Aging Enterprise Networks Face Security Risks, Obsolescence

The majority of enterprise networks are plagued with insecure and improperly configured devices that are ill-prepared to support BYOD, VDI, and video technologies, according to a newly released report titled "2012 Network Barometer Report" from ICT services company Dimension Data.

The findings point to a "disproportionate focus" on endpoints such as laptops, tablets, smartphones, and virtual machines as they move to embrace mobility, virtualization, and other bandwidth-intensive projects, according to Raoul Tecala, business development director for network integration at Dimension Data.

"Organizations cannot ignore the basic routing and switching equipment at the core of the network," he said. "Without adequate planning, organizations can expect traffic jams and performance bottlenecks. It's like building a number of new on-ramps onto a motorway, and not adding new lanes to carry the additional traffic."

Endpoint security isn't enough
According to the report -- which covers aggregate data the company collected in 2011 from some 300 organizations worldwide -- 75 percent of all network devices carry at least one known security vulnerability. The most prevalent vulnerability, present on 47 percent of all devices, was one identified by the Cisco PSIRT (Product Security Incident Response Team) in 2009 as No. 10,944. The moderately critical vulnerability (it has a rating between 6.4 and 7.8 out of 10 in terms of severity) gives bad guys an opening for successful DDoS attacks.

Among the remaining top 10 most prevalent vulnerabilities, four are ranked as being highly critical or severe. They include:

  • PSIRT 111458, a multiprotocol label switching packet vulnerability that mostly affects network routers and exposes network environments to denial-of-service attacks
  • PSIRT 111895, a hard-coded SNMP (Simple Network Management Protocol) vulnerability in Cisco Industrial Ethernet 3000 Series switches that attackers can exploit to gain full access to the affected device
  • PSIRT 110410, a zone-based policy firewall vulnerability related to Cisco devices that process voice and video transmissions that may expose a network to DoS attacks
  • PSIRT 111266, an IPsec vulnerability that (again) can expose a network to DoS attacks

Notably, all of these vulnerabilities can be fixed with already available software updates, according to the report.

Misconfiguration madness
Beyond assessing vulnerabilities, Dimension looked at the number of configuration issues on network devices -- that is, configurations that do not comply with established industry best practices. Overall, the company found the total number of configuration violations per device has increased from 29 to 43 year over year -- and that the number of security-related configuration errors (such as AAA authentication, route maps and ACLs, RADIUS and TACACS+) also increased. AAA authentication errors in particular jumped from 9.3 per device to 13.6, making them the most frequently occurring policy violation.

"Without correctly configured AAA -- particularly in larger environments -- it can be difficult to track, manage, and enforce a level of access to the network devices. In addition, events may not be recorded for the purposes of determining access granted, which could hinder incident response or a forensic investigation," according to the report.

Another key finding in the report: Networks are running an average of 5.1 major versions of IOS (Cisco's network-device platform) and 20.3 unique versions of IOS. That points to IOS version sprawl, which makes networking management and troubleshooting more complex and costly.

"Technology upgrades become more complicated when there are multiple IOS versions and each new device has to be tested to ensure that it works with legacy equipment," according to the report. "Older versions of IOS may be unable to support newer technologies and communications services, such as video, resulting in network degradation, downtime, and reduced business agility."

The big picture in all this, according to Dimension, is that organizations need to take a more holistic approach to viewing and managing their networks. "In particular, the appearance of four new PSIRTs with relatively high threat scores should be a warning sign for organizations to ensure their IOS patch management processes are comprehensive and that they make full use of administration tools such as AAA to ensure only authorized users have access to their network devices," the report recommends.
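The two measurements described above (AAA-related configuration violations per device, and major versus unique IOS version counts) can be reproduced over a device inventory. The script below is an added example, not code from the report or from Dimension Data; the three devices, their configuration excerpts and their "show version" banner lines are constructed, and the four AAA checks are one reasonable reading of "AAA best practice" (aaa new-model, a login authentication method list, accounting so that access events are recorded, and a central TACACS+ or RADIUS server), not the report's actual rule set.

```python
import re
# Constructed sample inventory (hypothetical devices, not data from the Dimension Data
# report): a running-config excerpt and the "show version" banner line per device.
DEVICES = {
    "core-rtr-1": {  # central TACACS+ AAA with accounting: the best-practice baseline
        "config": "aaa new-model\naaa authentication login default group tacacs+ local\n"
                  "aaa accounting exec default start-stop group tacacs+\n",
        "version": "Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(55)SE5, RELEASE SOFTWARE (fc1)",
    },
    "access-sw-7": {  # no AAA at all: shared line password, nothing logged centrally
        "config": "line vty 0 4\n password SHARED-LINE-PASSWORD\n login\n",
        "version": "Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(25)SEE2, RELEASE SOFTWARE (fc1)",
    },
    "branch-rtr-3": {  # local-only AAA: logins work, but sessions are not accounted for
        "config": "aaa new-model\naaa authentication login default local\n",
        "version": "Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)",
    },
}

# AAA checks in the spirit of the report's "AAA Authentication" violations: (name, pattern that must appear).
AAA_CHECKS = [
    ("aaa-new-model-missing", re.compile(r"^aaa new-model$", re.M)),
    ("aaa-login-auth-missing", re.compile(r"^aaa authentication login ", re.M)),
    ("aaa-accounting-missing", re.compile(r"^aaa accounting ", re.M)),
    ("no-central-aaa-server", re.compile(r"group (tacacs\+|radius)")),
]
VERSION_RX = re.compile(r"Version (\d+\.\d+)(\S+?),")

def aaa_violations(config):
    """Names of the AAA checks a running config fails."""
    return [name for name, rx in AAA_CHECKS if not rx.search(config)]

def ios_versions(banner):
    """(major, full) IOS version parsed from a 'show version' banner line."""
    m = VERSION_RX.search(banner)
    if not m:
        raise ValueError("no IOS version in banner: " + banner)
    return m.group(1), m.group(1) + m.group(2)

def report(devices):
    """Per-device AAA violations plus the version-sprawl counts the report tracks."""
    violations = {name: aaa_violations(d["config"]) for name, d in devices.items()}
    majors, fulls = zip(*(ios_versions(d["version"]) for d in devices.values()))
    return {
        "violations": violations,
        "avg_violations_per_device": sum(map(len, violations.values())) / len(devices),
        "major_ios_versions": len(set(majors)),
        "unique_ios_versions": len(set(fulls)),
    }
```

On the constructed inventory, `report(DEVICES)` gives 2.0 AAA violations per device, 2 major IOS versions and 3 unique ones; the same functions run unchanged over real `show running-config` and `show version` captures.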

802.11n is coming
Insufficient patching and configuration aren't the only problems enterprise networks are suffering. On average, 40 percent of all devices have been past EoS (end-of-sale) status in each of the past four years. "Technology past end-of-sale (EoS) status must be regarded as an aging asset and will be increasingly unsupportable and exposed to risk as it progresses toward LDoS (last day of support)," according to the report.

This increasing obsolescence could be attributed to two factors, according to the report: First, companies may be opting to hold on to aging networking gear due to financial challenges as the global economy has struggled. The second factor could be more robust product-development cycles, which can result in an increase in the overall number of products that must go EoS in order to make way for newer platforms.

In clinging to aging equipment, companies may find themselves at a disadvantage if they want to embrace virtualization, video, and mobility. "The last two years have seen a shift from 'product-oriented development' to 'architectural-oriented development' in order to ensure support for the larger macro-technology trends," according to the report. "The best example of this is within Cisco's Borderless Networks product portfolio, where every major routing and switching product family has undergone a refresh in the past two years."

One-third of all access points are 802.11n-capable, nearly triple the amount Dimension found in its previous report. 802.11n represents a significant improvement over previous standards: 150Mbps to 300Mbps as compared to 54Mbps with 802.11g. "Given the market trend toward increased mobility and anywhere, any device, any application end-user demands, it is likely that 802.11n access point penetration will be greater than 50 percent next year," the report predicts. "However, the continued adoption of 802.11n (through new deployments as well as the replacement of existing older access points) will put significant pressure on the network wiring closet. In order to fully leverage 802.11n capabilities, access switches will need -- at a minimum -- to support Gigabit Ethernet to accommodate the 150-300Mbps bandwidth capability and Power over Ethernet to power the devices."

Dimension's overarching recommendation is for organizations to stop neglecting their networks as they embrace bandwidth-intensive applications. Rather, companies should embrace a TLM (technology lifecycle management) approach to carefully and continually assess the state of their networks and ensure they have the infrastructure in place to securely support those services.

This story, "Aging enterprise networks face security risks, obsolescence," was originally published at InfoWorld.com.
