No need to rush network patching for Spectre and Meltdown

Security experts said Spectre and Meltdown pose a low risk to corporate networking gear. Nevertheless, vendor patches should be applied following thorough testing.

The recently discovered security threat in CPUs from nearly a dozen manufacturers poses a low risk to corporate networking gear, so operators have time to test vendors' patches thoroughly.

That's the take of security experts contacted by SearchNetworking following the discovery last week of the Spectre and Meltdown vulnerabilities that affect Intel, AMD and ARM chips. In response, Cisco and Juniper Networks have released patches rated medium and low risk, respectively, for a variety of products.

The low risk of Spectre and Meltdown to switches and routers means network managers have the time to thoroughly test the patches to minimize their impact on hardware performance, experts said.

"If you're getting a firmware update, you need to patch," said Rob Westervelt, analyst at IDC. "[But] the issue is whether you just deploy the patch or test it thoroughly and make sure you don't break any applications or anything else."

Roughly 20 CSOs and IT security professionals interviewed by IDC were taking a methodical approach to applying Spectre and Meltdown fixes across all systems.

"While it is top of mind, it's not something that they're immediately jumping on to patch," Westervelt said. "They are using established best practices and testing those patches first."

Network performance at risk

Westervelt warned there is the possibility network performance will suffer. "In some cases, it could be very costly."


Indeed, Microsoft reported in a blog post that the performance impact of patches for the PC and server versions of Windows would range from minor to significant, depending on the age of the operating system and the CPU. "I think we can expect a similar variety of performance impacts across other [vendors'] products," said Jake Miller, a senior security analyst at IT consulting firm Bishop Fox, based in Tempe, Ariz.

Security pros expect hackers sophisticated enough to exploit the hard-to-reach vulnerabilities to target mostly servers in large data centers that host cloud computing environments. Because of the level of expertise needed to take advantage of the flaws, hackers working for nation states are the most likely attackers, experts said.

Exploiting the CPU holes would involve crafting code that takes advantage of how some processors anticipate features computer users will request next. In preparation for those requests, processors will load into memory valuable data and instructions that hackers can steal.

"The threat is significant, but currently is limited to highly sophisticated attackers and hacking groups with the means to carry out multi-staged targeted attacks," IDC said in a research note. "Financially motivated cybercriminals are more likely to continue to use more accessible, time-tested methods to retrieve passwords and sensitive data."

Nevertheless, even a low risk to networking gear is worth the time needed to fix it. "It's better to be safe than sorry," said Jonathan Valamehr, COO and co-founder of cybersecurity company Tortuga Logic Inc.

3 comments
How is your organization handling patches for switches and routers affected by Meltdown and Spectre?
Actually, Spectre can't be used to steal if a company uses multilevel protection. Meltdown can be better fixed by removing kernel and physical memory from the user's memory mapping, which makes sense no matter if Meltdown exists or not, as such mapping violates basic protection rules. For network devices, these issues can't be exploited in the real world, and the risk of patches overcomes the risks of exploiting by 10x. The main risk is for paravirtualization clouds, where other VMs and kernels can be in the user's address space. The overall risks are highly overestimated, actually, except for paravirtual public clouds (which must apply fixes ASAP).

Thanks for clarifying, so why would anyone apply the patches released by Cisco and Juniper for switches? I assume it's because the platforms for running applications on the switches need to be patched, right?