On 13 May 2014, a new book about the U.S. National Security Agency (NSA) was released. It includes allegations that the NSA has intercepted and tampered with technology products in transit from U.S. technology providers to customers, potentially including products intended for Cisco customers.
We take these allegations very seriously, and our Chief Executive Officer has communicated directly with leaders in the U.S. government to express our deep concern.
Our commitment to our customers is clear: as a matter of policy and practice, Cisco does not work with any government, including the U.S. government, to weaken or compromise our products. This document has been prepared to help you assess, secure, and manage your network.
We are proud of our global reputation as a trustworthy vendor, and we take industry-leading measures to safeguard the integrity, security, and reliability of our equipment.
Cisco's Trustworthy Systems initiative focuses on four key areas during product development:
- Applying the Cisco Secure Development Lifecycle, a repeatable company-wide methodology for secure product development that mitigates the risk of vulnerabilities and increases product resiliency
- Deploying Trust Anchor Technologies to assure customers that they are using genuine hardware and software and offer increased physical security protection for their networks
- Use of Next-Generation Encryption to promote improved security, enhanced performance, and consistency with global standards
- Participating in government and international standards bodies to define and implement certifications, ensuring our customers have an objective measure of security
The initiative also includes our interlocking practices and procedures to embed physical and logical security throughout our supply chain. At each node of the supply chain, we apply some combination of:
- Physical security — Component-to-finished good traceability, real-time transport tracking, security checkpoints, segregation of high-value materials, and role-based access control
- Logical security (rules-based) — Encrypted data transmission, material reconciliation, data destruction, and scrap handling processes
- Security technology — Anti-counterfeiting chips, insertion of immutable identity during test, data-extracting test beds, and tamper-resistant labeling and packaging
We also validate supplier adherence to our security requirements in multiple ways, including physical audits, information security assessments, and embedding security into supplier ratings. The intended result of this validation process is continuous feedback, remediation, and enhancement.
The Cisco Product Security Incident Response Team (PSIRT) also operates an industry-leading security vulnerability disclosure program, while maintaining strong relationships with our customers, security researchers, and CERT organizations around the world.
Cisco has reviewed the most recent allegations, said to be sourced from a “June 2010 report from the head of the NSA's Access and Target Development department.” This document alleges that the NSA “intercepts and tampers with routers and servers manufactured by Cisco to direct large amounts of Internet traffic back to the NSA's repositories” through the installation of “beacon implants.”
Having reviewed this information, Cisco has concluded:
- No information about specific Cisco products was included
- No information about interdiction or implant techniques was included
- No new security vulnerabilities were identified or disclosed
Based on the generic information published, we recommend that Cisco customers focus on two areas: network infrastructure hardening, and monitoring and analysis of network telemetry.
Network Infrastructure Hardening
- Implementing a regular and periodic software upgrade routine using current software versions obtained from Cisco.com
- Ensuring the ongoing integrity of software images in use on the network (Cisco IOS Software Integrity Assurance, Cisco IOS XE Software Integrity Assurance, and Cisco IOS Image Verification)
- Securing network devices using the documented best practices available for IOS, IOS XR, and NX-OS
- Using centralized authentication, authorization and accounting (AAA) to permit, deny and log access to all network devices
- Properly securing SNMP access to protect the confidentiality, integrity, and availability of network data and of the network devices through which it transits
- Leveraging a structured process for receiving, evaluating, and acting promptly on published Cisco Security Advisories and Alerts
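The image-integrity item above comes down to one repeatable check: every software image staged for deployment must hash to the value the vendor published for that exact release, and anything not on the known-good list is treated as suspect. The script below is an added example, not Cisco's code and not the Cisco IOS Image Verification tooling; it assumes a directory of image files on a staging host and a manifest of published SHA-512 digests obtained over a separate channel. The file names, image contents and digests it uses are constructed for the example.

```python
"""Verify staged software images against a known-good hash manifest.

Added example (not Cisco's code or tooling). It mirrors the practice in
the hardening list: hash each image on the staging host and compare it to
the digest published for that release. Names, contents and digests below
are constructed for the example.
"""
import hashlib
import hmac
from pathlib import Path
from tempfile import TemporaryDirectory


def sha512_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-512 so large images do not need to fit in memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_images(image_dir, manifest):
    """Return {image name: status} covering every file present and every manifest entry.

    status is one of:
      "ok"        digest matches the manifest
      "mismatch"  file present but digest differs (altered, corrupt, or a different build)
      "unknown"   file present in image_dir but not listed in the manifest
      "missing"   listed in the manifest but not present in image_dir
    """
    results = {}
    for path in sorted(Path(image_dir).iterdir()):
        if not path.is_file():
            continue
        expected = manifest.get(path.name)
        if expected is None:
            results[path.name] = "unknown"
        elif hmac.compare_digest(sha512_of_file(path), expected):
            results[path.name] = "ok"
        else:
            results[path.name] = "mismatch"
    # Anything the manifest lists that never arrived is reported too, so a
    # missing image is noticed rather than silently skipped.
    for name in manifest:
        results.setdefault(name, "missing")
    return results


def demo():
    """Build a constructed staging directory and manifest, then verify it."""
    pristine = b"constructed image bytes: build A"
    with TemporaryDirectory() as tmp:
        staging = Path(tmp)
        (staging / "image-a.bin").write_bytes(pristine)
        (staging / "image-b.bin").write_bytes(pristine + b"\x00")  # one byte appended: altered
        (staging / "image-x.bin").write_bytes(b"never published")  # not on the known-good list
        manifest = {
            "image-a.bin": hashlib.sha512(pristine).hexdigest(),
            "image-b.bin": hashlib.sha512(pristine).hexdigest(),  # digest of the pristine build
            "image-c.bin": hashlib.sha512(b"constructed build C").hexdigest(),  # never staged
        }
        return verify_images(staging, manifest)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{name}: {status}")
```

Run it as a gate in the upgrade process rather than as an occasional audit: a "mismatch" or "unknown" result should stop the deployment and trigger the incident-response steps described later in this document. Prefer the SHA-512 digest where the vendor publishes one; the on-box IOS `verify /md5` command remains useful as a second check on the device itself after the image has been copied.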
Monitoring and Analysis of Network Telemetry
- Implementing supplemental instrumentation, focused on high-value network segments, devices, and individuals, to oversee network devices and enable traffic monitoring (Telemetry-Based Infrastructure Device Integrity Monitoring)
- Categorizing network segments and IP address ranges based on the types of devices and the expected network traffic (e.g., networking equipment, user workstations, servers, or wireless networks)
- Implementing Cisco IOS NetFlow for visibility into traffic flows emanating from each portion of the network, for evaluation against expected traffic
- Monitoring AAA log information for unauthorized or unexpected access to, and commands executed on, all network devices
- Monitoring network device event logging to identify unexpected network device-level activity
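The telemetry items above describe one workflow: decide what each segment of the network is for, then judge flow records and AAA accounting records against that expectation rather than hunting for a known signature. The script below is an added example, not Cisco's code or part of any Cisco product; it assumes NetFlow records have already been exported and reduced to (source, destination, port, protocol, octets) tuples, and that AAA command accounting is available as one line per command in a constructed format. The segment ranges, management-server addresses, account names, flow records and log lines are all constructed for the example.

```python
"""Evaluate constructed network telemetry against an expected-traffic profile.

Added example, not Cisco's code or tooling. It applies the practices in the
telemetry list: classify addresses by segment, judge flow records against
what that segment's role should produce, and review AAA command-accounting
lines for activity the account or its origin does not explain. Every address
range, account name, flow record and log line is constructed for the example.
"""
import ipaddress
import re
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto octets")

# Constructed segment inventory: network -> role of the hosts in it.
SEGMENTS = {
    ipaddress.ip_network("10.0.0.0/24"): "network-device",  # router/switch management addresses
    ipaddress.ip_network("10.1.0.0/16"): "workstation",
    ipaddress.ip_network("10.2.0.0/24"): "server",
}
# Services an infrastructure device is expected to initiate traffic to (AAA, syslog, NTP, collector).
MGMT_SERVERS = {ipaddress.ip_address(a) for a in ("10.2.0.10", "10.2.0.11")}
# Hosts from which administrative sessions to network devices are expected to originate.
ADMIN_HOSTS = {"10.2.0.20"}
# Accounts permitted to run configuration-changing or image-handling commands.
CHANGE_ACCOUNTS = {"netops-change"}
SENSITIVE_CMD = re.compile(r"^(configure|copy|reload|boot|write|delete|format)\b")


def segment_of(addr):
    """Map an address to its segment role; anything outside the inventory is 'external'."""
    ip = ipaddress.ip_address(addr)
    for net, role in SEGMENTS.items():
        if ip in net:
            return role
    return "external"


def evaluate_flows(flows):
    """Return (flow, reason) pairs for flows that fall outside the expected profile."""
    findings = []
    for f in flows:
        src_role, dst_role = segment_of(f.src), segment_of(f.dst)
        if src_role == "network-device" and ipaddress.ip_address(f.dst) not in MGMT_SERVERS:
            # A router or switch initiating traffic anywhere but its management
            # services is the first pattern to investigate, whatever the volume.
            findings.append((f, "network device talking to non-management destination"))
        elif dst_role == "network-device" and src_role not in ("server", "network-device"):
            findings.append((f, "device management plane reached from outside the admin segment"))
    return findings


# Constructed accounting format: "<Mon> <day> <hh:mm:ss> <device> user=<u> src=<ip> cmd=<text>"
AAA_LINE = re.compile(r"^(?P<ts>\S+ \d+ [\d:]+) (?P<device>\S+) user=(?P<user>\S+) "
                      r"src=(?P<src>\S+) cmd=(?P<cmd>.*)$")


def evaluate_aaa(lines):
    """Return (line, reason) pairs for AAA command-accounting records that need review."""
    findings = []
    for line in lines:
        m = AAA_LINE.match(line)
        if not m:
            findings.append((line, "unparseable accounting record"))
            continue
        if SENSITIVE_CMD.match(m["cmd"]) and m["user"] not in CHANGE_ACCOUNTS:
            findings.append((line, "sensitive command by account not authorized for changes"))
        if m["src"] not in ADMIN_HOSTS:
            findings.append((line, "administrative session from outside the admin hosts"))
    return findings


def demo():
    """Run both checks over constructed records; returns the reasons each produced."""
    flows = [
        Flow("10.0.0.1", "10.2.0.10", 49, "tcp", 1200),        # router -> TACACS+ server: expected
        Flow("10.1.4.7", "203.0.113.5", 443, "tcp", 90000),    # workstation web traffic: expected
        Flow("10.0.0.1", "198.51.100.9", 443, "tcp", 48000),   # router -> external host: review
        Flow("10.1.4.7", "10.0.0.2", 22, "tcp", 3000),         # workstation -> switch SSH: review
    ]
    aaa = [
        "Jul 16 10:02:11 rtr-edge-1 user=netops-change src=10.2.0.20 cmd=configure terminal",
        "Jul 16 10:05:40 rtr-edge-1 user=svc-backup src=10.2.0.20 cmd=copy tftp: flash:",
        "Jul 16 23:48:02 rtr-edge-1 user=netops-change src=10.1.4.7 cmd=show version",
    ]
    return ([r for _, r in evaluate_flows(flows)], [r for _, r in evaluate_aaa(aaa)])


if __name__ == "__main__":
    flow_findings, aaa_findings = demo()
    print("flows:", *flow_findings, sep="\n  ")
    print("aaa:", *aaa_findings, sep="\n  ")
```

The value of this approach is that it needs no prior knowledge of an implant or its destination: a device that starts initiating connections outside its management profile stands out on its own, which is why the segment inventory and the list of management servers deserve the same change control as the devices themselves.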
Support for some of these efforts may be available as part of a Cisco Advanced Services contract. You may also consider:
- Using the Partner Locator Tool to identify and work with only authorized Cisco partners
- Engaging Cisco Services to determine the suitability of Cisco's traffic and threat-based products and services
Cisco's Brand Protection program is focused on the protection of your investment in Cisco technology. Learn more about avoiding the introduction of counterfeit products and unnecessary risk into your network on the Brand Protection website.
If you discover an anomaly or suspicious network activity, we recommend:
- Executing your company incident response plan
- Engaging local law enforcement
- Informing Cisco PSIRT through the Cisco Emergency Response process
All vulnerability-related information reported to Cisco will be investigated, managed, and disclosed in accordance with our Security Vulnerability program.
If you would like additional information about Cisco services focusing on product and network security, please contact your Cisco account team or the Cisco PSIRT.
For More Information
- Network integrity resources on the Cisco Security Intelligence Operations Portal
- Blog Post — Mark Chandler: Internet Security Necessary for Global Technology Economy (13 May 2014)
- Blog Post — John Stewart: Cisco Chief Security Officer on President Obama's Data Collection Speech (17 January 2014)
- Blog Post — John Stewart: Comment on Der Spiegel articles about NSA TAO Organization (29 December 2013)
| Revision | Date | Change |
|---|---|---|
| Revision 1.2 | 2014-July-17 | Added a link to network integrity resources on the Cisco Security Intelligence Operations Portal. |
| Revision 1.1 | 2014-July-16 | Included a link to the Cisco IOS XE Software Integrity Assurance white paper in the "Network Infrastructure Hardening" section and added a link to the Telemetry-Based Infrastructure Device Integrity Monitoring white paper in the "Monitoring and Analysis of Network Telemetry" section. |
| Revision 1.0 | 2014-May-16 | Initial version. |
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.