Cisco recently issued a security advisory about several serious vulnerabilities in its wireless LAN controllers, including DoS, privilege escalation, and ACL bypass vulnerabilities. These flaws could allow attackers to modify your controller’s configuration or bypass your ACLs—so if it were my network, I’d certainly want a fix.
Cisco issued software updates, but they’re no quick fix. Here’s what I’d need to do before I could download the new release:
- Follow Cisco’s instructions on the command line to determine which software version is running on my controller.
- Verify if my software version is an affected release. If it is, confirm which versions are “fixed” and note the “recommended release.”
- Download and install the patch.
The real kicker is what I’m signing up for when I actually install the patches. From Cisco’s advisory:
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release… Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.
We don’t mean to pick on Cisco here, and we certainly aren’t implying that one vendor’s products are more secure than another’s. With any complex system, bugs and security patches will happen. But the customer experience of dealing with these patches for traditional, behind-the-firewall appliances like wireless controllers is a royal pain. At best, they result in headaches, downtime, and frustration. At worst, administrators miss patches altogether, and their systems are vulnerable. Fortunately, The Cloud points to a better way.
The Cloud Controller, like other cloud applications such as Gmail and Salesforce.com, is always up to date. We push out new features, bug fixes, performance improvements, etc. several times a day. This is completely invisible to the customer, save for new features appearing from time to time. (How we do this, and maintain quality, is pretty interesting, but we’ll save that for another post.)
But what about the firmware running on our APs? They aren’t in the cloud… Are they resigned to the fate of traditional patch management?
Fortunately, an AP that can be managed from the cloud can also be upgraded from the cloud, seamlessly and automatically. Our Cloud Controller knows with certainty that all of the Meraki access points deployed around the world are up to date, with the latest features, fixes, and yes, security patches.
Since we can install firmware seamlessly, over the web, we’ve been able to release new firmware every three months or so, continually delivering new features to our customers. We just did one, in fact – with firmware support for application-aware traffic shaping.
Here’s what our customers saw in their dashboard before the update:
Customers can let the upgrade happen on its own, schedule it when they want it, or click “Upgrade Now” to get it right away. It’s worth noting that the upgrade process was engineered to be completely fault tolerant. Say, for example, you lose power in the middle of a firmware update. No problem, the AP will boot up with its previous firmware once power is restored. This technology has let us do quarterly upgrades for four years straight and keep customers happy.
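The fault tolerance described above (an interrupted firmware write leaves the AP booting its previous image) is usually achieved with two flash slots and an atomic boot-pointer flip. The following Python model is an added example, not Meraki's AP code; the slot layout, chunk size, hash-only manifest (a real device would also verify a signature) and the simulated power cut are all constructed assumptions.

```python
"""Simulated A/B (dual-image) firmware update with atomic commit.

Constructed example: two flash slots, one active. The new image is written
to the inactive slot, verified against a manifest hash, and only then does
a single boot-pointer flip make it active. A power cut before the flip
leaves the old image in charge; the flip itself is modelled as atomic.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional

CHUNK = 64  # bytes per simulated flash-write operation (constructed value)


class PowerLoss(Exception):
    """Raised to simulate the AP losing power mid-write."""


@dataclass
class Slot:
    image: bytearray = field(default_factory=bytearray)
    digest: str = ""  # SHA-256 recorded at commit time; "" means not bootable


@dataclass
class APFlash:
    slots: Dict[str, Slot] = field(default_factory=lambda: {"A": Slot(), "B": Slot()})
    active: str = "A"  # the boot pointer; changing it is the commit step

    def inactive(self) -> str:
        return "B" if self.active == "A" else "A"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def install_initial(flash: APFlash, image: bytes) -> None:
    """Factory-program slot A; no update logic involved."""
    slot = flash.slots["A"]
    slot.image = bytearray(image)
    slot.digest = sha256_hex(image)
    flash.active = "A"


def upgrade(flash: APFlash, image: bytes, manifest_digest: str,
            cut_after_bytes: Optional[int] = None) -> bool:
    """Write `image` to the inactive slot; commit only if it verifies.

    `cut_after_bytes` simulates a power cut once that many bytes have been
    written. Returns True if the new image became the active one.
    """
    target = flash.slots[flash.inactive()]
    target.digest = ""  # slot is not bootable while it is being rewritten
    target.image = bytearray()
    for off in range(0, len(image), CHUNK):
        if cut_after_bytes is not None and off >= cut_after_bytes:
            raise PowerLoss(f"power lost after {off} bytes")
        target.image += image[off:off + CHUNK]
    # Verify the bytes that actually landed in flash, not the download buffer.
    if sha256_hex(bytes(target.image)) != manifest_digest:
        return False  # corrupt or tampered image: never commit it
    target.digest = manifest_digest
    flash.active = flash.inactive()  # atomic commit: a single pointer flip
    return True


def boot(flash: APFlash) -> bytes:
    """Boot the active slot, falling back to the other if it fails to verify."""
    for name in (flash.active, flash.inactive()):
        slot = flash.slots[name]
        if slot.digest and sha256_hex(bytes(slot.image)) == slot.digest:
            flash.active = name
            return bytes(slot.image)
    raise RuntimeError("no bootable image")


if __name__ == "__main__":
    V1 = b"firmware-v1 " * 20  # constructed stand-in images
    V2 = b"firmware-v2 " * 20
    ap = APFlash()
    install_initial(ap, V1)
    try:
        upgrade(ap, V2, sha256_hex(V2), cut_after_bytes=100)
    except PowerLoss as e:
        print("interrupted:", e)
    print("boots", boot(ap)[:11].decode(), "from slot", ap.active)
    upgrade(ap, V2, sha256_hex(V2))
    print("boots", boot(ap)[:11].decode(), "from slot", ap.active)
```

The property worth noting is that every state the device can be in between flash writes is bootable: the slot being written is marked unbootable first, the old slot is never touched, and the only irreversible step is one pointer write after verification succeeds.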
We’re excited about how this system has not only eliminated headaches for our customers, but has also enabled us to innovate much faster. We hope to see this architecture spread to other types of infrastructure, so patch management nightmares some day become a thing of the past.