network barometer report 2013 A gauge of global networks readiness to support business

Transcription

1 network barometer report 2013 A gauge of global networks readiness to support business

2 The 2013 edition of Dimension Data s annual Network Barometer Report presents the aggregate data from 233 Technology Lifecycle Management Assessments conducted by Dimension Data in 2012 for its clients around the world. The Report reviews networks readiness to support business by evaluating the lifecycle status of the discovered network devices, potential security vulnerabilities and operating system version management. The metrics provided in this Report are obtained from the automatic, electronic collection of data from these Assessments (not from a survey). The Report is available for download from networkbarometer What you need to know about... Dimension Data Founded in 1983, Dimension Data plc is an ICT services and solutions provider that uses its technology expertise, global service delivery capability, and entrepreneurial spirit to accelerate the business ambitions of its clients. Dimension Data is a member of the NTT Group. It has designed, built and manages over 8,500 IP networks worldwide to enable more than 12.5 million users to connect to their organisations networks. Dimension Data has delivered over 1,200 Technology Lifecycle Management Assessments to date.

3 table of contents 1. Introduction 1 2. Research results Technology lifecycle management Security vulnerabilities Operating system environment Conclusion 17 Appendix A: Sample distribution 18 By geography 18 By industry vertical 20 By organisation size 22 Appendix B: Notes on findings and information 24 Dates and trend information 24 Averages and frequency distributions 24 Data collection and analysis 24

4 list of figures Figure 1 2 The access network 80:20 moving to 20:80 Figure 2 3 Moving to 20:80 how do the costs and benefits compare? Figure 3 5 Percentage of devices beyond EoS, by region Figure 4 6 Percentage of devices beyond EoS, by industry vertical Figure 5 7 Lifecycle milestone distribution of devices at EoS and beyond global Figure 6 9 Percentage of devices with PSIRTs, by region Figure 7 14 PSIRTs identified per year Figure 8 18 Node count by region Figure 9 19 Assessments by region Figure Assessments by country Figure Node count by industry vertical Figure Assessments by industry vertical Figure Percentage of devices with PSIRTs by industry vertical Figure Node count by organisation size Figure Assessments by organisation size Figure Percentage of devices with PSIRTs, by organisation size Figure Percentage of devices beyond EoS, by organisation size

5 list of tables Table 1 4 Cisco s technology lifecycle status milestones Table 2 11 NVD vulnerability severity ratings Table 3 12 Top 10 PSIRTs and their penetration in 2012 Table 4 15 Unique versions of Cisco IOS across networks Table 5 16 Major versions of Cisco IOS across networks

6 1. introduction Disruptive technology trends such as enterprise mobility and cloud computing, combined with the move to ICT outsourcing, are changing the way organisations deliver and consume ICT services. Consequently, the IT infrastructure as we know it will need to undergo a facelift to accommodate these changes. It will be a necessary and radical adjustment, but it won t happen overnight. In fact, many of the changes we predicted in previous years Network Barometer Reports are occurring slower than expected. This could be as a result of either ongoing economic pressure, or a sit-back-and-wait attitude to see how these technology trends and consumption models evolve... or perhaps a combination of both. As Bill Gates once wrote: We always overestimate the change that will occur in the next two years, and underestimate the change that will occur in the next 10. Don t let yourself be lulled into inaction. 1 For example, in the previous Report, we predicted rapid network architecture adjustment in support of the growing bring your own device (BYOD) and enterprise mobility demands. Dimension Data still holds the view that enterprise mobility will inevitably and dramatically change the structure of networks. Today, most campus networks consist of approximately 80% wired ports serving individual users, and 20% wireless LAN (WLAN) ports supporting multiple users. But users simply don t want to be tethered to their desks any longer and, as a result, organisations are under growing pressure to facilitate enterprise mobility. So, the network of the future, which will be accessed predominantly wirelessly, will require most of its ports perhaps every port to support power over Ethernet and gigabit Ethernet. Pervasive wireless access will also have an impact on the uplink environment. Since there will be fewer access switches serving end users, more bandwidth will be required from the access switch into the core network. Yet, today, our results show that just under half of all access switches support power over Ethernet (up slightly from 43% a year ago), while a little under a third support gigabit Ethernet (up slightly from 23% a year ago). More significantly, only 13% of the access switches we discovered support 10 gigabit uplinks. These three requirements will likely compel clients to accelerate the refresh of their networks access layer in order to meet the needs of enterprise mobility and BYOD. We always overestimate the change that will occur in the next two years, and underestimate the change that will occur in the next 10. Don t let yourself be lulled into inaction. Bill Gates 1 Bill Gates, The Road Ahead,

