Learn from Microsoft's mistakes: Cisco told

Cisco Systems should follow Microsoft's example and create a streamlined patching system for fixing vulnerabilities, according to IT specialists.

The networking giant has been under fire after security researcher Michael Lynn last week outlined how to attack its Internetworking Operating System (IOS) to gain control over and shut down a router.

Lynn's disclosure was based around a flaw in IOS that was patched in April. On Tuesday, AusCERT advised all companies to upgrade their Cisco routers with the latest version of the operating system.

Neal Gemassmer, Patchlink Asia-Pacific vice president, told ZDNet Australia that although patching routers and network hardware is usually far more "labour intensive" than updating desktops and servers, it could be made easier if companies like Cisco developed a Windows Update-type infrastructure and vulnerability reporting mechanism.

"It would be good to have something similar to what Microsoft has done, which is to be more open when vulnerabilities are assessed, having databases against that and having a streamlined way of providing updates. Microsoft has done very well in streamlining the process," said Gemassmer.

Gartner senior research analyst Bjarne Munch concurred with Gemassmer, and believes Cisco will have to make a "concerted effort" to create a robust and integrated patching infrastructure.

"They could learn from the experience Microsoft has gone through -- I don't think anyone would say Microsoft has really solved all the problems either [yet] but they are trying.

"The big difference is Microsoft today and Microsoft of five or ten years ago. They realised that this is a key issue and is making a concerted effort ... Cisco is going to have to make the same effort," Munch said.

Shing Quah, associate telecommunications analyst at research group IDC, said that patching network hardware is currently a "technical challenge".

"With a WAN (wide area network) infrastructure it is possible [to add patches and software upgrades] but it is much more intensive. It's not like software where you can download a patch and then push it out to all users. It's much more time consuming and a bigger technical challenge," said Quah.

On Wednesday, following an alert from AusCERT, ZDNet Australia reported that most organisations rarely patch or update the software on their network hardware, which could result in a significant proportion of vulnerable Cisco routers.

This is especially worrying since after his now infamous presentation, security researcher Lynn said he risked the legal wrath of Cisco and his former employer ISS (Internet Security Systems) because he believed the vulnerability was dangerous.

"It is very serious because right now the mindset is such that nobody really considered this possible -- so nobody had a plan. What is really important is that we get the problem fixed before it is at the level where somebody can write a worm," said Lynn at a press conference in Las Vegas the day after his Black Hat presentation.

Lynn explained that a worm could be designed to "destroy hardware".

"This could actually destroy the router's ability to turn on again ... certain instructions in certain parts of memory in the router tell it how to turn on ... It is one of those rare cases where software can destroy hardware," said Lynn.

Gartner's Munch emphasised that it's not just vendors that should take the blame for the lack of a network hardware patching system because enterprises should be taking the matter more seriously.

"A lot of enterprises have got to look inside as well because they haven't placed a lot of focus on patch management -- you can't say it's just Cisco or Microsoft. These enterprises don't even have their processes in place yet and that is an even more significant issue," said Munch.

Cisco declined to comment when contacted.


Munir Kotadia


Talkback

3 comments
  • Are you daft?!

    A Microsoft-style rollout of software updates? Are you daft!? The last thing we need is another reason for sloppy code. Too many companies rely on software update technology to save their bacon. They roll out software as fast as possible and rely on the updates to push out fixes to their rushed mistakes.
    Cisco has over the years proven to be quite good at security... but everyone must realize that nothing is completely secure. Cisco will fix the issue and make updated IOS software available. We will test and install the updated IOS during a predetermined maintenance window and not when the device feels like downloading an update.
    The last thing I want to see is 50 routers going to cisco.com to check for updates. Bah!
    anonymous
  • No need to auto-update

    Who said anything about devices going out and checking for updates automatically? I doubt any network engineer would implement such a system. But where's the tool where you can download a patch, test it against all of your known configs (either in lab or on a virtual router), make sure that no used commands have been deprecated, then at the click of a button deploy them? I'm over sitting up late at night to telnet into a dozen routers and tftp up an IOS update.
    anonymous
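The pre-deployment check the commenter above asks for, as an added illustration that is not from the article or from any Cisco tool: given a list of commands that a new image's release notes mark as deprecated, scan each saved router config and report which ones would need rework before the upgrade window. The deprecated-command list, replacements and both configs are constructed for this example.

```python
"""Flag saved router configs that use commands deprecated in a new IOS image.

Constructed example: the deprecated-command table and the configs below are
made up for illustration and are not taken from any real release notes.
"""
import re
from typing import Dict, List

# Constructed: regex for each deprecated command, mapped to its replacement.
DEPRECATED = {
    r"^ip http server$": "ip http secure-server",
    r"^snmp-server community \S+ RW$": "snmp-server group <name> v3 priv",
    r"^enable password ": "enable secret",
}

# Constructed sample configs for two routers (documentation addresses only).
CONFIGS = {
    "edge-rtr-1": """\
hostname edge-rtr-1
enable password cleartext-placeholder
ip http server
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
""",
    "core-rtr-1": """\
hostname core-rtr-1
enable secret 5 $1$placeholder
snmp-server community readonly-placeholder RO
""",
}

def find_deprecated(config: str, deprecated: Dict[str, str] = DEPRECATED) -> List[dict]:
    """Return one record per config line that matches a deprecated command."""
    hits = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()  # interface sub-commands are indented; compare the bare command
        for pattern, replacement in deprecated.items():
            if re.match(pattern, line):
                hits.append({"line": lineno, "command": line, "use_instead": replacement})
    return hits

def audit(configs: Dict[str, str]) -> Dict[str, List[dict]]:
    """Return only the routers that need attention; an empty dict means all clear."""
    return {name: hits for name, cfg in configs.items() if (hits := find_deprecated(cfg))}

if __name__ == "__main__":
    for router, hits in audit(CONFIGS).items():
        for h in hits:
            print(f"{router}: line {h['line']}: '{h['command']}' -> use '{h['use_instead']}'")
```

Run it against a directory of backed-up running-configs before scheduling the maintenance window; any router it lists needs its config updated alongside the image.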