Thursday, September 16, 2004

Cisco Announces New Routers with Focus on Security

Two days ago Cisco announced a new set of Integrated Services Routers, including the 1800, 2800, and 3800 series. For historical comparison, the 2600 was announced in March 1998 and the last enhancements to that line, the 2600XM series and 2691, were announced in June 2002.

The press release shows an interesting bias; emphasis is added:

"Cisco Systems today announced a new line of integrated services routers, the industry's first routers to deliver secure, wire-speed data, voice, video and other advanced services to small and medium-sized businesses (SMBs) and enterprise branch offices, as well as service providers for managed network services offerings. Founded on 20 years of routing innovation and leadership, the new Cisco 1800 Series, Cisco 2800 Series and Cisco 3800 Series integrated services routers are the first to provide customers with an infrastructure that enables fast, secure access to today's mission-critical business applications with optimized security, while establishing a foundation for tomorrow's intelligent networks."

In two sentences we have three references to security, two to speed, and one showing Cisco's attempt to leverage its longevity as a selling point. Cisco doesn't seem to think that routers just need to get packets moved quickly from one node to the next. Now they are security devices. The security features document offers these enhancements:

"Secure connectivity: Provides secure and scalable network connectivity, incorporating multiple types of traffic. Examples include VPN, Dynamic Multipoint VPN (DMVPN), Multi-VRF and MPLS Secure Contexts, Voice and Video Enabled VPN (V3PN), and secure voice.

Threat Defense: Prevents and responds to network attacks and threats using network services. Examples include Cisco Intrusion Prevention System (IPS) and Cisco IOS Firewall.

Trust and Identity: Allows the network to intelligently protect endpoints using technologies such as Network Admission Control (NAC), Identity services and AAA.

Network Infrastructure Protection: Protects the network infrastructure from attacks and vulnerabilities, especially at the network level. Examples include control-plane policing, Network-Based Application Recognition (NBAR) and AutoSecure."

Not all of these features, like NBAR, are new. What they all need, however, is lots of memory. The Quick Access Routers Quick Reference Guide (.pdf) for the older series of Cisco routers shows much lower DRAM and Flash figures. With the new 2800 series, for example, the 2811, 2821, and 2851 routers offer 64 MB of Flash and 256 MB of DRAM memory by default. My 2651XM originally had 16 MB Flash and 64 MB DRAM. Notice how the ability of a router to become a VPN concentrator, firewall, IDS, and "IPS" is seen as an improvement.

While all the additional features put more capabilities into a single box, I'm not sure I like the complexity and opportunities for exploitation. As the Cisco router becomes more complex and involved in the network, it will be more likely to be compromised. Since no one usually bothers to monitor traffic to and from routers themselves, I see a bonanza for the likes of Phenoelit who specialize in discovering flaws in "appliances" like routers and printers.
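A defender's response to that last point, added here as an example and not part of the original post: a small Python flow monitor that treats the routers themselves as monitored assets. It reads flow records (the kind a NetFlow export or a session sensor produces), raises an alert when a management service on a router is reached from outside the admin network, and raises another when a router initiates a connection to a destination it has no business talking to. The router addresses, admin network, expected peers, port list and flow records are all constructed sample data and assumptions, not anything from Cisco or the post.

```python
"""Flag traffic to and from router addresses in a set of flow records.

Added illustration, not code from the blog post.  All addresses, networks,
port choices and flow records below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: management services a router commonly exposes on its own
# interfaces.  Tune per deployment; the idea is that *any* hit on these
# from outside the admin network deserves a look.
MGMT_PORTS = {22: "ssh", 23: "telnet", 80: "http", 161: "snmp", 443: "https"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int
    nbytes: int


def flag_router_traffic(flows, router_addrs, admin_nets, router_peers):
    """Return (flow, reason) pairs for conversations that involve a router.

    router_addrs : interface addresses of the routers being watched
    admin_nets   : networks allowed to reach router management services
    router_peers : hosts a router is expected to contact on its own
                   (syslog, NTP, AAA, TFTP); router-to-router traffic such
                   as routing protocols is left alone
    """
    routers = {ip_address(a) for a in router_addrs}
    nets = [ip_network(n) for n in admin_nets]
    peers = {ip_address(p) for p in router_peers}
    alerts = []
    for f in flows:
        src, dst = ip_address(f.src), ip_address(f.dst)
        if dst in routers and f.dport in MGMT_PORTS:
            # Inbound to a management service: only the admin network may.
            if not any(src in n for n in nets):
                alerts.append((f, f"{MGMT_PORTS[f.dport]} to router from non-admin host"))
        elif src in routers and dst not in routers and dst not in peers:
            # Router talking to something other than a known peer or router.
            alerts.append((f, "router-initiated connection to unexpected peer"))
    return alerts


# Constructed sample data: two routers, one admin subnet, one syslog peer.
ROUTERS = {"10.1.1.1", "10.1.1.2"}
ADMIN_NETS = ["10.1.1.0/24"]
ROUTER_PEERS = {"10.1.1.10"}
SAMPLE_FLOWS = [
    Flow("10.1.1.50", "10.1.1.1", "tcp", 22, 4200),      # admin host -> router ssh
    Flow("10.2.5.77", "10.1.1.1", "tcp", 23, 310),       # user desktop -> router telnet
    Flow("10.2.5.77", "10.1.1.1", "udp", 161, 120),      # user desktop -> router snmp
    Flow("10.1.1.1", "10.1.1.10", "udp", 514, 2000),     # router -> syslog server
    Flow("10.1.1.1", "10.1.1.2", "tcp", 179, 900),       # router -> router (bgp)
    Flow("10.1.1.1", "198.51.100.9", "tcp", 80, 15000),  # router -> outside web host
    Flow("10.2.5.77", "10.2.5.80", "tcp", 445, 8000),    # host -> host, no router involved
]


def run_sample():
    """Run the monitor over the constructed flows and return its alerts."""
    return flag_router_traffic(SAMPLE_FLOWS, ROUTERS, ADMIN_NETS, ROUTER_PEERS)


if __name__ == "__main__":
    for flow, reason in run_sample():
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}  {reason}")
```

On the sample data this yields three alerts: the telnet and SNMP attempts from a desktop outside the admin subnet, and the router opening a web connection to an outside host. The admin SSH session, the syslog export and the router-to-router BGP session pass silently, which is the point: the rule set is small because the legitimate set of conversations involving a router is small, so watching it costs little.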

The key future development for the Cisco router franchise will be the modularization of IOS, perhaps built on QNX, as is already the case in the latest CRS-1 Carrier Routing System.

1 comment:

Serg said...

Cisco makes good routers.
D-Link, 3COM and ZyXel are also reliable.