RE: question on securing out-of-band management (ver. 2)
From: "golovast" <golovast () yandex ru>
Date: Wed, 8 Feb 2006 13:24:41 +0300 (MSK)
> > If the appliance is essentially an SSL proxy, the problem is that the traffic
> > between the appliance and the servers is not encrypted.
>
> That's pretty much par for the course; most networks built with
> front-end SSL processors have a relatively short wire between
> the front-end processor and back-end server. So it's generally
> considered OK for that data to be in the clear since it's
> usually going through a switch in the same rack locked in
> the same data center.

I was leaning this way. The logic that I tried to use is that
if the switch is compromised, which is what will need to happen
in order for someone to sniff the traffic, the company will have
bigger concerns at that point regardless. If that event
does happen, a potential intruder is more or less in control
of the network.

At the same time, I do want to make sure that customer
data is protected and that the risk, however slight, is offset
by the gains.

> > I wanted to ask if the people who read this list would consider using an
> > appliance a secure configuration?
>
> "appliance" is a marketing term.

It is. I probably should have called it an SSL proxy, which would be more accurate.

> Obviously, you'd want to
> learn what you could about whether the front-end SSL
> processor was capable of protecting itself.

Most products are proprietary and often all I have to go on is
the manufacturer's word and reputation. I can also look at security
advisories, but just like they say about the markets,
"past performance does not guarantee future results"..=]
The device can be FIPS compliant, but that
only tells me about their cryptography, not necessarily the

Thanks for the advice, mjr.
firewall-wizards mailing list
firewall-wizards () honor icsalabs com