“That’ll only stop the ones who actually try
to walk in,” he said as he waved his hand at the door. “All the other
attacks travel over the same wires we use to do our job—and a lot of
them come from inside.”
Nodding at a rack-mounted router, he added, “That’s part of our defense. I wish it’d do more.”
Help may be on the way as two industry
leaders, Cisco Systems Inc. of San Jose, Calif. and Juniper Networks
Inc. of nearby Sunnyvale, battle to provide the best networking
solution. Between them, the two companies account for the majority of
According to figures from information
technology market analysts Gartner Inc., Cisco had at the end of 2003 a
57 percent share of the $2.1 billion annual worldwide market for
service-provider routers. These machines have the largest capacity and
most features. They’re a far cry from the home-office/small-office
routers that Cisco’s Linksys brand sells.
In the service-provider market, Juniper was
number two at 27 percent, but the company’s $179 million in revenue
reported for the last quarter of 2003 represented an almost 25 percent
increase from the previous period. Juniper’s attempt to increase
revenues is succeeding, particularly in the government sector.
“Juniper has won a lot of government contracts lately,” noted Jennifer Liscom, principal analyst with Gartner.
In their contest, Cisco and Juniper are each
being driven by the other and prodded by the marketplace. They’re also
responding to an increasingly hostile world.
According to figures released by the Computer
Emergency Response Team (CERT) Coordination Center, a bastion of
Internet security expertise, there were nearly 138,000 security-related
incidents reported in 2003. That’s a 67 percent jump from the year
before and a 261 percent increase over 2001. The actual number of
affected sites and computers is much higher. Marty Lindner, team leader
for incident handling at CERT, noted that the number of machines
slammed by a single computer worm could be more than eight times the
yearly incident total.
These attacks present a problem in many
different areas. In serving the public, government agencies handling
driver’s license renewals, for example, do so through a website,
leaving them open to assault.
Not Your Father’s Router
That’s where routers come in. As the name
implies, routers send information to the proper place. They tie
together networks and direct traffic appropriately. For the most part,
they do so by examining Internet protocol (IP) data packets and
directing them to the right destination, much the way a letter carrier
puts mail in the right mailbox. Increasingly, everything—from email to
telephone calls to video streams to wireless communications—is running
as IP packets. So routers are handling more and more of the world’s
Stopping threats also requires examination of
flowing data. In this case, the offending traffic stream would ideally
end up in the electronic round file before any harm is done. So in some
ways it makes sense for routers, which are really highly specialized
computers and associated hardware, to handle the chore of halting
malicious data and thwarting attacks.
“That’s really where I believe the next piece
of the battlefield is going to be at: particular products that are able
to provide not just the network capabilities but the security and
policy management,” predicted Miguel Collado, president of Technica
Corp. of Dulles, Va. The company, a Juniper partner, provides
information technology services for such clients as the US military,
the Treasury Department and the Department of Homeland Security.
Currently, routers often incorporate
firewalls. In the past, these sometimes ran on dedicated appliances
that sat in front of the router and looked outward, filtering all
traffic. Wherever they run, firewalls use a checklist, a signature, of
allowed behaviors and connections. If a connection is on the good list,
it’s allowed. Otherwise, it’s refused.
But as Collado noted, a good portion—perhaps
nearing a majority—of intrusions today come from inside a trusted
network. That’s borne out by the 2003 Computer Security Institute/FBI
computer crime survey, which found incidents from inside and outside
networks about equal.
Inside attacks come in different forms. An
employee may click on an e-mailed attachment and unleash a worm. Or in
a more deliberate act, someone may run a spreadsheet, hook up to a
database and suck out social security and bank account numbers. So
firewall-like technology is increasingly being used inside networks to
control access within the network and to the wider Internet.
Given that, the move by Juniper to acquire
Netscreen Technologies, also headquartered in Sunnyvale, earlier this
year in a stock deal valued at about $4 billion made sense. Netscreen
had the security technology that Juniper needed. This included
firewalls, intrusion detection systems, remote access, virtual private
network (VPN) products and IP security, or IPsec, protocols. The latter
supports the secure exchange of packets and is an important building
block to other uses, such as VPNs.
Any added security capabilities would play
off Juniper’s per-flow and per-session tracking. Juniper’s routers can
filter packets, taking different actions depending on characteristics
of the headers of each data packet. Such information might be the
packet’s source, destination, or precedence.
“You could choose to accept a packet if it
had those characteristics, discard a packet if it had those
characteristics or sample a packet if it had those characteristics,”
explained Andrew Ramsey, director of systems engineering for Juniper
That information can be used for everything
from ensuring priority for real-time applications such as voice or
video to intrusion detection to billing to forensic data analysis. Most
importantly, because the main function of routers is to route packets,
this filtering should be done without impacting device throughput or
line bit rates. According to Ramsey, Juniper accomplishes this because
the router chips, which the company designs itself, have the capability
built in from the beginning. Thus, it’s not added at a later time,
which might mean taking a performance hit.
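As an added illustration (not code from the article or from Juniper), this is how the accept/discard/sample filtering Ramsey describes is expressed in Junos firewall-filter syntax. The filter name, the 10.0.0.0/8 internal range and the ge-0/0/0 Internet-facing interface are assumed; each term matches on packet-header fields and then takes one of the three actions.

```junos
firewall {
    family inet {
        filter edge-policy {
            /* Packets arriving from the Internet that claim an internal
               source address are spoofed: count them, then discard */
            term discard-spoofed-internal {
                from {
                    source-address {
                        10.0.0.0/8;
                    }
                }
                then {
                    count spoofed-internal-source;
                    discard;
                }
            }
            /* Copy packets carrying high IP precedence to the sampling
               engine for later forensic review, then forward them */
            term sample-high-precedence {
                from {
                    precedence [ critical-ecp internet-control ];
                }
                then {
                    sample;
                    accept;
                }
            }
            /* Everything else is routed normally */
            term accept-rest {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                /* Assumed Internet-facing interface; the filter is
                   evaluated on inbound packets only */
                filter {
                    input edge-policy;
                }
            }
        }
    }
}
```

The sample action only produces records once a sampling instance is configured under forwarding-options, which is omitted here; the count action lets the spoofed-packet total be read from the filter's counters without any extra configuration.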
One characteristic of Juniper routers that
impacts security indirectly is the fact that a single software binary
image runs on all platforms. Achieving this requires Juniper’s software
engineers to build different bits of microcode and different drivers so
that the software can control the different underlying pieces of
hardware. But that means customers don’t have to worry about tracking
which routers are running which version of code, making it easier to
keep all routers current with the latest software, noted Ramsey.
“It makes things a little bit more
complicated for us internally from a development point of view, but we
think that the advantage to the customers outweighs all that,” he said.
Juniper’s latest routers also support IPv6,
the next-generation protocol that offers extra features and security.
The Department of Defense and other government agencies are requiring
all products support IPv6 so that a changeover can be made at a later
date. In the case of the DOD, this is supposed to take place in 2008.
Huge and fast
In 2002, Juniper and its T640 router
leapfrogged Cisco at the high end of the market. However, Cisco was not
content to let its rival upstage it. After years of hush-hush
development and an expenditure of $500 million, the networking giant is
now rolling out its latest high-end product. Dubbed the CRS-1, it is
being tested by various carriers before it becomes widely available in
July. The CRS-1 provides 1.2 terabits per second routing capacity,
reportedly twice that offered by Juniper’s T640. As many as 72 of
Cisco’s new routers can be hooked together so that rates as high as 92
terabits per second can be achieved.
In officially announcing the new router in
late May, Cisco also said that routers could be added and removed from
the cluster without having to turn off the entire system. Juniper’s
product also can be interconnected, but not in anywhere near as large a
On the other hand, the CRS-1 reportedly has
some problems. Its first incarnation requires a non-standard rack
width. It also doesn’t—at least initially—fully support IPv6. These
problems are supposed to be corrected in later hardware and software by
the end of 2006.
Another complication is the product’s use of
the company’s latest Internetwork Operating System (IOS). This version
of IOS, called XR, is based on a modular design and should improve
reliability and management. But, like a new version of Windows or MacOS
in the desktop world, the new IOS may cause unexpected problems and
Also, instances of theft of IOS code have
been reported, the latest in May of this year. Just how much was stolen
and which versions of IOS are affected is being investigated and for
now is information Cisco is keeping under wraps. Reports put the total
code swipe at 800 megabytes; if true, this could expose the software
innards of Cisco routers to all sorts of attacks. In an official
statement, the company said it believed the publication of the
information on a foreign website did not increase customer
vulnerability and that it was working with the FBI and other
law-enforcement agencies on the theft.
The fact that Cisco runs different binary
images may, in this case, turn out to be a plus since the stolen
information might not affect all the images. But the company doesn’t
run multiple images as a protection against thieves, according to Cisco
senior director of product marketing Jeffrey Platon. Instead, he said
that some customers wanted the most advanced features, while others
insisted on the greatest stability.
“Our customers actually are asking for
different levels of features depending on the kind of environment
they’re in,” Platon said. “This is an issue we face all the time, and I
don’t think it’s ever going to go away. So we have to provide multiple
trains, literally, to meet customer requirements.”
On the security front, Cisco, like others, is
attempting to move beyond signature-based solutions. Such systems,
whether in firewalls or antivirus software, mean that somebody must
actually encounter and suffer a particular bug before a signature can
be developed. The preferred solution is to stop threats before they
start by keying off of some particular aspect, such as attempts to move
files rapidly across a network. That, however, requires a different
approach—one that works by rules instead of signatures. For Cisco, this
means developing software to run on more than routers.
“We’ve moved into the security software agent
business both for desktops and servers, as well as looking at
behavioral anomalies in the network traffic,” Platon said. Such agents
are part of what Cisco describes as the self-defending network.
But even with all the innovations from Cisco
and Juniper, there are those who feel that routers can’t supply the
needed security—yet. New York-based Aspire.net Managed Systems Inc.
runs a Cisco-powered network serving legal firms on the East Coast. As
such, the company must maintain strict confidentiality and also must
ensure that it’s not a conduit for worms and other attacks on its
clients. Aspire.net uses an appliance, a rule-based device, before the
router to ensure this. Sam Collier, CEO of Aspire.net, noted that this
said more about the state of today’s routers than his dealings with
“While our experience with Cisco was
positive, we never—forget about the brand or the product—we never saw
just ending our edge with a router as a good security option,” he said.
“You need something more intelligent.” HST
Hank Hogan is an Austin, Texas-based writer who has covered technology, data centers and security. His work has appeared in New Scientist, Air & Space, Smithsonian, Information Security and a number of other magazines.
Cisco – www.cisco.com
Juniper – www.juniper.net
CERT – www.cert.org/stats/cert_stats.html
CSI/FBI computer crime survey – www.gocsi.com/
The Juniper drive
In the battle between Cisco and Juniper,
Juniper’s secret weapon is a slim, scrappy and energetic vice president
for federal systems, Dubhe Beinhorn.
Beinhorn’s 24-year sales career is a history
of the American information technology industry, including the likes of
Xerox, Harris, American Satellite Co. (Contel), Netrix Corp. and NET
She came to Juniper three years ago and wrote
the business plan that led to the establishment of Juniper’s Federal
Systems Group. Now she heads the group, expanding its reach beyond its
previous tight circle of intelligence customers.
Beinhorn has set her sights on the Department
of Homeland Security (DHS), and homeland security in general, as a
“We’re targeting homeland security as one
area and we want to make sure they understand our technology,” she
said. “It’s an organizational challenge for them to collapse 22
agencies into one. From our perspective, Cisco has a hundred people on
DHS, so we’re trying to be very smart and very clever.”
In that regard, Beinhorn is touting the
filtering capabilities, security, scalability and ease of use of
Juniper routers. She hopes to build on Juniper’s success with the
Defense Information Security Agency to increase its market share in
“I think if you look at our history and look
at our movement now and compare, what you’ll see is a company that
evolved based on superior technology,” Beinhorn pointed out. “We took
on Cisco, which is daunting, they’re a very viable competitor that we
have enormous respect for. But we introduced a product, the M40, which
was our first product to the service provider community five years
ago.” Today, Juniper is used by 23 of 25 global service provider
“There’s a reason for that,” Beinhorn
emphasized. “The reason is that the technology was measured against
what Cisco could offer and it was deemed that we were a better fit.”
Juniper will continue to roll out new,
cutting-edge products, Beinhorn vowed: “We are, in fact, looking out to
the whole communications requirement and I think that you’ll see
Juniper maintain its aggressive posture with respect to best-of-breed
A Cisco view from top
To hear Greg Akers tell it, Cisco did homeland
security before it was cool. Akers should know. After starting his
career as a networking engineer at Cisco, he’s now the senior vice
president and chief technology officer for Cisco’s Global Government
Solutions Group. The group works with governments around the world. In
the United States, Akers noted, Cisco did business with the agencies
that currently make up DHS prior to the department’s formation.
That commitment continues today, as the
company is active in a number of security areas. Cisco CEO John
Chambers was appointed by President Bush to serve on the National
Infrastructure Advisory Council.
“We also have groups within Cisco that are
completely dedicated to working homeland security issues,” Akers said.
As an example, he cited the company’s internal Homeland Security team,
which supports DHS and other agencies. He also noted that well before
Sept. 11, 2001, the company established another internal effort, the
Critical Infrastructure Assurance Group, to work with other companies
in the industry, as well as colleges and universities in research and
education on security-related topics.
Akers’ familiarity and Cisco’s involvement
with government security concerns is evident in his command of the
acronyms and programs under his purview, including InfraGuard, PCIS
(Partnership on Critical Infrastructure Security) and IT-ISAC
(Information Sharing Analysis Center). In 2002, Akers served as
president of IT-ISAC, an Arlington, Va.-based industry organization
that provides a forum for sharing information about network
vulnerabilities and effective solutions.
As for the direction of Cisco’s
government-related efforts, Akers pointed to the growing number of
router applications involving voice and wireless. He added that
securing all the functions of a router involves protecting key
components, as well as having well-understood security policies and
Akers summed up the situation and Cisco’s
overall approach: “There is not just one technology that addresses the
need,” he said, “but several solutions that are important in this