Home page logo

firewall-wizards logo Firewall Wizards mailing list archives

Re: question on securing out-of-band management (ver. 2)
From: Dave Piscitello <dave () corecom com>
Date: Tue, 07 Feb 2006 22:27:19 -0500

We know that there are vast differences between operating systems - even within a single OS, which executables are included, what the OS will serve as a platform for, and how the OS is configured. There are similarly vast differences in appliances. Some appliance vendors use commercial OSs and do a pathetic job of customizing and hardening; others thoughtfully approach the task of securing the OS and end up with as secure a system as even the most expert admins on this list might manage to deploy.

So asking "would I consider a topology where I employ security appliances a secure configuration?" is too general.

To answer your question, "it depends on how secure the appliance proves to be".

My philosophy is simple: if you're going to buy an appliance, you ought to treat the purchase as thoughtfully as you would if you were hardening an OS (and proxies of course) yourself. You don't shop off eBay for a PIX:-) then put it into production by modifying the last working config that the prior owner failed to erase from the box (ah, the stories I could tell). Instead, you talk with the developers and other users who have experience with the appliance in deployments similar to how you intend to use it. Learn everything you can about the design/architecture/test methodology of the appliance. Cruise through vulnerability/exploit lists. Beat on it yourself (I don't know too many vendors who won't part with a unit for a few weeks).

Maybe I'm overly fortunate and some folks will say, "I can't get gear as easily as you". The reason why I get boxes fairly easily is because I give something back. If I beat on a box and it disappoints, I explain why. If the vendor is foolish, they get huffy and learn nothing. If the vendor is smart, I have to be careful not to get stuck with the damned thing while they hurry to fix what I've identified (hint: always ask for an RMA and send your negative comments back when you've returned the unit, i.e., BEFORE they ask you to try it again :0) Most vendors are desperate to find folks who'll help them make their appliance better. If you are fortunate enough to work with cooperating, earnest vendors and behave in this manner, you become an A list customer no matter how many units your company will buy.

N.B. In an earlier email, Marcus included me on his short list of outliers, folks don't "trade for the perception of performance over the perception of security.(*)" Flatterer!

Marcus J. Ranum wrote:
golovast wrote:
If the appliance is essentially an SSL proxy, the problem is that the traffic between the appliance and the servers is not encrypted.

That's pretty much par for the course; most networks built with
front-end SSL processors have a relatively short wire between
the front-end processor and back-end server. So it's generally
considered OK for that data to be in the clear since it's
usually going through a switch in the same rack locked in
the same data center.

I wanted to ask if the people who read this list would consider using an appliance a secure configuration?

"appliance" is a marketing term. Obviously, you'd want to
learn what you could about whether the front-end SSL
processor was capable of protecting itself.

firewall-wizards mailing list
firewall-wizards () honor icsalabs com

Attachment: dave.vcf

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]