By Jonathan Yarden
When it comes to Internet security, one of the more difficult tasks can be distinguishing between what is a security risk and what isn't. When I read about Cisco's recent source code leak, I found myself contemplating the potential long-term implications of this incident.
Cisco is to routers and switches what Microsoft is to operating systems and office application software. There's an almost 100 percent chance that your organization's Internet connectivity depends somewhere on a device that has Cisco stamped on it.
While plenty of other network router and switch companies exist, Cisco claims the most market share for Internet routers and switches. And the majority of Cisco Internet equipment uses Cisco IOS.
One could even argue that Cisco IOS "runs" the Internet. And it's basically just become "open source."
Considering Cisco's popularity, the source code leak could potentially have serious ramifications. Like any software, Cisco IOS has its own vulnerabilities and problems, and it requires maintenance and updating just like any other software.
But while a good portion of the source code has leaked to the Internet, I'm not overly concerned. I don't fear a "doomsday" exploit that could completely kill the Cisco-based routers and switches on the Internet. If that occurred, we would all be in the same boat, and we'd find a way to get things working again.
But what does concern me is the lack of information security on a day-to-day basis. Corporations and individuals have larger information security problems to solve than the Cisco source code leak.
The Cisco leak isn't the problem—the problem is the expectation of software security from those who know little about the nature of computers or software. Unfortunately, as with Microsoft Windows, companies typically install Cisco IOS, configure it, and forget it.
The vulnerable, poorly configured, and outdated Cisco IOS versions out there pose more of a threat to the Internet than the source code leak of the latest version of IOS. While the theft certainly has a touch of irony—Cisco is increasingly positioning itself in the security solutions market—this incident doesn't imply that IOS is insecure or that companies should find Cisco alternatives.
Frankly, most companies couldn't stop using Cisco products even if they wanted to. Cisco is a ubiquitous presence on the Internet, even if your company doesn't use Cisco equipment. You can't mitigate that risk, so stop worrying about it.
But if you do use Cisco equipment, this is the time to begin taking a more conscientious approach to security. Check the IOS versions you're running, and update and configure them to be more secure if necessary.
While you're at it, why not check every other computer or network device on your network? There are plenty of already vulnerable versions of applications and servers out there running Linux, Windows, AIX, Solaris, Novell, and more. Companies can accomplish a lot more by fixing the security problems in their own backyard than by worrying about whether to stop using Cisco IOS.
Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.