What are the security threats that Cisco is responding to with this strategy?
Up until now, the idea was that outside of the corporate network, there are viruses that need to be stopped before they enter the enterprise. But it is increasingly easy for an authorized person to walk into a building, plug a laptop in and spread a virus.
One is to clean the endpoint so the virus is eliminated before it has access to the network. Then, if something does manage to infect the network, the device should be quarantined. That requires a tremendous amount of intelligence in Cisco's products. How far along is Cisco on that path?
The biggest thing that Cisco is working on now is network admission control, which involves identifying the user, ensuring that the device is not infected and determining what to do if the device is infected.
Right now, Cisco is at phase one of that process. Its routers have the ability to quarantine users. Strategically, what comes next?
In the next phase, Cisco will move that ability to its switches and VPN gear. That is an important distinction. It is great to have enforcement points at the router, but when you plug into the Ethernet jack, you have access to the network with no router between you and the network. Those capabilities need to be resident on the switch. Switches must quarantine users before a virus spreads throughout a business. There is value in what Cisco offers now, but it will be much greater when it delivers switches in 2005.
There will always be point solutions from companies like Symantec Corp. and Check Point Software Technologies Ltd. that you can place in the network. They help not only with prevention and protection, but with quarantining devices on the network. Another thing that companies can do is to deploy a Secure Sockets Layer virtual private network internally, so that when users plug in their laptops, they access the network as if they were remote users. Unfortunately, it is an expensive approach and requires multiple gateways because of the number of simultaneous users in an enterprise. But wouldn't users be frustrated by using Web interfaces for all of their applications, even when they are in the office?
Most vendors have cleared the applications hurdles with SSL VPNs so that there is not a lot of difference in the user experience. The only issue is that there may be some latency in the connection, so it is not great for voice over Internet Protocol. Is it good for the industry to be folding so much intelligence into the network?
This is a very important place for the industry to get to, but there are still some potential issues. Even if Cisco can deliver its products on time, there is a question about whether the devices can handle the extra functionality without affecting performance.