The challenge of Cisco Network Device Patching
We haven't posted anything about Ciscogate for quite a while now. However, I came across this BlackHat posting dated April 25th 2006, which was quite interesting. It was written by a BlackHat member who works for Gartner.
Traditional, monolithic IOS is a proprietary operating system that runs Cisco routing and most switching devices. It has required an image replacement and reboot to upgrade. IOS is not able to be patched while running. The criticality of routers to the operation of a network means that rebooting a router typically takes down the network and severs all connections, which can crash applications and have serious consequences for businesses that rely on uninterrupted network connectivity.
The monolithic nature of traditional IOS where a patch required a new binary image resulted in over 850 discrete production builds of IOS over 20-30 product families. This situation raises the complexity of IOS management in most large enterprises. Most enterprises are not able to keep track of which build is running on each of their hundreds or thousands of networking devices. Cisco has gone through a streamlining process to reduce the number of IOS versions about 75% from 850 discrete builds to about 150 discrete builds by YE05. Despite the reduction in IOS builds, most large organizations find themselves running dozens of different IOS versions in their network.
Cisco's modular operating system ION (Q106 planned) makes it easier to patch certain subsystems without a reload but ION will only run on the 6500 series through 2006. ION is an internal name. The external name will be ModularIOS. Cisco is also working on full IOS In-Service-Software-Upgrade (ISSU) functionality to support reloading IOS without service interruption. This is particularly important for upgrading edge routers that point at or within the service provider cloud. Initial deliveries of ISSU, beginning on the Catalyst 12000, are projected by Cisco to be Q206.
Gartner recommends that organizations upgrade to modular IOS over the next year and develop more mature processes to address network device patching. To begin with, enterprises should familiarize themselves with Cisco's disclosure process and subscribe to and review Cisco vulnerability disclosures. This is a shift in perspective for most organizations. Network device patching will likely remain more challenging than server operating system patching but organizations need to move towards improved vulnerability management processes. Some Gartner clients have not upgraded IOS in over 5 years on certain devices. This is unacceptable given the changing threats against IOS, especially on edge routers.
CATEGORIES: ciscogate, ios, vulnerabilities, best practices
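The posting notes that most enterprises cannot say which build runs on which device, and that monolithic IOS cannot be upgraded without a reload. The sketch below is an added example, not part of the original posting or any Cisco tooling: it groups devices by build from collected `show version` text and uses uptime as a lower bound on image age. The hostnames and outputs are constructed samples, and the five-year threshold is taken from the posting's remark about devices not upgraded in over 5 years.

```python
import re
from collections import defaultdict

# Constructed sample `show version` excerpts (hypothetical hosts, not real captures).
SAMPLE_OUTPUTS = [
    "Cisco Internetwork Operating System Software\n"
    "IOS (tm) 7200 Software (C7200-JS-M), Version 12.3(9), RELEASE SOFTWARE (fc2)\n"
    "edge-rtr-1 uptime is 5 years, 3 weeks, 2 days, 4 hours, 12 minutes\n",
    "Cisco Internetwork Operating System Software\n"
    "IOS (tm) 7200 Software (C7200-JS-M), Version 12.3(9), RELEASE SOFTWARE (fc2)\n"
    "edge-rtr-2 uptime is 2 weeks, 3 days, 1 hour, 40 minutes\n",
    "Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(25)SEE, "
    "RELEASE SOFTWARE (fc1)\n"
    "access-sw-7 uptime is 6 weeks, 1 day, 3 hours, 5 minutes\n",
]

IMAGE_RE = re.compile(r"\((?P<image>[A-Za-z0-9_-]+)\), Version (?P<version>[^,\s]+)")
UPTIME_RE = re.compile(r"^(?P<host>\S+) uptime is (?P<uptime>.+)$", re.M)
UNIT_DAYS = {"year": 365, "week": 7, "day": 1}


def parse_show_version(text):
    """Extract host, image name, version and uptime (whole days) from one output."""
    image, uptime = IMAGE_RE.search(text), UPTIME_RE.search(text)
    if not image or not uptime:
        raise ValueError("unrecognised show version output")
    days = sum(int(n) * UNIT_DAYS[unit]
               for n, unit in re.findall(r"(\d+) (year|week|day)s?", uptime["uptime"]))
    return {"host": uptime["host"], "image": image["image"],
            "version": image["version"], "uptime_days": days}


def inventory(outputs, max_uptime_days=5 * 365):
    """Group hosts by (image, version); list hosts whose uptime exceeds the limit.

    A monolithic IOS upgrade requires a reload, so uptime above the limit means
    the image is at least that old. The reverse does not hold: a crash or power
    loss also resets uptime, so a short uptime says nothing about image age.
    """
    by_build, stale = defaultdict(list), []
    for text in outputs:
        rec = parse_show_version(text)
        by_build[(rec["image"], rec["version"])].append(rec["host"])
        if rec["uptime_days"] > max_uptime_days:
            stale.append(rec["host"])
    return dict(by_build), sorted(stale)


if __name__ == "__main__":
    builds, stale = inventory(SAMPLE_OUTPUTS)
    for (image, version), hosts in sorted(builds.items()):
        print(f"{image} {version}: {', '.join(hosts)}")
    print("not reloaded within limit:", stale)
```

The number of keys in the returned build map is the count of distinct builds in the estate, which is the figure the posting says most organizations cannot produce.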