Customer Recommendations: Securing Your Network

Introduction

On 13 May 2014, a new book about the U.S. National Security Agency (NSA) was released. It includes allegations that the NSA has intercepted and tampered with technology products in transit from U.S. technology providers to customers, potentially including products intended for Cisco customers.

We take these allegations very seriously, and our Chief Executive Officer has communicated directly with leaders in the U.S. government to express our deep concern.

Our commitment to our customers is clear: as a matter of policy and practice, Cisco does not work with any government, including the U.S. government, to weaken or compromise our products. This document has been prepared to help you assess, secure, and manage your network.

Trustworthy Systems

We are proud of our global reputation as a trustworthy vendor, and we take industry-leading measures to safeguard the integrity, security, and reliability of our equipment.

Cisco's Trustworthy Systems initiative focuses on four key areas during product development:

  • A Secure Development Lifecycle: a repeatable, company-wide methodology for secure product development that mitigates the risk of vulnerabilities and increases product resiliency
  • Trust Anchor Technologies: deployed to assure customers that they are running genuine Cisco hardware and software, and to offer increased physical security protection for their networks
  • Next-Generation Encryption: adopted to promote improved security, enhanced performance, and consistency with global standards
  • Participation in government and international standards bodies to define and implement certifications, giving customers an objective measure of security

It also includes our interlocking practices and procedures to embed physical and logical security throughout our supply chain. At each node of the supply chain, we apply some combination of:

  • Physical security — Component-to-finished good traceability, real-time transport tracking, security checkpoints, segregation of high-value materials, and role-based access control
  • Logical security (rules-based) — Encrypted data transmission, material reconciliation, data destruction, and scrap handling processes
  • Security technology — Anti-counterfeiting chips, insertion of immutable identity during test, data extracting test beds, and tamper resistant labeling and packaging

We also validate supplier adherence to our security requirements in multiple ways, including physical audits, information security assessments, and embedding security into supplier ratings. The intended result of this validation process is continuous feedback, remediation, and enhancement.

The Cisco Product Security Incident Response Team (PSIRT) also operates an industry-leading security vulnerability disclosure program, while maintaining strong relationships with our customers, security researchers, and CERT organizations around the world.

Additional Resources

Cisco Assessment

Cisco has reviewed the most recent allegations, said to be sourced from a “June 2010 report from the head of the NSA's Access and Target Development department.” This document alleges that the NSA “intercepts and tampers with routers and servers manufactured by Cisco to direct large amounts of Internet traffic back to the NSA's repositories” through the installation of “beacon implants.”

Having reviewed this information, Cisco has concluded:

  • No information about specific Cisco products was included
  • No information about interdiction or implant techniques was included
  • No new security vulnerabilities were identified or disclosed

Customer Recommendations

Based on the generic information published, we recommend that Cisco customers focus on two areas: network infrastructure hardening, and monitoring and analysis of network telemetry.

Network Infrastructure Hardening

We recommend:

Monitoring and Analysis of Network Telemetry

We recommend:

  • Implementing supplemental instrumentation, focused on high-value network segments, devices, and individuals, to oversee network devices and enable traffic monitoring (Telemetry-Based Infrastructure Device Integrity Monitoring)
  • Categorizing network segments and IP address ranges based on the types of devices they contain and the network traffic expected from them (e.g., networking equipment, user workstations, servers, or wireless networks)
  • Implementing Cisco IOS NetFlow for visibility into traffic flows emanating from each portion of the network, for evaluation against expected traffic
  • Monitoring AAA log information on all network devices for unauthorized or unexpected access and for unexpected commands
  • Monitoring network device event logging to identify unexpected network device-level activity

Support for some of these efforts may be available as part of a Cisco Advanced Services contract. You may also consider:

Cisco's Brand Protection program is focused on protecting your investment in Cisco technology. Learn more about avoiding the introduction of counterfeit products, and the unnecessary risk they bring, into your network on the Brand Protection website.

For More Information

If you discover an anomaly or suspicious network activity, we recommend:

All vulnerability-related information reported to Cisco will be investigated, managed, and disclosed in accordance with our Security Vulnerability program.

If you would like additional information about Cisco services focusing on product and network security, please contact your Cisco account team or the Cisco PSIRT.

Additional Resources

Revision History

Revision      Date            Comment
Revision 1.2  2014-July-17    Added a link to network integrity resources on the Cisco Security Intelligence Operations Portal.
Revision 1.1  2014-July-16    Included a link to the Cisco IOS XE Software Integrity Assurance white paper in the "Network Infrastructure Hardening" section and added a link to the Telemetry-Based Infrastructure Device Integrity Monitoring white paper in the "Monitoring and Analysis of Network Telemetry" section.
Revision 1.0  2014-May-16     Initial version.

This document is part of Cisco Security Intelligence Operations.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
