As Interop 2011 in Las Vegas, a UBM TechWeb event, was winding down I got a chance to speak with Pat Calhoun, vice president and general manager of the security systems unit at Cisco, about the company's efforts to help enterprises secure branch office communications while conserving WAN bandwidth, even as they use more SaaS and cloud-based services. He also discussed ways IT managers will be able to impose policy on the multiple devices connecting to enterprise networks and unify management of wired and wireless traffic.
InformationWeek: What are the significant Borderless Networks announcements coming out of the show for Cisco?
Pat Calhoun: We announced the integration of ScanSafe [Cloud Web Security] in the ISR [Integrated Service Router]. So really it addresses a trend that we're seeing in the industry among enterprises that have a lot of branch remote offices. Currently what they do is send all the traffic through the WAN interface back into corporate, the main campus. The trend that we're seeing is that people really want to be splitting off traffic that's destined to the Internet--the Salesforce.com or other SaaS and cloud-based applications--and go directly to the Internet as opposed to leverage the WAN bandwidth to go back to the campus. But they want to make sure that they're doing the proper level of policy enforcement and security monitoring of all the traffic.
So with the integration of ScanSafe in the ISR, all traffic now gets sent to one of the ScanSafe towers. Through the ScanSafe tower we can do content inspection and a variety of different security capabilities that we can actually provide on the traffic itself. So it now give you peace of mind where you can actually define a single policy on how you want to monitor and enforce your traffic, and it gets enforced for the traffic that goes into the campus and the traffic that goes directly to the Internet from the branch office. From an optimization standpoint of the traffic, it's much better. You don't have to send everything back [to the main data center].
InformationWeek: Because that gets expensive.
Calhoun: Exactly. The second announcement that we did is our new policy management platform called Identity Services Engine. So what we've seen in the industry is there's been a huge push toward securing users, understanding who the users are that are connecting to the network, a desire to have more visibility into what type of devices are connecting into the network. This has been spurred by the introduction of iPads and all the different tablets, [and the fact that] a lot of enterprise customers actually don't have a view into what's connected to the network. Are they enterprise devices, are they consumer devices?
What Identity Services Engine allows you to do is to get that level of visibility and enforcement. So an enterprise can now define a policy that says, "Only corporate assets are allowed on the network. Employee devices are not allowed on the network." Or you can have a policy that says, "If it's a consumer device you're allowed on the network, but there's only certain things that you can do." Perhaps you can't download corporate IP, and maybe you can get your email. We're seeing a variety of different types of policies that are being enforced with these types of capabilities.
The Identity Services Engine is integrating five policy servers that Cisco had: guest server; profiling; posture, which is the ability to set a policy on the health of the device, is it running the right firewall, does it have the right Windows patches, and so on; as well as the actual authentication of the user.
It's really a first in the industry in terms of integration of all those types of capabilities into a single console, a single view.
InformationWeek: Why are customers coming to Cisco for these products?
Calhoun: One driver is compliance. What I'm finding out as I talk to our customers is that most customers have a policy around who is allowed on the network, but very few even have a way to determine who is on their network. There's just thousands and thousands of devices. In fact, one customer that we worked with thought that they had about 75,000 devices. Turns out they had 125,000 devices.
People just want to know: What's on my network, how do I control it, and do I have the tools that I need to be able to report back to my auditors that I'm actually enforcing the policy that I've created?
InformationWeek: How many of the functions that would normally require a specialized mobile device management tool can you take care of here?
Calhoun: Identity Services Engine is more on infrastructure management side, less on the endpoint management side. We do have AnyConnect that's part of our offering. It's basically our endpoint that runs on traditional laptops and well as smartphones. I have it on my iPhone. It's available on Apple [App] Store. But basically what it does is it's a connectivity tool, and it ensures that I'm always securely connected to my enterprise. So it's a VPN client [and] part of our overall solution that hooks back into how Identity Services Engine authenticates the endpoint. But ISE itself is not a device management platform. It's more of a policy management platform.
InformationWeek: You have a wireless background, obviously, from Airespace. What are Cisco's plans around controllers, on how [802.11n] can be a helper technology to 3G/4G and how people are going to make the best use of all that in the enterprise?
Calhoun: CleanAir, which is our offering that now does .11n, has spectrum intelligence, and so on, is radically changing how people are thinking about 802.11 in the enterprise. In part it's because the performance that you get with the platform itself is much greater than what we've seen in the past. But also, it actually provides you with a view into how your spectrum is actually faring. So one of the challenges we've always had as an industry is you have all this RF going on, but you can't really see the RF. And if there's a performance bottleneck, you're not really sure exactly what's causing it. So from a user standpoint, I may be trying to access a video or perhaps even a critical application, and if it's not working very well, the process of trying to troubleshoot is extremely complex. What we've done now is that with CleanAir, by integrating all of these capabilities into the access point, we now have a view into what is radiating RF in the environment.
