Cisco Flaw Opens Routers to Attack

Jack writes "Cisco is suffering from a serious flaw in its router operating system, which might allow execution of remote code: 'Cisco has warned of a new flaw in its IOS router operating system which might be used by attackers to launch denial of service attacks or take over IOS-based devices. The flaw causes to buffer overflow due to incorrect handling of user authentication credentials.'"

defcon?

Is this the same attack that didn't exist at defcon?

Re:defcon?

[earnest+murderer]

Is this the same attack that didn't exist at defcon?

No, this is the only existing issue on Cisco brand routers.

The defcon attack isn't scheduled to exist until the patch is published in February.

Re:defcon?

[MightyMartian]

There are no flaws in Cisco's IOS. If there was, no one would be allowed to talk about it, and anyone who did would be threatened and forced to recant. Thusly, there are no Cisco vulnerabilities. The Cisco Inquisition will take care of those who actually dare to question the sanctity of the Church of Cisco, and its most holy IOS. This whole topic is clearly in violation of that most sacred tenet, and thus the Cisco Inquisition has determined that Slashdot advocates heresy. It will be duly noted and CmdrTaco will be forced to recant the very existence of this topic.

Re:defcon?

Gak... it's the Church of the Flying Cisco Monster.

I don't want to believe!

Re:defcon?

[commodoresloat]

CmdrTaco will be forced to recant the very existence of this topic

Yes but then the dupe will be posted, so this will start all over again.

Re:defcon?

Dark Tangent ( founder of Defcon )
was dealing with court order that was brought
upon DC and Blackhats during that time, when I
was there. So it may be they wanna shut the doors on this one.

--skyhigh

Re:defcon?

Eppur si BSOD! -- Galileo

Re:defcon?

[HeliumHigh]

Yes but then the dupe will be posted, so this will start all over again.

Maybe, just maybe this is the dupe!

Either no-one has told me.. or no-one knows!

The Cisco Advisory

[MECC]

Here's a link to the cisco advisory
I noticed the linked article didn't have that link, and its viewable by the Internet public. Let's see how Cisco holds up to the mighty /. effect.

Re:The Cisco Advisory

[ScrewMaster]

Let's see how Cisco holds up to the mighty /. effect.

Well, so far so good.

Re:The Cisco Advisory

[ackthpt]

Let's see how Cisco holds up to the mighty /. effect.

For the full bore, whole hog, bull moose /. effect it's best to post these articles in the morning EST/EDT.

It would be amusing if of all presences on the internet, Cisco couldn't take it.

Re:The Cisco Advisory

[pseudochaotic]

If they get /.ed, maybe now they'll rethink making such fast routers. :)

Re:The Cisco Advisory

[someonehasmyname]

Cisco routers aren't fast compared to Juniper routers. I woudn't use a Cisco router for any pipe > 10 MB/s.

Re:The Cisco Advisory

[CDMA_Demo]

Won't it be shameful if no difference exists between /. and DoS?

Re:The Cisco Advisory

So these routers aren't fast enough huh? Interestingly incorrect opinion you have there.

Re:The Cisco Advisory

[mlsmithjr]

I still don't understand, after about 10 years of buffer overflow problems, how software developers keep writing crappy code like this. It's one thing to cut corner on application software here and there, but OS's and network protocol handlers!?!? I mean -- buffer overflows! What a stupid error to make. It didn't take me more than hearing 2 or 3 security breaches related to this kind of issue before I scrutinized my own code more carefully for such things. It's pretty sad that this problem still occurs.

Re:The Cisco Advisory

[PlasticMetal]

Advisory statement:
Products Confirmed Not Vulnerable
Products that are not running Cisco IOS are not affected
...
So linux is not affected. Happy?

Re:The Cisco Advisory

[bladesjester]

You'd be amazed at the things that you'll screw up on code-wise during a crunch period when you've been up for days on end trying to meet the deadlines that the pointy-hairs have set for you.

We're still human in theory at least, so mistakes will happen and in a piece of software that's *that* big, it's really easy to miss them.

Re:The Cisco Advisory

[tweek]

Actually it depends on the need. Maybe not in the router market all the time but in other markets, yes. It's also all about cost.

I've recently turned into a HUGE Juniper fanboy recently. I was already an HP Procurve fanboy after some Cisco catalyst issues. That and price per port/performance trounces Cisco.

