Cisco in single SSH key security stuff-up A red-faced Cisco has pushed out a patch for a bunch of virtual security appliances that had hard-coded SSH keys. Since the keys are associated with the virty appliances' remote management interface, a successful login would let an attacker waltz through the devices. The Borg has announced that its Web Security Virtual …
This post has been deleted by its author
I don't get the fascination with Cisco routers outside of the datacentre.
I have to say, on the shelf next to me are several Cisco routers that I have refused to install after the various faffing with firmware, closed-off configuration tools that you can't download without support contracts, lots of updates pending on them, hideous configuration methods, etc..
My network, there are Cisco switches and wireless points throughout. They are much nicer to configure because they're aimed at doing so but they're entirely different beasts.
The incoming leased lines etc. all have ISP-managed Cisco stuff that they claim they need on our end for failover, remote configuration, etc. They do nothing more than an Ethernet switch or fibre-convertor would, from what I can see.
But on the boundary, between the two - at our interface between "lots of third-party junk and untrusted Internet" and "trusted internal network that we need to secure", we actually use Linux-based stuff (Smoothwall).
I'm sure if you're an ISP they're great, but I never see anything but people struggling to configure them and keep them up to date and patch against ridiculous things. The failover protocols they use aren't complex or unique in any way.
And no amount of fancy ISP kit disguises the fact that their supplied devices take a fibre or Ethernet at one end and push it to an Ethernet at the other end and do NOTHING to it in the meantime. Some of the configurations that you can pull from such kit (if the kit even ALLOWS you to pull configs back) are so basic as to be worthless. They have to forward all traffic, the incoming fibre/Ethernet only has a limited IP range anyway, it doesn't stop any kind of DDoS or unsolicited traffic coming in (I wouldn't want it to, they'd just break things), it doesn't do any kind of firewalling (my internal router still sees gratuitous attempts to ping, malformed packets, SYN-floods, etc.) and the only "fancy" thing is some HSRP or whatever it's called to let one router ping it's partner and failover if something is amiss. I've literally got ISP-supplied routers here with an IOS config that I could fit in a small screen on notepad. At one point I assumed it was for protecting their network from bad traffic from us, but that doesn't even seem to be true either (and, surely, a Cisco on their other end is their protection against that - I could swap out the in-and-out cables on their routers here in a trice).
I always wonder why they bother for the majority of business lines compared to just "And this is your incoming, unfiltered Internet cable" and leaving it at that.
Last time one of them had to configure a Cisco router, it came pre-configured from the ISP, then needed five engineer visits before it would pass a bit of traffic, then was sent back twice, then had to be manually configured in person on-site (at our insistence) by the head of the technical support, and then they would not configure it for our site needs (e.g. port-forwards, etc.) or license us for the tools to configure it via the GUI (only via telnet in IOS syntax), so they just left it at the point we'd need to put another router on the end of it anyway, That one's still on the shelf beside me, and I just plugged the unfiltered connection into our Linux-based router instead.
I worked for some years on Freesco - a project designed to make a single-bootable-floppy Linux router that run on any PC with network cards (or modems or whatever). It was back in the dial-up, 10Base2 days, but even back then I used to use it as it was more powerful - coupled with some junk of a PC from the rubbish heap - than anything the fancy expensive Cisco routers could manage. pfSense etc. are it's logical successors nowadays but I still battle to find out quite what people expect to get from a Cisco router with only an "in" and an "out" Ethernet port that they couldn't manage with required downstream devices themselves anyway.
Cisco does nothing special.
However it does a few things well, the hardware is stable, (and so is IOS for the most part), they have good documentation, and has lots and lots of features that are/may come in handy, also there is plenty of documentation online, and the method of configuration is pretty much a de-facto standard in the industry. Their switches are bread and butter and an expectation on any large environment.
ISP's do not love Cisco, people who only know Cisco do.
There is still an advantage of command line over the GUI when configuring Cisco equipments. You can calmly prepare and verify the configuration in a text file (usually starting from an existing one) then simply paste or upload it into the device. This gives you the choice of merging the settings with the existing configuration or overwriting it entirely.
Now try doing this in GUI and come back to us and share the experience.
From their description on the "advisory page":
A vulnerability in the remote support functionality of Cisco WSAv, Cisco ESAv, and Cisco SMAv Software could allow an unauthenticated, remote attacker to connect to the affected system with the privileges of the root user.
This is not an accidental vulnerability. They pre-installed SSH keys to allow [someone unknown] to access all of these systems. That's called a back door.
No kidding! Like all but two of us didn't see this coming years ago.
--AC
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
