As Cisco Systems Inc. (Nasdaq: CSCO) continues to integrate security technologies from its latest purchases into its portfolio, industry observers speculate over which security companies might be next on the equipment giant’s shopping list (see Cisco's Serious About IDS).

Over the past couple of months, Cisco has focused on expanding its intrusion detection and protection product portfolio, through its acquisition of Psionic last December and its planned purchase of Okena (see Cisco Buys Psionic and Cisco's Got an Okena ). Now, word on the street has it that the company may be looking to take network protection to the next level through the acquisition of Arbor Networks Inc. Arbor makes systems for the network core that not only allow network operators to detect and isolate incoming distributed denial-of-service (DDOS) and worm attacks, but also to improve network management.

“Arbor is certainly high on my list for [Cisco],” says one analyst who has asked to remain anonymous.

“It fits in the overall category of IDS [intrusion detection systems] -- and that seems to be where they’re focusing now,” agrees Infonetics Research Inc. analyst Jeff Wilson, although he claims no knowledge of whether an acquisition is actually being contemplated. "Cisco doesn't have a DDOS appliance yet... and their routers are often the target of attacks. This is definitely another piece of the puzzle that I can see them adding."

Cisco itself, of course, won’t comment on the rumors, but Arbor has the credentials to be a Cisco acquisition target. Cisco was an investor in both the company’s funding rounds, totaling $33 million to date, and also has a tight-knit R&D partnership with the startup (see Arbor Scores $22M).

“The Cisco relationship goes beyond just the funding,” admits co-founder and chief strategist of Arbor, Ted Julian. “Cisco’s an incredibly important partner of ours.” He wouldn’t comment on the acquisition rumors. Julian points out that Arbor also has a close relationship with Juniper Networks Inc. (Nasdaq: JNPR). Both Cisco and Juniper sell Arbor's equipment to their customers and make joint sales calls with Arbor, he says.

Arbor also has very valuable customers in the service provider space -- an area Cisco has increasingly targeted. The startup, which says it will break even by the end of this year, claims to have four Tier 1 service provider customers in North America and one in Europe, each with contracts running up to six -- and in one case, seven -- figures. Arbor also has several large enterprise customers and three separate contracts with the Department of Defense, according to Julian. So far, the company has publicly announced Telus Corp. (NYSE: TU; Toronto: T) and Rackspace Managed Hosting as customers.

Arbor has commercialized technology developed at the University of Michigan with Cisco funding. It “hardens” off-the-shelf Pentium servers with its custom software to create “collectors” and “controllers” of information. The collectors, which cost about $40,000 each, are sprinkled throughout the core of the network, where they use statistics gathered from Cisco or Juniper routers to flag anomalies in network traffic. The controllers, which cost about $80,000 each, can then be activated to filter and isolate attacks.

Arbor’s ability to get data from existing routers is the main reason Telus chose to deploy the company’s technology, according to Telus's director of marketing, Leonard Hendricks. “It’s not an invasive technology,” he says. “We’ve been quite happy with it as a diagnostic tool.”

Arbor's technology works in two ways. First, it builds up a profile of normal traffic conditions so that it can spot anomalies when they occur -- be they security attacks or other problems, such as network instability resulting from a mistake by engineering staff. Second, it monitors changes to routing tables. By correlating these changes with anomalies, it can quickly pinpoint the cause of problems.

When a traffic abnormality occurs, the Arbor collector establishes a "fingerprint" of the problem, which can be compared with fingerprints of other potential problems in the network. This way, it can quickly tell if it’s dealing with an isolated incident or a network-wide attack. “You can tell that this is one, and not hundreds of attacks,” Julian says.

This also allows the network manager to pinpoint the source of the attack. “We now can tell you that you have an attack, and that it’s not just this router but this particular line-card and this particular interface,” he says. “Then we suggest what filters [to use].”

Julian says that this helped Rackspace deal with the January 25 SQL worm attack within a few hours, before its customers were aware of the problem.

In addition to being able to quickly identify and isolate DDOS and worm attacks, Arbor’s technology is also useful for non-real-time route changes, Julian says, since it can use the statistics it gathers to identify the best routes.

Judging from the way Cisco has gone about acquiring companies in the past -- carefully scoping out a company and the market it's in before pouncing -- Arbor is a good fit. "They dip their toes, they see their opportunity, and then they dive in," Infonetics' Wilson says.

But while partnerships and funding may be signs of a close relationship between Arbor and Cisco, they don't necessarily mean that the startup will be Cisco’s first acquisition choice. One industry analyst, who has asked to remain unnamed, points out that Cisco had a great partnership going with host-based security company Entercept Security Technologies but decided to purchase one of its competitors, Okena.

Does that mean that Cisco will end up buying one of Arbor’s main competitors, which include Riverhead Networks Inc., Mazu Networks, and Captus Networks Corp., instead? Doubtful, analysts say. If Arbor’s not the next company to land in Cisco’s security shopping cart, industry observers say hardware-based antivirus vendor Fortinet Inc. or security software vendor Neoteris Inc.are likely candidates.

— Eugénie Larson, Reporter, Light Reading