Automatic Security Leak

Clearly, keeping firmware current is not an easy task. Routers and switches have their own operating systems that handle the various networking, security and configuration features of the box. Most of Cisco's gear, for example, runs on its own IOS, while others make use of embedded Web servers and can be configured via browsers. With so many intricacies, solution providers have built up good businesses keeping firmware current for their clients.

"The point is to create a better user experience where they did not need to do hideous system administration," says William Jolitz, manager at a managed service provider.

So what could be so bad about automatic updates, especially for those network administrators who don't have the time to keep their routers and other core networking gear up-to-date with the latest patches and fixes? Windows, Macintosh and Unix operating systems, after all, have had this capability for years. Two main issues exist:

• The first drawback is the firmware significantly changes the interface and arrangement of the menus and features. That means a VAR will have to be trained to find the locations of the new options and where the old choices have been moved to continue to support and understand the product. Also, the more changes that are made to a smoothly running network, the harder it is for an administrator to troubleshoot and fix something that breaks. All told, automatic changes make it more difficult to document your client's network.
• Jolitz says it is also important to understand what you are changing on your network. "Our project made the distinction between functional, operational and feature changes from the start--you actually would start the process of feature deployment long before actual use, and there was a roll forward/back mechanism, so if it didn't work out, you'd still be able to maintain integrity."
• The second issue is far more insidious. It has to do with opening up a security back door to your client's network. The trick is being able to authenticate the router to the update site and making sure that no malicious code is downloaded in place of the vendor's. That isn't always easy.
• Tom Henderson, managing director of Indianapolis-based ExtremeLabs, who has worked as a networking solution provider, calls auto-updates "potential suicide." The problem is vendors not testing their updates before they're distributed. "Take as an example that Microsoft has recalled more than two dozen patches in the past two years because they weren't baked," he says.

The authentication issue is also foremost in Henderson's mind. "None of the auto-updates that I've seen perform mutual authentication prior to the cycle of download and implementation," he says. "I wouldn't in 1,000 years under current circumstances let any vendor auto-update anything. It's tough enough for me to let Symantec update virus files, but they perform authentication. Very few others do. And you know what happens when a Trojan walks in your network."

The best defense against this problem is to institute proper change-control procedures when you introduce something new on your network. "A lot of people have fairly strict change-control procedures," says Bill Pennington, CTO of White Hat Security, based in Santa Clara, Calif. "Any patch should go through this process."

Auto-updates aren't the answer for everything. "The trick is to always test something before putting it into place in your production environment, and see how it will impact your network infrastructure," Pennington says. "There are just so many areas where this can fall apart and cause problems."