Former Cisco boss launches upstart to rattle old employer's cage Tech veteran John Chambers says he wants to take on Cisco, the business he built into a multibillion-dollar beast, by launching a startup that intends to remove humans from the network management equation. Branded as Nile, the business stumbled into the sunlight yesterday after exiting stealth mode. It has the backing of …
No one has yet found backdoors in Huawei kit and they provided source code. Don't forget the backdoors in Cisco's own kit. Lots of people have moved away from Cisco not just because of the cost, but because other companies, including Huawei, make better products.
I have seen all of Huawei code at a particular time in the past and although a little out of date in style, I could not find any backdoors.
Juniper were also mainly helpful, with a much more modern style of coding.
Cisco were just plain obstructive. There was much of their code I could not see.
Despite Huawei and China's attempts to deflect, distract, and reframe the theat, the security concerns are well founded.
The code audit they submitted was a publicity stunt. While if it had found every device had a backdoor, that would have certainly been a smoking gun, the lack of a backdoor in the master image of the firmware is exactly what you'd expect. The case of the very real attacks carried out using Cisco kit clearly show why. A savvy attacker will only modify equipment they are targeting, not everything that ships.
Just like Cisco kit, Huawei kit can be loaded with modified firmware at any point before it's installed. In addition there is nothing in either companies kit preventing their company from issuing new firmware with attack code that was not present in the previously audited versions. So unless the entire firmware stack is open source, and your auditing every patch and release, you still have to trust the manufacturer. Auditing every release and update for closed source code just isn't feasible at the scale of global buisness.
I think it is a fair point that China and Chinese companies have no more(and possibly less) reason to trust Cisco kit as western companies have to trust Huawei gear. So each client base has to decide where there are natural alignments of interest with the supplier. Cisco has too much to lose co-operating with the US government for industrial espionage inside the US and would suffer catastrophic liability under US law. China doesn't NEED to backdoor the networking gear in it's domestic market. It could, but in can also just order the installation of any arbitrary thing in any part of the nations telecom infrastructure, and largely already has. None of that hold true for Cisco kit in China or Chinese kit in the US.
At that level I am as concerned about Foxconn and Apple gear as Huawei.
Love the way this is downvoted... Yet nobody offers their differing view.
But I'd reckon its pretty much spot-on, the UK's GCHQ and other major European countries, had dedicated teams whose sole job was to tear apart Huawei kit, to look for exploits and backdoor, and not once in its 15+ years of operation did they find anything.
https://www.wired.co.uk/article/huawei-gchq-security-evaluation-uk
The sole reason they got ejected from West was, they were offering comparable products, cheaper, and the likes of Cisco, Nokia, Siemens wouldn't compete.. So they complained to the politicians.
Then Trump chucks his toys out the pram, tries to piss off the Chinese, who just ignore it, so he tries a different tactic, of threatening allies... Citing risk. To national security and infrastructure, and even to this day, not one iota of credible evidence had emerged, no smoking gun.
Then more recent cently, it came out, this was all about the money.. Its in an article somewhere, if I can find the link, I'll post it.
"The intent is to deliver an out-of-the-box Zero Trust network with "no network operations required"
Once it's widely adopted, there'll soon be nobody with the expertise to cope when it goes wrong (that that doesn't just mean "breaks" - it also means when it makes bad decisions that stop work in its tracks). This is yet another exemplar of the theory that replacing people with machines automatically improves performance. While this may be valid where the people are not more than average performers, it certainly doesn't when they're the best. But of course the best people are expensive, so that's probably the primary incentive for replacing them with machines. However, in real emergencies where it's not obvious what's going wrong, only an expert human can take the holistic view and use inference to arrive at corrective action. Every "intelligent" automaton we've created so far has essentially been a one trick horse, but what's needed in such emergencies is flexibility - a broad appreciation of all the facets of the entire situation (even sometimes the seemingly irrelevant). That takes lots of human experience, intuition and attention to detail - attributes of the human mind at its best.
I took a different view - it would be replacing the average people rather than the top tier people. There's a lot of average people out there who only need to be average because the needs of their network are average.
