RE: [fw-wiz] question on securing out-of-band management (ver. 2)



golovast wrote:
If the appliance is essentially an SSL proxy, the problem is that the traffic
between the appliance and the servers is not encrypted.

That's pretty much par for the course; most networks built with
front-end SSL processors have a relatively short wire between
the front-end processor and back-end server. So it's generally
considered OK for that data to be in the clear since it's
usually going through a switch in the same rack locked in
the same data center.

I was leaning this way. The logic that I tried to use is that
if the switch is compromised, which is what will need to happen
in order for someone to sniff the traffic, the company will have
bigger concerns at that point regardless. If that event
does happen, a potential intruder is more or less in control
of the network.

At the same time, I do want to make sure that customer
data is protected and that the risk, however slight, is offset
by the gains.


I wanted to ask if the people who read this list would consider using an
appliance a secure configuration?

"appliance" is a marketing term.

It is. I probably should have called it an SSL proxy, which would be more accurate.

Obviously, you'd want to
learn what you could about whether the front-end SSL
processor was capable of protecting itself.

Most products are proprietary and often all I have to go on is
the manufacturer's word and reputation. I can also look at security
advisories, but just like they say about the markets,
"past performance does not guarantee future results"..=]

The device can be FIPS compliant, but that
only tells me about their cryptography, not necessarily the
device itself.




mjr.



Thanks for the advice, mjr.


_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


