Cisco Systems Inc.'s Internetwork Operating System (IOS) has been under fire recently following a series of new security vulnerabilities. Experts say the flaws pose limited risk to enterprise networks and are unlikely to cause major problems.
IOS is the software inside the networking giant's routers and newer switches that allows the devices to be configured and managed. During the past few weeks, IOS has been pummeled by a steady stream of security flaws, including the following:
Cisco spokesman John Noh said all four vulnerabilities were discovered through the vendor's routine testing processes and the company has released patches or offered upgrade options for all affected products.
The vulnerabilities are unrelated, Noh said, but Cisco chose to distribute information on three of them simultaneously last week so customers would have flexibility in determining their upgrade paths and avoid potentially redundant upgrades.
Noh said Cisco does not rank IOS vulnerabilities in terms of severity; instead it advises customers to make their own severity determinations based on the information provided in its advisories.
However, the vulnerabilities highlight how many different ways IOS can be compromised, and call into question how many as-yet-undiscovered problems may still exist.
Despite the volume of problems, Zeus Kerravala, vice president with Boston-based research firm Yankee Group, said enterprises shouldn't be alarmed. He said as long as companies are monitoring their networks and watching for potential exploitation attempts, their networks are at relatively low risk.
"When you have a software system that's as widely distributed as IOS, it's going to have bugs," Kerravala said. "I think this is something we'll see consistently moving forward with IOS maturing, but one thing enterprises can do is move to a configuration management system."
It's common for enterprises to use dozens or even hundreds of different versions of IOS on various devices, as over time Cisco has issued hundreds of subreleases to patch security holes or resolve compatibility issues with network interface cards or IP stacks.
For instance, Posluns said Cisco uses the same code base on many of its products, but when it makes a small addition, the resulting product is given a new subversion number. That's why many subversions are often affected by the same problem.
Since upgrading IOS can be a tedious process, Kerravala said companies often upgrade devices only when a critical issue mandates it, or when Cisco ends support for a particular version.
Kerravala said because device management has become such a burdensome process, there's an opportunity for third-party configuration management vendors -- such as Intelliden Corp., Voyence Inc. and Rendition Networks, which was recently acquired by Opsware Inc. -- to grow their businesses by making the upgrade process easier.
Posluns said despite the flaws, IOS is still one of the better network operating systems available today, and that there's no reason to panic. "I wouldn't see this as a reason to change anything in the way that we do things," he said.
Still, Kerravala said it's unlikely that an enterprise would ever face a network attack that exploits one of the recently announced IOS vulnerabilities, because several specific conditions need to be in place, and an attack usually demands knowledge of the inner workings of the target network.
"I'm not going to say it would take a perfect storm to exploit one of the vulnerabilities," said Kerravala, "but I think the fact that Cisco is willing to reveal them shows that they're looking for them and troubleshooting them."