In a message written on Thu, Jul 28, 2005 at 04:51:18PM -0400, Geo. wrote:
Cisco routers are being sold to every company who connects to the internet, it's one step up from consumer products. You can't expect every company who owns a cisco router to buy an expensive contract or be willing to go thru the gauntlet to get the patches.
Cisco needs to come up with a better way.
In a message written on Thu, Jul 28, 2005 at 08:29:38PM +0000, Christopher L. Morrow wrote:
if it's critical to your business you'd think you'd have a support contract for it, eh? (or you decided that the 'better part of a week' and associated risk was an acceptable cost to your business)
Unfortunately Chris, that doesn't match how (small) business works. I had to hold up Microsoft as an example of being a good corporate citizen, but here it goes. If a 10 person company buys Windows XP and runs it in their office they get free Windows Updates patches for the "life" of the product (typically around 5-7 years). There is no TAC or other system to go through, you just tell the box to update and it does it. Now, I'm not suggesting a large ISP would go with this model, but Cisco has moved out of the core and into small edge and SOHO routers, VOIP phones, and all sorts of other gizmos being bought by home office users and small companies who don't buy support for their other technology items, but get updates. Heck, even digital camera makers and such put free firmware updates on their web site. Expecting all of these users to buy a support contract that costs, what, $350/year for a $2500 box is absurd. Even full tilt talk to a real person with on-site service dell support is only around $120/year. There is a reason all of these boxes are running around unpatched. Look at the percentage of windows boxes, which have auto-update software, and free updates that are patched. Now think about the routers out there, where there is no update software, and no free updates. It should surprise no one that there are thousands of routers on the ends of T1's and DS-3's running code 2-6 years (or more) old, vulnerable to any number of things. Why is Cisco so scared of this one? Well, before now hacking them was low value. You could DDOS a 5 person company off the air, maybe reboot their router with a vulnerability -- which frankly many of them wouldn't notice. However, now they can be added to the zombie army of your choice. From being able to simply trigger a flood ping remotely to being able to upload a remote controllable module it's all possible now. Cisco knows a lot of these small offices don't have support. They don't have someone who knows how to upgrade code on a Cisco. For Cisco to actually upgrade a lot of these boxes (assuming people are informed, and know to demand an upgrade) under their current system means tens of thousands of tac calls from people who've never logged into a router before needing to be walked through downloading code and upgrading a router. Millions, if not tens of millions in support costs. Will all of these people demand it? Who knows. The popular press picking up the issue is a huge step to alerting joe random with a small office and a 2501 in the corner he should pay attention, but it's probably not enough. If a hacker manages to take over twenty or thirty thousand routers though....I suspect a flood of calls Cisco's direction. -- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org