Cisco confirms Linksys firmware flaw, says only one router

Cisco has confirmed a vulnerability in a Linksys router that would allow a hacker to gain full control of the device used to build home wireless networks.

Security vendor DefenseCode disclosed the flaw last week, saying that it could be in multiple Linksys models. On Thursday, Cisco said the vulnerability was only in the Linksys WRT54GL.

"At this point, no other Linksys products appear to be impacted," Cisco said in a statement. "We have developed and are testing a fix for this issue, and will release it for our customers as soon as possible."

Until a patch is available, Cisco recommended that customers make sure their network is securely configured and that strangers or people who cannot be trusted do not use an Ethernet cable to connect to the router.

[See also: Researcher at RSA: Web page can take over your router]

Neither Cisco nor DefenseCode has provided details of the vulnerability. After being told of Cisco's statement, DefenseCode did a "quick analysis" and found that "at least one other Linksys model is probably vulnerable," Chief Executive Leon Juranic said in an email. In addition, the company has told Cisco about "a few other potential vulnerabilities in the Linksys equipment."

DenfenseCode was also checking to see whether network devices from other manufacturers contained the same flaw.

Earlier this week, DefenseCode said in a blog post that the vulnerability was in the default installation of Linksys routers. The company posted a YouTube video showing a proof-of-concept exploit being used to gain root access to a Linksys WRT54GL running the latest version of firmware, 4.30.14.

A few "shady" third parties offered to buy the exploit, which DenfenseCode refused to do, Juranic said. "We don't sell exploits."

In December, Cisco hired Barclays to find a buyer for Linksys, Bloomberg reported. The network equipment maker is looking to sell the unit as part of its strategy to get rid of its consumer businesses in order to focus on corporate products.

Read more about network security in CSOonline's Network Security section.

Cisco acquires network planning company for $141M

Cisco this week announced its intent to acquire privately held Cariden Technologies, a Sunnyvale, Calif., developer of network planning, design and traffic management software for service providers.

Under terms of the deal, Cisco will pay approximately $141 million in cash and retention-based incentives in exchange for all shares of Cariden.

DEAL MAKERS: Top tech M&A deals of 2012

Cariden develops capacity planning and management tools for IP/MPLS networks. Cisco says it will integrate these products with its own nLight technology for IP and optical convergence so service providers can enhance the visibility and programmability of their converged IP/optical networks.

The combination of these products will enable multilayer modeling and optimization of optical transport and IP/MPLS networks, Cisco says.

The Cariden acquisition also supports Cisco's Open Network Environment network programmability strategy by providing WAN orchestration capabilities across the IP and optical transport layers.

Cariden has partnerships with Cisco rivals Juniper Networks and Big Switch Networks.

The acquisition is expected to close in the second quarter of Cisco's fiscal year 2013. Cariden employees will be added to Cisco's Service Provider Networking Group, reporting to Shailesh Shukla, vice president and general manager of the company's Software and Applications Group.

Jim Duffy has been covering technology for over 25 years, 21 at Network World. He also writes The Cisco Connection blog and can be reached on Twitter @Jim_Duffy.

Read more about lan and wan in Network World's LAN & WAN section.

Cisco's internal security team fights to corral BYOD, malware and Wild West environment

Many organizations have a computer security incident response team (CSIRT) that swoops into action to battle malware outbreaks, other types of cyberattacks and possible insider threats, and at networking giant Cisco, that CSIRT team is made up of about 60 people trying to protect a business with about 75,000 employees.

"We're tasked with monitoring for and investigating policy violations against Cisco," says Matthew Valites, Cisco's CSIRT manager for information security investigations. That means protecting corporate IT assets used directly by employees or the business for processing purposes so that sensitive information isn't compromised. However, since Cisco has embraced a "bring your own device" (BYOD) strategy, policy enforcement matters for Cisco's CSIRT have become more complicated.

IN THE NEWS: Alcatel-Lucent to take on Cisco, VMware in crowding SDN field

"With user-owned devices, enforcement has become an issue," acknowledges Valites, in the course of discussing some of Cisco's security incident response practices. "BYOD is a real problem." In what's regarded as a cost-saving move, Cisco typically doesn't supply smartphones to any employee anymore, expecting them to use their own, unless their job falls under government regulatory restrictions where it's plainly spelled out an employee must be using a corporate-issued device. "This is a really big problem for my team," acknowledges Valites.

