The Lippis Report Issue 53: Interview with Cisco’s Bob Gleichauf, CTO of the Security Technology Group
Nick Lippis: The IT security industry is fast growing, fragmented and enterprise buyers are brand agnostic. How does Cisco plan on winning in this market?
Robert Gleichauf: By becoming better integrated into our customers’ business processes and best practices. It is no longer sufficient to offer customers best-of-breed products and services. The best vendors must also understand how to integrate with the ways customers actually run their business. For example, our Self-Defending Network solution must accommodate the fact that more and more users connecting into Enterprise networks are not under the control of the corporate IT department. So our solutions must be able to authenticate users via alternate means when standard corporate user directories do not apply. We also need to know how to integrate with the parts of our customers’ infrastructure and business processes that fall outside our product portfolio. For example, our Content and Application-Oriented Network solutions integrate with a variety of application suites from vendors such as BEA, Oracle, SAP, and so on. Our customers win and we win when we make their existing business infrastructure work better.
Nick Lippis: For one of the first times I can remember, Cisco has led an industry campaign, with Self-Defending Networks, educating the market before products were fully ready. How will Cisco capitalize on this investment while assuring smaller nimbler firms don’t?
Robert Gleichauf: Customers rarely buy just products. Enterprise customers in particular are as much buying into a vision and a lasting partnership as they are buying a product at a given point in time. Cisco has proven time and again that once it puts its mind to something it stands by its customers and delivers on that vision. We have done this with Security, with Voice, with Wireless, and now we have made it clear that we are committing ourselves to Service Oriented Network Architectures (SONA). And Cisco is proving to be more “nimble” than some may realize. The Network Admission Control (NAC) initiative is a key component of the Self-Defending Network. While it may have taken longer to get the full solution to market than we would have liked, we are the first major vendor to ship a comprehensive solution that crosses our entire product line, including Switching, Routing, Wireless, and Security Appliances. The other major competitors will not ship until 2007. And Cisco also makes sure its solutions are comprehensive. In 2005 Cisco acquired the Clean Access solution from Perfigo, which is now called the Cisco NAC Appliance, to accommodate heterogeneous network environments and deployment scenarios that fall outside an embedded infrastructure solution. Cisco is showing a high level of commitment as well as a “nimbleness” to do what we say we will do.
Nick Lippis: Cisco is delivering on its Network Admission Control and vertical integration of appliances via its Adaptive Security Appliances. What is the feedback from the field on how these roll-outs are going?
Robert Gleichauf: The response from our field is very positive because we are providing them with the products and solutions their customers are asking for. That said, these products require our field staff to gain an even deeper understanding of their customers’ business, and it frequently requires bringing in a Managed Service Provider to help with the design and deployment of the product/solution. With NAC it also requires working with other vendors to develop the solution. In many respects we are laying the foundation for a whole new way of working with our customers which will remain a best practice for years to come.
Nick Lippis: To deliver on the self-defending part of Cisco’s network security strategy, the network needs to automate mitigation to various attacks. Can you describe Cisco’s approach to network exploit containment?
Robert Gleichauf: We now think of this aspect of SDN as Network *Incident* Containment, since many problems turn out to be a symptom of a non-security event such as misconfiguration of a device or application. In many instances these can be just as disruptive and difficult to diagnose as a security problem. Cisco’s approach to this problem is to first and foremost incrementally build a collection of reliable mechanisms that we can eventually begin linking together into a more complex system. While automated containment of an exploit is intuitively straightforward, the implementation is based on a lot of moving parts, some of which remain to be developed. And even if a vendor could develop such a solution in one fell swoop, customers would be reticent to deploy such a solution until they have had a chance to verify the veracity and reliability of the piece parts. As a result Cisco has been incrementally delivering the foundational components so that customers can adopt the various pieces as dictated by their business. And as they become comfortable with each component we see a willingness to then take on the next aspect of building out a Self-Defending Network. Some customers start by deploying classic Firewall and Intrusion Prevention at their network perimeters, such as our Adaptive Security Appliance (ASA). Others begin with deployments of end-point protection such as the Cisco Security Agent (CSA). Once they begin working with Network Admission Control (NAC) and our Monitor And Response System (MARS), customers are ready to begin automating existing Incident Containment processes.
Nick Lippis: Much of network security today is pioneering and ahead of standards. In particular, messaging between devices to exchange state information or configuration commands is proprietary. Cisco has NAC, Microsoft has NAP and the Trusted Computing Group has TNC. How do you see these protocols evolving into a standard?
Robert Gleichauf: Standards are a very important part of cost of ownership, and Cisco has been on record since we announced NAC that all of the components would be released to standards bodies by the end of calendar year 2006. But standardization is a slow and deliberate process. The reality is that hackers do not wait for standards and customers are always clamoring for solutions to deal with the latest types of threats. So the industry needs to adopt a more creative approach that gets solutions in customer hands as quickly as possible and then addresses the longer term interoperability issues as time goes on. Another reality that cannot be overlooked is that solutions such as NAC contain a lot of moving parts that need to be proven in real world deployments before the mechanisms, protocols, and message schemas can be locked down in a standard. Take the Protected Extensible Authentication Protocol (PEAP). This is a standard that was developed in advance of real deployments. It is already on its third iteration within the IETF because real world implementations have repeatedly uncovered deficiencies in the key exchange methods. Sorting out the admission control components in real world deployments should actually help us converge on standards more quickly.
Nick Lippis: While the concept of a self-defending network is simple, the technology is not and requires a lot of trust from IT management. How will Cisco gain the trust of its customers so they can feel comfortable turning on the auto-pilot switch on their network?
Robert Gleichauf: Please refer to my answer provided two questions back.
Nick Lippis: Implementing a self-defending network will be stage based. Can you provide some guidance as to how best to stage an implementation over time?
Robert Gleichauf: While most of our customers have made it clear they want to implement admission controls across their infrastructure, where they choose to initially deploy NAC is as varied as their businesses. Sometimes it is dictated by where they have seen the greatest introduction of misuse into their networks. For some customers this has been a remote office problem, and they are deploying NAC on our remote access routers or remote VPN concentrators. In other instances they have seen most of this misuse enter their corporate LAN when employees connect their notebook computers after traveling or working from home, and they want to enable NAC first on their LAN switches. In other instances first deployments of NAC are coupled with the build-out of new infrastructure such as Wireless LANs. In all of these examples customers must also come to grips with defining acceptable policies for noncompliant systems. And their capacity to define these rules may also dictate where they choose to first deploy NAC. NAC represents a new way of defending corporate infrastructure and has an impact on not only that infrastructure but also how a company decides to let people in while at the same time trying to run a business. Coming to grips with these policy issues will frequently outweigh the effort required to deploy the technologies.
