speak and you often have to dig to get that information out. Here is an example of a security
developer (SD) and a streetwise potential customer (PC) having a conversation about their remote
device management software and its advertised security:
SD: We have an incredible remote device management solution that is completely secure and no one
anywhere has anything like it.
PC: What security does it use?
SD: Web Services on top of SSL/TLS
PC: How does the device know that it is talking to your management station?
SD: We use SSL
PC: How does the device know that it is talking to your management station?
SD: Um… We use Digital Certificates?
PC: Ah! So my device needs a trusted CA certificate, trusted access to a real time clock, trusted
access to a Domain Name Server, and trusted access to a Lightweight Directory Access Protocol
Server or Hyper-Text Transmission Protocol server for the Certificate Revocation List or trusted
access to an Online Certificate Status Protocol server.
SD: Um…
PC: Well, I’m assuming the device needs to verify that the management station’s certificate is valid.
I mean it has to make sure the certificate hasn’t expired, it has to make sure that the management
station’s name and network address match, it has to make sure that the certificate hasn’t been
revoked, it has to make sure that the certificate is being used according to its certificate purpose and
so on. The device does do this, doesn’t it?
SD: Um… Yes.
PC: How do these things get configured on the device?
SD: Oh, that’s easy – the management station does it automatically!
PC: Don’t we have a chicken-egg problem here? I mean how does the device know that the
management station is really the management station if the management station has to configure the
things that would prove to the device that it is the management station?
SD: Um… I believe you can configure them manually as well.
PC: Oh – that means I’ll have to have a trusted administrator configure them with a trusted laptop on
a trusted network. I guess we can do that. My device setup is outsourced, but none of these settings
really undermines my network security, so I don’t mind providing them to my outsourcer. So, the
device has determined it is talking to a trusted management station, how does the management
station know that it is talking to a trusted device?
SD: We use a proprietary Web Service and keep our Web Services Device Language secret.
PC: Well, that is okay I guess, assuming no one ever figures it out and posts it to the Internet. How
do you prevent from even establishing a connection to an untrusted device?
SD: We use SSL.
PC: Yes, we established that. Are you requiring the device to have a digital certificate?
SD: Oh yes!
PC: Ah! So my management server needs a trusted CA certificate, trusted access to a real time
clock, trusted access to a Domain Name Server, and trusted access to a Lightweight Directory Access
Protocol Server or Hyper-Text Transmission Protocol server for the Certificate Revocation List or
trusted access to an Online Certificate Status Protocol server.
SD: Um…
PC: Well, I’m assuming the management station needs to verify that the device’s certificate is valid.
I mean it has to make sure the certificate hasn’t expired, it has to make sure that the device name and
IP address match, it has to make sure that the certificate hasn’t been revoked, it has to make sure that
the certificate is being used according to its certificate purpose and so on. The management station
does do this, doesn’t it?
SD: Um… Yes.
PC: How does the device get a digital certificate?
SD: Oh, that’s easy – the management station does it automatically!
PC: Don’t we have a chicken-egg problem here? I mean how does the management station know
that the device is really the device if the management station has to configure the things on the
device that would prove to the management station that it is a trusted device?
SD: Um… I believe you can configure the digital certificate manually as well.
PC: Oh – that means I’ll have to have the outsourcer do more configuring. Unfortunately, to assign
the device a certificate, I’ll have to give my outsourcer access to my Certificate Authority – a definite
“no-no”. I’ll just have to wait until the device is on my network to assign a trusted certificate.
SD: Um… Okay.