Above and beyond the BYOD conundrum, the Cisco CSIRT group each day faces the prospect of stopping desktop malware outbreaks, monitoring for unauthorized traffic on the network and guarding against stealthy online attacks from attackers going after key assets. There's also the inevitable spate of things like faulty log-ins but CSIRT's hard job is trying to ascertain unauthorized access.

This all has to be done within the framework for regulatory compliance. "We have a healthcare center in San Jose on premises with nurses and doctors," points out Valites, saying making healthcare professionals available on site is seen as a benefit for employees. And this means that security and privacy policies related to any data associated with it must adhere to federal HIPAA rules, he notes.

Valites says high-level executives at Cisco, not surprisingly, get special attention in terms of whatever computer or network they use since these executives are recognized as being valuable targets for cyber-espionage and the like. In comparison to other employees, "we pay more attention to their assets," says Valites.

And then there are whole groups at Cisco, such as an entire lab, that are known to all too frequently be getting into trouble, breaking with usage policies and their computers erupting with malware. "The labs are a little like the Wild West," acknowledges Valites. With repeat offenders there, Cisco CSIRT has no choice but to clamp down with additional controls, such a blackholing an entire lab on the network so they can't get online or shutting off network segments so they're restricted to an internal LAN.

But the main day-to-day challenge is in getting visibility into security events of any type and quickly deciding when and how to escalate the response. Cisco designed its own incident-response tracking system, where trouble of any type is recorded and pushed toward closure.

When an incident arises, the first task is to associate the computer device in question with its specific owner, says Valites. "We need the asset owners to provide that information to us," and in a large organization of global scope, that can be a challenge. Although lots of technical tools for antivirus, VPN, Web application control, intrusion detection and the like are in use, in the end much often rides on communication between people to share information accurately and quickly.

The CSIRT division also has to be mindful that there's the potential for an insider threat as there would be in any organization. That's the rogue employee or contractor with access to the network willing to steal data or do other damage. It's a prickly situation where escalation would mean reaching out to human resources and legal.

"We have good partnerships there," says Valites, noting that at Cisco, the legal counsel has made it clear about their role in incident response investigation and they want to be involved in the potential investigations into things such as leaks of sensitive information. Investigations of all sorts could require computer forensics, and Cisco's CSIRT is equipped to do that.

As Cisco is a global company, there is the need to coordinate the CSIRT across time zones and continents spanning North America to the Asia-Pacific region. "It's a follow-the-sun model," says Valites, adding that Cisco would benefit from physical security operations centers (SOCs). He says Cisco is now undertaking to construct two such SOCs -- one in San Jose, Calif., and the other in India -- that will make use of technologies of many types, including Cisco's own dedicated TelePresence systems for collaboration.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email: emessmer@nww.com.

Read more about wide area network in Network World's Wide Area Network section.

Extreme joins Cisco, Brocade, Huawei at 100G

Extreme Networks this week unveiled 100G and 40G Ethernet modules as well as SDN application support for its BlackDiamond X8 core switch.

Extreme's 100/40G XL modules are designed to help scale BlackDiamond X8 networks for virtualized multi-tenant cloud data centers, Internet Exchanges and data center core deployments. They are capable of scaling to 1 million route entries, and hundreds of thousands of addresses and flows through an upgraded TCAM, and logically segment multi-tenant networks with Layer 2 broadcast domains, Extreme says.

Extreme says they are "ideally suited" for evolving data center interconnect architectures with hardware Layer 2 over Generic Routing Encapsulation (L2GRE), and VXLAN transport with several tens of thousands of multicast groups.

IN DEPTH: Complete guide to network virtualization

Extreme joins Cisco, Brocade and Huawei as suppliers of 100G Ethernet for data centers. Juniper and Alcatel-Lucent, as well as Cisco and Brocade, provide it for service provider core and edge routing.

The four-port 100G module supports non-blocking, wire-speed performance of Layer 2/3 services, support of 100G-SR -- 100meter -- and 100G-OR 10Km optics, and fault tolerance and redundancy with N+1 power support. The 40G modules sports 12 wire-speed QSFP+ ports.

