
SWG Console access restriction

Created: 23 Jul 2012 | 6 comments
SMLatCST
4 Agree, 2 Disagree (+2, 6 votes)

As it stands, there is no native method of restricting access to the SWG admin console.

Please consider the below (very basic) ideas:

  • Allow administrators the ability to restrict web console access by IP ranges
  • Make web console access available ONLY via the MGMT port if the "Separate management and inline networks" option is enabled

The second option is the one I get asked about most, and by far the most baffling considering what is implied by the "Separate management and inline networks" option.


BenDC

Currently the block pages are served by the same application/service as the admin console UI. Blocking access based on network would also end up blocking functionality and information to the user(s): if they are being blocked, they would only see a "page cannot be displayed" type message.

-1
SMLatCST

So separate out the functionality.

This is an idea of what I believe would benefit security of the device. I was not expecting the idea to be judged on whether it could be accomplished easily or not (clearly I've not got any dealings with its development). I was just hoping someone at Symantec would consider it as a benefit to security and look into it.

+1
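As an added illustration (not SWG's own code, nor anything posted in this thread) of the two ideas in the original post and of BenDC's objection above, the filter below keeps the end-user block page reachable on the inline side while answering admin console requests only on the MGMT interface and only from allowlisted source ranges. The interface names, URL prefixes and address ranges are assumptions constructed for the example.

```python
# Added example, not SWG code: separate "block page" traffic from admin
# console traffic so the console can be restricted without breaking block
# pages. Interface names, URL prefixes and ranges below are assumptions.
import ipaddress
from dataclasses import dataclass

# Assumed URL prefixes: pages shown to filtered users vs. the admin UI.
BLOCK_PAGE_PREFIXES = ("/blockpage/",)
ADMIN_PREFIXES = ("/admin/", "/login")


@dataclass(frozen=True)
class Policy:
    separate_mgmt: bool   # the "Separate management and inline networks" option
    mgmt_iface: str       # interface name of the MGMT port (assumed)
    admin_allowed: tuple  # IP networks allowed to reach the console


def parse_ranges(ranges):
    """Turn CIDR strings into network objects (host bits tolerated)."""
    return tuple(ipaddress.ip_network(r, strict=False) for r in ranges)


def decide(path, client_ip, ingress_iface, policy):
    """Return 'serve', 'admin' or 'deny' for one request."""
    if path.startswith(BLOCK_PAGE_PREFIXES):
        return "serve"          # block pages stay reachable from the inline side
    if not path.startswith(ADMIN_PREFIXES):
        return "serve"          # ordinary content, not the console
    if policy.separate_mgmt and ingress_iface != policy.mgmt_iface:
        return "deny"           # console never answers on the inline interface
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in net for net in policy.admin_allowed):
        return "deny"           # source outside the admin allowlist
    return "admin"


POLICY = Policy(separate_mgmt=True, mgmt_iface="eth0",
                admin_allowed=parse_ranges(["10.10.0.0/24", "192.0.2.10/32"]))

# Constructed sample requests: (path, client IP, ingress interface).
SAMPLE_REQUESTS = [
    ("/blockpage/?url=example", "172.16.5.20", "eth1"),  # filtered user, inline
    ("/login", "172.16.5.20", "eth1"),                   # console probe, inline
    ("/admin/users", "10.10.0.15", "eth0"),              # admin on MGMT port
    ("/admin/users", "198.51.100.7", "eth0"),            # MGMT port, wrong source
]


def evaluate(requests, policy=POLICY):
    """Apply the policy to each request and return the decisions in order."""
    return [decide(p, ip, iface, policy) for p, ip, iface in requests]
```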
TSE-JDavis

Strong passwords are a much better idea. There is no reason to block the Admin UI since they can't do anything without proper credentials.

0
SMLatCST

Credentials are insufficient, as you must already have access to the logon page for this level of protection. This is a webpage that the CCS-Vulnerability Manager is able to find vulnerabilities in, I might add.

You can hardly argue that a strong password is more secure than preventing access to the logon page at all. It's like saying a complex lock on a safe is better than preventing access to the safe at all.

To cap it off, this is what I get asked about by customers. I am not alone in thinking that the security on this security device could be more robust.

+1
Cricket17

I agree with SMLatCST. Since this idea included the idea of implementing this when deployed using the Separate management and inline network option, it should be an option in that mode. Even in the single interface mode, certainly the appliance should be able to understand that the traffic is for the device admin GUI and not general network traffic.

I'd also expect some interest in the report of the GUI failing a vulnerability assessment tool.

+1
SMLatCST

Thanks for the support Cricket17.

As you mention it, the thread detailing some of the CCS-VM's detections can be found below, and has not been updated in over a month at the time of writing this post.

https://www-secure.symantec.com/connect/forums/swg...

0