Cisco customers making themselves vulnerable

Companies are refusing to update their router operating systems even though they contain known vulnerabilities, leaving their network full of security holes, according to Cisco's top security exec.

"The fragile nature of our networks are at an all-time high," said John Stewart, chief security officer of Cisco, in his day two keynote at the AusCERT 2008 security conference on the Gold Coast.

Stewart claims that many of Cisco's customers are still running Internetwork Operating System (IOS) version 10.3, which was released on 13 April 1995. The current release is version 12.4.

Over the past few years, a number of serious vulnerabilities have been discovered in older versions of IOS. In 2005, AusCERT issued an alert to its members warning of serious flaws in IOS and recommended they upgrade their router operating system immediately.

Stewart said these warnings are falling on deaf ears.

"I can give them the list of known vulnerabilities, but customers still don't want to touch it because it's working ... I think there's a certain level of 'well it's working, don't touch it, because it's fragile, it might break'. I understand that, however I don't find it acceptable," he said.

The problem is nothing new. In 2005, Stewart told ZDNet.com.au that Cisco customers had a "hygiene problem" because they were failing to update their router OS.

"When you actually tell your customers they have hygiene problems, then that's not exactly going over very well. But the key point I wanted to bring up again, is that network infrastructure is rarely upgraded," said Stewart today.