Juniper Partners See Uptick In Customer Concerns About Security Vulnerability; Cisco Throws Jabs

Juniper partners are receiving more calls from customers concerned about the potential impact from Juniper's discovery last week of a major vulnerability in its firewall operating system through which hackers can decrypt virtual private network (VPN) connections.

"We've had a number of clients asked about it and what they need to do about it," said Dominic Grillo, executive vice president of Atrion Communications, a Branchburg, N.J.-based solution provider and longtime Juniper partner. "They're trying to find out if we as Juniper partners have any more information than what Juniper is releasing publicly, but we don't."

On Dec. 17, Juniper revealed it had found "unauthorized code" affecting devices running ScreenOS -- the operating system for its NetScreen firewall devices. The Sunnyvale, Calif.-based company said a hacker could use it to gain administrative access to NetScreen devices and decrypt VPN connections.

[Related: Juniper Partners Sound Off On Security Vulnerability, Stock Slide]

Sponsored post

Although Grillo says he doesn't expect the vulnerability to affect his Juniper business, the news "has definitely got people talking and asking questions."

"We did have one customer that questioned us very hard. Wanted us … to write them a letter ensuing that these things don’t exist in their technology and stuff," said Grillo. "You get some backlash like that."

Partners said Juniper has sent them emails explaining how customers can fix the issue and pointed them toward where they could find more information, but have yet to contact them directly to discuss the matter. Juniper had already released an emergency security patch it created for customers to implement "with the highest priority."

Juniper declined to give any further information regarding the security vulnerability or any guidance it has given to channel partners.

One executive of a solution provider and Juniper Elite partner said his company received only a small numbers of concerns from customers over the past week regarding the Juniper vulnerability, but it heated up Wednesday.

"We've fielded more questions from customers today than any day yet," said the executive, who declined to be identified. "I think since more information keeps coming in, people think it might be getting worse or maybe they're just finding out today about it."

The security vulnerabilities included administrative access vulnerabilities affecting ScreenOS 6.3.0r17 through 6.3.0r20, and VPN decryption vulnerabilities affecting ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20.

Because of the Juniper vulnerability disclosure, Cisco says it has started its own code review looking for "similar malicious modification."

"Our additional review includes penetration testing and code reviews by engineers with deep networking and cryptography experience," Anthony Grieco, senior director of Cisco's Security and Trust Organization, in a recent blog post. He added that the investigation was not forced upon Cisco by law enforcement agencies or anyone else, but was Cisco's decision.

The San Jose, Calif.-based networking giant didn't hesitate to throw some jabs at Juniper.

"We have seen none of the indicators discussed in Juniper's disclosure. Our products are the result of rigorous development practices that place security and trust at the fore," said Grieco. "They also receive continuous scrutiny from Cisco engineers, our customers, and third party security researchers, contributing to product integrity and assurance."

Partners said Cisco would "naturally" take some "competitive jabs" at Juniper.

"Even though Cisco might say, 'Hey, we don't implement back doors intentionally' -- one would believe that Juniper may not do that either," said Grillo.

Juniper's stock price took a dive Monday morning, dropping nearly 5 percent, to $27.05. As of 3:30 p.m. Wednesday, shares were slightly up at $27.70.