They allow the BlackDiamond X8 to scale to 32 100G ports and 98 40G ports. Extreme also has a 24-port 40G module that enables the switch to scale to 768 10G and 192 40G ports.

Separately, Extreme says it is supports OpenFlow startup Big Switch Networks' SDN applications for network virtualization and visibility. Extreme says its ExtremeXOS switch operating system can support Big Switch's Big Tap applications for traffic monitoring and network visibility with flow filtering; and Big Virtual Switch application for network virtualization.

Big Switch just debuted these applications this week.

Customer trials of the 12-port 40G and 4-port 100G XL modules begin next year, Extreme says. The 40G module costs $6,000 per port and the 100G module costs $35,000 per port.

Jim Duffy has been covering technology for over 25 years, 21 at Network World. He also writes The Cisco Connection blog and can be reached on Twitter @Jim_Duffy.

Read more about lan and wan in Network World's LAN & WAN section.

Cisco replaces collaboration group head again

Cisco has named a former Symantec executive to head its struggling collaboration group, which saw three different leaders in less than a year.

Rowan Trollope is Cisco's new senior vice president and general manager of the collaboration business. He succeeds O.J. Winge, the former Tandberg executive who assumed leadership of the group earlier this year from former collaboration head Barry O'Sullivan.

HEADING FOR THE EXITS: 10 Cisco executive departures over the past year

Winge (pictured left) is leaving Cisco for "personal reasons," according to this blog post by Marthin De Beer, senior vice president, of Cisco's video and collaboration group.

At Symantec, Trollope was most recently group president of the company's Symantec.cloud business unit where he oversaw product development, strategy, product sales, and marketing teams. He also oversaw the consumer, enterprise and small and mid-sized business segments.

"Rowan brings to Cisco an excellent track record in the software-as-a-service (SaaS) market; vital experience of end-user product development expertise, and a proven background in security and category leadership," De Beer states in his blog.

At Cisco, Trollope will assume responsibility for the Cisco collaboration portfolio, including TelePresence, Unified Communications Manager and WebEx. In addition, he will oversee collaboration software, devices, infrastructure and services that enable video and social collaboration, unified communications, customer contact centers, conferencing, mobility, and desktop virtualizationtechnologies, according to the De Beer post.

Trollop's new duties are effective Nov. 12 and he will report to De Beer.

Winge joined Cisco with its 2009 acquisition of videoconferencing leader Tandberg. He succeeded O'Sullivan last summer as head of the collaboration business, according to CRN.

Cisco's collaboration business has been hampered by execution issues and declining sales. Thebusiness was flat in Cisco's third quarter with TelePresence hit by decreased spending in public sector and enterprise.

In the fourth quarter, collaboration saw an 8% decline.

Jim Duffy has been covering technology for over 25 years, 21 at Network World. He also writes The Cisco Connection blog and can be reached on Twitter @Jim_Duffy.

Read more about lans and routers in Network World's LANs & Routers section.

Cisco's new management system simplifies control of thousands of servers

Cisco this week unveiled a new management system for its UCS servers that is designed to simplify management of thousands of servers spread across geographies and data centers, from a single pane of glass.

UCS Central lets IT managers control a globally distributed UCS infrastructure comprised of multiple domains, with the ability to ensure service and configure service profiles, ID pools, policies and firmware, Cisco says. UCS Central also has an XML API for integration with third-party systems management and cloud orchestration tools.

DIRECTION: Guide to Cloud Management Software

Cisco's existing UCS Manger product governs a single domain, made up of UCS Manager and all the UCS server and network access components it manages. UCS Central requires UCS Manager for local domain management while UCS Central provides tiered management for the global infrastructure.

UCS Central also aggregates server inventory, fault information and notifications across multiple domains to facilitate service assurance of the UCS infrastructure. The XML API also integrates Cisco's Intelligent Automation application with UCS Central for the creation of global UCS service profile templates across data centers.

Third parties writing to the UCS Central API include Compuware, for control of application performance across data centers, private, public, and hybrid clouds; Cloupia, for the ability to replicate between multiple sites for disaster recovery; Zenoss, for discovery, monitoring and managing UCS performance and capacity utilization; ScienceLogic, for surveillance of multi-tenant data centers; and Splunk, for gleaning operational intelligence from Big Data generated by thousands of UCS servers.

