Transcript

Cisco IOS Naming Conventions and Versioning
Presentation Intro
Presented by: Ross Barrett
Reverse Engineer and Developer
Vulnerability and Exposure Research Team (VERT)
nCircle Network Security
Presented to: TASK (Tuesday, March 27, 2007)
http://www.task.to/events/past.php
© Toronto Area Security Klatch 2007
www.TASK.to
Outline
 Introduction
 Cisco IOS History and Major Versions
 Understanding Complex Version Strings
 Relating a version string to a Cisco Security Advisory
 Summary and References
Introduction
What is Cisco IOS?
Cisco IOS, or simply “IOS”, is the brand name for Cisco Systems’ Internetwork Operating System.
Cisco IOS is the software running on most Cisco networking products.
Since the 1990s Cisco has released more than 1500 revisions of IOS.
As a result, the IOS naming scheme has grown quite complex.
IOS 12.1 and 12.2 Release Trains
IOS Security
Cisco has issued more than 100 security advisories relating to IOS.
Correctly relating the IOS versions present on your network to Cisco advisories enables security administrators to:
 Identify “at risk” systems
 Avoid false positives
Basic IOS Versioning
Each Cisco IOS release is uniquely identified by a major revision number, a maintenance revision, and a release train. In the slide’s example, 12.2(4)T:
 12.2 is the major revision number
 (4) is the maintenance revision
 T is the release train
Mainline releases do not have a release train letter.
IOS Release Trains
Consolidated Technology Early Deployment (CTED)
Release train “T”, branched from the mainline.
Specific Market Early Deployment (SMED)
Release trains identified by a single letter other than “T” (“S”, “E”, “B”, etc.), branched from the mainline.
Specific Technology Early Deployment (STED)
Release train has two letters (e.g. BA, BB, BC), branched from the “T” train.
Experimental Early Deployment (XED)
Release train has two letters; the first letter is “X”, “Y”, or “Z”. Increments from XA for each major release. Branched from the “T” train.
Complex IOS Version Strings
12.3(10e)
The 5th rebuild (represented by “e”) of the 10th revision of the IOS 12.3 mainline.
12.3(14)YM8
The 8th revision of the 39th XED train (XA through XZ, then YA through YM), branched from the 14th revision of IOS 12.3.
12.2(15)MC2c
The 3rd rebuild (“c”) of the 2nd revision of the 3rd release (“C”) in the “M” STED train, branched from the 15th revision of IOS 12.2.
12.2(17d)SXB5
The 5th revision of the 2nd XED train (“XB”) branched from 12.2(17d)S.
IOS Security Advisories
The flaw is fixed in 12.3(11)T10 but still exists in 12.3(14)T6.
A higher maintenance number is not evidence that a fix is present: 12.3(14)T6 belongs to a different branch of the T train than the 12.3(11)T rebuild that carries the fix, so each release has to be checked against the fixed-in version for its own branch.
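As an added worked example (not part of the original slides), the following Python parser decomposes version strings of the form shown on the “Complex IOS Version Strings” slide into major revision, maintenance revision, rebuild letter, release train, train release and train rebuild, classifies the train as mainline, CTED, SMED, STED or XED using the rules from the “IOS Release Trains” slide, computes the XED ordinal (YM is the 39th), and applies the advisory rule from the slide above: a release is reported as fixed only if the advisory lists a fixed release on the same major/train/maintenance branch, so 12.3(14)T6 comes back as unknown (treat as at risk) rather than fixed when the fix is in 12.3(11)T10. The regular expression, the IOSVersion class and the function names are this example’s own; it follows the general convention and does not model exceptions such as 12.0(2)W5.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Version strings follow the convention on the slides:
#   MAJOR(MAINTENANCE[rebuild])[TRAIN][train release][train rebuild]
# e.g. 12.3(10e), 12.3(14)YM8, 12.2(15)MC2c, 12.2(17d)SXB5. Whitespace ("12.2 (4) T")
# is stripped first. Exceptions such as 12.0(2)W5 ("W5" is the train) are not modelled.
_VERSION_RE = re.compile(
    r"^(?P<major>\d+\.\d+)"
    r"\((?P<maint>\d+)(?P<rebuild>[a-z]*)\)"
    r"(?P<train>[A-Z]*)(?P<trel>\d*)(?P<trebuild>[a-z]*)$"
)


def _letters_to_ordinal(letters: str) -> int:
    """Rebuild letters to a number: '' -> 0, 'a' -> 1, 'e' -> 5 (base-26 for longer runs)."""
    value = 0
    for ch in letters:
        value = value * 26 + (ord(ch) - ord("a") + 1)
    return value


@dataclass(frozen=True)
class IOSVersion:
    major: str            # "12.3"
    maintenance: int      # the number in parentheses
    rebuild: str          # letter after the maintenance number, e.g. "e" in 12.3(10e)
    train: str            # "" for mainline, "T", "S", "MC", "YM", "SXB", ...
    train_release: int    # number after the train letters, 0 if absent
    train_rebuild: str    # letter after the train release, e.g. "c" in 12.2(15)MC2c

    @property
    def train_kind(self) -> str:
        """Classify the train as the slides do."""
        t = self.train
        if t == "":
            return "mainline"
        if t == "T":
            return "CTED"
        if len(t) == 1:
            return "SMED"
        if t[-2] in "XYZ":          # XA..ZZ, or S + XB for SXB branched from the S train
            return "XED"
        return "STED"

    @property
    def xed_ordinal(self) -> Optional[int]:
        """XED trains count from XA: XA=1 ... XZ=26, YA=27 ... YM=39. None for other kinds."""
        if self.train_kind != "XED":
            return None
        first, second = self.train[-2], self.train[-1]
        return (ord(first) - ord("X")) * 26 + (ord(second) - ord("A")) + 1

    @property
    def branch(self) -> tuple:
        """The line a rebuild belongs to: same major, same train, same maintenance number."""
        return (self.major, self.train, self.maintenance)

    @property
    def level(self) -> tuple:
        """Ordering within one branch: mainline rebuild, then train release and its rebuild."""
        return (_letters_to_ordinal(self.rebuild), self.train_release,
                _letters_to_ordinal(self.train_rebuild))


def parse_ios_version(text: str) -> IOSVersion:
    m = _VERSION_RE.match(re.sub(r"\s+", "", text))
    if not m:
        raise ValueError(f"not an IOS version string: {text!r}")
    return IOSVersion(
        major=m["major"],
        maintenance=int(m["maint"]),
        rebuild=m["rebuild"],
        train=m["train"],
        train_release=int(m["trel"]) if m["trel"] else 0,
        train_rebuild=m["trebuild"],
    )


def compare_same_train(a: IOSVersion, b: IOSVersion) -> Optional[int]:
    """-1, 0 or 1 when a and b share major and train; None otherwise (apples and oranges)."""
    if (a.major, a.train) != (b.major, b.train):
        return None
    ka, kb = (a.maintenance,) + a.level, (b.maintenance,) + b.level
    return (ka > kb) - (ka < kb)


def is_fixed(version: IOSVersion, first_fixed: list) -> Optional[bool]:
    """True/False when the advisory lists a fixed release on the version's own branch.
    None when it does not: a later maintenance number (12.3(14)T6 against a fix in
    12.3(11)T10) is no evidence of the fix, so the caller should treat None as at risk."""
    for fixed in first_fixed:
        if fixed.branch == version.branch:
            return version.level >= fixed.level
    return None
```

Usage: with `fixed_in = [parse_ios_version("12.3(11)T10")]`, `is_fixed(parse_ios_version("12.3(11)T10"), fixed_in)` is True, `is_fixed(parse_ios_version("12.3(11)T9"), fixed_in)` is False, and `is_fixed(parse_ios_version("12.3(14)T6"), fixed_in)` is None. The deliberately conservative choice is that `is_fixed` never infers a fix from a higher maintenance number or from a different train; an advisory’s fixed-in list has to be loaded per branch, and any device whose branch is not listed is reported as unknown for a person to resolve.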
Conclusion
Running a mainline release is not necessarily any more secure than an XED release.
 XED releases may contain undisclosed flaws.
Comparing versions with different major revision numbers or release trains is comparing apples and oranges.
There are exceptions to the naming conventions (e.g. version 12.0(2)W5, where “W5” is the release train).
References
Cisco IOS Releases: The Complete Reference, Mack M. Coulibaly, Cisco Press, 2000
Related paper: http://www.cisco.com/en/US/tech/tk869/tk769/technologies_white_paper09186a00800a998b.shtml
The IOS roadmap (c. 2004): http://www.cisco.com/warp/public/620/roadmap.shtml
QUESTIONS?
Summary
- IOS is widely deployed and runs critical network infrastructure.
- There have been more than 1500 revisions of IOS in the past decade.
- Every version of IOS has a major release identifier, a revision number, and a release train (mainline releases carry no train letter).
- Cisco has released more than 100 security advisories relating to IOS.
- The relationships between IOS versions can be difficult to understand because they do not follow a single linear progression.
- It is important for security and network administrators to correctly relate the security advisories to the versions of IOS running on their network.
- Cisco security advisories generally identify the vulnerable major release versions and release trains and provide a migration path to the next version where the flaw is fixed and functionality has been maintained.
- Correctly interpreting security advisories relating to IOS allows admins to identify “at-risk” systems and avoid false positives (F+).