Tuesday, January 09, 2007

Cisco Stuff...again

This post started as a reply to a comment but kind of took on a life of its own…

It’s funny you mention this. Cisco is an odd duck in the security space for a few reasons, the first being that they really don’t want anyone to have information on their vulnerabilities. This is different from a lot of other vendors, who belong to information-sharing groups and such and will work with security vendors to help make sure that there is as much protection as you can get for a vulnerability. They do this by sharing details and sometimes even packet captures of vulnerabilities to make sure protection can be quickly and accurately crafted.

They claim this is for “national critical infrastructure” reasons and whatnot. Responses are pretty general: “a single router exploit could bring down the internet and countless government and military installations.” (Note to readers: Cisco makes my point about buying single-vendor solutions for me with these kinds of responses. If you are planning disaster recovery strategies, do your security officer a favor and make sure it’s a diverse solution.)

I do not doubt their claims, but they seem to imply that sharing information with other vendors is the equivalent of handing it to hackers. You want to know the real reason they don’t share? Ever been in a Cisco sales pitch? I sure have and this is what I heard:

“If you have a Cisco shop you HAVE to buy Cisco security products. We don’t release details to any other security vendor so if you want to be able to protect against threats to Cisco gear you need to buy Cisco security gear!”

Cisco will not be giving up a competitive advantage like that any time soon, and if anyone tells you they would, look at them like they have just grown a second head. What’s the point of all this, you may be asking? Because Cisco likes to keep their technology closed and they don’t share things like security information with any third party, how can you even be sure they fixed a problem?

What is the solution for this problem? Third parties that can reverse Cisco security updates and provide that information to interested parties. So to answer the initial question: yes, we are looking at Cisco products.

2 comments:

George said...

Yup, that's Cisco alright and I can attest to your experience. Competitive advantage is what it's all about. Besides, most companies I know don't bother patching their Cisco gear. We're lucky if they patch the Internet-facing gear. Sure, we never hear about these kinds of break-ins because the type of people that hack routers aren't trying to rack up a few points on Zone-H.org so they can brag to their friends. He who owns the router is god because they redirect DNS requests and redirect email. If you can redirect email you can easily make requests for digital certificates for putting up fake SSL servers or even get a code signing certificate.
