One thing I’ve noticed about these enterprise networking products like firewalls, managed routers and physical VPN gateways is that their software never seems to be written with security in mind. Why is there a Python interpreter available, capable of executing arbitrary code, on a security-focused, network-exposed device at all?
As usual it comes down to bad incentives: people don’t tend to want a minimum set of features that would reduce actual attack surface. They want to be able to pretend they can just plug things in and they will work, and so you end up in a weird place where security products have the same development mindset of adding more and more features to support every possible client’s use case. It’s sort of an open “secret” that enterprise security products are often some of the most insecure and over-privileged systems, which makes them perfect targets for attackers.
You aren’t wrong, but I have a very slightly different perspective, I guess. In my experience, the core product the company came up with (e.g. the actual firewall) is often very well designed and secured, but for many reasons customers are demanding more be packed into single points. So the firewall is done by the real experts, but the pretty management UI, or the bolt-on IDS/IPS, or the layered proxy, or whatever, is done by the “B-team” and that’s where things go off the rails.
You are also very right, but as I always say on red team engagements: attackers don’t care what department made which component. Surface area is surface area to someone bug hunting, and it’s pretty important to look at systems holistically, which everyone struggles with and unfortunately drags projects down to the low-water point when things like this bubble up. I always joke that I care very little for flashy exploits when I can type Spring2024! to bypass everything; the low-hanging fruit is the juiciest.
As someone who works in the defensive side of infosec, this mindset is putting my kids through college.