In our situation, we had a vpn provider running a single Cisco 3030 concentrator.A maxed out 3030 costs around 25 or 30k and can support 500 nailed down tunnels with 50MB/s of encrypted throughput.

Meanwhile two Netscreen 208s with core plus same day support cost us about 30k total.

Stats on the Netscreen? 1000 nailed down tunnels and 200MB/s of 3DES encrypted throughput.

These can also operate in an active/active setup and double the throughput (but not the tunnels).

Now the question really begs "Should Cisco have bought Netscreen instead of Altiga? In my mind yes. Netscreen's use of ASICs is what really gives them the power.

Since I've not had the experience of dealing with the Juniper routers, I don't have an equivilent model comparison. I do know though that Juniper uses the "pc-based" architecture just like Cisco in the router line. To give Cisco credit, I am pretty impressed with the horsepower boost in the 2800 line over the 2600.

I'm just waiting for Juniper to buy Foundry and be the beast that Cisco needs. That will fill out the product line QUITE nicely.

Re:The Cisco Advisory

Sing it sister! We've done a number of Cisco vs. Juniper evaluations lately (I work for a massive broadband provider) and Juniper beats 'em every time.

We've implemented both the Netscreen stuff for IPSec and Juniper's traditional line for aggregation and services routing. If we had gone with Cisco, our costs would have been substantially higher and we would already be running into scaling issues.

Incidentally, my money is on Extreme for Juniper's next purchase ;)

Re:The Cisco Advisory

[monkeydo]

Believe it or not, Cisco makes many products that don't run IOS.

Re:The Cisco Advisory

[PlasticMetal]

Just wanted to calm down /. crowd, hope they'll sleep better now.

Best Practices 101

[b0r1s]

It's been pretty standard to ACL off authentication methods from unknown or untrusted networks for some time.

If you can only auth from a known network, then an overrun in that auth process still requires access to a restricted location, which will stop 99% of attacks (which are usually automated these days).

Re:Best Practices 101

[b0r1s]

After reading advisory, this actually isn't a hole in the IOS authentication, but in the proxy authentication for FTP and Telnet.

This opens the whole somewhat (ie: it's open to an untrusted userbase by its nature), but the original point still stands as good general practices.

The Cisco IOS Firewall Authentication Proxy for FTP and/or Telnet Sessions feature in specific versions of Cisco IOS software is vulnerable to a remotely-exploitable buffer overflow condition.

Devices that do not support, or are not configured for Firewall Authentication Proxy for FTP and/or Telnet Services are not affected.

Devices configured with only Authentication Proxy for HTTP and/or HTTPS are not affected.

Re:Best Practices 101

[JPriest]

The key statement there is "and/or Telnet Services". Almost every single Cisco router I have seen is running telnet. Lots of people are still using 12.2 though.

Re:Best Practices 101

[Packet+Pusher]

The title is worded a bit badly. It's for Proxy telnet services not telnet services itself.

Latest Viruses

[ChrisGilliard]

The latest viruses are getting pretty creepy. On the public network where I work, we recently plugged a Windows XP laptop in that had just been installed without anti-virus. There are apparently so many viruses going around on our network that within 10 minutes, the computer had 12 viruses that were picked up just through viruses that connect in remotely through ports that have not been "firewalled". This explains why I use Solaris or Linux for my desktop system.

Re:Latest Viruses

[ackthpt]

The latest viruses are getting pretty creepy. On the public network where I work, we recently plugged a Windows XP laptop in that had just been installed without anti-virus. There are apparently so many viruses going around on our network that within 10 minutes, the computer had 12 viruses that were picked up just through viruses that connect in remotely through ports that have not been "firewalled".

Sounds like your problem isn't the PC, Windows or your network, but your network practices. We're pretty good about stripping attachments, filtering spam and having firewalls in place, but the extra yard is taking a PC off someone's desk and making sure many people around them know just who was doing what to bring the beastie in.

I was having trouble with a connection, last December and disabled my firewall. Within 40 seconds something had already got in. The firewall went back up and I sorted the problems out with it in place.

Re:Latest Viruses

[ChrisGilliard]

In a small company I agree, you can definitly keep track of who is doing what on the network and knowing who brought the virus in. But when you work at a company with more than 30,000 employees that can be difficult. I think the lesson is: go through a hub/switch before plugging into any network.

Re:Latest Viruses

[mzwaterski]

Why would a hub help?

