At the upcoming RSA Conference in two weeks, Cisco plans to debut major security products to help bolster its already strong security portfolio.

Security is categorized as one of the vendor's six Advanced Technologies and already brings in approximately US$2 billion per year in revenue, though routing and switching still account for more than 60 percent of Cisco's revenue.

The company has 1,500 engineers working solely on security products - VPN, firewall, intrusion-prevention, intrusion-detection systems (IPS/IDS) and other technologies. Hundreds more engineers work across its various infrastructure product lines to integrate security features into network gear.

Cisco is slated to announce upgrades to several of its key security products at the event (see more of what to expect at the show, page 8). An upgrade to its Adaptive Security Appliance (ASA) 5500, a VPN/firewall/IPS device, is due. Also on tap are upgrades to Cisco's Integrated Services Routers (ISR) and Monitoring Analysis and Response System (MARS) system, which orchestrates network infrastructure responses to virus/malware threats.

Cisco CEO John Chambers is one of the headliners at the show and is expected to push a theme of more tightly integrating security with infrastructure components.

"If you're going to provide security, Cisco's very uniquely positioned to do that," Chambers said in a recent interview.

Looking at the breadth of Cisco's security portfolio - and its market share in security products - Chambers' statement is hard to refute. The company leads in worldwide sales and shipments for most major security product categories, including VPN equipment and appliances, firewalls, and IPS and IDS, according to Infonetics Research. (But its total share in any of these markets is less than 40 percent; a vast difference from its core routing and switching markets, where it holds 70 percent to 80 percent market share).

Through a series of acquisitions over the last two years, Cisco has spent over a half-billion dollars enhancing its product portfolio to address security in almost every area of a network. It added traffic-anomaly detection with its Riverhead acquisition in 2004, as well as monitoring and client-scanning software from Protego and Perfego. The vendor has since turned these acquired technologies into products, or components of its Network Admission Control (NAC) architecture, which uses scanning technology to block malicious users via routers and switches.

"Security is not done in any one place" or product line, says Richard Palmer, vice president and general manager of Cisco's VPN and security business unit. "We focus on security not just as a set of technologies or functions that are done in one box, but more as a system."

An example of Cisco's multi-product integration of security is its MARS product, which can interpret signals and alerts from IPS gear and react by sending policies to routers and switches. NAC technology is another example, Palmer says. Cisco even reaches into desktops with its Security Agent (part of NAC), which works with third-party anti-virus software and alerts a NAC-enabled infrastructure of potential threats on a client machine.

Cisco says all of these areas will fall under its latest plan for enterprise customers - Service-Oriented Network Architecture (SONA), announced in December. Under the SONA concept, security would be built into every piece of a network infrastructure and would be delivered as a service along with applications, voice and mobility.

Cisco is not alone in chasing the billions of dollars of potential revenue in the market for securing enterprise network infrastructure and applications. Most of Cisco's switch/router competitors - Alcatel, 3Com, HP, Enterasys and Nortel - have products similar to Cisco's NAC and MARS offerings.

Meanwhile, start-ups are defining the next generation of Web application firewalls, which protect SOA applications from attack and misuse. Vendors such as NetContinuum, Magnifier (bought by F5) and Teros (purchased by Citrix) offer application-layer security features not yet in Cisco's portfolio.

Network access control vendors EdgeWall, Lockdown Networks, Mirage Networks, Nevis Networks and Vernier are entering the market as Cisco slowly joins the Layer 2 switch network access control market, which it helped create.

Before Cisco gets too far into next-generation security technology, some users of its products say there's plenty to improve upon in its current lines.

"I'm leery of any vendor that says they have the do-everything security solution," says Scott Pinkerton, network services manager at Argonne National Laboratory, a U.S. Department of Energy research center operated by the University of Chicago. "Every organization is so nuanced and different that one-size-fits-all is really hard to do with security. No security solution is easy. . . . They all require more tuning than you'd ever like."

Even with this philosophy, Argonne uses Cisco security gear, from its VPN 3000 concentrator to its PIX firewall and IPS/IDS equipment.

Three areas in which Cisco security gear needs to improve are "integration, integration, integration," Pinkerton says jokingly.

The network staff at Argonne uses a mix of custom scripting, some management tools from Cisco and other software to tie together Cisco firewalls and IDS sensors, allowing Pinkerton to dynamically reconfigure firewall policies when threats are detected. "Today we do that ourselves, but Cisco's security products do not," he says. "Why is that?"

While Cisco tries to make advances on the security products front, it is kept busy by the growing number of reported hackable flaws and vulnerabilities in the very security products it pitches.

The company has released eight new or updated product security advisories so far in 2006, affecting products ranging from its VPN 3000 and MARS to VOIP gear and IOS software.

"There's no vendor out there that's perfect" in terms of product vulnerabilities, says Zeus Kerravala, an analyst with The Yankee Group. "But while Cisco's strength is their installed base, it's their weakness regarding vulnerabilities. "There are far more people that are going to try and hack into a Cisco router than" other network products.

Cisco's Palmer says the company's top priority is to better secure the devices it sells to safeguard customer networks.

Each Cisco product group shares best practices for writing secure code and building hardware that is harder to hack, Palmer says. "We're looking at this in terms of vulnerabilities, in terms of requiring authentication on multiple levels and in terms of securing the control plane along with the [regular] traffic."

Making it easier for users to quickly change, patch or fix flawed gear is another area in which Cisco could improve. "Cisco also needs to do a better job of educating customers on best practices for security on their devices," Kerravala says. "They have to come up with better configuration management tools and best practices to make sure that vulnerabilities are minimized."

He says Cisco has made some strides in making its products more systemic.

"Cisco's whole security product portfolio is made up of a bunch of acquisitions," he says. In that sense, buying Cisco VPN, IPS and firewall gear was more like buying products from three different vendors instead of a single security solution or system.

"The value Cisco can add is to put some kind of management framework on top of it and make it look like a system," Kerravala says. "That's where they put a lot of effort, and where they should put a lot of effort."

"In the emerging areas - such as SSL and IPS - Cisco is never going to be the industry trendsetter," he says. "You've got small dedicated start-ups with an entire company doing nothing but these technologies. Cisco can't maintain product leadership across all categories in all moments in time."

Products from pure-security vendors such as Arbor Networks, Check Point, Cybershield, Internet Security Systems and Sourcefire are still held in higher esteem by some network security aficionados and experts than infrastructure-based offerings from Cisco and its ilk.

Part of the reason Cisco will never dominate security the way it does routing and switching is that security technology is constantly evolving, observers say.

"Cisco is very strong where they have account control and where they have a lot of network equipment," says John Oltsik, an analyst with Enterprise Strategy Group. "Where Cisco's influence is weaker is in any organization where the security department is more dominant in selecting products."

Here, security "pure-play" vendors are more likely to get as much time and consideration as Cisco, as opposed to enterprise network groups that use Cisco gear, and may not look at competitive routers and switches often, Oltsik adds.