As the saga of Nortel Networks winds down to its messy endgame, managers of networks using the company’s switching equipment need to start thinking very carefully about security implications. Will their networks be more vulnerable? How will they be vulnerable? And what must they do in the short and longer terms to protect themselves?

We asked analysts and consultants and heard a range of answers. But all agreed there is cause for grave concern.

New threats to enterprise network infrastructure do not arise as frequently as threats to servers and desktops. “Once every six months as opposed to every six minutes,” says Richard Stiennon, founder and principal at IT-Harvest, a research firm in the US that focuses on IT security.

If you look only at direct threats to the switching gear itself, they “tend to be very minimal,” says James Quin, a senior research analyst at Info-Tech Research Group Inc. “They don’t come up very quickly at all.”

But James Arlen, a Toronto-based security consultant and principal author of the respected LiquidMatrix IT security blog, points out that besides the engineering faults that create vulnerabilities in a specific product or product line, security problems can emerge elsewhere in the network that require a response from equipment vendors. These include faults in widely used libraries – the vulnerability revealed last summer in the Internet’s Domain Name System (DNS) is an example – and possible flaws, as yet undiscovered, in routing and switching protocols such as VPNs and Multi-Protocol Label Switching (MPLS).

Poorly protected networks: should Nortel shops be concerned?

Hackers, either inside or out, could gain access to routing tables and reroute a company’s data, resulting in disruption, chaos and loss of confidential information.
Distributed denial of service attackers could either use your network to attack someone else, resulting in compromised network and company integrity, or target you, resulting in network downtime and lost business.

Should Nortel shops be worried near-term? “I don’t think so, no,” Quin says. “As long as you’re maintaining your infrastructure with the current version of the operating system. As long as you’re making sure you are not using default passwords.” And as long as Nortel exists in any form, or even if its network equipment division is sold lock, stock and barrel to another vendor, it’s unlikely “critical” vulnerabilities would go unpatched for long, Quin believes.

But Arlen, again, takes a more pessimistic view. “I think they almost have to be,” he says. “If only because they’re not going to have the guaranteed response to those widespread faults that they might want.”

With Nortel in bankruptcy protection, service level agreements may still be in force, depending on the language in the contracts. If they’re not, Arlen says big companies with lots of installed equipment may be able to “scream” loudly enough that even an under-resourced Nortel would respond in the event of a security emergency. But would it be able to quickly deliver a well-tested fix? “Maybe, maybe not,” he says.

It’s also known that the best and brightest employees have already left the company. “It’s obvious to anyone that Nortel has been a bit of a sinking ship for a long time,” says Arlen. That may mean it has not been able to maintain the kind of “secure development life cycle” that would minimize product-specific engineering flaws, Arlen suggests. Stiennon says much the same.
“The real concern is that because Nortel hasn’t really been doing much over the last four years of its decline, its products are long in the tooth when it comes to having security capabilities.”

Also, while historically criminal hackers have not targeted infrastructure from specific vendors, it is known that they are more likely to target user companies in the throes of a merger or acquisition, when their guards may be down, Stiennon says. “So a savvy attacker might start looking for Nortel gear and attacking it because Nortel is not in a good position to respond right now.”

Another thing to keep in mind in the short term: hackers, ethical and otherwise, sometimes save revealing – or exploiting – newly discovered vulnerabilities until late summer, when Las Vegas hosts conferences for both corporate IT security and hacking communities. “If there’s a flaw in one of the big routing or switching protocols or a wide scale flaw of one of the other types, that’s the time you’re going to see it,” Arlen says. And the end of summer isn’t so far off. The concern is “if someone is cooking up something absolutely brilliant from an oops-I-broke-the-internet standpoint, and it lands on you at a time when Nortel is unable to respond or unable to respond adequately.”

If the risks and threats in the short term are to some extent hypothetical, it’s clear that the more time passes, the more real and pressing they become. “Obviously in the longer term, the likelihood is that the frequency of operating system patches will decrease,” Quin says. “And you do get to a point where patch frequency is so protracted that you’re faced with an increasing risk factor.”

