Why Cisco owes us

So I’m back for round 2, much later than I thought I would be. Let’s just say that having a 4-week-old infant in the house and trying to start the Internet’s most rockin’ infosec and “in the trenches” IT blog isn’t easy.

So today I want to gripe a little about Cisco, the company sysadmins everywhere love to hate. I guess it was easy for them during the Internet boom; they could build networking hardware that was difficult to configure and manage because they were the only game in town. I’m sure this was great when the Internet mostly consisted of Gopher connected to university libraries and about a dozen dinosaur pictures on the web. People didn’t mind waiting 3 days for their connections while the engineers got approval to pay Cisco’s huge phone support fees to figure out why their interface wouldn’t come up, or tried to sort out whether the problem was with the telco, the hardware, the engineer, the janitor, or Monica Lewinsky.

Fast forward to today. I went to install an 1801 router bridged to a DSL connection. Pretty easy day 1 stuff, right? Not anymore. I start configuring the device, logging in with the default username and password of cisco and cisco, and figure “hey, I’ll change it later after I get the connection up”. I walk away to take a lunch break after doing about 20 minutes of good solid programming, returning to find that you can use the cisco ID ONCE. If your session times out and you didn’t change it, time to go back to defaults. Thank goodness I hadn’t written my changes to flash yet, or I would have gone through the long, arduous ROMMON defaulting process, costing my customer more time and money. A quick reboot of the router and I was ready to start over.

This time I changed the user ID and password, having learned from my previous mistake. I assigned my public static IP and my default route to the appropriate FastEthernet interface and was ready to start configuring my internal connectivity. I try to assign an IP to one of the 8 other interfaces on the unit, only to be greeted by an error stating this was a Layer 2 port and couldn’t be assigned an IP. Of course! Why would I want a router that could be attached to TWO networks at once? Isn’t the basic definition of a router to route traffic between TWO or more networks? A quick trip to Experts Exchange revealed you have to take a port and place it in a separate VLAN, assign that VLAN an IP, and change the access mode of the port. I’m sure this is all in the name of security, to prevent traffic from the outside hitting your other internal hosts attached to the router, but to me this seems like trying to cram features that should be performed on the firewall into the router. Cisco makes firewalls… good ones too… why would they want to discourage people from buying them???

So after that snafu, I finished my setup and tested my configuration. Worked like a charm on the first try. I decided to go ahead and enable telnet access so I could pop back into the router from the internal network later and finish a few things (Yes, I know I should be using SSH, but I need a quick and dirty solution that I can hit from any workstation). I did the usual line vty 0 4 config and added a login statement. Swing and a miss! Seems now Cisco adds an access list by default preventing telnet traffic from hitting the router.
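For reference, here is the whole 1801 workflow from the two paragraphs above (replace the default account, WAN port, switchport-to-VLAN-to-SVI dance, and vty access) written out as IOS configuration. This is an added example, not the post’s own config; interface names, VLAN id, addresses, the ACL number and the SSH-instead-of-telnet choice are assumptions.

```text
! Added example (not from the post). Assumed: FastEthernet0 is the routed
! WAN port, FastEthernet1-8 are the Layer 2 switchports, VLAN 10 is the LAN,
! addresses are documentation/RFC1918 ranges, ACL 23 is an arbitrary number.
!
! 1. Replace the one-shot cisco/cisco account first, so a timed-out session
!    does not send you back to ROMMON defaults.
username admin privilege 15 secret <strong-password-placeholder>
no username cisco
!
! 2. WAN side: the routed port takes the public static IP and default route.
interface FastEthernet0
 ip address 203.0.113.10 255.255.255.248
 no shutdown
ip route 0.0.0.0 0.0.0.0 203.0.113.9
!
! 3. LAN side: a Layer 2 switchport refuses "ip address". Put the ports in a
!    VLAN as access ports and give the address to the VLAN interface (SVI).
vlan 10
interface range FastEthernet1 - 8
 switchport mode access
 switchport access vlan 10
 no shutdown
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 no shutdown
!
! 4. Remote management: the vty lines carry an access-class, so "login"
!    alone is not enough; permit only the internal subnet and prefer SSH
!    (transport input telnet would restore the post's quick-and-dirty path).
access-list 23 permit 192.168.10.0 0.0.0.255
ip domain-name example.invalid
crypto key generate rsa
line vty 0 4
 access-class 23 in
 login local
 transport input ssh
!
! 5. Only now commit to flash.
end
write memory
```

`crypto key generate rsa` prompts for a modulus size interactively; the SSH transport will not accept connections until that key exists.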

The point of all this… Cisco owes me one for putting up with this crap. Yes, I applaud them for trying to make their products more secure, but security is an all or nothing game. If they’re so worried about security that they are making things take twice as long to set up, why not use a more regular patching cycle to plug gaping security holes faster? I encourage everyone to check out this article. Notice the HUGE gap between patch releases. Can you imagine the chaos this is going to cause when admins try to apply 6 months’ worth of fixes to their hardware at once? It’s more incentive to NOT do it (Are you listening, Oracle???).

In addition, Cisco owes me $375 for failing the CCNA 3 times. In what real world scenario could you possibly be expected to program routers at 4 sites with automatic routing updates in under 7 minutes? Despite the fact that I have designed complex voice routing, connectivity, and failover solutions using Cisco hardware, I can’t call myself a qualified technician because I can’t meet the purely ridiculous requirements of their exam. If it was just me I could buy that I’m just a crappy test taker (despite having passed all my MCSE exams, Security+, Linux+, and CEH tests on the first try), but EVERYONE has problems with this test, including guys who are a lot smarter than me.

So in conclusion, these are my arguments that Cisco owes the IT community as a whole better products. The next time a vendor comes peddling Cisco, take a look at some of the other options on the market before taking the plunge.
