Cisco crawls to a patchable IOS for all

Cisco is aiming to make its Internetwork Operating System (IOS) easier to patch because administrators using the company's network hardware have been reluctant to upgrade even though serious security flaws have been discovered in the software.

Following the disclosure of a serious security flaw in IOS earlier this year, Cisco has been trying to persuade its customers to upgrade to the latest version of its operating system. However, Cisco's chief security officer John Stewart admits that they have been slow to do so, which means a significant proportion of the company's customer base is still vulnerable to attack.

Networking and security experts have said that administrators will remain reluctant to upgrade the operating system in their network hardware while there isn't a simple updating infrastructure. Additionally, the experts agreed that administrators routinely deploy patches for their desktops and servers but are not in the habit of updating the software on their network switches and routers.

Stewart told ZDNet Australia that in the high-end service provider market, Cisco's customers use a version of IOS called IOS XR, which was originally designed only for the company's high-end network hardware. IOS XR took four years to develop and cost around US$500 million, and because it was designed in a modular form, it allowed IOS to be updated without having to perform a complete reinstall.

According to Stewart, the modular design will eventually filter down to low-end hardware, but he insisted that for now, smaller organisations are still happy to manually update their network hardware when necessary: "The design of IOS XR is a modular-based reload. I get a sense that we will see more of that thinking throughout our product line as time goes on," said Stewart.

However, Bjarne Munch, senior research analyst at Gartner, told ZDNet Australia that a patchable IOS would most likely appeal to smaller companies because it would be more practical: "The lower end, from a practical point of view, would be more confident in upgrading IOS, they wouldn't have as much equipment and wouldn't have the same requirements on availability."

Bjarne believes Cisco is actually focussing on the high end because smaller companies would not be willing or able to pay a premium for the privilege.

"The drawback would be that the lower end of the market would most likely not invest in the patch management infrastructure required but the higher end would be more likely to allocate the funding," said Bjarne.

Talkback: 1 comment

    Cisco are partly to blame Anonymous -- 24/10/05 (in reply to #120122389)

    I'm sure most of Cisco's larger customers are all paid up on their maintenance, however Cisco make it a nightmare to get an IOS update if you are not paid up. Even though Cisco advertise on their site that updates for security flaws are free, I wonder if anyone at Cisco has ever tried to obtain such a patch?
    I recently tried to, as my CCO login was not working, and I desperately needed a newer IOS to get a WIC to work. So I went to their vulnerabilities site, got a doc ID, and rang their TAC (as per instructions) to obtain a newer IOS due to security vulnerabilities in the version I was running.
    Well what a nightmare, nobody knew what the hell I was talking about, and once I pointed them to their website, none of the 1st level guys knew how to actually process the update internally so they could send me the image. Luckily their higher-level guys know their stuff, but most uneducated customers would never have got there.
    Cisco also make upgrading an IOS painful - while not a real issue doing it to a couple of routers, increase that to dozens or hundreds of devices, and it's suddenly a nightmare to manage.
