Cisco Reviews Code After Juniper Backdoor Revelation


Cisco says voluntary review is to reassure customers and says it has no indication of unauthorised code in its equipment

Cisco is to check all of its products for any unauthorised code following the discovery of a backdoor in Juniper Networks’ NetScreen firewalls last week.

The San Jose-based firm says it has a strict ‘no backdoor policy’ in place and is adamant that its development process makes it difficult for malicious code or security bypasses to be introduced. It adds it has seen no evidence to suggest these safeguards have been breached.

However following the Juniper revelation last week, Cisco feels it needs to reassure customers who might be concerned about its equipment.

Cisco review

Cisco“We have seen none of the indicators discussed in Juniper’s disclosure,” said Anthony Grieco, senior director of Cisco’s Security and Trust organisation. “Our products are the result of rigorous development practices that place security and trust at the fore. They also receive continuous scrutiny from Cisco engineers, our customers, and third party security researchers, contributing to product integrity and assurance.

“Although our normal practices should detect unauthorised software, we recognize that no process can eliminate all risk. Our additional review includes penetration testing and code reviews by engineers with deep networking and cryptography experience.

“Cisco launched the review because the trust of our customers is paramount. We have not been contacted by law enforcement about Juniper’s bulletin, and our review is not in response to any outside request. We are doing this because it’s the right thing to do.”

Grieco added that any findings would be made public in accordance with its security vulnerability policy and encouraged any customers or researchers to report any suspected issues.

The backdoor in Juniper’s code was uncovered during an internal review and could allow a “knowledgeable attacker” to gain admin access to NetScreen devices and decrypt VPN connections. It has recommended all customers update their systems, but it is still unclear who implemented the code in the first place.

Do you know the secrets of Cisco? Take our quiz!