Cisco Systems Inc. on Tuesday announced a host of new products and services that extend the companys Self-Defending Network security program and protect against so-called “zero day” Internet attacks.
The San Jose, Calif., networking equipment maker announced a new Incident Control System that will combine security intelligence from Trend Micro Inc. with Cisco routers and switches, as well as updates to its IOS (Internetwork Operating System) and IPS (Intrusion Prevention Systems) software that will help prevent malicious code outbreaks.
The new security programs are the first major update to the Self-Defending Network program in months. They address customer demands for new tools that can protect against previously unknown threats and spread protection across an entire network, said Joel McFarland, manager of security product management at Cisco.
The new Incident Control System, or ICS, combines real-time intelligence from Trend Micros TrendLabs with Cisco routers and switches, as well as dedicated IPS appliances and multi-function devices like the Cisco Adaptive Security Appliance.
Cisco customers will use a new piece of middleware called the Cisco Incident Control Server, which uses Trend technology to create security policies that will mandate particular actions based on the Trend intelligence. For example, a new virus or worm that is spreading through a specific communications port would trigger a policy to block that port. The ICS device will transmit that policy to Cisco routers and switches as new ACLs (access control lists) that block the targeted port, McFarland said.
Once a new threat is better understood, an IPS signature can be distributed that identifies and blocks the specific virus or worm traffic, without requiring the port to be closed, he said.
Cisco and Trend Micro already have strong ties. Trend is a member of Ciscos Network Admission Control (NAC) program. Trends worm and virus signatures are also used in Ciscos IPS products, McFarland said.
Also on Tuesday, Cisco unveiled technology that allows companies to centrally control IPS devices on an enterprise network.
Distributed Threat Mitigation for Cisco IPS is a new collaborative system that distributes updated IPS signatures to all Cisco routers when new, active threats are detected. Cisco customers who use an updated version of the companys Security Monitoring, Analysis and Response System (CS MARS) system will be able to push threat mitigation instructions across enterprise networks to Cisco routers that have IPS services enabled.
The Distributed Threat Mitigation is a change from traditional IPS deployments, which focus on blocking threats locally, but dont coordinate attack data with other IPS installations in other areas of the network, McFarland said.
Finally, Cisco is releasing updates to its IOS operating system and IPS Sensor Software.
IPS Sensor Version 5.1 will allow companies to expand the kinds of traffic that can be inspected by the IPS device to include MPLS (multi-protocol label switching) VPN sessions, Internet Protocol version 6.
An updated version of IOS, 12.44t, includes expanded features for creating ACLs. Cisco administrators can now create ACLs that do deep packet inspection, looking at packet header information, code offsets and pattern matching, McFarland said.
Ciscos new ICS and Distributed Threat Management products will be available in October. ICS starts at $9,200, and Distributed Threat Management will be available to CS-MARS customers who have purchased a support contract.
The updated version of Cisco IPS is due out this month. The next update to IOS is due in November, Cisco said.
Simpler-Webb Inc. evaluated the new ICS technology and found that it was useful for pushing out ACL filters to a large number of routers and switches, said Jeff Simpler, CEO of the Austin, Texas-based managed security services and consulting firm.
“Its another way to rollout a specially-tuned signature fast. Youve got one server to go to, versus doing a massive update to all your signatures on all your (IPS) sensors,” he said.
However, the ICS product has some blind spots, Simpler said.
“We dont know how affective it will be when a worm comes out that uses a well-known port like Port 80 [used for Web traffic]. You cant filter that,” he said.
Editors Note: This story was updated to include comments from a Simpler-Webb official.
