While Juniper Networks has some explaining to do in regard to a security breach on its ScreenOS software for firewalls, Cisco made hay out of Juniper’s misfortune by proclaiming on Monday that it has no similar security issues.
Cisco’s Anthony Grieco, senior director of the security and trust organization, writes in his blog that customers are asking questions about Cisco’s security measures. The fact that a competitor had to issue a security alert to fix a back-door breach, which allowed administrative access to a firewall as well as decryption of the VPN traffic running through it, certainly provides enough fodder for Cisco to get on its security soapbox.
Among other assurances, Grieco writes that Cisco has a “no back door” policy and that it has no indication of unauthorized code in its products. Prior to last week, Juniper probably would have made the same claims.
Perhaps more importantly, Grieco says that Cisco is conducting an additional review of its products to look for similar intrusions, which should be standard operating procedure for other vendors as well.
Vendors, companies, and institutions don’t typically know when they’ve been breached, so it’s easy to say there’s no problem today.
Or to quote a comment on Grieco’s blog (which was subsequently removed):
Can you confirm that you have not (yet) received any NSL or anything similar to suppress any potential findings? Can you confirm that you have not (yet) received any NSL or anything similar to add any backdoors (or similar) into any device ever shipped by you? Can you confirm that you do not (yet) know of any backdoor ever added to any of your devices, aside from what we know from the Snowden leaks?
For now, Juniper, which is facing an FBI investigation into the breach that goes back three years, is the poster child for increased scrutiny. At some point, another company will take its place.