We know that there are vast differences between operating systems -
even within a single OS, which executables are included, what the OS
will serve as a platform for, and how the OS is configured. There are
similarly vast differences in appliances. Some appliance vendors use
commercial OSs and do a pathetic job of customizing and hardening;
others thoughtfully approach the task of securing the OS and end up with
as secure a system as even the most expert admins on this list might
manage to deploy.
So asking "would I consider a topology where I employ security
appliances a secure configuration?" is too general.
To answer your question, "it depends on how secure the appliance proves
to be".
My philosophy is simple: if you're going to buy an appliance, you ought
to treat the purchase as thoughtfully as you would if you were hardening
an OS (and proxies of course) yourself. You don't shop off eBay for a
PIX :-) then put it into production by modifying the last working config
that the prior owner failed to erase from the box (ah, the stories I
could tell). Instead, you talk with the developers and other users who
have experience with the appliance in deployments similar to how you
intend to use it. Learn everything you can about the
design/architecture/test methodology of the appliance. Cruise through
vulnerability/exploit lists. Beat on it yourself (I don't know too many
vendors who won't part with a unit for a few weeks).
Maybe I'm overly fortunate and some folks will say, "I can't get gear as
easily as you". The reason why I get boxes fairly easily is because I
give something back. If I beat on a box and it disappoints, I explain
why. If the vendor is foolish, they get huffy and learn nothing. If the
vendor is smart, I have to be careful not to get stuck with the damned
thing while they hurry to fix what I've identified (hint: always ask for
an RMA and send your negative comments back when you've returned the
unit, i.e., BEFORE they ask you to try it again :0) Most vendors are
desperate to find folks who'll help them make their appliance better. If
you are fortunate enough to work with cooperating, earnest vendors and
behave in this manner, you become an A list customer no matter how many
units your company will buy.
---------
N.B. In an earlier email, Marcus included me on his short list of
outliers, folks who don't "trade for the perception of performance over
the perception of security.(*)" Flatterer!
Marcus J. Ranum wrote:
> golovast wrote:
>> If the appliance is essentially an SSL proxy, the problem is that the traffic
>> between the appliance and the servers is not encrypted.
>
> That's pretty much par for the course; most networks built with
> front-end SSL processors have a relatively short wire between
> the front-end processor and back-end server. So it's generally
> considered OK for that data to be in the clear since it's
> usually going through a switch in the same rack locked in
> the same data center.
>
>> I wanted to ask if the people who read this list would consider using an
>> appliance a secure configuration?
>
> "appliance" is a marketing term. Obviously, you'd want to
> learn what you could about whether the front-end SSL
> processor was capable of protecting itself.
>
> mjr.
>
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
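The topology golovast asks about and Marcus describes (TLS terminated on a front-end processor, plain HTTP over a short wire to the back-end server) is easy to see in an ordinary reverse-proxy configuration. The nginx snippet below is an added example, not the thread's own material or any vendor's appliance config; hostnames, addresses and certificate paths are assumptions. It shows the clear-text hop as variant A, beside variant B, which re-encrypts to the back end and verifies the back end's certificate so that the "same rack, same switch" assumption is no longer the only thing protecting the session.

```nginx
# Added example (not from the thread). Assumed names: www.example.com,
# app.internal.example.com, back-end hosts on 10.0.0.11, cert paths.

upstream app_plain {
    server 10.0.0.11:8080;   # back end speaking plain HTTP
}
upstream app_tls {
    server 10.0.0.11:8443;   # back end speaking HTTPS
}

server {
    listen 443 ssl;
    server_name www.example.com;

    # Front-end TLS termination: this is the "SSL processor" role.
    ssl_certificate     /etc/nginx/tls/www.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/www.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Variant A: the configuration the thread describes. TLS ends here and
    # the hop to the server is clear-text HTTP; its safety rests entirely on
    # the rack/switch being physically and logically isolated.
    location /legacy/ {
        proxy_pass http://app_plain;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Variant B: re-encrypt to the back end and verify its certificate
    # against an internal CA, so a tap or misplaced span port on the
    # "short wire" yields ciphertext instead of application data.
    location / {
        proxy_pass https://app_tls;
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.crt;
        proxy_ssl_server_name         on;
        proxy_ssl_name                app.internal.example.com;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

The re-encrypted hop costs a second handshake and a second certificate to manage, which is exactly the trade Marcus's "par for the course" remark refers to; whether the clear-text variant is acceptable is a question about the wire between the two boxes, not about the appliance label. If the back end should also authenticate the front end, nginx's `proxy_ssl_certificate` and `proxy_ssl_certificate_key` directives add a client certificate to variant B.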
Received on Feb 08 2006