Re: [fw-wiz] question on securing out-of-band management (ver. 2)
We know that there are vast differences between operating systems - even within a single OS, which executables are included, what the OS will serve as a platform for, and how the OS is configured. There are similarly vast differences in appliances. Some appliance vendors use commercial OSs and do a pathetic job of customizing and hardening; others thoughtfully approach the task of securing the OS and end up with as secure a system as even the most expert admins on this list might manage to deploy.

So asking "would I consider a topology where I employ security appliances a secure configuration?" is too general.

To answer your question, "it depends on how secure the appliance proves to be".

My philosophy is simple: if you're going to buy an appliance, you ought to treat the purchase as thoughtfully as you would if you were hardening an OS (and proxies of course) yourself. You don't shop off eBay for a PIX:-) then put it into production by modifying the last working config that the prior owner failed to erase from the box (ah, the stories I could tell). Instead, you talk with the developers and other users who have experience with the appliance in deployments similar to how you intend to use it. Learn everything you can about the design/architecture/test methodology of the appliance. Cruise through vulnerability/exploit lists. Beat on it yourself (I don't know too many vendors who won't part with a unit for a few weeks).

Maybe I'm overly fortunate and some folks will say, "I can't get gear as easily as you". The reason why I get boxes fairly easily is because I give something back. If I beat on a box and it disappoints, I explain why. If the vendor is foolish, they get huffy and learn nothing. If the vendor is smart, I have to be careful not to get stuck with the damned thing while they hurry to fix what I've identified (hint: always ask for an RMA and send your negative comments back when you've returned the unit, i.e., BEFORE they ask you to try it again :0) Most vendors are desperate to find folks who'll help them make their appliance better. If you are fortunate enough to work with cooperating, earnest vendors and behave in this manner, you become an A list customer no matter how many units your company will buy.


---------
N.B. In an earlier email, Marcus included me on his short list of outliers, folks who don't "trade for the perception of performance over the perception of security.(*)" Flatterer!

Marcus J. Ranum wrote:
> golovast wrote:
>> If the appliance is essentially an SSL proxy, the problem is that the traffic between the appliance and the servers is not encrypted.
>
> That's pretty much par for the course; most networks built with
> front-end SSL processors have a relatively short wire between
> the front-end processor and back-end server. So it's generally
> considered OK for that data to be in the clear since it's
> usually going through a switch in the same rack locked in
> the same data center.
>
>> I wanted to ask if the people who read this list would consider using an appliance a secure configuration?
>
> "appliance" is a marketing term. Obviously, you'd want to
> learn what you could about whether the front-end SSL
> processor was capable of protecting itself.
>
> mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

