Firewall Wizards mailing list archives
RE: question on securing out-of-band management (ver. 2)
From: "golovast" <golovast () yandex ru>
Date: Wed, 8 Feb 2006 13:24:41 +0300 (MSK)
> golovast wrote:
>> If the appliance is essentially an SSL proxy, the problem is that the traffic between the appliance and the servers is not encrypted.
>
> That's pretty much par for the course; most networks built with front-end SSL processors have a relatively short wire between the front-end processor and back-end server. So it's generally considered OK for that data to be in the clear since it's usually going through a switch in the same rack locked in the same data center.
I was leaning this way. The logic that I tried to use is that if the switch is compromised, which is what would need to happen in order for someone to sniff the traffic, the company will have bigger concerns at that point regardless. If that event does happen, a potential intruder is more or less in control of the network. At the same time, I do want to make sure that customer data is protected and that the risk, however slight, is offset by the gains.
>> I wanted to ask if the people who read this list would consider using an appliance a secure configuration?
>
> "appliance" is a marketing term.
It is. I probably should have called it an SSL-proxy which would be more accurate.
> Obviously, you'd want to learn what you could about whether the front-end SSL processor was capable of protecting itself.
Most products are proprietary, and often all I have to go on is the manufacturer's word and reputation. I can also look at security advisories, but just like they say about the markets, "past performance does not guarantee future results". =] The device can be FIPS compliant, but that only tells me about their cryptography, not necessarily the device itself.
> mjr.
Thanks for the advice, mjr.