FireEye shows that even security products can have security holes
You shouldn’t have blind faith in anything you allow onto your network, and that includes security appliances. This was made amply clear to me a few years back, when a vendor of an email security appliance tried to convince me (as the CTO of a small company) to team up and help sell the appliance. I had our engineering team test the appliance, just as we would any product we were considering using or supporting. The team quickly found that the appliance was running an older SSH daemon that had known vulnerabilities. I notified the appliance team, and they sent back a “fixed”version that failed a second test a few days later. Needless to say, our partnership never happened.
In the FireEye vulnerability, the Apache network service was itself running as root, and there was a vulnerable PHP script that could be exploited, resulting in the attacker being able to attain root privileges on an affected system. That’s not good, but I don’t think it’s any worse for having been overlooked by a security vendor. Security will always fall short of perfection, as my personal mantra makes plain: There ain’t a horse that can’t be rode, and there ain’t a man that can’t be throwed.
And, yes, that applies to security products the same as it does to servers, applications and all the other things we allow on our networks. Here are a few things to bear in mind, in no particular order:
Security appliances offer plenty of value. Since the FireEye incident, some in the security community have suggested we should ban them from our networks. That’s just silly. We should continue to use them, but proceed with caution. And don’t ever assume that a security product is more secure than any other type of product.
With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Deptartment of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.