7 Figure 1: The access network 80:20 moving to 20:80 Current - Traditional wired and wireless access networks wireless networks wired network (100 ( devices) users) cabling (1 cabling (140 point per access point) points) smartphones IP phones Wireless LAN controller 48 Port LAN switches tablets laptops printers video endpoints security systems Future - Predominantly wireless access networks 48 Port LAN switch with built in controller wireless networks ( devices) cabling (1 point per access point) smartphones tablets laptops printers video, etc wired network (10 users) cabling (20 points) video endpoints (some could be wireless) security systems Networks that are predominantly wireless will cost far less to roll out than the traditional, wired networks they ll be replacing. They ll also create a strong foundation for lower operational costs because they ll be easier to manage, provide unified access, and require less power and cooling. We predict that the combination of these factors, in addition to pressure from end users, will eventually turn the 80:20 ratio on its head so that future networks will be 80% wireless and 20% wired. 2

8 Figure 2: Moving to 20:80 how do the costs and benefits compare? Current traditional wired and wireless access networks USD 300,000 Wired network and wireless network for a 5-floor building with 100 users per floor cabling (140 points) plus 10 points for wireless access points 3 x 48-port switches fibre distribution switch (for 5 floors) install and configuration services wireless LAN controller (partial cost) Pros/cons fixed number of ports per switch each port dedicated to a single user Future predominantly wireless access networks USD 120,000 Wireless network for a 5-floor building with 100 users per floor cabling (30 points) including some wired for security systems etc. 1 x 48-port switches (with integrated controller function) fibre distribution switch (for 5 floors) install and configuration services Pros/cons lower power consumption lower cooling lower support costs flexible support due wireless healing secure As this year s Network Barometer Report will show, the percentage of network devices past end-of-sale has increased slightly, continuing the trend we ve seen over the last several years. While these results aren t surprising (as discussed in section 2.1), we believe organisations should be cautious not to forget the network as they plan for major architectural trends. For example, Dimension Data s growth in wireless networking has been more than 30% for the past several years. However, deploying n access points is a necessary, but not sufficient, strategy for delivering enterprise mobility. A thoroughly considered approach to refreshing the underlying routing, switching and security infrastructure is also needed. This is the fifth consecutive year that Dimension Data has published a Network Barometer Report. During the 2012 calendar year, we conducted 233 Technology Lifecycle Management Assessments covering organisations of all sizes, from all industry sectors, and across all geographies. The results of these Assessments are presented in this Report. A review of the sample covered in the Report can be found in Appendix A 3

9 2.1 research results This Report will analyse the information obtained from these Assessments and, where relevant, offer some comparative analysis. In order to draw a year-on-year comparison, where possible, we ve displayed these results alongside the findings of the four previous Reports. The 2013 Report analyses networks readiness to support business by reviewing the lifecycle status of network devices and their security vulnerabilities. The Report also contains a section on the operating system environment and the software versions within it, and its relevance to the overall lifecycle management of a network. The conclusion provides recommendations applicable across all sections, which are based on proven best practice engagement methodologies. 2.1 Technology lifecycle management What you need to know about... The Technology Lifecycle Management Assessment This ICT infrastructure asset assessment service from Dimension Data discovers installed assets on the network, identifies their lifecycle statuses, determines maintenance coverage, and flags potential security vulnerabilities. The Assessment ensures that organisations don t expose themselves to unnecessary risk, by assisting with the alignment of their IT infrastructure to configuration, security and patch management best practices. The Assessment is automated and isn t based on a survey. Click here for more information. What you need to know about... Technology lifecycles In order to establish the age and viability of technology assets, most vendors have standardised end-of-life milestones through which they progress their products towards obsolescence. Cisco uses six technology lifecycle milestones that run from futureend-of-sale (FEoS), which marks the announcement of the lifecycle milestone dates, through to lastday-of-support (LDoS),which is the date after which its Technical Assistance Centre (TAC) will no longer support the product. Technology beyond end-of-sale (EoS) status must be regarded as an ageing asset and will be increasingly unsupportable and exposed to risk as it progresses towards LDoS. All six lifecycle milestones are shown in Table 1. Table 1: Cisco s technology lifecycle status milestones Risk Future-end-of-sale (FEoS): all lifecycle milestones are announced End-of-sale (EoS): date after which you can no longer buy the product End-of-engineering (EoE): date after which no more features will be added End-of-software-maintenance (EoSWM): date after which any new bugs found will not be patched End-of-contract-renewal (EoCR): date after which a renewal contract on that product can t be purchased Last-day-of-support (LDoS): date after which Cisco TAC will no longer support the product Low Low/Medium Medium Medium/High High High 4

