Michael Cooney
Senior Editor

Cisco initiative targets device security

News
Nov 20, 2025 · 4 mins

Cisco's Resilient Infrastructure initiative aims to bolster network security by strengthening default device settings and removing insecure capabilities.

Cisco is announcing a security initiative that will push customers to update or replace aging infrastructure components, such as routers, switches and firewalls, as well as discourage them from using any insecure features.

Called Resilient Infrastructure, the plan calls for Cisco to strengthen network security by increasing default protections, removing insecure legacy features, and introducing new capabilities that reduce the attack surface and enable better threat detection and response.

“Simply put, we are making it incredibly obvious when our customers are configuring insecure features that introduce new and unnecessary risks into their networks,” wrote Anthony Grieco, senior vice president and chief security and trust officer at Cisco, in a blog post about the initiative. “Initially, customers will receive increased security warnings that recommend discontinuing the use of any insecure features. In subsequent releases, features will be disabled by default or require additional steps to allow for configuration. Eventually, insecure options will be removed entirely.” 

Historically, network infrastructure hasn’t received the same level of monitoring and scrutiny as other parts of the IT infrastructure, but that’s changing, Grieco stated.

“We believe it is the responsibility of all trustworthy vendors, including Cisco, to inform customers when the use of certain technology may expose them to potential risks,” Grieco wrote. “That is why we are doubling down on the model where security is the default and any reduction in security requires an explicit choice. It moves our customers from facing unexpected risks to managing known and deliberate ones. In some cases, we will completely remove the ability to do things insecurely regardless of choice.”

Insecure features and protocols will be systematically deprecated and eventually removed from identified Cisco products. The phased removal strategy will span three feature releases to minimize disruption, Cisco stated. The stages are:

  1. Warning: You will receive warnings when configuring key insecure features. We strongly recommend discontinuing their use immediately.
  2. Restriction: In subsequent releases, key insecure features will be disabled by default or require explicit administrator action to enable. Existing deployments will continue to function, but new installations will require intentional enablement. Some features on specific platforms may not have a restriction phase, with only warnings continuing for several releases before removal.
  3. Removal: Obsolete features are planned to be removed entirely from future software releases. The timing of removal will vary based on user impact and adoption (e.g., widely adopted features like SNMPv2 will phase out slower than less-used ones).

Looking to the future, Grieco said that networks need to evolve to support post-quantum cryptography and must be secure by default. “This is not simply a switch to be flipped in the next decade as AI becomes the norm and quantum computing inches towards mainstream adoption. Those that do not act now will unfortunately be doing so at their own peril,” Grieco stated.

Network technical debt

A newly released Cisco-commissioned report highlights the need for more forceful security measures. The research found that 48% of network assets worldwide are aging or obsolete, creating significant technical debt that diverts budgets toward maintenance rather than modernization.

“Calling this technology by the commonly used term ‘legacy’ technology can be deceptive. At this point, the technology can still be functioning and used within systems as intended. A bigger problem is when technology has become so old and obsolete that it can no longer be supported against security risks. It has reached the end of its life. Technology naturally has a lifespan, so once legacy technology reaches its ‘end-of-life’ state, the risks to the overall cyber resilience of the system multiply,” the study noted.