Use SSL wisely

I am beginning to dislike SSL. It should not be used to pass management traffic in a secure environment, so why do people try and do it?

If you are building a robust infrastructure with security devices in place to review traffic and inspect the contents then please do not choose to encrypt the management traffic from edge devices to central syslog servers or management information collectors. You may as well stand outside and start ripping $100 bills into pieces.  You will never see the compromise coming and may never even know it occured if it is any good.

Advertisements

~ by Simon Hancock on October 26, 2008.

2 Responses to “Use SSL wisely”

  1. Hey Si, can you expand upon this a little bit more? – for example are you suggesting that you should not encrypt management sessions to devices such as routers / firewalls – or – not encrypt log data that might be sent to a centralised server (such as SYSLOG) – what is the reasoning behind this? Is there for example a situation where mailformed data is in the SYSLOG communication? – what about the mitigating the internal threat of a “savvy” user snooping the syslog data as open text.
    I guess I am trying to see where this fits into the overall picture.

  2. Hi Andy, so some additions to this should include the following.

    Yes securing management traffic is a good thing but this can be achieved in better ways. For example the use of management VLANs for a start to ensure that all management based information is separated from normal traffic. While these are not considered an assured barrier they do assist in the reduction of risk.

    Secondly if you cannot encrypt the data at source and then transmit to the destination you could create and encrypted pipe between the source and the destination only if you are taking appropriate measures to scan the traffic. If you have a suitable device on the network then you can easily terminate the SSL tunnel on the incoming interface and create a new tunnel on the final leg to the centralised server.

    It should be considered that many of these centralised audit platforms are COTS (commercial off the shelf) products and as such are the target for exploits as they can help erase or mask activities.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: