Cisco fights to keep No. 1 spot in network security
- 18 November, 2008 08:49
Cisco's the king of network security, commanding almost a quarter share of the worldwide US$6.8 billion network security market, according to IDC. But can it hold the fort?
Tops in selling firewalls, VPNs, intrusion-protection systems and unified threat management (UTM) gear, Cisco nonetheless fights an ongoing battle to be recognized as best-of-breed as it jousts against Juniper and a host of pure-play security vendors, including Fortinet, McAfee and TippingPoint.
Complicating matters is the fact that Cisco sells a substantial portion of its security wares not as purpose-built standalone gear, such as appliances, but as software integrated-services modules that are installed inside Cisco routers and switches.
While all customer networks have different traffic patterns, there's growing doubt about how well these firewall, VPN and IPS modules hold up trying to handle process-intensive security functions.
"It presents a tremendous bottleneck," says Vik Phatak, chair and CEO of NSS Labs, which has just completed an extensive round of tests of security gear, including that from Cisco, Juniper, IBM, McAfee, and TippingPoint, in its labs.
NSS Labs will publish its findings about firewalls, IPS and UTM early next year, but Phatak says he has concluded that there are clearly performance drawbacks to using the Cisco security functions in routers and switches.
"Using IPS in your router can turn a 60G router into a 5G one or even a 100M bit/sec device," says Phatak. "There are performance bottlenecks." He adds that sometimes security functions simply can't keep up when speeds are high.
But Phatak also points out that the tests of Cisco's standalone security appliances fared quite well against its rivals' equipment in the NSS Labs environment, which included simulation of perimeter, internal network and e-commerce. "TippingPoint, McAfee, Juniper, Cisco and IBM are all 'Grade A,' " Phatak says.
Cisco says the effectiveness of the software-based security modules in routers and switches depends on the use case, and it helps customers work out any problems that crop up. Cisco indicated its network security sales are split fairly evenly between the modules and appliances. And there are no plans to change the integrated security services strategy.
Page Break"We're making security part of the fundamental services in routing, wireless and switches," says Bob Gleichauf, CTO of Cisco's Security Technology Group. "Customers should be pushing the envelope with us."
Cisco's prominence as a network provider has contributed to its success in the security market, say several analysts, a statement with which Cisco agrees. "We're an end-to-end vendor," Gleichauf says. "If customers have a problem, we'll show up."
Strategic vendor vs. best-of-breed
Cisco's prominence in security reached a turning point this year, according to an annual survey by Nemertes Research of security professionals at about 80 companies who were asked if they preferred to have a "strategic security vendor" or "best-of-breed."
For the first time the majority indicated that they were looking to have a strategic vendor in security, and Cisco was the first choice -- the second being Microsoft.
"In 2007 and 2008, a shift occurred here," says Andreas Antonopoulos, senior vice president at Nemertes, noting the annual survey includes in-depth interviews with respondents. "Up to 2008, the answer to the security vendor question was 'best of breed.' "
With best-of-breed, though, you may end up with 15 different "point solution" vendors for IPS, antivirus and so forth, says Antonopoulos. "Security is one of the most fragmented industries."
Security managers today don't appear to be as inclined to go through the laborious process of evaluating best-of-breed security products, Antonopoulos says. In greater numbers they're opting for Cisco largely because of the perception that they gain operational efficiencies.
"Operationalizing security is as good as having best-of-breed," says Antonopoulos. "Why Cisco? Because they integrate security features on top of the network, QoS and switching."
Though not all observers view Cisco as both best-of-breed and strategic in security.
"Cisco does not have a best-of-breed security product," says Richard Stiennon, analyst with consultancy IT-Harvest. "Cisco's weak underbelly is their lack of good security products. Best-of-breed would be Fortinet in UTM or TippingPoint in IPS."
Page BreakStiennon says Cisco's security is not actually "integrated, except on the purchase order, because for years and years they haven't delivered on an effective central management platform for the enterprise." Customers are stuck managing the security functions from different consoles anyway even if it's inside the switch or router, he says.
Some security managers in organizations with large Cisco networks are searching for the middle ground, open to using products from Cisco or the pure-play security vendors competing in IPS, UTM, firewall/VPNs and also network-access control.
James Perry is executive director of IT security and information security officer for the University of Tennessee. Cisco routers and switches provide the university's network foundation, but the five main campuses each went their own way in choosing a network security path. A variety of Check Point, Juniper, TippingPoint, Cisco appliances co-exist on the Cisco router and switch network, and logged security data is consolidated through an ArcSight system.
The Knoxville campus a few years ago tried testing the Cisco firewall services module when it was still new, but Perry says it didn't work well at the time for the data center, so the university decided on the Juniper NetScreen 5400 instead.
That's not to say Perry is opposed to services modules or Cisco security gear, and other campuses at the school use Cisco's multipurpose Adaptive Security Appliance, which combines security functions.
"It all depends on the goals of your project," says Perry, who's starting a network access control evaluation for the university to enforce policy-based access for students and staff. Candidates with NAC-style options under review are TippingPoint, Juniper, Cisco and Microsoft, among others.
Cisco's success in the security market is unlikely to abruptly slow down, says Andrew Hanson, associate research analyst for network security and endpoint security at IDC. But he notes that the firewall market, where Cisco dominates, is expected to start declining this year, possibly displaced by multipurpose UTM-style products.
Will Cisco be able to hold the security fort? "Cisco is a giant and is always going to be a player," Hanson says.