Secondhand networks and back-alley firmware

Sometimes, you have no other option but to get your code and gear from questionable sources

When it's time to update firmware on, say, a router or a switch, the vast majority of folks head to the vendor site and grab whatever version they need, easy-peasy. But a large and growing number of admins don't have that luxury because the vendor requires paid support contracts to access those files -- and, in many cases, will only allow access to firmware for hardware covered under those contracts.

Even if you have a hefty support bill for a dozen devices on your network from the same vendor, you may not be able to download a much-needed update for an older unit because it isn't covered. Few things are more frustrating than finding a link to a firmware update that will fix all your problems, only to be prevented from downloading it because of such restrictions.

[ Download Paul Venezia's Networking Deep Dive for the basics of setting up a modern network. | For best practices on how to set up remote monitoring and control systems, see Paul Venezia's "Troubleshoot your data center from the easy chair." ]

It's enough to make even the mildest-mannered admins seethe -- to the point where they take a walk on the wild side and download black market firmware.

When the chips (and possibly the network) are down, admins may be left with little recourse. Even if they decide to add a device to the support contract to access much-needed firmware, that would take days -- not an option during a midnight firefight. So with a deep sense on unease, they turn to BitTorrent and file hosting sites to download these images, without really knowing if they're legitimate. It's a calculated risk at this point: If the network is down or hobbled, but can be brought back together via a downloaded image of questionable lineage, it might be worth it, at least in the interim. After all, what's the worst that could happen? A fradulent image that brings down the network?

With a tiny bit of Google-fu, you can easily locate firmware images for just about everything. There are torrents available that contain dozens of firmware releases for Cisco ASA firewalls, routers, and switches. Pull that down, load up the right image, and off you go -- but you're now running firewalls, routers, or switches on code from an unknown origin. If you can't access the checksums from the original image, you're gambling that these images have been provided by good Samaritans who've been in this situation before, rather than a gang of Chinese hackers who have surreptitiously slipped in their own backdoor code. Again, when everyone's running around with their hair on fire, it's a risk that many would take.

In an ideal world, a scenario like this would be followed later, in calmer times, by someone procuring the proper support access, downloading a verified image, and replacing the questionable code. But I'd wager that only a small percentage of these situations have that outcome. Most times, the black market image will remain in perpetuity, especially if an outside consultant fixed the problem in this manner.

Of course, there are those poor, unfortunate souls who toil under management that refuses to spend money on silly things like support contracts, and they wind up running most of the core infrastructure on firmware they downloaded from a PirateBay tracker. They may have no other choice. When you give nontechnical management the choice between "free" downloads and a $100,000 annual support contract, caution and reason can get shoved aside.

There's also the gray market scenario. Clearly, vendors would prefer that you buy new gear from only them, but in many cases, you can get the same functionality from a used device off eBay for a tenth the cost. Again, the reward may outweigh the risk in this instance, but good luck getting a vendor support contract on that used device; many vendors require a recertification of the hardware that can cost nearly as much as a new unit. Think of it as a "tough love" gesture to make sure you keep buying the brand-new stuff.

There are certainly valid reasons that some vendors guard their firmware in this manner. Many, like Cisco, offer a variety of different features in different firmware revisions and want more money for those advanced features -- too bad they also throw the baby out with the bathwater with these restrictions. In many cases, the firmware that is needed is actually the same firmware that's already on the device, but has become corrupted or otherwise rendered unusable.

When budgets are tight and IT is under the gun to do a whole lot with just a little, going the gray/black market route is a viable option. If handled properly and with caution, it can result in a substantial cost savings without sacrificing any functionality or performance -- but only if you don't mind walking on the wild side.

This story, "Secondhand networks and back-alley firmware," was originally published at Read more of Paul Venezia's The Deep End blog at For the latest business technology news, follow on Twitter.