The Register recently reported on a Cisco security advisory about vulnerabilities in its Network Building Mediator product, which is used to integrate and remotely control a building's HVAC and physical security systems over a network:
Multiple vulnerabilities exist in the Cisco Network Building Mediator (NBM) products. These vulnerabilities also affect the legacy Richards-Zeta Mediator products. This security advisory outlines details of the following vulnerabilities:
- Default credentials
- Privilege escalation
- Unauthorized information interception
- Unauthorized information access
NBM is part of a Cisco push to convince enterprises to run everything, including HVAC and physical access control systems, over a single enterprise network. Sort of the way the HAL computer controlled everything in the spaceship in the movie “2001: A Space Odyssey”…
Gartner analyst Joe Skorupa recently published a research note, “Myth: A Single FCoE Data Center Network = Fewer Ports, Less Complexity and Lower Costs”, pointing out a lot of the overhype around converged networks:
- Don’t assume that a single converged Fibre Channel over Ethernet (FCoE) network is desirable, or even feasible.
- Standards for building large, scalable, Layer 2, converged Ethernet backbones are at least a year away. Products proven to be interoperable are much further off.
- Combining storage area network (SAN) and local-area network (LAN) traffic on a single backbone network increases costs and complexity.
- Organizational issues often dwarf the technical issues surrounding network convergence.
- Staff reductions are unlikely to be feasible even if physical networks are converged.
- Maintaining two separate data center networks doesn’t mean you can’t use the same technology for both.
From a security perspective, segmentation and zoning have enormous and constantly proven advantages. In many cases, logical segmentation is fine, but in the real world there are still a lot of good reasons for physical separation as well, not the least of which is the continuing stream of serious software vulnerabilities such as those Cisco has announced. What looks elegant on the brochure isn’t always what leads to business benefit, let alone reasonable risk.