How many small (< 500 employees) companies out there who need to plug in desktops and some servers, some VPNs, and a couple of uplinks? How many even smaller companies (< 100 employees) with similar but more limited needs are there?
I agree though that having people around for when things go wrong (as they inevitably will) is important. I would not want a network with no network people around.
" I would not want a network with no network people around"
A mojor problem will be maintaining the expertise even of the best. The more that is automated, the less exposure even the experts have to day to day normality. Consequently, when the abnormal starts to happen it's less obvious and they're out of practice so the response will be slower and less effective. We have to keep getting our hands dirty to stay skilled.
"How many small (< 500 employees) companies out there who need to plug in desktops and some servers, some VPNs, and a couple of uplinks"
Lots of us, probably. I'm not a networking expert. I'm happy to tinker with my LAN until it goes titsup and I have to load the last router backup, but that's as far as it goes. Every so often I tell myself I'll read up on it and set up my NAS as a mail server, surveillance centre, website, etc. but until I understand it well enough I won't do anything that opens my LAN to the outside world. I certainly wouldn't trust a set of plug-an-play boxen to do it for me automatically and if I needed such a set up tomorrow I'd pay a pro to set it up for me.
The premise that this can do more than automate run of the mill default configurations is cracked.
That would only be possible if Nile had enough pull to force changes in both client companies and major manufacturers, including their competitors. This startup is not just going to walk into M$ or Apple HQ and start ordering their engineers to start changing code. Those companies don't want to work together. They active sabotage each others efforts.
Unless the client hardware (that Nile neither creates nor controls) implements the needed interfaces, and generally in a consistent and stable fashion, what they are suggesting ISN'T POSSIBLE. And getting one of them on board will likely cause the others to block the effort. Anyone remember Kerberos? Only broadly adopted on windows, then blocked for a decade or so till it was no longer considered essential of all that relevant, then grudgingly included after the fact due to a hard to configure open source project?
That's probably how this ends too.
The assumption that zero-trust will work for everything is a bit strange. Yes, you can make an automaticity configured network router if you can assume that all devices fall in to a specific category of use/authentication, and that all use-cases are basically along the same lines.
Still, will be interesting to see how it pans out in real life when someone wants to fit one to a complex legacy environment.
This quagmire of marketroid hype distills down a few simple points.
They want you to replace your "I own it" network with a "They own it" network that you don't even have fixed costs over. Those costs will of course be significantly higher of course, at least after the usual blitz to undercut the competition and get people locked in. See what Cisco did with their Meraki acquisition for clues.
They justify the first obvious trap by setting the second, a glittering lie that the system can self deploy into a workable, fully locked down zero-trust system. While the bar for improvement is pretty low in an industry driven by command line administration, 90's era orchestration tools and GUIs that were clearly build by programmers, this is a pipe dream. You can't do zero trust automatically because you can't do zero conf automatically, and those to are also mutually excursive to some degree. So this boils down to a different set of default settings, and necessary adjustments for everything that's left.
In addition, their pretention to overturn the whole world of procurement, deployment, and configuration is itself a deterrent to broad uptake in established organizations, where rearchitecting the core network is not a project to be taken lightly, involves many stakeholders, and careful consideration.
I'm putting my dollar on Nile being a company nobody has herd of a decade from now, not the new Cisco. I also suspect that Cisco isn't going to be what it is for another decade. While a new upstart may take their place, I would be less surprised if it is a wireless player that expanded into networking than a "Network as a service play"
Maybe it would be more appropriate that All corporate mobile PC systems should be made to sync up automatically instead of leaving it to the time stressed staff to just ignore or put it off ( till they lose or get their device wiped by mistake) losing all data.
JC knows all about this. (Any relevant NDA's regarding an historical event have now fully expired)
I have believed for many years that the TCO is way to high for nework management. Unfortunately Cisco was one of the worst offenders. The Cisco IoS is interface is outdated. Before you had to know what features were available for a particular network hardware you were configuring. Cisco tried on several occasions to come up with good network management. The Cisco works was a klugely bloated application. It is really a shame that Cisco did not focus more on network management when John Chambers was there.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
