Cisco is setting a new standard for resilient infrastructure by hardening networks against AI-era threats through stronger defaults, the removal of legacy vulnerabilities, and advanced security measures.
Cisco is raising the baseline security of our products. Across upcoming software releases default protections will increase, insecure legacy features will be retired, and new security capabilities will be added. Most changes apply to new installations, but some will require action on the systems you run today. We're committed to making this transition as seamless and non-disruptive as possible and will continue to update this page for the latest guidance and resources.
While these changes are ongoing, here’s what you can do today:
Inventory your products against their End of Vulnerability Support (EoVSS) and Last Day of Support (LDOS) dates and plan upgrades to current releases.
Apply the relevant Cisco hardening guide today to reduce your attack surface now and smooth the path to future hardened releases.
Identify and stop using features slated for deprecation. Subscribe to security and end of life notices to stay prepared.
Read below for planned enhancements to help you continuously raise your security posture.
Reduce exposure on supported Cisco products while your teams test and deploy the permanent patch. Cisco Live Protect uses Cisco-provided, Cisco-validated runtime protections to help close the operational gap between advisory disclosure and patch completion.
We’re committed to delivering quantum resilient infrastructure to protect your data today and prepare your network for the quantum challenges of tomorrow.
A core tenet of resilient infrastructure is disabling unused features by default and requiring customers to explicitly enable desired features. To reduce your attack surface and protect sensitive data, insecure features and protocols will be systematically deprecated and eventually removed from identified Cisco products. Our phased removal strategy is planned to span three feature releases to minimize disruption:
You will receive warnings when configuring key insecure features. We strongly recommend discontinuing their use immediately.
In subsequent releases, key insecure features will be disabled by default or require explicit administrator action to enable. Existing deployments will continue to function, but new installations will require intentional enablement. Some features on specific platforms may not have a restriction phase, with only warnings continuing for several releases before removal.
Obsolete features are planned to be removed entirely from future software releases. The timing of removal will vary based on user impact and adoption (e.g., widely adopted features like SNMPv2 will phase out more slowly than less-used ones).
We’re enforcing more secure-by-default settings to significantly reduce your attack surface and improve security posture. This includes disabling services like web servers, SNMP, and guest shell by default.
Understanding what’s changing and your role:
Enable Only What's Needed: As detailed in our hardening guides, enable only the services you truly need and apply appropriate safeguards, such as restricting management traffic to defined networks. Implementing these practices today is vital for immediate security and will streamline your upgrades when future releases enforce these secure defaults.
Best Practices Enforced: It is essential to generate strong cryptographic keys, use robust encryption for credentials, and disable exploitable features like proxy ARP. Future releases will enforce these and other critical best practices by default, with less secure options (e.g., weak ciphers) eventually removed.
Minimizing Disruption: Most default changes will apply primarily to new installations. Upgrade and downgrade considerations will be well documented, with communication plans informing you of impacts.
Prepare Today: The most effective way to prepare is to actively follow the guidance in Cisco’s hardening guides now.
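As an added illustration of the checks above (example code, not Cisco's own tooling), this Python script audits a constructed IOS-style running-config for the settings the list names: the HTTP management server, SNMP community strings, weak credential storage, proxy ARP, and vty lines with no source restriction, and shows the hardened form beside the weak one. The interface name, ACL name and secret hash are assumed placeholders.

```python
# Constructed IOS-style running-config fragments (not from the page).
WEAK_CONFIG = """\
ip http server
snmp-server community public RO
enable password cisco123
interface GigabitEthernet0/0
line vty 0 4
 transport input ssh
"""
# The same device after applying the hardening points above (also constructed).
HARDENED_CONFIG = """\
service password-encryption
enable secret 9 PLACEHOLDER-HASH
no ip http server
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 no ip proxy-arp
line vty 0 4
 access-class MGMT-NET in
 transport input ssh
"""

def parse_sections(config):
    """(header, [sub-commands]) pairs; indented lines belong to the line above."""
    sections = []
    for line in config.splitlines():
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections

def audit_config(config):
    """Findings for the insecure defaults discussed above (empty list = clean)."""
    sections = parse_sections(config)
    headers = {h for h, _ in sections}
    findings = []
    if "ip http server" in headers:
        findings.append("plaintext HTTP management server enabled")
    if "service password-encryption" not in headers:
        findings.append("service password-encryption not set")
    for header, cmds in sections:
        if header.startswith("snmp-server community "):  # community strings = SNMPv1/v2c
            findings.append(f"SNMPv1/v2c community string: {header.split()[2]}")
        elif header.startswith("enable password "):
            findings.append("enable password used instead of enable secret")
        elif header.startswith("interface ") and "no ip proxy-arp" not in cmds:
            findings.append(f"proxy ARP left enabled on {header[10:]}")
        elif header.startswith("line vty") and not any(c.startswith("access-class ") for c in cmds):
            findings.append(f"{header}: no access-class restricting management sources")
    return findings
```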
This page will be updated as these changes are released across the product portfolio, giving you time to prepare for these developments.
To help customers detect and respond to threat actors, this initiative significantly augments logging and monitoring capabilities across various products, generating richer telemetry for enhanced threat detection, forensic analysis, and compliance auditing.
Key enhancements include:
Default Logging Changes: Adjustments to default settings and new messages for security-significant events (e.g., critical configuration modifications like AAA or logging settings).
Best Practice Warnings: New logs to alert you when security best practices are not followed (e.g., insecure RADIUS/TACACS+ or unauthenticated NTP).
Expanded Visibility: Increased insight into guest shell environments and low-level operating system events.
Secure Time Synchronization: Enhancements to secure NTP, including support for Network Time Security (NTS), for accurate timestamps critical to effective logging.
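Added example, not from the page: detection logic run over constructed syslog lines that flags configuration commands touching the AAA, logging and NTP settings the list above calls security-significant, and distinguishes removal of a control from a change to it. It assumes the %PARSER-5-CFGLOG_LOGGEDCMD message shape emitted by IOS configuration-change logging; the device name, user and addresses are made up.

```python
import re

# Constructed syslog lines in the shape of IOS configuration-change logging
# (%PARSER-5-CFGLOG_LOGGEDCMD, emitted when 'archive / log config / logging enable'
# is set). Not real device output.
SAMPLE_LOGS = """\
Mar  1 10:00:01 edge-rtr-01 123: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:interface GigabitEthernet0/1
Mar  1 10:00:07 edge-rtr-01 124: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:no logging host 10.10.10.50
Mar  1 10:00:12 edge-rtr-01 125: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:no aaa authentication login default group tacacs+
Mar  1 10:00:15 edge-rtr-01 126: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:no ntp authenticate
Mar  1 10:00:20 edge-rtr-01 127: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (203.0.113.9)
"""

CFGLOG = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(\S+)\s+logged command:(.*)$")

# Command prefixes the page treats as security-significant (AAA, logging, NTP, SNMP, credentials)
SENSITIVE = ("aaa ", "logging ", "ntp ", "snmp-server ", "tacacs", "radius", "username ", "enable ")

def classify(command):
    """Return a reason string if a logged config command is security-significant, else None."""
    cmd = command.strip()
    negated = cmd.startswith("no ")
    body = cmd[3:] if negated else cmd
    if not body.startswith(SENSITIVE):
        return None
    if negated:
        return f"removal of security control: {cmd}"
    return f"change to security control: {cmd}"

def detect(log_text):
    """Walk syslog lines and return (user, command, reason) for events worth alerting on."""
    alerts = []
    for line in log_text.splitlines():
        m = CFGLOG.search(line)
        if not m:
            continue  # other message types (e.g. CONFIG_I) are not config commands
        reason = classify(m.group(2))
        if reason:
            alerts.append((m.group(1), m.group(2).strip(), reason))
    return alerts
```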
Authentication protocols like TACACS+ and RADIUS are increasingly targeted by threat actors. Legacy implementations, relying on MD5 and pre-shared keys, are vulnerable. To counter this, Cisco is significantly enhancing device authentication security:
You can act today as we roll out product enhancements. Hardening guides provide detailed recommendations and best practices to protect sensitive data and enhance device resilience.
These are actions customers can and should take today to protect your network and prepare for upcoming changes.
Cisco strongly recommends running the latest software releases to ensure the strongest security. Avoid using products near or past their End of Vulnerability Support (EoVSS), as no new security fixes are provided beyond this point, leaving your systems exposed. The Last Day of Support (LDOS) marks the final date for any updates or support. Proactive patching and lifecycle management are essential to keep your environment protected.