According to analytical agencies, Cisco Systems is the manufacturer of the most popular switching and routing equipment for medium and large enterprises (about 64% of the global market). In second place is HP Networking (approximately 9%), followed by Alcatel-Lucent (3%), Juniper Networks and Brocade (2.3% each), Huawei (1.8%) and other manufacturers that are less noticeable next to the giants but together nevertheless hold about 17.6% of the market.
In Russia the situation is special. In addition to the products of the manufacturers listed above, Nortel and Allied Telesis switches are quite common, and devices from D-Link and NetGear, which offer equipment for small and medium-sized enterprises, are often found. Brocade, on the other hand, is a rare bird in Russia.
As a result, the equipment most frequently found in the server racks and switching cabinets of Russian companies comes from the following manufacturers: Cisco, HP (including 3Com), Juniper, Avaya (including Nortel), Alcatel-Lucent, Huawei, Allied Telesis, D-Link and NetGear.
The question is how secure the devices on which these networks are built actually are. How seriously do manufacturers take the security of their products? We will not be guided by the “security class” that some supervisory authority has assigned to each specific piece of hardware. Instead, let's try to evaluate manufacturers by the number of known vulnerabilities, using the following histogram.

What do these data tell us? Either Cisco and HP Networking make the most insecure devices in the world, or these two companies are more diligent than anyone else in finding, processing and fixing vulnerabilities in their products. Let's hope the second is true.
If the manufacturer does everything correctly, events naturally unfold as follows.

A vulnerability is found (it doesn't matter by whom; the main thing is that it was reported to the manufacturer). The manufacturer has some time to prepare a patch package. As soon as the fix (or another solution) is ready, information about the vulnerability and how to remediate it is published.
Unfortunately, this is not always the case. Publishing vulnerability information is an admission of one's own mistake, and not every company is willing to make it. Often a manufacturer releases a patch package without mentioning that it thereby closes a critical vulnerability.
Not so long ago, for example, Positive Research experts studied a certain product in the security line of one of the industry giants. Virtually all configuration of this product is done via a web interface, in which multiple vulnerabilities were discovered, one of them quite serious: 7.0 on the CVSS v2 scale. We reported it to the manufacturer, and some time later a fix was released, but the manufacturer did not acknowledge the vulnerability publicly and, accordingly, you will not find a record of it on cve.mitre.org.
Let's return to the histogram. As you can see, the gap in the number of vulnerabilities between Cisco and HP Networking on one side and everyone else on the other is gigantic. However, the fact that, for example, only one vulnerability for Juniper equipment is visible on the histogram does not mean that there were no more in 2011. It only means there is no information about them on cve.mitre.org, the most accessible and complete resource. Registered users of juniper.net can get comprehensive information about bugs and vulnerabilities, but it is much harder to find the same information in open sources.
With Avaya, Alcatel-Lucent, Huawei, Allied Telesis, D-Link and NetGear equipment the situation is the same: there are software vulnerabilities, but little information about them. And if you do not know about them, perhaps someone else does.
In other words: do not get complacent. If vulnerabilities are not published, that is no reason to consider the equipment invulnerable: device hardening is still necessary. To keep you from relaxing, we give below generalized statistics on the types of vulnerabilities for 2011–2012 across all the manufacturers mentioned.

Denial of service, as always, is the most common threat to network equipment, but vulnerabilities that allow arbitrary code execution on the device (of which, by the way, there were half as many in 2010) are slowly catching up. What happens next, we'll see.
Author: Dmitry Kurbatov, Positive Research Research Center

* According to the Worldwide Quarterly Enterprise Networks Tracker
** According to cve.mitre.org