Sysadmins, here's your weekly Cisco bug-splat

Cisco has patched a bag of bugs in its IOS and IOS XE software, with three denial-of-service bugs and one authentication bypass via SSH. The SSHv2 bug, here, only works if the attacker comes armed with an RSA-configured user ID and public key. Cisco's SSHv2 implementation then allows the attacker to log in with the privileges …

  1. jz879546213

    patch the gibson!

    As a current student of Cisco's CCENT course, I would like to state that network security by design is currently being drilled deeply into my head. I am currently working on VLANs, some of their attack vectors, network segregation and port security. While the SSH bugxploit is dangerous, it can be mitigated with planned-out VLANs, permission levels, and/or relegating mission-critical equipment configuration/modification to console-only connections. While inconvenient and probably not an option in many cases (I can't imagine management would enjoy having to send an admin cross-country to reconfigure a switch or router), security is always inverse to usability/ease of access.

    At least the other bugs can only cause a reload of the vulnerable equipment. Yes, that can be damaging in its own way, but attackers don't have the possibility to glean sensitive network information, unlike with the SSH authentication bug. Many of those vulnerable features can be disabled or segregated, and having a fail-over network setup can minimize the downtime. In my opinion, at this time, a fail-over network should be running, with at least the outer edges using equipment from a different vendor, and the internet-facing IP should be different, with DNS to help the redirection of traffic. How that might ever work in an actual large business network, let alone the acquisition, training, etc., I cannot even guess at. Ultimately, if your forward-facing Cisco equipment has been compromised in some way, then having a fail-over with the exact same equipment just sounds like tempting fate.

    At the end of the day, a network should be like an ogre. It should have layers. We all should be a bit more concerned with that physical DoS attack wherein high voltage is fed through the Ethernet connector and gets passed around all the devices like some sort of circuit-exploding herpes.

    1. Anonymous Coward

      Re: patch the gibson!

      The issue is that using separate vendors for the internal and external firewalls more than doubles your cost.
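    The mitigation jz879546213 describes above (keep management access on a dedicated VLAN, and push the most critical boxes to console-only) is something you can check for mechanically. Below is an added example, not code from the article or from either commenter: a small Python audit that reads a saved IOS-style running-config and flags VTY lines that have no inbound access-class, that accept more than SSH, or that sit on a device where RSA-based user authentication (the `ip ssh pubkey-chain` feature, the precondition the article gives for the SSHv2 bypass) is turned on. The two config fragments are constructed for this example; the command names are the standard IOS ones, but their exact syntax on any given release is an assumption here, not something the article states.

```python
import re

# Constructed running-config fragments for the example (not from the page or from Cisco).
# Command syntax is assumed to follow standard IOS; check it against your own platform.
WEAK_CONFIG = """\
hostname edge-rtr
ip ssh version 2
ip ssh pubkey-chain
 username ops
  key-hash ssh-rsa 0123456789ABCDEF0123456789ABCDEF
line con 0
 login local
line vty 0 4
 login local
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname edge-rtr
ip ssh version 2
ip access-list standard MGMT-ONLY
 permit 10.99.0.0 0.0.0.255
 deny any log
line con 0
 login local
line vty 0 4
 access-class MGMT-ONLY in
 login local
 transport input ssh
"""


def parse_sections(config):
    """Split an IOS-style config into (top-level command, [indented sub-commands]) pairs.

    IOS nests sub-commands by leading whitespace; blank lines and '!' separators are skipped.
    """
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit_vty(config):
    """Return a list of human-readable findings about remote management exposure."""
    findings = []
    sections = parse_sections(config)
    top_level = {header for header, _ in sections}

    # RSA-based user auth is the feature the article says the bypass needs to be present.
    if "ip ssh pubkey-chain" in top_level:
        findings.append(
            "ip ssh pubkey-chain is configured: RSA-based user authentication is enabled, "
            "which is the precondition the SSHv2 bypass requires"
        )

    for header, children in sections:
        if not re.match(r"line vty\b", header):
            continue

        transport = [c for c in children if c.startswith("transport input ")]
        if not transport:
            findings.append(f"{header}: no explicit 'transport input'; set it to ssh or none")
            continue
        allowed = transport[-1].split()[2:]
        if allowed == ["none"]:
            # Console-only management for this line, as the comment suggests for critical gear.
            continue
        if allowed != ["ssh"]:
            findings.append(
                f"{header}: transport input {' '.join(allowed)}; restrict to ssh (or none)"
            )

        has_access_class = any(
            c.startswith("access-class ") and c.endswith(" in") for c in children
        )
        if not has_access_class:
            findings.append(
                f"{header}: no inbound access-class; reachable from any VLAN that routes here"
            )
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit_vty(cfg) or ["no findings"]:
            print(" -", finding)
```

Feed it the output of `show running-config` saved to a file; an empty result for the hardened fragment and three findings for the weak one is what you should see. The access-class check is the part that encodes the commenter's VLAN argument: an ACL that only permits the management subnet means the bypass is only reachable by someone who has already got onto that VLAN.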

  2. Anonymous Coward

    Science

    Why is this article in the "Science" category? I would have thought "Security", as I didn't read anything sciency...
