
Q&A: Palmer discusses Cisco’s latest security initiatives

Feb 06, 2006 | 8 min read
Topics: Cisco Systems, Networking, Security

Cisco is among the market leaders in most major security product categories, but the company is still primarily known as a router and switch vendor. One person trying to change that is Richard Palmer, vice president and general manager of Cisco’s VPN and security business unit. He spoke recently with Network World Senior Editor Phil Hochmuth about Cisco’s latest security initiatives, its attempts at making IOS safer, and Cisco’s relationship with Microsoft. The following is an edited transcript:

How have Cisco’s various security business lines evolved over the years since the company began making security acquisitions in the late 1990s?

Historically many [security] capabilities have been provided to customers in the form of purpose-built dedicated devices. That was the case for remote access VPN, that was the case for firewall and the case for IDS. Over five years ago, we started down the path of integrating these capabilities into our infrastructure products. VPN was probably the earliest, closely followed by firewall and intrusion prevention. Because of that, we focused these things not as products, but as services. We thought about trying to build a common services layer or technology that could be supported on multiple platforms.

There is an orthogonal track in that some of these technologies themselves were converging; VPN and firewall converged, and then also intrusion detection and prevention. That has culminated both with the Adaptive Security Appliance, where all of those are integrated, and also in an approach in management, which is thinking about these things as services that can be deployed in multiple areas. Certainly with a couple of minor exceptions, no one has really pursued these kinds of security services into the infrastructure the same way we have. Juniper has sort of tried to with the acquisition of NetScreen but it hasn’t really gelled in the same way. And of course we have a five-year head start.

How do you sell a “network system” to customers used to buying products?

I think clearly something like Network Admission Control is a great example, because it’s a system. It’s not done in any one place. It does not rely on a new box. It relies on components and capabilities that already exist. And it’s also collaborative, in the sense that it requires the interaction of multiple Cisco products. But even more importantly, a bunch of our partners’ products. We think this systemic form of providing security is actually the future of how security will be done.

Some critics say Cisco is more of a follower in terms of developing next-generation security technologies, while real innovation is done by small start-ups and people in the larger IT security community. What are your thoughts on this?

We are doing significant amounts of innovation. We are the absolute thought leader in systemic security services, both Network Admission Control and Incident Control System being examples … Two or three years ago, the outbreaks of viruses and worms were top of mind. Within the last 24 or 18 months, there has been an increasing focus on spyware, as well as intellectual property theft and privacy violation — phishing, yes, but also the theft of property data, people going after massive blocks of Social Security numbers. The mitigation technologies required to deal with those new threats are very straightforward extensions of the things we do, primarily because a lot of the focus that we have from a mitigation point of view is on behavior as opposed to signatures. And so with behavior-based anomaly detection in the network, as well as behavior-based policies in endpoints, you get day-zero detection against those threats.

Also, if you have behavior-based policy enforcement on the endpoint, you can enforce what applications can be used. You can disable peer-to-peer and various kinds of instant messaging. You can require that no customer data or account data or healthcare data can be copied to removable media. You can restrict someone’s access to an application that prevents them from putting data on a memory stick. That becomes a very important aspect of both intellectual property protection as well as enforcement of privacy and compliance restrictions. That’s an example of where, if you structure your technology right, you’re able to deal with evolving threats.

It seems there is more buzz about hacking Cisco routers and IOS lately, and an increase in security advisory warnings for Cisco products. What is Cisco doing to secure its own gear?

There is an emphasis across the entire company on making Cisco products secure. That is implemented in the form of best practices. Every product area has notions of how to approach the designs of their products. We have an internal project with multiple layers of best practices, in terms of coding and things we do to secure various protocols. We do stuff to secure the data plane, to make sure that, during a denial-of-service attack, the control plane and data plane are not both affected. IOS is increasingly becoming more modular, as we recently announced on Catalyst switches. It’s multi-tiered. We’re as confident as you can be in a security type of environment that we’re taking the right steps.

We have over 1,500 engineers focused on security, specifically working on security products, which would not include all the people building ASICs who are integrating security into their products. The security technology group itself has about 1,200 engineers, and there are another 300 or so engineers who work throughout the company on security in other products.

What is the status of Cisco’s agreement with Microsoft to make Cisco NAC and Microsoft Network Access Protection (NAP) work together?

It’s going well. We’ve demonstrated compatibility and interoperability between NAC and NAP infrastructures. We’ve progressed at the technical and marketing areas quite a bit. We’ve done a number of joint briefings of leading-edge customers. We’re working on our technical architectural specifications, with the goal of making it simple for our customers, and our mutual partners, like the anti-virus partners, so they won’t have multiple APIs to write to. We expect to do some more public discussion on that with specifics when they are ready.

What do you mean by compatibility and interoperability between NAC and NAP?

Compatibility, so they don’t break each other; interoperability, which means that for instance, if a customer decides to have a NAP-centric technology on the end point, they could also rely on a Cisco network-based enforcement for compliance. And conversely, you could have Cisco and NAC components sitting on an endpoint, and they would be compatible with existing and future Microsoft architectures. The two objectives are to enable customer choice, so customers can choose what they want to do without having compatibility issues. The goal is also to simplify development in terms of the ecosystem, so you don’t have multiple APIs, or worse, conflicting APIs. The major anti-virus vendors need to have a single API on the client side with a defined set of mechanisms so the policy servers can communicate with them.

How will this NAC/NAP development effort affect, or be affected by, what’s going on with the Trusted Computing Group?

That’s a consortium as opposed to a standards body. We propose to work with key technology vendors, such as Microsoft, and then go to the standards bodies with it. We would expect that what we’re doing with NAC and what we’re doing in terms of NAC/NAP development will result in a well-defined standard.

What does Cisco do to keep track of the latest security threats? Are you getting out there among the hackers?

We have our own intelligence experts. We just made an acquisition of a unit of Cybertrust, which specializes in security information services. That capability is more of an interest to us in helping us communicate to our customers, as opposed to actually collecting the data ourselves. The other thing we pay attention to is the fact that we’re trying to build technology that focuses on day-zero protection. It’s less important for us to have, from a technology point of view, the latest signature for anti-virus. The Cisco Security Agent has behavioral policies that stop [those kinds of threats]. It’s important for us to make sure we understand how that new threat operates, what security policies and rules are needed to stop it. Our need for security intelligence is a little different from other players, but it still exists and we do quite a bit of that.

Do you think the industry needs a better way to share network intelligence and information when new threats break out?

The system actually works pretty well. You have end users, security services personnel, and the security companies themselves. You have IT infrastructure providers and government agencies and they all need to be linked in. And they are. It’s an interesting network. When there is a new outbreak, from a vulnerability point of view, there’s a pretty close linkage between security companies, the IT infrastructure elements that may be a target, the end users — large users of IT — and the government; they are all plugged in pretty quickly and can propagate information to their respective constituencies.