In quite a few environments I see Cisco hardware treated as 'set it and forget it'. Many admins just don't even think about updating IOS. If you look in places like Packstorm or Bugtraq, some months you will see tons of attacks all centered at IOS. What are the real risks being taken if someone does not have an interest in keeping their routers/switches up to date especially when a new zero day gets launched?
Update: We are all smart and know what theoretical problems can be caused, but it has been my experience that these networks are left standing for quite some time, even though an internal employee could leverage this if they so wished.
Has anyone experienced an attack on Cisco gear that would like to chime in?
Your mentioning of Packstorm and Bugtraq already answers your question. As with any update, you could be exposed to:
I would answer with another question: why not? It would be a very sloppy thing to do.
We have a policy of:
Major bug fixes with real danger of attack - we test the code for 48 hours in our Reference rig then push out to Production ASAP.
Minor bug fixes with limited risk - they go into bi-weekly roll-up testing and get pushed out monthly at a scheduled time.
Anything else gets rolled up and pushed out quarterly, if not longer.
Basically it's all about risk management; if your site isn't the sort of site that gets a lot of attacks and your business could live with a DDoS or hack every so often then it might actually make sense to stick at a known stable release. If you're an easy target (and we are) then you need to put a lot more time and attention into it and treat it with the respect and patience it deserves.
Hope this helps.
It depends on how big your deployment is, and how willing you are to run untested code. For example, many large companies will have their own in-house network architecture teams who will need to confirm that all required features/configurations function as advertised before rolling out a new code version.
On the other hand, if your entire network consists of ten devices and you are the sole network administrator, the window between a new version being released and you deploying it may only be limited by how quickly you can download the image.
Some rules of thumb that have served me well in the past:
Try and run the same version of code on all instances of a specific model of hardware. This simplifies inventory management; no need to check which devices a given security advisory applies to. It either applies to everything or nothing.
If you have a current support contract with Cisco, ask your SE to perform a bug scrub for you. Specify the features you need and the hardware platform you're running, and leave them to do the leg-work of finding the release that's right for you.
Devices that are directly internet facing, or that are routeable from the internet, should never be left running code with known vulnerabilities. Seriously, just don't do it.
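As an added example (not code from any answer on this page), the inventory check behind the "same version on every instance of a model" rule: it parses IOS version strings, reports models whose devices have drifted apart, and lists which devices an advisory's "fixed in" version still applies to. The inventory and the advisory are constructed sample data, and the ordering of train letters is a simplifying assumption.

```python
import re
from collections import defaultdict

# Constructed sample inventory (hostname, model, running IOS version); not real devices.
INVENTORY = [
    ("edge-rtr-1",   "ISR4451", "16.9.4"),
    ("edge-rtr-2",   "ISR4451", "16.9.4"),
    ("core-sw-1",    "C3850",   "16.6.5"),
    ("core-sw-2",    "C3850",   "16.9.4"),
    ("branch-rtr-1", "C2911",   "15.2(4)M7"),
    ("branch-rtr-2", "C2911",   "15.2(4)M5"),
]

# Matches classic IOS '15.2(4)M7' and IOS-XE '16.9.4' style version strings.
_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\((\d+)\))?(?:\.(\d+))?([A-Z]+)?(\d+)?$")

def parse_version(ver):
    """Convert an IOS version string into a tuple that sorts in release order.
    Assumption: train letters (M, T, S, ...) are compared alphabetically."""
    m = _VER_RE.match(ver.strip())
    if not m:
        raise ValueError("unrecognised IOS version: %r" % ver)
    major, minor, maint, dot, train, rebuild = m.groups()
    return (int(major), int(minor), int(maint or dot or 0), train or "", int(rebuild or 0))

def version_drift(inventory):
    """Models running more than one version, i.e. where the 'same code on
    every instance of a model' rule is violated. Versions are sorted oldest first."""
    by_model = defaultdict(set)
    for _host, model, ver in inventory:
        by_model[model].add(ver)
    return {m: sorted(v, key=parse_version) for m, v in by_model.items() if len(v) > 1}

def affected_devices(inventory, model, fixed_in):
    """Hosts of `model` still running code older than the advisory's first fixed release."""
    fixed = parse_version(fixed_in)
    return [h for h, m, v in inventory if m == model and parse_version(v) < fixed]

if __name__ == "__main__":
    for model, versions in version_drift(INVENTORY).items():
        print("drift on %s: %s" % (model, ", ".join(versions)))
    # Constructed advisory: C2911 vulnerable in releases before 15.2(4)M7.
    print("needs patching:", affected_devices(INVENTORY, "C2911", "15.2(4)M7"))
```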