Tuesday, February 5, 2008

Fine, I'll do it myself.

You may remember that I have vented about vendors dumping insecure products on us and being clueless about the dangers- or having the nerve to charge extra to secure the products they sell us.

What can you do about it? Fix it yourself, of course. Log into that multi-function printer, appliance, whatever and lock it down. Turn off unnecessary services, change default passwords (or add passwords to the really lame systems), do the things you already know to do.

But what about the stuff you can't fix? You know, the stuff you can't secure because it is controlled by the clueless vendor and you can't hack it due to some lease or maintenance agreement. That may still be relatively easy- isolate it, physically and/or logically. Maybe some network segmentation will do the trick- use VLANs or put the system(s) on a separate subnet- maybe you'll have to blow a few bucks on a cheap firewall/router to do what you need.

You could roll your own custom solution by hacking consumer hardware, but you may not need to spend that much time on this- an off-the-shelf broadband router can do a credible job of controlling traffic. Sure, it isn't perfect. And it is another device to secure and manage.

Maybe you have a whole rack of insecure, third-party gear stuck in a corner of your network; what then? The same, only more- give the rack its own switch and a single firewalled link to the network. Even a managed switch with a good set of ACLs will be an improvement over letting a bunch of questionable gear have unlimited access to your network. (In case you are wondering, this situation is fairly common in automotive retail and some other environments.)

You will probably have to monitor traffic to and from the device(s) being screened. Wireshark or Show Traffic running on a SPAN port should give you a pretty good idea of the traffic you will need to allow to and from the devices.
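As an added example (not from the original post), here is one way to turn what you see on the SPAN port into a starting allow-list for that single firewalled link: tally the flows involving the screened devices, emit iptables-style rules only for flows seen more than once, and put the one-off flows aside for a human to look at before anything is permitted. The flow records and addresses below are constructed; the hypothetical `summarize` and `build_acl` helpers assume the firewall only forwards the rack's traffic.

```python
from collections import Counter

# Constructed sample flows, as you might export from Wireshark's Conversations
# view: (src_ip, dst_ip, proto, dst_port). 10.0.50.x is the isolated rack.
SAMPLE_FLOWS = [
    ("10.0.50.10", "10.0.1.5", "tcp", 445),     # printer -> file server (scan to share)
    ("10.0.50.10", "10.0.1.5", "tcp", 445),
    ("10.0.50.10", "10.0.1.2", "udp", 53),      # DNS
    ("10.0.50.10", "10.0.1.2", "udp", 53),
    ("10.0.50.11", "10.0.1.2", "udp", 53),
    ("10.0.50.11", "203.0.113.9", "tcp", 443),  # vendor call-home, seen once
    ("10.0.1.40", "10.0.50.10", "tcp", 9100),   # workstation -> printer raw print
    ("10.0.1.40", "10.0.50.10", "tcp", 9100),
    ("10.0.1.40", "10.0.50.10", "tcp", 80),     # web admin page, seen once
    ("10.0.50.11", "10.0.1.50", "tcp", 22),     # SSH out of the rack: question this
]

# Addresses of the gear behind the single firewalled link (constructed).
SCREENED = {"10.0.50.10", "10.0.50.11"}


def summarize(flows, screened):
    """Count each distinct (src, dst, proto, port) that touches a screened device."""
    counts = Counter()
    for src, dst, proto, port in flows:
        if src in screened or dst in screened:
            counts[(src, dst, proto, port)] += 1
    return counts


def build_acl(counts, min_count=2):
    """Return (rules, review): iptables-style FORWARD rules for flows seen at least
    min_count times, plus the rarer flows as candidate rules for manual review.
    Ends with a default DROP, so anything not observed is blocked."""
    # Return traffic for allowed connections comes back via connection tracking.
    rules = ["-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    review = []
    for (src, dst, proto, port), n in sorted(counts.items()):
        rule = f"-A FORWARD -s {src} -d {dst} -p {proto} --dport {port} -j ACCEPT"
        (rules if n >= min_count else review).append(rule)
    rules.append("-A FORWARD -j DROP")  # default deny on the rack's link
    return rules, review


if __name__ == "__main__":
    allowed, needs_review = build_acl(summarize(SAMPLE_FLOWS, SCREENED))
    print("\n".join(allowed))
    print("# review before allowing:\n" + "\n".join(needs_review))
```

Raise `min_count` once you have a longer capture; a flow that shows up once in a week of traffic is exactly the kind of thing the isolation is meant to catch.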

Is this ideal? No. But you are moving forward, towards a more secure environment- and that is the idea.