S 4.434 Secure use of appliances

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

Devices that have been designed especially for one application scenario, e.g. for use as a firewall, router, packet filter, NAS or VoIP system, are referred to as appliances. The advantage is that hardware and software are optimally matched to each other and that procedures which are sometimes complex are easy for users to understand. In most cases the configuration has already been carried out largely by the manufacturer. Appliances are often delivered ready to operate and can be put into operation after entering just a few basic settings, so they are generally easy to install and operate. On the other hand, the configuration of appliances is less flexible and therefore offers fewer options for adapting them to individual requirements than a solution individually assembled from IT components (by the organisation itself or by a service provider).

Self-built devices, such as a firewall, can in contrast often be installed on commercially available hardware with standard operating systems and suitable software components. They therefore offer a high degree of flexibility and are suitable for numerous applications. However, installing and integrating the required components is error-prone. A further disadvantage is that support requests usually have to be directed to several different contacts, one for each component (e.g. for the hardware, the operating system and the software).

In the following, several advantages and disadvantages of appliances are summarised and compared:

Advantages:
  • Simple installation, little time required up to the initial operation
  • Little time and expense required for configuration, low complexity
  • Building of specific knowledge only required to a limited extent for operation
  • Simplified configuration, since appliances often offer administration interfaces
  • Appliances often support automatic updates of the provided functions
  • Compared to solutions based on IT components assembled for the application scenario, higher level of reliability, since appliances often contain fewer "moving parts" (e.g. hard disk or fan) than normal computers

Disadvantages:
  • Limited extension possibilities of the proprietary hardware and software
  • In case of defects, it might be necessary under certain circumstances to replace the entire system
  • Long downtimes if the device must be sent back to the manufacturer in case of an error. If necessary, a replacement device must be purchased and held in reserve as "cold standby".
  • It is difficult to check how well the security mechanisms have been implemented in the devices.
  • Little information is available on the secure configuration and secure operation of special products (in addition to the information provided by the manufacturer). This is particularly problematic when the manufacturer discontinues support.
  • Some appliances are used only relatively rarely. In this case, there might be only a few consultants and/or service providers for administration.

The reasons for taking the decision to use appliances as well as for choosing certain devices should be documented.

Installation, configuration and data backup

Appliances are often delivered with a pre-installed operating system, referred to as firmware. It is usually located in fixed flash memory, for some appliances also on hard disks or exchangeable memory cards. Since the pre-installed firmware was copied to the device during production, and because a long time can often pass between production and initial operation, the pre-installed firmware is generally outdated when the device is first taken into operation and newer firmware versions are available. Following the manufacturer's instructions, a firmware update should therefore be performed prior to the initial operation of the appliance. The firmware version to be installed must come from a trusted source, see S 4.177 Assuring the integrity and authenticity of software packages.
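The following Python script is an added example and not part of the safeguard text or of any manufacturer's tooling. It shows the check an administrator performs before applying the firmware update described above: the downloaded image is hashed in chunks, compared with the manufacturer's published checksum manifest (assumed here to be in the common `sha256sum` format), and rejected if the version is not newer than the installed firmware. The firmware bytes and the manifest lines are constructed for the example; a real manifest must itself be obtained over an authenticated channel.

```python
"""Verify a downloaded appliance firmware image against the manufacturer's
published checksum manifest before installing it (added example)."""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample: a fake firmware image. Real images come from the
# manufacturer; the manifest must be fetched over an authenticated channel.
FIRMWARE_BYTES = b"constructed-firmware-image-v2.4.1\n" * 1024


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large firmware images are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse 'sha256hex  filename' lines (sha256sum format) into {filename: hex}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"([0-9a-fA-F]{64})\s+\*?(\S+)", line)
        if not m:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[m.group(2)] = m.group(1).lower()
    return entries


def parse_version(name):
    """Extract a dotted version such as 2.4.1 from a filename or version string."""
    m = re.search(r"(\d+(?:\.\d+)+)", name)
    if not m:
        raise ValueError(f"no version found in {name!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def verify_firmware(image_path, manifest_text, installed_version):
    """Return (ok, reason). ok is True only if the image hash matches the
    manifest entry for its filename and the version is newer than installed."""
    manifest = parse_manifest(manifest_text)
    name = Path(image_path).name
    if name not in manifest:
        return False, f"{name} is not listed in the manifest"
    if sha256_file(image_path) != manifest[name]:
        return False, "checksum mismatch: image altered or download corrupt"
    if parse_version(name) <= parse_version(installed_version):
        return False, "image is not newer than the installed firmware (possible downgrade)"
    return True, "ok"


def demo():
    """Run the check against a good manifest, a wrong manifest and a same-version image."""
    with tempfile.TemporaryDirectory() as d:
        image = Path(d) / "appliance-fw-2.4.1.bin"
        image.write_bytes(FIRMWARE_BYTES)
        good = f"{hashlib.sha256(FIRMWARE_BYTES).hexdigest()}  appliance-fw-2.4.1.bin\n"
        bad = "0" * 64 + "  appliance-fw-2.4.1.bin\n"
        return (
            verify_firmware(image, good, "2.3.0")[0],  # accepted
            verify_firmware(image, bad, "2.3.0")[0],   # rejected: hash mismatch
            verify_firmware(image, good, "2.4.1")[0],  # rejected: not newer
        )


if __name__ == "__main__":
    print(demo())
```

The hash comparison only proves that the image matches what the manufacturer published; whether that publication itself is authentic is the subject of S 4.177, which is why the manifest (or a signature over it) must be obtained from a trusted source.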

Appliances are generally configured using web interfaces, via Telnet/SSH, SNMP or proprietary protocols. Depending on the product and manufacturer, configuration tools are offered which can be installed on another IT system to configure one or several appliances. For each of these configuration options, it should be ensured that the communication cannot be read or changed by third parties when the configuration is carried out via the network. Therefore, the configuration should only be carried out over protected connections, i.e. encrypted or via a separate configuration network.

In general, appliances are delivered with preset passwords. They should be changed immediately (S 4.7 Change of preset passwords) and stored in a suitable manner (S 2.22 Escrow of passwords).

After the configuration has been completed, the configuration settings should be backed up to ensure that a device identical in construction can be taken into operation promptly when a failure occurs. If the configuration of an appliance is changed during operation, the configuration settings should be backed up again and the changes documented.
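As an added example (not part of the safeguard text and not based on any particular product), the following Python code shows how the backup and change documentation required above can be supported: a configuration dump is wrapped in a record with device name, timestamp and SHA-256 hash so that its integrity can be checked later, and two dumps are compared to produce the list of added, removed and changed settings for the change record. The dumps are constructed `key = value` text modelled on the export format many appliances offer; the keys and addresses are examples only.

```python
"""Back up an appliance configuration dump and document the changes between
two backups (added example)."""
import difflib
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample configuration dumps (key = value lines). Not real
# product output; the addresses are from the documentation range 192.0.2.0/24.
CONFIG_BEFORE = """\
hostname = fw-edge-01
ntp.server = 192.0.2.10
syslog.server = 192.0.2.20
admin.password = <redacted>
rule.10 = permit tcp any 192.0.2.0/24 443
rule.20 = deny ip any any
"""
CONFIG_AFTER = """\
hostname = fw-edge-01
ntp.server = 192.0.2.10
syslog.server = 192.0.2.21
admin.password = <redacted>
rule.10 = permit tcp any 192.0.2.0/24 443
rule.15 = permit tcp any 192.0.2.5 22
rule.20 = deny ip any any
"""


def parse_config(text):
    """Parse 'key = value' lines into a dict; blanks and '#' comments are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def make_backup_record(text, device, taken_at=None):
    """Wrap a configuration dump with the metadata needed to identify the
    backup and to verify later that it has not been altered."""
    taken_at = taken_at or datetime.now(timezone.utc).isoformat()
    return {
        "device": device,
        "taken_at": taken_at,
        "sha256": hashlib.sha256(text.encode()).hexdigest(),
        "config": text,
    }


def config_changes(old_text, new_text):
    """Return added, removed and changed keys between two dumps: the
    material for the change documentation the safeguard asks for."""
    old, new = parse_config(old_text), parse_config(new_text)
    return {
        "added": {k: new[k] for k in new.keys() - old.keys()},
        "removed": {k: old[k] for k in old.keys() - new.keys()},
        "changed": {k: (old[k], new[k]) for k in old.keys() & new.keys()
                    if old[k] != new[k]},
    }


def unified_diff(old_text, new_text):
    """Line-oriented diff of two dumps, suitable for attaching to a change record."""
    return "".join(difflib.unified_diff(
        old_text.splitlines(keepends=True), new_text.splitlines(keepends=True),
        "before.cfg", "after.cfg"))


if __name__ == "__main__":
    record = make_backup_record(CONFIG_AFTER, "fw-edge-01")
    print(json.dumps({k: v for k, v in record.items() if k != "config"}, indent=2))
    print(json.dumps(config_changes(CONFIG_BEFORE, CONFIG_AFTER), indent=2))
    print(unified_diff(CONFIG_BEFORE, CONFIG_AFTER))
```

Because the backup contains the complete configuration, including any credentials the appliance exports, the stored record needs the same protection as the appliance itself; exporting secrets in redacted form, as in the sample, is preferable where the product allows it.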

Logging

Events that must be logged frequently occur on appliances. However, appliances often do not have enough storage space to save log files, or their memory type is not suited to continuous write operations. It is therefore recommended to store the events on a dedicated IT system, usually a separate logging server. Additional information can be found in S 5.22 Logging.

Secure withdrawal from operation

If appliances are to be replaced or taken out of operation, then all security-related information must be deleted from the devices. Depending on the application scenario, such information can, for example, include

Deleting such information can be more difficult for appliances than for normal IT systems. For appliances, the approach depends on where and how the data is stored, i.e. whether it is on an installed hard disk or in non-volatile memory. The devices often provide a "factory reset" option that resets all configuration settings to the values set at the factory before delivery. It should nevertheless be checked whether the data was actually deleted or reset, and whether certain data or files are still present after a "factory reset".
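The check called for above can be partly automated where the appliance can export its configuration after the reset. The following Python code is an added example, not part of the safeguard text, and assumes an export in `key = value` form. Each exported line that does not match the manufacturer's documented factory defaults is reported, together with the reason it is suspicious: an organisation-specific value (here an address from the constructed internal range 192.0.2.0/24), a key that names a credential or key, or a PEM-encoded certificate or key. The baseline, the post-reset dump and the markers are all constructed for the example.

```python
"""After a 'factory reset', check the configuration exported from the
appliance for data that should no longer be present (added example)."""
import re

# Constructed sample: the manufacturer's documented factory defaults and
# the configuration the appliance exports after the reset. Not real output.
FACTORY_BASELINE = """\
hostname = appliance
admin.password = admin
ntp.server = pool.ntp.org
"""
POST_RESET_DUMP = """\
hostname = appliance
admin.password = admin
ntp.server = pool.ntp.org
syslog.server = 192.0.2.20
vpn.psk = s3cr3t-shared-key
ca.cert = -----BEGIN CERTIFICATE-----MIIB...
"""

# Organisation-specific markers that must not survive a reset (constructed:
# the internal address range and the organisation's DNS domain).
ORG_MARKERS = [
    re.compile(r"\b192\.0\.2\.\d{1,3}\b"),
    re.compile(r"\.example\.org\b"),
]
# Generic indicators that a key holds credentials or cryptographic material.
SENSITIVE_KEYS = re.compile(r"(psk|password|secret|key|cert|token)", re.I)
PEM_BLOCK = re.compile(r"-----BEGIN [A-Z ]+-----")


def residual_items(post_reset, baseline, org_markers=ORG_MARKERS):
    """Return [(key, [reasons])] for every exported line that is not an
    exact factory default. A line identical to a baseline line is expected
    and skipped; everything else is residual data that a reset left behind."""
    baseline_lines = {l.strip() for l in baseline.splitlines() if l.strip()}
    findings = []
    for line in post_reset.splitlines():
        line = line.strip()
        if not line or line in baseline_lines:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        reasons = []
        if any(m.search(line) for m in org_markers):
            reasons.append("organisation-specific value")
        if SENSITIVE_KEYS.search(key) and value:
            reasons.append("credential, key or certificate")
        if PEM_BLOCK.search(value):
            reasons.append("PEM-encoded certificate or key")
        findings.append((key, reasons or ["not a documented factory default"]))
    return findings


def report(post_reset=POST_RESET_DUMP, baseline=FACTORY_BASELINE):
    """Human-readable summary; an empty list of findings means the export
    contains nothing beyond the documented defaults."""
    findings = residual_items(post_reset, baseline)
    lines = [f"{key}: {', '.join(reasons)}" for key, reasons in findings]
    return "\n".join(lines) if lines else "no residual settings found"


if __name__ == "__main__":
    print(report())
```

A clean export is necessary but not sufficient: the export only shows what the firmware chooses to present, so files on an internal hard disk or memory card, and data the firmware no longer references but has not overwritten, remain a reason for the physical destruction discussed below where the information is particularly critical.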

If information particularly critical to security is stored on the device and it cannot be guaranteed with sufficient certainty that the data really was deleted, then it may be necessary to physically destroy the memory modules or hard disks and/or to render them unusable.

Appliances are often labelled on the outside with IP addresses, host names or other technical information. These labels should also be removed before disposal.

Review questions: