Cisco: A Security Force To Be Reckoned With
8/21/2007 -- When it comes to security, Cisco Systems Inc. might be best known for its threat-protection products -- including its firewall, virtual private network (VPN) and intrusion detection system (IDS) offerings.
But thanks to ambitious initiatives such as its Self-Defending Network (SDN) effort, Cisco is incorporating security innovations into its core network solutions. The result, analysts say, is that Cisco has become one of the most recognizable names in the security business -- quite aside from its traditional networking expertise.
"Cisco has generated remarkable market interest in network access control and continues to show a strong commitment to its Cisco Network Admission Control...framework. Cisco is now one of the most recognized and respected security companies in the industry," said Charlotte Dunlap, a senior analyst for enterprise security with consultancy Current Analysis.
Nevertheless, Dunlap doesn't think Cisco has all of its security ducks in a row. "While security enhancements continue to occur in appliances and in the IO, switches and ISR, the company needs to show that it can balance its security appliance product position...designs to build security more tightly into the network infrastructure," she said. "The concern is that in aggregate, the Cisco solutions have too many moving parts and that the Self-Defending Network strategy is adding too many layers of complexity to the network."
And that's not all. In a paradoxical sense, Dunlap pointed out, Cisco's success with NAC has come at a cost: NAC has gotten away from it.
"Cisco has been at the forefront of promoting and building demand for network access control solutions. It has been so successful that it has, in effect, let the genie out of the bottle with the result that NAC has now taken on a life of its own," she said.
At the same time, Dunlap said, Cisco continues to add NAC partners, including heavyweights such as Altiris, Qualys and WholeSecurity/Symantec.
"These vendors are described by Cisco as agentless audit partners and they allow NAC customers to interrogate unmanaged devices through the NAC framework. This capability eliminates a major weakness in the original NAC framework," Dunlap said.
Elsewhere on the NAC front, Cisco continues to build bridges between its own NAC vision and those of its competitors.
"One of the unsettled questions regarding NAC, however, is how it will fit into competing initiatives such as Microsoft's NAP and Trusted Computing Group's TNC," Dunlap said. "Cisco is making significant progress in aligning with NAP, but the company should be more forthcoming with this progress. It should also make a strong public effort to align with TCG, a group that includes Microsoft."
Finally, Dunlap concluded, Cisco should consider building more intelligence into its networking devices.
"Cisco needs to focus on bringing more behavioral analysis and LAN security intelligence to the switch port, so that it depends less on desktop agents and overlay IPS solutions," she said. "Cisco's best value proposition is realized when the network itself is truly self-defending, rather than depending on an overlay of security blades and appliances to achieve network security and compliance goals."
--Stephen Swoyer