“Yes,” I told him, “but the article you read probably only gave you part of the story.”
“Part of the story?” He sounded worried.
“Exactly. The rest of the story is that foreign-made security appliances are widely deployed on the networks of our country’s most sensitive government agencies and public utilities. And these appliances come pre-installed with default passwords – hidden backdoors that create all sorts of security holes.”
That’s right: security appliances – firewalls, intrusion detection, UTMs and the like – have little-known security issues that create very large vulnerabilities.
The Promise of Security Appliances
I don’t mean to suggest that appliances have no place in the enterprise, of course. They bring benefits that make it much easier for IT staff to manage the network.
Appliances come self-contained and preconfigured, helping you eliminate setup time and deploy essential security measures in your infrastructure more quickly. Even better, all the components of security appliances are already licensed and paid for when you receive them, meaning fewer paperwork hassles. Essentially, this means that there’s only “one throat to choke,” as we say, and no finger-pointing if any problems do arise.
The Ugly Truth
However, despite these advantages – and with rare exception – your “appliance” is primarily a collection of off-the-shelf software components that are available to – and exploitable by – anyone. It’s rare for an appliance vendor to document every off-the-shelf component – and every potential security hole – present on their equipment. We call this “security by obscurity,” which means that if there are no documented standards, there is no security.