High price of manageability

Web-based management has been touted over the last few years as the greatest thing since sliced bread. Because all management data is presented in a well-understood format, shops have to deploy fewer management tools, users face a shallower learning curve, and even the starkest browser-based interfaces present data more effectively than a Telnet session.

But one hardware vendor is learning the hard way that adding Web services to hardware can leave customers vulnerable.

Cisco, one of the largest manufacturers of networking hardware devices, provided its customers with a nasty surprise in mid-May when the company confirmed the existence of a defect in multiple releases of Cisco's Internetwork Operating System (IOS), the core software component of much of the company's product line. The defect (a description is available online at www.cisco.com/warp/public/707/ioshttpserver-pub.shtml) can cause a switch or router to halt or reload, thus interrupting service.

According to documentation provided at Cisco's Web site, the defect "affects virtually all mainstream Cisco routers and switches running Cisco IOS software releases 11.1 through 12.1, inclusive". (That should get your attention.) Fortunately, as of mid-May Cisco had received no reports that the defect, first posted to the Bugtraq mailing list on April 27, had been maliciously exploited.

Essentially, the problem exists in the software-based HTTP server that presents the management information to a connected user, usually a member of a network management team. Browsing to the device's management address with a path of /%% (that is, an address of the form http://<device-address>/%%) will crash the router or switch.

In rare instances, the device may need a hardware restart to recover. At best, it is out of service for the two minutes or more that a reload takes.

There are some bright spots, as any Cisco device not running IOS is automatically immune. If you haven't enabled Web management on your routers and switches running the affected versions of IOS, you're still all right.

To check your devices, log in and issue the show version command, which reports the IOS release the device is running so you can tell whether it falls in the affected range. Cisco's defect description also includes a matrix of release versions and defect status.

Even if you are affected, there are things you can do.

The easiest is to stop using the Web management features and disable the HTTP service on your routers and switches until you can deploy rebuilt versions of IOS, which are available now, to all devices on your network.

Maintenance releases issued at the end of May or later will incorporate the fix, as will the current cycle of interim IOS releases.

Other temporary fixes you can implement involve the device's access lists, in one of two ways. You can apply a standard access list to restrict which source addresses may use the HTTP service itself, or use an extended access list to block the HTTP traffic on the affected network path.

Because the second method can have unexpected results in extremely complex configurations, you're better off with the less elaborate approach: disable the HTTP service, or restrict it with a standard access list.
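The following script, an added example that is not from the article or from Cisco, applies the check and the interim fixes described above to captured command output: it parses the release number out of show version, reads the running configuration for the state of the HTTP server, flags devices whose release falls in the 11.1 through 12.1 range Cisco lists, and emits the no ip http server and ip http access-class commands for those still exposed. The sample captures, the access list number 10 and the management subnet 10.20.30.0/24 are assumptions made for the example.

```python
"""Fleet check for the IOS HTTP server crash discussed above.

Added example, not from the article or from Cisco. It reads text captured
from 'show version' and 'show running-config', decides whether the release
falls in the range Cisco lists as affected (11.1 through 12.1), whether the
HTTP server is on and already restricted with 'ip http access-class', and
emits the interim configuration the article describes. Samples are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Cisco's stated affected range, inclusive. Rebuilt images inside this range
# exist, so a hit means "check Cisco's release matrix", not "vulnerable".
AFFECTED_MIN = (11, 1)
AFFECTED_MAX = (12, 1)

# Matches e.g. "Version 12.0(7)T" or "Version 11.2(18)" in 'show version'.
VERSION_RE = re.compile(r"\bVersion\s+(\d+)\.(\d+)\(")


@dataclass
class Finding:
    hostname: str
    release: Optional[Tuple[int, int]]
    in_affected_range: bool
    http_enabled: bool
    http_access_class: Optional[int]
    remediation: List[str] = field(default_factory=list)  # preferred fix
    alternative: List[str] = field(default_factory=list)  # if HTTP must stay on


def parse_release(show_version: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) of the IOS release, or None if not found."""
    m = VERSION_RE.search(show_version)
    return (int(m.group(1)), int(m.group(2))) if m else None


def parse_http_config(running_config: str) -> Tuple[str, bool, Optional[int]]:
    """Return (hostname, HTTP server enabled?, access-class number or None)."""
    hostname, enabled, access_class = "unknown", False, None
    for raw in running_config.splitlines():
        line = raw.strip()
        if line.startswith("hostname "):
            hostname = line.split(None, 1)[1]
        elif line == "ip http server":
            enabled = True
        elif line == "no ip http server":
            enabled = False
        else:
            m = re.fullmatch(r"ip http access-class (\d+)", line)
            if m:
                access_class = int(m.group(1))
    return hostname, enabled, access_class


def audit(show_version: str, running_config: str,
          mgmt_acl: int = 10, mgmt_net: str = "10.20.30.0 0.0.0.255") -> Finding:
    """Combine both captures into a Finding carrying interim IOS commands.

    mgmt_acl and mgmt_net are assumptions for this example: the standard ACL
    number to use and the management subnet that should keep HTTP access.
    """
    release = parse_release(show_version)
    hostname, enabled, access_class = parse_http_config(running_config)
    affected = release is not None and AFFECTED_MIN <= release <= AFFECTED_MAX
    finding = Finding(hostname, release, affected, enabled, access_class)
    if affected and enabled:
        # Easiest interim step from the article: turn the HTTP server off
        # until a rebuilt image is installed on the device.
        finding.remediation.append("no ip http server")
        if access_class is None:
            # Alternative if Web management must stay on: a standard ACL
            # applied to the HTTP service itself. Permitted hosts can still
            # trigger the crash, so this narrows exposure; it does not fix it.
            finding.alternative.append(f"access-list {mgmt_acl} permit {mgmt_net}")
            finding.alternative.append(f"ip http access-class {mgmt_acl}")
    return finding


# Constructed sample captures (not real devices).
SAMPLE_SHOW_VERSION = """\
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IS-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
"""
SAMPLE_EXPOSED_CONFIG = "hostname edge-rtr-1\n!\nip http server\n!\nend\n"
SAMPLE_SAFE_CONFIG = "hostname core-sw-2\n!\nno ip http server\n!\nend\n"

if __name__ == "__main__":
    for cfg in (SAMPLE_EXPOSED_CONFIG, SAMPLE_SAFE_CONFIG):
        f = audit(SAMPLE_SHOW_VERSION, cfg)
        print(f"{f.hostname}: release={f.release} affected_range={f.in_affected_range} "
              f"http={f.http_enabled} access_class={f.http_access_class}")
        for cmd in f.remediation + f.alternative:
            print("    ", cmd)
```

Feed it the two captures from each device and apply the emitted lines in configuration mode; a device whose release is inside the range is reported for a look at Cisco's matrix rather than declared vulnerable outright, because rebuilt images within the same release train carry the fix.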

Browser-based hardware management isn't a bad thing at all, but when it's implemented without regard for basic security principles, it can open up a world of vulnerabilities that customers may not be prepared for.

Enhancing your management tools is a great thing, but don't cut yourself doing it.

THE BOTTOM LINE

Denial of service preparation

Business case: whether launched from the inside or perpetrated by an external attacker, DoS attacks can bring your network systems to a screeching halt for a period of minutes to hours, to say nothing of the damage to your company's reputation in the eyes of customers and business partners. Preparing for the eventual likelihood of such an attack puts you in a position to minimise the damage and get systems back on track quickly.

Technology case: many DoS attacks exploit systems that either lack the proper OS patches or are improperly configured. Addressing these issues will only solve part of the problem, because the skill level needed to carry out a DoS attack is pitifully low. Any enterprise whose security drills don't include a DoS attack is asking for trouble when one does happen.

Pros:

+ Proper preparation can put you in position to detect an attack early.
+ Possibility of gathering an evidence trail for use in prosecution.

Cons:

- Forces companies to spend time beefing up security at the expense of business objectives.
- Requires constant vigilance, as OS updates and patches can open new holes.