10 Figure 3: Percentage of devices beyond EoS, by region 47% 37% 38% 37% 44% 44% 39% 39%40% 40%35% 34% 40% 53% 56% 42% 41% 38% 35% 45% 38% 59% 55% 43% 38% 35% 48% 45% 30% 22% Americas Asia Australia Europe Middle East & Africa Average This year s results show that the number of devices that have progressed to EoS and beyond (Figure 3) has risen by 3% overall from 45% to 48%. This continues the upward trend we ve seen over the last three years. The increase in the percentage of devices past EoS isn t surprising, given the continued sluggish macroeconomic conditions we ve seen globally during As noted in the 2012 Report, the dramatic increase in devices beyond EoS we saw in 2011 from 38% to 45% was driven primarily by Cisco progressing a large portion of its portfolio to EoS to make way for newer products. So, a large portion (70%) of devices that were EoS or beyond was no older than EoS a lifecycle stage that carries a relatively low risk for organisations. For devices at this stage, businesses can expect the same Cisco TAC support and software bug fixes for at least two to three more years. It seems as though this low-risk status, combined with the lack of refresh for architectural reasons, has led to the higher EoS figures this year. (More about the architectural approach later in this section.) Regional results mirror the global figures: every region, except Europe, has shown either the same or higher EoS percentages than last year. Delving deeper into the regional figures, we found that Europe s improvement was due mainly to a single Assessment conducted at a large financial services provider that represented as much as 40% of the European financial services sample. This assessment had an inordinate number of current IP phones, which resulted in a very low EoS of 12%. Removing this Assessment from the European sample (which is reasonable, given that IP phones aren t critical to the functioning of the broader network) puts Europe s EoS figure at a more realistic 44%. This is still an improvement over last year, but it s far less dramatic. 5

11 Figure 4: Percentage of devices beyond EoS, by industry vertical Automotive and manufacturing Business services Construction and real estate Consumer goods and retail Financial services Government, healthcare and education Media, entertainment and hospitality Resources, utilities and energy Service providers and telecommunications Technology Travel and transportation Average 25% 23% 22% 34% 32% 28% 35% 35% 33% 34% 41% 40% 40% 38% 41% 46% 48% 49% 49% 50% 48% 55% 60% 54% 56% 36% 38% 50% 46% 55% 26% 48% 34% 51% 44% 18% 22% 30% 28% 29% 38% 37% 43% 48% 44% 45% 40% 44% 37% 41% 35% 38% 43% 47% 47% 47% 45% 48% 54% 61% In terms of market sectors, the results are mostly consistent with regional outcomes. Most sectors showed either the same amount of, or more, devices at EoS or beyond. The largest increases came from travel and transportation, and consumer goods and retail traditionally, two sectors that are particularly sensitive to economic slowdown and closely tied to reductions in gross domestic product. When times are tough, consumers buy and travel less, which puts pressure on revenues in these businesses, leaving them less to spend on refreshing their network infrastructures. Two sectors did show improvement: financial services, and automotive and manufacturing. Financial services improved slightly from 56% last year to 48% this year. Upon further inspection, however, we discovered that the same Assessment that skewed the regional results for Europe also had an obscuring influence here. This Assessment covered about 10% of the entire financial services sample, and eliminating it from the sample set produced a higher percentage of 51% of devices at EoS or beyond. This is more in line with last year s results, indicating little progress in network refresh in financial services overall. At first glance, one might also find the improved lifecycle status of network devices in the automotive and manufacturing industry surprising. Similar to consumer goods and retail, and travel and transportation, this sector is sensitive to tough economic conditions. But it s important to keep in mind that this improvement comes after two years of lagging behind all other sectors in terms of network refresh. It could be argued, then, that this is less a dramatic improvement in and of itself, and more an indication of automotive and manufacturing finally catching up with the rest of the sectors in refreshing its networks. 6

12 What you need to know about... Selective sweating of assets Organisations sometimes intentionally choose not to refresh certain devices that may have progressed to older lifecycle stages beyond EoS. This may be because they ve assessed that these devices aren t carrying missioncritical traffic, so the risk is low, should the devices break down. This approach, however, requires a high level of visibility over the network estate and a thorough understanding of which devices to sweat in relation to their individual risk profiles. Figure 5: Lifecycle milestone distribution of devices at EoS and beyond global 18% 1% EoS 23% 58% EoE EoCR LDoS Vendor influence It s important to keep in mind that vendors exert a great influence over the lifecycle status of devices. As mentioned before, Cisco prepared for technology trends such as BYOD, enterprise mobility, unified communication and collaboration, virtualisation, and cloud computing, by revamping its entire Borderless Networks portfolio in 2009/10. So it intentionally progressed a larger-than-usual portion of its product models to EoS in order to make way for new and improved versions. This has been the reason for the steady increase in devices at EoS over the past few of years. As a rule of thumb, a device has approximately two to three years from the time it reaches EoS to when it reaches EoE or EoSWM and then another one to two years before it reaches LDoS. This explains why an unusually high percentage (70%) of devices that were EoS and beyond last year were no older than EoS. Figure 5 shows that percentage has dropped slightly to 58% this year as these devices steadily move to LDoS. More importantly, the number of devices that were at the later, riskier lifecycle stages of EoE or EoSWM and LDoS more than doubled from 8% to 23% and from 9% to 18%, respectively. Given that it s been approximately 18 months since Cisco started progressing older devices to EoS, and there s growing pressure to prepare network architectures for disruptive technology trends such as enterprise mobility, BYOD, virtualisation and cloud computing, refresh initiatives should accelerate in the next two to three years. 7

