Hi,

On Tue, Aug 25, 2009 at 10:46:49AM +0100, Alan Buxey wrote:
> all these emails tell me are there are many devices on which bug fixes
> and security fixes are not being applied; along with possibly
> the service provider where these might be living. all handy information
> to those who only listen to this list....
The amount of security issues and security related bugs in older IOS devices is fairly small, and well-understood - and all of them can be mitigated by not running certain protocols, or carefully filtering the packets.

Our stance on IOS security issues is

 - put mitigation filters into place *immediately*
 - put a fixed IOS in the flash of the router
 - reload when convenient

Due to the bug history of IOS, it was quite good for our overall uptime to postpone the "reloading" thing until lots of additional bugfixes later on - and thus saving not only one but sometimes multiple reboots.

The CatOS switches, on the other hand, are pure L2 switches that have their management IP in a very tightly filtered RFC1918 network segment - and I wish you good luck in accessing those :-)

> ..some might wonder why routine upgrade/patching windows are not being
> undertaken..a resilient linkage scheme and equipment list should mean that
> eg a router or switch can be taken out even in middle of day should
> out of hours work be a non-entity :-|

"Real World" networks usually happen to lack some of the "everything is fully redundant, every server is wired to two different switches, nothing will ever fail in case a reboot goes wrong" magic.

Reloading one of our core L2 switches would have serious impact on a LOT of customers (all those directly attached to that switch, plus STP ripples to those that are dual-attached).

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
_______________________________________________ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
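As an added illustration of the three-step stance described in the message above (mitigation filter now, fixed image staged in flash, reload when convenient) and of the idea of confining management access to a tightly filtered RFC1918 segment, here is an IOS configuration fragment. It is not Gert's configuration and not taken from the thread: the image name, interface names, addresses, the management network 10.0.0.0/24 and the choice of which services to disable and which ports to permit are all assumptions made for the example. CatOS syntax is deliberately not shown; the same management-segment restriction is expressed here on an IOS box via VTY and interface ACLs.

```cisco
! ===== Step 1: mitigation, applied immediately, no reload needed =====
!
! Stop running protocols the box does not need to offer at all.
! (Which ones are unneeded is an assumption for this example.)
no service tcp-small-servers
no service udp-small-servers
no ip http server
no ip finger
no service pad
no cdp run
!
! Only the (assumed) RFC1918 management segment may reach the router's
! management services; routing peers are listed by explicit address.
! 10.0.0.0/24 and 192.0.2.1 are placeholders.
ip access-list extended INFRA-PROTECT
 remark management (SSH, SNMP, NTP) only from the NOC segment
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit udp 10.0.0.0 0.0.0.255 any eq snmp
 permit udp 10.0.0.0 0.0.0.255 any eq ntp
 remark BGP with the one known peer, both directions of the session
 permit tcp host 192.0.2.1 any eq bgp
 permit tcp host 192.0.2.1 eq bgp any
 remark everything else addressed to the router is dropped and logged
 deny   ip any any log
 remark transit traffic is not the subject of this ACL; see interface use
!
! Applied on the customer-facing interface (name is an assumption).
! Note: as written this also drops transit traffic through the
! interface; on real gear use a receive ACL / CoPP, or add permit
! lines for transit before the final deny.
interface GigabitEthernet0/1
 description customer uplink (example)
 ip access-group INFRA-PROTECT in
!
! Belt and braces: the VTY lines themselves accept only the NOC segment.
ip access-list standard MGMT-ONLY
 permit 10.0.0.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
!
! ===== Step 2: put the fixed image in flash, verify it, point boot at it =====
! (exec mode; TFTP server address and image name are placeholders)
!   copy tftp://10.0.0.10/c7200-is-mz.124-25.bin flash:
!   verify /md5 flash:c7200-is-mz.124-25.bin
!
! Then in config mode: new image first, old image as fallback.
no boot system
boot system flash:c7200-is-mz.124-25.bin
boot system flash:c7200-is-mz.124-23.bin
!
! ===== Step 3: reload when convenient =====
! (exec mode) schedule the reboot for a quiet window instead of now;
! the filter above is already protecting the box in the meantime.
!   reload at 03:00 12 Sep Install fixed IOS image
!   show reload          ! confirm the pending schedule
!   reload cancel        ! if the window has to be postponed again
```

Ordering matters for the reason the message gives: the ACL and the disabled services take effect at the moment they are entered, so the exposure window closes immediately, while the reload (the only step that costs uptime) can wait for a maintenance window or be folded together with later fixes. Checking the image with `verify /md5` against the vendor-published hash before changing the boot variable is what keeps a scheduled reload from turning into an unplanned outage.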