Is it me...
Is it me or does it seem like every other week we are patching security flaws in Cisco security products!!!
Cisco has announced a suite of patches against a bug in its Security Assertion Markup Language (SAML) implementation. As is so often the case with a language slip, the bug is inherited by multiple products. In the case of CVE-2018-0229, the affected systems are: Single sign-on authentication for the AnyConnect desktop …
It's not you. For a while a fellow was keeping a website dedicated to just the Cisco patches to remove hard-coded admin credentials, but even he gave up.
And it's not SNAFU (Situation Normal, All F****ed Up). It's SNACFU (Situation Normal, Another Cisco FU).
When I interview people for IT security positions and they proudly tell me about their super-secure Cisco firewalls, they lose a bunch of points in my mind. I interviewed at one company and they told me they were about to upgrade their ASAs. I asked "Is there any chance you could buy real firewalls instead?"
The room went silent for a few seconds and their CISO turned to the network manager who made that comment and said "See? I told you it wasn't just me!" Everybody laughed and they later made me an offer which I declined because it turned out there was no chance.
The answer is of course no.
1) Cisco, Checkpoint, PaloAlto, etc... all run their firewalls on top of Linux distributions which they don't properly maintain. Cisco for example tries to make their own Linux LTS branch but only selectively pull in patches. To be honest, while Linux is great for many things, security is pretty close to the bottom of the list. I still think Linux should be called "hackers den".
2) Most modern firewalls run as virtual appliances, often on VMware. VMware drivers are a rat's nest of security holes that simply are not solvable. Their VMXNET3 driver which they ship as the default on the Linux kernel (the one which EVERYONE uses) is so full of security holes it's disgusting. It's extremely problematic when firewalls running on VMware become insecure because you can simply code-inject as much as you'd like before the kernel even knows there's a packet of data. 100% untraceable.
3) PFSense is frigging awesome but doesn't scale at all.
4) Juniper is quite nice but once you get past a 50 user office on an appliance, it's a waste of effort.
As a note, before anyone goes all Palo Alto on my ass. Palo Alto is good as long as you don't touch anything. Just plug it in, make it run passive, set a password, configure your subscription, and that's it. Palo Alto is among the worst firewalls I've ever encountered because they rapidly weaken as you change configuration.
So the answer is simply... no, you can't buy a real firewall instead. So, you have to make do with whatever option will give you the best company to sue when you get hacked.
That said... and I REALLY REALLY REALLY don't want to be nice to them. I ABSOLUTELY HATE THESE BUGGERS.... I kinda almost sorta like the solution from McAfee. I don't have that much experience with them, but I find that as they have a great deal of experience in desktop clients and they try to be part of Windows and Mac instead of some half-assed AnyConnect like solution, they do a far better job of integrating for end to end security than anything I've seen from anyone else. Their software is good at keeping itself updated. And their management portal for everything from edge to desktop is actually usable.
But in the end, they are pretty much all shit.
Nope, it's you... there's just really no point patching Cisco security products.
Let's keep this simple. If an Internet facing device is not automatically patching itself, it is not a security device.
Security devices download security patches live and deploy them in the background.
Cisco's desktop software panders to network/security engineers who can't work with desktop teams to properly deploy automatic software updates.
For that fact, a core feature of Cisco ISE is to ensure you have all the updates you need or it won't let you in, but it has no subscription service to inform itself of these requirements. As such, no one actually enforces these rules and as such, no one ever upgrades.
Don't worry... ISE is only Cisco's most important security tool in their entire portfolio, but they try to keep it secure by sending 1-2 updates a year. They ignore security bug reports... for example in their impressively insecure SAML implementation in ISE... I mean really... I have never seen such horrible code in a security product. Watch the logs for SAML and see it burn. If you can't hack ISE after watching the SAML logs, you simply are dense, I bet even the sales guy could hack ISE after looking there.
The moral of the story is... Cisco doesn't make security products. They make lots of stuff they sell as security products. And if they fail, it was your fault for not properly maintaining them.