A Matter Of Time
There hasn't been a successful large-scale attack on Cisco gear. But the exploitation of a major networking vulnerability in an unpatched system will happen, perhaps within a year, now that more people are aware of the type of hack Lynn described, predicts George Roettger, Internet security specialist for regional Internet service provider NetLink Services Inc., which serves Ohio and surrounding areas. "You could now wipe a router clean or reroute traffic through it," he says.
Patching IOS is part of the answer, but it's not exactly easy. "To fix it, you have to put a whole new image on a device and restart it," says John Pescatore, VP for Internet security at IT advisory firm Gartner. Cisco generally updates the operating system twice a year, including any new patches, but there's no set schedule for either those releases or individual patches. Competitors 3Com and Juniper Networks tend to issue updates for their less-complex router operating systems as often as four times a year. Still, customers affected by any vulnerability that Cisco discloses are entitled to a free IOS upgrade even if they don't own a maintenance contract, which can run about 20% of the cost of a router.
Cisco has taken steps to make patches and upgrades less of a hurdle. Last year, Cisco introduced IOS XR, a modular version of IOS designed specifically for the Cisco CRS-1 Carrier Routing System. IOS XR and CRS-1 took Cisco four years to develop and cost about $500 million. IOS XR, created to support the CRS-1's multi-CPU distributed architecture and the requirements of telecom service providers for highly reliable voice and data packet infrastructures, also has been available on the Cisco XR 1200 Series carrier-grade routers since April. This modular design eventually will filter down to other Cisco hardware, including its enterprise-class routers, though the company won't say when.
Complexity in IOS keeps low-level hackers from attacking Cisco's systems, Laidlaw's Turner says.
Despite the concerns about IOS, or maybe because of them, Cisco's network-security business is booming. The company has expanded its security technology group, which in 2004 reported more than $1 billion in revenue, to include more than 1,500 engineers. In the past year, Cisco has spent $148 million to buy network appliance maker FineGround Networks, security and VPN software provider MI Secure, and Protego Networks, a provider of security-monitoring and threat-management appliances. Such moves have broadened Cisco's portfolio of security products and given customers the option of buying layers of security they previously had to get from other vendors.
The rapid growth of Cisco's security business seems to indicate that customers haven't lost faith in Cisco's ability to keep their networks safe. That's even after incidents like the episode in August when Cisco reported that a vulnerability in the search tool on Cisco.com could be exploited to expose passwords for the company's employees, customers, and business partners. The company was forced to reset passwords to remedy the situation.
Even the theft of its operating system code last year didn't shake some customers. "Almost every vendor has an incident with code being stolen if they have enough people working for them," Lukas says.
Cisco's solid reputation overrides any lingering concerns among some customers. The company last year won a contract for the National Law Enforcement Telecommunication System, an interstate law-enforcement network that connects 18,000 local, state, and federal agencies, to replace an aging bisynchronous transmission-based network infrastructure with IP-enabled Cisco routers, switches, and firewalls, as well as an intrusion-prevention system. "I think there's a little bit of concern, but at the same time I believe in Cisco as a company," says Bill Phillips, the network's security specialist.
Cisco's recent bouts with security reinforce the need for constant vigilance--layered security, patch-mindedness, and careful monitoring for unusual patterns that could tip off a security threat. Expect the unexpected, then don't be surprised when it happens.
The 'Unthinkable' Becomes Possible