13 An architectural approach... or not? A more detailed analysis of the specific technologies that organisations are choosing to refresh supports our view that businesses aren t taking an architectural approach to refreshing their networks yet. We made this argument in our introduction, stating that enterprise mobility seems not to have been enough of a catalyst for refreshing network access switches thus far. Our results with respect to data centres seem to support a similar conclusion. With an architectural approach, we d expect to see a corresponding growth in the inclusion of device types geared towards accommodating virtualisation for example, Cisco s range of Nexus switches. The Ethernet switch market has fragmented over the last few years, resulting in the emergence of specialist network devices for the data centre. These data centre switches have special features and capabilities, and deliver high performance to support modern application workloads and virtualised data centres. Cisco s Nexus family of products are designed primarily as data centre switches. Of all the network switches we discovered through our Technology Lifecycle Management Assessments, 2.2% were data centre switches. Of these, less than half were from the Nexus family of products. The majority of data centre switches were from older product ranges such as the Cisco Catalyst These older switches don t provide the features and functionality required in tomorrow s data centres. In addition, the majority of older switches have reached EoS and beyond, and are introducing risk into a key area of organisational networks. We predict that the percentage of purpose-built data centre switches will increase rapidly over the coming years as network architectures in data centres evolve to support related organisational needs. Data centre switching solutions comprised one-third of Dimension Data s Ethernet switching revenues over the last 12 months, versus two-thirds from user access switching solutions. Our view is that organisational data centre and campus switching infrastructure will normalise to the same ratio as data centre networks are refreshed. Interestingly, 8% of the specialist data centre switches that were discovered were software virtual switches. This shows a migration from hardware to software switches to enable improved support for virtualised environments. The virtual machine is the building block for virtual data centres and cloud computing, so an important success factor in the transition to these computing models is the ability of the network to support virtual machines. Software virtual switches are one way of enabling the network to treat traffic flowing to and from virtual machines in the same way as it treats traffic from physical servers. This functionality is fundamental to the success of dense server virtualisation and cloud computing projects, and we expect to see exponentially higher numbers of software virtual switches in the years ahead. In summary We saw: For the third year in a row, the percentage of devices past EoS has increased and is now at the highest level in the five years in which Dimension Data has been publishing the Network Barometer Report. Organisations are also selectively sweating more of these devices to reach riskier, older lifecycle stages. Organisations aren t upgrading their networks for enterprise mobility and BYOD environments as aggressively as expected, but this will inevitably change to accommodate the new structure of future networks (see the Introduction). Organisations have started to upgrade their data centre networks, but are still at an early stage of the transition. Upgrades will remain an area of focus as data centre modernisation projects continue to drive the data centre agenda. We advise: Think, plan and budget architecturally, rather than reactively, when refreshing your network. The pressure to provide a more flexible, wireless environment conducive to enterprise mobility and BYOD will only grow stronger in years to come. 8

14 2.2 Security vulnerabilities What you need to know about... PSIRTs PSIRT stands for Product Security Incident Response Team. In the context of this Report, however, the term is used to refer to a software vulnerability that s been identified by Cisco after extensive lab testing and research. Each PSIRT has a unique number and denotes a particular operating system weakness that may also pose a security risk. Hackers may discover and exploit such vulnerabilities in a network. This can lead to a denial of services, or allow the hacker to gain further access. The more PSIRTs identified on a device or in a network, the higher the risk of a security breach based on the increased attack surface available to exploit. Organisations have learnt over the years that only some devices with PSIRTs are worth the effort and disruption to patch. This is in line with Dimension Data s continued advice to ensure the device and its vulnerability are critical enough to remedy. It s simply not practical to patch every PSIRT. It s best to focus these efforts on vulnerabilities that represent the largest threats. For example, the closer a device is situated to the Internet, the higher the risk. Figure 6: Percentage of devices with PSIRTs, by region 85% 80% 65% 55% 46% 67% 52% 82% 76% 66% 80% 74% 73% 72% 33% 68% 69% 61% 50% 27% 74% 59% 84% 89% 78% 73% 38% 73% 75% 67% Americas Asia Australia Europe Middle East & Africa Average

