Cisco executives Richard Palmer and Dave King describe the evolution of network security
As a major force in networking, Cisco focuses on all things related to security and VPNs. In an interview with InfoWorld Editor in Chief Michael Vizard, Cisco executives Richard Palmer, vice president and general manager of Cisco's VPN and security business unit, and Dave King, the unit's director of marketing, talk about how network security will evolve as the issue becomes more intertwined with every aspect of enterprise computing.
InfoWorld: How is the hardware model that we use to deploy security software evolving? Are we moving to an appliance model, or is this software ultimately going to be embedded into every device on the network?
Palmer: I think you'll see both models. The first trajectory is movement away from a workstation, or general-purpose CPU platforms running software, to an appliance model. That's something that we've believed in for the last three or four years. But we also believe that, in order to deploy security throughout a network infrastructure, it makes sense to integrate those security capabilities into network infrastructure elements. One notable example is the intrusion-detection blade that we announced last fall that's embedded in our Catalyst 6500 systems. This obviously is important in enabling intrusion detection to scale in places in the network where it's closer, for instance, to Web server farms and other high-gigabit Ethernet environments.
InfoWorld: Why is it that security tools remain difficult to deploy and maintain? And do you see this process getting any easier?
Palmer: I think that's changing. When security was the separate province of a special group within the enterprise, it was walled off from the rest of IT. In many cases it was the province of a group of people whose mission in life was to say no to what other people wanted to do. We see security now being much more integrated into the mainstream of IT activities, particularly as it's seen as a fundamental component of any e-business infrastructure. Second, we believe that, increasingly, people are looking at security as not something just to be deployed, for instance at the perimeter, but something that has to be pervasive throughout the e-business and network infrastructure. For that reason security has to be looked at as the total system. Finally, I would say that people have a much more accurate view of security today. It's not something that you can do with one product or a set of products; it's not something that you can arrive at 100 percent. It's something that is probabilistic. It's something that has to be part of every single network design. It's something that has to be ingrained in both the design of the network and [the network's] operations. We think we're playing a major role in making that happen.
InfoWorld: What's the relationship between security at the network level and at the application level? And what role does Cisco play across both?
Palmer: We think that the relationship, at least as a first cut, needs to be done in terms of providing event correlation and a sort of a holistic view of what's going on. We provide network appliance intrusion-detection systems, but we've included in our security ecosystem a number of companies that provide host and application-based intrusion detection. We have also worked with our management ecosystem partners to make sure that there is a consistent view of what's going on across all of those perspectives.
InfoWorld: How does that happen?
King: The idea behind our Safe Security Blueprint is that nobody had really addressed security from a comprehensive or holistic perspective. We wanted to try and look at the enterprise network and see how that extended to small branch offices or to extranet partners and consider all the security elements that you need and where they should go and why. The blueprint has all elements in it from Cisco as well as our partners to try and make an overall robust security infrastructure.
InfoWorld: Your competitors like to argue that your approach to security is Cisco-centric. How do you respond to that criticism?
Palmer: I think that that's not true in the sense that the ecosystem partners that we work with can manage and monitor multiple systems from almost anybody. In many cases there are hybrid networks with a variety of systems not including ours. That's also the case in managed security services environments. Our approach to this is, instead of trying to build a closed system that we market that does only Cisco products, [we] work with our ecosystem partners to try to enable those management players to be able to manage our stuff as well as other people's. We do believe it's important to have an open system for management.
InfoWorld: What role will managed service providers play in this space?
King: As you mentioned earlier, security has historically been this arcane area of networking that folks had trouble addressing. I think even for large enterprises that have diligent security staff that are very good, it's still very difficult to stay ahead of the hackers. So you always have a situation where the defenses may lag behind, either in staffing or in some cases the solutions. I think the bigger one that needs to be addressed here, and the issue that the managed services folks are trying to meet, is the skills gap. There just aren't enough qualified security administrators, and there's not enough cash probably to pay them all to support your needs. Clearly, the small to midsize business market is especially ill equipped to address the security needs that they have in their environments. That's where these managed service providers I think will probably play the greatest role. I think you'll see a lot of the large service-provider organizations and infrastructure players starting to launch new services or enhancing the ones that they already have. You've probably noted over the past year that there have been at least a half-dozen startups who have received somewhere between $15 million and $25 million of funding to address this market specifically. The reason why is because folks out there are just ill-equipped to manage things on their own.
InfoWorld: Is Cisco going to provide those services?
Palmer: We're going to work with partners. We think there are a number of excellent partners. We think there's an excellent opportunity on the part of our channel partners who are selling VPN networking and security solutions to small and midsize businesses to make additional revenue and margin by providing the management for those devices that they provide. We're basically going to be enabling them to provide those managed services. At the large-enterprise level, we still think that the vast majority will do a significant chunk of their security themselves. Part of that's based on this notion that security has got to be embedded throughout the network and it's got to play well with all of the other major networking initiatives that our enterprise customers are engaged in.
InfoWorld: Why do people seem to have issues trying to resolve incompatibilities among firewalls and VPN products?
Palmer: I don't think this is a particularly big deal. You need to be able to configure the things appropriately for what you're trying to achieve from an application point of view. But to deploy VPNs to the tune of thousands of remote sites, either from telecommuters working at home or from small offices, we think there needs to be a management solution that's based on providing policy, configuration, and push from a central site. That's what we've done with our unified VPN client, which is shipping now. And also a hardware VPN client that operates in the same way.
InfoWorld: As we move forward with ever-increasing bandwidth, do you worry about firewalls being able to keep pace with their processing speeds?
Palmer: Historically, we have generally not had that problem. We just introduced our gigabit firewall in December, and we have a series of developments under way that will continue to scale our firewall and performance. We haven't run into any performance bottlenecks in any environment that we've been exposed to.