Cisco's Security on a Switch
With dangers lurking all around, equipment vendors are adding more and more security features to high-end interfaces throughout the network.
The latest development in this area, and certainly the most far-reaching yet, came with Cisco Systems Inc.'s (Nasdaq: CSCO) announcement on Tuesday that it has integrated four security service modules into its Catalyst 6500 switch series (see Cisco Boosts Network Security).
The four new security modules offer firewall, IPSec VPN (IP Security Virtual Private Network), SSL (Secure Sockets Layer), and network analysis services. They perform the same functions as Cisco’s existing standalone products but, according to Cisco, with the scalability of the Catalyst 6500 and the flexibility to be deployed anywhere in the network. Each firewall module, for instance, delivers 5-Gbit/s throughput and 100,000 connections per second, with inspection up to Layer 7; each Catalyst 6500 can hold up to four firewall modules, claims the company.
“It’s orders of magnitude faster than Cisco’s current platform,” says Current Analysis analyst Joel Conover, who notes that, with four modules, “Cisco has the fastest firewall out there.”
If so, this could be remarkably bad news not only for other incumbent switch and router vendors -- which have yet to announce a similar level of support for security in their products -- but especially for high-end specialist, hardware-based firewall outfits like NetScreen Technologies Inc. (Nasdaq: NSCN), ServGate Technologies Inc., and WatchGuard Technologies Inc. (Nasdaq: WGRD).
Still, it's not yet known whether Cisco's approach will deliver the goods. David Newman, president of Network Test Inc., says that he’s impressed with the performance levels Cisco’s touting, but he cautions that performance doesn’t equal security. “Just because something goes fast doesn’t mean it’s strong or secure,” he says, emphasizing that he has not tested Cisco’s platform and does not know how secure it is. “There can be a tradeoff between performance and security.”
Another theoretical security concern about this kind of platform, where vital security services are integrated into the overall network architecture, is that if the security functions were to be compromised, the attacker would have direct access to the switch or router that holds the security modules, rather than to a separate appliance sitting in front of it.
Speed and integration may not guarantee security, but they do allow security services to be deployed in areas where they couldn’t previously have functioned. Security appliances like firewalls and VPNs have traditionally not been able to handle the amount or the speed of traffic passing through the core of the network, so they have been limited to securing the perimeters only. “That’s fine if you don’t trust the outside world,” Newman says. “But what about internal security?”
Hesham Eassa, the manager of network design engineering at WebEx Communications Inc., one of the companies beta-testing Cisco’s new security platform, says the new firewall module is a lot faster than the standalone appliances the company is already using: “It’s really fast. We’re planning on deploying it when it’s released.” Eassa, however, says that the company is not planning to replace its existing security appliances with the new platform but will add it on as an additional layer of security.
In addition to the performance benefits of the platform, Cisco claims companies that use it can cut back a lot on both capital and operational expenses. The modules, going for between $18,000 and $35,000 apiece, are less expensive than standalone appliances; and they not only fit into the 6500 switch but also into Cisco’s 7600 series router. If a company needs higher performance, it can simply upgrade by adding additional modules to the switch.
Eassa says WebEx definitely will save money using the platform. “We already have these switches,” he says, “a whole lot of them. We only have to buy the [modules].”
But, while the platform may be less expensive for companies looking for very high-performance security equipment, it still isn’t cheap. “It’s an expensive platform no matter how you slice it,” Conover says. “It’s expensive to buy it and expensive to maintain it… [But] it does have an incredible life expectancy.”
This will appeal to large enterprises and service providers only, he says. Smaller enterprises won’t be able to afford the platform, and they won’t need the performance levels it promises. “It’s extremely high performance. Everybody would like that, but this isn’t something for everybody.”
Cisco wouldn’t say how many customers are beta-testing its new platform or how many have signed on to buy its modules, but there is reason to believe the interest level will be high. “The 6500 is the best selling switch in the world,” Newman points out, saying he thinks service providers will be especially interested in the platform since it will allow them to sell security along with other network services.
Of course, Cisco won’t be without competition, although it might like to think so. “We’re really the first to integrate Layers 2 through 7 with full security,” Tom Russel, the director of Cisco’s marketing, VPN, and security business unit, says. “We’re the only game in town. This is new stuff.”
But while no one else may be offering the same level of integrated security services, some aren’t far behind. Juniper Networks Inc. (Nasdaq: JNPR) has already announced that it provides IPSec on all of its high-end interfaces, and Conover believes that Nortel Networks Corp. (NYSE/Toronto: NT) is certainly capable of offering a platform along the lines of the one Cisco just launched. “Nortel is the next most capable vendor out there,” he says. “They’ll probably have a competitive response. The competition is going to rally around this.” At the enterprise level, Newman says, Enterasys Networks Inc. (NYSE: ETS) is probably also close to launching a similar security platform.
In addition to saving on equipment costs, Russel claims companies can save a lot of money on having many different services on the same switch. This simplifies the network, he contends, giving them fewer boxes to manage. “There’s an inherent cost in managing a box. Consolidation cuts costs.”
Some observers, however, question how integrated Cisco’s solution really is. “It’s really not all that integrated,” Conover says. “Each module is managed separately. It’s like PIX firewalls on a stick.”
“Right now, it’s like putting a bunch of standalone systems in a big chassis… They have to be provisioned and managed separately,” agrees Infonetics Research Inc. analyst Jeff Wilson. “It’s useful, [but] it’s not a completely unified system. You can’t just click a button.”
Cisco has said it's planning to virtualize the management of the different modules on the 6500 in the future, according to Wilson. “Opex savings will really start to show up when they integrate the management.”
The firewall and SSL modules will be available in mid-September, while the VPN and network analysis modules are ready to ship now.
— Eugénie Larson, Reporter, Light Reading