Re:Latest Viruses

[ChrisGilliard]

The viruses attack ports on Windows XP, since your hub or switch is presumably not running Windows XP, you the virus will not be able to take control of your hub. It's sort of like a hardware based firewall.

Re:Latest Viruses

[gkuz]

The latest viruses are getting pretty creepy. On the public network where I work, we recently plugged a Windows XP laptop in that had just been installed without anti-virus.

What in the world does this have to do with a Cisco IOS vulnerability?

Re:Latest Viruses

[jerw134]

You obviously failed Networking 101. A hub or switch is nothing like a hardware based firewall. You don't have a clue.

Re:Latest Viruses

[mzwaterski]

I think that you mean a router. A hub doesn't have an address on the network.

Re:Latest Viruses

Next time turn the XP firewall on before connecting to the network. It's just not that hard.

Dupe

[Namronorman]

Dupe! Oh.... Nevermind, it seems like just yesterday a serious flaw was found in CISCO. I hope this doesn't become common place for CISCO

Re: Dupe

[Black+Parrot]

> Dupe! Oh.... Nevermind, it seems like just yesterday a serious flaw was found in CISCO. I hope this doesn't become common place for CISCO

It's getting hard to tell when it's a dupe on Slashdot vs. when it's a dupe at Cisco.

Is this perhaps...

[max99ted]

...some fallout from http://it.slashdot.org/article.pl?sid=05/07/29/185 0234&tid=99&tid=172&tid=123&tid=218

Re:Is this perhaps...

[pbhj]

Yes I guess it could be related to that dudes exploits.

----

>>> Theology is like being in a dark room, looking for a black cat that isn't there and shouting "I found it!"

If it's a completely dark room. How do you know there is no cat in there? Of course randomly shouting "I found it!" is stupid. But just because someone finds the cat and you can't see it ... that doesn't mean it's not there.

HTH

Re:Is this perhaps...

[monkeydo]

Probably not related, other than Lynn's findings explain the obviously cya statement "and potentially an arbitrary code execution attack". which is normally not in their security advisories.

There's no evidence that this vulnerability is exploitable as anything other than a DoS, inflamatory headline notwithstanding.

Re:Is this perhaps...

[Gaurang]

> Theology is like being in a dark room, looking for a black cat that isn't there and shouting "I found it!"

If it's a completely dark room. How do you know there is no cat in there? Of course randomly shouting "I found it!" is stupid. But just because someone finds the cat and you can't see it ... that doesn't mean it's not there.

I completely agree. The onlooker normally is not able to decipher whether the finder actually found the cat or not, because the room is dark. And this room's darkness makes the only way possible to decipher is to experience it yourself.

Re:Is this perhaps...

[fbjon]

Unfortunately, even the person finding the cat can never sure he actually found it, no matter how much he claims so.

Re:Is this perhaps...

[Infamous+Tim]

Unfortunately, even the person finding the cat can never sure he actually found it, no matter how much he claims so.

bullshit.
According to your thinking: If something looks like a duck, feels like a duck, quacks like a duck, behaves like a duck, and even smells like a duck, then ... we still can never be fully 100% sure it's truly a duck.

Re:Is this perhaps...

[fbjon]

Exactly. Just because your external senses tell you something, doesn't mean you can always trust them. And with God, no external sense will tell you anything, it's all in your own mind. Do you trust your own brain to be infallible?

Re:Is this perhaps...

[Gaurang]

Exactly. Just because your external senses tell you something, doesn't mean you can always trust them. And with God, no external sense will tell you anything, it's all in your own mind. Do you trust your own brain to be infallible?

Isnt it your mind that is saying this?

Anyway, look at it this way.

Your trust in external senses more than mind lies in the fact that senses dont lie, while mind can imagine anything it wants to.

But, you will agree, that we are beings of the mind. "We" exist in the mind; we decide, we feel; we think; we judge; whatever we do, culminates in the mind.

If the mind feels something; it is more important for us than anything that external sense or logic can ever provide.

If you beleive in God, and find bliss, then there is nothing else that is important.

My personal experience has been that my highest moments of happiness have come when I was one with God, or completely submitted to him.

YMMV.

is this the flaw Michael Lynn tried to tell about?

[Gruturo]

Is this the flaw Cisco was trying to keep secret and that caused Michael Lynn to resign his job in order to be free to speak about?

Appeared a little over a month ago right here

Small companies?

