If you're using older, vulnerable Cisco small biz routers, throw them out

If you thought you were over the hump with Patch Tuesday then perhaps think again: Cisco has just released fixes for a bunch of flaws, two of which are not great. First on the priority list should be a critical vulnerability in its enterprise security appliances, and the second concerns another critical bug in some of its …

  1. Anonymous Coward
    Joke

    Specific input

    > A remote user could exploit the flaw "by entering a specific input on the login page of the affected device,"

    "Open sesame"?

    1. tip pc Silver badge

      Re: Specific input

      Username: admin

      Password: nsa-letmein

  2. Anonymous Coward
    FAIL

    Amazed

    That anyone still trusts Cisco anymore.

    Throw the old routers out, by all means, but replace them with those from a less holey competitor.

    1. Anonymous Coward

      Re: Amazed

      What would you recommend?

      1. Anonymous Coward

        Re: Amazed

        A BSD box and a couple of network cards.

        Sadly, not available pre-packaged for a reasonable price. There is the tier of OpenWRT SOHO landfill material, dinosaurs from the 90s like Cisco, and overpriced but nice cloud stuff that stops working when the internet goes down (which is why Cisco bought Meraki).

        Or build it yourself and forget about it until your ancestors realize it was walled in 15 years ago and not rebooted since and no-one noticed.

        1. TimMaher Silver badge
          Windows

          Re: Ancestors

          Mine are all dead.

        2. CAPS LOCK

          'Not available pre-packaged...'

          ...https://en.wikipedia.org/wiki/OPNsense

      2. Duncan Macdonald

        Re: Amazed

        Huawei

        If both Cisco and the US government hate them then they must be better than Cisco !!!

        1. VoiceOfTruth Silver badge

          Re: Amazed

          The term "National Security" is very nebulous. It doesn't just mean some other country's equipment has back doors, it means it doesn't have our back doors.

      3. mIVQU#~(p,

        Re: Amazed

        Mikrotik

    2. aaaa

      Re: Amazed

      I've documented in comments on past articles my own frustration with using Cisco for small business and particularly with them ceasing software updates for vulnerabilities when you have a support contract and well before the EOL date.

      My current strategy is to migrate to small appliances designed to run open source pfSense or Netgate/pfSense+.

      Anyone here use these?

      edit: I'm not using any of the particular Cisco devices mentioned in this article, but ASAs and branch routers.

      1. katrinab Silver badge

        Re: Amazed

        I use OPNsense, which is a fork of pfSense.

        Both are good; OPNsense works better for my particular use case.

      2. Anonymous Coward

        Re: Amazed

        Yes, they are a great alternative.

      3. Version 1.0 Silver badge

        Re: Amazed

        Essentially, if you are going to have a connection to the Internet then you need a separate firewall - lots of machines are safe when you write rules that only allow their specific access ports. It needs to be a separate hardware firewall like pfSense etc ...

        "For their next act, they'll no doubt be buying a firewall running under NT, which makes about as much sense as building a prison out of meringue." -- Tanuki on ASR about 30 years ago ... getting hacked is nothing new these days.

    3. This post has been deleted by its author

  3. VoiceOfTruth Silver badge

    Cisco's Dictionary

    Oxymoron

    -> an authentication bypass vulnerability in the virtual and hardware versions of Cisco Secure Email and Web Manager, and the Cisco Email Security Appliance

  4. Ball boy Silver badge

    Throw away 3 year old, core, infrastructure?

    Hold on: if I bought a new car and a major flaw was discovered three years later then I could reasonably expect it to be recalled by the makers and have this addressed. I don't expect three year old core hardware to be treated as disposable by my network vendor.

    A cynic could argue Cisco is making a strong case for renting this kind of hardware in the future rather than buying it so the end user isn't left hanging out to dry. A realist might see this as a strong case to only buy from vendors who offer more reasonable support for their core equipment.

    1. aaaa

      Re: Throw away 3 year old, core, infrastructure?

      Suggestions? I've struggled to find anyone, so I'm looking at small appliances designed to run open source pfSense or Netgate/pfSense+.

      edit: I'm not using any of these particular devices, but ASAs and branch routers, and I've had the same problem with Cisco refusing to patch critical security vulnerabilities despite us having support/TAC and the model not being anywhere near EOL.

      1. fnusnu

        Re: Throw away 3 year old, core, infrastructure?

        Try Mikrotik: minimum 5 years of support

        https://mikrotik.com/

      2. Anonymous Coward

        Re: Throw away 3 year old, core, infrastructure?

        If you want a designed-for appliance, with vendor support, you're on the right track with Netgate & pfSense.

        If you're confident in your DIY chops, I'd say you're still on the right track with pfSense, but you have to be willing to invest a little effort in figuring out your hardware config.

    2. Terje

      Re: Throw away 3 year old, core, infrastructure?

      While I wholeheartedly agree that not supporting 3 year old kit is unacceptable, it seems that the kit in question is of the cheap and cheerful variety, with a price tag that is more like that of a cheap home router than anything else.

      1. Ball boy Silver badge

        Re: Throw away 3 year old, core, infrastructure?

        These may well be at the cheap and cheerful end of Cisco's range but they were sold as suitable for business use. As such, they should have business class support.

        They might only be supporting a satellite office of three/four people but that's as much of (if not more) a security risk than leaving a hole in corporate HQ.

        What next? Throw the medium level switches and routers to the wolves because they couldn't be bothered to patch them? Perhaps Cisco should define how many people need to be connected via their hardware before they can be classed as 'business users' so admins can do a better risk analysis.

        1. Snake Silver badge

          Re: cheap and cheerful for business use

          They were "junk" rated well before this occurred. The RV110 not only didn't have any firmware updates for YEARS prior to this event, they were 10/100 Ethernet, meaning that if you wanted modern business-level broadband... tough luck, the router would be a hardware limiter.

          Their only saving grace was VPN endpoint, which was indeed a business-level unusual feature for a modest priced unit at the time of their introduction. Not any more.

      2. Anonymous Coward

        Re: Throw away 3 year old, core, infrastructure?

        "...cheap and cheerful variety..."

        This does not matter; Cisco should hold the name Cisco with as much integrity as they still can. At the very least it's an exercise in software and/or hardware security. Cisco proves time and time again they have no interest in what their name stands for, so the next time you go to purchase, maybe their name should be forgotten.

    3. EricB123 Bronze badge

      Re: Throw away 3 year old, core, infrastructure?

      Oh no, yet another monthly subscription.

    4. elaar

      Re: Throw away 3 year old, core, infrastructure?

      "3 year old core infrastructure".

      You're over-egging it a bit there. It's hardware that's 10 years old now, was Linksys-like quality and cheap even then, and it's no more core infrastructure than my home router is.

      For an office you need a SOHO router like the old 800 or newer 900 series as a minimum.

    5. Anonymous Coward

      Re: Throw away 3 year old, core, infrastructure?

      I fully expect that Cisco would find a way (if they haven't already) to hang their rental customers out to dry too.

  5. Anonymous Coward

    What?.....No mention of .....

    .....the REMAINING Fort Meade designed backdoors?

    .....or the fact that the recommended patches contain IMPROVED Fort Meade designed backdoors?

    I think we should be told!!
