Cisco Systems: Choke One Throat
Cisco Systems covers security's bedrock. It has used a powerful hold in data networking gear to slipstream firewall and virtual private networking products into the mix. The strategy has been effective: Many Cisco customers say that the convenience of dealing with one vendor is the principal reason they've chosen its security products.
"We found it much easier to find a product from Cisco to do what we needed instead of looking at several different vendors," says Frank Yuan, network manager at ReserveAmerica, which provides reservation services for 100,000 U.S. campgrounds.
Yuan says that in past years, the main security challenge was to get the infrastructure locked down. Now, he says, the bigger issue for Cisco is to make it easier to identify the cause of specific problems. At the same time, he notes, because ReserveAmerica uses Cisco's firewall, VPN and intrusion detection systems, "It's easier to troubleshoot than if we'd had separate vendors. In the past, we've had vendors point fingers at each other."
Exempla Healthcare, a three-hospital system in Denver, uses Cisco's PIX firewalls as well as its intrusion detection systems and virtual private networking equipment. "We're a pretty solid Cisco shop," says chief technology officer Lots Pook. "They have been very progressive at helping us with security."
In Pook's view, the fact that all of Exempla's equipment is based on common software—Cisco's Internetwork Operating System (IOS)—makes it easier for one group to manage the network and security infrastructure. "We view security as extending down to the physical infrastructure, which is why we wanted a total solutions provider for security," he says.
But the single-vendor approach can be a double-edged sword. Vulnerabilities discovered in IOS, such as those detailed in an advisory from Cisco in July, leave Cisco's products with older versions of IOS susceptible to attacks that could potentially knock out networks. Cisco points out that the possibility of an attack successfully exploiting the July IOS vulnerability is fairly low, because such an attack would have to originate from a local network segment and target devices configured to handle IPv6, an advanced networking technology that is not widely used today.
Pook allows that there's reason to be concerned about flaws in IOS. But he says his security team has "really locked down the firewall, with some very complex rules set up." For example, certain kinds of network traffic, such as requests from partners for information on Exempla patients, are allowed to only access specific kinds of servers.
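The kind of rule Pook describes, where traffic from a partner network may reach only a specific set of servers on a specific service, maps onto an extended access list on a Cisco IOS device. The following is an added illustration, not Exempla's rule set or any configuration from the article; the partner subnet (203.0.113.0/24), the two patient-information servers (192.0.2.10 and 192.0.2.11), the interface name and the access-list name are all assumed values chosen for the example.

```cisco
! Constructed example: restrict a partner segment to two application servers over HTTPS only.
! Assumed addresses: partner network 203.0.113.0/24, servers 192.0.2.10 and 192.0.2.11.
ip access-list extended PARTNER-IN
 remark Partners may reach only the patient-information servers, and only on TCP 443
 permit tcp 203.0.113.0 0.0.0.255 host 192.0.2.10 eq 443
 permit tcp 203.0.113.0 0.0.0.255 host 192.0.2.11 eq 443
 remark Everything else arriving from the partner segment is dropped and logged
 deny ip any any log
!
interface GigabitEthernet0/1
 description Partner-facing link (assumed interface)
 ip access-group PARTNER-IN in
```

The list is applied inbound on the partner-facing interface, so the device never forwards anything from that segment except the two permitted flows; the explicit `deny ip any any log` at the end makes blocked attempts visible in syslog, which is what lets a team confirm a rule set is actually doing what they think it is. On a PIX firewall the same intent is expressed with `access-list` lines that use subnet masks (255.255.255.0) rather than IOS wildcard masks, applied with `access-group <name> in interface <ifname>`.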
But Chad Hoggard, manager of information security for Holland America Line, a Seattle-based cruise ship operator, says Cisco isn't at the forefront of delivering new security technologies: "They buy up companies to get into a market. I think of them as an infrastructure company that has some security products."
Indeed, Cisco has made five security acquisitions since October 2004, including Protego Networks, a maker of security monitoring and threat management appliances, and Perfigo, a developer of network access control software. Cisco positions those deals as part of its "self-defending network" strategy, to let devices automatically adapt to changing threats. A key element is the Network Admission Control (NAC) initiative, which provides a set of capabilities that grants network access only to computers that meet a company's security policies.
Hoggard says it sounds like a good idea, in theory. But to date, "NAC has been very vendor-specific," he says. Cisco's first NAC endpoint products were available only on Windows desktops or servers (although the company last month introduced a version for Red Hat Linux), and work only with Cisco routers and switches.
So what's the upside of Cisco's security offerings? Says Hoggard: "They let me stick with one vendor."