Firewall Wizards mailing list archives

RE: question on securing out-of-band management (ver. 2)


From: "golovast" <golovast () yandex ru>
Date: Wed, 8 Feb 2006 13:24:41 +0300 (MSK)

golovast wrote:
If the appliance is essentially an SSL proxy, the problem is that the traffic 
between the appliance and the servers is not encrypted.

That's pretty much par for the course; most networks built with
front-end SSL processors have a relatively short wire between
the front-end processor and back-end server. So it's generally
considered OK for that data to be in the clear since it's
usually going through a switch in the same rack locked in
the same data center.

I was leaning this way. The logic that I tried to use is that
if the switch is compromised, which is what will need to happen
in order for someone to sniff the traffic, the company will have
bigger concerns at that point regardless. If that event
does happen, a potential intruder is more or less in control
of the network. 

At the same time, I do want to make sure that customer
data is protected and that the risk, however slight, is offset
by the gains. 


I wanted to ask if the people who read this list would consider using an 
appliance a secure configuration?

"appliance" is a marketing term. 

It is. I probably should have called it an SSL proxy, which would be more accurate. 

Obviously, you'd want to
learn what you could about whether the front-end SSL
processor was capable of protecting itself.

Most products are proprietary and often all I have to go on is 
manufacturer's word and reputation. I can also look at security
advisories, but just like they say about the markets, 
"past performance does not guarantee future results"..=]

The device can be FIPS compliant, but that
only tells me about their cryptography, not necessarily the 
device itself. 




mjr. 



Thanks for the advice, mjr. 

