Well there's your problem
You didn't use Cisco equipment, that can only be backdoored by the NSA.
Five critical remote code execution vulnerabilities in millions of Aruba and Avaya devices can be exploited by cybercriminals to take full control of network switches commonly used in airports, hospitals, and hotels, according to Armis researchers. The security firm discovered the bugs, collectively called TLStorm 2.0, and said …
But GCHQ did an analysis and showed that it was Huawei's poor programming that led to security vulnerabilities and so it should be banned from UK networks.
It's only in America that Huawei's super cyber-ninja programmers were able to hide undetectable backdoors which couldn't be found even when you analysed the source code.
-> But GCHQ did an analysis and showed that it was Huawei's poor programming that led to security vulnerabilities and so it should be banned from UK networks.
Do you actually believe that nonsense? Huawei was banned in the UK because the American overlord said 'ban it'. Johnson replied 'how quickly do you want it banned, oh great one?'
Part of the problem is the wrong belief that everything should have a web interface and should be super-easily remotely-accessible.
Our now-old Avaya phone switch used direct serial connections to the computers used to administer it. Those computers were in a physically-secured location, and did not have access to or from the Internet. Remote admin was via callback modems.
Sheesh, you pay good money to license an SSL software stack and they screw it up just the same.
It makes you wonder, why are we paying for software anyway? There are open-source and free alternatives for almost everything, yet companies insist on paying people money so they can get "support" which consists of nothing more than someone answering the phone and listening to their lamenting the poor quality of the software.
Wow. I mean, it's not like open source software has bugs, izzit? And just because a very large chunk of the open source community lives in la-la land with the belief that 'the community' (meaning somebody else) is carefully checking all the source out there, doesn't make it so.
Why are we paying for software (in comparison to free or open source software)? It's because we can ring somebody up and say 'please fix this bug in your code', rather than saying 'the community will fix it'.
You would have to find somebody competent to do it. The reason why some people pay mechanics to change the oil in their car is because they don't know how to do it themselves. It's the same with software, and even more so with software related to security.
I don't know how cheap or expensive nanoSSL is, nor if they make any more claims about security than any other software provider. But unless you write all the software yourself (see point about competency), you will be buying it in or using free or open source somewhere along the way.
The reason corporate entities spring for paid-for kit is not just that you can ring up and get "support", it is so that someone else warrants the fitness of the item concerned.
Most businesses cannot afford to rely on in-house s/w checking - why should they if they are a hospital, or an airport? They should be doing due diligence on suppliers and then relying on THEIR resources to guard against nasties (and to fix sh1t when it goes wrong).
The support consists of a patch whilst you have millions of routers and switches in the field you need to update? Most of those switches have been out of support for years.
Software this critical simply needs to be bug-free. You cannot afford to have to update it many years later. Worst case the company that supplied the software folded or moved on into other fields and isn't interested in supporting it anymore.
A major part of "safe" is to restrict the surface area of the attack.
The support staff at our MSP just could not get their heads around why I insisted that the remote support web page for our Internet firewall be either disabled or locked to a couple of specified IP addresses, and not just left open to the public Internet. Their claim that "it is protected with a strong password" was the reason for their blinkered, naive concept of safety... different supplier, but these exploits take place before the supply of a password.
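The lock-down the previous commenter is describing, written out as an added nftables example for a Linux-based firewall (this is not from the thread, nor from any vendor's documentation). The two admin addresses, the `wan0` interface name and the management ports are assumptions chosen for illustration; the first, commented-out rule is the weak setting and the two rules below it are the restricted form.

```nft
# Added example: restrict the firewall's own management plane to named admin hosts.
# Addresses are RFC 5737 documentation addresses, used here as assumed admin workstations.
table inet mgmt {
    set admin_hosts {
        type ipv4_addr
        elements = { 198.51.100.10, 198.51.100.11 }
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # Weak setting (what the MSP wanted): web UI and SSH reachable from anywhere,
        # relying on the login page alone. Left disabled for contrast.
        # iifname "wan0" tcp dport { 443, 22 } accept

        # Restricted setting: new management connections arriving on the Internet-facing
        # interface are accepted only from the admin set ...
        iifname "wan0" tcp dport { 443, 22 } ip saddr @admin_hosts ct state new accept

        # ... and every other source is dropped before a TCP session, let alone a TLS
        # handshake or a login form, ever exists. The counter makes probing visible.
        iifname "wan0" tcp dport { 443, 22 } counter drop
    }
}
```

Load it with `nft -f` and check with `nft list table inet mgmt`. Because the decision is made on the source address at the packet filter, an unlisted host never reaches the HTTPS listener or its TLS stack at all, which is what matters against a bug that triggers before any password is supplied.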