Systemwide Security: Network security has evolved from independently deployed products such as firewalls into system-wide solutions such as self-defending networks.

---

from Cisco Systems Inc.

Thanks in part to a Cisco® advertising campaign to introduce the Cisco Self-Defending Network (such as the TV commercial in which a young girl unknowingly downloads a virus onto her father's computer), many consumers are becoming aware of the need for integrated network security.

But can a network really defend itself?

The short answer is, "Yes, it can." Network security has evolved from independently deployed products such as firewalls into the realm of system-wide solutions. And Cisco Systems® is at the forefront of the technology development that is making self-defending networks a reality.

The reason is simple: For today's companies, especially in this era of regulatory activity, preserving the integrity, confidentiality and longevity of corporate information is critical to success. As we move further into an information-driven global economy, the value of information, and controlled access to that information, has never been greater. The goal of IT infrastructure therefore is to create systems that can detect and protect against unauthorized access while providing timely access to legitimate users. Simply denying access in the face of an attack is no longer acceptable. Today's networks must be able to respond to attacks in ways that maintain network availability and reliability and allow a business to continue to function. In many respects, the goal of security is to make networks more resilient by making them more flexible. Rather than succumb, networks must be able to absorb attacks and remain operational, much in the same way the human immune system allows us to keep functioning in the presence of viruses and related bacterial infections.

This paper outlines the rational for the Cisco Self-Defending Network, its foundation, and the incremental approaches Cisco Systems has adopted to deliver these capabilities.

The Changing Landscape of Security
Whether we like it or not, the future of security technology has changed more in the last three years than it did in the prior 10. The extent of these changes, as well as the rate of change, has made it difficult for security IT departments to keep up. Before we can regain control, we must better understand this changing landscape.

The Secure Network Perimeter—Perhaps one of the greatest changes to the industry's approach to network security has resulted from the changing nature of the network itself. No longer can a network be secured by simply securing the network perimeter; as corporations have consolidated their data centers, converged internal networks, and embraced the Internet, what was once a self-contained, controlled environment is now typically open to partners through business-to-business extranets, retail outlet connections, and home-based employees, to name but a few examples. Extending the corporate network in this way extends the trust boundary across untrusted intermediate networks and into uncontrolled environments. Devices that connect into the corporate network through these pathways are frequently not in compliance with corporate policies. And devices that are compliant frequently are used to access other uncontrolled networks prior to connecting into the corporate network. As a result, devices on these external networks can become conduits for attacks and related misuse.

Wireless and Mobility—Tied to the notion of a secure perimeter, the wireless and mobile network within enterprises now supports laptop PCs, personal digital assistants (PDAs), and mobile phones that have more than one network connection. These multihomed hosts are capable of establishing ad-hoc wireless networks to enable peer-to-peer communication. In addition, packets can effectively be forwarded across devices at the application level. As a result, where a network boundary begins and ends becomes much more ambiguous. Corporations need to be able to extend a control point onto these mobile devices in order to manage secure system and maintain network availability.