Rapidly deploying fixes for known security vulnerabilities is a key aspect of any sound security strategy. But consistently meeting that challenge is no mean feat, especially in networks with tens of thousands of devices.

Startup Ponte Communications claims to offer the solution, in the form of its Network Security Control (NSC) platform. NSC enables users to centrally manage configuration and policy on thousands of devices throughout an enterprise network, from firewalls and routers to virtual private network (VPN) appliances. The product is intended to ensure that all devices are configured accurately and consistently. It also allows users to deploy firmware and software updates - such as patches for security holes - on all devices from a central console.

Ponte, which means "bridge" in Italian, was founded in 1998 as a consulting company. The current incarnation of the firm, based in Mountain View, Calif., was born out of software the founders wrote for a Wall Street firm that needed to manage security for a growing number of devices. In November 1999 the company shifted gears to commercialize that software, turning it into what is now NSC.

NSC consists of two main components. The Control Server is the central console that runs on a Sun Solaris server. It stores all information about devices being managed, schedules changes, tracks change requests and houses the Network Knowledge Store, which is a repository for all historical device data, including logs of changes and actions.

Data from the Knowledge Store can be helpful for audit purposes, such as those conducted by insurance companies. "It's big for proving to insurance companies that you are reducing risk," says Alan Norquist, vice president of marketing for Ponte.

The other main NSC component is Control Point software, which runs on commodity Intel hardware. Control Points attach to the network devices being managed and execute the functions dictated by the Control Server. Control Points also make the NSC system scalable: for example, a Control Point can accept a software update once from the Control Server and distribute it to all VPN appliances in a rack or a region, says Mark Epstein, Ponte's chief technology officer.

Control Points communicate with network devices in their native language, so no software is required on the device itself. Device Modules, which are plug-ins to the Control Server, handle the translations that enable this capability.

Currently, Ponte has Device Modules for VPN equipment from NetScreen, Nokia and Nortel, firewalls from Check Point, Cisco and SonicWall, and broadband customer premises equipment (CPE) from Alcatel, Efficient Networks and Netopia. The system can be customized to support any vendor's equipment, Epstein says.

The translation feature means the same security policy can be applied to devices from any vendor for which a Device Module exists. "That means the same security policy works across lots of types of devices, without the NSC knowing what they are," he says.
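To make the Device Module idea concrete, here is an added example that is not Ponte's code and not based on the real NSC: a vendor-neutral firewall policy is rendered into each device's native syntax by a per-vendor plug-in, pushed by a Control Point, and every action is written to an audit log (the role the article assigns to the Network Knowledge Store). It also adds a drift check, so a device whose running configuration no longer matches the policy can be spotted. The vendor names ("alpha", "beta", "gamma"), their command syntaxes, the device names and the sample policy are all constructed for illustration and are not any real vendor's CLI.

```python
"""Added example, not Ponte's code: a toy model of NSC-style Device Modules.
A vendor-neutral policy is rendered into each device's native syntax by a
per-vendor plug-in, pushed by a Control Point, and every action is logged.
Vendor names and command syntaxes are constructed; none is a real CLI."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    src: str                    # source prefix, CIDR notation
    dst: str                    # destination prefix, CIDR notation
    port: Optional[int] = None  # None means any port


Policy = List[Rule]


def validate(policy: Policy) -> None:
    """Reject malformed rules before anything is rendered or pushed."""
    for r in policy:
        if r.action not in ("allow", "deny"):
            raise ValueError(f"bad action {r.action!r}")
        if r.proto not in ("tcp", "udp", "any"):
            raise ValueError(f"bad proto {r.proto!r}")
        if r.port is not None and not 0 < r.port < 65536:
            raise ValueError(f"bad port {r.port!r}")


# Device Modules: one renderer per constructed vendor dialect. Each appends an
# explicit default-deny so an empty policy never falls back to vendor defaults.
def render_alpha(policy: Policy) -> List[str]:
    lines = []
    for r in policy:
        port = f" port {r.port}" if r.port is not None else ""
        lines.append(f"acl {r.action} {r.proto} from {r.src} to {r.dst}{port}")
    lines.append("acl deny any from 0.0.0.0/0 to 0.0.0.0/0")
    return lines


def render_beta(policy: Policy) -> List[str]:
    lines = []
    for i, r in enumerate(policy, start=10):
        verb = "pass" if r.action == "allow" else "block"
        port = f"/{r.port}" if r.port is not None else ""
        lines.append(f"rule {i} {verb} {r.proto} {r.src} -> {r.dst}{port}")
    lines.append("rule 999 block any 0.0.0.0/0 -> 0.0.0.0/0")
    return lines


DEVICE_MODULES: Dict[str, Callable[[Policy], List[str]]] = {
    "alpha": render_alpha, "beta": render_beta}


@dataclass
class Device:
    name: str
    vendor: str
    running_config: List[str] = field(default_factory=list)


@dataclass
class ControlPoint:
    """Applies a rendered policy to attached devices and records each action."""
    devices: List[Device]
    audit_log: List[dict] = field(default_factory=list)

    def push(self, policy: Policy, policy_id: str) -> None:
        validate(policy)
        for dev in self.devices:
            module = DEVICE_MODULES.get(dev.vendor)
            if module is None:   # vendor without a Device Module: log, don't guess
                self.audit_log.append({"device": dev.name, "policy": policy_id,
                                       "result": "skipped: no device module"})
                continue
            dev.running_config = module(policy)
            self.audit_log.append({"device": dev.name, "policy": policy_id,
                                   "result": "applied"})

    def drift(self, policy: Policy) -> List[str]:
        """Names of devices whose running config no longer matches the policy."""
        return [dev.name for dev in self.devices
                if dev.vendor in DEVICE_MODULES
                and dev.running_config != DEVICE_MODULES[dev.vendor](policy)]


# Constructed sample policy for the demo.
DEMO_POLICY: Policy = [
    Rule("allow", "tcp", "10.0.0.0/8", "192.0.2.10/32", 443),
    Rule("deny", "any", "10.0.0.0/8", "192.0.2.0/24"),
]


def demo() -> Tuple[ControlPoint, List[str]]:
    cp = ControlPoint([Device("edge-fw-1", "alpha"), Device("edge-fw-2", "beta"),
                       Device("branch-cpe-3", "gamma")])  # gamma: no module yet
    cp.push(DEMO_POLICY, "policy-v1")
    # Simulate a change made directly on one device, bypassing the console.
    cp.devices[1].running_config.insert(0, "rule 5 pass any 0.0.0.0/0 -> 0.0.0.0/0")
    return cp, cp.drift(DEMO_POLICY)


if __name__ == "__main__":
    cp, drifted = demo()
    print("\n".join(cp.devices[0].running_config))
    print("drifted:", drifted, "\naudit:", cp.audit_log)
```

Running the script pushes one policy to three devices, logs that the third was skipped for lack of a module, and then flags `edge-fw-2` after a hand edit. The point is that the policy never mentions a vendor: adding support for new equipment means adding one renderer to `DEVICE_MODULES`, and the drift check gives the console a way to verify that what it pushed is still what is running.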

Ponte is focused on security for the network fabric, meaning devices and appliances, as opposed to applications and application servers. Norquist acknowledges that users would also find it helpful to use NSC to update servers, for example to apply security patches. The company is exploring that possibility, he says.

NSC pricing depends on configuration, but Norquist says a Fortune 1000 company that gradually rolls the system out across the enterprise can expect to spend between $3 million and $5 million over time.