
Identifying Counterfeit Cisco Equipment

by Eric Conrad



Waking Sleeping Dogs: Information Security Ethics, a paper I wrote for my SANS Technical Institute masters degree, has generated a lot of great comments and questions.

Many folks are asking how to identify counterfeit Cisco gear that may be in their environment. Continue reading for how we did it.

Our biggest counterfeit problem was with SFPs and GBICs. Our investigation showed we received them from a number of sources (all Cisco registered resellers), including a Cisco Gold partner.

We initially detected them due to shoddy packaging: labels that smear, cheap boxes, etc. The Cisco logo used was several generations old. Cisco is usually diligent on labeling: the serial number on the device matches the number on the bag (or box).

The counterfeit gear had a label/serial number on the device, but no serial number on the bag or box.

Once we investigated, there was a clear pattern on the counterfeit gear, regarding bogus serial numbers.

A legit SFP looks like this:

DECKARD-C3750-1#show idprom interface gigabitEthernet 1/0/1

General SFP Information

------------------------------

Identifier : 0x03

Connector : 0x07

Transceiver : 0x00 0x00 0x00 0x01 0x20 0x40 0x0C 0x01

Encoding : 0x01

BR_Nominal : 0x0C

Vendor Name : CISCO-FINISAR

Vendor Part Number : FTRJ-8519-7D-CSC

Vendor Revision : 0x00 0x00 0x00 0x00

Vendor Serial Number : FNS0827A12H

The key is the serial number (bolded), which is in the standard Cisco format for SFPs: 3 letters, followed by 4 numbers, followed by 4 letters/numbers. The 1st 3 letters are the factory, the next 4 numbers are a date code, and the last 4 letters/numbers are a unique ID.

Here's a counterfeit SFP:

BATTY-C3750-1#show idprom interface gigabitEthernet 1/0/1

General SFP Information

------------------------------

Identifier : 0x03

Transceiver : 0x00 0x00 0x00 0x01 0x20 0x40 0x0C 0x00

Encoding : 0x01

BR_Nominal : 0x0C

Vendor Name : CISCO-FINISAR

Vendor Part Number : FTRJ-8519-7D-CSC

Vendor Revision : 0x20 0x20 0x20 0x20

Vendor Serial Number : H11F797

Note the serial number 'H11F797' is not in the standard (longer) format. This is very typical, and how we identified hundreds of bogus SFPs that were in production. The initial letter changes (we saw some begin with H, and P).
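The serial-format check described above can be scripted across saved switch output. The following is an added example, not code from the original article; the function names are hypothetical and it assumes `show idprom interface` output has been captured to text. A mismatch only marks a module for closer inspection.

```python
import re

# Format the article describes for genuine Cisco SFP serials:
# 3 letters (factory) + 4 digits (date code) + 4 letters/digits (unique ID).
SERIAL_RE = re.compile(r"^[A-Z]{3}\d{4}[A-Z0-9]{4}$")
PROMPT_RE = re.compile(r"^([\w.-]+)#\s*show idprom interface\s*(.*)$", re.I)
FIELD_RE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")
INTF_RE = re.compile(r"^[A-Za-z]+\s*\d+(/\d+)*$")

# Abbreviated from the two captures in the article; the first command is
# wrapped across two lines, as terminal logs often are.
SAMPLE = """\
DECKARD-C3750-1#show idprom interface
gigabitEthernet 1/0/1
General SFP Information
------------------------------
Vendor Serial Number : FNS0827A12H
BATTY-C3750-1#show idprom interface gigabitEthernet 1/0/1
General SFP Information
------------------------------
Vendor Serial Number : H11F797
"""

def parse_idprom(text):
    """Split a capture into one record per 'show idprom interface' command."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        prompt = PROMPT_RE.match(line)
        if prompt:
            cur = {"host": prompt.group(1),
                   "interface": prompt.group(2).strip(), "fields": {}}
            records.append(cur)
        elif cur is None or not line:
            continue
        elif not cur["interface"] and INTF_RE.match(line):
            cur["interface"] = line  # interface name wrapped onto the next line
        elif FIELD_RE.match(line):
            key, val = FIELD_RE.match(line).groups()
            cur["fields"][key] = val
    return records

def suspect_sfps(text):
    """Return (host, interface, serial) for serials outside the expected format."""
    out = []
    for rec in parse_idprom(text):
        serial = rec["fields"].get("Vendor Serial Number", "")
        if not SERIAL_RE.match(serial.upper()):  # a missing serial is flagged too
            out.append((rec["host"], rec["interface"], serial))
    return out
```

Running `suspect_sfps` over the sample flags only the BATTY-C3750-1 module with serial `H11F797`.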

Also, in retrospect, we realized the counterfeit devices had a far higher failure rate than real Cisco. We shipped the questionable SFPs to Cisco Brand Protection Labs, and they verified all were counterfeit.

Here's a photo of an SFP that appears to be counterfeit:

Note the serial number. This photo was taken from a reseller located in Asia. This SFP is priced for $20 on that site (a real SFP from a legitimate Cisco reseller lists for hundreds). That seller has plenty of other "Cisco" equipment for sale at equally impressive discounts compared to legit gear:
* CISCO GBIC&SFP
* CISCO MODULE
* WIC CARD
* NETWORK MODULE(NM)
* VWIC CARD
* VIC CARD
* 1700 SERIES
* 1800 SERIES
* 2800 SERIES
* 2950 SERIES
* 2970 SERIES
* 3560 SERIES

All of this stuff ends up in secondary channels like Ebay. Some Cisco certified resellers get greedy, buy the counterfeit stuff for pennies on the dollar, and then resell it at a 'great discount.' All of this violates their Cisco reseller agreement, but greed seems to win the day.

We got ours for 50% off Cisco list. These parts listed for $500 then (they are less now). We got a bargain price of $250: for a $20 knockoff.


Eric Conrad is a SANS Certified Instructor and Independent Information Security Consultant. His blog can be found here. The CCIE Flyer would like to thank Eric for allowing us to reprint this article.


All rights reserved CCIE Agent, Ltd. | A Dan-n-Eman Publication