Appliance-Based Network Services

Just about anything these days can be sold as an "appliance." The point, from a marketing perspective, is to promote the fact that the system is easy to use and requires little intervention from the operator. Just like your toaster, you just push down the lever and it works.

TIP

I like the appliance model but offer one caveat. If your appliance is really just a Linux box in a fancy case, you haven't solved your system management problem; you've just hidden it under the covers.

Say, for example, you use an appliance firewall that runs on Linux. When the latest Linux security vulnerability is released, will your appliance vendor fix it for you in a timely fashion? Make sure that it will. A large number of appliance products run on general-purpose OSs, even Windows! When you are evaluating an appliance product, find out what is running "under the covers." Then ask your vendor how it deals with security issues in the underlying OS. Appliance products can be real timesavers in systems management, just make sure your expectations are clear.

Some appliances use custom OSs and hardware and can better claim to be an appliance in function (though this doesn't eliminate the security issues because the custom OS can still have problems). These devices have no configurable OS running underneath them. The only user interface is the application configuration. Some devices commonly sold as appliances include the following:

• Network-based web cache
• Firewalls
• NIDS
• Load balancers
• Virtual private network (VPN) gateways
• IP telephony gateways

TIP

One way to find out what a system is running underneath is to watch for a major vulnerability in a common application and then look at the list of vendors affected by it. For example, the Apache web server had a vulnerability described by the Computer Emergency Response Team (CERT): http://www.cert.org/advisories/CA-2002-17.html. In looking through the list of affected vendors, you can see several you wouldn't expect to be running the Apache server. This isn't a bad thing. In fact, I would prefer vendors to use a publicly available and code-reviewed web server rather than build their own. Just be aware that appliances still need fixes, and when you are running an appliance, it might not always be easy to determine if you are affected.