Dailydave mailing list archives

Re: Yet another fascinating advisory!


From: Rodney Thayer <rodney () canola-jones com>
Date: Wed, 11 Feb 2004 11:41:20 -0800

At 11:44 AM 2/11/2004 -0500, The Dave wrote:

For those of you who weren't at my BlackHat talk in Seattle, one of the themes was that the management and monitoring 
software and other enterprise-level software that people install is rarely looked at, and highly vulnerable.

One of the debates we have when testing security gear for magazine
reviews is "how much should you look at the management interface".
Vendors have this quaint delusion that nobody will ever attack
them through "the management LAN".  So, for example, they don't
consider it a problem that Dave's cute little SSL attack toy
is quite good at knocking over the control processes in their
IDS.  Other vendors think it's perfectly reasonable to take
a stately 3-6 months to patch their Linux kernels, even though
their devices as shipped allow shell access into the box.  A third
vendor (not a major one, this time) found it quite shocking that I would
complain they were running a 2-year-old version of OpenSSH.

I think that in addition to testing your "gold build" you should
make sure that the same standards you apply to your external and internal
networks are applied to management networks.

In other words, don't be a wuss and tell me I can't run Canvas 
on the management backside of my Checkpoint box, because I just
might find something...