What to do?
“At some point,” Quin says, “the organization has to sit down and say, ‘Okay, there’s increased risk.’ Then you have to decide to accept it or mitigate it.”

Quin’s focus is mainly on the network core, the big switches, where Nortel is more likely to play, because, as he points out, all of a company’s data passes through the core. While accepting or merely mitigating the risk of security breaches in core switches may seem a poor option, bolstering defenses at the edge can be an adequate response, he suggests.

“Here’s an analogy,” Quin says. “Let’s say I’m a bank and I can’t lock the vault properly anymore. I can’t go to the people who made it because they’re out of business. But I can make sure the doors on my building have better locks and that I have a better monitoring system to detect breaches. So the vault can’t stop thieves, but peripheral things can.”

This may in fact be the only possible response for many companies, given that new “vaults” from Cisco Systems to replace now potentially vulnerable Nortel core switches can cost as much as $100,000 each. And many Fortune 1000 companies will need several, Quin points out.

So, first priority: bolster defenses at the edge. And if you have Nortel gear there too? “You’re going to have to replace your edge switching and routing architecture in a hurry,” Arlen says. “I’m not necessarily so worried about the core – the crunchy-on-the-outside-soft-and-squishy-on-the-inside network model is still the preferred version.”

That said, Arlen does not recommend making quick decisions on such things. For one thing, the correct response – and the timing of that response – will depend in part on Nortel’s fate: if and how it’s broken up and sold, and to whom. “It’s probably over-cautious to replace everything wholesale until we know what happens to Nortel,” he says. The trouble is, it’s not even clear when we will know that.
In the meantime, Nortel shops should at the very least begin to do something akin to succession planning, to figure out what steps they will need to take to bolster network security under various scenarios, Arlen says. What if Juniper Networks or Cisco or Oracle Corp or Hewlett-Packard buys all of Nortel or part of it? What if nobody does? As Arlen notes, the list of companies that might acquire Nortel or some of it is a small one.

Stiennon believes Nortel shops should be laying firm plans now to replace all gear at the edge. It may not be possible to do this in six months – by which time he believes the risk/threat environment will have deteriorated enough for real concern. “But they should have plans in place by then. They should have finished product evaluation and architecting.”

Leaving aside core switches, even the cost to migrate away from Nortel at the edge could be substantial – $700,000 to $1.8 million for many Fortune 1000 companies, Stiennon guesstimates.

The business case for bailing on Nortel

Is there a business case for full migration off of Nortel gear? For some companies, the cost in lost revenues and remediation from one outage could be more than the bill for a wholesale replacement of edge network gear, he suggests. “It’s good insurance.”

The saving grace for many companies, Arlen says, is that they went through a big push to upgrade network infrastructure about five years ago. “So it’s probably time for another big network push anyway.”

Now may also be the time to re-evaluate approaches to network security, Stiennon says. Companies that use Nortel network gear are already “way behind” on security matters because the company has neglected this area, he points out. “The good news is that so have all routing and switching companies.” We’re not sure that’s exactly good news. But Stiennon’s point is that networks based on Nortel gear are not in much worse shape – yet – than other networks.
And third-party IT security products and services can fill the security gaps left by Nortel or any other network equipment maker. “The best of breed products are all from third parties,” he says.

Stiennon’s top pick: Fortinet Inc. It offers a suite of well-integrated security capabilities that cover “the whole range of the seven different things you should be doing.” Those include firewalls, VPN, inline content filtering, malware download blocking and intrusion prevention.

Stiennon estimates that two thirds of companies already use security products and services from third-party organizations. The rest, which rely on the native security features of their network equipment, now also need to explore third-party options, he suggests.

Another possibility: outsourcing, to companies such as VeriSign, ePerimeter Security, Nuspire and AT&T. “It’s a great way to very quickly get enhanced security in front of the older equipment,” Stiennon says. Including Nortel gear.