Cisco also enhanced the single-domain UCS Manager with a new version of the product. Release 2.1 of UCS Manager allows for more simplified connectivity of Cisco C-series rack servers by adding features previously available only to blade form factors, such as reduced cabling and rapid application deployment, Cisco says.

UCS Manager 2.1 with the Cisco Virtual Interface Card (VIC) 1225 reduces the number of cables for virtual servers from nine down to two, Cisco says. The number of switches and adapters can also be reduced, the company says.

UCS Manager 2.1 also gives customers new storage topology choices, Cisco says. It supports multi-hop FCoE, for consolidation of LAN and SAN. FibreChannel zoning in UCS Manager 2.1 provides incremental scaling path with "pod" deployments requiring no SAN switches, Cisco says. And NetApp storage users can consolidate FCoE, iSCSI and NAS traffic on the same port and cable, the company says.

As of August 2012, there are more than 15,800 UCS customers, and more than half of the Fortune 500 have invested in the product, Cisco says.

Lastly, Cisco also enhanced its Intelligent Automation for Cloud management software with release 3.1. The 3.1 version of IAC features CloudSync, for cloud infrastructure discovery and resource tracking so administrators can assess resources and make necessary changes to optimize service delivery.

Another feature is Virtual Data Centers, designed for self-service provisioning and management of multiple virtual data centers -- not just virtual machines. These data centers span virtual and physical compute, through UCS Manager, and networking resources, and can be provisioned according to infrastructure consumption limits.

Version 3.1 also includes Network Services Manager, which lets customers order network resources -- like VLANs -- from a self-service portal. Cisco says NSM provides the foundation for network-as-a-service in future releases of IAC.

Version 3.1 of IAC is consistent with Cisco's intent to manage multiple cloud environments such as OpenStack, Amazon EC2 and VMware vCloud Director.

Read more about data center in Network World's Data Center section.

Cisco said to cut ties with China's ZTE

Cisco has reportedly cut ties with Chinese telecom vendor ZTE after allegations that ZTE sold Cisco gear to Iran.

In June, a Reuters story revealed that Cisco, HP and Oracle gear was being sold to an Iranian mobile operator despite U.S. government sanction on such sales. Cisco conducted an internal investigation into ZTE's practices and as a result, recently ended a longstanding relationship with the Chinese company, according to a Reuters story published this week.

MORE SHANANIGANS: Breast enhancement courtesy of Cisco

The Cisco/ZTE situation comes amid a report due today from the U.S. House Intelligence Committee that states that equipment from ZTE and fellow Chinese telecom company Huawei pose a securitythreat to the U.S. The report, which follows a year-long investigation, recommends the U.S. block any attempts by ZTE and Huawei to make acquisitions or mergers in America, and encourages U.S. firms to procure equipment from other sources.

A ZTE spokesperson said of the Cisco action that the company is "highly concerned" and "communicating" with Cisco, according to Reuters. The spokesperson also said ZTE is cooperating with the U.S. government on its investigation into sales to Iran.

Cisco did not comment by the time this story was posted. But in June, Cisco said it "... complies with all U.S. export laws and requires our business partners to expressly acknowledge that they too must abide by these laws. Products such as these, which are not subject to individual export licenses, can be purchased from distributors and resold without Cisco's knowledge or control. We continue to investigate this matter, as any violation of U.S. export controls is a very serious matter."

According to this week's Reuters story, ZTE's general counsel at its Texas-based subsidiary alleged that the parent company plotted a cover-up of the sale of Cisco gear to Iran, including possibly shredding documents. The FBI has launched a criminal probe into the allegations, the news service reports.

ZTE has continued to do business in Iran while American-made technology has been subject to U.S. sanctions. A parts list dated July 2011 for an equipment contract between ZTE and an Iranian telecommunications company included several Cisco switches, Reuters reports. ZTE later agreed to sell five Cisco switches to another Iranian firm, according to the news service.

Cisco and ZTE partnered for the past seven years. Cisco viewed ZTE as a means to combat Huawei, which had been beating out Cisco in emerging markets by offering significantly cheaper products, according to Reuters.

