The message now being "upgrade your damn hardware('s firmware)". Security / stability upgrades are made for a reason. Use them, or possibly suffer the consequences.
Easier said than done. In the ideal network, sure, you'd have extra network hardware to test the update on, to make sure it didn't break your configuration. You might also have failover network equipment so that the network would stay up while you upgraded it in pieces.
Of course even with few resources, you should still strive to make updates, maybe during the middle of the night (hope your customers don't need to access your network until morning), and be prepared to roll back if things don't go according to plan.
That is, if you even knew there was an update. Unlike Windows, your router isn't going to keep popping up little bubbles to tell you to update.
So yes, it is your responsibility as an IT admin to keep the network secure, but there are still a lot of obstacles that means that overloaded admins will forget or procrastinate. I don't know much about the vuln, but it appears to affect telnet. If that was the only thing patched in that update (or I didn't care about the other features that were being patched at the same time), I would just make sure telnet was closed and leave it be.
EDIT: Ok, looked more into the vuln, apparently any open ports make it vulnerable, as it is a problem with how they handled the tcp headers. Only reasonable solution here is to patch.
"That is, if you even knew there was an update. Unlike Windows, your router isn't going to keep popping up little bubbles to tell you to update."
And if your company values its security at all, they should be certain that their IT people are checking for such things. They know the hardware, so they know the websites where exploits / updates are listed. Have a folder of bookmarks, and check it once a week, and you wouldn't be caught off-guard by (relatively) ancient exploits. The alternative is equivalent to a company using the oldest version of XP, expecting there to be no security problems because they aren't looking, and don't want to risk updating to a more secure system. Bring on the viruses / script kiddies!
I'll agree that upgrades can cause troubles, sometimes extreme, but they should be expected at some point in the future. Expecting otherwise is expecting your hardware / software to be eternally flawless, which is ludicrous. Even something as simple as a light switch sometimes needs to be repaired / replaced, and that's just a physical switch, almost literally as simple as it can be. If you continued using a light switch that sparked and smoked every time you switched it for a year, and your house burns down, you really only have yourself to blame. Sure, replacing it means calling in an electrician, or doing it yourself, both of which bring their own dangers, but when the alternative is relatively likely catastrophic failure eventually, it's probably worth it.
7 comments
[ 4.0 ms ] story [ 21.4 ms ] threadIn short, we fixed this particular problem about 350 days ago.
http://forums.theregister.co.uk/forum/1/2010/01/07/juniper_c...
Of course even with few resources, you should still strive to make updates, maybe during the middle of the night (hope your customers don't need to access your network until morning), and be prepared to roll back if things don't go according to plan.
That is, if you even knew there was an update. Unlike Windows, your router isn't going to keep popping up little bubbles to tell you to update.
So yes, it is your responsibility as an IT admin to keep the network secure, but there are still a lot of obstacles that means that overloaded admins will forget or procrastinate. I don't know much about the vuln, but it appears to affect telnet. If that was the only thing patched in that update (or I didn't care about the other features that were being patched at the same time), I would just make sure telnet was closed and leave it be.
EDIT: Ok, looked more into the vuln, apparently any open ports make it vulnerable, as it is a problem with how they handled the tcp headers. Only reasonable solution here is to patch.
Perhaps the router maker(s) should give you an app that'll do that, seems like a very useful thing to me.
And if your company values its security at all, they should be certain that their IT people are checking for such things. They know the hardware, so they know the websites where exploits / updates are listed. Have a folder of bookmarks, and check it once a week, and you wouldn't be caught off-guard by (relatively) ancient exploits. The alternative is equivalent to a company using the oldest version of XP, expecting there to be no security problems because they aren't looking, and don't want to risk updating to a more secure system. Bring on the viruses / script kiddies!
I'll agree that upgrades can cause troubles, sometimes extreme, but they should be expected at some point in the future. Expecting otherwise is expecting your hardware / software to be eternally flawless, which is ludicrous. Even something as simple as a light switch sometimes needs to be repaired / replaced, and that's just a physical switch, almost literally as simple as it can be. If you continued using a light switch that sparked and smoked every time you switched it for a year, and your house burns down, you really only have yourself to blame. Sure, replacing it means calling in an electrician, or doing it yourself, both of which bring their own dangers, but when the alternative is relatively likely catastrophic failure eventually, it's probably worth it.