
Two little snippets on Cisco’s Security Strategy

February 21st, 2007

It’s no great secret that from a strategic perspective (or a tactical implementation slant, either) I am not a fan of Cisco’s security vision or execution.  Right, wrong or indifferent, I simply don’t believe that Cisco is a security company and just because security can (and will continue to) make its way deeper into the network fabric doesn’t mean it should.


I have consistently focused on the fact that pushing more and more security into the network will lead to a security monoculture and last week’s multiple vulnerabilities across Cisco’s network and security products were further indication that I think we’re heading for a car crash of epic proportions one day soon. This is where a single vendor’s version of the truth is a bad thing as defense in breadth is not the same as defense in depth.

</doomsday_prediction off>

On a related topic, I think Tim Wilson from Dark Reading also summed up Cisco’s security strategy (or lacking parts thereof) quite nicely:

The takeaway, I think, is that no single tool vendor comes
at security without a bias. You can hardly blame Cisco for approaching
security at the network level, just as Microsoft approaches it from the
desktop level. When you listen to vendors talk about "enterprise
security," then, it pays to read between the lines. Sometimes what they
say is as important as what they say.

But that’s just it — approaching security from the network level only (from the bottom up) without a coherent strategy on how to approach it from the data and application perspective (top down) means you get a disjointed and purely mechanical threat and vulnerability-focused set of security "tools."

I think it’s a fair thing to say that all vendors (even *gasp* me) are biased, but I think Tim’s article nicely summed up how lacking Cisco’s "end-to-end" strategy is:

  • Data/Database Security
  • Portable Device Security
  • Security Research/Threat Analysis
  • Application Security
  • Multi-factor Authentication

I don’t think there is any vendor who has this straight, but for some reason folks have a predilection towards suggesting that Cisco — due mostly to port coverage — does. 

Security is more than L2 access switch ports or router shipments or an acquisition or ten and a cram-down of commoditizing functions into switches. I’m not arguing that Cisco doesn’t have a strategy, but can’t we just all admit that bumping around in the dark and "investing" in incoherent and non-consolidated solution sets does not a robust security play make?

Why do I keep harping on this?  Because someone has to and more and more customers are really starting to question the big green monster’s competencies.

Speaking of which, Cisco announced today its acquisition of Reactivity — an XML security play the likes of which competes with Datapower and Forum Systems.

Mike R. commented on the deal with the following:

They announced yet another acquisition of Relativity this morning (release here).
Only $135 million for this one, on what is probably minimal revenue.
This continues Cisco’s assault on security, moving up the stack.
Relativity makes an XML gateway (yes, it’s a box) that does some
hygiene on XML traffic (encryption, filtering, authentication,
acceleration, etc.). Of course, this market is really early and there
were only maybe 2 or 3 other players (Forum and Vordel come to mind).
But let’s be very clear, Cisco intends to be a player at the
application layer.
And they are flexing their checkbook to get there.

…a couple of comments:

1) The only thing I think that this is an assault on is the further dilutive effect this will have on the XML gateway "market" as it becomes a feature rather than a market via acquisition.  Up or down the stack, Cisco isn’t early to this game, they are late…by about 2 years.

2) The XML gateway market isn’t early at all.  It’s waning as the "market" becomes a feature and this technology is absorbed into the convergence of the web application firewall (WAF) and application delivery controller (ADC) markets.

The adoption of XML security products at large has been hindered by the complexity of the SOA architectures into which most of these products were/are intended for deployment.  Most security companies (integrators, resellers, consultants) don’t have a clue about how or who to speak to in regards to XML.  Most can barely spell it.

3) Cisco intends to be a player in every market else they wouldn’t enter it.  They’ll just botch it up and stumble their way through mediocrity and claim success as measured by drawing a circle around their feet as victory and a well executed strategy.

However, they’re not infallible and as I’ve said before, just look at the cracks in the armor.  AON — which was supposed to replace the middle tier and collapse the complexity of SOA — has itself collapsed and become absorbed into the fringes of a converged security strategy.

Yeah, yeah, I know.  They’re Cisco.  Get over it Hoff.