15 Figure 6 shows that client networks were only marginally less vulnerable than in the previous two years, with the percentage of devices with PSIRTs dropping from 75% last year to 67% this year. In fact, while last year was statistically better than the year before, we don t see this improvement as significant. All regions except Australia improved in terms of PSIRT penetration. We ve also noticed a strong correlation between EoS and PSIRT percentages: Europe, Asia and Middle East & Africa (MEA) all showed similar or improved EoS figures compared to the previous year, while also reducing their PSIRT penetration. Likewise, Australia declined in both respects. The PSIRT performance by market sector was similar to the regional results with most sectors showing marginal improvements. In particular, automotive and manufacturing, and financial services showed two of the largest improvements in PSIRT penetration, while also being the only two sectors to have improved their EoS percentages. Perhaps more important than a regional or market sector analysis to explain PSIRT penetration, is the fact that there s a single PSIRT that continues to be so prevalent as to serve as a floor through which PSIRT penetration levels struggle to break. Which PSIRT was the most common? PSIRT was the most common PSIRT for the third year in a row. It was present in 66% of all devices in 2010, dropped to 47% in 2011, and rose again to 62% in Why is PSIRT still so persistent, even as a known vulnerability over the last four years? There are a few possible reasons for this: PSIRT occurs in a wide range of Cisco products and across multiple Cisco operating systems. Patches are available in later versions of Cisco s Internet Operating System (IOS), but most devices with software vulnerability revisions remain unpatched. The location of these devices in the network may have an influence. This vulnerability would present more risk in places where the device borders a perimeter, for example, an Internet gateway. The combination of these factors will sustain high PSIRT penetration levels until such time as the IOS versions to which PSIRT applies are progressed to end-of-life and then refreshed. What you need to know about... PSIRT Transmission Control Protocol (TCP) State Manipulation DoS Vulnerability The most common PSIRT in this year s results was first identified by Cisco in 2009 and is present in an unusually high number of devices. This vulnerability allows an attacker to manipulate the state of a connection to the device in a manner that keeps it open past its intended state. This could cause the device to be unable to accept new connections in highly utilised networks, which could, in turn, lead to a denial of service. Denial-of-service conditions can result in the vulnerable device becoming unresponsive to service requests, which may lead to a network outage. In order to restore the network, the device may require a reboot. Cisco has rated this vulnerability with a CVSS score of 7.8 a score that s assigned to many of Cisco s vulnerabilities. (Also see Common Vulnerability Scoring System or CVSS.) Dimension Data recommends applying the security patch, where possible, to address this vulnerability. For more information and links to download the security patch, refer to the Cisco advisory page. What you need to know about... Dimension Data s Technology Lifecycle Management Assessment for Security and PSIRTS Dimension Data s Technology Lifecycle Management Assessment for Security provides PSIRT analysis and prioritisation according to where the devices are positioned in the network. This helps you decide which PSIRTs you should patch, and which can be safely left unchanged without adding risk. Click here to find out more. 10

16 What you need to know about... Common Vulnerability Scoring System (CVSS) The CVSS provides a framework for the characteristics and impacts of IT vulnerabilities. Its quantitative model ensures repeatable, accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the scores. CVSS is well suited as a standard measurement system for industries, organisations, and governments that need accurate and consistent vulnerability impact scores. Two common uses of CVSS are prioritisating vulnerability remediation activities and calculating the severity of vulnerabilities discovered on an organisation s systems. The National Vulnerability Database (NVD) provides CVSS scores for almost all known vulnerabilities. NVD suggests severity rankings of Low, Medium, and High in addition to the numeric CVSS scores. Table 2: NVD vulnerability severity ratings CVSS base score Risk Low Medium High After PSIRT , the next three most prevalent PSIRTs have CVSS scores that rank as a High severity (Table 2) and were only announced in the past year. They were also present in a significant percentage of networking devices (20-25%) so that even if PSIRT were removed from the networking environment, PSIRT penetration would probably remain in the 40-50% range. After PSIRT , the next three most prevalent PSIRTs have CVSS scores that rank as a High severity and were only announced in the past year. 11

17 Table 3: Top 10 PSIRTs and their penetration in 2012 Top 10 PSIRTs and their penetration 2012 Count % of total CVSS score Date announced TCP State Manipulation DoS Vulnerability ,115 62% 7.8/6.4 1 September 2009 Cisco IOS Software Command Authorization Bypass null Cisco IOS Software Network Address Translation Vulnerabilities Cisco IOS Software Multicast Source Discovery Protocol Vulnerability null Cisco IOS Software Multiple Features Crafted UDP Packet Vulnerability ,813 29% March ,299 25% September ,187 25% March ,763 22% Cisco IOS Cross-Site Scripting Vulnerabilities ,868 19% February 2009 Cisco VLAN Trunking Protocol Vulnerability ,481 18% November 2008 Cisco IOS Software Multiple Features IP Sockets Vulnerability Cisco IOS Software Tunnels Vulnerability CSCsx ,366 16% 8,823 15% 6.8/ September 2009 What you need to know about... PSIRT Cisco IOS Software Command Authorization Bypass First reported to Cisco by its customers in 2012, this vulnerability allows the potential manipulation of the device to escalate privileges (authorisation levels) for authentication, authorisation, and accounting (AAA) authorisation. A working HTTP or HTTP server must run on the device in order to fully exploit the vulnerability. Abuse of HTTP and HTTPS vulnerabilities can lead to a disruption in service, or unauthorised access to the network. Dimension Data security experts have used HTTP or HTTPS vulnerabilities similar to this to gain sensitive access to the network during simulated penetration tests. Cisco has rated this vulnerability with a CVSS score of 8.5, which represents a significant risk if some mitigation factors aren t implemented. These may include patching the device, disabling the HTTP and HTTPS servers, or implementing access lists so only certain trusted source addresses can access the Web server. Dimension Data recommends disabling HTTP and HTTPS services from border devices such as those that face the Internet. For more information and links to download the security patch, refer to the Cisco advisory page. 12

