How Secure Is That Security Appliance?

By | March 20, 2013

Posted in: Network Security Trends

The trusted firewall that is guarding your network may not be as secure as advertised.

In a recently released white paper (PDF) titled "Hacking Appliances: Ironic exploits in security products," Ben Williams, a penetration tester for the NCC Group, discovered that roughly 80% of the security products he tested had vulnerabilities which enabled the appliance to be compromised in some way. Williams wrote that while many assume the security device they've employed has been tested and fortified, that, in fact, might not be the case.

Williams tested the latest versions of a wide range of products from various vendors (Citrix, Sophos, Trend Micro, Symantec and others), including firewalls, antispam and antivirus filtering for email and remote access gateways. He found that most of the vulnerabilities encountered were in the web-based user interface (UI) of the product, which left them open to automated password attacks due to a lack of brute force protection.

John Grady, Research Manager, Security Products at leading research firm IDC, told Security Bistro that he wasn't surprised to learn that the UI was the gateway to many of the vulnerabilities. He said that limiting the exposure of management interfaces to the Internet is always a best practice and a great way to limit risk.

In addition to the UI issues, almost all of the products tested were also vulnerable to cross-site scripting (XSS), and most lacked a hardened underlying operating system, which, while deemed a low-severity issue, could allow an attacker to perform reconnaissance on an appliance and discover potential flaws, according to Williams' research.

In an interview with the IDG News Service, Williams elaborated on his findings, stating that "most tested appliances were actually poorly maintained Linux systems with outdated kernel versions, old and unnecessary packages installed, and other poor configurations. Their file systems were not 'hardened' either, as there was no integrity checking, no SELinux or AppArmor kernel security features, and it was rare to find non-writeable or non-executable file systems."
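As an added example (not code from Williams' paper or from this article), the POSIX shell audit below checks for two of the hardening gaps the quote names: mounts that are both writable and executable, and whether SELinux or AppArmor is actually enforcing. The root-prefix parameter of mac_status and the sample mount listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: audits an appliance for writable+executable mounts and
# for the absence of SELinux/AppArmor enforcement.

# Mount points that must stay writable on any Linux system; skipped.
SKIP_MOUNTPOINTS="/proc /sys /dev /run /tmp /var/log"

# audit_mounts: reads /proc/mounts-style lines on stdin, prints one
# "rw+exec" line per mount that is neither ro nor noexec, then FINDINGS=<n>.
audit_mounts() {
    findings=0
    while read -r _dev mnt fstype opts _rest; do
        case " $SKIP_MOUNTPOINTS " in *" $mnt "*) continue ;; esac
        case ",$opts," in *,ro,*|*,noexec,*) continue ;; esac
        printf 'rw+exec %s %s (%s)\n' "$mnt" "$fstype" "$opts"
        findings=$((findings + 1))
    done
    printf 'FINDINGS=%s\n' "$findings"
}

# mac_status: reports the active mandatory access control system under an
# optional root prefix (hypothetical parameter; lets the check run on a test tree).
mac_status() {
    root=${1:-}
    if [ -r "$root/sys/fs/selinux/enforce" ]; then
        if [ "$(cat "$root/sys/fs/selinux/enforce")" = "1" ]; then
            echo selinux-enforcing
        else
            echo selinux-permissive
        fi
    elif [ -r "$root/sys/module/apparmor/parameters/enabled" ] \
        && [ "$(cat "$root/sys/module/apparmor/parameters/enabled")" = "Y" ]; then
        echo apparmor
    else
        echo none
    fi
}

# Constructed sample resembling an appliance's /proc/mounts: root and the
# application partition are rw+exec, /usr is read-only squashfs, /var is noexec.
SAMPLE_MOUNTS='rootfs / ext4 rw,relatime,data=ordered 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /usr squashfs ro,relatime 0 0
/dev/sda3 /var ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda4 /opt/appliance ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0'

printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts   # two rw+exec lines, then FINDINGS=2
echo "MAC: $(mac_status)"                        # live host; run "audit_mounts </proc/mounts" there too
```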

Grady said that while these issues are indeed a concern, vendors can sometimes be caught off guard.

"When we think about flaws like this and zero-day exploits, I think vendors typically are in the dark like everyone else. The researchers looking for stuff like this have a different focus than the vendor side," Grady said. "In the end, it's the vendor's response to announcements like this that matters more than the fact that a vulnerability was present in the first place."

Williams found that products that undergo regular third-party security testing improve over time. However, he was surprised to find a small number of vendors that seemed unable to understand the significance of some issues, or to produce fixes in a reasonable timeframe. There was a large disparity, with some vendors fixing all issues within 3 months and other vendors not addressing very similar issues after nearly a year, he wrote.

This is why Grady said he believes the onus is on the SMB to conduct a thorough evaluation to make certain the security device they're considering will perform as needed.

"Being armed ahead of time with this type of research that names some of the specific vendors and the threats will enable organizations to have a conversation around what the vulnerabilities are, whether the vendor has addressed them and, if not, why, and how to configure the device properly to prevent vulnerabilities from being exploited," Grady added.

In the end, Grady believes that while flaws like these can be dangerous, these issues aren't limited to security appliances.

"This isn't specific to security products, it's just that customers wrongly assume that security products are themselves secure. Which can lead to obvious problems if they're not," he said.
