Life's certainties: Death, taxes, and Cisco patching more serious vulnerabilities

Cisco has issued an update to address security flaws in three of its networking and security offerings. Switchzilla's latest security bundle includes fixes for 18 CVE-listed vulnerabilities in the firmware for the Adaptive Security Appliance, Firepower Management Center, and Firepower Threat Defense lines. Administrators are …

  1. aaaa
    FAIL

    Still no updates for in-contract non-EOL Cisco devices

    So I switched from HP gear to Cisco a few years ago, but recently discovered that our in-contract hardware, with an EOL of 2022, is no longer receiving security updates, even though that's exactly what the service contract promises.

    https://community.cisco.com/t5/small-business-security/asa5505-software-update-to-9-4-to-resolve-security-advisory/m-p/3918845/highlight/true#M7158.

    For now I'm willing to suspend disbelief and assume the left hand hasn't quite understood what the right hand has done. Waiting to hear back from their legal dept. If they don't start issuing security updates for in-contract hardware, then there is no way I'll ever get permission to buy any Cisco kit ever again - and I'm quite sure I'm not the only one. Up until now it was one advisory - now with this latest set it's 3, but curiously the 'new' list includes one actually fixed for ASA5505 in IOS 9.2.4.8, so I don't know how that affects my theory...

    1. Anonymous Coward

      Re: Still no updates for in-contract non-EOL Cisco devices

      You purchased a low end (<£500) product 1+ years after the replacement product was announced and have been caught by Cisco EoLing the software before the hardware. You may have even paid less as it was nearing its end of sales and resellers were looking to clear their inventory.

      The writing was on the wall for the 5505 in 2012 when the majority of the ASA range was replaced by the ASA-X models. I believe Cisco were hoping to kill off the 5505 and migrate users to larger, slightly more expensive units (rack mounted 5512X ~£1k), but the 5505 proved more popular than expected leading to the eventual announcement of the 5506X in 2014 (two years before you purchased the 5505) and the 5506X was available in February 2015 (1+ years before you purchased the 5505).

      While this sucks, if the purchase was via a reseller, they should have pushed you towards the 5506X and may be willing to offer you a heavily discounted replacement 5506 - if you ordered via a website with no direct interaction with a salesperson for advice, it's likely a case of buyer beware.

      1. elaar

        Re: Still no updates for in-contract non-EOL Cisco devices

        Okay, so take the 5506X (that I have), any updates now disable Firepower because it requires 8G memory. So a product that is quite some time away from being EOL can't be updated further without losing the main functionality you bought it for. You can't upgrade the ram, so you're stuck with it and any bugs/vulns.

        So your argument of them pushing for a 5506X (with the only main benefit over the 5505 being Firepower) would have led down a similar path.

        We've had so many issues with Firepower, and bugs/vulns, for kit that isn't cheap, it's no wonder they're rapidly losing market share.

        1. Anonymous Coward

          Re: Still no updates for in-contract non-EOL Cisco devices

          I'm not going to argue over Firepower - in my experience it is still 1-2 years away from being a usable product in Enterprise environments. The 5506X is underpowered (both RAM and CPU) to handle new Firepower versions and was quickly replaced (along with the 5515X) with faster models. Given that most of the old Firepower versions are broken or feature incomplete, it's hard to stick with them.

          There is still usable ASA code - while it may be light on the next-gen firewall feature side compared to its competition, as a Swiss Army knife of features for requirements where deep packet inspection isn't required and you are combining multiple functions, it is still useful.

          If you want to start calling out hardware manufacturers for low-/mid-range products not really doing what they are supposed to, I have a long list of network and storage products that we can add...

  2. Anonymous Coward

    Hmm, choices, choices

    I'm in Europe and I want less spying gear that's moderately safe. Huawei or Cisco, hmmm.

    No guesses, Huawei it was. I trust those who reviewed the gear.

    1. Anonymous Coward

      Re: Hmm, choices, choices

      I assume you also checked the NSA Shadow Brokers leaks, saw that not only was Cisco affected but also Huawei (and other vendors) and realised that you would need to rely on good operational practices (i.e. installing known good firmware) rather than just trusting the vendor badge?

      Ref: https://www.huawei.com/uk/psirt/security-notices/2016/huawei-sn-20160823-01-shadowbrokers-en

      1. Anonymous Coward

        Re: Hmm, choices, choices

        Oh, you're right, always - framework, process, practices and never, EVER take a supplier at their word.

        We also do frequent traffic checks. Just because.

  3. This post has been deleted by its author
