
Cisco's Security on a Switch

With dangers lurking all around, equipment vendors are adding more and more security features to high-end interfaces throughout the network.

The latest development in this area, and certainly the most far-reaching yet, came with Cisco Systems Inc.'s (Nasdaq: CSCO) announcement on Tuesday that it has integrated four security service modules into its Catalyst 6500 switch series (see Cisco Boosts Network Security).

The four new security modules offer firewall, IPSec VPN (IP Security Virtual Private Network), SSL (Secure Sockets Layer), and network analysis services. They perform the same functions as Cisco's existing standalone products but, according to Cisco, with the scalability of the Catalyst 6500 and the flexibility to be deployed anywhere in the network. Each firewall module, for instance, delivers 5-Gbit/s throughput and 100,000 connections per second, with inspection up to Layer 7; each Catalyst 6500 can hold up to four firewall modules, claims the company.

“It’s orders of magnitude faster than Cisco’s current platform,” says Current Analysis analyst Joel Conover, who notes that, with four modules, "Cisco has the fastest firewall out there.”

If so, this could be remarkably bad news not only for other incumbent switch and router vendors -- which have yet to announce a similar level of support for security in their products -- but especially for high-end specialist, hardware-based firewall outfits like NetScreen Technologies Inc. (Nasdaq: NSCN), ServGate Technologies Inc., and WatchGuard Technologies Inc. (Nasdaq: WGRD).

Still, it's not yet known whether Cisco's approach will deliver the goods. David Newman, president of Network Test Inc., says that he’s impressed with the performance levels Cisco’s touting, but he cautions that performance doesn’t equal security. “Just because something goes fast doesn’t mean it’s strong or secure,” he says, emphasizing that he has not tested Cisco’s platform and does not know how secure it is. “There can be a tradeoff between performance and security.”

Another theoretical security concern about this kind of platform, where vital security services are integrated into the overall network architecture, is that if the security functions were to be compromised, the attacker would have direct access to the switch or the router that holds the security modules.

Speed and integration may not guarantee security, but they do allow security services to be deployed in areas where they couldn’t previously have functioned. Security appliances like firewalls and VPNs have traditionally not been able to handle the amount or the speed of traffic passing through the core of the network, so they have been limited to securing the perimeters only. “That’s fine if you don’t trust the outside world,” Newman says. “But what about internal security?”

Hesham Eassa, the manager of network design engineering at WebEx Communications Inc., one of the companies beta-testing Cisco’s new security platform, says the new firewall module is a lot faster than the standalone appliances the company is already using: “It’s really fast. We’re planning on deploying it when it’s released.” Eassa, however, says that the company is not planning to replace its existing security appliances with the new platform but will add it on as an additional layer of security.

In addition to the performance benefits of the platform, Cisco claims companies that use it can cut back a lot on both capital and operational expenses. The modules, going for between $18,000 and $35,000 apiece, are less expensive than standalone appliances; and they not only fit into the 6500 switch but also into Cisco’s 7600 series router. If a company needs higher performance, it can simply upgrade by adding additional modules to the switch.

Eassa says WebEx definitely will save money using the platform. “We already have these switches,” he says, “a whole lot of them. We only have to buy the [modules].”

But, while the platform may be less expensive for companies looking for very high-performance security equipment, it still isn’t cheap. “It’s an expensive platform no matter how you slice it,” Conover says. “It’s expensive to buy it and expensive to maintain it… [But] it does have an incredible life expectancy.”

This will appeal to large enterprises and service providers only, he says. Smaller enterprises won’t be able to afford the platform, and they won’t need the performance levels it promises. “It’s extremely high performance. Everybody would like that, but this isn’t something for everybody.”

Cisco wouldn’t say how many customers are beta-testing its new platform or how many have signed on to buy its modules, but there is reason to believe the interest level will be high. “The 6500 is the best selling switch in the world,” Newman points out, saying he thinks service providers will be especially interested in the platform since it will allow them to sell security along with other network services.

Of course, Cisco won’t be without competition, although it might want to think so. “We’re really the first to integrate Layers 2 through 7 with full security,” Tom Russel, the director of Cisco’s marketing, VPN, and security business unit, says. “We’re the only game in town. This is new stuff.”

But while no one else may be offering the same level of integrated security services, some aren’t far behind. Juniper Networks Inc. (Nasdaq: JNPR) has already announced that it provides IPSec on all of its high-end interfaces, and Conover believes that Nortel Networks Corp. (NYSE/Toronto: NT) is certainly capable of offering a platform along the lines of the one Cisco just launched. “Nortel is the next most capable vendor out there,” he says. “They’ll probably have a competitive response. The competition is going to rally around this.” At the enterprise level, Newman says, Enterasys Networks Inc. (NYSE: ETS) is probably also close to launching a similar security platform.

In addition to saving on equipment costs, Russel claims companies can save a lot of money by running many different services on the same switch. This simplifies the network, he contends, giving them fewer boxes to manage. “There’s an inherent cost in managing a box. Consolidation cuts costs.”

Some observers, however, question how integrated Cisco’s solution really is. “It’s really not all that integrated,” Conover says. “Each module is managed separately. It’s like PIX firewalls on a stick.”

“Right now, it’s like putting a bunch of standalone systems in a big chassis… They have to be provisioned and managed separately,” agrees Infonetics Research Inc. analyst Jeff Wilson. “It’s useful, [but] it’s not a completely unified system. You can’t just click a button.”

Cisco has said it's planning to virtualize the management of the different modules on the 6500 in the future, according to Wilson. “Opex savings will really start to show up when they integrate the management."

The firewall and SSL modules will be available in mid-September, while the VPN and network analysis modules are ready to ship now.

— Eugénie Larson, Reporter, Light Reading
betterfilet 12/4/2012 | 9:51:11 PM
re: Cisco's Security on a Switch Beware of UDP vs TCP throughput measurements in vendor provided firewall benchmarks. HTTP over TCP is the bulk of the traffic a firewall must filter.
umustbejokin 12/4/2012 | 9:51:06 PM
re: Cisco's Security on a Switch Don't forget to beware of Cisco math!
lob 12/4/2012 | 9:51:04 PM
re: Cisco's Security on a Switch Don't forget to beware of unsubstantiated claims of "full security".

Firewalls do nothing to protect against the most common source of attacks - i.e. insiders. They also don't do anything about WiFi LANs, loose modems, people bringing in floppies or downloading stuff from the Web, etc, etc.

Thinking that simply installing a firewall would secure the internal network is a very dangerous fallacy.
ntwkeng 12/4/2012 | 9:51:00 PM
re: Cisco's Security on a Switch It's funny how often I hear 'Cisco Math' and such. I remember back in 1995/1996 when Cisco Math on the Catalyst 5000 series was spot-on (1.2Gb/s backplane). Then they started getting beat up by companies like Cabletron counting pkts twice for 'full duplex' and then again for 'in and out of the backplane'.

Cisco pretty much followed suit on it and then started doubling the numbers for full-duplex on the Cat4000 and Cat6500. The Lightstream1010 product was 5Gb/s then expanded to 10Gb/s backplane when they followed suit and doubled the numbers there as well.

I wouldn't blame Cisco for following an industry trend, but then getting abused about it because they are the industry leader.

As far as these modules go they may look like a 'PIX on a stick' but as a security operations guy I like that. It lets me manage my piece of it and not have to share a CLI with the other parts of the organization.

As I understand it, it is integrated into the switch with its interfaces being VLANs, and it can support up to 100 of them. This is great for me in my datacenter and in my extranet sites. I can firewall off my datacenter from the rest of the network, at rate, and only let people get to my servers the way they are supposed to. (No more telnetting to my SAP server!)
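An added illustration of the zone model described in the comment above (this is not code from the article, from Cisco, or from the commenter): a default-deny stateful filter whose "interfaces" are VLANs, which admits only the intended service toward a datacenter host, lets the reply traffic of a tracked flow back through, and drops telnet to the same host. The VLAN numbers, addresses, and rules are constructed for the example; port 3200 is assumed as the conventional SAP dispatcher port for instance 00.

```python
"""Toy stateful inter-VLAN firewall (added example, not a Cisco FWSM model).

Default deny; new flows must match an explicit rule; TCP flows must begin
with a SYN; reply packets are admitted only for flows already tracked.
VLAN numbers, hosts and ports below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    vlan_in: int        # VLAN the packet arrives on (the module's "interface")
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN without ACK marks a new connection attempt


@dataclass(frozen=True)
class Rule:
    from_vlan: int      # source zone
    to_host: str        # permitted destination server
    proto: str
    dport: int          # the one service allowed to that server


FlowKey = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


class VlanFirewall:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.flows: Set[FlowKey] = set()   # flows admitted by a rule

    @staticmethod
    def _key(proto: str, src: str, sport: int, dst: str, dport: int) -> FlowKey:
        return (proto, src, sport, dst, dport)

    def filter(self, pkt: Packet) -> str:
        # 1. Reply traffic: the reversed 5-tuple must belong to a tracked flow.
        if self._key(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "allow-established"
        # 2. A TCP packet with no state and no SYN is not a legitimate new flow.
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny-no-state"
        # 3. New flows (TCP SYN, or any UDP datagram) need an explicit rule.
        for r in self.rules:
            if (r.from_vlan == pkt.vlan_in and r.to_host == pkt.dst
                    and r.proto == pkt.proto and r.dport == pkt.dport):
                self.flows.add(self._key(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return "allow-rule"
        # 4. Nothing matched: the default is to drop.
        return "deny-default"


def demo() -> List[str]:
    """Constructed traffic: VLAN 10 is the user LAN, VLAN 20 the datacenter."""
    sap, web, user = "10.20.0.5", "10.20.0.8", "10.10.0.42"
    fw = VlanFirewall([
        Rule(from_vlan=10, to_host=sap, proto="tcp", dport=3200),   # SAP GUI only
        Rule(from_vlan=10, to_host=web, proto="tcp", dport=443),    # HTTPS only
    ])
    traffic = [
        Packet(10, user, sap, "tcp", 51000, 3200, syn=True),   # SAP GUI login: permitted by rule
        Packet(20, sap, user, "tcp", 3200, 51000),             # its reply: tracked flow
        Packet(10, user, sap, "tcp", 51001, 23, syn=True),     # telnet to the SAP host: no rule
        Packet(20, sap, user, "tcp", 3200, 51002, syn=True),   # datacenter host dialing out: no rule
        Packet(10, user, web, "tcp", 51003, 443),              # mid-stream packet, no state
        Packet(10, user, web, "tcp", 51003, 443, syn=True),    # proper handshake start: permitted
    ]
    return [fw.filter(p) for p in traffic]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The point the comment makes is the placement, not the rule syntax: because the filter sits on the VLAN boundary inside the switch, east-west traffic between the user LAN and the server VLAN is subject to the same default-deny policy that a perimeter firewall applies to the Internet edge.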

BobbyMax 12/4/2012 | 9:50:56 PM
re: Cisco's Security on a Switch First of all, the prices of the modules are prohibitive. It is also not clear how Cisco can claim that they provide end-to-end security without degrading performance and throughput.

Cisco also has not provided any data in terms of cost savings when a user wants to make a decision between choosing MPLS security vs. Cisco module-provided security.

Cisco has not disclosed how the security violations will be reported. It is not clear even if it has implemented all the security violations.
Certain claims on security scalability also need to be closely examined. There are more unknowns than knowns at this time.
AAL5 12/4/2012 | 9:50:55 PM
re: Cisco's Security on a Switch
Bobbymax you forgot to add about Cisco

- They are a "junky" company
- They are based in California and hence corrupt
- Are filled full of people from "third world countries"
- They have only 2 people with PHDs in the whole company
- Bell Labs is far superior to Cisco
- Every other company in the world is incompetent and corrupt
- Bobbymax's contribution to any discussion contains the same worthless drivel

Which one of these above statements is true Bobby?


SaberJB 12/4/2012 | 9:50:43 PM
re: Cisco's Security on a Switch Looks like someone we know works for Cisco... Wink wink nod nod
ntwkeng 12/4/2012 | 9:50:36 PM
re: Cisco's Security on a Switch I wish; their stock held its value more than mine! :)
BobbyMax 12/4/2012 | 9:50:25 PM
re: Cisco's Security on a Switch Dear "Dr." AAL5:

I hope you are taking some classes in continuing education to improve your skills in your chosen field. I also hope you are reading the New York Times, Wall Street Journal, and Washington Post.

I would urge you not to write hate e-mails. It appears to me you are a paid agent of Cisco. Do you know what AAL5 is? Do you know which Cisco products have implemented AAL5? Do you know all the AALs? Do you know which school you got your degree from? How much do you know about Cisco? What kind of exposure do you have with various technologies?

Do you know anything about SAN and NAS technologies? Do you know the various protocols associated with SAN and NAS?

Instead of writing hate e-mails, I was expecting you would throw some light on Cisco's SAN strategy. Is Cisco going to be the 85th or 90th player in this industry? Since you are a Cisco employee, I would like you to give your expert advice to your employer.

"Dr." AAL5, you are a very strange and hateful person. Dr. I would like you to study some work on morality, ethics, honesty, and integrity. By writing hate mails, you are impeding your own growth.

Best regards.
Belzebutt 12/4/2012 | 9:50:24 PM
re: Cisco's Security on a Switch You are not the real Bobby Max. He never replies to anyone! You gave yourself away, impostor.