Thursday, September 27, 2007

Cisco Catalyst 6500 / Cisco 7600 Series Devices Accessible Loopback Address Weakness

A weakness has been reported in Cisco Catalyst 6500 and Cisco 7600 series devices, which can be exploited by malicious people to bypass certain security restrictions.

The problem is that packets destined for the 127.0.0.0/8 network may be received and processed by e.g. the Supervisor module or Multilayer Switch Feature Card (MSFC). This can be exploited to e.g. bypass existing access control lists.

Successful exploitation requires that systems are running Hybrid Mode (Catalyst OS (CatOS) software on the Supervisor Engine and IOS Software on the MSFC) or Native Mode (IOS Software on both the Supervisor Engine and the MSFC).

The weakness is reported in all software versions on Cisco Catalyst 6500 and Cisco 7600 series prior to 12.2(33)SXH.

Solution:
Update to 12.2(33)SXH.

Provided and/or discovered by:
The vendor credits Lee E. Rian.
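As an added detection example for the weakness above, not part of the advisory or of Cisco's own tooling: a Python check that flags flow records whose destination lies in 127.0.0.0/8 but that entered the device on a physical interface, a pattern that should never appear on the wire. The FlowRecord layout and the sample records are constructed for this example.

```python
"""Flag traffic addressed to the loopback range 127.0.0.0/8 that arrived on a
physical interface.

Added example, not from the advisory and not Cisco tooling. The FlowRecord
layout and SAMPLE_FLOWS below are constructed to resemble what a NetFlow/IPFIX
collector exports for a Catalyst 6500 / 7600 interface.
"""
import ipaddress
from dataclasses import dataclass

# RFC 1122 loopback block: a destination in here must never be seen on the wire.
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


@dataclass(frozen=True)
class FlowRecord:
    ingress_if: str   # interface the packets entered on, e.g. "GigabitEthernet1/1"
    src: str          # source IP as text
    dst: str          # destination IP as text
    proto: str        # "tcp", "udp", "icmp", ...
    packets: int


def is_loopback_destined(record: FlowRecord) -> bool:
    """True when an IPv4 flow targets 127.0.0.0/8 and entered on a non-loopback interface."""
    try:
        dst = ipaddress.ip_address(record.dst)
    except ValueError:
        return False  # malformed export; a separate data-quality check should report it
    if dst.version != 4:
        return False  # the advisory concerns IPv4 loopback only
    if record.ingress_if.lower().startswith("loopback"):
        return False  # traffic the box itself generates legitimately shows up here
    return dst in LOOPBACK_NET


def find_loopback_abuse(records):
    """Return (record, reason) pairs for every flow that warrants investigation."""
    hits = []
    for rec in records:
        if is_loopback_destined(rec):
            reason = (f"{rec.proto} {rec.src} -> {rec.dst} entered on {rec.ingress_if}: "
                      f"destination inside {LOOPBACK_NET}; possible ACL bypass via loopback address")
            hits.append((rec, reason))
    return hits


def sources_by_interface(hits):
    """Summarise hits as {ingress interface: sorted list of source addresses}."""
    summary = {}
    for rec, _ in hits:
        summary.setdefault(rec.ingress_if, set()).add(rec.src)
    return {ifname: sorted(srcs) for ifname, srcs in summary.items()}


# Constructed sample export (RFC 5737 documentation addresses).
SAMPLE_FLOWS = [
    FlowRecord("GigabitEthernet1/1", "198.51.100.7", "127.0.0.1", "tcp", 3),
    FlowRecord("GigabitEthernet1/1", "198.51.100.7", "192.0.2.10", "tcp", 40),
    FlowRecord("GigabitEthernet2/3", "203.0.113.5", "127.255.0.9", "udp", 1),
    FlowRecord("Loopback0", "127.0.0.1", "127.0.0.1", "tcp", 2),
    FlowRecord("GigabitEthernet2/3", "2001:db8::1", "::1", "tcp", 1),
    FlowRecord("GigabitEthernet2/3", "203.0.113.5", "not-an-address", "tcp", 1),
]

if __name__ == "__main__":
    for _, reason in find_loopback_abuse(SAMPLE_FLOWS):
        print(reason)
```

Run against a real export, any hit is worth a look even on patched software, since nothing legitimate sends packets to 127.0.0.0/8 across a link.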

Wednesday, September 26, 2007

Cisco rolls out appliance to enhance carrier Ethernet and IPTV

Cisco this week announced a service provider appliance that the vendor says will help carriers better deliver on the promise of what it calls the "connected life," by bringing fibre connectivity to multi-tenant units like apartments.

As service providers continue to jockey back and forth to differentiate themselves by offering new advanced services, Cisco's service provider senior marketing manager Mike Capuano said the focus is really on the end users, who demand connectivity and the ability to create their own mix of services, whether it's video, voice, IPTV or a combination of many.

"The critical competitive element is to deliver a great customer experience," Capuano said. "End users can create their own service mix if they want to."

The appliance, the ME 3400 24FS, is an update to Cisco's Carrier Ethernet portfolio of its IP Next-Generation Network (IP NGN).

According to Capuano, the ME 3400 24FS delivers fibre to multi-tenant units to enable high-density fibre deployments. He claims that providers can install the box in building basements to ensure in-building reach in a pay-as-you-grow fashion. Port options accommodate fibre and copper and visibility and control over bandwidth.

"Using the ME 3400, providers are able to pinpoint troubleshooting, delay-free access to personalised content and advanced entertainment service delivery unrestrained by distance," Cisco said in a statement.

Along with the appliance, Cisco announced enhancements to its IP NGN Carrier Ethernet Design, including 50 ms resiliency from the core to the premise, increased scalability, new instrumentation for measuring customer service-level agreements (SLAs), and increased resiliency and scalability.

Pinpointing trouble on a massive service provider network has been difficult in the past, according to Eve Guilloches, program manager of telecom infrastructure at IDC. And as the Carrier Ethernet market continues to be a growth area, a better understanding of the network end-to-end has become imperative.

Many vendors are making appliances for the core of the telecom network and moving slowly to the edge, Guilloches said. But the inherent problem with Carrier Ethernet is its need to be more reliable, especially as service providers offer new services like IPTV. The ability to manage the network from end-to-end will help ensure that the network is reliable, she said.

"[With Cisco IP NGN Carrier Ethernet] software can go all the way through fibre directly to the customer to understand what's going on at the customer site," she said. "What you want to do is have as much visibility as possible."

Guilloches said service providers want to know exactly where a problem lies -- whether it's in the satellite feed, the core, or at the customer site. Since data traverses a great deal of network infrastructure, it was difficult in the past for service providers to determine just where the problem lay.

"There are a million ways to screw it up," she said. "Now at least they can diagnose the problem to know where it's falling apart."

Ricky Wong, chairman of Hong Kong Broadcast Network, agreed that troubleshooting was difficult, especially with the mass of traffic and the increased use of new, advanced services.

"With the target to cover two million households for triple-play services on our Carrier Ethernet network, quality of experience is of the utmost importance," Wong said in a statement. "Given the growth of traffic and subscribers, working to ensure it is an ongoing challenge."

Cisco Product Rollout Aims To Boost Branch Offices

Cisco Systems on Wednesday rolled out several new products and services designed to give branch offices similar security, wireless, application acceleration, and unified communications capabilities as the home office.

The new products and services include platforms, hardware modules, software enhancements, and new feature sets.

"We came out with a branch [office] architecture that allows us to provide our customers with an entire set of service capabilities that they need in the branch office: the routing, the switching, the wireless capabilities, unified communications, voice over IP, and Wide Area Network optimization to drive down latency and improve application performance," said Inbar Lasser-Raab, Cisco's director of network systems, in an interview.

Cisco's 1861 Integrated Services Router, which costs $3,995, comes with built-in security and unified communications capabilities for up to eight users in a branch office. A smaller business can connect its phones to the router for basic voice messaging. A larger business can tie it to a business application for the full unified communications experience, Lasser-Raab said.

The Catalyst 2960 Series Switches with LAN Lite Cisco IOS (Internetwork Operating System) Software are managed switches with entry-level security and quality of service. The switches cost $995.

The Cisco Unified Messaging Gateway is designed for routing messages and exchanging subscriber and directory information among up to 10,000 voice mail systems within a unified messaging network, meaning one that supports an integrated inbox for multiple kinds of messages such as voicemail, e-mail, and fax. It acts as the central hub in a network. The gateway will be available in November, starting at $9,000 for 250 nodes.

The Intrusion Prevention System Advanced Integration Module, which starts at $3,000, is meant to help branch offices defend their networks against attacks and disruptions. The module identifies and stops malicious traffic originating from the Internet.

Cisco's new Performance Routing software monitors Internet traffic, performance bottlenecks, and overall network conditions, while the Wide Area Application Services (WAAS) Network Module (for the Cisco 3800 Series Integrated Services Router) lets branch offices consolidate servers and storage into data centers and centrally deploy new applications.

Additionally, Cisco announced a software upgrade for its Wireless LAN Controller, which now supports the IEEE 802.11n draft 2.0 standard that has the potential of delivering five times the performance of current wireless networks.

"Now customers can give their branches the same level of support and capability as they do in the headquarters," said Lasser-Raab.

Monday, September 24, 2007

Cisco sees security spend surge 20 per cent

Security spending is expected to increase by 20 per cent across the globe, including India, due to the increase in usage of wireless and mobile connectivity among employees, says a survey by network solutions provider Cisco.

In India, almost 36 per cent of the respondents predict the increase in security spending to be between 10 and 20 per cent.

The latest research builds on findings released earlier this month, which highlighted the growing trend of mobile employees and the heightened risks for businesses as they connect to corporate networks and carry sensitive information outside office walls.

While the previous survey involved more than 700 mobile employees in seven countries, where wireless and mobility technologies are widely adopted, the additional findings reveal spending plans and business drivers for over 700 IT decision makers, who work in those same nations: the United States, the United Kingdom, Germany, China, India, South Korea and Singapore.

“These figures are significant because a 20 per cent increase in spending on security alone could represent hundreds of thousands to millions of dollars for mid-size and large enterprises,” said Jeff Platon, vice-president of security solutions for Cisco.

Virus containment was the single-largest issue that Chief Information Officers (CIOs) in India found among wireless devices over the past year. A third of respondents in both India and China feel that security incidents will increase in the next year. In India, 41 per cent of respondents are focusing on wireless security, while 42 per cent are focusing on both wired and wireless security.

Almost two-thirds (63 per cent) of IT respondents say more employees are being enabled to work anywhere, anytime with laptops, smart phones, or both.

Germany (74 per cent) leads the pack, followed by China and India (69 per cent), South Korea (66 per cent) and the United States (58 per cent).

Education and awareness among users will be key to the success of any security policy. Many mobile users in the survey say they aren’t always aware of security concerns, and their actions provide proof.

Throughout the seven countries, many mobile employees say they access unauthorised wireless networks in public places and in their neighbourhoods.

Many say they don’t encrypt data on their wireless devices or set passwords to prevent physical access to their information.

And, inevitably, some mobile users lose their devices or are victims of theft.

However, more than half agree that regulatory compliance initiatives are driving attention to wireless security. The countries where this is the biggest driver are India, Singapore and China.

Ben Gibson, Cisco’s director of mobility solutions, said: “The research really provides an opportunity for IT to reassess its relationship with increasingly mobile user bases and consider new ways to minimise spending. If you look at it from all angles — compliance, policies, business needs and human behaviour — technology is only half of the equation. Proactive communication, education and engagement of employees on safe, appropriate online behaviour, especially when they are mobile and remote, can help to ensure solid returns on strategic IT investments that bring the promise of a secure, mobile wireless business to life.”

Thursday, September 20, 2007

Cisco Stops Spam With Increased Performance From Intel

IronPort Systems, a business unit of Cisco, today announced the use of Multi-core Intel Xeon® processors to power IronPort's next generation of email and Web security appliances. IronPort appliances use AsyncOS, a proprietary operating system that is taking full advantage of the significant performance increases made possible by Intel Multi-core technology. This performance improvement helps enterprises, Internet service providers (ISPs) and smaller organizations stay ahead of the never-ending deluge of spam e-mail.

The new generation of email security appliances from IronPort harnesses the power of Multi-core Intel Xeon processors to stay in front of new spammer tactics. The IronPort X1050 uses dual Quad-Core Intel Xeon processor 5300 series. The IronPort AsyncOS operating system is able to take full advantage of all eight cores, yielding system throughput approximately 800 percent greater than a comparable single-core appliance. This increase in processing power allows the IronPort appliance not only to process more spam messages, but also to run more sophisticated rules and analysis to thwart the latest spam techniques.

Spam keeps coming, and as a result spam filters cannot simply rely on faster hardware to keep pace. The work that Cisco and Intel have been doing with multi-core systems is a great example of the new technologies required to stay ahead of spam.

Available Now

IronPort X1050 and all multi-core systems are available now. Visit www.ironport.com for more details.

Cisco outlines next web revolution

"No army can withstand the strength of an idea whose time has come," said Howard Charney, Cisco's senior vice president, borrowing from Victor Hugo to summarise the power of the internet.

Speaking in Brisbane this week, Charney said the world — split into "information-rich" (developed) and "information-poor" (developing) countries — is on the precipice of a major wave of innovation, thanks to the internet, growing urban populations and falling hardware prices.

The combination of the availability of Nicholas Negroponte's so-called "$100 laptop" to two billion people in China and India, and over half the world's population living in cities by 2008, will have a profound effect on both worlds, said Charney.

Greater access to information will improve living standards by removing isolation, which will in turn stem the growing disparity between productivity growth rates of information "poor" and "rich" nations — a gap which has doubled in the last decade according to an OECD report, said Charney.

However, he said his vision is not entirely philanthropic. For developing nations to improve life, they will need networks — Cisco's networks, he hopes, whether it's dark fibre or wireless.

"You know, we're very big," said Charney. "When you're big, you have societal obligations… But are we going to be making profits off [building networks in developing countries]? Yes, there is a business proposition."

IBRS analyst Dr Kevin McIsaac, agreed that "enabling technology" like a laptop will help, but posed the question: "What else will they need?"

"In Bangladesh the [Grameen Bank] lent as little as $5 to women to buy a mobile phone. This was incredibly important to enable the technology for these women to get started. They would rent out the time on the phone, which was enough to live, pay the mortgage and was a vital piece of technology in the village."

Instead of walking two days into the village to sell their produce, the women were able to call local buyers and negotiate better prices, which offered a better outcome than would have been possible under stressed conditions, McIsaac added.

Across the information-rich divide

However, innovation won't simply happen for "information-rich" countries, continued Cisco's Charney.

"Our challenge today is in recognising the potential of new technology and putting it to use faster than before," he said.

"To sustain innovation, we need investment and sometimes that seems like crazed speculation," he said, using Holland's tulip and the US's great llama bust as prime examples.

"This does not mean people should take greater risks," Charney said. "Investment occurs in different ways and sometimes people get caught up in making money and build out business models that don't turn out to work, but that also created investments in dark fibre. Now, we use that for a business model that does."

"That permitted the Indian outsourcing industry to get started. How could companies in the US and Europe outsource to India — which is now worth hundreds of billions of dollars?" asked Charney.

However IBRS's McIsaac warned not to interpret retrospectively good investments for efficient outcomes. "Value has come out of the [dot-com boom], but there was an enormous waste of investment," he said.

"Business needs to take a portfolio view of investments in technology. Five percent should go into blue-sky investments, like wikis and Web 2.0 for knowledge-management projects, but 30 percent should go into keeping IT running and improvements on existing technology."

Cisco to buy Cognio for wireless network management

Cisco Systems Inc. today announced an agreement to buy Cognio Inc., a maker of software for wireless network spectrum analysis and management. Financial details were not disclosed.

Cognio, based in Germantown, Md., provides software designed to enhance performance, reliability and security of wireless networks by detecting and reducing sources of radio frequency interference.

In a statement, Cisco said the acquisition would give it access to technology and intellectual property that would complement its existing product lines and help differentiate its offerings from those of its competitors. The networking vendor also said that Cognio's developers would help expand its line of wireless networking products.

Wireless networking is one of six newer technologies that Cisco refers to as a "Cisco Advanced Technology," which is expected to grow in coming years.

The Cognio deal is expected to close in the first quarter of 2008. It would be Cisco's 122nd acquisition, but its first in fiscal 2008.

Tuesday, September 18, 2007

Cisco to buy Cognio

Networking equipment maker Cisco Systems said Tuesday that it plans to buy privately held Cognio, a company that has developed technologies to better manage wireless spectrum.

Financial details of the deal weren't disclosed.

Cisco said Cognio's technology, which detects, classifies, locates, and mitigates sources of radio frequency interference, complements its existing portfolio of wireless technologies. It will allow corporate network managers who have deployed Cisco's wireless technologies to better manage their wireless spectrum and minimize interference.

"Wireless spectrum is a strategic asset for our customers, and its management is key to the robust delivery of mobility applications," Brett Galloway, vice president and general manager of Cisco's wireless networking business unit said in a statement. "Cognio's innovation in spectrum intelligence will help ensure Cisco continues to differentiate our ability to deliver our customers rich and dependable end-user mobility experiences."

Cisco said it expects the deal to close in the first quarter of its 2008 fiscal year. Cognio is Cisco's 122nd acquisition, and it's the first one the company has announced this fiscal year, which started in July.

Thursday, September 13, 2007

Cisco IOS Regular Expressions Denial of Service

A vulnerability has been reported in Cisco IOS, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to an error when handling regular expressions containing repetition operators and pattern recalls. This can be exploited to cause a stack overflow by sending a command with specially crafted regular expressions to the command line interface.

Successful exploitation crashes the device, which must then be rebooted, but requires valid user credentials.

The vulnerability is reported in versions 12.0, 12.1, 12.2, 12.3, and 12.4.

Solution:
Restrict access to trusted people only.

Wednesday, September 12, 2007

IronPort OS Gets Encryption Update

Cisco Systems' IronPort division is perhaps best known for its anti-spam e-mail appliances and technologies. But it wants to be known for more.

That might happen with the new encryption and data-loss prevention (DLP) features it's rolling out in its new AsyncOS operating system 5.5 release. The AsyncOS operating system powers IronPort's e-mail security appliances.

"This is data-loss prevention made easy," Nick Edwards, project manager for IronPort, told InternetNews.com. It takes advantage of investments customers have made in their anti-spam infrastructures and gives them really good tools for data-loss prevention.

Edwards added that AsyncOS started from a FreeBSD kernel on which IronPort developed its own proprietary MTA (mail transfer agent) and other features.

Among the key enhancements in AsyncOS 5.5 is full e-mail encryption. Edwards explained that all encryption takes place at the gateway of the sending organization and can be done by policy.

Once an outbound message has hit the server, an e-mail message is sent to the recipient that says they have a secure message waiting for them and if they go to a specific Web site login, they can retrieve it.

"It provides for a universal approach for deploying encryption without the need for some kind of end-to-end compatibility," Edwards said. "It takes complexity off the table and makes deployment easier."

According to Edwards, the fact that a recipient has to click on a link and go to a Web site to see their encrypted mail has not had any push back from customers.

The new AsyncOS release also helps users more easily tag and identify e-mail that should not be leaving the enterprise. Called "smart identifiers," they help to identify content, such as Social Security and credit-card numbers that should not be in outbound e-mail.

Edwards noted that IronPort had the ability to do custom filters prior to this release, but customers had to do a lot more manual lifting. Smart identifiers are intended to be as easy as point and click.

"The reason why it's called smart identifiers and not just identifiers is we've introduced logic to allow the platform to understand what it's looking at," Edwards explained.

Though the new AsyncOS adds features, existing users shouldn't necessarily expect that it will improve the performance of their e-mail security appliance. Edwards described the performance as "flat" for existing customers for the features they're already using.

"But if someone is going to deploy encryption, which is pretty CPU intensive, it depends on their rollout and how much mail they will encrypt," Edwards said. "We're not in the business of promising customers that they'll never experience a performance decline, but we are committed to giving them parity for their existing feature set release to release."

The release is the first made by IronPort since being acquired by Cisco earlier this year for $830 million. Though it's still relatively early in the integration, Edwards noted that there are a lot of interesting opportunities for IronPort to interoperate with Cisco.

"Cisco has a ton of products all across the network infrastructure and many look interesting to us to deploy our security technology on."

HP targets Cisco dominance with core switch

HP ProCurve has launched a core switch that it hopes will challenge Cisco's market dominance.

The 8212zl, launched on Monday, is a scalable chassis core switch platform with 692Gbps switch capacity and 10Gb Ethernet connectivity. It is also hot-swappable and has redundant management, fabric and power capabilities.

The platform is based on HP's ProVision ASICs, and it links in with ProCurve's security strategy, according to Paul Congdon, ProCurve's chief technology officer. The switch has behavioral-analysis capabilities and can tunnel suspicious traffic to threat-management devices. The switch also accepts plug-in modules, HP said.

The 8212zl is targeted at both medium and larger-sized businesses, according to Congdon. "For mid-market customers, traditionally core products are really expensive, making those customers shy away. Now they have that capability (and they) don't have to deal with the intricacies of dealing with Cisco," he said.

Congdon added that, for larger enterprises, a common configuration is to have a Cisco core with ProCurve at the edge of the network.

John McHugh, ProCurve's managing director, said, "ProCurve has got to a size where the only way to continue to add to the market is to run into our competitor (Cisco). The bulk of our competitive motion will be against that company."

McHugh said that the 8212zl comes with a lifetime warranty--and he said that a product would typically last 12 to 15 years. "This is the first high-availability core with redundant capabilities that has a lifetime warranty," he said.

He claimed that ProCurve has sold more than 100 of the products to beta customers. Customers who have so far expressed an interest in purchasing the switches include the University of Westminster and organizations in the construction and manufacturing, health-care and local government verticals. The product in its basic form costs £14,102 (or about $28,519).

ProCurve on Monday also launched the Wireless Edge Services zl Module, which is a wireless LAN controller. Controllers manage a wireless network in terms of maintaining security policies and governing RF propagation.

The module includes a secure guest portal with guest-account administration and integrated Radius and DHCP services. Security features include an integrated stateful packet-inspection firewall and wireless-intrusion detection.

Thursday, September 6, 2007

Cisco Adaptive Security Appliance Password Logging Weakness

A weakness has been reported in Cisco Adaptive Security Appliance (ASA), which can be exploited by malicious people to disclose sensitive information.

The weakness is caused due to Cisco ASA not correctly sanitising log messages of the "test aaa-server" command before sending them to syslog. This can lead to the disclosure of sensitive information like usernames and passwords.

The error occurs when a user with privilege level 15 or above executes the "test aaa-server" command and logging level 5 (notifications) is activated.

Solution:
Update to 8.0.2.11 for the 8.0 train, 7.2.2.34 for the 7.2 train, 7.1.2.61 for the 7.1 train, and 7.0.7.1 for the 7.0 train.
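As an added example for the weakness above, not part of the advisory or of Cisco's software: a Python syslog-relay filter that strips the password argument from lines recording a "test aaa-server" command before they reach the central log store. The line format is an assumption modelled on the ASA command-audit message shape, and the sample lines are constructed.

```python
"""Redact the password argument from ASA syslog lines that record a
'test aaa-server' command, so an unpatched ASA does not ship credentials to
the central log store at notifications level.

Added example, not from the advisory and not Cisco code. The log line shape
is an assumption modelled on the ASA command-audit message
"%ASA-5-111008: User 'NAME' executed the 'COMMAND' command."; the sample
lines in SAMPLE_SYSLOG are constructed.
"""
import re

# The authentication form of the command carries the password inline:
#   test aaa-server authentication GROUP [host IP] username U password P
# The authorization form has only a username, so the pattern does not fire.
# The value stops at whitespace or at the quote that closes the logged command.
_AAA_TEST_PASSWORD = re.compile(
    r"(\btest aaa-server\b[^']*?\bpassword\s+)([^\s']+)", re.IGNORECASE)

REDACTED = "<redacted>"


def contains_cleartext_aaa_password(line: str) -> bool:
    """True when the line logs a test aaa-server command together with its password."""
    return _AAA_TEST_PASSWORD.search(line) is not None


def redact_test_aaa_server(line: str) -> str:
    """Return the line with the password argument replaced; other lines come back unchanged.

    The username is deliberately kept so the audit trail still shows which
    account the operator tested against.
    """
    return _AAA_TEST_PASSWORD.sub(lambda m: m.group(1) + REDACTED, line)


def scrub_syslog(lines):
    """Scrub a batch of syslog lines; returns (cleaned lines, number of lines redacted)."""
    cleaned, redacted = [], 0
    for line in lines:
        if contains_cleartext_aaa_password(line):
            redacted += 1
            line = redact_test_aaa_server(line)
        cleaned.append(line)
    return cleaned, redacted


# Constructed sample lines (RFC 5737 documentation addresses).
SAMPLE_SYSLOG = [
    "%ASA-5-111008: User 'enable_15' executed the 'test aaa-server authentication "
    "RADIUS-GROUP host 10.1.1.5 username alice password S3cret!' command.",
    "%ASA-5-111008: User 'enable_15' executed the 'test aaa-server authorization "
    "RADIUS-GROUP username alice' command.",
    "%ASA-5-111008: User 'enable_15' executed the 'show running-config' command.",
    "%ASA-6-302013: Built inbound TCP connection 12 for outside:203.0.113.9/4567 "
    "(203.0.113.9/4567) to inside:192.0.2.20/22 (192.0.2.20/22)",
]

if __name__ == "__main__":
    cleaned, count = scrub_syslog(SAMPLE_SYSLOG)
    print(f"redacted {count} line(s)")
    for line in cleaned:
        print(line)
```

Scrubbing at the relay does not clean the ASA's own local buffer, so treat any password seen in such a line as exposed and rotate it once the upgrade is in place.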

Cisco Video Surveillance IP Gateway and Services Platform Authentication Bypass

Some vulnerabilities have been reported in Cisco Video IP Gateway and Services Platform, which can be exploited by malicious people to bypass certain security restrictions and compromise a vulnerable system.

1) The telnet service of the Cisco Video Surveillance IP Gateway video encoders and decoders does not authenticate connecting users. This can be exploited to gain administrative shell access by connecting to the vulnerable service.

2) The Cisco Video Surveillance Services Platform and Integrated Services Platform devices contain a default password for the "sypixx" and "root" accounts. This can be exploited to gain administrative shell access by connecting to the vulnerable service, but requires knowledge of the default password.

The vulnerabilities are reported in:

* Cisco Video Surveillance IP Gateway Encoder/Decoder (Standalone and Module) firmware version 1.8.1 and earlier
* Cisco Video Surveillance SP/ISP Decoder Software firmware version 1.11.0 and earlier
* Cisco Video Surveillance SP/ISP firmware version 1.23.7 and earlier

Cisco Catalyst Content Switching Modules Denial of Service Vulnerabilities

Two vulnerabilities have been reported in the Cisco Catalyst Content Switching Modules (CSM) and Cisco Catalyst Content Switching Module with SSL (CSM-S), which can be exploited by malicious people to cause a DoS (Denial of Service).

1) An unspecified error exists when processing certain TCP packets that were received out of order. This can be exploited to cause a high CPU load or a device reload due to an FPGA4 exception with icp.fatPath length error by sending specially crafted TCP packets to a vulnerable system.

2) An unspecified error exists within the "service termination" option, which can be exploited to cause an FPGA4 exception 1 IDLE error under a high network load by sending specially crafted TCP packets to a vulnerable system.

Vulnerability #1 is reported in CSM 4.2 prior to 4.2.3a and CSM-S 2.1 prior to 2.1.2a. Vulnerability #2 is reported in CSM 4.2 prior to 4.2.7 and CSM-S 2.1 prior to 2.1.6.

Solution:
Apply updated versions. See vendor advisory for details.

Provided and/or discovered by:
Reported by the vendor.

Wednesday, September 5, 2007

Cisco fortifies 802.11n market

Cisco has announced enterprise solutions based on the 802.11n standard. Cisco's backing of the specification could give firms more confidence about deploying the technology in the interim until the standard on which systems are based – 802.11n – is ratified by the Institute of Electrical and Electronics Engineers (IEEE).

Increased speed and performance are two key benefits of the technology, Cisco Scotland chief technology officer Richard Moir said. "Organisations deploying 802.11n kit could see a five to ten-fold increase in data transfer speeds and a 2-fold increase in the range at which users could connect to their wireless networks." He added that any changes to the specification would be included in future software updates. "Any changes to the actual 802.11n standard will be addressed," he said.

Butler Group analyst Mark Blowers said that firms could benefit in many ways from the N specification. "Where firms need to have many people wirelessly connected, this technology would be a benefit. There have been reports of 802.11n capabilities eventually leading firms to think about removing wired connectivity at the edge of their networks – 802.11n makes this scenario a lot more feasible," he explained.

The Cisco offering uses its Catalyst 6500-based wireless LAN controller together with the Unified Wireless Network release 4.2 firmware, with 802.11n functions being delivered using new Cisco Aironet 1250 series access points (APs).

The new Aironet 1250 series AP will be available next month priced around £650 + VAT, with Power-over-Ethernet support using Cisco's Catalyst switches scheduled for launch later this year. Cisco's Unified Wireless Network release 4.2 firmware will be available this October.

Monday, September 3, 2007

Cisco Turns to Trend Micro for Router Security

Cisco Systems Thursday unveiled plans to add content security services to its routers via an extended partnership with Trend Micro.

The San Jose, Calif.-based networking vendor plans soon to integrate Trend Micro technology into the operating system of its Integrated Services Routers (ISRs), adding services such as content filtering to its family of branch office routers, said Tom Russell, senior director of Cisco's Security Technology Group.

The new offering, which will be available "in the near future," will make it easier for channel partners to build layered security solutions, as the ISR family already supports several integrated security options, Russell said. It will also help push content security out to remote locations, he added.

"You need to have content security at the central site, but you also have to distribute it to all of the points in the network," he said.

Cisco and Cupertino, Calif.-based Trend Micro have been working together since 2004. Trend Micro content security technology is already incorporated into Cisco's Adaptive Security Appliance family of unified threat management wares.

Trend Micro is also a partner in Cisco's Network Admission Control initiative and offers its own Damage Cleanup Services for the Cisco MARS (Mitigation, Analysis and Response System) platform.

Cisco playing network defence

Cisco's six-year-old Self-Defending Network strategy for securing converged networks remains a work in progress: Acquisitions and internal developments are moving it forward even as customers push Cisco to go above and beyond its initial plans.

Cisco spends US$400 million annually - roughly 10 percent of its total R&D budget - on security. The company's aim with SDN is to integrate security into all aspects of a converged data, voice and video network with a focus on secure connectivity, threat defence, and trust and identity management.

In June, Cisco provided its most recent update on SDN after its acquisition of IronPort Systems, a privately held developer of email and web security products. Cisco said IronPort ushered in Version 3.0 of SDN (Version 1.0 involved Cisco's recognition that security is more than point products, like firewalls, VPN concentrators and intrusion-detection systems; Version 2.0 comprised building those capabilities into Cisco products.)

Cisco plans to port IronPort's SenderBase reputation services onto Cisco Adaptive Security Appliance firewalls by the first half of 2008. Cisco also plans to port SenderBase to other key security or routing platforms, such as the Integrated Services Routers and Mitigation Analysis and Response System. Integration with Cisco and third party network admission control (NAC) products also is expected.

"If they can now get email security, Web security - basically all the secure messaging technologies - into that mix they've got a bigger story," says Charlotte Dunlap, senior analyst of enterprise security at Current Analysis.

Dunlap is keeping an eye on how Cisco might take advantage of an existing relationship between IronPort and Vontu, a developer of software that analyzes content and authorizes user access at endpoints to protect against data leakage.

"I'd really like to hear their data-leakage story," says Dunlap, who compares Cisco's purchase of IronPort to Secure Computing's acquisition of CipherTrust last year. "[IronPort does not offer] the level of depth that the data-leakage prevention providers do."

Cisco intends to maintain IronPort's ties to Vontu and exploit the relationship for inclusion in the SDN architecture, according to Jeff Platon, vice president of security marketing at Cisco.

"I think of that as a part of the solution but I do see a variety of other parts of the portfolio that are also being enhanced to be able to participate in a more comprehensive data-leakage solution," Platon says. "It's a tough problem -- you can't just rely on one methodology."

An announcement last week by Cisco and Intel might help. Intel enhanced its vPro processor technology with a Cisco-certified "embedded trust agent" that offers Cisco customers the ability to manage systems without lowering the security on IEEE 802.1x networks and Cisco SDN products.

Nielsen says PG&E hasn't been briefed yet on Cisco's road map for that. But where SDN currently fits is in spots where PG&E is installing new Cisco infrastructure.

"Where we've had problems is where we have legacy systems," Nielsen says. "If a company buys into the Cisco solution and they buy all of the pieces, it works great; but you've got to have all of the pieces there. You can't do clean access NAC on a Catalyst 1900 switch that was built six or 10 years ago; it just doesn't work."

Nielsen notes that this issue is industrywide, not Cisco-specific.

Mobile workers don't care about security

Many remote workers are uninterested in security, according to a new study by Cisco. It found that as companies increase workers' usage of laptops and smartphones, the security risks increase as a result of unsafe and sometimes reckless end-user behaviour.

The survey, carried out in conjunction with the US National Cyber Security Alliance (NCSA), questioned 700 mobile employees based in the US, the UK, Germany, China, India, South Korea, and Singapore.

Researchers found that almost three of every four (73%) mobile users claimed that they are not always aware of security threats and best practices when working remotely.

Although many said they are aware "sometimes", more than a quarter (28%) admitted that they "hardly ever" consider security risks and proper behaviour.

When asked why they were lax in their security behaviour, many mobile users offered reasons such as "I am in a hurry," "I am busy and need to get work done," and "it is IT's job, not mine."

Almost half (44%) of all mobile users surveyed said they open emails and attachments from unknown or suspicious sources.

In the UK, China and India, more than half of users admitted to this behaviour. More than three quarters (76%) said it is more difficult to identify suspicious emails and files on PDAs and smartphones than on laptops, because the screens are much smaller.

With recent research from Korn/Ferry International revealing that, globally, 81% of executives are constantly connected via mobile devices, Cisco says the survey's findings are a cause for concern.

One of the issues contributing to a lack of security when the workforce becomes mobile is the end-user perception that corporate mobile devices are also personal devices and that there is little risk involved in some practices.

Fred Kost, Cisco security adviser, said: "Mobile devices have real access to real data. The perception is that it's a personal device – 'I'm on my device.'"

Mobile workers polled said they often use unauthorised wireless connections. One third of mobile users said they use unauthorised wireless, either by hijacking a neighbour's wireless network connection or by using an unauthorised connection in a public place. Such activity is illegal in the UK.

China had the most extreme cases, with 54% saying they've used an unauthorised wireless network.

Ron Teixeira, executive director of NCSA, said: "While this study shows mobility provides businesses with new risks, so do other internet services and new technologies. Mobility and the internet can be used securely and safely if businesses institute a culture of security within their workforce by providing their employees with continuous cyber security awareness and education programs."