Tuesday, February 28, 2006

Microsoft reveals Vista details

U.S. software maker Microsoft Corp. said Monday that its soon-to-be-released new operating system will come in six versions.

Scheduled for release this year, Windows Vista will come in two versions for businesses, three for consumers and one for emerging markets.

The home versions will be called Home Basic, Home Premium and Ultimate, the company said.

'We live in a digital world that is filled with more information, more things to do and more ways to communicate with others than ever,' said Mike Sievert, corporate vice president of Windows Product Management and Marketing at Microsoft.

'The PC needs to give people the clarity and confidence to handle this "world of more" so they can focus on what's most important to them. With our Windows Vista product line, we've streamlined and tailored our product lineup to provide what our customers want for today's computing needs.'

Tuesday, February 14, 2006

ZoneAlarm - A Perfect Spy?

It seems that ZoneAlarm Security Suite has been phoning home, even when told not to. Last fall, InfoWorld Senior Contributing Editor James Borck discovered ZA 6.0 was surreptitiously sending encrypted data back to four different servers, even with all of the suite’s communications options disabled. Zone Labs denied the flaw for nearly two months, then eventually chalked it up to a “bug” in the software - even though instructions to contact the servers were set out in the program’s XML code. A company spokesmodel says a fix for the flaw will be coming soon and worried users can get around the bug by modifying their hosts file settings. However, there’s no truth to the rumor that the NSA used ZoneAlarm to spy on U.S. citizens.

Monday, February 13, 2006

Why security is Cisco's next killer

Cisco looks to grab broader security role.

At the upcoming RSA Conference in two weeks, Cisco plans to debut major security products to help bolster its already strong security portfolio.

Security is categorized as one of the vendor's six Advanced Technologies and already brings in approximately US$2 billion per year in revenue, though routing and switching still account for more than 60 percent of Cisco's revenue.

The company has 1,500 engineers working solely on security products - VPN, firewall, intrusion-prevention, intrusion-detection systems (IPS/IDS) and other technologies. Hundreds more engineers work across its various infrastructure product lines to integrate security features into network gear.

Cisco is slated to announce upgrades to several of its key security products at the event. An upgrade to its Adaptive Security Appliance (ASA) 5500, a VPN/firewall/IPS device, is due. Also on tap are upgrades to Cisco's Integrated Services Routers (ISR) and Monitoring Analysis and Response System (MARS), which orchestrates network infrastructure responses to virus/malware threats.

Cisco CEO John Chambers is one of the headliners at the show and is expected to push a theme of more tightly integrating security with infrastructure components.

"If you're going to provide security, Cisco's very uniquely positioned to do that," Chambers said in a recent interview.

Looking at the breadth of Cisco's security portfolio - and its market share in security products - Chambers' statement is hard to refute. The company leads in worldwide sales and shipments for most major security product categories, including VPN equipment and appliances, firewalls, and IPS and IDS, according to Infonetics Research. (But its total share in any of these markets is less than 40 percent, a vast difference from its core routing and switching markets, where it holds 70 percent to 80 percent market share.)

Through a series of acquisitions over the last two years, Cisco has spent over a half-billion dollars enhancing its product portfolio to address security in almost every area of a network. It added traffic-anomaly detection with its Riverhead acquisition in 2004, as well as monitoring and client-scanning software from Protego and Perfigo. The vendor has since turned these acquired technologies into products, or components of its Network Admission Control (NAC) architecture, which uses scanning technology to block malicious users via routers and switches.

"Security is not done in any one place" or product line, says Richard Palmer, vice president and general manager of Cisco's VPN and security business unit. "We focus on security not just as a set of technologies or functions that are done in one box, but more as a system."

An example of Cisco's multi-product integration of security is its MARS product, which can interpret signals and alerts from IPS gear and react by sending policies to routers and switches. NAC technology is another example, Palmer says. Cisco even reaches into desktops with its Security Agent (part of NAC), which works with third-party anti-virus software and alerts a NAC-enabled infrastructure of potential threats on a client machine.

Cisco says all of these areas will fall under its latest plan for enterprise customers - Service-Oriented Network Architecture (SONA), announced in December. Under the SONA concept, security would be built into every piece of a network infrastructure and would be delivered as a service along with applications, voice and mobility.

Cisco is not alone in chasing the billions of dollars of potential revenue in the market for securing enterprise network infrastructure and applications. Most of Cisco's switch/router competitors - Alcatel, 3Com, HP, Enterasys and Nortel - have products similar to Cisco's NAC and MARS offerings.

