Cisco's new security target: consumers

The multibillion-dollar player in security tools for businesses plans to move into the lucrative consumer market later this year.

Cisco Systems, a multibillion-dollar player in security tools for businesses, is planning to move into the consumer market.

The San Jose, Calif.-based networking giant plans to release products later this year that translate its enterprise-scale technologies to the home, keeping consumers safe as they increasingly get networked and go online, Cisco executives told CNET News.com.

"If you think about what's required in the home, it is a 'mini' version of the enterprise," said Richard Palmer, general manager of Cisco's security technology group. "You have to replicate the broad portfolio of technology solutions that we have in an easy to deploy, easy to buy way that consumers find interesting and are willing to spend money on."

The move positions Cisco to grab a bigger chunk of the security market, which, according to research firm IDC, hit $32 billion in 2005 and is poised for double-digit growth through 2010. It also puts Cisco in competition with security specialists such as Symantec and McAfee, but not in the traditional way. Cisco won't sell software that people install on their PC. Instead, it will add security features and services to its Linksys home-networking gear and Scientific Atlanta set-top boxes.

"We think security is going to be a fundamental requirement for the networked home," Palmer said. Buying security software and loading it onto a PC isn't the way people will be securing their systems in the near future. "That market is being transformed," he said.

In Cisco's portfolio
Here are some examples of security products from Cisco that could be applied to home networks.
IOS Intrusion Prevention System
PIX Firewall software
Traffic Anomaly Detectors
NAC Appliance (endpoint clean access)
SSL VPN Remote Access

Linksys has plans for routers and other gateway devices with a variety of security features, said Mani Dhillon, director of product marketing at the company, which was bought by Cisco in 2003. "We're working very hard to have something we can bring to market this year," he said.

The top of the line would be a device--possibly connected to a service--that scans all Internet traffic as it enters a home network and automatically filters out all malicious traffic, he said.

Somewhat less advanced is the idea of filtering access to Web sites at the router--which allows multiple devices to use the same Internet connection--rather than on the PC itself. Linksys is working with IronPort Systems, a recent Cisco acquisition, to build a service for its routers that would shield people from known malicious sites. At the moment, people who want similar surfing protection have to install tools such as McAfee's SiteAdvisor or Exploit Prevention Labs' LinkScanner.

"By putting some of the functionality typically seen in security applications onto your network, you don't have to go off and individually manage every PC to make sure is up to date," Dhillon said.

The Linksys team is also thinking of ways to use Cisco's network access control features, or NAC, in its consumer routers. This would automatically run a health check every time a device connects to the home network. It would verify whether security patches and other safety settings on the PC are up to date.

"Security is very high on our list," Dhillon said. "We think this could hit the sweet spot for a good percentage of our customers, if we position it correctly." One of the challenges for Linksys is making sure its products don't become overly expensive, since additional features will require more powerful hardware, he said. A bottom-of-the-range

Linksys rival D-Link already sells a $99 security device. However, the D-Link "SecureSpot" is not a router or gateway; instead, it sits between a router and a cable modem. D-Link partnered with McAfee for many of the features, which include antivirus and spyware blocking. "Security is top of mind for consumers and it does make sense for us as networking vendors to offer solutions," said Daniel Kelley, D-Link's director of marketing.

A real challenge?
Cisco's plans make sense and stand to bring the company additional business, but industry analysts disagree on whether its move is a threat to security incumbents.

"Built-in security is exactly what consumers need, and security in the router absolutely makes sense for Cisco," said Forrester Research analyst Natalie Lambert. "However, it is not the be-all-and-end-all for security."

In focusing its security efforts on the hardware, the company is essentially creating a new market, Lambert said. "By not providing software, Cisco is staying out of the way of the traditional security players," she said. "Installing security software on a PC is a necessity. Consumers are not sitting behind their Linksys box at all times--they travel."

However, security software incumbents such as McAfee and Symantec could still lose out, said John Pescatore, an analyst at Gartner. "The amount of money households will spend on security is not infinite, and Cisco will be competing for the same security dollar," he said. "Cisco has a great shot here."

Linksys has already dipped its toe into the water. At one time, it had a parental control feature on some of its routers that required a subscription to stay up to date. It didn't quite work out as the company hoped, but Linksys learned from the experience, Dhillon said.

Cisco won't be the first to deliver enhanced security built into a router. Check Point Software Technologies recently started selling a $150 Zone Alarm brand router that has a beefed-up firewall and antivirus and intrusion detection capabilities built-in. Check Point also borrowed from its enterprise security technologies.

"We agree that this is an important part of the security infrastructure that a home user needs to think about," said Laura Yecies, general manager for Zone Alarm at Check Point. "It is an opportunity to improve the security for home users; they really need the kind of capability that enterprises have."

"We agree that this is an important part of the security infrastructure."
--Laura Yecies, Zone Alarm general manager, Check Point

But security in routers is complementary to what's installed on the PC, Yecies said. Check Point offers a bundle of its router with the Zone Alarm Internet Security Suite. "I don't think Cisco is going to take away from desktop security," she said.

Symantec and McAfee take similar stances: They don't see Cisco's plans as a threat, but as being only one piece in the security chain.

"Today's security requires defense in depth. You need security at all points in the network," said Rowan Trollope, a vice president in Symantec's consumer group. That means on the PC, on the router and on the networks run by services providers, he said.

Marc Solomon, director of product management for consumer products at McAfee, struck a similar chord.

"Cisco's vision of building security into home routers can add another layer of protection," Solomon commented. "However, it does not address all of the security issues for consumers, especially for those who use portable devices such as laptops, PDAs and mobile phones."

Thinking inside the box
But Cisco's plans do include Scientific Atlanta, the set-top box maker it bought in late 2005. Cable companies that put the boxes inside consumer homes are aiming for them to become the hub of a connected home, Cisco said. Already, Scientific Atlanta has sold more than 1 million set-top boxes with cable modems incorporated in them. The addition of built-in routing and networking capabilities is not far off, the company believes.

"There is a tremendous opportunity there for security solutions and secure storage solutions," said Dave Clark, director of home entertainment products for Scientific Atlanta.

Cisco won't give the security features away for free, and it hopes that beefing up the consumer networking gear and set-top boxes will bring it additional revenue. However, its executives won't say how big they think the market opportunity is, compared with the roughly $2 billion-a-year enterprise security business it has now.

"Instead of thinking of it as a multibillion-dollar security business in the consumer space, we're thinking of it in the context of the networked home," Palmer said. "The networked home opportunity is much bigger than $2 billion."

The extra revenue would come from pricier hardware and added services, Cisco representatives said. A Linksys or Scientific Atlanta device with security features will cost more than one without them. Also, Cisco may charge a subscription fee for services such as Web filtering, which require regular updates, they said.

In addition to products sold directly to consumers, Cisco has plans to build products aimed at Internet service providers that will let those ISPs offer security services to their customers, Palmer said.

If it sounds like Cisco hasn't really hammered out its plans, that's because the company is looking at trying out a range of product and service packages.

"The way you find out in the consumer space what works is by doing a bunch of experiments, and seeing what flies off the shelves and what doesn't," Palmer said. "You're constantly in an experimental mode because nobody is smart enough to figure this out a priori."
