Thursday, January 04, 2007

Cisco Security

It's funny: I was talking about buying single-vendor solutions and security problems this morning, and then this pops up:

A vulnerability in NAC is kind of like buying a bulletproof vest that's not bulletproof. NAC is supposed to help stop security events, and here it seems network admins have to spend time fixing the fix for security problems. It seems like a python feeding on itself...

This is the reason vendors should be pushed to have their products certified by a third party. Not the "we ran a vuln scanner and found nothing" kinda cert; I mean something that takes a disassembler and maybe a screwdriver. Of course no vendor really wants anyone looking that closely at anything they do.

"Trust us... it's safe" is what they want you to believe. Would you jump from a plane with a parachute packed by someone you don't know? Neither would I.

Augusto Barros said...

Do you guys know about anyone looking into the agent software being used by NAC (is it Cisco Trust Agent?) to see if it really has a decent architecture?

It always seemed to me that a networking device asking a computer if it "is secure" is not a good way to deal with the problem. Maybe they are using some ninja digital-signature-based technique to reduce the risks from trusting the evaluator to be in the evaluated computer, but even this could be tricked by clever malware.
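To make the architectural concern in the comment above concrete, here is an added example (my own illustrative code, not Cisco Trust Agent, not Cisco's protocol, and not anything from the original post). It assumes a hypothetical posture-check exchange: the network device sends a fresh nonce, an agent on the endpoint answers with a posture report plus an authenticator computed with a key that lives on the endpoint, and the device verifies the authenticator before admitting the host. An HMAC stands in for the digital signature (the point is the same for either: the verifier learns that the endpoint's key was used, not that the report is true). The field names, the key, and the simulated host state are all made up for the demonstration. The subverted agent shows the failure mode the comment worries about: malware with the same access as the agent can read the key and answer the challenge with a clean report, so freshness and authenticity checks both pass and the host is admitted anyway.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: the agent's key is stored on the endpoint it is supposed to assess.
# That is the root of the problem: whatever runs on the host can read it.
AGENT_KEY = b"example-agent-key-resident-on-endpoint"  # constructed value


def authenticate_report(key: bytes, report: dict, nonce: str) -> str:
    """Compute the authenticator over (nonce, report). HMAC stands in for a signature."""
    payload = json.dumps({"nonce": nonce, "report": report}, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_report(key: bytes, report: dict, nonce: str, tag: str) -> bool:
    """Constant-time check that the tag was produced over this nonce and report."""
    return hmac.compare_digest(authenticate_report(key, report, nonce), tag)


class Endpoint:
    """Simulated host state; only the host itself can observe it directly."""

    def __init__(self, av_running: bool, patched: bool):
        self.av_running = av_running
        self.patched = patched


def honest_agent(host: Endpoint, nonce: str):
    """Well-behaved agent: reports what it actually observes on the host."""
    report = {"av_running": host.av_running, "patched": host.patched}
    return report, authenticate_report(AGENT_KEY, report, nonce)


def subverted_agent(host: Endpoint, nonce: str):
    """Malware that has replaced or hooked the agent. It has the same key and
    answers the fresh nonce with a fabricated clean report, ignoring the host."""
    report = {"av_running": True, "patched": True}
    return report, authenticate_report(AGENT_KEY, report, nonce)


def replaying_agent(host: Endpoint, nonce: str):
    """Attacker who captured an old clean report but does not hold the key.
    The stale nonce means the authenticator will not match the new challenge."""
    old_nonce = "0000000000000000"
    report = {"av_running": True, "patched": True}
    return report, authenticate_report(AGENT_KEY, report, old_nonce)


def network_device_decides(agent, host: Endpoint) -> str:
    """The verifier's side of the exchange: challenge, check authenticator, check posture."""
    nonce = secrets.token_hex(16)  # fresh per exchange, defeats replay
    report, tag = agent(host, nonce)
    if not verify_report(AGENT_KEY, report, nonce, tag):
        return "quarantine: bad authenticator"
    if report.get("av_running") and report.get("patched"):
        return "admit"
    return "quarantine: posture failed"


if __name__ == "__main__":
    sick = Endpoint(av_running=False, patched=False)
    well = Endpoint(av_running=True, patched=True)
    print("honest agent, healthy host:   ", network_device_decides(honest_agent, well))
    print("honest agent, unhealthy host: ", network_device_decides(honest_agent, sick))
    print("replayed old report:          ", network_device_decides(replaying_agent, sick))
    print("subverted agent, unhealthy:   ", network_device_decides(subverted_agent, sick))
```

The nonce and the authenticator do real work: a captured report cannot be replayed, and a report from something without the key is rejected. What they cannot do is distinguish a truthful agent from a lying one, because the verifier has no evidence about the host except what the host's own software chooses to send. Moving that evidence outside the reach of host software (a measurement from hardware the malware cannot impersonate, or checks the network performs itself) is the only thing that changes the last line of the output.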