18 What you need to know about... PSIRT Cisco IOS Software Network Address Translation Vulnerabilities First identified by Cisco in 2011 during internal testing, this set of vulnerabilities may result in a denial-of-service condition on the device when Network Address Translation (NAT) is used in conjunction with a number of protocols including Lightweight Directory Access Protocol and Session Initiation Protocol. Denial-of-service conditions can result in the vulnerable device becoming nonresponsive to service requests, which may lead to a network outage. Cisco has rated this vulnerability with a CVSS score of 7.8 a score that s assigned to many of Cisco s vulnerabilities. There are a number of workarounds to remediate this issue besides applying a security patch. These involve disabling the translation of embedded IP addresses in the payload of IP packets; however, these workarounds are subject to the protocols affected. Dimension Data recommends applying a security patch, where possible, to address this vulnerability, especially where NAT is used. For more information and links to download the security patch, refer to the Cisco advisory page. What you need to know about... PSIRT Cisco IOS Software Multicast Source Discovery Protocol Vulnerability First identified by Cisco in 2012 during troubleshooting of customer service requests, this vulnerability may result in the device configuration being reloaded when a multicast protocol is used on devices which are configured as part of a multicast group relationship. Similar to PSIRT , this advisory may also lead to a denial-of-service condition, which can result in the vulnerable device becoming unresponsive to service requests, and a network outage. Cisco has rated this vulnerability with a CVSS score of 7.1. It s considered a lower risk than command authorisation bypass and NAT vulnerabilities. In addition, multicast configurations are typically not as prevalent and widespread in a network and should, therefore, present a lower risk, especially in highly protected network areas. There are a number of workarounds to remediate this issue besides applying a security patch to the device. These involve enabling the device to ignore multicast announcements, or removing untrusted peers. Dimension Data recommends applying the security patch where possible to the address this vulnerability. For more information and links to download the security patch, refer to the Cisco advisory page. 13

19 Figure 7 illustrates again as in past Reports that PSIRTS arise every year, requiring organisations to be vigilant and implement a process for constantly evaluating, prioritising and patching network vulnerabilities. Figure 7: PSIRTs identified per year Operating systems and vulnerability The lion s share of devices with at least one PSIRT (24,000 of the 38,000 devices) ran Cisco IOS version This is roughly the same percentage as in the previous year. It also correlates with the fact that IOS version 12.2 is the most prevalent operating system, running on 44% of all devices in 2011 and 40% in So, it would seem that, once version 12.2 reaches end-of-life and newer versions of Cisco IOS are released, the percentage of PSIRTs should drop in the short run. In summary We saw: Network devices are slightly less vulnerable this year 67% had PSIRTs. For the third year running, the most common vulnerability was PSIRT it was linked to 62% of all devices. Its continued ubiquity and difficulty to remedy create a floor through which PSIRT penetration levels struggle to break. Cisco IOS version 12.2 is particularly prone to PSIRTs and is a popular version of Cisco IOS as well. We advise: Even though networks currently seem to have fewer vulnerabilities and the most prevalent of PSIRTS is practically impossible to remedy new vulnerabilities are identified each year, so it s unwise to be complacent. It s expensive, disruptive and impractical to patch every PSIRT rather focus your efforts on vulnerabilities that pose the greatest risk, for example, devices closest to the Internet. 14

20 2.3 Operating system environment What you need to know about... Cisco IOS IOS stands for Internet Operating System and refers to the software used in the vast majority of Cisco network devices. There are multiple versions of this software, and the more there are in a network, the more complex the organisation s environment becomes. More versions of Cisco IOS usually means more challenging planning and remediation processes, more security vulnerabilities, more configuration errors and a more varied lifecycle status across all network devices. For the purposes of this analysis, a major version of Cisco IOS is a version denoted with only one digit following the decimal of the version number. For example Cisco IOS version 12.1 is a major version. If there are any further digits (for example Cisco IOS version ) the version is deemed minor or unique. Generally speaking, a minor or unique version has been customised from a major version to suit a client s particular environment. Table 4 illustrates the level of Cisco IOS standardisation in client networks by showing the number of unique versions of Cisco IOS found through our Technology Lifcecycle Management Assessments. The data shows a remarkable consistency with that of the past couple of years where approximately 40-45% of discovered devices were part of networks containing fewer than 30 unique versions of Cisco IOS. Table 4: Unique versions of Cisco IOS across networks Unique versions of IOS % of total Devices covered % of total Assessments Assessments % of total Devices covered % of total % 17,323 24% % 14,868 25% % 11,636 16% 39 17% 12,361 21% % 19,109 26% 29 13% 8,677 15% % 16,740 23% 14 6% 15,892 27% % 7,358 10% 4 2% 6,934 12% 15

