Cisco Lifts & Separates in IOS

Cisco Systems Inc. (Nasdaq: CSCO), which has rarely been out of the security spotlight in recent weeks, today separated key functions of its IOS software for the Catalyst 6500 switches in an attempt to boost reliability and cut users network downtime (see Cisco Overhauls Switch IOS).

IOS hit the headlines at the recent Black Hat Briefings in Las Vegas when a researcher revealed the existence of a major hole in the software. Cisco officials said that the bug had been patched, and the buggy version of IOS is no longer available for download (see Cisco Faces Security Flap and Cisco Reveals 'Black Hat' Flaw).

Then, earlier this month, the company had to reset user passwords on its Website in response to a potential vulnerability, and, more recently, it highlighted a security flaw in its Intrusion Prevention System (IPS) technology that could potentially leave users’ systems open to attack (see Cisco Passwords Get Makeover and Cisco Focuses on IPS Flaw).

Cisco, execs, however, say that the decision to overhaul IOS had nothing to do with recent events, particularly the Black Hat brouhaha. “We have been working on this for the past few years,” says John Yen, senior manager for Cisco’s Catalyst technology.

But with today’s announcement, Cisco is clearly looking to reassure users that the Catalyst 6500 offers both security and high availability.To do this, Cisco has effectively separated parts of the IOS. Different functions of the software that deal, with, for example, routing or handling TCP connections, can now run as independent processes on the Catalyst 6500, each with its own portion of memory. Whereas different processes previously shared the same memory, problems can now be contained, according to Cisco execs. “If you have a failure in one process, the other processes will not be affected,” says Yen.

The networking giant is also looking to cut unplanned network downtime through a feature called Stateful Process Restart. This lets users restart a specific process, such as TCP connections with neighboring devices, from precisely the point at which the system went down. “When you come alive [again], when the process restarts, it knows that these are the people that I need to be talking to,” says Sachin Gupta, another senior manager for the Catalyst 6500 product team.

With demands on users’ networks growing more quickly than their IT staffing levels, Cisco has also attempted to improve firms’ ability to roll out software upgrades (see Survey: Data Center Staff in the Dumps). Another new feature in IOS, called In-Service Software Upgrades (ISSU), lets users automatically certify the codes used when upgrading to new versions of software or rolling out a security patch.

Although Cisco could not give NDCF any ballpark figures for exactly how many man hours can be saved by using the new version of IOS, American Century Investments says it expects to slash the amount of time spent on software upgrades. The firm estimates that the new IOS will reduce the amount of time needed to upgrade its 60 Catalyst 6500s from six weeks to six hours.

Cisco has also got other IOS upgrades up its sleeve. These include security enhancements, new virtualization features, stronger support for converged applications, and Power Over Ethernet (POE) integration, says Yen. “There’s a very deep pipeline of more innovations in place,” he adds, although he would not reveal roadmap specifics.The networking giant is not the only vendor with security on its mind at the moment. Juniper Networks Inc. (Nasdaq: JNPR), for example, recently announced new security blades for its NetScreen 5000 series of devices, which compete directly with the Catalyst 6500 (see Juniper Launches Security Blades).

— James Rogers, Site Editor, Next-Gen Data Center Forum