Recent vulnerabilities in F5 Big-IP, as well as Cisco ASA and FirePower appliances have highlighted the importance of protecting your network appliances from threats, as well as endpoints and servers. Both vulnerabilities are extremely dangerous and can be exploited remotely with no authentication. The F5 vulnerability is particularly bad and has been given the highest possible CVSS rating of 10, as it allows remote code execution.
Whilst the leading edge of network design and system architecture has a tendency to move towards cloud services and virtualisation of the features we used to use network appliances for, the number of these appliances embedded in enterprise networks is vast. It’s easy to forget about maintaining these workhorses as they can run for years without downtime, and they are often critical to core services, so downtime windows for patching can be hard to come by.
I see plenty of enterprise clients whose strategy is to move to the cloud, but years down the line, they still have data centres stuffed with load balancers, firewalls, routers and other bits of network kit. They are so often excluded from the scope of security testing that it can be difficult to adequately assess the impact that they have on the attack surface of a network. Some appliances are critical to the delivery of remote working solutions, and so have become more important than they were before.
Other vulnerabilities will undoubtedly turn up in other network components, so it’s a good idea to revisit your security strategy around them. Firstly it’s important to keep an inventory of your network appliances, the services running on them, and the software version they are running. This helps to ensure that you can find out at a glance whether your current software is susceptible to newly announced vulnerabilities (or whether you’ve got the vulnerable service turned off). You should also have a regular downtime window available for patching appliances as new software versions come out. Typically I don’t recommend updating software on appliances as a matter of course unless the new version fixes a vulnerability or provides some new functionality that you need, however, your strategy may differ depending on how important service uptime is. Just remember; new software versions often introduce new bugs as well as fixing old ones!
Sometimes you can’t patch, in which case you may need to implement mitigating controls, detection or both. If you can’t patch, then hopefully your architecture will have good segmentation controls in place to prevent a successful attacker getting very far.
One final piece of advice: don’t blindly run exploits on your infrastructure to test whether you’re vulnerable.