Domain: cisco.com
Stories and comments across the archive that link to cisco.com.
Comments · 1,300
-
quote attribution
I regret the lack of attribution on my above quote - it's from Geoff Huston, with full document available here
-
Re:Start with the network
Burning Karma, but it's late. Cisco FastHUB 300 100 Mbit Hub. These also had a modular port which you could plug in a management module with a 10 or 100 Mbit switched port. I feel so much better now.
To actually be helpful, the parent is correct, a decent managed switch would be good. Actually being able to measure traffic will help to diagnose problems. In fact you might want to setup performance monitor on any existing PCs and duplicate the production traffic, just to see how much bandwidth you'll actually be using.
Additionally, if you're staying with 98 on these machines, consider something like deepfreeze and/or some strong administrative policies. The last thing you want is dead air while bonzi buddy is sending your credit card numbers to Russia. -
Is this astroturfing???
Is the question some form of backhanded astroturfing or what?
The question seems to be asking for what Microsoft calls Network Access Protection and Cisco calls Clean Access or Network access Control(NAC).
These technologies supposedly prevent network access unless the system meets the network's policy requirements. These requirements include user/system authorization, anti-virus, firewall, software, and many other criteria.
If the question is legitimate, it sounds like you would like a Cisco network with Windows Server 2003 and XP laptops. Slashdot heresy!!
P.S. Prepare to write VERY LARGE checks! -
You don't need WiMax!
You can achieve similar results using standard 2.4Ghz WiFi
-
Re:Details and Mike Lynn
No, it isn't:
Defaults
IPv6 unicast routing is disabled.
And furthermore, the exploit only works if you can generate packets local to the router:
Summary
Cisco Internetwork Operating System (IOS®) Software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, the device may reload or be open to further exploitation.
Thus, your assertion that Lynn could successfully attack "pretty much any router" appears to have no basis in fact. -
Re:The Cisco Advisory
So these routers aren't fast enough huh? Interestingly incorrect opinion you have there.
-
Re:Small companies?
Read the advisory.
The affected subsystem is not the firewall, but the authentication proxies for ftp and telnet. It is doubtful that those features are being used all that much.
The advisory also lists a set of ACLs that should suffice in most cases until a patch is issued.
If this was a problem in the firewall or ACL subsystem, it would be a bigger issue because many companies use them to place a reduced ruleset for all traffic that should be blocked in all directions like netbios, snmp, etc. -
Affected Versions
Affected versions include IOS 12.2ZH, IOS 12.2ZL, IOS 12.3, IOS 12.3T, IOS 12.4 and IOS 12.4T. IOS versions that are not vulnerable are IOS XR and IOS versions 12.2 and earlier, including 12.0S. This shouldn't be a problem for those Network Administrators that created access control lists for modifications for the router, however Cisco has issued a patch.
-
The Cisco Advisory
Here's a link to the cisco advisory
I noticed the linked article didn't have that link, and it's viewable by the Internet public. Let's see how Cisco holds up to the mighty /. effect. -
Re:There is no point unless...
Like most things in this world, general statements aren't going to cut it. The statement that "there is no point in getting certifications
..." is correct in some situations, and decidedly incorrect in others. Some certifications are a bit more meaningful then others, surely this doesn't come as a surprise to anyone. The idea that an A+ certification and a CCIE certifcation are equally worthless is crazy. Do you have any idea what it takes to get a CCIE? I guess what I'm saying is that this is not a simple question, some certifications are worth while, some are not.
Another point that people may not realize is that there are a lot of jobs that require certifications. For example, good luck signing off on any sort of opinion if you are not a CPA. Is the CPA useless? I don't think so. Another example, Visa is now requiring card processors do undergo an accreditation process. This process includes having a certified vendor perform a Visa audit. Guess what, you can *not* perform that Visa audit until you have received Visa training. You know what else? You can *not* receive Visa training unless you have one of a handful of certifications, including the CISSP and CISA certifications. Not convinced? Let's move on.
There is yet another reason that certifications serve some purpose. They are a statement on at least some level of the competence of an individual. Yes, I know that there are some losers with certifications that are not competent, but think of this from a different light. You are a manager tasked with hiring a person (or company) to perform services for you. Think of how you are going to look if this person or company fails, and hurts your company as a result. At that point, being the one that made the decision, are you going to want to have chosen someone who (however shallow it may be) had some form of legitimacy? I can guarantee that your "certifications are worthless" argument is going to sound a bit feeble when explaining the failure of the project to your boss. If you are a candidate for a job, and on paper and through interviews you are relatively equal, but he has the appropriate certifications and you do not, guess who is going to get the job. This is a particularly true if you are hiring for a position that you yourself are not particularly proficient at.
Finally, as a person in a hiring position, I do not consider them at all, and am definitely prejudiced against someone who puts them on their resume. Are you kidding me? "Yes, Sir, I know that our latest Network Administrator, the one that I hired, has cost us thousands due to incompetence, but see, they were the only one *without* their MCSE, so it's not like I had much of a choice." Good luck with that.
So in conclusion, ... yes, certifications are worth while. Some are certainly worth more while then others, and some are arguable worthless, but certifications, in general, are worth while. -
Re:What about CISCO?
It depends on which Cisco certification you're talking about. They have quite a few now. See http://www.cisco.com/web/learning/le3/learning_career_certifications_and_learning_paths_home.html for details.
Your CCNA is going to be a very basic written test. If you've got a basic knowledge of networking (can you subnet?), you can probably read some documentation and pass without a problem. The CCNP is going to be harder. You've got four exams to pass, each getting pretty detailed in a specific area of routing or switching. You can still pass it through books only, but it's going to really help if you've got experience with the equipment.
The CCIE, on the other hand, is a written exam as well as a lab exam. And the pass rate for successfully completing the lab on your first attempt is pretty low. Most people who pass the lab require two or three attempts. There are fewer than 7000 active CCIEs around the world right now.
As for access to Cisco documentation, just hit http://www.cisco.com/ and look around. They have a lot available for free. -
It all depends....
Not all certifications are worth the same
Well honestly, certs are dumb. I'm not a fan of the way IT professionals are supposed to demonstrate competence by their ability to memorize things. Then again you gotta play the game and, in the interest of full disclosure, I'm about to get the CCNA done... -
universal?
http://www.cisco.com/univercd/cc/td/doc/product/wireless/cb21ag/acau01/auappb.htm
We have 11 channels in the US, there are 14 in Japan and 13 in the EU.
And what company wants to make 3 chips when they can make one? If you make 3 chips, then you have a stocking problem. What happens when you have 1,000,000 EU chips on hand and someone wants to buy 1,000,000 JPN chips? If they're all the same, you don't have a problem. But if they're different.
And then the company that makes the product with the chips has to make 3 different versions and has their own stocking problem.
Finally, due to how frequencies are generated, it is difficult in hardware to truly keep people from generating improper frequencies. Remember how much work Intel and AMD do to limit overclocking (and how unsuccessful they are in the end).
Finally, in 802.11, it is the device that creates the network that picks the frequency. So your laptop can easily be universal, accepting and responding on any frequency that is legal anywhere in the world, assuming that the base stations in an area will only be on legal frequencies. But base stations aren't as universal.
All in all this really sounds like a "problem you don't understand". -
Cisco IOS SLA on routers might help.
Check here.
-
Maybe a tech match, but...
Hmm although this may make some technical sense, I think that you need to consider the companies....
Nokia's Overview shows it to be an old Finnish company that moved from a Cable Works company into mobile phones as the market grew.
Cisco's Overview shows it to be a 20 year old company that was set up by a group of American university hackers.
Yes both are large, sell globally, and both know about the bits and pieces that make communications work, however they are 2 very different corporate cultures. We've seen that when Daimler-Benz merged with Chrysler, the clash of cultures resulted in a range of tensions and new inefficiencies. The brash American "can do" and the more planned and calculated German approach has resulted in the worst of both, rather than the best of both companies. Maybe Cisco should look a little closer to home? -
Re:Numbers don't add up.
Cisco's got about $19b in the bank. Yahoo Finance is wrong for some reason.
http://www.cisco.com/en/US/about/ac49/ac20/ac19/ar2004/financial_review/index.html -
Cisco 7920 looks like a Nokia product already
I'm willing to bet that the 7920 wireless phones we use in our office are made by Nokia:
Check them out here.
Maybe Cisco wants to push their wireless VOIP to the next level. It makes sense. Imagine every Nokia product being 802.11 VOIP capable right out of the box.
-ted -
Use a Self-Defending Cisco System, a la "24"
Chloe: How did this happen? Mr. Buchanan, the network security monitor lit up. Someone on the outside is trying to jam our satellite servers.
Buchanan: Could this just be high network load?
Chloe: No, it's definitely a denial of service attempt. What do you want me to do?
Buchanan: Did it do any damage yet?
Chloe: No, the Cisco system is self defending.
Video at http://www.cisco.com/now/24/indexSecurity.html -
*ahem*...nothing new.
-
Re:SecureID
SecurID (the original SDTI) algorithm is flawed, as was demonstrated by @stake, and the ACE Server protocol also has some issues. (I've collected notes about it). Maybe considering OATH OTP will solve the issues with the SDTI problems, but anyway poorly coded Web applications (like those on http://tools.cisco.com/) will always be a security hole.
-
Re:Plain Text Passwords
Cisco doesn't use plain text passwords for CCO. They use RADIUS authentication, more than likely back to their CNS product. The question is, if those passwords were stored in a database on a *nix server behind the firewall, what exactly got compromised here?
-
Looks like they should have used.....
Looks like they should have used self defending networks......
http://www.cisco.com/en/US/netsol/ns478/networking_solutions_white_paper0900aecd801dfec7.shtml -
Take care getting Cisco patches - compromised!
Go to http://www.cisco.com/cgi-bin/login
Let the authentication fail and read the following:
IMPORTANT NOTICE:- Cisco has determined that Cisco.com password protection has been compromised.
- As a precautionary measure, Cisco has reset your password. To receive your new password, send a blank e-mail, from the account which you entered upon registration, to cco-locksmith@cisco.com. Account details with a new random password will be e-mailed to you.
- If you do not receive your new password within five minutes, please contact the Technical Support Center.
- This incident does not appear to be due to a weakness in Cisco products or technologies.
-
Patch Info
Here is the Cisco information on the bug and patches
But this particular bug may not be the real news. The real news is running shell code on Cisco via an exploit. Or as Cisco puts it "Upon successful exploitation, the device may reload or be open to further exploitation." If this technique is not tied to this specific exploit but to architectural problems in IOS, Cisco worms could become a problem.
Given that Cisco had source code stolen, there is almost no limit to what a worm could do. Spyware on routers would be much more efficient. -
Re:Any patches from Cisco?
Announcement is here. It includes instructions on how to get a fix, but it does not appear to be available for download.
-
Any patches from Cisco?
So where is Cisco in all of this? Have they released patches yet? I am hoping they will do a wide sweep of patches for all users (even those without support contracts) as they did back in 2004.
Juniper is looking better all the time. -
Re:Finally.
Point taken. I do think that Cisco should listen to their shareholders though and enact a policy that explicitly states opposition to human rights violations. The article does link to this policy but it doesn't seem to explain too much in the way of human rights; in fact it does mention the UN Global Compact but I fail to see a one to one correlation with their existing stated policies. The shareholders are not asking for Cisco to refuse to sell to China, only to enact a specific policy against human rights violations. I think that's a fair request.
The article states:
Cisco recently came under fire when author Ethan Gutman revealed the company was aggressively marketing mobile police-networking equipment to Chinese law enforcement agencies.
Export constraints passed in the wake of the 1989 Tiananmen Square massacre block U.S. companies from selling "any crime control or detection instruments or equipment" to China
I think this may have something to do with the recent request by shareholders.
-
Cisco issues advisory
http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml
Cisco Internetwork Operating System (IOS®) Software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, the device may reload or be open to further exploitation.
-
Cisco discloses actual vulnerability
Crafted IPv6 packet vulnerability.
http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml
http://www.eweek.com/article2/0,1759,1841669,00.asp
Upshot is that if you aren't running IPv6 on the router, this doesn't affect you. -
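The two posts quoting the advisory (the "Re:Details and Mike Lynn" reply and this one) both turn on the same precondition: a device is only exposed if it has been explicitly configured to process IPv6 traffic. The script below is an added triage example, not code from the posts or from Cisco. It walks a running-config in IOS syntax and reports whether IPv6 processing is switched on, either globally (`ipv6 unicast-routing`, the command the quoted "Defaults" section says is off by default) or on an interface (`ipv6 address` / `ipv6 enable`). The sample config is constructed for illustration; the hostname, addresses and interface names are not from any real device.

```python
import re
from dataclasses import dataclass, field

# Constructed sample IOS running-config for this example. The hostname,
# addresses and interface names are made up and are not from the page.
SAMPLE_CONFIG = """\
!
hostname edge-rtr-1
!
ipv6 unicast-routing
!
interface GigabitEthernet0/0
 description uplink
 ip address 192.0.2.1 255.255.255.0
 ipv6 address 2001:db8:1::1/64
!
interface GigabitEthernet0/1
 description lan
 ip address 198.51.100.1 255.255.255.0
 shutdown
!
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
!
end
"""


@dataclass
class Ipv6Exposure:
    """What the config says about IPv6 processing on this device."""
    unicast_routing: bool = False
    ipv6_interfaces: list = field(default_factory=list)

    @property
    def processes_ipv6(self) -> bool:
        # The advisory's precondition: the device has been explicitly
        # configured to process IPv6 traffic, globally or per interface.
        return self.unicast_routing or bool(self.ipv6_interfaces)


def assess_ipv6_exposure(config_text: str) -> Ipv6Exposure:
    """Scan an IOS-style config and collect the IPv6-enabling statements.

    Only positive statements count: a 'no ipv6 unicast-routing' line or a
    'no ipv6 address' interface line does not enable anything.
    """
    result = Ipv6Exposure()
    current_iface = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue  # blank line or comment/separator
        if not line.startswith(" "):
            # Global configuration mode: a new top-level command.
            current_iface = None
            m = re.match(r"interface\s+(\S+)", line)
            if m:
                current_iface = m.group(1)
            elif line.strip() == "ipv6 unicast-routing":
                result.unicast_routing = True
            continue
        # Indented lines belong to the most recent interface block.
        if current_iface is None:
            continue
        cmd = line.strip()
        if cmd.startswith("ipv6 address") or cmd == "ipv6 enable":
            if current_iface not in result.ipv6_interfaces:
                result.ipv6_interfaces.append(current_iface)
    return result


def summarize(config_text: str) -> str:
    """Human-readable one-liner for a change ticket or inventory report."""
    exposure = assess_ipv6_exposure(config_text)
    if not exposure.processes_ipv6:
        return "IPv6 processing not configured: advisory precondition not met"
    parts = []
    if exposure.unicast_routing:
        parts.append("ipv6 unicast-routing enabled")
    if exposure.ipv6_interfaces:
        parts.append("IPv6 on interfaces: " + ", ".join(exposure.ipv6_interfaces))
    return "IPv6 processing configured (" + "; ".join(parts) + ")"


if __name__ == "__main__":
    print(summarize(SAMPLE_CONFIG))
```

Run against a directory of saved configs, this separates devices that need the fixed image or the advisory's interim ACLs from devices where the quoted precondition simply does not hold. It is a config-text check only; it does not confirm the IOS train or whether the interface is administratively up, so treat a "configured" result as a starting point for verification, not a final answer.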
Re:Email reply from the officer (thanks to bani)
While the requirement for unique connectors remains, the regulations for certification of antennas have changed with the new rules introduced in October 2004. These new regulations permit any user to install any antenna that is of the same family or style, and equal or lower gain, than any certified antenna. For example: if a 10-dBi patch antenna is certified for use with a specific WLAN transmitter, any patch antenna with a gain of 10 dBi or less may also be used, regardless of its manufacturer. Or if a Yagi directional antenna with a gain of 13.5 dBi is certified with a transmitter, any Yagi antenna with 13.5 or less gain may be used with that transmitter.
The FCC staff clarified that under the Communications Act, the FCC has exclusive authority to resolve matters involving RF interference (RFI) when unlicensed devices are being used, regardless of venue. The FCC also affirmed that the rights that consumers have under the FCC rules to install and operate customer antennas one meter or less in size apply to the operation of unlicensed equipment, such as Cisco and Linksys Wi-Fi access points.
This means that local municipalities, cities, or neighborhood groups cannot impose restrictions on installations of 802.11 WLAN products on property controlled by a user, except where public safety is a concern.
From http://www.cisco.com/en/US/products/hw/wireless/ps469/products_white_paper0900aecd801c4a88.shtml
-
routers, kerberos, and the resulting shitstorm
This is not a trivial issue. Observe . . .
Cisco devices, both IOS and CatOS based, use the 'summertime' command to compensate for daylight saving time (example). This means that a change in the DST setup would force you to upgrade code. For organizations with thousands of devices, this is less than easy.
Why upgrade to avoid an annoyance you ask? Because it's way more than an annoyance. Many Cisco installations use Kerberos to authenticate user logins (not just for management sessions, some RAS as well). Kerberos uses synchronized timestamps as a pre-qualifier for authentication, allowing for a clock drift of five minutes before denial. Without an IOS/CatOS upgrade, the offset caused by this change would lock any and all Cisco administrators out of their network devices until someone could either remotely disable AAA via SNMP or, worst case, locally knock the device off of the network to force a password-fallback (if that's not denied out of paranoia already).
Won't someone please think of the network engineers? -
Re:suprised?
No, speed does NOT necessitate that drivers run in the kernel. A GOOD microkernel architecture like QNX Neutrino is a perfect example. QNX powers Cisco's CRS-1 Carrier Routing System - a router which Guinness World Records has certified as the highest capacity internet router ever developed. It can handle up to 92 terabits/sec total throughput.
Also, the Mac OS X kernel, XNU, contains code which is based on Mach, but it isn't Mach - I.E. it's not a true microkernel.
-
Anomaly-detection is very useful.
Doesn't use signatures, doesn't produce false positives. Combine anomaly-detection technology with an information source like NetFlow, and you have a scalable and flexible detection system.
-
No POE with gigabit though
You can't do POE with 1000TX though.
http://www.cisco.com/en/US/tech/tk389/tk214/tech_digest09186a0080091a86.html
So, there is that downside. -
Re:Not good for much else
A Cisco 6509-E chassis can supply ~1,000 devices with the full 350mA input power @ 42V described in the 802.3af spec. In other words you can fully populate the chassis with 8x96 port blades and it will provide full power to all of them. Info obtained from here, which also has some useful primer info on how 802.3af works as well as Cisco pre-spec PoE.
-
Re:Not good for much else
Cisco's IP phones can be powered by PoE, and they have giant displays on the front. We've been using them for a couple of years now. PoE for VoIP phones is nothing new.
-
This article is brought to you by Cisco(TM)...
How wonderfully clandestine public PR industry operations are nowadays:
For more information on CDP, visit http://cisco.com/en/US/tech/tk648/tk362/tk100/tech_protocol_home.html
Hmmmmmmmm... and the /. editors will be the first ones to bite. -
Re:The Solution without a Problem...
As for physical objects, someone posted a link where a company selling a physical object (some sorta woodworking tool) has a EULA for it when you buy it. And per the EULA you can't sell the object without getting written permission from the company.
As for Cisco, yeah. Check their page:
http://www.cisco.com/warp/public/csc/refurb_equipment/swlicense.html
"My company would like to re-sell or re-lease a used Cisco product that runs software that is no longer sold by Cisco. Can I purchase a license in this case?
Cisco will only sell licenses for current versions of software. This means that to use Cisco software in conjunction with the equipment to be transferred, a license for the current version must be purchased"
Some info here:
http://www.infoworld.com/article/03/04/11/15gripe_1.html
"He also said companies that buy used Cisco gear from authorized channels have an easier time getting software licensing and support because they are included with the sale of a Cisco Authorized Refurbished Equipment product.
"If I go out and buy a box off of eBay, not only am I ineligible for a Cisco warranty, I have to buy a software license and pay for a Cisco inspection to make sure the box is in working order," before support can be purchased, Karmin said."
From: http://www.findarticles.com/p/articles/mi_qa3649/is_200405/ai_n9439262
"Blanket prohibitions against licence transfer have been standard language in software licence agreements for many years. Only after the dotcom bust did it occur to hardware manufacturers that they could try to enforce them. IT managers report that Cisco Systems in particular has been aggressive in its demands for relicence fees."
"I made the mistake of showing a visiting Cisco rep the 2611 router I'd purchased on eBay for $1200," says Mark Payton, director of IT at the Vermont Academy. "Not only are they asking me to pay to relicense the software, but they are expecting me to get a one-year SmartNet maintenance agreement and to pay an inspection fee."
Although Cisco is only asking Payton for slightly more than $300 each for the software relicensing and the SmartNet agreement, the inspection fee alone is more than $850. Payton is still negotiating with Cisco. "If my sales rep can't get some of those costs waived, the total cost to me for the 2611 router is over $2700. Brand new through CDW without my additional discounts, I could get this same unit today with one year of SmartNet for $2300."
From: http://www.infoage.idg.com.au/index.php/id;903570740;fp;4;fpid;675408222
I'm sure there's more info on the net if you want to search around.
Essentially Cisco says it's a license you are getting (not the ownership of your copy of the software), so they can control it any way they want. -
Re:Just like ASOT told us!
So I get to play with big for a living. Those things you people always complain about blackholing your packets and forwarding the spam to your inbox..
As part of that, when one does a software upgrade on these, I've been trying to talk to the developers (hardware) that fast boot times are actually important. Take a typical Juniper router for example. The "Routing Engine" is an Intel processor running their own flavor of OS. This means when the system boots, it still has to do all those boring POST checks, wait for the disks to seek, run any option ROMs, etc.. They generally know what the box is going to do, boot from one of the 3 media choices (LS, CF, Disk). If your network is down for a software upgrade of some routing/switching device, and you can't get to your local WoW server (unless it's during a maint window ;-) ) or dial 911 on your cool VoIP phone, it starts to make a difference. The OS can generally decide the best way to bring your hardware online these days, we're not dealing with IRQ conflicts anymore. Saving 2-3 minutes in router boot time is valuable. While for an individual node within the network it may be hard to see where that 2 mins is, if your kernel panics or something else ReallyBad(tm) happens, those 2 mins help in getting the routing protocols back up that much faster..
-
Re:Summary
Indeed
Oh, btw, other than that I agree with your original poster, it's more a play on words to say there's no firewall.
But, according to him, this is required to escape the actual mentality of the almighty firewall.
-
Re:Summary
Through NBAR.
Although BitTorrent is included in the last 12.4 release only, you could add specific (custom or Cisco) definitions to previous versions as well.
-
Re:Sigh...
In the Cisco line, the GSR is not the most expensive of any.
That honor would belong to the Cisco CRS-1...
http://www.cisco.com/en/US/products/ps5763/
-
Re:How exactly are ACLs on a switch different?
This is how I see the difference... Where a router ACL filters IP addresses and ports, a firewall can do much more, i.e. they inspect application layers for RFC compliance/attack patterns, authenticate users, and log permitted & denied traffic (it's nice to know who's trying to screw your systems after all...). Find a router that can do all this across more than 100 ACL entries and then maintain a decent level of performance, then you're laughing, but only the modern high-end kit is starting to get close. If ACLs in routers were efficient then surely Cisco wouldn't produce a firewall blade for their high end routers.
I've been working in the network security field for most of my career and advocate the layered/defence in depth approach, but I suggest anyone relying on router ACLs consider their requirements first. Personally I prefer firewalls on the edge of the network with lots of application layer filtering (i.e. proxies, SMTP scanning etc) to keep all the nasty stuff away, and simple (to keep maintenance easy and processing overhead low) ACLs for any internal segregation. Naturally I look at host based security as well, but that's for another post in the future.
-
Re:Sigh...
I'm only 6 months out of college and I've seen 3 Cisco switches die (none of which I was responsible for).
The number 3 is unrepresentative of anything without saying how many switches that's out of. In the past six months, I've probably seen more than three Cisco switches fail. However, that's in a deployment of close to two thousand Cisco devices... from the cheapest of the cheap to the most expensive of any. That said, devices usually fail for a reason. Maybe the closet has poor cooling (common) or maybe there's a lot of power spikes and dips (also common), or maybe you're just unlucky (you do have a service contract, right?).
Cisco, like most big companies, will try to scare anybody who doesn't know much into buying their stuff when it really isn't necessary.
As with anything, if you don't know what you're buying, you have no business purchasing it. -
Re:Some facts about this
some more:
cisco's response to the icmp attacks draft: http://www.cisco.com/en/US/products/products_security_advisory09186a0080436587.shtml
Cisco products that run Cisco IOS® and that have PMTUD enabled, either by default or because they have been explicitly configured to do PMTUD, are affected. All versions of IOS are impacted. The severity of the exposure depends upon the protocols and applications that rely on specific ICMP messages to perform PMTUD. IOS is not vulnerable to attacks that make use of ICMP "hard" error or "source quench" messages.
-
Ah yes, the one with the MAC address thing
Yeah, I remember DECnet. The coolest thing about it is that it required you to have a special DECnet MAC address for every Ethernet port on each host. The good news is that this led to widespread Ethernet MAC reprogrammability...