Meanwhile, start-ups are defining the next generation of Web application firewalls, which protect SOA applications from attack and misuse. Vendors such as NetContinuum, MagniFire (bought by F5) and Teros (purchased by Citrix) offer application-layer security features not yet in Cisco's portfolio.

Network access control vendors EdgeWall, Lockdown Networks, Mirage Networks, Nevis Networks and Vernier are entering the market as Cisco slowly joins the Layer 2 switch network access control market, which it helped create.

Before Cisco gets too far into next-generation security technology, some users of its products say there's plenty to improve upon in its current lines.

"I'm leery of any vendor that says they have the do-everything security solution," says Scott Pinkerton, network services manager at Argonne National Laboratory, a U.S. Department of Energy research center operated by the University of Chicago. "Every organization is so nuanced and different that one-size-fits-all is really hard to do with security. No security solution is easy. . . . They all require more tuning than you'd ever like."

Even with this philosophy, Argonne uses Cisco security gear, from its VPN 3000 concentrator to its PIX firewall and IPS/IDS equipment.

Three areas in which Cisco security gear needs to improve are "integration, integration, integration," Pinkerton says jokingly.

The network staff at Argonne uses a mix of custom scripting, some management tools from Cisco and other software to tie together Cisco firewalls and IDS sensors, allowing Pinkerton to dynamically reconfigure firewall policies when threats are detected. "Today we do that ourselves, but Cisco's security products do not," he says. "Why is that?"

While Cisco tries to make advances on the security products front, it is kept busy by the growing number of reported hackable flaws and vulnerabilities in the very security products it pitches.

The company has released eight new or updated product security advisories so far in 2006, affecting products ranging from its VPN 3000 and MARS to VOIP gear and IOS software.

"There's no vendor out there that's perfect" in terms of product vulnerabilities, says Zeus Kerravala, an analyst with The Yankee Group. "But while Cisco's strength is their installed base, it's their weakness regarding vulnerabilities. There are far more people that are going to try and hack into a Cisco router than" other network products.

Cisco's Palmer says the company's top priority is to better secure the devices it sells to safeguard customer networks.

Each Cisco product group shares best practices for writing secure code and building hardware that is harder to hack, Palmer says. "We're looking at this in terms of vulnerabilities, in terms of requiring authentication on multiple levels and in terms of securing the control plane along with the [regular] traffic."

Making it easier for users to quickly change, patch or fix flawed gear is another area in which Cisco could improve. "Cisco also needs to do a better job of educating customers on best practices for security on their devices," Kerravala says. "They have to come up with better configuration management tools and best practices to make sure that vulnerabilities are minimized."

He says Cisco has made some strides in making its products more systemic.

"Cisco's whole security product portfolio is made up of a bunch of acquisitions," he says. In that sense, buying Cisco VPN, IPS and firewall gear was more like buying products from three different vendors instead of a single security solution or system.

"The value Cisco can add is to put some kind of management framework on top of it and make it look like a system," Kerravala says. "That's where they put a lot of effort, and where they should put a lot of effort."

"In the emerging areas - such as SSL and IPS - Cisco is never going to be the industry trendsetter," he says. "You've got small dedicated start-ups with an entire company doing nothing but these technologies. Cisco can't maintain product leadership across all categories in all moments in time."

Products from pure-security vendors such as Arbor Networks, Check Point, Cybershield, Internet Security Systems and Sourcefire are still held in higher esteem by some network security aficionados and experts than infrastructure-based offerings from Cisco and its ilk.

Part of the reason Cisco will never dominate security the way it does routing and switching is that security technology is constantly evolving, observers say.

"Cisco is very strong where they have account control and where they have a lot of network equipment," says Jon Oltsik, an analyst with Enterprise Strategy Group. "Where Cisco's influence is weaker is in any organization where the security department is more dominant in selecting products."

Here, security "pure-play" vendors are more likely to get as much time and consideration as Cisco, as opposed to enterprise network groups that use Cisco gear, and may not look at competitive routers and switches often, Oltsik adds.

Wednesday, February 01, 2006

Purchasing a new router: How, why and which one to buy

Assuming you already have a functional network, there are many reasons why you may want to consider purchasing a new router. Obviously, scalability is one reason. You may have run out of Ethernet ports on your router. Your router may be near the end of its shelf life (perhaps it has been serviced too frequently and is off warranty and/or support), and you know it is time for a newer model. You may have a new requirement to support a different protocol than you have been using - such as RIP2, BGP, IGMP, HSRP, IGRP or OSPF - and perhaps your existing router does not support this protocol. You might want to implement VLANs into your network. Perhaps you need to work with spanning tree. You may also have a new requirement to provide better failover and redundancy that your existing router just does not provide. Perhaps you want an integrated VPN solution to be part of your router, without having to rely on a firewall. (There are pros and cons of doing it this way, but clearly if there are budget constraints, an integrated packet filtering router that also provides VPN services for remote client connectivity may really help you.)

