Cisco Needs to Come CleanBy Steven Vaughan-Nichols | Posted 2004-05-19 Email Print
Re-Thinking HR: What Every CIO Needs to Know About Tomorrow's Workforce
Channel Zone Editor Steven J. Vaughan-Nichols thinks Cisco needs to tell us what really happened to its code and what it's planning on doing about it.Cisco Systems is stonewallingor should I say firewalling, since we're talking networking? But it's pretty darn clear now that the crown jewels of the latest version of its Internetwork Operating System's source code have been swiped. This is bad news.
No, it's not likely, as some have suggested, that some weekend cracker can find serious security vulnerabilities in the 800-or-so MBs of source code. But who says Cisco's code is only going to be examined by script kiddies?
Yes, this is just potential, but it is a real threat. Why do you think the FBI is involved? In part, I'm sure it's because they realize just how damaging an attack on the Cisco-based Internet infrastructure could be.
But there's more. I have never had more trouble chasing a story than this one. Cisco's partners, ISPs and resellers simply don't want to talk about the situation. And I can't blame them in one way.
Cisco has egg on its face thanks to this break-in, but no one wants to admit that the company looks bad. Heck, Cisco's very own Web site still doesn't have a word about the break-in.
One reason why Cisco has achieved its place in the networking community is that it has a reputation for being the absolute best of the best, for building routers and switches that set the industry standard. Well, now we know that Cisco isn't perfect, and a lot of people don't want to talk about it or even face it.
Our customersthe people who don't know what IOS stands for and may not even know what Cisco isdeserve better. Cisco needs to make a statement. It needs to tell the reseller and integrator communities that yes, there was a break-in, but that Cisco will do better next time.
That's a good start, but Cisco also needs to tell us what it's going to do next to protect its products and the Internet.
Traditionally, Cisco never talks about new releases until they're ready to land on the street. It's time to throw that policy out. I understand Cisco IOS 13 was going to come out in June.
Well, is it, Cisco? Are you auditing the code to make sure that any vulnerabilities in the stolen code, IOS 12.3 and 12.3t, are being fixed?
Cisco needs to come out and start making strong statements, because even if there aren't any successful attacks based on the theft, it's not looking good.
Don't think for a second that Juniper Networks Inc., Cisco's biggest rival, won't be telling users, resellers and integrators that maybe Juniper is the more prudent, more secure choice.
Indeed, I already have in front of me an announcement from DeepNines Technologies Inc.
"With this recent theft of code, Cisco is well on its way to becoming the kind of hacker target Microsoft is," DeepNines president and chief operating officer Dan Jackson said in the statement.
"From a market-share standpoint, Cisco and Microsoft aren't all that different, which makes this latest event so potentially disastrous for everyone who owns a Cisco routerthousands of networks could be crippled if that code gets into the wrong hands.
"There's really only one way to protect those networks, and that's to put security in front of the router, which is exactly where our technology sits."
While I don't think Cisco has become the kind of target Microsoft is, I can't argue with DeepNines' approach. Customers who really need 99.9999 percent reliability probably do need this kind of in-front firewall protection now more than ever.
And Cisco, if it wants to keep 99.9999 percent of its supporters happy, needs to talk to its partners and customers now about what's really what with the code theftand what it plans to do about it.
Steven J. Vaughan-Nichols is the editor of Channel Zone and has been covering the channel for more than a decade.