Aging Enterprise Networks Face Security Risks, Obsolescence
The majority of enterprise networks are plagued with , insecure, and improperly configured devices that are ill-prepared for supporting BYOD, VDI, and video technologies, according to a newly released report titled "2012 Network Barometer Report" from ICT services company Dimension Data.
The findings point to a "disproportionate focus" on endpoints such as laptops, tablets, smartphones, and virtual machines as they move to embrace mobility, virtualization, and other bandwidth-intensive projects, according to Raoul Tecala, business development director for network integration at Dimension Data.
"Organizations cannot ignore the basic routing and switching equipment at the core of the network," he said. "Without adequate planning, organizations can expect traffic jams and performance bottlenecks. It's like building a number of new on-ramps onto a motorway, and not adding new lanes to carry the additional traffic."
Endpoint security isn't enough
According to the report -- which covers aggregate data the company collected in 2011 from some 300 organizations worldwide -- 75 percent of all network devices carry at least one known security vulnerability. The most prevalent vulnerability, present on 47 percent of all devices, was one identified by the Cisco PSIRT (Product Security Incident Response Team) in 2009 as No. 10,944. The moderately critical vulnerability (it has a rating between 6.4 and 7.8 out of 10 in terms of severity) gives bad guys an opening for successful DDoS attacks.
Among the remaining top 10 most prevalent vulnerabilities, four are ranked as being highly critical or severe. They include:
- PSIRT 111458, a multiprotocol label switching packet vulnerability that mostly affects network routers and exposes network environments to denial-of-service attacks
- PSIRT 111895, a hard-coded SN (Simple Network) vulnerability in Cisco Industrial Ethernet 3000 Series switches that attackers can exploit to gain full access to the affected device
- PSIRT 110410, a zone-based policy firewall vulnerability related to Cisco devices that process voice and video transmissions that may expose a network to DoS attacks
- PSIRT 111266, an IPsec vulnerability that (again) can expose a network to DoS attacks
Notably, all of these vulnerabilities can be fixed with already available software updates, according to the report.
Beyond assessing vulnerabilities, Dimension looked at the number of configuration issues on network devices -- that is, configurations that do not comply with established industry best practices. Overall, the company found the total number of configuration violations per device has increased from 29 to 43 year over year -- and that the number of security-related configuration errors (such as AAA Authentication, Route Maps and ACLS, Radius and TACACS+) also increased. AAA Authentication errors in particular jumped from 9.3 per device to 13.6, making it the most frequently occurring policy violation.
"Without correctly configured AAA -- particularly in larger environments -- it can be difficult to track, manage, and enforce a level of access to the network devices. In addition, events may not be recorded for the purposes of determining access granted, which could hinder incident response or a forensic investigation," according to the report.
Another key finding in the report: Networks are running an average of 5.1 major versions of IOS (Cisco's network-device platform) and 20.3 unique versions of IOS. That points to IOS version sprawl, which makes networking management and troubleshooting more complex and costly.
"Technology upgrades become more complicated when there are multiple IOS versions and each new device has be tested to ensure that it works with legacy equipment," according to the report. "Older versions of iOS may be unable to support newer technologies and communications services, such as video, resulting in network degradation, downtime, and reducing business agility."
The big picture in all this, according to Dimension, is that organizations need to take a more holistic approach to viewing and managing their networks. "In particular, the appearance of four new PSIRTs with relatively high threat scores should be a warning sign for organizations to ensure their IOS patch management processes are comprehensive and that they make full use of administration tools such as AAA to ensure only authorized users have access to their network devices," the report recommends.