Wireless is another area to consider. Many routers, particularly those for home use, come with integrated wireless, though I would personally recommend a separate access point for your business when doing wireless - one which is optimized for security. Though it clearly works well for home use (and I use one myself at home), I would certainly not purchase a Linksys router/switch/wireless access point for my business.

Support: Some things to consider

When upgrading to a new router, you must make sure that you understand the type of support that you will be getting from your vendor. If you try to go with a low-priced router, the vendor may not have the technical staff to help you deal with the problems that will develop. One must also consider the platforms that WAN engineers typically use, as it will be easier to support your environment with industry-standard products that are fully utilized by the majority of companies, small and large.

For both the enterprise and SMB, it is important to choose a manufacturer that cares enough about its products to educate the engineers who are responsible for deploying its solutions (and not just box pushers). For example, Cisco network engineers typically will try to get a CCNA or (if they are really amazing) CCIE certification from Cisco, which showcases their skill sets to employers. Nortel offers an NCA at their highest level, which represents a highly advanced level of technical design and analytical expertise for complex Nortel Networks solutions; it is also widely acknowledged throughout the industry and regarded as a symbol of excellence. Nortel has the greatest telephony experience, having grown up in that world, so I would seriously consider using their infrastructure if you are looking for strong VOIP integration. 3Com also offers certification in their technologies. Their router cert is the 3Com Certified WAN Specialist, which demonstrates skills in designing and implementing 3Com WAN solutions, working with 3Com routers and protocols including OSPF and BGP4.

Product lines: What to expect

Let's look at what a few of the major router vendors offer from their product lines.

For SMBs, Cisco has the 1800 Series, which provides WLAN capabilities along with advanced security services and management features such as hardware encryption acceleration, IPSec VPN (AES, 3DES, DES), firewall protection, inline intrusion prevention, Network Admission Control, and URL filtering support to allow their smaller customers to implement resilient, scalable solutions. Cisco helps its clients to optimize networks via a range of products and services, which they offer through their dealer channel. Through their Cisco Registered Partner program, they ensure that their partners are certified annually and have the knowledge and information at their disposal to fully support their customers. 3Com and Nortel also offer similar services. In addition to their SMB routers, Cisco also offers enterprise-wide models, including the 7600 series, their high-end model which offers integrated, high-density Ethernet switching, carrier-class IP/MPLS routing, and 10-Gbps interfaces.

3Com also has a strong product line, and I am particularly impressed with their 6000 series model, as it has every feature you can possibly think of, including fault tolerance and advanced traffic management and control features. I have deployed 3Com-only switch and routing infrastructures with great success in the past.

On the Nortel front, they have teamed with Microsoft to support Microsoft's Network Access Protection (NAP), an extensible standards-based technology that allows users to more securely access their corporate networks and reduce the complexity of network access for IT administrators. They are also working together with other industry-leading security companies to develop industry standards, network designs and products intended to secure critical information by protecting the communications infrastructure as well as user computing devices like desktop and laptop computers. This partnership is important, because despite the fact that many WAN folks hate Microsoft, those people will still need to deal with Microsoft on the PC client side.

Regarding Nortel's product line, I'm impressed with the Nortel Multiprotocol Router 5430, which is being marketed to remote offices that have outgrown smaller branch office routers. It can support concurrent, compute-intensive applications such as IP Quality of Service, IP multicast, compression and VPNs. It also has support for multiple WAN technologies -- including ATM T1/E1 and T3/E3, frame relay, PPP and ISDN.

Cisco has its own proprietary product, Cisco Systems' Network Admission Control (NAC), which will also carefully analyze any PC that wants to attach to your network, to check for the presence and status of antivirus and personal firewall software and report on the configuration of the machine. I feel Nortel has the advantage here, because most desktop clients are Microsoft, and it is to Nortel's advantage that, unlike Cisco, they have chosen to partner with Microsoft rather than develop their own proprietary standards.

In conclusion, I will reiterate that when looking to purchase new routers for the enterprise, one must look for VPN capability, multi-protocol support, integration with other networks, security enhancements (i.e., 3DES encryption) and direct vendor support. Though I would not hesitate to price out alternate solutions, I prefer industry-standard products for the enterprise.