Cisco Security System Shuts Out Third-Party Tools

Posted by Soulskill
from the trouble-versus-worth dept.
alphadogg writes "Cisco has finally publicly acknowledged it won't add support for new third-party devices to its security information and event monitoring appliance, ending months of speculation about the future of its Monitoring, Analysis and Response System. Some claim it's the beginning of the end for MARS as a multi-vendor SIEM device. 'MARS customers can expect non-Cisco network device data and signature updates to continue for currently supported third-party systems, but no new third-party devices will be added,' Cisco declared in a statement, noting that 'Cisco MARS continues to focus on supporting Cisco devices for threat identification and mitigation.' Cisco's SIEM competitors this week have eagerly grabbed at the topic of Cisco MARS freezing third-party support because of a Gartner research memo published Oct. 29 in which analyst Mark Nicolett stated, 'Cisco has quietly begun informing its customers of a decision to freeze support for most non-Cisco event sources with its [MARS].'"

  • This isn't new. (Score:1, Informative)

    by Anonymous Coward

    Cisco only supports Cisco. No Standard interfaces, nothing. Once they get in your shop, you are forced to buy other Cisco devices and Software to work with them.

    • Re: (Score:3, Insightful)

      by Ironsides (739422)

      Cisco only supports Cisco. No Standard interfaces, nothing.

      So, they don't support IPv4, IPv6, RJ-45 or RS-232?

      • Re: (Score:1, Interesting)

        by Anonymous Coward

        Probably only because they have to.

        • Re: (Score:2, Insightful)

          by Anonymous Coward
          What a bunch of wankers, shutting out third-party tools. Who do they think they are, Microsoft?? Apple?
      • Have you examined that weird pinout they use for RS-232 on RJ-45 connectors? It's the combination of any 2 features that they do oddly.

        • by Myrimos (1495513)

          Have you examined that weird pinout they use for RS-232 on RJ-45 connectors? It's the combination of any 2 features that they do oddly.

          You mean for their console cables? That irritated me to no end, but it's not as bad as their DB-25 to proprietary 60 pin interface.

  • by chill (34294) on Saturday November 07, 2009 @10:48AM (#30014490) Journal

    Try something that works WITH you as a SECURITY appliance, as opposed to yet another sales opportunity. There is lots of competition that easily beats MARS in functionality, ease of use and comprehensive support. TriGeo [trigeo.com], for one.

  • by girlintraining (1395911) on Saturday November 07, 2009 @10:49AM (#30014494)

    Since SIEM equipment is typically used to consolidate alert and event data from multiple vendor sources...

    Isn't that quaint! All these demands by the government to secure and protect critical "cyber"-resources, and here we have a major vendor basically giving the middle finger to that initiative, making it more expensive and difficult to accomplish that objective. Once again two government initiatives are at odds with each other: You have the DMCA and copyright advocates on one side, who have made overriding vendor lock-in by creating interoperability illegal, and national security interests on the other side asking ISPs and internet-connected networks to be secure.

    • > You have the DMCA and copyright advocates on one side, who have made
      > overriding vendor lock-in by creating interoperability illegal...

      Wrong. The DMCA explicitly permits "reverse engineering" for the purpose of interoperability.

      • Wrong. The DMCA explicitly permits "reverse engineering" for the purpose of interoperability.

        Did you forget about DeCSS [wikipedia.org]?

        • Re: (Score:1, Offtopic)

          by John Hasler (414242)

          > Did you forget about DeCSS?

          No. The subject is interoperability. Nothing to do with DVDs.

          • DeCSS was reverse engineering for the purpose of interoperability; it allowed you to play DVDs with other software. A side effect was that it could also be used for copyright infringement (you could burn a region-0 version of the DVD), which is what got it into trouble.
  • by overThruster (58843) on Saturday November 07, 2009 @11:11AM (#30014596)

    Cisco doesn't allow legitimate owners of their hardware to apply security patches without an exorbitantly expensive software subscription. I found this out when I purchased some of their hardware on ebay for self-study purposes. Personally, I think that's a bigger issue. It means that many individuals and small businesses out there are probably running outdated, insecure versions of their software. Not good!

    Security patches should be freely available for the good of the whole Internet community.

    • Re: (Score:2, Informative)

      by jgasher (103959)

      Very few vendors allow that. While the hardware can be resold by unauthorized resellers on what Cisco refers to as the "gray market," the software and OS licenses are non-transferable.
      Technically, anyone that buys equipment like that can't legally use it at all because they don't have a valid license for the OS.

      • > Technically, anyone that buys equipment like that can't legally use it at all
        > because they don't have a valid license for the OS.

