7MS #4: Patch Strategies: Part Deux (audio)
In this episode I continue talking about some dos and don’ts of patch strategies – this time talking about enterprise-level gear.
- There are often two trains of thought with regard to patching enterprise gear (like routers, switches, firewalls): 1. If it ain’t broke, don’t fix it. 2. If I see a new firmware release at noon today, I’m gonna install it at 12:05 p.m.
- Both trains of thought have problems. If you let your firmware get too long in the tooth, you may be susceptible to old vulns, and your gear may crash if hit with something as simple as a vulnerability scan. If you patch too aggressively, you may end up patching unnecessarily (new firmware may just have GUI fixes, for example, that you don’t even use). You need to review the firmware release notes to see whether the release fixes security-related issues and/or applies to your environment.