Following the disclosure of a serious security flaw in IOS earlier this year, Cisco has been trying to persuade its customers to upgrade to the latest version of its operating system. However, Cisco's chief security officer John Stewart admits that they have been slow to do so, which means a significant proportion of the company's customer base is still vulnerable to attack.
Networking and security experts have said that administrators will remain reluctant to upgrade the operating system in their network hardware while there isn't a simple updating infrastructure. Additionally, the experts agreed that administrators routinely deploy patches for their desktops and servers but are not in the habit of updating the software on their network switches and routers.
Stewart told ZDNet Australia that in the high-end service provider market, Cisco's customers use a version of IOS called IOS XR, which was originally designed only for the company's high-end network hardware. IOS XR took four years to develop and cost around US$500 million and because it was designed in a modular form, it allowed IOS to be updated without having to perform a complete reinstall.
According to Stewart, the modular design will eventually filter down to low end hardware; but he insisted that for now, smaller organisations are still happy to manually update their network hardware when necessary: "The design of IOS XR is a modular-based reload. I get a sense that we will see more of that thinking throughout our product line as time goes on," said Stewart.
However, Bjarne Munch, senior research analyst at Gartner, told ZDNet Australia that a patchable IOS would most likely appeal to smaller companies because it would be more practical: "The lower end, from a practical point of view, would be more confident in upgrading IOS, they wouldn't have as much equipment and wouldn't have the same requirements on availability."
Bjarne believes Cisco is actually focussing on the high end because smaller companies would not be willing or able to pay a premium for the privilege.
"The drawback would be that the lower end of the market would most likely not invest in the patch management infrastructure required but the higher end would be more likely to allocate the funding," said Bjarne.