Cisco last week introduced software products aimed at letting users squash virus and worm traffic at the front door - incoming LAN switch or WAN router ports.
In a joint product/services launch with Trend Micro, Cisco says it will offer a server-based product that can tell Cisco routers and switches to limit the traffic rate or shut down ports on devices if virus or worm activity is detected on a network. The offering will rely on Trend Micro gear that identifies virus signatures. Cisco also launched several security software updates and security management products.
On the data center front, Cisco released the first re-branded product from its acquisition of InfiniBand switch maker TopSpin Communications, with its Server Fabric Switch and VFrame software for managing virtualized server images connected to the device.
The security offering consists of Cisco's Incident Control System (ICS) server, software that communicates with a virus/worm updating service from Trend Micro. ICS, which runs on Windows servers, receives updates on the latest malware definitions and signatures from Trend Micro, and communicates with Cisco intrusion-prevention system (IPS) gear on a network. If the IPS detects virus traffic, the ICS is triggered and distributes access control lists (ACLs) to compatible Cisco switches and routers on the network.
For instance, if the ICS receives notice of a worm that uses Port 80 as an attack method, ACLs to rate-limit or block Port 80 traffic can be blasted to all network gear, locking out potentially infected traffic.
This system was tested by Simpler-Webb, an Austin, Texas, integrator of Cisco products and a provider of managed services based on Cisco gear.
"Technically, it's very simple to set up," said Jeff Simpler, Simpler-Webb CEO. "It could be a very effective tool for minimizing damage" from attacks such as the recent Zotob worm, because the ICS distributes ACLs to network gear quicker than if administrators had to configure equipment individually.
"There is a question as to whether you'd want to deploy protection-based filtering on a switch," Simpler adds. "Say a worm takes advantage of an application running on a well-known port. Then if you use ICS to filter all traffic on that port, you've just created your own little DoS attack on yourself."
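As an added illustration, not taken from the article or from Cisco's ICS product, the two responses the article describes (block or rate-limit a worm's port) expressed as plain Cisco IOS configuration on a single router interface. The interface name, the ACL, class-map and policy-map names, and the 256 kbit/s policing rate are assumptions. The first fragment is the "self-inflicted DoS" case Simpler describes: it denies all TCP port 80 traffic, legitimate application included. The second polices the same traffic instead, which bounds the worm's propagation while keeping the application reachable at reduced capacity.

```cisco
! Added example, not part of the article or of Cisco ICS.
! Assumed: GigabitEthernet0/1 faces the LAN segment where the IPS reported
! worm activity on TCP port 80; all names and the rate are made up.

! --- Response 1: outright block (Simpler's "DoS attack on yourself") ---
! Every host behind Gi0/1 loses HTTP, including the legitimate application.
ip access-list extended WORM-TCP80-BLOCK
 deny   tcp any any eq 80
 permit ip any any
!
interface GigabitEthernet0/1
 ip access-group WORM-TCP80-BLOCK in
!
! --- Response 2: rate-limit instead of block ---
! Port 80 traffic is policed to 256 kbit/s; packets over the rate are
! dropped, the rest are forwarded, so the application stays usable.
ip access-list extended WORM-TCP80-MATCH
 permit tcp any any eq 80
!
class-map match-any WORM-TCP80
 match access-group name WORM-TCP80-MATCH
!
policy-map WORM-TCP80-LIMIT
 class WORM-TCP80
  police 256000 8000 conform-action transmit exceed-action drop
!
interface GigabitEthernet0/1
 no ip access-group WORM-TCP80-BLOCK in
 service-policy input WORM-TCP80-LIMIT
```

Whichever response is chosen, `show access-lists` (match counts) and `show policy-map interface GigabitEthernet0/1` (conformed and exceeded counters) show how much traffic the rule is actually touching. Both fragments match every port 80 flow, not only the worm's; narrowing the ACL to the source subnets the IPS flagged limits the collateral damage either way. Pushing this kind of per-device change to many routers and switches at once is the step ICS automates.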
Other security gear in Cisco's launch includes an update to the Cisco Security Monitoring, Analysis and Response System (CMARS), a software management tool for monitoring security events on network gear. The update lets Cisco routers and switches receive signals to activate pre-installed ACLs for certain worms if that worm's activity is detected on a network. This can save time for users by automatically updating network gear, Cisco says.
While ICS and CMARS gear fall under Cisco's Secure Architecture for Enterprises blueprint, Cisco says the technology is not part of its ongoing Network Admission Control (NAC) technology, which uses third-party anti-virus/system-verification software to block unsafe client machines from access to a LAN or WAN.
ICS "would act like a safety net behind [NAC-enabled] switches and routers," says Joel McFarland, a product manager at Cisco's security technology group. While NAC is designed to block harmful machines, ICS deals with bad traffic from machines already on the network, he adds.
However, since Cisco has yet to deliver on Phase 2 of its NAC technology - the ability for LAN switches and wireless LAN (WLAN) access points to block client connections - the safety net analogy for ICS might be premature, observers say.
After its first release of NAC in mid-2004, which let Cisco routers and VPN gear block access by clients with out-of-date virus/operating system software, the company said it would have LAN/WLAN gear support for NAC in early 2005. Cisco now says it will have NAC-related announcements in the next few months but gives no specifics on when NAC support will be added for LAN switches.
In the meantime, competitors have rushed to show their LAN switches support automatic port blocking and quarantining of unsafe network clients. HP ProCurve last week released its Identity Driven Manager software, which works with Funk Software authentication technology to block access by unsafe machines. Enterasys Networks works with verification server products from Zone Labs and Sygate to provide similar capabilities. Nortel supports a similar technology with Sygate. And several vendors outside the LAN switch market, such as ConSentry and Vernier, which make appliances that lock down LAN links, are getting into the act.
Also on tap from Cisco were updates for its IPS device software, and a new version of its IOS software with added security features.
Cisco IPS 5.1 enables a device to monitor activity on up to 255 virtual LANs through a single IPS device port. The ability to load-balance IPS devices using EtherChannel, Cisco's proprietary link aggregation technology, is also new.
The new IOS release - 12.4(4)T - includes the ability to inspect packets at a deeper level to recognize network attacks that use packets that are "specially crafted" or "malformed" - terms used in Cisco security advisory nomenclature to identify network attack techniques. Because many network attacks rely on doctored packets in certain protocols - such as MPLS or IPv6 - the new IOS software can inspect incoming packets that deviate from, or are improperly assembled compared with, normal protocol packets, and block those packets.
ICS pricing starts at $9,200. A license for the services that provide security updates can range from $1,200 to $5,000. The CMARS, IPS and IOS updates are scheduled to be released later this year.