News Stay informed about the latest enterprise technology news and product updates.

Cisco network security strategy: Where is it going?

The Cisco network security strategy goes under the microscope as we attempt to move past the FUD and help dubious networking pros understand the future of Cisco security products in a rapidly changing technology world.

As Cisco Systems expands into selling servers and consumer electronics, the company is also abandoning key security products, leaving some customers questioning its overall network security strategy.

Now it's left to be seen whether Cisco's network security strategy has been cast adrift or whether customer concerns amount to little more than a collective case of Fear, Uncertainty and Doubt (FUD).

With $620 million in security revenue earned last quarter, Cisco Systems is one of the largest network security companies in the world. Yet the company makes more news these days talking about data center virtualization, new server technologies, video conferencing and gadgets like the Flip camera and the  Cius tablet.

"The more Cisco diversifies into many areas, the less I feel I can trust their security strategy," said Willis Marti, CISO for Texas A&M University and a Cisco customer. "It's difficult to decide what business Cisco is in. Are they a networking company? An operating system company? A server hardware company? Certainly not a security company. Customers have to guess where Cisco will put its effort and what products will fade away."

I have people questioning Cisco's viability in the market. The other vendors are pouring on the FUD as Cisco pulls out. It seems like they are throwing away market share.

Greg Ferro
Network Architect

The Cisco network security strategy is especially important to networking pros because they can't just turn to a third-party vendor in the way that desktop administrators choose McAfee or Symantec to secure Microsoft Windows. Networking professionals rely on networking vendors such as Cisco, Juniper, HP and Enterasys to deliver integrated security products, since security dollars are hard to come by in a budget.

"It's hard to get corporate to spend money on security at all, and without a clear line of decision-making, even harder," said blogger and freelance network architect Greg Ferro. "I can convince people to buy Cisco security without too much trouble, but buying a third-party product is almost impossible."

Cisco network security strategy includes exit of certain markets

Cisco has already done away with some staple security products, such as the ACE Web Application Firewall, without outlining migration paths for existing customers.

Cisco also no longer recommends its endpoint security product Cisco Security Agent (CSA) or its SIEM product CS-MARS (Cisco Security Monitoring, Analysis and Response System), even though just a few years ago CS-MARS was a core component of its former "Self-Defending Network" (PDF) security strategy.

"I have people questioning Cisco's viability in the market," Ferro said regarding these market departures. "The other vendors are pouring on the FUD as Cisco pulls out. It seems like they are throwing away market share."

Cisco says it's responding to industry transitions with security strategy

Fred Kost, director of security solutions marketing for Cisco, said the perception that Cisco is focused on markets other than security is understandable, given the company's high-profile expansion into new markets.

"You hear us talking about video and collaboration and other businesses that we're entering, which we didn't talk about as much five or six years ago when switching, routing and security were our biggest businesses," Kost said. "But security remains a big business for us. We continue to invest through organic research and development and through acquisition."

Cisco has focused its security strategy onto six core technology areas: firewalls, intrusion protection systems (IPS), virtual private networks (VPNs), Web security, email security, and network access control (NAC). Departures from Web application firewalls, SIEM and client security are strategic, Kost said.

"With that focus comes some decisions: Do we want to be in some of these businesses?" he said. "If you look back some years at our security strategy, we were going to do end-to-end security, and Cisco procured, acquired and invented products to do all of that, from endpoint protection through event correlation. We were doing all these different things even if some of those may not have been the best business decision."

Now, Cisco'sBorderless Networks campaign is central to its network security strategy. That strategy balances user desire to access the corporate network from any device and any location with the IT organization's desire to control and secure that ubiquitous access. The first security product launched under this new brand is AnyConnect Secure Mobility (ASM), a "new take" on SSL VPN.

The new ASM client makes it easier for users to get on and stay on a corporate VPN from anywhere and any device. Now, the user's device, whether corporate or personal, becomes the IT organization's control point for applying policy and security to the user's network access. Cisco's ASM also becomes the point at which Cisco can apply Web and email security via its IronPort and ScanSafe technologies, and it doubles as an 802.1x client, allowing customers to apply network access control (NAC) and identity authentication to SSL VPN-connected devices. Adaptive Security Appliance (ASA) 5500 acts as the termination point to the ASM client.

Cisco's Borderless Networks approach reflects a BYOB network, something pioneered by universities but finding its way into large enterprises, said Andrew Plato, president and principal consultant with the Oregon-based value-added reseller (VAR) Anitian Enterprise Security. The concept centers on a well-defended core infrastructure while allowing users the flexibility to access the network however they want.

"It's an interesting concept: We're going to build a core infrastructure, and we're going to defend that core infrastructure. But beyond that core, as long as you meet basic requirements, we don't care what you have," Plato said. "I think Cisco is latching onto that principle. I don't think anyone has really articulated that principle fully yet, but I'm hearing about it from CIOs. McAfee is talking about it, too, because they're hearing about it from CIOs. I think Cisco is just trying to get ahead of the curve."

Many networking pros confused by Borderless Networks strategy

Regardless of how strong the Borderless Networks strategy may be, Cisco's recent marketing efforts around security have left networking and IT pros perplexed, said Philip Stone, president of Boardwalk Communications, a British Columbian VAR and Cisco partner.

"People are confused around Borderless Networks," Stone said. "What does that mean? It supposedly encompasses security, but it's not a clearly delineated or well-documented strategy. Whereas I look at collaboration, and it's very clear how they're going to execute on that. The same is true with data centers and virtualization."

A clearly articulated, end-to-end Cisco network security strategy may not be critical to midmarket customers who know they just need some firewalls and IPS boxes, Stone said. But larger enterprises that treat security as a critical and strategic part of infrastructure will be much more discriminating.

"I'm sure that the Royal Bank [of Canada] has at least 50 people working on security, and they're going to want to know end-to-end what Cisco's vision is," he said. "If you were a customer asking me to articulate that, I would struggle with it."

Is Cisco innovative enough when it comes to its network security strategy?

Jeff Wilson, principal analyst for Infonetics Research, said Cisco's security vision is fully intact and that the company is following paths on which it knows it can succeed. What's more, some of those paths are innovative.

Wilson admits Cisco lacks some of the high-end security products that competitors have brought to market recently. For instance, the ASA 5500 appliance doesn't match up well with some of the top-line models in Juniper's SRX Services Gateway portfolio. But Cisco is focusing on innovation in other areas.

"One thing they have started to do, which I think is a really good move, is the blending of products and services -- offering security in a hosted model and a hybrid model," he said. "You can buy hosted security for this site's users and then buy appliances and stick them at your other sites and then blend the two. They have hosted-hybrid offerings for mail and Web security. That's a great strategy. I think people want to buy hosted security, but they want that hosted security owned by the vendor and not some service provider."

Networking pros who are trying to figure out where it's safe to spend security dollars with Cisco should look at where the company is doing well today, Wilson said.

"Cisco is best in security when there is a market that is well defined and well understood and there is demand for it," he said. "When everyone has a budget to buy whatever it is, Cisco will either build something or buy something and sell it to them. NAC is a market they tried to create, and it didn't go as they envisioned. Mainstream security markets are the ones that Cisco does well and will continue to do best in."

Let us know what you think about the story; email: Shamus McGillicuddy, News Editor

Dig Deeper on Network Security Best Practices and Products

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.