21 This result is also consistent in terms of major versions of Cisco IOS: 56% of all devices in the sample were part of networks with up to seven major versions of Cisco IOS, compared with 50% last year as displayed in Table 5 below. Table 5: Major versions of Cisco IOS across networks Major versions of IOS Unique versions of IOS % of total Devices covered % of total Unique versions of IOS Assessments Assessments % of total Devices covered % of total % % % % % % % % % % % % % % % % Given that there are marginally more devices at EOS or beyond across all networks, and slightly fewer PSIRTs across all devices, it follows that Cisco IOS version management would stay relatively constant. So it seems as though the year 2012 could be characterised as one in which organisations networks were deemed good enough to meet their current requirements, especially against the backdrop of sluggish economic growth. Looking at their networks, businesses may have realised that, while many devices are approaching obsolescence, they could still sweat several years of useful life from these devices, particularly given that most are no older than EoS. So organisations saw no urgent need to refresh and standardise. In fact, neither obsolescence nor architectural considerations are currently driving refresh cycles with any level of significance, as organisations seem satisfied with the less-than-perfect status quo. However, over the next few years, as devices move towards LDoS and the requirements for enterprise mobility and cloud or virtualisation become even more pressing, we expect accelerated refresh rates. Organisations would be well served by using the refresh cycle as an opportunity to analyse and further standardise their Cisco IOS environment in order to minimise deployment and operational issues when new services and architectures are implemented. In summary We saw: There s no great move towards standardisation of Cisco IOS versions this year, as the figures pertaining to both unique and major software versions have remained fairly stable from the previous year. These results, in conjunction with the slightly higher number of devices at EoS and beyond, plus the slightly lower number of PSIRTs, seem to indicate that organisations are still adopting a wait-and-see approach to refreshing and standardising their networks. We advise: Fewer versions of Cisco IOS in your network is still better, even though it s impossible to standardise 100%. 16

22 3. conclusion The 2013 Network Barometer Report has shown that today s corporate networks contain fewer devices that have been refreshed recently and are only slightly less vulnerable in terms of security. Networks are also at more or less the same level of software standardisation as last year. We question whether organisations are following an architectural approach to preparing their networks for disruptive technology trends particularly enterprise mobility and BYOD, and virtualisation or cloud computing which exert ever-growing pressure on organisations to change, worldwide. Effective infrastructure management and network planning ensure that IT is able to meet the needs of the organisation at a tactical and strategic level, with additional benefits in terms of cost, asset optimisation and security. Dimension Data concludes that a technology lifecycle management approach will address key architecture, security and configuration issues. We recommend that this approach include six stages: Initiate: determine the impact of the network technology lifecycle. The first stage involves a business discussion about the network s technology lifecycle, and the organisation s existing and best-fit longer-term network architecture, considering risk, cost and strategic factors. Discover: gather network data. This stage incorporates business and technical reviews with stakeholders to ensure the relevant information is collected. An asset list is required at this stage and if the organisation doesn t have an up-to-date list, a network scan will be required to create one. Dimension Data recommends a Technology Lifecycle Management Assessment to help identify lifecycle milestones as well as security and configuration issues. Construct: perform a gap analysis and develop recommendations. Here, the discovery data is analysed against security, configuration and end-of-life databases as well as checked for maintenance coverage status. There are automated tools to perform this task and the Technology Lifecycle Management Assessment service achieves this for Dimension Data clients. A technology roadmap will be created, based on the prioritised recommendations from the analysis. This will include configuration remedies as well as security and maintenance recommendations. Recommend: consult and present the recommendations and roadmap. This consultative stage includes a formal report, sharing the findings and recommendations, based on risk, cost and strategic factors, with shareholders. A collaborative discussion follows to develop an action plan based on this information. Execute: execute the plan, based on recommendations. IT operations will then execute the plan by allocating resources or working with a third party to address the security and network remedies that are required, reviewing maintenance and support contracts, and/or planning for equipment upgrades. As this is a multi-year planning approach, some steps are likely to be taken in future financial periods as the organisation s needs dictate. Improve: execute this discipline on an ongoing basis. Networks and markets are dynamic. Configurations will drift from best practice standards over time and additional deployed products will enter the manufacturer s obsolescence lifecycle. In order to ensure the benefits of this approach over time, repeat Assessments should be considered. 17

23 appendix a: sample distribution This appendix provides details about the sample data set used for the information in this report. Dimension Data conducted 233 Technology Lifecycle Management Assessments during 2012, covering 59,837 devices. By geography Combining the Australian figures with those of Asia Pacific, we saw a larger representation from this broader region, which had 42% of devices, compared with last year s 24%. This is mainly due to Dimension Data conducting more Technology Lifecycle Management Assessments in Australia during When combining European figures with those of the Middle East & Africa to form EMEA, this year s results show a slight drop in representation from this geography (56% versus 50%). Representation from the Americas has reduced significantly (20% to 8%). Overall, these figures indicate that the trend towards a more even spread between the East and the West, seen over the previous two years, has continued in In the first few years of the Report, the data was more heavily weighted towards EMEA. Figure 8: Node count by region 19% 8% 17% America 31% 25% Asia Australia Europe Middle East & Africa 18

