The report, Cisco Security: Features and Futures, looked at the security features in the networking company's enterprise products and gave them the thumbs-up. Management of security, however, was judged less favourably.
Fred Cohen, principal analyst and author of the report, said Cisco provided many features and was increasingly standardising the security capabilities in and between select products. However, he added that the management of complex Cisco networks for secure operations was increasingly untenable for even the best-run enterprises.
"Cisco's product features are still high-maintenance security offerings and lack the centralised control and comprehensive approach required for large-scale enterprise security controls," he said.
Cohen added that Cisco's networking portfolio offered network managers "point solutions to reduce operational complexity in some cases". But the lack of a comprehensive management system was problematic.
Substantial automation was needed to control a large infrastructure properly and meet all the access control requirements accurately, the report found.
Cohen warned that Cisco's security features, such as firewalls, intrusion and anomaly detection systems, load balancing and redundancy, and audit generation, were not well enough integrated into most enterprise control systems to provide full control.
In most cases the protection is limited by the functional requirements of the network. Managing the configuration too tightly could produce network outages.
Cohen also said Cisco faced a challenge in how it could build systems that would continue to provide security functions without requiring those systems to change dramatically every time there was a new form of attack.
"Cisco will provide the means to rapidly adapt its technology in reasonably flexible ways without allowing that flexibility to cause the network infrastructure that [its] products largely run to collapse," he said.
Running an entire network on a Cisco-based infrastructure is no guarantee of strong security, the report warned. Cohen said many Cisco components did not have encryption and authentication and yet operated over the network infrastructure.
This resulted in a security gap, according to Cohen, as all of the unencrypted links could be subjected to surveillance, denial of service attacks, man-in-the-middle attacks, corruption and unauthorised use.
Responding to the analyst's remarks, Cisco said, "We believe that management is a key issue for the successful deployment of security services and we continue to make it a priority for customers of all sizes.
"We have delivered several significant releases of VMS both for policy configuration performance monitoring and security monitoring."
This was first published in May 2004