by Thomas Powell

Please secure your security device

May 17, 2004

Time and again, it seems security products don’t address their own security as well as they could. While shipping a unit with admin/admin-style default credentials is a necessary fact of life, promoting a loose security stance in the administration of a device is unforgivable. Vendors of security-oriented products need to embrace the fact that hacking far too often comes from within the circle of trust.

An example of an overly trusting security stance was noted during this test: neither of the devices we tested enforced strong passwords, password aging or many other reasonable security features for their administration facilities. If these devices are to be trusted to terminate outside HTTP connections and keep hackers away from the Web servers behind them, they themselves become attack candidates.
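The checks the column says both appliances lacked are small to implement, as this added example shows. It is not code from either product or from the review; the account structure, the list of factory defaults and the thresholds (12 characters, three character classes, 90-day maximum age) are assumptions chosen to illustrate a sensible admin-console policy.

```python
"""Admin-credential policy check for a security appliance's management console.

Added example, not code from the reviewed products. The default-credential
list, the minimum length, the class count and the maximum age are assumed
values, not a vendor's published policy.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Factory defaults that must never remain in service (assumed list).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
MIN_LENGTH = 12          # assumed threshold
MAX_AGE_DAYS = 90        # assumed aging limit
REQUIRED_CLASSES = 3     # of: lower, upper, digit, symbol


@dataclass
class AdminAccount:
    username: str
    password: str
    last_changed: date


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


def policy_violations(account: AdminAccount, today: date) -> list[str]:
    """Return every policy violation for an admin account; an empty list means acceptable."""
    problems = []
    user, pw = account.username, account.password
    if (user.lower(), pw) in DEFAULT_CREDENTIALS:
        problems.append("factory default credential still in use")
    if len(pw) < MIN_LENGTH:
        problems.append(f"password shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < REQUIRED_CLASSES:
        problems.append(f"password uses fewer than {REQUIRED_CLASSES} character classes")
    if user.lower() in pw.lower():
        problems.append("password contains the username")
    if today - account.last_changed > timedelta(days=MAX_AGE_DAYS):
        problems.append(f"password older than {MAX_AGE_DAYS} days")
    return problems


if __name__ == "__main__":
    # Constructed sample accounts: the shipped default versus a rotated, strong one.
    today = date(2004, 5, 17)
    for acct in (AdminAccount("admin", "admin", date(2003, 1, 1)),
                 AdminAccount("admin", "Wr0ng-Way!Up-2004", date(2004, 4, 1))):
        print(acct.username, policy_violations(acct, today) or "ok")
```

Running the same check at every login, not only when the password is set, is what turns the aging rule into something an administrator cannot quietly ignore: an expired or still-default credential should force a change before the console does anything else.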

Obviously, they also might be open to compromise if they are poorly designed and/or administered. Hardened shells are helpful, but neither vendors nor users should assume it is impossible to reach the underlying system. When “magic key” command-line options exist to get at extra or undocumented features, it’s a foreseeable next step that a backdoor entrance for device upgrade or maintenance also might be available. What’s going to happen when exploits for specific application firewall implementations and their command references are published out in the open?

As intruders inevitably turn to attacking application firewalls, we need to take advantage of their lack of familiarity with these products to lock down and camouflage these devices. Simple reconnaissance countermeasures, such as rewriting the Server header, might partially disguise the back-end server. But that just isn’t enough, particularly given that the devices themselves leave obvious tell-tale signatures in HTTP responses, cookie names and error pages. If the operating system version of the appliance is easily found using Nmap, you’ve got to start worrying.
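To see why a rewritten Server header alone does not hide an appliance, here is an added example (not from the review or any vendor) that fingerprints a front end from exactly the leaks the paragraph lists: cookie names, extra response headers and error-page text. The product name “ExampleFW” and its signature table are invented placeholders, and the two HTTP responses are constructed for the example.

```python
"""Fingerprint a Web front end from leaks that survive Server-header rewriting.

Added example, not code from the review or from any vendor. The signature
table is hypothetical: "ExampleFW", its cookie name, its extra header and its
block-page wording are placeholders standing in for a real appliance's tells.
"""
import re

# Hypothetical signature table keyed by an illustrative product name.
SIGNATURES = {
    "ExampleFW": {
        "cookies": {"EXAMPLEFW_SESSION"},
        "headers": {"x-examplefw-node"},
        "error_page": re.compile(r"blocked by examplefw", re.I),
    },
}


def parse_response(raw: str) -> tuple[dict[str, list[str]], str]:
    """Split a raw HTTP response into (headers, body); repeated headers are kept."""
    head, _, body = raw.partition("\r\n\r\n")
    headers: dict[str, list[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


def cookie_names(headers: dict[str, list[str]]) -> set[str]:
    """Names of every cookie the response tries to set."""
    return {c.split("=", 1)[0].strip() for c in headers.get("set-cookie", [])}


def fingerprint(raw: str) -> dict[str, list[str]]:
    """Return the evidence found per product; an empty dict means nothing recognised."""
    headers, body = parse_response(raw)
    found: dict[str, list[str]] = {}
    for product, sig in SIGNATURES.items():
        evidence = []
        for name in sorted(cookie_names(headers) & sig["cookies"]):
            evidence.append(f"cookie {name}")
        for name in sorted(sig["headers"] & set(headers)):
            evidence.append(f"header {name}")
        if sig["error_page"].search(body):
            evidence.append("error page text")
        if evidence:
            found[product] = evidence
    return found


# Constructed response: the Server header has been rewritten to look like a
# plain Apache origin, yet the cookie, an extra header and the block page
# still name the appliance.
DISGUISED = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Server: Apache/1.3.29\r\n"
    "Set-Cookie: EXAMPLEFW_SESSION=abc123; path=/\r\n"
    "X-ExampleFW-Node: fw01\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Request blocked by ExampleFW policy 12</body></html>"
)

# Constructed response with no appliance tells at all.
CLEAN = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/1.3.29\r\n"
    "Set-Cookie: JSESSIONID=x; path=/\r\n"
    "\r\n"
    "<html>ok</html>"
)

if __name__ == "__main__":
    print(fingerprint(DISGUISED))  # names ExampleFW from three separate leaks
    print(fingerprint(CLEAN))      # {}
```

The practical lesson is the one the column draws: camouflage has to cover every channel the device writes into the response, so an administrator should request a blocked page, a malformed request and a normal page through the appliance and run a check like this over all three before assuming the back end is disguised.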

Of course we don’t need Nmap to tell us that many Web appliances are just modified Linux systems, often administered through PHP-based Web consoles. We probably could guess that, but let’s not make the belief that the device can be hacked any more tempting. While I think most application firewalls have far better security than a typical origin Web server, ironically these devices could stand improvement in their own security practices, and administrators should always remember to secure their own security devices.

Back to review: Application firewall appliances