Popular Network Equipment and Vulnerability Statistics
According to analytical agencies, Cisco Systems is a manufacturer of the most popular switching and routing equipment for medium-sized and large-scale enterprises (about 64% of the global market). HP Networking holds the second place (approximately 9%). Then follow Alcatel-Lucent (3%), Juniper Networks and Brocade (each 2.3%), Huawei (1.8%) and other manufacturers less outstanding in comparison with the giants but still holding together almost 17.6% of the market.
There is a specific situation in Russia. Besides the products of the abovementioned manufacturers, Nortel and Allied Telesis switches are widely spread in this country. Moreover, devices of such manufacturers as D-Link and NetGear offering equipment to small and medium-sized enterprises are quite frequent. Brocade is still a rare bird in the territory of Russia. Finally, we can say that equipment of the following manufacturers is the most frequent in server racks and wiring closets of Russian companies: Cisco, HP (including 3Com), Juniper, Avaya (including Nortel), Alcatel-Lucent, Huawei, Allied Telesis, D-Link, NetGear.
The point at issue is to which degree those devices, on which networks are built, are safe. How seriously do manufacturers treat their product safety? We won’t follow a ‘security class’ assigned by an inspection body to each specific gadget. Let’s try to evaluate manufacturers in accordance with the number of well-known vulnerabilities, wherefore the following diagram will be used.
What is this data indicating to us? Either Cisco and HP Networking manufacture the least secure devices in the world or these two companies are the most attentive when searching, processing and patching vulnerabilities in their products. We hope it is the second statement which is true.
If a manufacturer does everything right, events develop naturally as follows:
A vulnerability is detected (no matter by whom, it is important that the manufacturer has been informed of it). The manufacturer has some time to prepare a patch package. As soon as the patches (or another solution) are ready information on the vulnerability and variants of its elimination is published.
Unfortunately, this procedure is not always followed. Publication of vulnerability information is acceptance by a company of its own mistake, and not every company is ready to do this. Very often a manufacturer releases a patch package not mentioning that it is intended to close a critical vulnerability.
Recently, for example, specialists of Positive Research have been studying a security line product of one of the industry giants. Practically the whole setup of the product is carried out through a web interface, in which multiple vulnerabilities were detected. And one of them was quite serious – 7.0 in accordance with CVSS v. 2. We informed the manufacturer of it and the patch was released a little bit later, but the manufacturer did not publicly acknowledge this vulnerability and therefore you won’t be able to find any entry of it on cve.mitre.org.
Let’s return to the diagram. As we can see the gap in the number of vulnerabilities between Cisco along with HP Networking and all others is rather huge. However, though the diagram displays only one vulnerability for Juniper equipment, it does not mean that the number of vulnerabilities wasn’t bigger in 2011. The thing is that there is no information about them on cve.mitre.org, one of the most available and complete resource. The registered users of juniper.net can obtain exhaustive information about bugs and vulnerabilities, but it is more difficult to find the same data publicly available.
The same with Avaya, Alcatel-Lucent, Huawei, Allied Telesis, D-Link and NetGear equipment: there are vulnerabilities in software but there is little public information about them. If you don’t know about them, somebody else may know. In other words, keep your eyes open! If vulnerabilities are not published this is not a reason to consider equipment inaccessible: there is still device hardening. To stay on the guard, below is the generalized statistics in accordance with the types of vulnerabilities for 2011-2012 for all mentioned manufacturers.
Denial of service, as usual, is the most wide spread threat to network equipment, but those vulnerabilities which make it possible to execute an arbitrary code in a system are slowly moving closer (by the way, there were twice fewer of them in 2010). Let’s wait and see what will happen.