Analysis: Cisco, Microsoft Face Scrutiny Following Barrage Of Security Alerts

Customers are judging the top vendors as much on how they respond to vulnerabilities as whether the vulnerabilities exist.

Different Approaches

Cisco and Microsoft have strikingly different approaches to managing vulnerabilities. Microsoft's monthly Patch Tuesday works for Windows, which can accept a patch even while a PC is in use. Cisco's ability to issue regular patches is limited by the Cisco IOS, which can only be patched if it's taken offline and rebooted.

Because of that complexity, Cisco says, issuing patches for every vulnerability doesn't make sense; instead, it often offers customers free software that lets them work around a problem. In response to a flaw found in July in the Internet Key Exchange protocol used by Cisco's VPN 3000 Series concentrators to enable remote IPsec VPN access, Cisco recommended that customers protect themselves by implementing Call Admission Control for IKE, which caps the number of simultaneous connections on a router.
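What the Call Admission Control workaround mentioned above looks like on an IOS router, as an added illustration (not configuration from the article or from Cisco's advisory); the numeric limits are constructed values and should be tuned to the router's expected peer count and CPU headroom:

```text
! Constructed example IOS configuration (values are assumptions, not Cisco's recommendation)
! Cap the total number of established IKE security associations; new peers are
! refused once the limit is reached, bounding resource use from connection floods.
crypto call admission limit ike sa 50
! Cap IKE SAs that may be mid-negotiation at once, which is the state a
! resource-exhaustion attempt fills up.
crypto call admission limit ike in-negotiation-sa 10
! Drop new IKE requests while CPU utilization exceeds this percentage,
! so the router keeps forwarding traffic for existing tunnels.
call admission limit 80
```

Verify with `show crypto call admission statistics`, which reports the configured limits alongside counters of accepted and rejected IKE requests, so a rising rejection count is the defender's signal that the cap is being hit.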

The most recent crop of Cisco vulnerabilities is "pretty standard stuff," says George Roettger, Internet security specialist at NetLink Services and a Cisco customer. More troubling is the number of vulnerabilities found in Cisco security products, such as the PIX firewall, CS-MARS, and IPS. Says Roettger, "If any product should have been designed for security from the ground up, shouldn't these products represent the best of the best?"

Cisco's general approach is to keep mum unless it has an answer. "Customers don't want to know about a vulnerability just for the sake of knowing," a Cisco spokesman says. "They want to know when they can do something about it."

Summer Blues

Cisco in July issued vulnerability alerts for three products:

>> CS-MARS: Could allow unauthorized access
>> CISCO IPS 5.1: Denial-of-service attacks could stop packet processing and security alerts
>> UNIFIED CALL MANAGER 5.0: A logged-in admin could gain root access privileges and execute code, overwrite files, and launch denial-of-service attacks

Yet just the breadth of Cisco's product portfolio could leave customers feeling insecure. "I don't condone their approach to keeping security-related information bottled up, but they have so many different software versions that run on so many different platforms," says Greg Shipley, CTO of security consulting firm Neohapsis.

The differences between Cisco's and Microsoft's approaches are likely to dwindle over time. A year ago, Cisco started development on modular versions of IOS that would allow it to be patched without a major disruption. Cisco already offers a modular version of its IOS known as IOS XR, which is included in routers sold to service providers. The company's Catalyst 6500 switch can be patched without the system being taken offline. This migration will take years before it covers the majority of Cisco's products. At that time, Cisco plans to determine if customers want a more regular patching schedule, the spokesman says.

Given the impossibility of impenetrable code, customers should focus on how their vendors react as problems arise. Microsoft showed up at Black Hat in force, even providing a series of security sessions related to its upcoming Windows Vista, just to get a feel for the threats it will face when the operating system is released next year. Responding to a demonstration of a potential vulnerability in Vista, Austin Wilson, Microsoft's director of Windows product management, said, "This is exactly why we're here." It's an offensive approach, and one Cisco would be wise to adopt.