Firewall Wizards mailing list archives

Re: question on securing out-of-band management (ver. 2)


From: Dave Piscitello <dave () corecom com>
Date: Tue, 07 Feb 2006 22:27:19 -0500

We know that there are vast differences between operating systems - even within a single OS, which executables are included, what the OS will serve as a platform for, and how the OS is configured. There are similarly vast differences in appliances. Some appliance vendors use commercial OSs and do a pathetic job of customizing and hardening; others thoughtfully approach the task of securing the OS and end up with as secure a system as even the most expert admins on this list might manage to deploy.

So asking "would I consider a topology where I employ security appliances a secure configuration?" is too general.

To answer your question, "it depends on how secure the appliance proves to be".

My philosophy is simple: if you're going to buy an appliance, you ought to treat the purchase as thoughtfully as you would if you were hardening an OS (and proxies, of course) yourself. You don't shop off eBay for a PIX :-) and then put it into production by modifying the last working config that the prior owner failed to erase from the box (ah, the stories I could tell). Instead, you talk with the developers and other users who have experience with the appliance in deployments similar to how you intend to use it. Learn everything you can about the design/architecture/test methodology of the appliance. Cruise through vulnerability/exploit lists. Beat on it yourself (I don't know too many vendors who won't part with a unit for a few weeks).

Maybe I'm overly fortunate, and some folks will say, "I can't get gear as easily as you." The reason I get boxes fairly easily is that I give something back. If I beat on a box and it disappoints, I explain why. If the vendor is foolish, they get huffy and learn nothing. If the vendor is smart, I have to be careful not to get stuck with the damned thing while they hurry to fix what I've identified (hint: always ask for an RMA and send your negative comments back when you've returned the unit, i.e., BEFORE they ask you to try it again :0) ). Most vendors are desperate to find folks who'll help them make their appliance better. If you are fortunate enough to work with cooperating, earnest vendors and behave in this manner, you become an A-list customer no matter how many units your company will buy.


---------
N.B. In an earlier email, Marcus included me on his short list of outliers, folks who don't "trade for the perception of performance over the perception of security.(*)" Flatterer!

Marcus J. Ranum wrote:
> golovast wrote:
>> If the appliance is essentially an SSL proxy, the problem is that the traffic between the appliance and the servers is not encrypted.
>
> That's pretty much par for the course; most networks built with
> front-end SSL processors have a relatively short wire between
> the front-end processor and back-end server. So it's generally
> considered OK for that data to be in the clear since it's
> usually going through a switch in the same rack locked in
> the same data center.
>
>> I wanted to ask if the people who read this list would consider using an appliance a secure configuration?
>
> "appliance" is a marketing term. Obviously, you'd want to
> learn what you could about whether the front-end SSL
> processor was capable of protecting itself.
>
> mjr.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
