Time and again, it seems security products don’t address their own security as well as they could. While shipping a unit with admin/admin style access is a necessary fact of life, promoting a loose security stance in the administration of a device is unforgivable. Vendors of security-oriented products need to embrace the fact that hacking far too often comes from within the circle of trust.

An example of an overly trusting security stance was noted during this test when we found that neither of the devices we tested enforced strong passwords, aging or many other reasonable security features for their administration facilities. If these devices are to be trusted to terminate the outside HTTP connections to keep hackers from the end Web servers, they might become attack candidates.

Obviously, they also might be open to compromise if they are poorly designed and/or administered. Hardened shells are helpful, but neither vendors nor users should assume it is impossible to access the underlying system. When “magic key” line options exist to get at extra or undocumented features, it’s a foreseeable next step that a backdoor entrance for device upgrade or maintenance also might be available. What’s going to happen if application firewall implementation exploits and command references are published out in the open?

As intruders inevitably turn to attack application firewalls, we need to take advantage of their lack of familiarity with these products to lock down and camouflage these devices. Simple reconnaissance countermeasures – like server header modification – might partially disguise the back-end server. But that just isn’t enough, particularly given that the devices themselves provide obvious tell-tale signatures in HTTP responses, cookie names and error pages. If the operating system version of the appliance is easily found using NMAP, you’ve got to start worrying.
Of course we don’t need NMAP to tell us that many Web appliances are just modified Linux systems often administered by PHP-based Web consoles. We probably could guess that, but let’s not make the belief that the device can be hacked any more tempting. While I think most application firewalls have far better security than a typical origin Web server, ironically these devices could stand improvement in their own security practices, and administrators should always remember to secure their own security devices.
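As an added illustration (not part of the original article or any vendor's tooling), the following Python sketch audits a captured response from your own appliance for the three kinds of tell-tale signatures named above: HTTP response headers, cookie names and error pages. The "ExampleWAF" product name, its header prefix, its cookie prefix and the sample response are all constructed placeholders.

```python
import re

# Constructed placeholder signatures for a hypothetical "ExampleWAF" appliance;
# replace them with strings your own device is known to emit.
HEADER_SIGS = [re.compile(r"^x-examplewaf-", re.I)]
COOKIE_SIGS = [re.compile(r"^EXWAFSESS", re.I)]
BODY_SIGS = [re.compile(r"ExampleWAF", re.I)]
# Product/version tokens such as "name/1.2.3" in headers that commonly carry them.
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d+(\.\d+)+")
VERSION_HEADERS = {"server", "x-powered-by", "via"}


def audit_response(raw):
    """Return (location, evidence) pairs for identifying strings in one raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    findings = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if any(sig.search(name) for sig in HEADER_SIGS):
            findings.append(("header", name))
        if name.lower() in VERSION_HEADERS and VERSION_RE.search(value):
            findings.append(("version", f"{name}: {value}"))
        if name.lower() == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            if any(sig.search(cookie_name) for sig in COOKIE_SIGS):
                findings.append(("cookie", cookie_name))
    for sig in BODY_SIGS:
        match = sig.search(body)
        if match:
            findings.append(("body", match.group(0)))
    return findings


# Constructed sample: the Server header has been masked, yet a custom header,
# the session cookie name and the block page still identify the device.
SAMPLE_BLOCK_PAGE = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Server: Apache\r\n"
    "X-ExampleWAF-Node: 2\r\n"
    "Set-Cookie: EXWAFSESS01=abc123; Path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Request blocked</h1><p>ExampleWAF</p></body></html>"
)

if __name__ == "__main__":
    for location, evidence in audit_response(SAMPLE_BLOCK_PAGE):
        print(f"{location:8} {evidence}")
```

Running the audit against both normal pages and the block or error pages of a device you administer shows whether masking the Server header alone has actually removed its fingerprint.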