[PtM2300]

Does this mainly just impact smaller companies? I'm not sure if major corporations use routers with the firewall feature set, rather a true firewall instead. If that's the case, there shouldn't be huge consequences for this. I doubt small companies that would use the firewall feature set are hacker targets as much as the larger corps are.

Re:Small companies?

[temojen]

Any internet connected device with a vulnerability is a hacker target. At the least a rooted router can be used to hide the true source of attacks against more interesting targets. A router is much preferable to a desktop for this purpose as it's already designed to do this. Also a router is likely to have a fast, stable connection.

Re:Small companies?

[hal9000(jr)]

Read the advisory.
The affected subsystem is not the firewall, but the authentication proxies for ftp and telnet. It is doubtful that those features are being used all that much.
The advisory also list a set of ACL that should suffice in most cases until a patch is issued.
If this was a problem in the firewall or ACL subsystem, it would be a bigger issue because many companies use them to place a reduced ruleset for all traffic that should be blocked in all directions like netbios, snmp, etc.

old news?

[Chimera512]

i think i remeber reading about the guy that broke this at a confrence a few months back...

Re:old news?

[jd]

I think that was the IPv6 routing bug, which allowed programs to be remotely run, which Cisco admitted to shortly after.

Coral Cache version

[Spy+der+Mann]

This will help them hold up to the mighty /. effect (let's give them a break, no unnecessary burdens)
Advisory

Re:Coral Cache version

[CDMA_Demo]

This service has been spotted crawling at a slower pace than epsilon miles a day.

Affected Versions

[gulfan]

Affected versions include IOS 12.2ZH, IOS 12.2ZL, IOS 12.3, IOS 12.3T, IOS 12.4 and IOS 12.4T. IOS versions that are not vulnerable are IOS XR and IOS versions 12.2 and earlier, including 12.0S. This shouldn't be a problem for those Network Administrators that created access control lists for modifications for the router, however Cisco has issued a patch.

ip auth-proxy

[ctime]

The bug effects systems running ip auth-proxy , I feel bad for anyone that has to run it. I played with it a bit while experimenting wireless security schemes and I found it to be useless (to be fair it wasn't designed for it, either)

If you are someone you know are running any of the following versions of code, please think of the baby seals and upgrade. That is all.

Devices that are running the following release trains of Cisco IOS are affected if Firewall Authentication Proxy for FTP and/or Telnet Sessions is configured and applied to an active interface.
12.2ZH and 12.2ZL based trains 12.3 based trains 12.3T based trains 12.4 based trains 12.4T based trains

Forced admin

Wouldn't it be interesting if a router company (not naming names here) used a flaw in its router software/firmware to justify forced software/firmware upgrades instituted remotely by said router company? And wouldn't it also be interesting if a particular government or governments co-opted that forced patching process to secretly attach surveillance capabilities to various routers?

sssshhhhh

[jshaped]

quiet everbody....
if nobody knows, then nothing's wrong....

Re:sssshhhhh

Interestingly enough, there is some truth to that. Lets face it, if a vulnerability is fixed in a patch before it is announced, then there is going to be less chance to abuse it.

However, many companies for whatever reason seem to take ages to release a patch. At this point, it's a good idea to publicly embarass them by releasing details.

Anyone who releases a proof-of-concept exploit is just completely bloody irresponsible. I got a phishing scam email a while back with a proof-of-concept used in it verbatim. Giving the kiddies the tools they need does not improve the situation.

And now I eagerly await the first idiot who replies to this with the same cliche crap about 'security through obscurity'.

Re:sssshhhhh

[WindBourne]

And yet, it is obvious that you believe in "obscurity is real security" crap.

Re:sssshhhhh

[jshaped]

and yet still, it is obvious you cannot see my sense of humor.

Re:sssshhhhh

Hiding the details of the exploit obviously doesn't completely stop the abuse of it, but it will reduce it. Go on, spout out some slashdot groupthink crap. You know you want to.

Re:sssshhhhh

[WindBourne]

Yours, yes. The ACs, no.

Re:sssshhhhh

[Cervantes]

quiet everbody....
if nobody knows, then nothing's wrong...

Excuse me sir, it's bad form for Cisco employees to post in this story.

Further...

[burtdub]

A Crisco flaw has left the routers open to deep pan frying.

Re:Further...