But ZTE wanted to expand into the U.S. and Cisco did not want that, according to the Reuters report, which quoted "a former Cisco executive with knowledge of the matter."

Read more about lan and wan in Network World's LAN & WAN section.

How Cisco moved along to PaaS

Having on-demand virtual machines for employees is one thing, but that wasn't enough for networking giantCisco, says Rodrigo Flores, an enterprise architect in the company's intelligent automation business unit.

Last year Cisco launched what Flores calls one of the most advanced private cloud networks in the world, giving Cisco's 60,000 employees access to a shopping cart of virtual machine types. This infrastructure as a service (IaaS) cloud has offerings ranging from mirco instances of anywhere from one to five VMs to jumbo instances of 250 VMs, with 500 CPUs and up to 1TB of RAM. After launching the Cisco IT elastic infrastructure services, code-named CITEIS, Flores says there was a collective thinking internally of, "What's next?" For Cisco, it was platform as a service (PaaS).

DR IN THE CLOUD: Vendors jump in, enterprises wade

MORE CLOUD: OpenStack releases Folsom with heavy dose of virtual networking baked in

Some say the future of cloud computing is not on the infrastructure http://www.networkworld.com/supp/2012/enterprise2/040912-ecs-iaas-companies-257611.html (IaaS) layer, but instead on the platform as a service http://www.networkworld.com/slideshow/32927 (PaaS) layer, where enterprises can build and launch applications that are run in the cloud.

But PaaS hasn't quite seen the market adoption that the IaaS and software as a service (SaaS) layers have. Gartner http://www.networkworld.com/news/2012/091812-gartner-cloud-market-262546.html estimates PaaS is a $1.2 billion market compared to the $14 billion SaaS market and $6 billion IaaS market.

Flores says that's because many of the PaaS offerings on the market today are what he calls "Silicon Valley PaaS" vendors, who provide a place for organizations to build and construct new applications in the vendor's cloud. That's great for developers who don't want to worry about the underlying infrastructure the apps need, because it's all provided by the PaaS provider. Microsoft Azure, Heroku and AppFog provide such services, a literal platform for developers to build and launch applications in the cloud.

But Cisco already has infrastructure to run its apps on. Flores says the company has built its IaaS using its own hardware, the Cisco Intelligent Automation series, which includes the Cisco Cloud Portal and Cisco Process Orchestration, running VMware vCloud Director. Cisco is "drinking its own champagne," Flores jokes. But just having VMs that employees can spin up doesn't do anything for new applications that would run on that cloud. "(Silicon Valley PaaS) is great if you're starting from scratch," he says. Cisco needed a private-PaaS.

The company turned to rPath, a PaaS provider that offers a framework for application development, allowing organizations like Cisco to leverage their current infrastructure while automating the cumbersome aspects of application development. In this model, Cisco employees can now not only request and spin up a range of VMs, but have a platform available to just as easily order an Apache web server or Oracle Web Logic platform.

The PaaS layer sits above the infrastructure and automates the provisioning of operating systems, databases, application servers and configurations needed to build apps. "Apps don't run on infrastructure, they run on a platform," rPath CTO Brett Adams says.

MORE PAAS: Tips on a successful PaaS rollout http://www.networkworld.com/supp/2012/enterprise1/022712-ecs-paas-tips-255940.html

Since rolling out the rPath PaaS, Cisco has become a reference customer for rPath and in turn rPath has created a tour discussing the Cisco implementation, which it now calls an enterprise cloud adoption framework.

Adams says there are a few keys to ensuring this process works. An important one is having an image library. This is a place to store virtual images of apps and the supporting software stacks that they run on. This gives users a "shopping cart" of features that can be plugged into an app, just as there is a shopping cart of VM instances that users can choose from on the IaaS layer. Users also need the ability to create their own software images, such as third-party applications that can be leveraged by the app developer.

Adams says the takeway is that enterprises with an IaaS internal private cloud can automate the next layer above infrastructure in the cloud. Doing so, with tools like an rPath or from any other number of providers, such as http://www.networkworld.com/news/2012/092412-apprenda-262722.html Apprenda, give employees the speed tto create custom-built apps at their service.

Network World staff writer Brandon Butler covers cloud computing and social collaboration. He can be reached at BButler@nww.com and found on Twitter at @BButlerNWW.