Re: question on securing out-of-band management (ver. 2)
From: Dave Piscitello <dave () corecom com>
Date: Tue, 07 Feb 2006 22:27:19 -0500
We know that there are vast differences between operating systems -
even within a single OS, which executables are included, what the OS
will serve as a platform for, and how the OS is configured. There are
similarly vast differences in appliances. Some appliance vendors use
commercial OSs and do a pathetic job of customizing and hardening;
others thoughtfully approach the task of securing the OS and end up with
as secure a system as even the most expert admins on this list might
manage to deploy.
So asking "would I consider a topology where I employ security
appliances a secure configuration?" is too general.
To answer your question, "it depends on how secure the appliance proves
My philosophy is simple: if you're going to buy an appliance, you ought
to treat the purchase as thoughtfully as you would if you were hardening
an OS (and proxies of course) yourself. You don't shop off eBay for a
PIX:-) then put it into production by modifying the last working config
that the prior owner failed to erase from the box (ah, the stories I
could tell). Instead, you talk with the developers and other users who
have experience with the appliance in deployments similar to how you
intend to use it. Learn everything you can about the
design/architecture/test methodology of the appliance. Cruise through
vulnerability/exploit lists. Beat on it yourself (I don't know too many
vendors who won't part with a unit for a few weeks).
Maybe I'm overly fortunate and some folks will say, "I can't get gear as
easily as you". The reason why I get boxes fairly easily is because I
give something back. If I beat on a box and it disappoints, I explain
why. If the vendor is foolish, they get huffy and learn nothing. If the
vendor is smart, I have to be careful not to get stuck with the damned
thing while they hurry to fix what I've identified (hint: always ask for
an RMA and send your negative comments back when you've returned the
unit, i.e., BEFORE they ask you to try it again :0) Most vendors are
desperate to find folks who'll help them make their appliance better. If
you are fortunate enough to work with cooperating, earnest vendors and
behave in this manner, you become an A list customer no matter how many
units your company will buy.
N.B. In an earlier email, Marcus included me on his short list of
outliers, folks who don't "trade for the perception of performance over the
perception of security.(*)" Flatterer!
Marcus J. Ranum wrote:
> > If the appliance is essentially an SSL proxy, the problem is that the traffic
> > between the appliance and the servers is not encrypted.
> That's pretty much par for the course; most networks built with
> front-end SSL processors have a relatively short wire between
> the front-end processor and back-end server. So it's generally
> considered OK for that data to be in the clear since it's
> usually going through a switch in the same rack locked in
> the same data center.
> > I wanted to ask if the people who read this list would consider using an
> > appliance a secure configuration?
> "appliance" is a marketing term. Obviously, you'd want to
> learn what you could about whether the front-end SSL
> processor was capable of protecting itself.
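The point Marcus makes above (an SSL front-end terminates TLS, and the hop to the back-end is in the clear by design, tolerated only because it is a short wire in the same rack) is something you can verify on the wire rather than take from the data sheet. The following is an added example, not code from the thread or from any vendor: it classifies the first bytes of a captured TCP stream on each hop as a TLS ClientHello or cleartext HTTP, and flags any hop that is in the clear without having been explicitly accepted as such. The hop names, the accepted-cleartext set and the sample payloads are constructed for illustration and are assumptions, not captures from a real device.

```python
# Added example (not from the original thread). Classifies the first bytes of
# a TCP stream on each hop around an SSL front-end processor and reports any
# hop that carries cleartext without being an accepted design decision.

def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if payload starts with a TLS record carrying a ClientHello."""
    if len(payload) < 6:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    # 0x16 = handshake record; record-layer version 0x0300 (SSLv3) .. 0x0304
    if content_type != 0x16 or major != 0x03 or minor > 0x04:
        return False
    record_len = int.from_bytes(payload[3:5], "big")
    if record_len == 0:
        return False
    return payload[5] == 0x01  # handshake message type 1 = ClientHello


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")


def classify_stream(payload: bytes) -> str:
    """Return 'tls', 'cleartext-http' or 'unknown' for a stream's first bytes."""
    if looks_like_tls_client_hello(payload):
        return "tls"
    if payload.startswith(HTTP_METHODS):
        return "cleartext-http"
    return "unknown"


def audit_hops(streams, accepted_cleartext):
    """
    streams: iterable of (hop_name, first_payload_bytes), one per TCP stream.
    accepted_cleartext: hop names where cleartext is an accepted design
    decision (the short wire between front-end and back-end in the same rack).
    Returns (classification_by_hop, list_of_unexpected_cleartext_hops).
    """
    classified = {}
    unexpected = []
    for hop, payload in streams:
        kind = classify_stream(payload)
        classified[hop] = kind
        if kind != "tls" and hop not in accepted_cleartext:
            unexpected.append(hop)
    return classified, unexpected


# Constructed sample payloads; hop names are hypothetical.
CLIENT_HELLO = (
    b"\x16\x03\x01\x00\xc8"        # handshake record, record version 3.1, length 200
    b"\x01\x00\x00\xc4\x03\x03"    # ClientHello, body length 196, client version 3.3
    + bytes(range(32))             # 32-byte client random
)
CLEARTEXT_REQUEST = b"GET /console HTTP/1.1\r\nHost: mgmt.example\r\n\r\n"

SAMPLE_STREAMS = [
    ("client->frontend", CLIENT_HELLO),        # TLS terminated at the front-end
    ("frontend->backend", CLEARTEXT_REQUEST),  # the accepted short wire
    ("frontend->oob-console", CLEARTEXT_REQUEST),  # cleartext nobody signed off on
]


def run_audit():
    """Audit the constructed streams; only the front-end/back-end hop is accepted in the clear."""
    return audit_hops(SAMPLE_STREAMS, accepted_cleartext={"frontend->backend"})


if __name__ == "__main__":
    classified, unexpected = run_audit()
    for hop, kind in classified.items():
        print(f"{hop:24s} {kind}")
    print("unexpected cleartext hops:", unexpected)
```

Feed it the first payload bytes of each stream from a capture taken on the switch between the front-end and the back-end, and the accepted set becomes the written-down list of hops where cleartext is a deliberate decision rather than an accident of the deployment.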
firewall-wizards mailing list
firewall-wizards () honor icsalabs com