Firewall Wizards mailing list archives

Re: External Load Balancing


From: Ng Pheng Siong <ngps () netmemetic com>
Date: Wed, 12 Jan 2005 09:26:15 +0800

On Tue, Jan 11, 2005 at 10:01:38AM -0500, Mark.Boltz () stonesoft com wrote:
One advantage of the Radware products is that they are true
appliances, and you can tightly lock down remote management protocols.

On BigIP units, the web-interface, SSH, and the serial console can 
all be disabled. Perhaps you should do your homework first :-)

providing reasonably secure options like SSH but not plain HTTP is a bit 
better, especially when they are not on by DEFAULT. Arg. When will vendors 
stop this nonsense? When the customers finally stop accepting it and 
DEMANDING better products!

They do it so that when sales engineers demo the units on site they can
say, "This does SSH, but you probably don't have putty on your Windows test
laptop here and there is also all that host key and user key mumble mumble.
I'll just use HTTP with a standard browser to show you the management
interface.  You should disable HTTP and use HTTPS after you've bought our
box, of course. Remember your site security policy and your threat model!"

If the boxen come up HTTPS-only by default then you get back all that stuff
about keys and trusted CAs and whatnot. Heaven forbid being unable to
access the management interface while demo'ing to the customer.


-- 
Ng Pheng Siong <ngps () netmemetic com> 

http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL for Zope, Blog
http://www.sqlcrypt.com -+- Database Engine with Transparent AES Encryption