[c-nsp] Long Uptime
Gert Doering
gert at greenie.muc.de
Tue Aug 25 16:43:52 EDT 2009
Hi,
On Tue, Aug 25, 2009 at 10:46:49AM +0100, Alan Buxey wrote:
> all these emails tell me are there are many devices on which bug fixes
> and security fixes are not being applied on; along with possibly
> the service provider where these might be living. all handy information
> to those who only listen to this list....
The number of security issues and security-related bugs in older IOS
devices is fairly small and well understood - and all of them can be
mitigated by not running certain protocols, or by carefully filtering the
packets.
Our stance on IOS security issues is
- put mitigation filters into place *immediately*
- put a fixed IOS in the flash of the router
- reload when convenient
Due to the bug history of IOS, it was quite good for our overall uptime
to postpone the "reloading" thing until lots of additional bugfixes
later on - and thus saving not only one but sometimes multiple reboots.
The CatOS switches, on the other hand, are pure L2 switches that have
their management IP in a very tightly filtered RFC1918 network segment
- and I wish you good luck in accessing those :-)
> ..some might wonder why routine upgrade/patching windows are not being
> undertaken..a resilient linkage scheme and equipment list should mean that
> eg a router or switch can be taken out even in middle of day should
> out of hours work be a non-entity :-|
"Real World" networks usually happen to lack some of the "everything is
fully redundant, every server is wired to two different switches, nothing
will ever fail in case a reboot goes wrong" magic.
Reloading one of our core L2 switches would have serious impact on a LOT
of customers (all those directly attached to that switch, plus STP ripples
to those that are dual-attached).
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
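The three-step stance above (filter now, stage the fixed image, reload in a window) as a worked IOS configuration. This is an added example, not configuration from Gert's network or from Cisco; the prefixes (192.0.2.0/24 for the router's own addresses, 10.200.0.0/24 as the filtered management segment, 10.200.0.10 as a TFTP host) and the image filename placeholder are assumptions for illustration only.

```cisco
! --- Step 1: mitigation filters, applied immediately ---
! Infrastructure ACL on the uplink: only the management segment may talk
! to the router's own addresses; transit traffic is untouched.
! (192.0.2.0/24 and 10.200.0.0/24 are assumed example prefixes)
ip access-list extended EDGE-INFRA-PROTECT
 remark management-plane access only from the filtered RFC1918 segment
 permit tcp 10.200.0.0 0.0.0.255 192.0.2.0 0.0.0.255 eq 22
 permit udp 10.200.0.0 0.0.0.255 192.0.2.0 0.0.0.255 eq snmp
 remark everything else aimed at the infrastructure block is dropped
 deny   ip any 192.0.2.0 0.0.0.255
 remark traffic *through* the box is unaffected
 permit ip any any
!
interface GigabitEthernet0/0
 description uplink
 ip access-group EDGE-INFRA-PROTECT in
!
! Belt and braces: the vty lines also check the source address.
ip access-list standard MGMT-NET
 permit 10.200.0.0 0.0.0.255
!
line vty 0 4
 access-class MGMT-NET in
 transport input ssh
!
! "Not running certain protocols": switch off what the box does not need.
no service tcp-small-servers
no service udp-small-servers
no service finger
no ip http server
no ip source-route
no cdp run
!
! --- Step 2: put the fixed IOS into flash (exec mode) ---
! <fixed-image>.bin stands for the vendor image that carries the fix;
! 10.200.0.10 is an assumed TFTP host on the management segment.
copy tftp://10.200.0.10/<fixed-image>.bin flash:
! Check the image hash against the value published for it before trusting it.
verify /md5 flash:<fixed-image>.bin
!
! Point the boot loader at the new image without reloading yet.
configure terminal
 boot system flash:<fixed-image>.bin
 end
write memory
!
! --- Step 3: reload when convenient ---
! Schedule the reboot for the maintenance window rather than right now;
! "reload cancel" withdraws it if the window is lost.
reload at 03:00 IOS security fix
```

The order matters: the ACL and disabled services close the exposure the moment they are committed, so the reload itself carries no security urgency and can be folded into the next scheduled window together with any later fixes, which is exactly the uptime argument made above. The `deny ip any` to the infrastructure block is what makes the filter robust against bugs in services you did not think to disable.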