Vendor Specific


I thought I’d post up a reference to an interesting article on Network World about Cisco’s place in the security market. It seems that customers now care less about appliance performance and more about overall strategy and product integration. The data gathered by IDC shows that customers do not rate Cisco as a “best of breed” vendor, but that they are keen to use Cisco products because of the way they integrate into their network.

If security is of the utmost concern then in my opinion the best solution to the problem should be applied - end of story. However, with overworked staff and a lack of multi-vendor skills it is easy to see why companies choose Cisco, with its similar-looking administration GUIs and CLIs and the ability to expand appliance capability by using software modules.

I believe that Cisco are making huge strides in the security market and feel that although some products may not offer the same performance as others in a certain environment, their products for the most part integrate well into organisations with less administrative overhead if the customer is already a Cisco customer. I’m trying to stay neutral here and not show a preference either way, but I will say that I think Cisco’s layered approach to security is very good. It is because they have such a wide range of products that slot together well that customers are keen to choose Cisco, in my opinion. UTM solutions are good for the SMB market but offer little in the way of tiered defence. That said, if I were recommending an appliance for a customer who specified strong security as the priority then performance has to be the deciding factor regardless of vendor.

Anyway, here’s the article -> http://www.networkworld.com/news/2008/111708-cisco-sec.html

Cisco’s new(ish) flagship security event management platform is beginning to make its mark but I wanted to know what it brought to the table that made it different from the rest of the solutions available.

Security Information Management (SIM) platforms provide a central repository to which security devices send the events they generate. Most SIM offerings have a web front end that gives network security staff a single place to view all of the logs generated by devices on their network. SIMs offer excellent benefits to an organization: security events can be viewed from a single source, and the SIM has the disk space to store those events while keeping them available for analysis and reporting. Another benefit is that a SIM can correlate event data, grouping events that share certain attributes (such as a source address or a target) so that trends across the reporting devices become visible. The SIM can be configured to alert administrators when certain events are triggered; however, it is then up to the administrator to find a way of mitigating whatever is triggering the alerts.

The SIMs available before CS-MARS provided some excellent features that enabled network security staff to store, analyse and archive any events generated by devices configured to report to the SIM. An added benefit is that SIMs can help organizations comply with legislation that requires companies to secure confidential data, such as in the healthcare sector or online stores that retain customers’ personal data.

As you can see, SIMs offer us a great deal of functionality, but they were lacking in areas that other vendors had not yet ventured into. CS-MARS (Cisco Security Monitoring, Analysis and Response System) brought us the features that other vendors lacked. CS-MARS came about when Cisco purchased Protego Networks for $65M to extend the capability of Cisco’s self-defending network. Protego had embraced the concept of SIM but enhanced it by adding STM (Security Threat Management) to the MARS product, which Cisco has developed much further since acquiring it. STM brings new features to the SIM market, allowing us to do things such as timely attack mitigation through mitigation advisories. Also, because of the STM-oriented design, MARS has better overall topology awareness, which makes other things possible such as end-to-end network awareness to provide session awareness, and data reduction by reducing millions of raw events down to hundreds of incidents. MARS mitigation strategies employ the use of TCP resets, shuns, and edits to ACLs and rulebases.

In short, CS-MARS demonstrates an impressive range of new and innovative features in one solution that nothing else on the market can compare to. Security event management, correlation and normalization of events, combined with the option for attack mitigation advisories and immediate single-click mitigation deployments, places MARS in a class of its own.
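To make the SIM behaviour described above concrete (normalizing events from devices with different log formats, collapsing duplicates so that many raw events become a few records, and correlating across devices to raise a single alert), here is a small added Python illustration. It is not Cisco’s or MARS’s code and not from the original post; the three log formats, the host address 10.0.0.8, the thresholds and the sample lines are all constructed assumptions.

```python
"""Toy SIM-style pipeline: normalize -> reduce -> correlate -> alert.

Added illustration only; not Cisco/MARS code. The "fw", "ips" and "host"
log formats, the thresholds and the sample lines below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample lines from three "devices", each with its own format.
SAMPLE_EVENTS = [
    "fw: DENY tcp 203.0.113.5:4411 -> 10.0.0.8:22",
    "fw: DENY tcp 203.0.113.5:4412 -> 10.0.0.8:22",
    "fw: DENY tcp 203.0.113.5:4413 -> 10.0.0.8:22",
    "fw: DENY udp 192.0.2.9:53 -> 10.0.0.20:53",
    "ips: ALERT ssh-bruteforce 203.0.113.5 -> 10.0.0.8",
    "host: sshd[2210]: Failed password for root from 203.0.113.5 port 4414 ssh2",
    "host: sshd[2211]: Failed password for root from 203.0.113.5 port 4415 ssh2",
    "host: sshd[2212]: Accepted password for alice from 198.51.100.7 port 5001 ssh2",
]

HOST_ADDR = "10.0.0.8"  # assumed address of the "host" device (sshd logs carry no dst)

FW_RE = re.compile(r"^fw: (?P<action>\w+) (?P<proto>\w+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$")
IPS_RE = re.compile(r"^ips: ALERT (?P<sig>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+)$")
SSHD_RE = re.compile(r"^host: sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>[\d.]+) port \d+")

BENIGN = {"permit", "login-ok"}  # categories that never contribute to an incident


def normalize(line):
    """Map one raw line onto a common schema; return None for unparsed lines."""
    m = FW_RE.match(line)
    if m:
        return {"device": "fw", "src": m["src"], "dst": m["dst"],
                "category": "deny" if m["action"] == "DENY" else "permit"}
    m = IPS_RE.match(line)
    if m:
        return {"device": "ips", "src": m["src"], "dst": m["dst"], "category": m["sig"]}
    m = SSHD_RE.match(line)
    if m:
        return {"device": "host", "src": m["src"], "dst": HOST_ADDR,
                "category": "login-fail" if m["result"] == "Failed" else "login-ok"}
    return None


def reduce_events(events):
    """Data reduction: collapse identical normalized events into one counted record."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["device"], e["src"], e["dst"], e["category"])] += 1
    return [{"device": d, "src": s, "dst": t, "category": c, "count": n}
            for (d, s, t, c), n in counts.items()]


def correlate(reduced, min_devices=2, min_events=3):
    """Correlation: group records by source address and flag a source that
    several independent devices report and that produced enough events."""
    by_src = defaultdict(list)
    for r in reduced:
        if r["category"] in BENIGN:
            continue
        by_src[r["src"]].append(r)
    incidents = []
    for src, recs in by_src.items():
        devices = sorted({r["device"] for r in recs})
        total = sum(r["count"] for r in recs)
        if len(devices) >= min_devices and total >= min_events:
            incidents.append({"src": src, "devices": devices, "events": total,
                              "targets": sorted({r["dst"] for r in recs})})
    return incidents


def run_pipeline(lines):
    """Return (normalized events, reduced records, incidents) for a batch of lines."""
    events = [e for e in map(normalize, lines) if e]
    reduced = reduce_events(events)
    return events, reduced, correlate(reduced)


if __name__ == "__main__":
    events, reduced, incidents = run_pipeline(SAMPLE_EVENTS)
    print(f"{len(events)} raw events reduced to {len(reduced)} records")
    for inc in incidents:
        print(f"INCIDENT: {inc['src']} seen by {inc['devices']} "
              f"({inc['events']} events) against {inc['targets']}")
```

On the constructed sample the eight raw lines reduce to five records and only one source is corroborated by more than one device, so the administrator receives a single incident rather than six separate alerts; the thresholds are what you would tune per environment, and any mitigation (an ACL change, a shun) remains a human decision in this model, as the post notes for SIMs generally.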

I finally passed the damned thing! :-) I sat the ISCW exam today and walked away with the CCNP - woohoo! I’m happier that I can get back to doing what I enjoy now without having to do any more routing/switching stuff for a while. The ISCW course focused mainly on VPN technology, ADSL, cable and secure configuration management. It was a bit more enjoyable than the other exams, but because it’s locked into Cisco products I sometimes feel like the certification track is more like an ongoing advertisement for the vendor.

I’m not sure what I’ll focus on now; I’ve got to keep my skills sharp and my certifications current because I’m self-employed and the industry can be a bit fickle, I suppose - make no mistake, hands-on experience is what counts. Whatever it is, I intend to do something fun alongside it. I really fancy doing Remote Exploit’s Offensive Security course, although I may warm up with the BackTrack WiFu course first - the Remote Exploit team are superb -> http://www.remote-exploit.org/

It’s been a few months since I’ve done any meaty Checkpoint stuff, so I may just recertify my CCSA in NGX at the same time. Decisions, decisions! For now I’m just happy that this one’s out of the way!

Ian