[superpulpsicle]

I have a close friend who worked at Cisco for a while. The company had massive layoffs in 2001, followed by countless little series of layoffs in 2002, 2003. Tons of good engineers were supposedly let go. You wonder if the lack of engineering resources is beginning to catch up with them. All these years in the trenches shorthanded will leave the product more vulnerable than ever.

Re:Further...

[Halvy]

haha, i thought your sig was an advertisment for some new generic Sun OS product.. so i bit! (u but whole) lol ;)

It applies to most Cisco IOS-based equipment

[postbigbang]

And so, if you have an IOS object, it might be a good idea to read the advisory, that is, if your network is still up.

Cisco IOS Firewall Authentication Proxy

[RaZ0r]

article text
Summary

The Cisco IOS Firewall Authentication Proxy for FTP and/or Telnet Sessions feature in specific versions of Cisco IOS software is vulnerable to a remotely-exploitable buffer overflow condition.

Devices that do not support, or are not configured for Firewall Authentication Proxy for FTP and/or Telnet Services are not affected.

Devices configured with only Authentication Proxy for HTTP and/or HTTPS are not affected.

Only devices running certain versions of Cisco IOS® are affected.

Cisco has made free software available to address this vulnerability. There are workarounds available to mitigate the effects of the vulnerability.

This means that only equipment that is configured to act as an authenticatoin proxy for FTP and/or telent are affected.

I work with cisco equpment every day and this is not a normal service to have configured. This exploit probably isn't as big of a deal as its being made out to be. Just my 2 cents...

Re:Cisco IOS Firewall Authentication Proxy

[PtM2300]

Amen Brotha

Re:Cisco IOS Firewall Authentication Proxy

[bizitch]

Thank you - I mean this is an extremely grainular hole in an otherwise rock solid piece of software.

That headline really scared the crap out of me at first.

Re:is this the flaw Michael Lynn tried to tell abo

[LarsG]

Lynn's presentation wasn't about any specific vulnerability (I think he did mention one vulnerability, which was patched some time before the presentation). It was generally thought that most Cisco vulnerabilities could only hang or reboot IOS. Lynn showed that you could inject code. Which makes vulnerabilities like this one a lot more dangerous, as an attacker can Own the router instead of just crashing it.

Re:is this the flaw Michael Lynn tried to tell abo

No, it is not. The Lynn/Cisco flaw had to do with IPv6, and this (From RTFA = Cisco Security Advisory link not the BS link provided in the parent post) has no such dependancy.

Yes... I have seen the slides, and it opened up my mind. I saw the slides (old song... Ace of Base) ;-)

Re:is this the flaw Michael Lynn tried to tell abo

pffft! I'm not concerned. Call me when they pwn my router... or maybe pwntz0r it...

Details and Mike Lynn

[Effugas]

No. Mike's "first cut" was against the link-local IPv6 parser (a fact not disclosed publically by Mike, but by Cisco). Once in, he actually figured out how to execute arbitrary code -- something way harder than even Mike's slides describe.

He could get into pretty much any Cisco router w/ his attack, whereas this proxy attack isn't going to affect anything on the global net.

Re:Details and Mike Lynn

[monkeydo]

He could get into pretty much any Cisco router w/ his attack...

Except all the routers not running IPV6.

Re:Details and Mike Lynn

[Effugas]

Active by default.

Mike's attack was significant another front too -- getting an attack vector is one thing, actually using it is such a PITA that Jim Duncan of Cisco PSIRT (someone I know and highly respect) actually reacted with ... ahem ... "unexpectedly strong disbelief" when Mike said he could exploit the box using what he'd found.

Re:Details and Mike Lynn

[monkeydo]

No, it isn't:

Defaults

IPv6 unicast routing is disabled.

And furthermore, the exploit only works if you can generate packets local to the router:

Summary

Cisco Internetwork Operating System (IOS®) Software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, the device may reload or be open to further exploitation.

Thus, your assertion that Lynn could succesfully attack "pretty much any router" appears to have no basis in fact.

Re:Details and Mike Lynn

[Effugas]

Routing is disabled. Doesn't mean the box doesn't parse IPv6 before trashing 'em.

As for the link-local -- the point of Mike's attack wasn't that he could take out arbitrary hosts, it was that shellcode on IOS was possible. The nasty thing is, on 100% Cisco networks (go look up Cisco Powered Network), you break the first hop, then the next, then the next, then the next...everything is link local when every hop is vulnerable.

