
SWG Console access restriction

Created: 23 July 2012 | 6 comments
SMLatCST's picture
4 Agree
2 Disagree
+2 6 Votes

As it stands, there is no native method of restricting access to the SWG admin console.

Please consider the below (very basic) ideas:

  • Allow administrators the ability to restrict web console access by IP ranges
  • Make web console access available ONLY via the MGMT port if the "Separate management and inline networks" option is enabled

The second option is the one I get asked about most, and by far the most baffling considering what is implied by the "Separate management and inline networks" option.

Comments

BenDC's picture

Currently the block pages are served by the same application/service as the admin console UI. Blocking access based on network would also end up blocking functionality and information to the user(s) if they are being blocked they would only see a page cannot be displayed type message.

-1
SMLatCST's picture

So separate out the functionality.

This is an idea of what I believe would benefit security of the device.  I was not expecting the idea to be judged on if it could be accomplished easily or not (clearly I've not got any dealings with its development).  I was just hoping someone at Symantec would consider it as a benefit to security and look into it.

+1
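
As an added illustration (not Symantec's code or the SWG's own logic), the separation SMLatCST asks for can be modelled as a request policy that keys on both the source network and the URL path, so that restricting the console to the management network does not break the block pages BenDC mentions. The management CIDR and the URL prefixes are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed values (assumptions): a management LAN standing in for the MGMT port,
# and hypothetical path prefixes for the admin console and the user block pages.
MGMT_NETWORKS = [ip_network("10.0.0.0/24")]
ADMIN_PREFIXES = ("/admin", "/console")
BLOCK_PAGE_PREFIXES = ("/blockpage",)


def classify(path):
    """Return 'admin', 'blockpage' or 'other' for a request path."""
    if path.startswith(ADMIN_PREFIXES):
        return "admin"
    if path.startswith(BLOCK_PAGE_PREFIXES):
        return "blockpage"
    return "other"


def allowed(src_ip, path, separate_mgmt=True):
    """Decide whether a request may reach the shared web service.

    separate_mgmt=True models the "Separate management and inline networks"
    option: console requests are accepted only from MGMT_NETWORKS. Block pages
    are served to every network regardless, so users being blocked still get a
    real block page instead of a connection error. Returns (allowed, reason).
    """
    kind = classify(path)
    if kind == "blockpage":
        return True, "block page is served to all networks"
    if kind == "admin":
        if not separate_mgmt:
            return True, "no management restriction configured"
        src = ip_address(src_ip)
        if any(src in net for net in MGMT_NETWORKS):
            return True, "console request from management network"
        return False, "console request from non-management network"
    return False, "unknown path, default deny"


def audit(records, separate_mgmt=True):
    """Return the (src_ip, path, reason) triples a policy would have denied.

    `records` is an iterable of (src_ip, path) pairs, e.g. constructed from
    access-log lines; the output is what a defender would want to alert on.
    """
    denied = []
    for src_ip, path in records:
        ok, reason = allowed(src_ip, path, separate_mgmt)
        if not ok:
            denied.append((src_ip, path, reason))
    return denied
```

Running `audit` over the constructed pairs `("10.0.0.5", "/admin/login")`, `("192.168.1.20", "/admin/login")` and `("192.168.1.20", "/blockpage?url=x")` flags only the second, which is the console attempt from the inline network.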
TSE-JDavis's picture

Strong passwords is a much better idea. There is no reason to block the Admin UI since they can't do anything without proper credentials.

0
SMLatCST's picture

Credentials are insufficient, as you must already have access to the logon page for this level of protection.  This is a webpage that the CCS-Vulnerability Manager is able to find vulnerabilities in, I might add.

You can hardly argue that a strong password is more secure than preventing access to the logon page at all.  It's like saying a complex lock on a safe is better than preventing access to the safe at all.

To cap it off, this is what I get asked about by customers.  I am not alone in thinking that the security on this security device could be more robust.

+1
Cricket17's picture

I agree with SMLatCST.   Since his idea included the idea of implementing this when deployed using the Separate management and inline network option, it should be an option in that mode.  Even in the single interface mode, certainly the appliance should be able to understand that the traffic is for the device admin GUI and not general network traffic.

I'd also expect some interest in the report of the GUI failing a vulnerability assessment tool.

+1
SMLatCST's picture

Thanks for the support Cricket17.

As you mention it, the thread detailing some of the CCS-VM's detections can be found below, and has not been updated in over a month at time of writing this post.

https://www-secure.symantec.com/connect/forums/swg...

0