As the Pentagon shakes off last week's e-mail-based attack that forced the Defense Department to take about 1,500 computers offline, Cisco Systems on Monday introduced its strategy for shutting down these types of attacks.

The company revealed Monday that it's going to add new malware- and spam-inspection capabilities to its firewalls, both standalone and embedded in other network devices. It will use the Web and e-mail inspection technologies it bought in an $830 million deal for IronPort Systems, which closed Monday. Given Cisco's claim that one out of every three firewalls being used in business today was made by Cisco, it's a development worth noting, particularly as the security space continues its relentless consolidation. Tech providers including Cisco, Hewlett-Packard, and IBM are scrambling to weave additional security into their products and services, and to do it as quickly as possible.

Cisco's got big plans for IronPort's technology. They include setting up communication between Cisco firewalls and IronPort e-mail and Web gateways in order to pre-emptively stop IT security threats at the network perimeter. Cisco wants to use IronPort's SenderBase service, a database that collects information from more than 100,000 ISPs, universities, and companies around the world, to further Cisco's "self-defending network" strategy.

By early 2008, Cisco expects to enable IronPort e-mail and Web gateways to communicate with Cisco network firewalls and create security benefits that improve the efficacy of network traffic inspection. Cisco firewall customers -- the company claims it owns 38% of the firewall market -- will be able to take advantage of this new IronPort integration through software upgrades, rather than having to purchase new firewall appliances, routers, or switches.

Cisco will start by enabling SenderBase to communicate with Cisco ASA Series firewalls, but eventually the company wants all of the firewalls it sells, including those embedded in routers and switches, to have access to SenderBase data. "This takes the concept of the self-defending network to the next level," says Richard Palmer, senior VP and general manager of Cisco's Security Technology Group. "It's the distributed sharing of information about bad senders."

SenderBase determines the reputation of different IP addresses by scrutinizing the behavior of network traffic originating from those addresses. It scores these addresses according to factors such as how long they've been in existence, whether they're sending a consistent volume of e-mail or other network traffic over a period of time, whether the IP address can receive e-mail traffic (spammer IP addresses generally can't), and whether the IP address has ever been on a blacklist. "Anomaly tracking is the best thing we have to defend our networks against new threats," says Scott Weiss, former CEO of IronPort and now general manager of the IronPort business unit reporting to Palmer. These SenderBase scores tell the network security devices the level of resources they should exert in examining a piece of network traffic.

SenderBase measures more than 110 parameters for any active e-mail or Web server on the Internet in order to determine whether an e-mail, instant message, or stream of Web traffic could pose a security threat. The database receives more than 5 billion queries per day from IronPort gateway appliances installed at its customers' facilities.

IT executives waiting for HP and IBM to wade deeper into the security pool have gotten their wish, as HP last week said it plans to buy Web application security provider SPI Dynamics and IBM recently announced plans to boost its Web app security offerings through the purchase of Watchfire.