Popular network equipment and vulnerability statistics

    According to analytical agencies, the manufacturer of the most popular switching and routing equipment for medium and large enterprises is Cisco Systems (about 64% of the global market). In second place is HP Networking (approximately 9%). This is followed by Alcatel-Lucent (3%), Juniper Networks and Brocade (2.3% each), Huawei (1.8%) and other manufacturers that are less noticeable against the giants but together still occupy about 17.6% of the market.

    In Russia, the situation is special. In addition to the products of the manufacturers mentioned above, Nortel and Allied Telesis switches are quite common here. Devices from D-Link and NetGear, which offer equipment for small and medium-sized enterprises, are also often found. Brocade is still a rare sight in Russia.

    As a result, we can say that the equipment most frequently found in the server racks and switch cabinets of Russian companies comes from the following manufacturers: Cisco, HP (including 3Com), Juniper, Avaya (including Nortel), Alcatel-Lucent, Huawei, Allied Telesis, D-Link, NetGear.

    The question is how secure the devices on which networks are built actually are. How seriously do manufacturers take the security of their products? We will not be guided by the "security class" that some controlling body has assigned to each specific "piece of hardware". Instead, let's try to evaluate manufacturers by the number of known vulnerabilities, for which we will use the following histogram.

    What do these data tell us? Either Cisco and HP Networking have the most insecure devices in the world, or these two companies are more diligent than the rest in finding, processing and fixing vulnerabilities in their products. Let's hope it is the latter.

    If the manufacturer does everything right, events naturally unfold as follows.

    A vulnerability is found (it doesn't matter by whom; the main thing is that the manufacturer is informed about it). The manufacturer has some time to prepare a fix. As soon as the fix (or another remedy) is ready, information about the vulnerability and the options for eliminating it is published.

    Unfortunately, this does not always happen. Publishing information about a vulnerability is an admission of one's own mistake, and not every company is ready to do that. Often a manufacturer releases a fix without mentioning that it closes a critical vulnerability.

    Not so long ago, for example, Positive Research specialists studied a certain product in the security line of one of the industry giants. Almost all configuration of this product is done through a web interface, in which multiple vulnerabilities were detected, one of them quite serious: 7.0 on the CVSS v2 scale. We reported it to the manufacturer, and after a while a fix was released, but the manufacturer did not acknowledge the vulnerability publicly and, accordingly, you will not find a record of it on cve.mitre.org.

    Let's go back to the histogram. As you can see, the gap in the number of vulnerabilities between Cisco and HP Networking on one side and everyone else on the other is huge. However, the fact that, for example, only one vulnerability is visible on the histogram for Juniper equipment does not mean that there were no more in 2011. It only means that there is no information about them on cve.mitre.org, the most accessible and complete resource. Registered users of juniper.net can get comprehensive information about bugs and vulnerabilities, but finding the same information in the public domain is much more difficult.

    With the equipment of Avaya, Alcatel-Lucent, Huawei, Allied Telesis, D-Link and NetGear the situation is the same: there are vulnerabilities in the software, but there is little open information about them. If you don't know about them, someone else may well know.
    In other words: don't drop your guard! The absence of published vulnerabilities is no reason to consider equipment invulnerable, and it does not exempt you from device hardening. To keep you from relaxing, we present below a summary of statistics on the types of vulnerabilities for 2011-2012 across all the manufacturers mentioned.

    Denial of service, as always, is the most common threat to network equipment, but vulnerabilities that allow arbitrary code execution on the device (of which, by the way, there were half as many in 2010) are catching up. What happens next, we will see.
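As an added example that is not part of the original post, the tally behind such a histogram (vulnerabilities per vendor and per type, drawn from public CVE records) can be reproduced with a few lines of Python. The records below are constructed for illustration and are not real CVE entries; a vendor with no public record is reported with a count of 0 rather than silently dropped, which is exactly the gap the text above warns about.

```python
from collections import Counter, defaultdict

# Constructed sample records in the shape of cve.mitre.org entries
# (placeholder ids, vendor, year, CVSS v2 score, impact type). Not real CVEs.
SAMPLE_CVES = [
    {"id": "CVE-2011-EX01", "vendor": "Cisco",   "year": 2011, "cvss": 7.8,  "type": "dos"},
    {"id": "CVE-2011-EX02", "vendor": "Cisco",   "year": 2011, "cvss": 9.3,  "type": "code_exec"},
    {"id": "CVE-2012-EX03", "vendor": "Cisco",   "year": 2012, "cvss": 5.0,  "type": "dos"},
    {"id": "CVE-2011-EX04", "vendor": "HP",      "year": 2011, "cvss": 10.0, "type": "code_exec"},
    {"id": "CVE-2012-EX05", "vendor": "HP",      "year": 2012, "cvss": 4.3,  "type": "xss"},
    {"id": "CVE-2011-EX06", "vendor": "Juniper", "year": 2011, "cvss": 7.1,  "type": "dos"},
    {"id": "CVE-2012-EX07", "vendor": "D-Link",  "year": 2012, "cvss": 7.5,  "type": "code_exec"},
    {"id": "CVE-2010-EX08", "vendor": "Cisco",   "year": 2010, "cvss": 6.8,  "type": "code_exec"},
]

# The vendors the post lists as common in Russian networks.
VENDORS = ["Cisco", "HP", "Juniper", "Avaya", "Alcatel-Lucent", "Huawei",
           "Allied Telesis", "D-Link", "NetGear"]


def count_by_vendor(records, vendors, years):
    """Return {vendor: number of public records in `years`}, keeping zeros."""
    counts = Counter(r["vendor"] for r in records
                     if r["year"] in years and r["vendor"] in vendors)
    return {v: counts.get(v, 0) for v in vendors}


def count_by_type(records, years):
    """Return {impact type: {year: count}} for the yearly type summary."""
    by_type = defaultdict(Counter)
    for r in records:
        if r["year"] in years:
            by_type[r["type"]][r["year"]] += 1
    return {t: dict(c) for t, c in by_type.items()}


def vendors_without_public_data(vendor_counts):
    """Vendors with no public record: no data, not evidence of no bugs."""
    return sorted(v for v, n in vendor_counts.items() if n == 0)


def high_severity(records, threshold=7.0):
    """Ids at or above a CVSS threshold (7.0 is the score cited in the post)."""
    return [r["id"] for r in records if r["cvss"] >= threshold]


if __name__ == "__main__":
    per_vendor = count_by_vendor(SAMPLE_CVES, VENDORS, {2011, 2012})
    print(per_vendor)
    print("no public data:", vendors_without_public_data(per_vendor))
    print(count_by_type(SAMPLE_CVES, {2010, 2011, 2012}))
```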

    Posted by Dmitry Kurbatov, Positive Research Center

    * According to Worldwide Quarterly Enterprise Networks Tracker
    ** According to cve.mitre.org
