco security software, but cautions that she views the issue from a WAN-facing perspective.