Your Firepower is on fire!!!!

icecream-guy · March 31, 2016, 07:15:28 AM

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160330-fp

LOL

When will these idiot types of things take Cisco down ?

...improper input validation of fields in HTTP headers...

GeorgeS · March 31, 2016, 09:06:55 AM

cisco at the moment is one of the worst vendors in these things in my opinion and generally their fw models are far behind from the competition and i am even a cisco guy! Is amazing how many critical bugs have the last years and not just the firewalls, nexus or the 65xx series are full of bugs(all kind of bugs).

But again maybe this is the reason i have a work

mmcgurty · March 31, 2016, 09:23:24 AM

I couldn't agree more GeorgeS! I think someone on here said that 3 days into March and Cisco already had 13 major vulnerabilities. That is absurd. We are considering brining on a contract position where I work just to handle upgrades of things because we can't keep up patching with the normal day-to-day work and projects.

deanwebb · March 31, 2016, 09:28:28 AM

HTTP headers... that's like, one of the easiest things to hack.

Don't worry, though, Cisco assures me that they make secure products.

Reggle · April 01, 2016, 01:19:48 AM

Agreed with GeorgeS. I'm happy working with Cisco switches, routers and wireless. But any security stuff should not be left to them anymore.

wintermute000 · April 02, 2016, 04:31:12 AM

to be fair Palo is pretty buggy as well but there's a difference between bugs and sec vulnerabilities, plus the palo upgrade routine is super painfree

code quality is definitely on the nose though for the last 3-4 years. The spaghetti code + Cisco organisational bloat / dev teams not cooperating / only running automated testing in isolation is definitely starting to bite. Bet you aspiringnetworker is lurking somewhere with that lovely Arista diagram where all their modules point back to a central sysdb vs the cisco spaghetti module mess

Dieselboy · April 04, 2016, 01:16:56 AM

FFS Cisco!

I updated to 6.0.1 a few days after it was available as it had a fix for something else.

Quote
Source
This vulnerability was found and reported to Cisco by Dikla Barda, Liad Mizrachi, and Oded Vanunu from Check Point Security Team.

Might start looking into going back to Checkpoint firewalls,then.

deanwebb · April 04, 2016, 11:50:10 AM

(Looks at source of reports...)

Well done, Checkpoint. Well done.

GeorgeS · April 05, 2016, 03:14:01 AM

Actually CP have 2 problems.
1)hard disks, if you have a very busy firewall and we speak for a big model ( 100k-200k+ concurrent connections with an average of day 70-100k approx) you should expect issues with the hard disks, cp are writing everything on their hard disks and after some time you will need to replace them, be prepared for that as we know that usually these things do not end well

. Bluecoat for example has similar issues but the hot swappable on them works like charm. But cp is getting a lot better also, but have in mind that.
2) they need refresh, once per year is good to be rebooted. Many zombies process and goes on. Again the busiest rule applies

.

To be honest i strongly believe that all devices should be rebooted once per year, at the end of the day you always have a problem and someone (non-networking-related) is pointing that the issue is with my fw, lets failover (no change of course), lets reboot, even though you are 100% that is not the fw and they are too lazy or whatever, are always pointing you like "we had again that issue and it was the fw" "check it again" ...... So you reboot and the issue persists and after some times, Ooo is the server what a surprize.

To go back to your cp comment, always depends if we speak for a site or a big DC.

deanwebb · April 05, 2016, 08:18:40 AM

There's also Palo Alto. I'd rather go with Palo than CP, based on user experiences alone.

GeorgeS · April 05, 2016, 08:31:10 AM

have worked a bit with palo alto and their PANOS 5, now they are at 6 and i havent touched one for some time. I was really impressed, are miles ahead of the competition. IF we speak for small sites are the best, but they are not so fast as advertised. But overall i agree, they should be the 1st choice of everyone now or one of the 1st choices.

Dieselboy · April 06, 2016, 01:53:57 AM

I guess after 1 year without a reboot would there be an increased potential for bugs to be exhibited?
To be honest, after 1 year you've probably got a whole load of security vulnerabilities discovered anyway.