Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Quantifying risk of waiting vs. upgrading for router vulnerabilities

  • From: Pete Kruckenberg
  • Date: Mon Jan 31 03:06:39 2005

After another long week of dealing with "upgrade now or die"
vulnerabilities, I'm wondering...

Is there data or analysis that would help me quantify the risks of
waiting (while I plan and evaluate and test) vs. doing immediate
software upgrades?

With many router vulnerabilities, exploits are in the wild within 24
hours. But how often are they used, and how often do they cause actual
network outages? There have been several major router vulnerabilities
during the last 2 years which have provided a reasonable data sample to
analyze. Can that data be used to create a more-accurate risk-analysis

The risk of outage is very high (or certain) if I jump into upgrading
routers, and the quicker I do an upgrade, the more likely I am to have
a serious, extended outage. However, this is the only choice I have
absent information other than "every second gives the miscreants more
time to bring the network down."

If I delay doing the upgrade, using that delay to research and test
candidate versions, carefully deploy the upgrade, etc., I reduce the
risk of outage due to bad upgrades, at the expense of increasing the
risk of exploitation.

I'd love to find the "sweet spot" (if only generally, vaguely or by
rule-of-thumb), the theoretical maximum upgrade delay that will most
reduce the risks of upgrade outages while not dramatically increasing
the risks of exploitation outages.

Ideas? Pointers?
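
The trade-off described in the message above can be written as a toy model. This is an added example, not part of the original post: the exponential shapes, the independence of the two failure modes, and every parameter value (`p_rushed`, `tau`, `hazard`) are constructed assumptions, not measured data.

```python
import math

def p_upgrade_outage(delay, p_rushed, tau):
    # Assumption: the chance that the upgrade itself causes an outage decays
    # exponentially with the days spent testing before deployment.
    return p_rushed * math.exp(-delay / tau)

def p_exploit_outage(delay, hazard):
    # Assumption: constant daily hazard of an exploitation outage while unpatched.
    return 1.0 - math.exp(-hazard * delay)

def p_any_outage(delay, p_rushed, tau, hazard):
    # Assumption: the two failure modes are independent.
    no_outage = (1 - p_upgrade_outage(delay, p_rushed, tau)) * \
                (1 - p_exploit_outage(delay, hazard))
    return 1 - no_outage

def sweet_spot(p_rushed, tau, hazard, max_days=30):
    # Return (delay in whole days, outage probability) with the lowest total risk.
    best = min(range(max_days + 1),
               key=lambda d: p_any_outage(d, p_rushed, tau, hazard))
    return best, p_any_outage(best, p_rushed, tau, hazard)

if __name__ == "__main__":
    # Constructed inputs: a rushed upgrade fails half the time, and testing
    # cuts that risk by a factor of e every 4 days.
    for hazard in (0.001, 0.01, 0.05, 0.5):
        day, p = sweet_spot(p_rushed=0.5, tau=4.0, hazard=hazard)
        print(f"hazard/day={hazard:<6} best delay={day:>2} d  P(outage)={p:.3f}")
```

The optimum moves from "wait as long as allowed" to "upgrade immediately" as the daily exploitation hazard rises, which is why measured exploitation rates are the input the model needs most.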

