Pardon me while I grep this box: Mainstream OSes in your appliances make infrastructure easier to manage, but are they safe?

I was watching over the engineer’s shoulder while he demonstrated the management interface for an infrastructure product. It was a CLI (command line interface), but it brought back a lot of memories. “Say,” I said, as there was a break in the conversation, “that command line looks a lot like …”

The engineer looked up at me. “We like to think of it as POSIX-like,” he said.

While I can’t divulge just yet which company made the product, or even what exactly the product was, it’s no secret to say that I was surprised to see a Unix-derived OS embedded into infrastructure. Still, it was a cool idea, and it certainly made it easier to navigate and use.

But I wondered (aloud as it turned out) — what had they done about security? The engineer assured me that the designers had already taken security into account. “Besides,” he said, “it’s an embedded OS. What can they do, even if someone finds an exploit?”

The answer to that, unfortunately, is plenty. Cisco had to upgrade a large number of its switches after a worm was released that could exploit IOS, the Cisco embedded OS. Even if this particular product is indeed as well-protected as its engineers say it is, that doesn’t mean danger is not lurking elsewhere.

For the last couple of years, I’ve been reviewing network appliances of one sort or another that use mainstream operating systems, usually covertly. Because the companies that make these appliances frequently don’t advertise what’s inside their boxes, it’s up to the end-user to figure it out, looking for answers from the manufacturer if necessary.

The reason is obvious. Let’s suppose the appliance you have running your intrusion detection system (for example) runs Linux. A new Linux worm appears. Are you protected, just because it’s an appliance? It depends: Most manufacturers say that the OS is “hardened,” but what does that mean? You’ll rarely, if ever, find an explanation. Suppose your appliance runs Windows (some do) and you know it because of the Windows logo and the license sticker on the back. How do you make sure your appliance has the latest patches?

And that’s the problem. You could have vulnerabilities that you don’t know about, and don’t even suspect, because you can’t see inside those appliances. Imagine, for example, finding out that your NAS appliance is infected with Nachi, and that is what’s bringing down your network. How do you explain that? More importantly, what do you do about it?

First, don’t just buy an appliance or infrastructure product without knowing what’s in it. Demand that the underlying OS be disclosed to you. When you find out what’s there, find out how to apply patches. If the company claims the appliance is “hardened,” find out what they mean by that and how it was tested and proven. Don’t buy the “just trust us” response you’re likely to hear. After all, it’s not the company selling you that cool gear that has to deal with the worm when it arrives — it’s you.