Re:Details and Mike Lynn

[monkeydo]

The Cisco advisory for the link-local parser vulnerability states very clearly that if IPV6 routing is turned off, the router is not vulnerable. I even pasted that part of the advisory into the message you are replying to. Have you not read the advisory, or do you have evidence that it's wrong? If it's wrong, a lot of people would be interested in seeing it, since most people who aren't running IPV6 haven't patched for this vulnerability. I guess whoever modded your post informative has access to this same secret information, too.

I know what Mike's point was, but I'm not sure what your point was when you said, "He could get into pretty much any Cisco router w/ his attack, whereas this proxy attack isn't going to affect anything on the global net." Mike's attack works on local routers, and yes, in theory could hop from router to router. But to be a useful attack against a remote target, you would need an chain of vulnerable routers from you to the target network. Add the fact that both attacks require a feature that isn't running on most routers in the public Internet and it makes the practicality of Mike's attack about equal (meaning very, very low) to this one.

I guess Cisco is just the current popular FUD target.

Slashdot sensationalism

[libra-dragon]

I can't believe this article is getting this level of attention. After reading the advisory on Cisco.com (BTW, not linked to the article) I agree it's a serious flaw in IOS/FW, but there's probably less than 50 sites in the whole world using this feature.

Additionally, the referenced article on IT Observer is the editorial equivalent of a steaming pile of dog crap.

"Symantec has raised the vulnerability threat level and advised to disable firewall and authentication until their IOS is patched."

Not only is the paraphrasing blatently ignorant of _Cisco's_ mitigation advice, they're making reference to Symantec.

It's a Mitzvah

[putko]

This SHOULD happen.

It's a Mitzvah that this befalls Cisco. As previously mentioned here, they have no trouble ruining the lives of those who attempt to help make a more secure world by improving their product.

A pox on their house.

It is allowed that hackers make worms that exploit Cisco hardware and disrupt the businesses of those who stupidly subsidize such misanthropic activities.

Re:It's a Mitzvah

You do realize that the post you just made probably had to pass through a Cisco router before it arrived here, right?

Re:My complaint about Cisco...

[gkuz]

I don't know what's funnier, this troll or the fact that somebody actually modded it "Informative".

doesn't bother me

I've been running a Cisco-free network for years.

My Bay Networks router has NEVER failed, nor been compromised. It does everything I want it to do and then some. Paid for long ago. Just keeps running.

There are LOTS of alternatives to Cisco. People just need to think and look. Funny, it will probably also cost less, and you won't have to deal with the obnoxious, arrogant, know-it-all Cisco field people, either.

Re:doesn't bother me

[Vorondil28]

I am an obnoxious, arrogant, know-it-all Cisco field person, you insensitive clod!

Nobody to sue?

[HermanAB]

What I'd like to know is who Cisco is going to sue over this bug... ;-)

I'll pray for you...

[HermanAB]

Geezo, that piece must come from an incredibly bad Psychology text book. I'll pray for the poor students that have to suffer through those classes...

Take a look at Cisco's mischief and wrongdoing

What, you thought they were angels?

http://malfeasance.50megs.com/

Oh, Cisco!

[ScrewMaster]

Oh, Pancho!

Who suffers?

Cisco isn't suffering from this flaw, IT administrators and end users are.

Hunting Routers

[netrangerrr]

Shhhhhhhhh - - be vewy vewy quiet. I'm hunting wouters....

Are VLANs out of style?

[Anti-Trend]

Doesn't anybody use VLANs anymore? Maybe I'm ignorant here (it's a big world and all), but why should Windows clients be allowed to talk to eachother on the network? Especially if there are VPN nodes and/or soft-spots in the network implementation? Simple VLANs and the usage of DMZ's for outward-facing servers have worked for us so far; any virus infections have been localized to a PC at a time. There's always the ol' email entry point, but that's what clamav is for, right? ;)

Thanks,

-AT

Re:Are VLANs out of style?

Doesn't anybody use VLANs anymore? Maybe I'm ignorant here (it's a big world and all), but why should Windows clients be allowed to talk to eachother on the network?

Would you please describe your VLAN solution that prevents Windows clients from talking with each other on the netowrk while allowing them to talk to various servers. Please address how the solution scales to support implementaitons with tens of thousands of clients, as well. I'm geniounely curious.

Re:Are VLANs out of style?

