NSS Solutions

Well we’re putting in a couple of Nexus 7000′s and the big question is will they live up to the hype?  We’ve done some initial testing on them and the packet forwarding is incredibly fast.  Over the next two weeks we will be doing some extensive testing on the Nexus lines, to include the In Service Upgrade, power failures, and all the normal testing.  I will put our test results up here so that you can get an idea of how they preform.

Please feel free to add any tests you would like to see in the comments and we’ll be sure to add them.

http://www.cisco.com/warp/public/707/cisco-sr-20080516-rootkits.shtml

Cisco Response

This is the Cisco PSIRT response to an issue that was disclosed by Mr. Sebastian Muniz of Core Security Technologies at the EUSecWest security conference on May 22, 2008.

No new vulnerability on the Cisco IOS software was disclosed during the presentation. To the best of our knowledge, no exploit code has been made publicly available, and Cisco has not received any customer reports of exploitation.

Cisco has analyzed the available information and recommends following industry best-practices to improve the security of all network devices. Specific recommendations are available in the Additional Information section of this Security Response.

Cisco PSIRT greatly appreciates the opportunity to work with researchers on security vulnerabilities and welcomes the opportunity to review and assist in product reports. We would like to thank Mr. Sebastian Muniz and Core Security Technologies for working with us towards the goal of keeping Cisco networks and the Internet, as a whole, secure.

Additional Information

The security of Cisco IOS devices consists of multiple factors, including physical and logical access to the device, configuration of the device, and the inherent security of the software being used. The security configuration of a device, specifically in relation to device security, is conveyed using documented best practices. The document entitled “Cisco Guide to Harden Cisco IOS Devices” (available at http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml), represents one collection of those best practices.

The integrity of the software used on Cisco IOS devices, in this case Cisco IOS software, is also important to device security. Depending on severity, security issues in Cisco IOS software are communicated to customers using Security Advisories, Security Responses, or Cisco bug release notes. Further details are documented in the Cisco Security Vulnerability Policy, available at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.

It is possible that an attacker could insert malicious code into a Cisco IOS software image and load it onto a Cisco device that supports that image. This attack scenario could occur on any device that uses a form of software, given a proper set of circumstances. This Security Response will describe best practices that network administrators can use to reduce the risk that malicious code is installed on Cisco IOS devices. Additionally, this response will offer some methods that administrators can use to mitigate the risks of introducing malicious code into the network.

Networking giant Cisco has published a total of 7 security advisories for its Internetwork Operating System (IOS) software. Each advisory lists one or more vulnerabilities and includes information about the updates that correct them. The vulnerabilities relate to various functions and protocols, such as IPSec, NAT, SIP, MPLS, H.323 and TCP. A summary table has been published with links to additional documents with instructions on work arounds and classifications for each issue. The highest rated vulnerabilities (CVSS 10) allow the execution of injected code when parsing SIP packets and exposure to a denial of service in the SIP Message handling.

For those of us that are crazy enough to run firewalls at our home it can be tough to get port translations through on a pix.

The easiest way is to get a ftp or http connection through to is to add a statement like the following

static (inside,outside) tcp interface ftp 172.30.20.23 ftp netmask 255.255.255.255 0 0

What that does is translate the ftp request on my outside interface to the IP 172.30.20.23 for ftp. You can do this with any port ie 80 for web of 443 for https. SSH remember will be connecting into the ASA or Pix. If you want to ssh to a system at your house I would recommend changing the ssh port.

Stay tuned for that article.