Bob Gleichauf, VP and CTO of the San Jose, California-based networking company’s security technology group, said imbuing the IPS portfolio of appliances and modules with anomaly detection is key to overcoming the limitations of signature-based inspection in the context of encrypted traffic. “I hear lots of dedicated IPS vendors saying how much traffic their products can inspect, but they never mention the fact that they’re forwarding all the encrypted stuff,” he said.
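The limitation Gleichauf describes is easy to see in code. The following is an added illustration written for this article, not Cisco code: a signature check that can only match bytes it can read, beside a per-host volume baseline that still flags an encrypted flow whose outbound byte count is far outside what that host normally sends. The signature strings, host addresses and flow records are all constructed sample data; the z-score threshold of 3.0 is an assumed tuning value.

```python
"""Signature inspection versus baseline anomaly detection on sample flows.
Added example for this article; not Cisco's implementation. All flow
records, signatures and addresses below are constructed for illustration."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Flow:
    src: str          # source host (constructed address)
    dst_port: int
    bytes_out: int    # bytes sent by src over the flow
    encrypted: bool   # True when the sensor sees only ciphertext
    payload: bytes    # the bytes the sensor can actually read


# Hypothetical plaintext markers a signature engine would search for.
SIGNATURES = [b"cmd.exe /c", b"UNION SELECT"]


def signature_hits(flow: Flow) -> list:
    """Return the signatures found in the visible payload.

    Ciphertext never contains the plaintext marker, so an encrypted flow
    produces no hits regardless of what it carries."""
    return [s for s in SIGNATURES if s in flow.payload]


class VolumeBaseline:
    """Per-host baseline of outbound bytes, learned from benign history.

    A flow is anomalous when its byte count sits more than z_threshold
    standard deviations above the host's mean. This needs no payload
    visibility, which is why it still works on encrypted traffic."""

    def __init__(self, training, z_threshold: float = 3.0):
        self.z_threshold = z_threshold
        by_host = {}
        for f in training:
            by_host.setdefault(f.src, []).append(f.bytes_out)
        # Guard against a zero deviation (all-identical history).
        self.stats = {h: (mean(v), pstdev(v) or 1.0) for h, v in by_host.items()}

    def score(self, flow: Flow) -> float:
        mu, sd = self.stats.get(flow.src, (0.0, 1.0))
        return (flow.bytes_out - mu) / sd

    def is_anomalous(self, flow: Flow) -> bool:
        return self.score(flow) > self.z_threshold


def triage(flow: Flow, baseline: VolumeBaseline) -> dict:
    """Combine both checks into one verdict for a flow."""
    return {
        "signature_match": bool(signature_hits(flow)),
        "volume_anomaly": baseline.is_anomalous(flow),
        "encrypted": flow.encrypted,
    }


# Constructed benign history for one host: ~2,000 bytes out per flow.
TRAINING = [
    Flow("10.0.0.5", 443, n, True, b"\x17\x03\x03")
    for n in (1800, 2100, 1950, 2200, 2000, 1900, 2050, 2000)
]
BASELINE = VolumeBaseline(TRAINING)

# Constructed test flows.
PLAINTEXT_ATTACK = Flow("10.0.0.5", 80, 1900, False,
                        b"GET /?id=1 UNION SELECT 1,2 HTTP/1.1")
ENCRYPTED_NORMAL = Flow("10.0.0.5", 443, 2100, True,
                        b"\x17\x03\x03\x00\x20\x8a\x11\xf0")
ENCRYPTED_EXFIL = Flow("10.0.0.5", 443, 48_000_000, True,
                       b"\x17\x03\x03\x40\x00\x2b\xc9\x7e")

if __name__ == "__main__":
    for name, f in [("plaintext attack", PLAINTEXT_ATTACK),
                    ("encrypted normal", ENCRYPTED_NORMAL),
                    ("encrypted bulk upload", ENCRYPTED_EXFIL)]:
        print(f"{name:22s} z={BASELINE.score(f):8.1f} {triage(f, BASELINE)}")
```

Run as a script, the plaintext flow is caught by the signature, the encrypted normal flow passes both checks, and the encrypted bulk upload produces no signature hit but a very large z-score. In practice a sensor would baseline several features per host and port rather than a single byte count, but the division of labour is the same: signatures for what can be read, baselines for what cannot.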
Cisco already has anomaly detection in both its Cisco Security Agent (CSA) software client for host devices (PCs and laptops) and the Cisco Guard DDoS Mitigation Appliances and Traffic Anomaly Detectors it acquired when it bought Riverhead two years ago. The idea now is to add that same expertise to the IPS product line, all the way down to individual ports on the Catalyst switches bearing the modules.
In addition, Gleichauf said CSA will be able to share state with IPS to make what he called service chaining possible. “They’ll be able to share state to determine what’s going on in the network,” he said, adding that the company wants the Monitoring, Analysis and Response System appliance (the result of the acquisition of Protego Networks in December 2004) to be the authority for regulating [security] policy, with its ability to correlate events and its awareness of the individual network’s topology.