Archive for the ‘Cisco’ Category

Cisco promises to fix admin backdoor in some routers

Monday, January 13th, 2014

Cisco Systems promised to issue firmware updates removing a backdoor from a wireless access point and two of its routers later this month. The undocumented feature could allow unauthenticated remote attackers to gain administrative access to the devices.

The vulnerability was discovered over the Christmas holiday on a Linksys WAG200G router by a security researcher named Eloi Vanderbeken. He found that the device had a service listening on port 32764 TCP, and that connecting to it allowed a remote user to send unauthenticated commands to the device and reset the administrative password.

It was later reported by other users that the same backdoor was present in multiple devices from Cisco, Netgear, Belkin and other manufacturers. On many devices this undocumented interface can only be accessed from the local or wireless network, but on some devices it is also accessible from the Internet.

Cisco identified the vulnerability in its WAP4410N Wireless-N Access Point, WRVS4400N Wireless-N Gigabit Security Router and RVS4000 4-port Gigabit Security Router. The company is no longer responsible for Linksys routers, as it sold that consumer division to Belkin early last year.

The vulnerability is caused by a testing interface that can be accessed from the LAN side on the WRVS4400N and RVS4000 routers and also the wireless network on the WAP4410N wireless access point device.

“An attacker could exploit this vulnerability by accessing the affected device from the LAN-side interface and issuing arbitrary commands in the underlying operating system,” Cisco said in an advisory published Friday. “An exploit could allow the attacker to access user credentials for the administrator account of the device, and read the device configuration. The exploit can also allow the attacker to issue arbitrary commands on the device with escalated privileges.”

The company noted that there are no known workarounds that could mitigate this vulnerability in the absence of a firmware update.

The SANS Internet Storm Center, a cyber threat monitoring organization, warned at the beginning of the month that it detected probes for port 32764 TCP on the Internet, most likely targeting this vulnerability.
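A defender's first question after reading the SANS note above is whether anything has been knocking on TCP/32764 at the network edge. The Python script below is an added example, not code from the article, from Cisco or from SANS: it runs over a few constructed netfilter-style firewall log lines (sample data using documentation-range addresses), counts connection attempts to TCP/32764 per source and ingress interface, and separates Internet-side probes from hits that originate on the LAN, where the article says the interface is reachable on most devices. The log format, interface names and addresses are assumptions.

```python
import re
from collections import Counter

BACKDOOR_PORT = 32764  # TCP port of the undocumented service described in the article

# Constructed netfilter/iptables-style log lines (sample data, not real traffic).
# Two Internet hosts probe TCP/32764 on the WAN uplink (eth0), one LAN host reaches
# it on br0, and there is ordinary HTTPS traffic plus a UDP packet that must not match.
SAMPLE_LOG = """\
Jan 13 02:14:07 gw kernel: [IN] IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=44012 DPT=32764 SYN
Jan 13 02:14:09 gw kernel: [IN] IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=44013 DPT=32764 SYN
Jan 13 02:15:31 gw kernel: [IN] IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.10 PROTO=TCP SPT=51200 DPT=443 SYN
Jan 13 02:16:02 gw kernel: [IN] IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.10 PROTO=TCP SPT=51201 DPT=32764 SYN
Jan 13 02:16:40 gw kernel: [IN] IN=br0 OUT= SRC=192.168.1.50 DST=192.168.1.1 PROTO=TCP SPT=60101 DPT=32764 SYN
Jan 13 02:17:00 gw kernel: [IN] IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=UDP SPT=5353 DPT=32764
"""

# Pull the ingress interface, source address, protocol and destination port out of
# the key=value fields; everything else on the line is ignored.
_LOG_RE = re.compile(
    r"IN=(?P<iface>\S+)\s.*?SRC=(?P<src>[\d.]+)\s.*?PROTO=(?P<proto>\w+)\s.*?DPT=(?P<dport>\d+)"
)


def find_backdoor_probes(log_text, port=BACKDOOR_PORT):
    """Count logged TCP packets aimed at `port`, keyed by (source IP, ingress interface).
    Non-TCP traffic and other destination ports are ignored."""
    hits = Counter()
    for line in log_text.splitlines():
        m = _LOG_RE.search(line)
        if not m:
            continue
        if m.group("proto") != "TCP" or int(m.group("dport")) != port:
            continue
        hits[(m.group("src"), m.group("iface"))] += 1
    return hits


def sources_on_interface(hits, iface):
    """Source addresses that hit the port on one interface, e.g. the WAN uplink."""
    return {src for (src, i) in hits if i == iface}


if __name__ == "__main__":
    hits = find_backdoor_probes(SAMPLE_LOG)
    for (src, iface), n in sorted(hits.items()):
        print(f"{iface:5} {src:16} {n} attempt(s) on TCP/{BACKDOOR_PORT}")
    print("Internet-side sources:", sorted(sources_on_interface(hits, "eth0")))
```

Because the article notes there is no workaround short of a firmware update, the practical value of a report like this is twofold: a non-empty Internet-side list shows the port is exposed on the WAN and the device should be taken off the Internet until patched, and LAN-side hits from hosts that have no business talking to the gateway deserve a look of their own.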

Source:  networkworld.com

High-gain patch antennas boost Wi-Fi capacity for Georgia Tech

Tuesday, November 5th, 2013

To boost its Wi-Fi capacity in packed lecture halls, Georgia Institute of Technology gave up trying to cram in more access points, with conventional omni-directional antennas, and juggle power settings and channel plans. Instead, it turned to new high-gain directional antennas, from Tessco’s Ventev division.

Ventev’s new TerraWave High-Density Ceiling Mount Antenna, which looks almost exactly like the bottom half of a small pizza box, focuses the Wi-Fi signal from the ceiling mounted Cisco access point in a precise cone-shaped pattern, covering part of the lecture hall floor. Instead of the flakey, laggy connections, about which professors had been complaining, users now consistently get up to 144Mbps (if they have 802.11n client radios).

“Overall, the system performed much better” with the Ventev antennas, says William Lawrence, IT project manager principal with the university’s academic and research technologies group. “And there was a much more even distribution of clients across the room’s access points.”

Initially, these 802.11n access points were running 40-MHz channels, but Lawrence’s team eventually switched to the narrower 20 MHz. “We saw more consistent performance for clients in the 20-MHz channel, and I really don’t know why,” he says. “It seems like the clients were doing a lot of shifting between using 40 MHz and 20 MHz. With the narrower channel, it was very smooth and consistent: we got great video playback.”

With the narrower channel, 11n clients can’t achieve their maximum 11n throughput. But that doesn’t seem to have been a problem in these select locations, Lawrence says. “We’ve not seen that to be an issue, but we’re continuing to monitor it,” he says.

The Atlanta main campus has a fully-deployed Cisco WLAN, with about 3,900 access points, nearly all supporting 11n, and 17 wireless controllers. Virtually all of the access points use a conventional, omni-directional antenna, which radiates energy in a globe-shaped configuration with the access point at the center. But in high density classrooms, faculty and students began complaining of flakey connections and slow speeds.

The problem, Lawrence says, was the surging number of Wi-Fi devices actively being used in big classrooms and lecture halls, coupled with Wi-Fi signals, especially in the 2.4-GHz band, stepping on each other over wide sections of the hall, creating co-channel interference.

One Georgia Tech network engineer spent a lot of time monitoring the problem areas and working with students and faculty. In a few cases, the problems could be traced to a client-side configuration problem. But “with 120 clients on one access point, performance really goes downhill,” Lawrence says. “With the omni-directional antenna, you can only pack the access points so close.”

Shifting users to the cleaner 5-GHz band was an obvious step but in practice was rarely feasible: many mobile devices still support only 2.4-GHz connections, and client radios often showed a stubborn willfulness in sticking with a 2.4-GHz connection on a distant access point even when another was available much closer.

Consulting with Cisco, Georgia Tech decided to try some newer access points, with external antenna mounts, and selected one of Cisco’s certified partners, Tessco’s Ventev Wireless Infrastructure division, to supply the directional antennas. The TerraWave products also are compatible with access points from Aruba, Juniper, Meru, Motorola and others.

Patch antennas focus the radio beam within a specific area. (A couple of vendors, Ruckus Wireless and Xirrus, have developed their own built-in “smart” antennas that adjust and focus Wi-Fi signals on clients.) Depending on the beamwidth, the effect can be that of a floodlight or a spotlight, says Jeff Lime, Ventev’s vice president. Ventev’s newest TerraWave High-Density products focus the radio beam within narrower ranges than some competing products, and offer higher gain (in effect putting more oomph into the signal to drive it further), he says.

One model, with a maximum power of 20 watts, can have beam widths of 18 or 28 inches vertically, and 24 or 40 inches horizontally, with a gain of 10 or 11 dBi, depending on the frequency range. The second model, with a 50-watt maximum power output, has a beamwidth in both dimensions of 35 degrees, at a still higher gain of 14 dBi to drive the spotlighted signal further, in really big areas like a stadium.

At Georgia Tech, each antenna focused the Wi-Fi signal from a specific overhead access point to cover a section of seats below it. Fewer users associate with each access point. The result is a kind of virtuous circle. “It gives more capacity per user, so more bandwidth, so a better user experience,” says Lime.

The antennas come with a quartet of 36-inch cables to connect to the access points. The idea is to give IT groups maximum flexibility. But the cables initially were awkward for the IT team installing the antennas. Lawrence says they experimented with different ways of neatly and quickly wrapping up the excess cable to keep it out of the way between the access point proper and the antenna panel [see photo, below]. They also had to modify mounting clips to get them to hold in the metal grid that forms the dropped ceiling in some of the rooms. “Little things like that can cause you some unexpected issues,” Lawrence says.

[Photo: Georgia Tech wifi]

The IT staff worked with Cisco engineers to reset a dedicated controller to handle the new “high density group” of access points; and the controller automatically handled configuration tasks like setting access point power levels and selecting channels.

Another issue is that when the patch antennas were ceiling mounted in second- or third-story rooms, their downward-shooting signal cone reached into the radio space of access points on the floor below. Lawrence says they tweaked the position of the antennas in some cases to send the spotlight signal beaming at an angle. “I look at each room and ask ‘how am I going to deploy these antennas to minimize signal bleed-through into other areas,’” he says. “Adding a high-gain antenna can have unintended consequences outside the space it’s intended for.”

But based on improved throughput and consistent signals, Lawrence says it’s likely the antennas will be used in a growing number of lecture halls and other spaces on the main and satellite campuses. “This is the best solution we’ve got for now,” he says.

Source:  networkworld.com

Cisco fixes serious security flaws in networking, communications products

Thursday, October 24th, 2013

Cisco Systems released software security updates Wednesday to address denial-of-service and arbitrary command execution vulnerabilities in several products, including a known flaw in the Apache Struts development framework used by some of them.

The company released new versions of Cisco IOS XR Software to fix an issue with handling fragmented packets that can be exploited to trigger a denial-of-service condition on various Cisco CRS Route Processor cards. The affected cards and the patched software versions available for them are listed in a Cisco advisory.

The company also released security updates for Cisco Identity Services Engine (ISE), a security policy management platform for wired, wireless, and VPN connections. The updates fix a vulnerability that could be exploited by authenticated remote attackers to execute arbitrary commands on the underlying operating system and a separate vulnerability that could allow attackers to bypass authentication and download the product’s configuration or other sensitive information, including administrative credentials.

Cisco also released updates that fix a known Apache Struts vulnerability in several of its products, including ISE. Apache Struts is a popular open-source framework for developing Java-based Web applications.

The vulnerability, identified as CVE-2013-2251, is located in Struts’ DefaultActionMapper component and was patched by Apache in Struts version 2.3.15.1 which was released in July.

The new Cisco updates integrate that patch into the Struts version used by Cisco Business Edition 3000, Cisco Identity Services Engine, Cisco Media Experience Engine (MXE) 3500 Series and Cisco Unified SIP Proxy.

“The impact of this vulnerability on Cisco products varies depending on the affected product,” Cisco said in an advisory. “Successful exploitation on Cisco ISE, Cisco Unified SIP Proxy, and Cisco Business Edition 3000 could result in an arbitrary command executed on the affected system.”

No authentication is needed to execute the attack on Cisco ISE and Cisco Unified SIP Proxy, but the flaw’s successful exploitation on Cisco Business Edition 3000 requires the attacker to have valid credentials or trick a user with valid credentials into executing a malicious URL, the company said.

“Successful exploitation on the Cisco MXE 3500 Series could allow the attacker to redirect the user to a different and possibly malicious website, however arbitrary command execution is not possible on this product,” Cisco said.

Security researchers from Trend Micro reported in August that Chinese hackers are attacking servers running Apache Struts applications by using an automated tool that exploits several Apache Struts remote command execution vulnerabilities, including CVE-2013-2251.

The existence of an attack tool in the cybercriminal underground for exploiting Struts vulnerabilities increases the risk for organizations using the affected Cisco products.

In addition, since patching CVE-2013-2251 the Apache Struts developers have further hardened the DefaultActionMapper component in more recent releases.

Struts version 2.3.15.2, which was released in September, made some changes to the DefaultActionMapper “action:” prefix that’s used to attach navigational information to buttons within forms in order to mitigate an issue that could be exploited to circumvent security constraints. The issue has been assigned the CVE-2013-4310 identifier.

Struts 2.3.15.3, released on Oct. 17, turned off support for the “action:” prefix by default and added two new settings called “struts.mapper.action.prefix.enabled” and “struts.mapper.action.prefix.crossNamespaces” that can be used to better control the behavior of DefaultActionMapper.

The Struts developers said that upgrading to Struts 2.3.15.3 is strongly recommended, but held back on releasing more details about CVE-2013-4310 until the patch is widely adopted.

It’s not clear when or if Cisco will patch CVE-2013-4310 in its products, given that the fix appears to involve disabling support for the “action:” prefix. If the Struts applications in those products use the “action:” prefix, the company might need to rework some of that code.
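One way to check whether an application’s struts.xml quietly re-enables the prefix that 2.3.15.3 turns off, as an added example that is not code from the article, from Cisco or from the Struts project: the script reads the `<constant>` entries, treats an absent setting as the 2.3.15.3 default (false), and reports each of the two settings named above when it is set to true. The two struts.xml fragments are constructed samples, and the audit assumes Struts 2.3.15.3 or later, the release in which these constants exist.

```python
import xml.etree.ElementTree as ET

# Settings added in Struts 2.3.15.3; both default to false in that release.
PREFIX_ENABLED = "struts.mapper.action.prefix.enabled"
PREFIX_CROSS_NS = "struts.mapper.action.prefix.crossNamespaces"

# Constructed struts.xml fragments (sample data, not taken from any Cisco product).
WEAK_CONFIG = """<struts>
  <constant name="struts.devMode" value="false"/>
  <!-- re-enables the "action:" prefix that 2.3.15.3 disabled, across namespaces -->
  <constant name="struts.mapper.action.prefix.enabled" value="true"/>
  <constant name="struts.mapper.action.prefix.crossNamespaces" value="true"/>
  <package name="default" extends="struts-default"/>
</struts>
"""

HARDENED_CONFIG = """<struts>
  <constant name="struts.devMode" value="false"/>
  <!-- the 2.3.15.3 default (prefix off), stated explicitly so reviewers can see it -->
  <constant name="struts.mapper.action.prefix.enabled" value="false"/>
  <package name="default" extends="struts-default"/>
</struts>
"""


def read_constants(xml_text):
    """Map every <constant name="..." value="..."/> in struts.xml to its value."""
    root = ET.fromstring(xml_text)
    return {c.get("name"): c.get("value") for c in root.iter("constant")}


def _is_true(value):
    return value is not None and value.strip().lower() == "true"


def audit_action_prefix(xml_text):
    """Return a list of findings about the "action:" prefix settings.
    Assumes Struts >= 2.3.15.3, where a missing constant means false."""
    consts = read_constants(xml_text)
    findings = []
    if _is_true(consts.get(PREFIX_ENABLED)):
        findings.append(f'{PREFIX_ENABLED}=true: "action:" prefix handling re-enabled')
    if _is_true(consts.get(PREFIX_CROSS_NS)):
        findings.append(f"{PREFIX_CROSS_NS}=true: prefix may target actions in other namespaces")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_action_prefix(cfg)
        print(f"{label}: {'OK' if not findings else 'findings'}")
        for f in findings:
            print("  -", f)
```

Struts also reads these constants from struts.properties and from web.xml filter init parameters, so a complete audit would merge all three sources; only struts.xml is handled here. A finding on the first setting is exactly the situation the last paragraph describes: an application that depends on the prefix and therefore cannot simply take the 2.3.15.3 default.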

Source:  computerworld.com

Cisco says controversial NIST crypto, a potential NSA backdoor, ‘not invoked’ in products

Thursday, October 17th, 2013

Controversial crypto technology known as Dual EC DRBG, thought to be a backdoor for the National Security Agency, ended up in some Cisco products as part of their code libraries. But Cisco says it cannot be used, because the company chose a different algorithm as the operational default, and that default cannot be changed.

Dual EC DRBG (Dual Elliptic Curve Deterministic Random Bit Generator) is a standard from the National Institute of Standards and Technology; a crypto toolkit from RSA that included it is thought to have been one of the main ways the algorithm ended up in hundreds of vendors’ products.

Because Cisco is known to have used the BSAFE crypto toolkit, the company has faced questions about where Dual EC DRBG may have ended up in the Cisco product line. In a Cisco blog post today, Anthony Grieco, principal engineer at Cisco, tackled this topic in a notice about how Cisco chooses crypto.

“Before we go any further, I’ll go ahead and get it out there: we don’t use the Dual_EC_DRBG in our products. While it is true that some of the libraries in our products can support the DUAL_EC_DRBG, it is not invoked in our products.”

Grieco wrote that Cisco, like most tech companies, uses cryptography in nearly all its products, if only for secure remote management.

“Looking back at our DRBG decisions in the context of these guiding principles, we looked at all four DRBG options available in NIST SP 800-90. As none had compelling interoperability or legal implementation implications, we ultimately selected the Advanced Encryption Standard Counter mode (AES-CTR) DRBG as our default.”

Grieco stated this was “because of our comfort with the underlying implementation, the absence of any general security concerns, and its acceptable performance. Dual_EC_DRBG was implemented but wasn’t seriously considered as the default given the other good choices available.”

Grieco said the DRBG choice that Cisco made “cannot be changed by the customer.”

Faced with the Dual EC DRBG controversy, which was triggered by the revelations about the NSA by former NSA contractor Edward Snowden, NIST itself has re-opened comments about this older crypto standard.

“The DRBG controversy has brought renewed focus on the crypto industry and the need to constantly evaluate cryptographic algorithm choices,” Grieco wrote in the blog today. “We welcome this conversation as an opportunity to improve security of the communications infrastructure. We’re open to serious discussions about the industry’s cryptographic needs, what’s next for our products, and how to collectively move forward.” Cisco invited comment on that online.

Grieco concluded, “We will continue working to ensure our products offer secure algorithms, and if they don’t, we’ll fix them.”

Source:  computerworld.com

802.11ac ‘gigabit Wi-Fi’ starts to show potential, limits

Monday, October 7th, 2013

Vendor tests and very early 802.11ac customers provide a reality check on “gigabit Wi-Fi” but also confirm much of its promise.

Vendors have been testing their 11ac products for months, yielding data that show how 11ac performs and what variables can affect performance. Some of the tests are under ideal laboratory-style conditions; others involve actual or simulated production networks. Among the results: consistent 400M to 800Mbps throughput for 11ac clients in best-case situations, higher throughput as range increases compared to 11n, more clients serviced by each access point, and a boost in performance for existing 11n clients.

Wireless LAN vendors are stepping up product introductions, and all of them are coming out with products, among them Aerohive, Aruba Networks, Cisco (including its Meraki cloud-based offering), Meru, Motorola Solutions, Ruckus, Ubiquiti, and Xirrus.

The IEEE 802.11ac standard does several things to triple the throughput of 11n. It builds on some of the technologies introduced in 802.11n; makes mandatory some 11n options; offers several ways to dramatically boost Wi-Fi throughput; and works solely in the under-used 5GHz band.

It’s a potent combination. “We are seeing over 800Mbps on the new Apple 11ac-equipped Macbook Air laptops, and 400Mbps on the 11ac phones, such as the new Samsung Galaxy S4, that [currently] make up the bulk of 11ac devices on campus,” says Mike Davis, systems programmer, University of Delaware, Newark, Delaware.

A long-time Aruba Networks WLAN customer, the university has installed 3,700 of Aruba’s new 11ac access points on campus this summer, in a new engineering building, two new dorms, and some large auditoriums. Currently, there are on average about 80 11ac clients online with a peak of 100, out of some 24,000 Wi-Fi clients on campus.

The 11ac network seems to bear up under load. “In a limited test with an 11ac Macbook Air, I was able to sustain 400Mbps on an 11ac access point that was loaded with over 120 clients at the time,” says Davis. Not all of the clients were “data hungry,” but the results showed “that the new 11ac access points could still supply better-than-11n data rates while servicing more clients than before,” Davis says.

The maximum data rates for 11ac are highly dependent on several variables. One is whether the 11ac radios are using 80 MHz-wide channels (11n got much of its throughput boost by being able to use 40 MHz channels). Another is whether the radios are able to use the 256 QAM modulation scheme, compared to the 64 QAM for 11n. Both of these depend on how close the 11ac clients are to the access point. Too far, and the radios “step down” to narrower channels and lower modulations.

Another variable is the number of “spatial streams,” a technology introduced with 11n, supported by the client and access point radios. Chart #1, “802.11ac performance based on spatial streams,” shows the download throughput performance.

[Chart #1: “802.11ac performance based on spatial streams” (download throughput by number of spatial streams)]

In perfect conditions, close to the access point, a three-stream 11ac radio can achieve the maximum raw data rate of 1.3Gbps. But no users will actually realize that in terms of useable throughput.

“Typically, if the client is close to the access point, you can expect to lose about 40% of the overall raw bit rate due to protocol overhead – acknowledgements, setup, beaconing and so on,” says Mathew Gast, director of product management, for Aerohive Networks, which just announced its first 11ac products, the AP370 and AP390. Aerohive incorporates controller functions in a distributed access point architecture and provides a cloud-based management interface for IT groups.

“A single [11ac] client that’s very close to the access point in ideal conditions gets very good speed,” says Gast. “But that doesn’t reflect reality: you have electronic ‘noise,’ multiple contending clients, the presence of 11n clients. In some cases, the [11ac] speeds might not be much higher than 11n.”

A third key variable is the number of spatial streams, supported by both access points and clients. Most of the new 11ac access points will support three streams, usually with three transmit and three receive antennas. But clients will vary. At the University of Delaware, the new Macbook Air laptops support two streams; but the new Samsung Galaxy S4 and HTC One phones support one stream, via Broadcom’s BCM4335 11ac chipset.

Tests by Broadcom found that a single 11n data stream over a 40 MHz channel can deliver up to 60Mbps. By comparison, single-stream 11ac in an 80 MHz channel is “starting at well over 250Mbps,” says Chris Brown, director of business development for Broadcom’s wireless connectivity unit. Single-stream 11ac will max out at about 433Mbps.

There are some interesting results from these qualities. One is that the throughput at any given distance from the access point is much better in 11ac compared to 11n. “Even at 60 meters, single-stream 11ac outperforms all but the 2×2 11n at 40 MHz,” Brown says.

Another result is that 11ac access points can service a larger number of clients than 11n access points.

“We have replaced several dozen 11n APs with 11ac in a high-density lecture hall, with great success,” says University of Delaware’s Mike Davis. “While we are still restricting the maximum number of clients that can associate with the new APs, we are seeing them maintain client performance even as the client counts almost double from what the previous generation APs could service.”

Other features of 11ac help to sustain these capacity gains. Transmit beam forming (TBF), which was an optional feature in 11n, is mandatory and standardized in 11ac. “TBF lets you ‘concentrate’ the RF signal in a specific direction, for a specific client,” says Mark Jordan, director, technical marketing engineering, Aruba Networks. “TBF changes the phasing slightly to allow the signals to propagate at a higher effective radio power level. The result is a vastly improved throughput-over-distance.”

A second feature is low density parity check (LDPC), which is a technique to improve the sensitivity of the receiving radio, in effect giving it better “hearing.”

The impact in Wi-Fi networks will be significant. Broadcom did extensive testing in a network set up in an office building, using both 11n and 11ac access points and clients. It specifically tested 11ac data rates and throughput with beam forming and low density parity check switched off and on, according to Brown.

Tests showed that 11ac connections with both TBF and LDPC turned on increasingly and dramatically outperformed 11n – and even 11ac with both features turned off – as the distance between client and access point increased. For example, at one test point, an 11n client achieved 32Mbps. At the same point, the 11ac client with TBF and LDPC turned “off” achieved about the same. But when both were turned “on,” the 11ac client soared to 102Mbps, more than three times the previous throughput.

Aruba found similar results. Its single-stream Galaxy S4 smartphone reached 238Mbps TCP downstream throughput at 15 feet, 235Mbps at 30 feet, and 193Mbps at 75 feet. At 120 feet, it was still 154Mbps. For the same distances upstream the throughput rates were: 235Mbps, 230M, 168M, and 87M.

“We rechecked that several times, to make sure we were doing it right,” says Aruba’s Jordan. “We knew we couldn’t get the theoretical maximums. But now, we can support today’s clients with all the data they demand. And we can do it with the certainty of such high rates-at-range that we can come close to guaranteeing a high quality [user] experience.”

There are still other implications with 11ac. Because of the much higher up and down throughput, 11ac mobile devices get on and off the Wi-Fi channel much faster compared to 11n, drawing less power from the battery. The more efficient network use will mean less “energy per bit,” and better battery life.

A related implication is that because this all happens much faster with 11ac, there’s more time for other clients to access the channel. In other words, network capacity increases by up to six times, according to Broadcom’s Brown. “That frees up time for other clients to transmit and receive,” he says.

That improvement can be used to reduce the number of access points covering a given area: in the Broadcom office test area, four Cisco 11n access points provided connectivity. A single 11n access point could replace them, says Brown.

But more likely, IT groups will optimize 11ac networks for capacity, especially as the number of smartphones, tablets, laptops and other gear are outfitted with 11ac radios.

Even 11n clients will see improvement in 11ac networks, as University of Delaware has found.

“The performance of 11n clients on the 11ac APs has probably been the biggest, unexpected benefit,” says Mike Davis. “The 11n clients still make up 80% of the total number of clients and we’ve measured two times the performance of 11n clients on the new 11ac APs over the last generation [11n] APs.”

Wi-Fi uses Ethernet’s carrier sense multiple access with collision detection (CSMA/CD) which essentially checks to see if a channel is being used, and if so, backs off, waits and tries again. “If we’re spending less time on the net, then there’s more airtime available, and so more opportunities for devices to access the media,” says Brown. “More available airtime translates into fewer collisions and backoffs. If an overburdened 11n access point is replaced with an 11ac access point, it will increase the network’s capacity.”

In Aruba’s in-house testing, a Macbook Pro laptop with a three-stream 11n radio was connected first to the 11n Aruba AP-135, and then to the 11ac AP-225. As shown in Chart #2, “11ac will boost throughput in 11n clients,” the laptop’s performance was vastly better on the 11ac access point, especially as the range increased.

[Chart #2: “11ac will boost throughput in 11n clients” (three-stream 11n laptop on the Aruba AP-135 versus the AP-225, by range)]

These improvements are part of “wave 1” 11ac. In wave 2, starting perhaps later in 2014, new features will be added to 11ac radios: support for four to eight data streams, explicit transmit beam forming, an option for 160 MHz channels, and “multi-user MIMO,” which lets the access point talk to more than one 11ac client at the same time.

Source:  networkworld.com

Aruba announces cloud-based Wi-Fi management service

Tuesday, October 1st, 2013

Competes with Cisco-owned Meraki and Aerohive

Aruba Networks today announced a new Aruba Central cloud-based management service for Wi-Fi networks that could be valuable to companies with branch operations, schools and mid-sized networks where IT support is scarce.

Aruba still sells Wi-Fi access points but now is offering Aruba Central cloud management of local Wi-Fi zones, for which it charges $140 per AP annually.

The company also announced the new Aruba Instant 155 AP, a desktop model starting at $895 and available now, and the Instant 225 AP for $1,295, available sometime later this month.

A new 3.3 version of the Instant OS is also available, and a new S1500 mobility access switch with 12 to 48 ports starting at $1,495 will ship in late 2013.

Cloud-based management of Wi-Fi is in its early stages and today constitutes about 5% of a $4 billion annual Wi-Fi market, Aruba said, citing findings by Dell’Oro Group. Aruba said it faces competition from Aerohive and Meraki, which Cisco purchased for $1.2 billion last November.

Cloud-based management of APs is ideally suited for centralizing management of branch offices or schools that don’t have their own IT staff.

“We have one interface for multiple sites, for those wanting to manage from a central platform,” said Sylvia Hooks, Aruba’s director of product marketing. “There’s remote monitoring and troubleshooting. We do alerting and reports, all in wizard-based formats, and you can group all the APs from location. We’re trying to offer sophisticated functions, but presented so a generalist could use them.”

Aruba relies on multiple cloud providers and multiple data centers to support Aruba Central, Hooks said.

The two new APs provide 450 Mbps throughput in 802.11n for the 155 AP and 1.3 Gbps for the 220 AP, Aruba said. Each AP in a Wi-Fi cluster running the Instant OS can assume controller functions with intelligence built in. The first AP installed in a cluster can select itself as the master controller of the other APs and if it somehow fails, the next most senior AP selects itself as the master.

Source:  networkworld.com

Cisco IOS fixes 10 denial-of-service vulnerabilities

Friday, September 27th, 2013

The vulnerabilities can be exploited by unauthenticated, remote attackers to cause connectivity loss, hangs or reloads

Cisco Systems has patched 10 vulnerabilities that could affect the availability of devices using various versions of its IOS software.

IOS is a multitasking operating system that combines networking and telecommunications functions and is used on many of the company’s networking devices.

All of the patched vulnerabilities can affect a device’s availability if exploited. They affect Cisco IOS implementations of the Network Time Protocol (NTP), the Internet Key Exchange protocol, the Dynamic Host Configuration Protocol (DHCP), the Resource Reservation Protocol (RSVP), the virtual fragmentation reassembly (VFR) feature for IP version 6 (IPv6), the Zone-Based Firewall (ZBFW) component, the T1/E1 driver queue and the Network Address Translation (NAT) function for DNS (Domain Name System) and PPTP (Point-to-Point Tunneling Protocol).

These vulnerabilities can be exploited by remote, unauthenticated attackers by sending specifically crafted packets over the network to IOS devices that have the affected features enabled.

Depending on the targeted vulnerability, attackers can cause the affected devices to hang, reload, lose connection, lose their ability to route connections or trigger other types of denial-of-service (DoS) conditions.

Workarounds for the NTP, ZBFW, T1/E1 driver queue and RSVP flaws are available and are described in the corresponding security advisories released by Cisco this week. To mitigate the other vulnerabilities, users will have to install patched versions of the IOS software, depending on which versions their devices already use.

“The effectiveness of any workaround or fix depends on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission,” Cisco said. “Because of the variety of affected products and releases, customers should consult their service providers or support organizations to ensure that any applied workaround or fix is the most appropriate in the intended network before it is deployed.”

The company is not aware of any malicious exploitation or detailed public disclosure of these vulnerabilities. They were discovered during internal security reviews or while troubleshooting customer service reports.

Source:  computerworld.com

Will software-defined networking kill network engineers’ beloved CLI?

Tuesday, September 3rd, 2013

Networks defined by software may require more coding than command lines, leading to changes on the job

SDN (software-defined networking) promises some real benefits for people who use networks, but to the engineers who manage them, it may represent the end of an era.

Ever since Cisco made its first routers in the 1980s, most network engineers have relied on a CLI (command-line interface) to configure, manage and troubleshoot everything from small-office LANs to wide-area carrier networks. Cisco’s isn’t the only CLI, but on the strength of the company’s domination of networking, it has become a de facto standard in the industry, closely emulated by other vendors.

As such, it’s been a ticket to career advancement for countless network experts, especially those certified as CCNAs (Cisco Certified Network Associates). Those network management experts, along with higher level CCIEs (Cisco Certified Internetwork Experts) and holders of other official Cisco credentials, make up a trained workforce of more than 2 million, according to the company.

A CLI is simply a way to interact with software by typing in lines of commands, as PC users did in the days of DOS. With the Cisco CLI and those that followed in its footsteps, engineers typically set up and manage networks by issuing commands to individual pieces of gear, such as routers and switches.

SDN, and the broader trend of network automation, uses a higher layer of software to control networks in a more abstract way. Whether through OpenFlow, Cisco’s ONE (Open Network Environment) architecture, or other frameworks, the new systems separate the so-called control plane of the network from the forwarding plane, which is made up of the equipment that pushes packets. Engineers managing the network interact with applications, not ports.

“The network used to be programmed through what we call CLIs, or command-line interfaces. We’re now changing that to create programmatic interfaces,” Cisco Chief Strategy Officer Padmasree Warrior said at a press event earlier this year.

Will SDN spell doom for the tool that network engineers have used throughout their careers?

“If done properly, yes, it should kill the CLI. Which scares the living daylights out of the vast majority of CCIEs,” Gartner analyst Joe Skorupa said. “Certainly all of those who define their worth in their job as around the fact that they understand the most obscure Cisco CLI commands for configuring some corner-case BGP4 (Border Gateway Protocol 4) parameter.”

At some of the enterprises that Gartner talks to, the backlash from some network engineers has already begun, according to Skorupa.

“We’re already seeing that group of CCIEs doing everything they can to try and prevent SDN from being deployed in their companies,” Skorupa said. Some companies have deliberately left such employees out of their evaluations of SDN, he said.

Not everyone thinks the CLI’s days are numbered. SDN doesn’t go deep enough to analyze and fix every flaw in a network, said Alan Mimms, a senior architect at F5 Networks.

“It’s not obsolete by any definition,” Mimms said. He compared SDN to driving a car and CLI to getting under the hood and working on it. For example, for any given set of ACLs (access control lists) there are almost always problems for some applications that surface only after the ACLs have been configured and used, he said. A network engineer will still have to use CLI to diagnose and solve those problems.

However, SDN will cut into the use of CLI for more routine tasks, Mimms said. Network engineers who know only CLI will end up like manual laborers whose jobs are replaced by automation. It’s likely that some network jobs will be eliminated, he said.

This isn’t the first time an alternative has risen up to challenge the CLI, said Walter Miron, a director of technology strategy at Canadian service provider Telus. There have been graphical user interfaces to manage networks for years, he said, though they haven’t always had a warm welcome. “Engineers will always gravitate toward a CLI when it’s available,” Miron said.

Even networking startups need to offer a Cisco CLI so their customers’ engineers will know how to manage their products, said Carl Moberg, vice president of technology at Tail-F Systems. Since 2005, Tail-F has been one of the companies going up against the prevailing order.

It started by introducing ConfD, a graphical tool for configuring network devices, which Cisco and other major vendors included with their gear, according to Moberg. Later the company added NCS (Network Control System), a software platform for managing the network as a whole. To maintain interoperability, NCS has interfaces to Cisco’s CLI and other vendors’ management systems.

CLIs have their roots in the very foundations of the Internet, according to Moberg. The approach of the Internet Engineering Task Force, which oversees IP (Internet Protocol), has always been to find pragmatic solutions to defined problems, he said. This detail-oriented “bottom up” orientation was different from the way cellular networks were designed. The 3GPP, which developed the GSM standard used by most cell carriers, crafted its entire architecture at once, he said.

The IETF’s approach lent itself to manual, device-by-device administration, Moberg said. But as networks got more complex, that technique ran into limitations. Changes to networks are now more frequent and complex, so there’s more room for human error and the cost of mistakes is higher, he said.

“Even the most hardcore Cisco engineers are sick and tired of typing the same commands over and over again and failing every 50th time,” Moberg said. Though the CLI will live on, it will become a specialist tool for debugging in extreme situations, he said.

“There’ll always be some level of CLI,” said Bill Hanna, vice president of technical services at University of Pittsburgh Medical Center. At the launch earlier this year of Nuage Networks’ SDN system, called Virtualized Services Platform, Hanna said he hoped SDN would replace the CLI. The number of lines of code involved in a system like VSP is “scary,” he said.

On a network fabric with 100,000 ports, it would take all day just to scroll through a list of the ports, said Vijay Gill, a general manager at Microsoft, on a panel discussion at the GigaOm Structure conference earlier this year.

“The scale of systems is becoming so large that you can’t actually do anything by hand,” Gill said. Instead, administrators now have to operate on software code that then expands out to give commands to those ports, he said.

Faced with these changes, most network administrators will fall into three groups, Gartner’s Skorupa said.

The first group will “get it” and welcome not having to troubleshoot routers in the middle of the night. They would rather work with other IT and business managers to address broader enterprise issues, Skorupa said. The second group won’t be ready at first but will advance their skills and eventually find a place in the new landscape.

The third group will never get it, Skorupa said. They’ll face the same fate as telecommunications administrators who relied for their jobs on knowing obscure commands on TDM (time-division multiplexing) phone systems, he said. Those engineers got cut out when circuit-switched voice shifted over to VoIP (voice over Internet Protocol) and went onto the LAN.

“All of that knowledge that you had amassed over decades of employment got written to zero,” Skorupa said. For IP network engineers who resist change, there will be a cruel irony: “SDN will do to them what they did to the guys who managed the old TDM voice systems.”

But SDN won’t spell job losses, at least not for those CLI jockeys who are willing to broaden their horizons, said analyst Zeus Kerravala of ZK Research.

“The role of the network engineer, I don’t think, has ever been more important,” Kerravala said. “Cloud computing and mobile computing are network-centric compute models.”

Data centers may require just as many people, but with virtualization, the sharply defined roles of network, server and storage engineer are blurring, he said. Each will have to understand the increasingly interdependent parts.

The first step in keeping ahead of the curve, observers say, may be to learn programming.

“The people who used to use CLI will have to learn scripting and maybe higher-level languages to program the network, or at least to optimize the network,” said Pascale Vicat-Blanc, founder and CEO of application-defined networking startup Lyatiss, during the Structure panel.

Microsoft’s Gill suggested network engineers learn languages such as Python, C# and PowerShell.

For Facebook, which takes a more hands-on approach to its infrastructure than do most enterprises, that future is now.

“If you look at the Facebook network engineering team, pretty much everybody’s writing code as well,” said Najam Ahmad, Facebook’s director of technical operations for infrastructure.

Network engineers historically have used CLIs because that’s all they were given, Ahmad said. “I think we’re underestimating their ability.”

Cisco is now gearing up to help its certified workforce meet the newly emerging requirements, said Tejas Vashi, director of product management for Learning@Cisco, which oversees education, testing and certification of Cisco engineers.

With software automation, the CLI won’t go away, but many network functions will be carried out through applications rather than manual configuration, Vashi said. As a result, network designers, network engineers and support engineers all will see their jobs change, and there will be a new role added to the mix, he said.

In the new world, network designers will determine network requirements and how to fulfill them, then use that knowledge to define the specifications for network applications. Writing those applications will fall to a new type of network staffer, which Learning@Cisco calls the software automation developer. These developers will have background knowledge about networking along with skills in common programming languages such as Java, Python, and C, said product manager Antonella Como. After the software is written, network engineers and support engineers will install and troubleshoot it.

“All these people need to somewhat evolve their skills,” Vashi said. Cisco plans to introduce a new certification involving software automation, but it hasn’t announced when.

Despite the changes brewing in networks and jobs, the larger lessons of all those years typing in commands will still pay off for those who can evolve beyond the CLI, Vashi and others said.

“You’ve got to understand the fundamentals,” Vashi said. “If you don’t know how the network infrastructure works, you could have all the background in software automation, and you don’t know what you’re doing on the network side.”

Source:  computerworld.com

Cisco cracks down on security vulnerability

Friday, August 30th, 2013

The vulnerability could allow remote, unauthenticated attackers to take control of the underlying operating system, the company said

Cisco Systems released security patches for Secure Access Control Server (Secure ACS) for Windows to address a critical vulnerability that could allow unauthenticated attackers to remotely execute arbitrary commands and take control of the underlying operating system.

Cisco Secure ACS is an application that allows companies to centrally manage access to network resources for various types of devices and users. According to Cisco’s documentation, it enforces access control policies for VPN, wireless and other network users and it authenticates administrators, authorizes commands, and provides an audit trail.

Cisco Secure ACS supports two network access control protocols: Remote Authentication Dial In User Service (RADIUS) and Terminal Access Controller Access-Control System Plus (TACACS+).

The newly patched vulnerability is identified as CVE-2013-3466 and affects Cisco Secure ACS for Windows versions 4.0 through 4.2.1.15 when configured as a RADIUS server with Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) authentication.

“The vulnerability is due to improper parsing of user identities used for EAP-FAST authentication,” Cisco said Wednesday in a security advisory. “An attacker could exploit this vulnerability by sending crafted EAP-FAST packets to an affected device.”

“Successful exploitation of the vulnerability may allow an unauthenticated, remote attacker to execute arbitrary commands and take full control of the underlying operating system that hosts the Cisco Secure ACS application in the context of the System user for Cisco Secure ACS running on Microsoft Windows,” the company said.

The vulnerability received the maximum severity score, 10.0, in the Common Vulnerability Scoring System (CVSS), which indicates that it is highly critical. Cisco Secure ACS for Windows version 4.2.1.15.11 was released to address the flaw.

There are no known workarounds, so upgrading to the patched version of the application is recommended.
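The advisory gives an affected range (4.0 through 4.2.1.15), a fixed build (4.2.1.15.11) and a configuration precondition (RADIUS with EAP-FAST). The check below, added here as an example and not Cisco’s own code, turns those three facts into an inventory triage: it parses dotted versions so that 4.2.1.15 sorts before 4.2.1.15.11, and only flags hosts that are both in range and running the affected configuration. The hostnames, the non-affected 3.3.4 build and the inventory entries are constructed sample data; treating any 4.x build older than 4.2.1.15.11 as unpatched is a conservative assumption, since the advisory excerpt says nothing about interim 4.2.1.15.x builds.

```python
"""Triage a Cisco Secure ACS for Windows inventory against CVE-2013-3466.

Added example, not Cisco's code. The affected range (4.0 through 4.2.1.15)
and the fixed build (4.2.1.15.11) come from the advisory text above; the
inventory at the bottom is constructed sample data.
"""
from typing import List, Tuple

FIRST_AFFECTED = (4, 0)
FIXED_BUILD = (4, 2, 1, 15, 11)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '4.2.1.15.11' into a tuple of ints.

    Tuples compare component by component, and a shorter tuple with the same
    prefix sorts first, so (4, 2, 1, 15) < (4, 2, 1, 15, 11) as required.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str, radius_eap_fast: bool) -> bool:
    """True when the build is in the vulnerable range AND the precondition holds.

    Conservative assumption (not stated in the advisory excerpt): any 4.x build
    older than the fixed build 4.2.1.15.11 is treated as unpatched.
    """
    v = parse_version(version)
    in_range = FIRST_AFFECTED <= v < FIXED_BUILD
    return in_range and radius_eap_fast


# Constructed inventory: (hostname, ACS version, configured as RADIUS + EAP-FAST)
INVENTORY = [
    ("acs-hq-01", "4.2.1.15", True),      # last build in the affected range
    ("acs-hq-02", "4.2.1.15.11", True),   # the fixed build
    ("acs-dc-01", "4.1.4", False),        # in range, but TACACS+-only (precondition absent)
    ("acs-lab-01", "4.0", True),          # first build in the affected range
    ("acs-old-01", "3.3.4", True),        # constructed pre-4.0 build, outside the range
]


def hosts_needing_patch(inventory=INVENTORY) -> List[str]:
    """Hostnames that should be upgraded to 4.2.1.15.11."""
    return [host for host, ver, cfg in inventory if is_affected(ver, cfg)]


if __name__ == "__main__":
    for host in hosts_needing_patch():
        print(f"{host}: affected by CVE-2013-3466, upgrade to 4.2.1.15.11")
```

The configuration flag matters as much as the version: a 4.1.4 server used only for TACACS+ is outside the advisory’s scope, while a 4.0 server doing EAP-FAST is not, and an inventory check that looks at versions alone gets both cases wrong.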

Source:  networkworld.com

Cisco responds to VMware’s NSX launch, allegiances

Thursday, August 29th, 2013

Says a software-only approach to network virtualization spells trouble for users

Cisco has responded to the groundswell of momentum and support around the introduction of VMware’s NSX network virtualization platform this week with a laundry list of the limitations of software-only based network virtualization. At the same time, Cisco said it intends to collaborate further with VMware, specifically around private cloud and desktop virtualization, even as its partner lines up a roster of allies among Cisco’s fiercest rivals.

Cisco’s response was delivered here, in a blog post from Chief Technology and Strategy Officer Padmasree Warrior.

In a nutshell, Warrior says software-only based network virtualization will leave customers with more headaches and hardships than a solution that tightly melds software with hardware and ASICs – the type of network virtualization Cisco proposes:

A software-only approach to network virtualization places significant constraints on customers.  It doesn’t scale, and it fails to provide full real-time visibility of both physical and virtual infrastructure.  In addition this approach does not provide key capabilities such as multi-hypervisor support, integrated security, systems point-of-view or end-to-end telemetry for application placement and troubleshooting.  This loosely-coupled approach forces the user to tie multiple 3rd party components together adding cost and complexity both in day-to-day operations as well as throughout the network lifecycle.  Users are forced to address multiple management points, and maintain version control for each of the independent components.  Software network virtualization treats physical and virtual infrastructure as separate entities, and denies customers a common policy framework and common operational model for management, orchestration and monitoring.

Warrior then went on to tout the benefits of the Application Centric Infrastructure (ACI), a concept introduced by Cisco spin-in Insieme Networks at the Cisco Live conference two months ago. ACI combines hardware, software and ASICs into an integrated architecture that delivers centralized policy automation, visibility and management of both physical and virtual networks, etc., she claims.

Warrior also shoots down the comparison between network virtualization and server virtualization, which is the foundation of VMware’s existence and success. Servers were underutilized, which drove the need for the flexibility and resource efficiency promised in server virtualization, she writes.

Not so with networks. Networks do not have an underutilization problem, she claims:

In fact, server virtualization is pushing the limits of today’s network utilization and therefore driving demand for higher port counts, application and policy-driven automation, and unified management of physical, virtual and cloud infrastructures in a single system.

Warrior ends by promising some “exciting news” around ACI in the coming months. Perhaps at Interop NYC in late September/early October? Cisco CEO John Chambers was just added this week to the keynote lineup at the conference. He usually appears at these venues when Cisco makes a significant announcement that same week…

Source:  networkworld.com

Don’t waste your time (or money) on open-source networking, says Cisco

Monday, August 26th, 2013

Despite a desire to create open and flexible networks, network managers shouldn’t be fooled into thinking that the best way to achieve this is through building an open-source network from scratch, according to Den Sullivan, Head of Architectures for Emerging Markets, Cisco.

In a phone interview with CNME, Sullivan said that, in most cases, attempting to build your own network using open-source technologies would result in more work and more cost.

“When you’re down there in the weeds, sticking it all together, building it yourself when you can actually go out there and buy it, I think you’re probably increasing your cost base whilst you actually think that you may be getting something cheaper,” he said.

Sullivan said he understood why network managers could be seduced by the idea of building a bespoke network from open-source technologies. However, he advised that, in practical terms, open-source networking tech was mostly limited to creating smaller programs and scripts.

“People have looked to try to do things faster, try to automate things. And with regards to scripts and small programs, they’re taking up open-source off the Web, bolting them together and ultimately coming up with a little program or script that goes and does things a little bit faster for their own particular area,” he said.

Sullivan said he hadn’t come across anyone in the Middle East creating open-source networks from scratch — and with good reason. He said that the role of IT isn’t to create something bespoke, but to align the department with the needs of the business, using whichever tools are available.

“How does the IT group align with that strategy, and then how best do they deliver it?” he asked. “Ultimately, I don’t think that is always about going and building it yourself, and stitching it all together.

“It’s almost like the application world. Say you’ve got 10,000 sales people — why would you go and build a sales tool to track their forecasting, to track their performance, to track your customer base? These things are readily available — they’re built by vendors who have got years and years of experience, so why are you going to start trying to grow your own? That’s not the role of IT as I see it today.”

Sullivan admitted that, for some businesses, stock networking tools from the big vendors did not provide enough flexibility. However, he said that a lot of the flexibility and openness that people desire could be found more easily in software-defined networking (SDN) tools, rather than open-source networking tools.

“I see people very interested in the word ‘open’ in regards to software-defined networking, but I don’t see them actually going and creating their own networks through open-source, readily available programs out there on the Internet. I do see an interest in regards to openness, flexibility, and more programmability — things like the Open Network Foundation and everything in regards to SDN,” he said.

Source:  pcadvisor.com

VMware unwraps virtual networking software – promises greater network control, security

Monday, August 26th, 2013

VMware announces that NSX – which combines network and security features – will be available in the fourth quarter

VMware today announced that its virtual networking software and security software products packaged together in an offering named NSX will be available in the fourth quarter of this year.

The company has been running NSX in beta since the spring, but as part of a broader announcement of software-defined data center functions made today at VMworld, the company took the wrapping off of its long-awaited virtual networking software. VMware has based much of the NSX functionality on technology it acquired from Nicira last year.

The generally available version of NSX includes two major new features compared to the beta. First, technical integration with a variety of partner companies, including the ability for the virtual networking software to control network and compute infrastructure from those hardware providers. Second, it virtualizes some network functions like firewalling, allowing for better control of virtual networks.

The idea of virtual networking is similar to that of virtual computing: abstracting the core features of networking from the underlying hardware. Doing so lets organizations more granularly control their networks, including spinning up and down networks, as well as better segmentation of network traffic.

Nicira has been a pioneer in the network virtualization industry and last year VMware spent $1.2 billion to acquire the company. In March, VMware announced plans to integrate VMware technology into its product suite through the NSX software, but today the company announced that NSX’s general availability will be in the coming months. NSX will be a software update that is both hypervisor and hardware agnostic, says Martin Casado, chief architect, networking at VMware.

The need for the NSX software is being driven by the migration from a client-server world to a cloud world, he says. In this new architecture, there is just as much traffic, if not more, within the data center (east-west traffic) as there is between clients and the edge devices (north-south traffic).

One of the biggest advancements in the newly announced NSX software is virtual firewalling. Instead of using hardware or virtual firewalls that would sit at the edge of the network to control traffic, NSX’s firewall is embedded within the software, so it is ubiquitous throughout the deployment. This removes any bottlenecking issues that would be created by using a centralized firewall system, Casado says.

“We’re not trying to take over the firewall market or do anything with north-south traffic,” Casado says. “What we are doing is providing functionality for traffic management within the data center. There’s nothing that can do that level of protection for the east-west traffic. It’s addressing a significant need within the industry.”

VMware has signed on a bevy of partners that are compatible with the NSX platform. The software is hardware and hypervisor agnostic, meaning that the software controller can manage network functionality that is executed by networking hardware from vendors like Juniper, Arista, HP, Dell and Brocade. In press materials sent out by the company Cisco is not named as a partner, but VMware says NSX will work with networking equipment from the leading network vendor.

On the security side, services from Symantec, McAfee and Trend Micro will work within the system, while underlying compute hardware from OpenStack, CloudStack, Red Hat and Piston Cloud Computing Co. will work with NSX. Nicira has worked heavily in the OpenStack community.

“In virtual networks, where hardware and software are decoupled, a new network operating model can be achieved that delivers improved levels of speed and efficiency,” said Brad Casemore, research director for Data Center Networks at IDC. “Network virtualization is becoming a game shifter, providing an important building block for delivering the software-defined data center, and with VMware NSX, VMware is well positioned to capture this market opportunity.”

Source:  infoworld.com

Next up for WiFi

Thursday, August 22nd, 2013

Transitioning from the Wi-Fi-shy financial industry, Riverside Medical Center’s CSO Erik Devine remembers his shock at the healthcare industry’s wide embrace of the technology when he joined the hospital in 2011.

“In banking, Wi-Fi was almost a no-go because everything is so overly regulated. Wireless here is almost as critical as wired,” Devine still marvels. “It’s used for connectivity to heart pumps, defibrillators, nurse voice over IP call systems, surgery robots, remote stroke consultation systems, patient/guest access and more.”

To illustrate the level of dependence the organization has on Wi-Fi, Riverside Medical Center calls codes over the PA system — much like in medical emergencies — when the network goes down. “Wireless is such a multifaceted part of the network that it’s truly a big deal,” he says.

And getting bigger. Besides the fact that organizations are finding new ways to leverage Wi-Fi, workers have tasted the freedom of wireless, have benefited from the productivity boost, and are demanding increased range and better performance, particularly now that many are showing up with their own devices (the whole bring your own device thing). The industry is responding in kind, introducing new products and technologies, including gigabit Wi-Fi (see “Getting ready for gigabit Wi-Fi”), and it is up to IT to orchestrate this new mobile symphony.

“Traffic from wireless and mobile devices will exceed traffic from wired devices by 2017,” according to the Cisco Visual Networking Index. While only about a quarter of consumer IP traffic originated from non-PC devices in 2012, non-PC devices will account for almost half of consumer IP traffic by 2017, Cisco says.

IT gets it, says Tony Hernandez, principal in Grant Thornton’s business consulting practice. Wi-Fi is no longer an afterthought in IT build-outs. “The average office worker still might have a wired connection, but they also have the capability to use Wi-Fi across the enterprise,” says Hernandez, noting the shift has happened fast.

“Five years ago, a lot of enterprises were looking at Wi-Fi for common areas such as lobbies and cafeterias and put that traffic on an isolated segment of the network,” Hernandez says. “If users wanted access to corporate resources from wireless, they’d have to use a VPN.”

Hernandez credits several advances for Wi-Fi’s improved stature: enterprise-grade security; sophisticated, software-based controllers; and integrated network management.

Also in the mix: pressure from users who want mobility and flexibility for their corporate machines as well as the ability to access the network from their own devices, including smartphones, tablets and laptops.

Where some businesses have only recently converted to 802.11n from the not-too-distant past of 802.11a/b/g, they now have to decide if their next Wi-Fi purchases will support 802.11ac, the draft IEEE standard that addresses the need for gigabit speed. “The landscape is still 50/50 between 802.11g and 802.11n,” Hernandez says. “There are many businesses with older infrastructure that haven’t refreshed their Wi-Fi networks yet.”

What will push enterprises to move to 802.11ac? Heavier reliance on mobile access to video such as videoconferencing and video streaming, he says.

Crash of the downloads

David Heckaman, vice president of technology development at luxury hospitality chain Mandarin Oriental Hotel Group, remembers the exact moment he knew Wi-Fi had gained an equal footing with wired infrastructure in his industry.

A company had booked meeting room space at one of Mandarin Oriental’s 30 global properties to launch its new mobile app and answered all the hotel’s usual questions about anticipated network capacity demands. Not yet familiar with the impact of dense mobile usage, the IT team didn’t account for the fallout when the 200-plus crowd received free Apple iPads to immediately download and launch the new app. The network crashed. “It was a slap in the face: What was good enough before wouldn’t work. This was a whole new world,” Heckaman says.

Seven to eight years ago, Wi-Fi networks were designed to address coverage, and capacity wasn’t given much thought. When Mandarin Oriental opened its New York City property in 2003, for example, IT installed two or three wireless access points in a closet on each floor and used a distributed antenna to extend coverage to the whole floor. At the time, wireless only made up 10% of total network usage. As the number climbed to 40%, capacity issues cropped up, forcing IT to rethink the entire architecture.

“We didn’t really know what capacity needs were until the Apple iPhone was released,” Heckaman says. Now, although a single access point could provide signal coverage for every five rooms, the hotel is putting access points in almost every room to connect back to an on-site controller.

Heckaman’s next plan involves adding centralized Wi-Fi control from headquarters for advanced reporting and policy management. Instead of simply reporting that on-site controllers delivered a certain number of sessions and supported X amount of overall bandwidth, he would be able to evaluate in real-time actual end-device performance. “We would be able to report on the quality of the connection and make adjustments accordingly,” he says.

Where he pinpoints service degradation, he’ll refresh access points with those that are 802.11ac-enabled. As guests bring more and more devices into their rooms and individually stream movies, play games or perform other bandwidth-intensive actions, he predicts the need for 802.11ac will come faster than anticipated.

“We have to make sure that the physical link out of the building, not the guest room access point, remains the weakest point and that the overall network is robust enough to handle it,” he says.

Getting schooled on wireless

Craig Canevit, IT administrator at the University of Tennessee at Knoxville, has had many aha! moments when it comes to Wi-Fi across the 27,000-student campus. For instance, when the team first engineered classrooms for wireless, it was difficult to predict demand. Certain professors would need higher capacity for their lectures than others, so IT would accommodate them. If those professors got reassigned to different rooms the next year, they would immediately notice performance issues.

“They had delays and interruption of service so we had to go back and redesign all classrooms with more access points and more capacity,” Canevit says.

The university also has struggled with the fact that students and faculty are now showing up with numerous devices. “We see at least three devices per person, including smartphones, tablets, gaming consoles, Apple TV and more,” he says. IT has the dual challenge of supporting the education enterprise during the day and residential demands at night.

The school’s primary issue has revolved around IP addresses, which the university found itself low on as device count skyrocketed. “Devices require IP addresses even when sitting in your pocket and we faced a terrible IP management issue,” he says. IT had to constantly scour the network for unused IP addresses to “feed the monster.”

Eventually the team came too close to capacity for comfort and had to act. Canevit didn’t think IPv6 was widely enough supported at the time, so the school went with Network Address Translation instead, hiding private IP addresses behind a single public address. A side effect of NAT is that mapping network and security issues to specific devices becomes more challenging, but Canevit says the effort is worth it.
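The side effect Canevit mentions is concrete: once every device leaves the campus as the same public address, an outside report naming that address identifies nobody, and only the NAT’s own translation log, with start and end times, can tie it back to a device. The simulation below is an added example and not code from the university’s deployment; it models a port-overloading NAT that releases and reuses outside ports, keeps a translation log, and answers the forensic question “which inside host held outside port N at time T?”. All addresses come from RFC 1918 and RFC 5737 documentation ranges and every session is constructed.

```python
"""NAT attribution: tracing a public-side observation back to an inside device.

Added example; not code from the University of Tennessee deployment the
article describes. Addresses are RFC 1918 / RFC 5737 documentation ranges
and every session below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

PUBLIC_ADDRESS = "203.0.113.5"  # constructed: the one outside address all devices share


@dataclass
class Translation:
    start: datetime
    inside_ip: str
    inside_port: int
    outside_port: int              # port on PUBLIC_ADDRESS chosen by the NAT
    dest_ip: str
    dest_port: int
    end: Optional[datetime] = None  # None while the session is still open


class NatTable:
    """Minimal port-overloading NAT that also keeps a translation log.

    The NAT itself only needs `active`; `history` is the extra bookkeeping
    that makes an outside observation attributable to an inside device.
    """

    def __init__(self, first_port: int = 40000):
        self.next_port = first_port
        self.free_ports: List[int] = []      # outside ports released by closed sessions
        self.active: Dict[Tuple[str, int], Translation] = {}
        self.history: List[Translation] = []

    def open(self, at: datetime, inside_ip: str, inside_port: int,
             dest_ip: str, dest_port: int) -> Translation:
        key = (inside_ip, inside_port)
        if key in self.active:
            return self.active[key]
        # Reuse a released port when one exists; this reuse is exactly why the
        # timestamp is essential for attribution, not just the port number.
        if self.free_ports:
            port = self.free_ports.pop(0)
        else:
            port = self.next_port
            self.next_port += 1
        t = Translation(at, inside_ip, inside_port, port, dest_ip, dest_port)
        self.active[key] = t
        self.history.append(t)
        return t

    def close(self, at: datetime, inside_ip: str, inside_port: int) -> None:
        t = self.active.pop((inside_ip, inside_port))
        t.end = at
        self.free_ports.append(t.outside_port)

    def attribute(self, outside_port: int, at: datetime) -> Optional[Tuple[str, int]]:
        """Which inside (ip, port) held this outside port at time `at`?"""
        for t in self.history:
            if t.outside_port != outside_port:
                continue
            if t.start <= at and (t.end is None or at <= t.end):
                return (t.inside_ip, t.inside_port)
        return None


def build_sample_nat() -> NatTable:
    """Constructed session history behind the single public address."""
    ts = datetime.fromisoformat
    nat = NatTable()
    nat.open(ts("2013-08-22T09:00:00"), "10.20.1.17", 51000, "198.51.100.9", 443)
    nat.open(ts("2013-08-22T09:00:05"), "10.20.1.42", 51000, "198.51.100.9", 443)
    nat.close(ts("2013-08-22T09:10:00"), "10.20.1.17", 51000)
    # A third device connects after 10.20.1.17's port was released and
    # inherits outside port 40000.
    nat.open(ts("2013-08-22T09:12:00"), "10.20.1.99", 52000, "198.51.100.9", 443)
    return nat


def who_used(nat: NatTable, outside_port: int, iso_time: str) -> Optional[Tuple[str, int]]:
    """Convenience wrapper taking an ISO 8601 timestamp string."""
    return nat.attribute(outside_port, datetime.fromisoformat(iso_time))


if __name__ == "__main__":
    nat = build_sample_nat()
    for when in ("09:05:00", "09:11:00", "09:15:00"):
        print(f"{PUBLIC_ADDRESS}:40000 at {when} -> {who_used(nat, 40000, f'2013-08-22T{when}')}")
```

The same outside port resolves to two different devices depending on the minute asked about, and to no device at all in the gap between sessions, which is why NAT translation logs need accurate clocks and retention that covers the time an abuse report or intrusion alert takes to arrive.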

Looking forward, the university faces the ongoing challenge of providing Wi-Fi coverage to every dorm room and classroom. That’s a bigger problem than capacity. “We only give 100Mbps on the wired network in residence halls and don’t come close to hitting capacity,” he says, so 802.11ac is really not on the drawing board. What’s more, 802.11ac would exacerbate his coverage problem. “To get 1Gbps, you’ll have to do channel bonding, which leaves fewer overlapping channels available and takes away from the density,” he says.

What he is intrigued by is software-defined networking. Students want to use their iPhone to control their Apple TV and other such devices, which is impossible currently because of subnets. “If you allowed this in a dorm, it would degrade quality for everyone,” he says. SDN could give wireless administrators a way around the problem by making it possible to add boatloads of virtual LANs. “Wireless will become more of a provisioning than an engineering issue,” Canevit predicts.

Hospital all-in with Wi-Fi

Armand Stansel, director of IT infrastructure at Houston’s The Methodist Hospital System, recalls a time when his biggest concern regarding Wi-Fi was making sure patient areas had access points. “That was in early 2000 when we were simply installing Internet hotspots for patients with laptops,” he says.

Today, the 1,600-bed, five-hospital system boasts 100% Wi-Fi coverage. Like Riverside Medical Center, The Methodist Hospital has integrated wireless deep into the clinical system to support medical devices such as IV pumps, portable imaging systems for radiology, physicians’ tablet-based consultations and more. The wireless network has 20,000 to 30,000 touches a day, which has doubled in the past few years, Stansel says.

And if IT has its way, that number will continue to ramp up. Stansel envisions a majority of employees working on the wireless network. He wants to transition back-office personnel to tablet-based docking systems when the devices are more “enterprise-ready” with better security and durability (battery life and the device itself).

Already he has been able to reduce wired capacity by more than half due to the rise of wireless. Patient rooms, which used to have numerous wired outlets, now only require a few for the wired patient phone and some telemetry devices.

When the hospital does a renovation or adds new space, Stansel spends as much time planning the wired plant as he does studying the implications for the Wi-Fi environment, looking at everything from what the walls are made of to possible sources of interference. And when it comes to even the simplest construction, such as moving a wall, he has to deploy a team to retest nearby access points. “Wireless does complicate things because you can’t leave access points static. But it’s such a necessity, we have to do it,” he says.

He also has to reassess his access point strategy on an ongoing basis, adding more or relocating others depending on demand and traffic patterns. “We always have to look at how the access point is interacting with devices. A smartphone connecting to Wi-Fi has different needs than a PC and we have to monitor that,” he says.

The Methodist Hospital takes advantage of a blend of 802.11b, .11g and .11n in the 2.4GHz and 5GHz spectrums. Channel bonding, he has found, poses challenges even for .11n, reducing the number of channels available for others. The higher the density, he says, the less likely he can take full advantage of .11n. He does use n for priority locations such as the ER, imaging, radiology and cardiology, where users require higher bandwidth.

Stansel is betting big that wireless will continue to grow. In fact, he believes that by 2015 it will surpass wired 3-to-1. “There may come a point where wired is unnecessary, but we’re just not there yet,” he says.

Turning on the ac

Stansel is, however, onboard with 802.11ac. The Methodist Hospital is an early adopter of Cisco’s 802.11ac wireless infrastructure. To start, he has targeted the same locations that receive 802.11n priority. If a patient has a cardiac catheterization procedure done, the physician who performed the procedure can interactively review the results with the patient and family while he is still in the recovery room, referencing dye images from a wireless device such as a tablet. Normally, physicians have to verbally brief patients just out of surgery, then do likewise with the family, and wait until later to go over high-definition images from a desktop.

Current wireless technologies have strained to support access to real-time 3D imaging (also referred to as 4D), ultrasounds and more. Stansel expects better performance as 802.11ac is slowly introduced.

Riverside Medical Center’s Devine is more cautious about deploying 802.11ac, saying he is still a bit skeptical. “Can we get broader coverage with fewer access points? Can we get greater range than with 802.11n? That’s what is important to us,” he says.

In the meantime, Devine plans to deploy 20% to 25% more access points to support triangulation for location of equipment. He’ll be able to replace RFID to stop high-value items such as Ascom wireless phones and heart pumps from walking out the door. “RFID is expensive and a whole other network to manage. If we can mimic what it does with Wi-Fi, we can streamline operations,” he says.

High-power access points currently are mounted in each hallway, but Devine wants to swap those out with low-power ones and put regular-strength access points in every room. If 802.11ac access points prove to be affordable, he’ll consider them, but won’t put off his immediate plans in favor of the technology.

The future of Wi-Fi

Enterprise Strategy Group Senior Analyst John Mazur says that Wi-Fi should be front and center in every IT executive’s plans. BYOD has tripled the number of Wi-Fi connected devices and new access points offer about five times the throughput and twice the range of legacy Wi-Fi access points. In other words, Mazur says, Wi-Fi is up to the bandwidth challenge.

He warns IT leaders not to be scared off by spending projections, which, according to ESG’s 2013 IT Spending Intentions Survey, will be at about 2012 levels and favor cost-cutting (like Devine’s plan to swap out RFID for Wi-Fi) rather than growth initiatives.

But now is the time, he says, to set the stage for 802.11ac, which is due to be ratified in 2014. “IT should require 802.11ac support from their vendors and get a commitment on the upgrade cost and terms before signing a deal. Chances are you won’t need 802.11ac’s additional bandwidth for a few years, but you shouldn’t be forced to do forklift upgrades/replacements of recent access points to get .11ac. It should be a relatively simple module or software upgrade to currently marketed access points.”

While 802.11ac isn’t even fully supported by wireless clients yet, Mazur recommends keeping your eye on the 802.11 sky. Another spec, 802.11ad, which operates in the 60GHz spectrum and is currently geared toward home entertainment connectivity and near-field HD video connectivity, could be — like other consumer Wi-Fi advances — entering the enterprise space sooner rather than later.

Source:  networkworld.com

Cisco patches serious vulnerabilities in Unified Communications Manager

Thursday, August 22nd, 2013

The vulnerabilities can be exploited by attackers to execute arbitrary commands or disrupt telephony-related services, Cisco said

Cisco Systems has released new security patches for several versions of Unified Communications Manager (UCM) to address vulnerabilities that could allow remote attackers to execute arbitrary commands, modify system data or disrupt services.

The UCM is the call processing component of Cisco’s IP Telephony solution. It connects to IP (Internet Protocol) phones, media processing devices, VoIP gateways, and multimedia applications and provides services such as session management, voice, video, messaging, mobility, and web conferencing.

The most serious vulnerability addressed by the newly released patches can lead to a buffer overflow and is identified as CVE-2013-3462 in the Common Vulnerabilities and Exposures database. This vulnerability can be exploited remotely, but it requires the attacker to be authenticated on the device.

“An attacker could exploit this vulnerability by overwriting an allocated memory buffer on an affected device,” Cisco said Wednesday in a security advisory. “An exploit could allow the attacker to corrupt data, disrupt services, or run arbitrary commands.”

The CVE-2013-3462 vulnerability affects versions 7.1(x), 8.5(x), 8.6(x), 9.0(x) and 9.1(x) of Cisco UCM, Cisco said.

The company also patched three denial-of-service (DoS) flaws that can be remotely exploited by unauthenticated attackers.

One of them, identified as CVE-2013-3459, is caused by improper error handling and can be exploited by sending malformed registration messages to the affected devices. The flaw only affects Cisco UCM 7.1(x) versions.

The second DoS issue is identified as CVE-2013-3460 and is caused by insufficient limiting of traffic received on certain UDP ports. It can be exploited by sending UDP packets at a high rate on those specific ports to devices running versions 8.5(x), 8.6(x), and 9.0(x) of Cisco UCM.

The third vulnerability, identified as CVE-2013-3461, is similar but only affects the Session Initiation Protocol (SIP) port. “An attacker could exploit this vulnerability by sending UDP packets at a high rate to port 5060 on an affected device,” Cisco said. The vulnerability affects Cisco UCM versions 8.5(x), 8.6(x) and 9.0(1).
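The two UDP flood conditions above (high packet rates to certain UDP ports, and to UDP/5060 in particular) are something a network team can watch for independently of the patch. What follows is an added example, not Cisco code: a small rate check run over constructed one-second flow summaries. The record layout, the addresses and both thresholds are assumptions; real thresholds have to be calibrated against a site's normal SIP registration and call-setup volume.

```python
"""Rate check for UDP traffic toward the SIP port, run over constructed flow records.

Added example, not Cisco code. Record format, addresses and the thresholds are
assumptions; the thresholds must be tuned to the real call volume of a site.
"""
from collections import defaultdict

SIP_UDP_PORT = 5060
PER_SOURCE_PPS_THRESHOLD = 500      # assumed: packets/second from one source
AGGREGATE_PPS_THRESHOLD = 2000      # assumed: packets/second toward the port in total

# Constructed one-second flow summaries:
# "<epoch-second> <src> <dst> <proto> <dport> <packets>"
SAMPLE_FLOWS = """\
1376500000 10.1.1.5      10.0.0.10 udp 5060 12
1376500000 198.51.100.7  10.0.0.10 udp 5060 2400
1376500000 10.1.1.6      10.0.0.10 tcp 5060 900
1376500001 198.51.100.7  10.0.0.10 udp 5060 2600
1376500001 10.1.1.5      10.0.0.10 udp 5060 15
1376500001 198.51.100.7  10.0.0.10 udp 53   3000
1376500002 10.1.1.7      10.0.0.10 udp 5060 40
"""


def parse_flow(line):
    """Split one constructed record into typed fields."""
    ts, src, dst, proto, dport, pkts = line.split()
    return int(ts), src, dst, proto.lower(), int(dport), int(pkts)


def udp_packets_to_port(lines, dst_port=SIP_UDP_PORT):
    """Packet counts per (source, second) for UDP flows to dst_port only.

    TCP/5060 and UDP to other ports are ignored: the condition described in
    the advisory is high-rate UDP on the SIP port specifically.
    """
    counts = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        ts, src, _dst, proto, dport, pkts = parse_flow(line)
        if proto == "udp" and dport == dst_port:
            counts[(src, ts)] += pkts
    return counts


def flag_sources(lines, threshold=PER_SOURCE_PPS_THRESHOLD, dst_port=SIP_UDP_PORT):
    """Sources whose UDP rate to dst_port reached the threshold in any one second.

    Returns {source: peak_packets_per_second}.
    """
    peak = {}
    for (src, _ts), pkts in udp_packets_to_port(lines, dst_port).items():
        if pkts >= threshold:
            peak[src] = max(peak.get(src, 0), pkts)
    return peak


def flag_seconds(lines, threshold=AGGREGATE_PPS_THRESHOLD, dst_port=SIP_UDP_PORT):
    """Seconds in which the total UDP rate to dst_port reached the threshold.

    UDP source addresses can be forged, so a per-source check alone can be
    evaded by spreading the same packet rate across many apparent sources;
    the aggregate view catches that case. Returns {second: total_packets}.
    """
    total = defaultdict(int)
    for (_src, ts), pkts in udp_packets_to_port(lines, dst_port).items():
        total[ts] += pkts
    return {ts: n for ts, n in total.items() if n >= threshold}


if __name__ == "__main__":
    lines = SAMPLE_FLOWS.splitlines()
    print("per-source offenders:", flag_sources(lines))
    print("seconds over aggregate threshold:", flag_seconds(lines))
```

Both views are needed: the per-source check names a host that can be filtered upstream, while the aggregate check is what fires when the sources are spoofed, which UDP allows. Either alert is a reason to confirm the UCM nodes are on a patched release, since the advisory lists no other workaround.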

Patched versions have been released for all UCM release branches affected by these vulnerabilities and there are no known workarounds at the time that would mitigate the flaws without upgrading.

All of the patched vulnerabilities were discovered during internal testing and the company’s product security incident response team (PSIRT) is not aware of any cases where these issues have been exploited or publicly documented.

“In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release,” Cisco said. “If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.”

Source:  networkworld.com

Cisco releases security patches to mitigate attack against Unified Communications Manager

Friday, July 19th, 2013

Cisco Systems released a security patch for its Unified Communications Manager (Unified CM) enterprise telephony product in order to mitigate an attack that could allow hackers to take full control of the systems. The company also patched denial-of-service vulnerabilities in its Intrusion Prevention System software.

The Cisco Unified CM is a call processing component that extends enterprise telephony features and functions to IP phones, media processing devices, VoIP gateways, and multimedia applications, according to Cisco.

At the beginning of June, researchers from a French security consultancy firm called Lexfo publicly demonstrated an attack that chained together multiple “blind” SQL injection, command injection and privilege escalation vulnerabilities in order to compromise a Cisco Unified CM server.

The demonstration also revealed that all versions of Cisco Unified CM use a static hard-coded encryption key to encrypt sensitive data stored in the server’s database, including user credentials.

“The initial blind SQL injection allows an unauthenticated, remote attacker to use the hard-coded encryption key to obtain and decrypt a local user account. This allows for a subsequent, authenticated blind SQL injection,” Cisco said Wednesday in a security advisory.

“Successful exploitation of the command injection and privilege escalation vulnerabilities could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system with elevated privileges,” the company said.
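The first link in the chain Cisco describes, a blind SQL injection, comes down to user input being pasted into a query's text. The following is an added example, not Cisco's or Lexfo's code: the injectable lookup beside its parameterized form, against an in-memory SQLite table with constructed rows. The schema, the names and the hash strings are assumptions.

```python
"""Parameterized versus string-built SQL, the difference behind a blind injection.

Added example, not Cisco's or Lexfo's code. Uses an in-memory SQLite table with
constructed rows; the schema and names are assumptions.
"""
import sqlite3


def make_db():
    """Constructed sample table standing in for a product's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "constructed-hash-1"), ("bob", "constructed-hash-2")],
    )
    return conn


def user_exists_vulnerable(conn, name):
    """User-supplied text is pasted into the SQL, so it can rewrite the WHERE clause.

    The caller only ever sees True or False, which is the 'blind' setting: no
    rows are returned to the user, only whether the altered condition held.
    """
    sql = "SELECT COUNT(*) FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchone()[0] > 0


def user_exists_safe(conn, name):
    """The statement text is fixed; the value travels as a bound parameter and
    is only ever compared as a string, whatever characters it contains."""
    row = conn.execute("SELECT COUNT(*) FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    db = make_db()
    probe = "nobody' OR '1'='1"
    print("vulnerable:", user_exists_vulnerable(db, probe))   # True: clause rewritten
    print("safe:      ", user_exists_safe(db, probe))         # False: literal name lookup
```

The probe string is not a user, yet the string-built query answers "exists" because the quote character ended the literal and the rest became SQL. The parameterized query cannot be steered that way, which is what removes the foothold for the subsequent authenticated injection. The static encryption key is the same shape of defect at a different layer: a secret that should differ per deployment is fixed in the product, so once it is known it applies to every installation.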

Cisco has released a security patch in the form of a Cisco Options Package (COP) called “cmterm-CSCuh01051-2.cop.sgn” that addresses some of the vulnerabilities used in the attack, including the one allowing the initial blind SQL injection.

Customers can download the file from Cisco’s website and install it as a temporary solution until the company releases new and patched versions of the Unified CM software.

The COP file mitigates the initial attack vector and reduces the documented attack surface, Cisco said. However, some other vulnerabilities used in the attack remain unpatched.

The remaining vulnerabilities are still being investigated and no workarounds are available for them yet, the company said.

Versions 7.1.x, 8.5.x, 8.6.x, 9.0.x and 9.1.x of the Cisco Unified CM are affected by the publicly demonstrated attack. Version 8.0 is also affected, but is no longer supported. Customers using this version are advised to contact Cisco for assistance in upgrading to a supported version.

Other possible threats

The company is also investigating the possibility that some of its other voice products are affected by one or more of the individual vulnerabilities used in the attack. These products are the Cisco Emergency Responder, Cisco Unified Contact Center Express, Cisco Unified Customer Voice Portal, Cisco Unified Presence Server/Cisco IM and Presence Service and Cisco Unity Connection.

On Wednesday, Cisco also advised customers about several denial-of-service vulnerabilities affecting the software running on some of its Intrusion Prevention System (IPS) products.

Products affected by one or several of those vulnerabilities are the Cisco ASA 5500-X Series IPS Security Services Processor (IPS SSP) software and hardware modules; Cisco IPS 4500 Series Sensors; Cisco IPS 4300 Series Sensors; the Cisco IPS Network Module Enhanced (NME) and the Cisco Catalyst 6500 Series Intrusion Detection System (IDSM-2) Module.

The company has released patched versions of the Cisco IPS Software for those products, except for the Cisco IDSM-2. A workaround for the vulnerability affecting Cisco IDSM-2 was made available.

Source:  pcworld.com

Cisco fixes serious vulnerabilities in email, Web and content security appliances

Monday, July 1st, 2013

The vulnerabilities could allow attackers to inject commands and crash critical services

Cisco Systems released security patches for its email, Web and content security appliances in order to address vulnerabilities that could allow attackers to execute commands on the underlying OS or disrupt critical processes.

The vulnerabilities affect different versions of the Cisco IronPort AsyncOS operating system that’s used in the Cisco Content Security Management Appliance, the Cisco Email Security Appliance and the Cisco Web Security Appliance.

Releases 7.1 and prior, 7.3, 7.5 and 7.6 of the software in the Cisco Email Security Appliance are affected by three vulnerabilities, one that allows remote attackers to inject and execute commands with elevated privileges through the Web interface and two that could be used to crash the management graphical user interface (GUI) or the IronPort Spam Quarantine service and cause other critical processes to become unresponsive.

Exploiting the command injection vulnerability requires authentication via the Web interface with at least a low privilege account, but the denial-of-service vulnerabilities can be exploited remotely without authentication.
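A command injection through a web interface, of the kind patched here, arises when a form field is spliced into a command string that a shell then re-parses. The following is an added example, not Cisco code: the injectable pattern beside a hardened one, using `echo` in place of a real diagnostic tool so it is harmless and runs anywhere. Function names and the hostname rule are assumptions.

```python
"""A web-form field turned into an OS command: the injectable pattern and a
hardened one.

Added example, not Cisco code. `echo` stands in for a real network tool so the
code is harmless and runs anywhere; names are assumptions.
"""
import re
import subprocess

# RFC 1123-style hostname: labels of letters, digits and interior hyphens.
# Rejecting anything else also rejects shell metacharacters and a leading '-'
# (which a real tool might read as a command-line option).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def diagnose_vulnerable(target):
    """shell=True hands one string to /bin/sh, so metacharacters in `target`
    become additional commands (the echo stands in for a diagnostic tool)."""
    out = subprocess.run("echo checking " + target, shell=True,
                         capture_output=True, text=True)
    return out.stdout


def diagnose_argv_only(target):
    """No shell: the value is a single argv element and is never re-parsed.
    It still passes arbitrary text to the tool, so validation is needed too."""
    out = subprocess.run(["echo", "checking", target],
                         capture_output=True, text=True)
    return out.stdout


def is_valid_hostname(value):
    """Allow-list check applied before any command is built."""
    return bool(HOSTNAME_RE.match(value))


def diagnose_safe(target):
    """Validate against the allow-list, then invoke without a shell."""
    if not is_valid_hostname(target):
        raise ValueError("rejected target")
    return diagnose_argv_only(target)


def safe_rejects(target):
    """True if diagnose_safe refuses the input (convenience for checks)."""
    try:
        diagnose_safe(target)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(repr(diagnose_vulnerable("x; echo INJECTED")))   # second command ran
    print(repr(diagnose_argv_only("x; echo INJECTED")))    # whole value stays one argument
    print(safe_rejects("x; echo INJECTED"), safe_rejects("-n"))
```

The two layers do different jobs: the argv list stops the shell from interpreting the value at all, and the allow-list keeps the invoked program from seeing anything but a hostname. A web process that needs to run such helpers should also run them without elevated privileges, since the advisory's impact is commands executed with elevated privileges.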

Users of the 7.1 branch should upgrade to version 7.1.5-016 or later, users of the 7.3 branch should upgrade to version 8.0.0-671 and users of the 7.5 and 7.6 branches should upgrade to 7.6.3-019 or later, Cisco said in a security advisory published Wednesday. Releases in the 8.0 branch are not affected.

Branches 7.2 and prior, 7.7, 7.8, 7.9 and 8.0 of the Cisco Content Security Management Appliance software are affected by the same command injection and denial-of-service vulnerabilities as the Cisco Email Security Appliance software.

All of the vulnerabilities are patched in versions 7.9.1-102 and 8.0.0-404, Cisco said in a separate advisory. Users of 7.2 and prior, 7.7 and 7.8 branches are advised to upgrade to version 7.9.1-102 or later of the software. The 8.1 versions are not affected.

Releases 7.1 and prior, 7.5 and 7.7 of the Cisco Web Security Appliance software are vulnerable to two authenticated command injection vulnerabilities and one management GUI denial-of-service vulnerability. Some of the vulnerabilities are the same as those affecting the Cisco Email Security Appliance software.

The software releases that include fixes for all three Cisco Email Security Appliance vulnerabilities are 7.5.1-201 and 7.7.0-602. Users of the 7.1 and prior versions are advised to upgrade to 7.5.1-201 or later.

Source:  computerworld.com

Cisco delivers “monster” Catalyst switch in major product refresh

Tuesday, June 25th, 2013

Programmable and optimized for 10/40/100G, Cisco Catalyst 6800 line still does not yet retire the decade-old Cat 6500

Cisco this week will significantly update its enterprise network line-up with programmable campus and branch switches and routers designed to tightly bind applications to network hardware and services.

The new products include the Catalyst 6800 backbone switching line, a new supervisor engine for Cisco’s 4500-E chassis-based access switch, a new high-end ISR branch router and application performance extensions to the ASR 1000 edge router.

Cisco 6800

“Cisco has…delivered a monster Catalyst,” says Bill Carter, senior business communications analyst at value-added reseller Sentinel Technologies in Springfield, Ill. “This gives customers a core switch with 10G/40G/100G with the feature set required in the campus.”

The company, which this week hosts its Cisco Live event in Orlando, says its new products fit within an Enterprise Network Architecture under which applications, network services software and hardware networking functions all work together.

Much of this synergy is facilitated by Cisco’s ONE API framework for programmable networking and associated ASICs optimized for Cisco ONE programmability. Cisco ONE and its onePK API set is Cisco’s response to software-defined networking (SDN), in which many of the functions of network behavior are divorced from hardware and centrally administered by software controllers.

SDN makes network functions less reliant on specific hardware and operating systems, and more accommodating to commodity switching and open source software. It threatens Cisco’s dominance and fat profits in routers and switches.

Cisco is combating the SDN trend by attempting to tightly link software programmability of network infrastructure to custom-developed ASIC hardware and hardware-specific operating systems, and defending its incumbency and massive installed base. These new products are instantiations of that strategy.

Cisco says it will support onePK across its entire enterprise routing and switching portfolio within the next 12 months, beginning with the ISR 4451-AX and ASR 1000-AX routers announced this week, which will support onePK in late summer/early fall.

The Catalyst 6800 is an outgrowth of the ubiquitous – and 10+ year old – Catalyst 6500. The 6800 is targeted at campus backbone 10/40/100Gbps services. In addition to network programmability, the 6800 is supervisor- and line card-compatible with the 6500, Cisco says, adding that there is still no date set for retiring the 6500.

“I see the Cat 6800 as a natural evolution of the 6500 platform,” says IDC analyst Rohit Mehra. “While scale and performance are going to be important, so will the need for providing agility and deploying programmable platforms. That’s what the 6800 brings to the table with added simplicity, while maintaining operational consistency and continuity with the 6500 product suite.”

Sources say Cisco still has a vibrant roadmap for the Catalyst 6500, including a 10Tbps supervisor engine in the works. Cisco confirmed that a 10T supervisor engine is planned for both the 6500 and 6800 switches. The company would not say when it’s coming.

The 6800 lines include the 6807-XL, the 6880-X and the 6800ia. The 6807-XL is a modular campus backbone switch with a seven-slot, 10RU chassis. It supports up to 880Gbps per slot and 11.4Tbps of switch capacity. It will go head-to-head against HP’s 11Tbps 10500 switch, and Juniper’s EX8200 and EX9200 switches in Virtual Chassis configurations.

By contrast, the Catalyst 6513-E with the Supervisor 2T supports 80Gbps per slot but that bandwidth can be doubled in a Virtual Switching System configuration. The Sup 2T can work in the new 6807-XL chassis, as can 6700, 6800 and 6900 series line cards for the Catalyst 6500-E, Cisco says.

The 6807-XL is optimized for 10/40/100G Ethernet switching, while the 6500-E is optimized for 10G.

The 6880-X is a 3-slot, 4.5RU switch with a fixed supervisor engine – it cannot be changed. It supports up to 80 10G ports or 20 40G ports, and is targeted at mid-market/mid-sized campus deployments. The supervisor sports 16 10G ports, and the switch’s four half slots house optional 10G and 40G line cards.

The Catalyst 6800ia “Instant Access” switch is designed to support automated deployment and provisioning through “one touch” programming, Cisco says. It allows IT departments to virtually consolidate access switches across the campus into one extended switch.

The 6800ia sports 48 Gigabit Ethernet ports and two 10G uplinks. The switch is analogous to Cisco’s FEX fabric extension architecture with the Nexus 7000 data center switching systems, analysts say.

“It does fill out the Cisco 6800 family for enterprise campuses that may require a fixed form factor, adjunct to a broader 6800 deployment, with a common operational and management model,” says IDC’s Mehra. “What Cisco will need to do though, will be to carefully position and differentiate from its (Catalyst 2000 and 3000) platforms to ensure its channels and partners are clear where to deploy each.”

The new Supervisor Engine 8E for the Catalyst 4500-E modular access switch includes Cisco’s new programmable UADP ASIC for wired and wireless convergence, which was unveiled early this year. It is designed to unify wired and wireless policies and management. The 8E works with existing Catalyst 4500-E chassis and line cards, Cisco says.

For large branch deployments, Cisco’s new ISR 4451-AX router features up to 2Gbps forward performance with native Cisco WAAS-based WAN optimization, and “LAN-like experience” at the branch, Cisco says.

Complementing that is the ASR 1000-AX WAN edge router, which integrates Cisco’s Application Visibility and Control and AppNav capabilities with virtual WAAS WAN optimization for providing application control and services on WAN links aggregated from branch sites.

The Cisco ISR 4451-AX is available now with prices starting at $18,000. The ASR 1000-AX and 4500-E Supervisor Engine 8E are scheduled to be available in July, at starting prices of $45,000 and $28,000, respectively.

The Catalyst 6800 switch series is scheduled to be available in November, at a starting price of $40,000.

Source:  networkworld.com

Cheat sheet: What you need to know about 802.11ac

Friday, June 21st, 2013

Wi-Fi junkies, people addicted to streaming content, and Ethernet-cable haters are excited. There’s a new Wi-Fi protocol in town, and vendors are starting to push products based on the new standard out the door. It seems like a good time to meet 802.11ac, and see what all the excitement’s about.

What is 802.11ac?

802.11ac is a brand new, soon-to-be-ratified wireless networking standard under the IEEE 802.11 protocol. 802.11ac is the latest in a long line of protocols that started in 1999:

  • 802.11b provides up to 11 Mb/s per radio in the 2.4 GHz spectrum (1999).
  • 802.11a provides up to 54 Mb/s per radio in the 5 GHz spectrum (1999).
  • 802.11g provides up to 54 Mb/s per radio in the 2.4 GHz spectrum (2003).
  • 802.11n provides up to 600 Mb/s per radio in the 2.4 GHz and 5.0 GHz spectrum (2009).
  • 802.11ac provides up to 1000 Mb/s (multi-station) or 500 Mb/s (single-station) in the 5.0 GHz spectrum (2013?).

802.11ac is a significant jump in technology and data-carrying capabilities. The following slide compares specifications of the 802.11n (current protocol) specifications with the proposed specs for 802.11ac.

(Slide courtesy of Meru Networks)

What is new and improved with 802.11ac?

For those wanting to delve deeper into the inner workings of 802.11ac, this Cisco white paper should satisfy you. For those not so inclined, here’s a short description of each major improvement.

Larger bandwidth channels: Bandwidth channels are part and parcel of spread-spectrum technology. Larger channel sizes are beneficial, because they increase the rate at which data passes between two devices. 802.11n supports 20 MHz and 40 MHz channels. 802.11ac supports 20 MHz channels, 40 MHz channels, 80 MHz channels, and has optional support for 160 MHz channels.

(Slide courtesy of Cisco)

More spatial streams: Spatial streaming is the magic behind MIMO technology, allowing multiple signals to be transmitted simultaneously from one device using different antennas. 802.11n can handle up to four streams where 802.11ac bumps the number up to eight streams.

(Slide courtesy of Aruba)
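The two improvements just described, wider channels and more spatial streams, are multiplicative, which is where the headline rates come from; they also explain the channel-bonding trade-off the hospital and university network managers raise earlier on this page (fewer non-overlapping channels, so less reuse in dense areas). The following is an added example, not from the article or its slides: a back-of-envelope PHY rate calculator and a count of how many non-overlapping channels survive bonding. The data-subcarrier counts and the 3.6 µs short-guard-interval symbol are the standard 802.11n/ac values; the 256-QAM entry is the 802.11ac modulation the bullets above do not mention; the channel list is a constructed non-DFS subset of the 5 GHz band, and the bonding count is a simplified greedy pairing rather than the standard's fixed channel grid.

```python
"""Back-of-envelope 802.11n/ac PHY rates and the channel-count cost of bonding.

Added example, not from the article or its slides. Data-subcarrier counts and
the 3.6 us short-guard-interval symbol are the standard values for 802.11n
(20/40 MHz) and 802.11ac (80/160 MHz); the channel list is constructed and the
bonding count is a simplified greedy grouping, not the standard's fixed grid.
"""
from fractions import Fraction

DATA_SUBCARRIERS = {20: 52, 40: 108, 80: 234, 160: 468}   # per OFDM symbol
BITS_PER_SUBCARRIER = {"BPSK": 1, "QPSK": 2, "16-QAM": 4, "64-QAM": 6, "256-QAM": 8}
SYMBOL_US = {"short": 3.6, "long": 4.0}                   # symbol time incl. guard interval

# Constructed: the non-DFS 20 MHz channels of U-NII-1 and U-NII-3 (channel
# numbers step by 4 per 20 MHz of width).
NON_DFS_5GHZ = [36, 40, 44, 48, 149, 153, 157, 161, 165]


def phy_rate_mbps(width_mhz, modulation, coding, streams, guard="short"):
    """Peak PHY rate: subcarriers x bits x code rate per symbol, times streams.

    `coding` is a (numerator, denominator) pair such as (5, 6). Bits per
    microsecond equals Mb/s, so no unit conversion is needed.
    """
    bits_per_symbol = (DATA_SUBCARRIERS[width_mhz]
                       * BITS_PER_SUBCARRIER[modulation]
                       * Fraction(*coding))
    return round(float(bits_per_symbol) * streams / SYMBOL_US[guard], 1)


def bonded_channels(channels_20, width_mhz):
    """Count non-overlapping channels of `width_mhz` that can be formed from
    runs of contiguous 20 MHz channels (greedy, lowest channel first)."""
    n = width_mhz // 20
    chans = sorted(set(channels_20))
    count, i = 0, 0
    while i + n <= len(chans):
        block = chans[i:i + n]
        if all(block[k + 1] - block[k] == 4 for k in range(n - 1)):
            count += 1
            i += n
        else:
            i += 1
    return count


def bonding_tradeoff(channels_20, modulation, coding, streams):
    """For each width: channels left, rate of one channel, and their product,
    which is a rough figure for what a dense area can reuse in total."""
    rows = []
    for width in (20, 40, 80, 160):
        n = bonded_channels(channels_20, width)
        rate = phy_rate_mbps(width, modulation, coding, streams)
        rows.append((width, n, rate, round(n * rate, 1)))
    return rows


if __name__ == "__main__":
    # 802.11n headline: 40 MHz, 64-QAM 5/6, 4 streams, short GI -> 600.0 Mb/s
    print("11n 4x4 @40 MHz:", phy_rate_mbps(40, "64-QAM", (5, 6), 4))
    # 802.11ac: 80 MHz, 256-QAM 5/6, one stream -> 433.3 Mb/s
    print("11ac 1x1 @80 MHz:", phy_rate_mbps(80, "256-QAM", (5, 6), 1))
    for row in bonding_tradeoff(NON_DFS_5GHZ, "64-QAM", (5, 6), 1):
        print("width %3d MHz: %d channels x %.1f Mb/s = %.1f" % row)
```

Running the trade-off rows shows the point the campus managers make: with 64-QAM, the nine 20 MHz channels and the four bonded 40 MHz channels carry a similar aggregate, and at 160 MHz this constructed channel set yields no usable channel at all. Bonding raises what one client can get, not what a crowded building can share.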

MU-MIMO: Multi-user MIMO allows a single 802.11ac device to transmit independent data streams to multiple different stations at the same time.

(Slide courtesy of Aruba)

Beamforming: Beamforming is now standard. Nanotechnology allows the antennas and controlling circuitry to focus the transmitted RF signal only where it is needed, unlike the omnidirectional antennas people are used to.

(Slide courtesy of Altera.)

What’s to like?

It’s been four years since 802.11n was ratified; best guesses have 802.11ac being ratified by the end of 2013. Anticipated improvements are: better software, better radios, better antenna technology, and better packaging.

The improvement that has everyone charged up is the monstrous increase in data throughput. Theoretically, it puts Wi-Fi on par with gigabit wired connections. Even if it doesn’t, tested throughput is leaps and bounds above what 802.11b could muster back in 1999.

Another improvement that should be of interest is Multi-User MIMO. Before MU-MIMO, 802.11 radios could only talk to one client at a time. With MU-MIMO, two or more conversations can happen concurrently, reducing latency.

Source:  techrepublic.com

Cisco acquires big piece of its plan to ease IT

Thursday, June 20th, 2013

Composite Software virtualizes data from all sources

Cisco this week said it would acquire privately held Composite Software, a provider of data virtualization software and services, for $180 million.

Composite’s software makes data collected from across the network appear as if it’s in one place. This logical representation is intended to speed and improve decision making, Cisco says.

Composite will play a key role in Cisco’s plan to develop an IT simplification platform. This platform appears to also include Cisco’s Unified Computing System (UCS) server and associated components, and technology from another recently acquired company, SolveDirect.

“Cisco’s strategy is to create a next generation IT model that provides highly differentiated solutions to help solve our customers’ most challenging business problems,” said Gary Moore, Cisco president and COO, in a statement. “By combining our network expertise with the performance of Cisco’s Unified Computing System and Composite’s software, we will provide customers with instant access to data analysis for greater business intelligence.”

Cisco also says a combination of Composite and SolveDirect’s process integration platform will provide cross-domain data and workflow integration for real-time business operations.

Composite will join a Cisco services group that is led by both Mala Anand, senior vice president of Cisco Services Platforms Group, and Mike Flannagan, senior director and general manager of the Integration Brokerage Technology Group. The acquisition is expected to close in the first quarter of Cisco’s fiscal year 2014, which closes in late October.

Source:  networkworld.com

Cisco releases security advisories

Friday, April 26th, 2013

Cisco has released three security advisories to address vulnerabilities affecting Cisco NX-OS-based products, Cisco Device Manager, and Cisco Unified Computing System. These vulnerabilities may allow an attacker to bypass authentication controls, execute arbitrary code, obtain sensitive information, or cause a denial-of-service condition.

US-CERT encourages users and administrators to review the following Cisco security advisories and apply any necessary updates to help mitigate the risks.

Source:  US-CERT