Cisco spreads security over wired and wireless

Cisco has combined its wireless security measures with wired security features, but analysts question whether the end-to-end approach adds much.

"We're taking security features from our wireless products, and applying them across the wider network," said Chris Kozup, manager of mobility solutions at Cisco. Under the Cisco Secure Wireless Solution brand, security benefits will flow in both directions, he said.

The announcement is a software upgrade and a set of guidelines to integrate Cisco security products designed for the wired network with security features from the switched wireless LAN technology which Cisco acquired with Airespace in 2005, and delivered on blades for its major switches. .

The new capabilities are available to any customer with current Cisco software, said Kozup. Customers can use the guidelines themselves to build a security architecture or enlist the help of Cisco's services organisation or third parties.

Wireless clients have had to connect manually to Cisco security products such as the Network Access Control Appliance, but this is changed, said Kozup: "When a user logs in, authentication of that user in the NAC appliance is now handled transparently," said Kozup. "You don't have to log in twice."

The system also makes the RF-level intrusion detection and prevention functions in Cisco's wireless products more powerful by linking them to related application-level features in its wired portfolio. In the wireless world, controllers have used these features to contain "rogue" access points, but now suspicious behaviour picked up by security systems on the wired network can be met by a physical-layer RF response.

"The wireless controller can block a client at the physical RF layer from associating with an access point," said Kozup. "We are combining the ability to detect anomalies at physical layer, with our application layer ability, so the controller can take a more active role in protecting the network."

The combination should help in the overlap between wired and wireless - for instance ensuring that when a laptop is connected by a wired port, its wireless NIC will be turned off automatically to prevent an attacker from using the wireless connection as a path on to the wired LAN.

Wireless LAN vendors including Aruba and Trapeze have been adding security features for some years, with Aruba in particular making it a major part of its IPO pitch, but Cisco's wired expertise and dominance in that market allow it to go one better, said Kozup: "Aruba has the wireless part of this, but it would need to partner with a wired provider. Only Cisco can provide an end-to-end architecture, with client assessment, wireless IDS and IPS down to the software level. If you have five mgt frameworks and five vendors, imagine the headache that is going to cause."

Cisco's new approach may not be significantly more secure than other options, but it can simplify life for IT administrators, said Farpoint Group analyst Craig Mathias. For one thing, it's easier if security for both parts of the network uses a single directory of users, he said.

Others are more sceptical: "This is Cisco assuming the network perimeter needs to be protected right at the every edge, rather than a more centralised approach," said Burton Group analyst Dave Passmore. There are no significant threats to an enterprise LAN that can't be handled from within the wired part of the network, he said

The architecture includes Cisco's NAC, ASA firewall, Cisco Security Agent (CSA), Cisco IPS (Intrusion Prevention System) software, Cisco Secure ACS (Access Control Server) and Cisco Secure Services Client.

Stephen Lawson, IDG News Service, contributed to this report