24 Figure 9: Assessments by region 13% 6% 27% America Asia 33% Australia Europe Middle East & Africa 21% Figure 10: Assessments by country Australia Belgium Brazil China Czech Republic France Germany Hong Kong India Indonesia Italy Japan Luxembourg Malaysia Mexico Netherlands New Zealand Philippines Singapore South Africa Spain Switzerland Taiwan UK US Thailand 19

25 By industry vertical There hasn t been a significant change in the breakdown by industry vertical the top four verticals by device count are the same for the second year running: consumer goods and retail (22%), financial services (20%), automotive and manufacturing (14%) and government, healthcare and education (13%). Figure 11: Node count by industry vertical Automotive and manufacturing 6% 5% 4% 14% Business services Construction and real estate 7% 0% 5% 4% Consumer goods and retail Financial services Government, healthcare and education 13% Media, entertainment and hospitality 22% Resources, utilities and energy 20% Service providers and telecommunications Technology Travel and transportation Figure 12: Assessments by industry vertical Automotive and manufacturing 7% 10% 5% 12% 8% 3% Business services Construction and real estate Consumer goods and retail Financial services 7% 2% 10% Government, healthcare and education Media, entertainment and hospitality Resources, utilities and energy 20% 18% Service providers and telecommunications Technology Travel and transportation 20

26 Figure 13: Percentage of devices with PSIRTs by industry vertical Automotive and manufacturing Business services Construction and real estate Consumer goods and retail Financial services Government, healthcare and education Media, entertainment and hospitality Resources, utilities and energy Service providers and telecommunications Technology Travel and transportation Average 9% 29% 39% 53% 54% 55% 66% 63% 84% 80% 78% 73% 72% 80% 92% 27% 29% 29% 39% 38% 40% 37% 49% 43% 40% 38% 47% 55% 65% 61% 73% 73% 74% 71% 76% 67% 70% 67% 63% 67% 65% 83% 81% 80% 75% 77% 85% 74% 75% 81% 67% 73% 73% 75% 67% 82% 75% 89% 91% 91% By organisation size What you need to know about... Organisation size Dimension Data classifies organisations as follows: small fewer than 100 users medium greater than 100, but fewer than 500 users large greater than 500, but fewer than 2,500 users enterprise greater than 2,500 users Broken down by organisation size, this year s results are once again weighted towards large and enterprise organisations, which reflects Dimension Data s target client base. 21

27 Figure 14: Node count by organisation size 5% 1% Enterprise Large Medium 94% Figure 15: Assessment by organisation size 11% Enterprise 30% Large 59% Medium 22

28 Figure 16: Percentage of devices with PSIRTs, by organisation size 100% 71% 74% 75% 67% 77% 63% 71% 70% 64% 74% 75% 59% 55% 60% 80% 73% 73% 75% 67% 47% 38% 22% 17% Enterprise Large Medium Small 0% Average Figure 17: Percentage of devices beyond EoS, by organisation size 45% 46% 48% 41% 35% 44% 41% 39% 38% 33% 37% 41% 48% 34% 50% 43% 48% 45% 43% 38% 35% 25% 17% 18% Enterprise Large Medium Small 0% Average

29 appendix b: notes on findings and information Dates and trend information The information published in the 2013 Network Barometer Report was gathered during the 2012 calendar year through Technology Lifecycle Management Assessments Dimension Data conducted for 233 clients around the world. Information from previous year s reports (the Network Barometer Report 2009, 2010, 2011, 2012) was gathered during the 2008, 2009, 2010 and 2011 calendar years. Averages and frequency distributions In most of the charts that are presented, the percentages given are: the average across the sample, or the average across a segment of the sample Charts will include headers such as Percentage of devices and Average number of... to indicate this. Data collection and analysis The Technology Lifecycle Management Assessment is a highly automated service that uses technology tools to scan clients networks and a centralised portal to analyse the information gathered from these scans. All information is gathered and analysed using a standardised process and analysis framework. 24

30 Middle East & Africa Asia Australia Europe Americas Algeria Angola Botswana Congo Burundi Democratic Republic of the Congo Gabon Ghana Kenya Malawi Mauritius Morocco Mozambique Namibia Nigeria Oman Rwanda Saudi Arabia South Africa Tanzania Uganda United Arab Emirates Zambia China Hong Kong India Indonesia Japan Korea Malaysia New Zealand Philippines Singapore Taiwan Thailand Vietnam Australian Capital Territory New South Wales Queensland South Australia Victoria Western Australia Belgium Czech Republic France Germany Italy Luxembourg Netherlands Spain Switzerland United Kingdom Brazil Canada Chile Mexico United States For contact details in your region please visit