Cisco's SSL VPN Mixed Bag
2/21/2006 -- It was at last year's RSA security confab that Cisco Systems Inc. kicked off its extreme security makeover. There, you'll remember, Cisco chief John Chambers outlined an ambitious new security strategy during his keynote, and Cisco itself announced 10 new security-related products, enhancements and services.
At this year's RSA Conference 2006 event, Cisco once again made headlines -- this time for revamping its SSL VPN portfolio, tweaking SSL VPN licensing, and augmenting its SSL VPN stack with new Anti-X capabilities.
For the record, Cisco announced a new Content Security and Control security services module (CSC-SSM) for its Cisco Adaptive Security Appliance (ASA) 5500 Series. The CSC-SSM provides Anti-X services (anti-virus, anti-spyware, anti-spam, anti-phishing, content, file and URL blocking and filtering) and was developed in tandem with anti-virus specialist Trend Micro Inc.
The new SSL VPN services (available on the ASA 5500 and on Cisco's IOS routers) are available for a single concurrent user license fee. The SSL VPN features are licensed in 10-, 25- and 100-user increments for $30 per user.
Analysts say Cisco's SSL VPN refresh is something of a mixed bag. "[T]hese new features are critical for Cisco to be competitive in the evolving market for remote access and unified threat defense," writes Joel Conover, a principal analyst for enterprise infrastructure with consultancy Current Analysis.
For one thing, Conover notes, the new SSL VPN features help Cisco make good on its promise to bring full SSL VPN functionality to the ASA-5500 platform; what's more, they expand on this promise by delivering a subset of SSL VPN functionality on IOS-based routing platforms from Cisco's 800 series through the 7200 series. "The new SSL VPN functionality also comes with a price. SSL VPN is no longer a free feature on Cisco platforms; instead, it is now a licensed feature. Cisco also introduced Anti-X services for the ASA-5500 platform via a new content security module on the ASA platform. However, this functionality is mutually exclusive of Cisco's advanced IDS support, diminishing the competitive impact in the highly competitive UTM market," Conover writes.
Cisco's SSL about-face also contradicts its own long-standing position, Conover notes. "Cisco spent a great deal of time educating the market [that] SSL was just another form of transport for remote access, and that it should be a 'free' feature of remote access platforms. Its recent change in product licensing for SSL VPNs is a 180-degree shift from that messaging, and gives competitors an open license to attack Cisco's tactics," he points out.
Finally, changes Cisco has made to the licensing of its SSL VPNs could negatively impact some existing ASA owners, Conover concludes. "While the SSL VPN feature set is now complete on the ASA, a small subset of that functionality was already available on the ASA platform, and that existing functionality was available for use at no charge." -Stephen Swoyer