[Floody]

Doesn't anybody use VLANs anymore? Maybe I'm ignorant here (it's a big world and all), but why should Windows clients be allowed to talk to eachother on the network? Especially if there are VPN nodes and/or soft-spots in the network implementation? Simple VLANs and the usage of DMZ's for outward-facing servers have worked for us so far; any virus infections have been localized to a PC at a time. There's always the ol' email entry point, but that's what clamav is for, right? ;)

vlans don't inhibit broadcast or unicast traffic on the same vlan, so unless each workstation is on a separate vlan (which I can't imagine, as it wouldn't scale), vlans aren't useful for isolating workstations from each other. They are, of course, useful for isolating workstations from other network devices.

re: small companys?

[Halvy]

What do you consider a true firewall?

I mean, I'v never seen or heard that term.

From my understanding a firewall is ANY procedure that directs (ie allows/disallows) and detects traffic on a network.

Do you mean a 'hardware' (cisco's) as opposed to 'software' ONLY?

If so, cisco's (is all FIRMWARE), as in SOFT-WARE, ie. embeded in hardware permanently (unless flashed by user).

Or am I missing something here.

I don't meen to start a pissing contest or anything.. it is just that there is sooo much to learn and confusion out there.. that when I see a term I am not familiar with, I investigate :)

Re:Is this perhaps..& ok I'll feed Mr. Troll.

[Halvy]

Theology is like being in a dark room, looking for a black cat that isn't there and shouting "I found it!"

Science is like being in a dark universe, looking for a black hole that isn't there and shouting "I found it!".

lol ;)

i hope the slashdot crowd isnt as slow as the post

Cisco Issues Fixes for Vulnerable Web Routershttp://www.eweek.com/article2/0,1895,185649 7,00.asp/
Seeing as it the patch was issued yesterday, or even the day before.

read between the lines

[timmarhy]

look at the hidden meaning here. cisco censor a security researcher, and now they have a new vunerability on their hands. get ready for an avalanche of these has angry hackers make an example of cisco.

Re:is this the flaw Michael Lynn tried to tell abo

[sonictheboom]

actually he showed that you could get root shell. this is why Cisco tried so hard to stop him. this was very very major. the presentation is available in the free (from Bush) world.

It's a shame...

[ChePibe]

What a pity that Think Geek stopped selling those "I am Enabled" shirts. Sounds like the market for those is about to increase... ;-)

Use the hole to close itself up

[pestilence669]

Since a vulnerability exists that lets you run remote code, why not make use of that vulnerability to patch itself? It's almost elegant if you think about it... a problem that becomes the solution to end itself. Under the right circumstances, this isn't an impossible thing to do.

When I'm up against a serious bug, remote code execution for instance, I write a test case to consistently reproduce it. I do a full analysis on the affected code and any dependencies. Before I fix the problem, I know everything about it. I might be wrong, but I think that Cisco probably does this too.

I'm trying to say is that Cisco probably builds usable exploits before firmware updates. You need some form of an exploit to test if the fix actually worked. The professional software companies that I've come across all require test cases for bug fixes. I can't imagine that Cisco is any different.

Even if I'm wrong about their software development processes, they could still do it if they wanted to. It is very possible with the right vulnerability. I could see a company run by software engineers pulling it off.

Wait, never mind. This is a horrible idea. You'd be giving script kiddies code to attack the holes of slow adopters. Eek. Scratch this one. At least the idea sounds cool.

I blame it on...

[Andy_R]

My leds are always flashn'
And it wouldn't be a bad thing
But I don't get no packets
And thats no lie

We spent the night in Cisco
At every kind of distro
From that night I kissed
Our data goodbye

Chorus:
Don't blame it on sunshine
Don't blame it on moonlight
Don't blame it on good times
Blame it on the router

Don't blame it on sunshine
Don't blame it on moonlight
Don't blame it on good times
Blame it on the router

The nasty virus bugs me
But somehow it has drugged me
Outbound ports get me
On my feet

I've changed my life completely
I've seen the data leave me
My baby just can't take
Her PCs offline

Chorus:
Don't blame it on sunshine
Don't blame it on moonlight
Don't blame it on good times
Blame it on the router

I just can't
I just can't
I just can't control my ports...

The Best Part About the Article

[SenFo]

Symantec has raised the vulnerability threat level and advised to disable firewall and authentication until their IOS is patched."

Sure, I'll get right on disabling my firewall so the world can take over the even more insecure [unfortunate] 95% Windows network at my work.

Aw, aren't the trolls cute, they feed each other..

I gotta calls'm as I sees'm.