Guillaume FORTAINE gfortaine at live.com
Sat Mar 20 15:06:25 CDT 2010

> If I was such a clever 15 year old I would go to Google and enter 
> "contacting cisco ios security"
> which would lead me to ->
> http://www.cisco.com/en/US/products/products_security_advisories_listing.html 
> which would lead me to ->
> http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html 
> Same exercise can be repeated for most vendors you can choose.

I would counter argue by quoting this article :


Cisco Becomes The Weakest Link In National Infrastructure Security

Last week Cisco released patches in their semi-annual security 
announcement. The publication includes 11 advisories that address 12 
individual vulnerabilities. Ten of the advisories address 
vulnerabilities in Cisco IOS and one advisory addresses a vulnerability 
in Cisco Unified Communications Manager. Together these can affect 
routers and switches that not only use the Cisco Unified Communications 
Manager, but any device relying on the Cisco IOS operating system. To 
put it bluntly, this means a ton of devices critical to any network, and 
these vulnerabilities leave businesses and government agencies exposed 
to a barrage of attacks including denial-of-service (DDoS) or policy bypass.

Much has been written about the announcement of the vulnerabilities. 
However, details are lacking and there are more questions than answers. 
This lack of information leads me to believe Cisco does not take 
security seriously and continues to not know how to work with the 
security community. Considering the lack of details and opinions, I 
thought I would provide a few of my own.

1) Twice A Year Is Not Enough

The number of vulnerabilities patched by Cisco is not the issue. It is 
the potential danger these vulnerabilities pose. One of the IOS 
vulnerabilities allows unauthenticated attackers to bypass access 
control policies when the “Object Groups for Access Control Lists 
(ACLs)” feature is used. Your company is most likely protecting your 
critical components by leveraging ACLs, now imagine they are no longer 
in place. The human resources database with all that W-2 information? 
Hackers now have your salary, your direct deposit account, your medical 
history and of course your social security number. To make matters 
worse, replace that HR database with our government’s nuclear secrets; 
don’t you think Iran is aware of the Cisco vulnerabilities?

Scary stuff, for sure, but how long has the vulnerability been around 
and recognized. The answer is unknown. The only fact we have is that 
each of these eleven vulnerabilities may have been around for at least 
six months. That is an eternity in the security space and has given 
hackers too much time to walk in through an open door.

Microsoft is often a punching bag when it comes to vulnerabilities and 
it is sometimes warranted, but let’s be honest, the company does a good 
job of patching issues on a regular basis. With Microsoft, you know that 
you are going to get a patch each month and important details that help 
you make an informed security decision. Cisco should examine its 
patching schedule in light of the September 24th announcement; every six 
months is not acceptable.

2) Updating Routers and Switches is Now Critical

You can never diminish the importance of a switch or router to your 
network infrastructure. They are the core to any network whether in a 
home, a large Enterprise or the Federal Government. If one fails you 
know it. However, if a vulnerability let’s people through due to a hack 
do you know it? While everyone remembers to patch their Mac or Windows 
laptop, how often do they patch the router, firewall or switch?

To see how up-to-date folks are with their Cisco firmware I ran a quick 
test. During a 1-hour scan of the Internet I found 420 responding 
systems and NONE were patched with any fixes from this cycle or the 
last. That means 420 systems, at a minimum, are susceptible to a years 
worth of vulnerabilities.

Microsoft had enough of people not patching and now it force feeds the 
patches. While I’m not a fan of that solution, it does work. Cisco needs 
to apply the same method to its products. It is irresponsible for Cisco 
to run its business in a way that could cause mass disruption to 
critical network infrastructures including government and military services.

Cisco is not the only one to blame in this mess, the people responsible 
for getting their routers, switches and other network equipment 
up-to-date also must be held accountable. How many of you updated with 
the patches on September 24th, the day of the announcement? The quick 
scan I did is telling me not many. Kelly Jackson Higgins of Dark Reading 
put it best, “The dirty little secret about patching routers is that 
many enterprises don't bother for fear of the fallout any changes to 
their Cisco router software could have on the rest of the infrastructure.”

3) Testing, Testing, Testing

In this case we have a great example of why every network device needs 
to be realistically tested under a variety of scenarios, both security 
and performance driven. Obviously, testing must occur at the NEMs level 
throughout the product lifecycle, but the enterprise must also test this 
equipment before it is deployed and after updates like these are made. 
Having the ability to quickly test equipment and the network after 
making updates is critical.

There is no room for excuses anymore. We have been able to become more 
adept at updating and testing equipment and software that are given more 
regular patches. Just look at how Microsoft Tuesday has become a habit. 
Other vendors have realized that this approach, ultimately, is better 
for everyone. I would encourage manufacturers of any network equipment 
to do the same.

The reason this is important is because the United States is currently 
fighting in two wars, heavily dependent on network technologies. The 
Department of Defense and other military agencies have concluded that 
the next major war will be waged, in great part, in cyberspace. If Cisco 
and other vendors guilty of the same security concerns do not get their 
act together it will be a war we cannot win.

Until March 24, 2010, when the next Cisco bulletin is due.

More information about the NANOG mailing list