Until today, many Cisco security appliance customers relied on their own local devices to protect against security threats. Now, the networking giant isn’t only looking to take over that role itself, it’s expanding its protection to cloud scale — drawing on the knowledge of hundreds of thousands of devices to protect enterprises.
It’s all part of a new security push from Cisco (NASDAQ: CSCO) that includes new Cisco Security Cloud Services, Intrusion Prevention System (IPS) 7.0 software and Adaptive Security Appliance (ASA) 8.2 software with botnet detection software.
By tapping into the cloud, the company is expanding an effort from which its IronPort e-mail security customers already benefited, using an IronPort technology formerly known as SenderBase. The idea is that by sharing and correlating information from a global base, threats can be found faster. Expanding the global threat correlation approach to Cisco’s intrusion prevention customers will have a dramatic impact on security, it said.
“What we’re seeing is this is literally providing a 100 percent increase in efficacy of IPS systems,” Tom Gillis, vice president and general manager of Cisco’s security technology business unit, told InternetNews.com. “Because you’re dealing with a huge network of sensors — something like 750,000 devices — that are participating, when a new threat comes out, our sample size and ability to detect a new threat is a function of the footprint we draw data from.”
Gillis argues that in the past, Cisco engineers could have spent a year or more working on specific improvements in IPS to improve efficiency — yielding only improvements in the range of 10 to 20 percent each time.
“Having IPS participating in shared infrastructure marks the transition from network-based IPS to global, cloud-based IPS,” Gillis said.
It also marks the evolution of IronPort technology into Cisco’s wider infrastructure. Cisco acquired IronPort in 2007 for $830 million. Gillis noted that IronPort SenderBase has now been renamed SensorBase to reflect the fact that Cisco now has a large set of IPS devices acting as sensors for global threat correlation.
The new IPS 7 and cloud-based security offering will improve threat detection on Cisco’s existing IPS devices, including its flagship IPS 4270, which was released in December of 2007.
“The technique of doing global threat correlation allows us to block traffic at the perimeter prior to inspection,” Gillis said. “And we do see a meaningful increase in performance.”
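To make the mechanism Gillis describes concrete, here is an added illustration (not Cisco’s code) of global threat correlation: many sensors feed sightings into a shared reputation base, and an IPS consults that base to drop traffic at the perimeter before running its costlier signature inspection. The class and function names, the threshold of three reporting sensors, the `EVIL` marker rule and the sample traffic are all constructed for this example.

```python
# Added illustration of global threat correlation, not Cisco's implementation.
# A shared "sensor base" aggregates sightings from many sensors; an IPS checks
# the resulting reputation before (and instead of) deep signature inspection.
from collections import defaultdict

# Assumed policy: a source flagged by this many distinct sensors is blocked
# on reputation alone, without inspecting its traffic.
REPUTATION_BLOCK_THRESHOLD = 3


class SensorBase:
    """Shared reputation store: source address -> set of sensor ids that flagged it."""

    def __init__(self):
        self.sightings = defaultdict(set)

    def report(self, sensor_id, source):
        self.sightings[source].add(sensor_id)

    def reputation(self, source):
        # More independent sensors flagging a source means a worse reputation.
        return len(self.sightings[source])


def signature_inspect(packet):
    """Stand-in for deep signature inspection (constructed rule for the example)."""
    return b"EVIL" in packet["payload"]


def ips_decide(base, sensor_id, packet, use_global=True):
    """Return (verdict, reason). The reputation check runs before inspection."""
    src = packet["src"]
    if use_global and base.reputation(src) >= REPUTATION_BLOCK_THRESHOLD:
        return "drop", "reputation"      # blocked at the perimeter, no inspection
    if signature_inspect(packet):
        base.report(sensor_id, src)      # a local hit feeds the shared base
        return "drop", "signature"
    return "allow", "clean"


def simulate(use_global):
    """Run constructed traffic through four sites; returns the per-flow verdicts."""
    base = SensorBase()
    # Constructed traffic: three sites each see one flow matching a signature
    # from 198.51.100.7, then a fourth site gets a flow from the same source
    # that matches no local signature.
    traffic = [("site-A", {"src": "198.51.100.7", "payload": b"EVIL-1"}),
               ("site-B", {"src": "198.51.100.7", "payload": b"EVIL-2"}),
               ("site-C", {"src": "198.51.100.7", "payload": b"EVIL-3"}),
               ("site-D", {"src": "198.51.100.7", "payload": b"hello"})]
    return [ips_decide(base, s, p, use_global) for s, p in traffic]
```

Running `simulate(True)` drops the fourth flow on reputation before inspection, while `simulate(False)` (each sensor on its own) allows it because no local signature fires.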
Cisco is also boosting its ASA 5500 appliance software with the 8.2 release, including a new botnet detection capability. The ASA 5500 hardware lineup first debuted in 2006, and its top-end model, the ASA 5580, was released in January of 2008.
The idea with the botnet traffic filter is to help enterprises identify if they have a botnet running within their infrastructure. In some ways, the new botnet filter for the ASA is an overlap with what Cisco is trying to do with its new IPS release: both detect malicious traffic. Still, there’s a unique role for each, Gillis said.
“The advantage to having [botnet detection] in the firewall is that firewalls are often deployed much more broadly and have access to traffic that an IPS doesn’t always have access to,” he explained.
While the ASA 5500 series is a key firewall platform for Cisco, other Cisco appliances, including the Integrated Services Router (ISR) and the Aggregation Services Router (ASR), also have firewall components. Gillis noted that over time, the idea is to make the botnet filter capabilities available across a wider range of Cisco security devices.
Self Defending Network 5?
Longtime Cisco-watchers will recall that the company’s brand for its overall enterprise security efforts, the Self Defending Network, had for years received release numbers of its own.
But now in its fifth year, the effort’s no longer getting a version number update.
“We’re not at the point where we’re changing numbers, although it probably would warrant it,” Gillis said. “We just stopped the nomenclature because we think it was confusing customers because they thought it was a software release.”
Still, Gillis argued that the new releases are advancements that users will notice in terms of better threat detection and accuracy.
“We think this is a big step forward for the self-defending network,” Gillis said.