        Not true in the USA. Copyright law explicitly grants the owner of a legitimate copy of any piece of software the right to use it: permission of the copyright owner is not required. When you purchase a piece of equipment with software installed on it you are buying a copy of the software (a copy in copyright law is a physical, tangible object: in this case some sort of n

    • Re: (Score:3, Insightful)

      You didn't do a quick google before throwing down money on a used security device? This is similar to picking up a used spam appliance for $100 and demanding a free subscription to updated signatures.

      Sorry dude, those signatures aren't written by the signature writing security fairy on top of twinkle toe mountain. People are paid to do it and that money has to come from a stable business model.

      Don't like it? Build up something using open source and roll with it, nobody is going to stop you and you should pr

      • In the case of a spam appliance I could agree, but you can forgive a guy for buying a switch (or something else that doesn't need constant updates just to function effectively) and expecting to be able to download firmware updates for it...unless he was familiar with Cisco's history as a special company, in which case he should have done the smart thing and stayed the hell away from Cisco.
    • by amorsen (7485) <benny+slashdot@amorsen.dk> on Saturday November 07, 2009 @12:34PM (#30015188)

      Cisco doesn't allow legitimate owners of their hardware to apply security patches without an exorbitantly expensive software subscription.

      This is actually not true. Security patches are available without a subscription. Read the security advisories published by Cisco.

      Taking advantage of the offer is sufficiently inconvenient so I don't think very many do.

      • by bertok (226922)

        Can you expand on this?

        I've never seen a 'free' IOS download on Cisco's site, anywhere, ever.

        • by thomasdz (178114)

          I use this all the time for equipment that isn't covered under any maintenance contract. You call Cisco, give them the equipment model & serial number, quote the security advisory URL, and voila...they give you download access for the most recent code for your switch/router/firewall... NOTE: You sometimes have to be on hold for an hour or more...but it DOES work...I've done it in the last 3 months for an old 28xx router.

          For example: http://www.cisco.com/en/US/products/products_security_advisory09186 [cisco.com]

    • Actually that's not quite true. If there's a security update for your version of IOS you can get the fixed version for the asking from them, no contract necessary. You have to specifically say "I have version 12.2(10) and bug report xxxxxx mentions an IP DOS attack vector, I'm requesting 12.2(24)" or whatever. This includes taking you up to a new major or minor version if whatever you're on is deprecated, but again, only if it's a security related patch as opposed to a bugfix. You're stuck with whatever f

  • MARS is a joke (Score:5, Informative)

    by vvaduva (859950) on Saturday November 07, 2009 @11:47AM (#30014794)

    I've been a MARS admin/user for a few years and this is not a surprise at all. I have first generation hardware - right after the purchase, Cisco announced that they no longer provide software updates for 1st gen machines, trying to push new hardware down customers' throats, so for about a year I was unable to patch or update my environment. Finally they gave in last year and started supporting both 1st and 2nd generation hardware again (I assume because customers were running away from their sinking MARS ship).

    This announcement is not a surprise at all since they've been pushing netflow like crazy, however a true event management solution should not be vendor centric to begin with. It's a pain to get MARS to take in events from Windows machines for example, or accept and manage events from other sources, so the announcement that they will no longer continue the non-existent support they had before is a non-sequitur.

    Apparently the mentality at Cisco now is that if they paint a box green and write Cisco on it, people will buy it.

    • Obviously you've never been an HP OpenView operator/admin. This stuff takes a dozen dedicated programmers to work correctly. I believe that's why they call it a "frame work" because you need a main frame to get it to work.

    • Apparently the mentality at Cisco now is that if they paint a box green and write Cisco on it, people will buy it.

      As a longtime Cisco competitor, I can tell you that that is their mentality, and they are right. There are a huge number of IT departments that buy Cisco just because it says Cisco, and refuse to consider anything else. Whether it's for purchasing convenience, politics, job protection, or just reasons of laziness, there are people who just buy what their Cisco rep wants them to buy. If you manage to actually get into a bakeoff test at these places, network engineers will actively try to sabotage the non-

  • by Anonymous Coward

    Cisco is not "shutting out third party tools," they are simply stopping official support of third party (non Cisco) devices and applications - they are not shutting anyone out.

    However, this does cause some issues as SIEM platforms are meant to be multi-vendor, multi-platform security management solutions and the fact that Cisco will not support third party devices any longer does not bode well for their customers or the long term viability of the MARS offering.

    A SIEM platform or any other security or perfor

  • SenSage (Score:1, Informative)

    by Anonymous Coward

    Cisco has partnered with SenSage to cover the non-Cisco log sources. DISA is implementing this solution as we speak.
