Post by hlan on May 23, 2010 5:17:10 GMT 7
Assign a Security Consultant across the product range to advice about information security concerns in design, integration and documentation. Provide high levels of security for all access from the Internet, but also include Intranet for small businesses appliances onward. Some review points for N2200:
- Provide more information in the log file: When experimenting with the web server I discovered through the firewall (and the web server log that I had enabled myself) regular visitors from China and Korea. If it was for the N2200 log file I would not have seen anything.
- Access control to certain applications, e.g. FTP
- FTP passive port range
- Protect Admin account against password guessing. Disable (temporarily) after a number of unsuccessful login attempts. Allow to specify one or several trusted IP addresses for which this mechanism is not applicable.
- Different access screens for applications: It is not necessary that opening the firewall for somebody going to the Photo Server also gives access to the login screen for admin and Web Disk.
- Mutual authentication application: Integrate opensll. Provide GUI for (1) creating own CA, load the server certificate files into their respective folder, restart Apache; and (2) create and/or revoke web browser certificates for users. Having a openssl module would be really “cool”.
- Documentation: For all applications that can get accessed from the Internet explain about risks, access control and monitoring.
At some point in time security has to be addressed coherently, so better be the first company doing this, thus positively differentiating from the competition. Offering state-of-the-art security is an additional USP. Us, the users, are not experts in IT security and because nobody wants to expose personal data, or have the appliance hijacked in some form, it is important that the device builder designs in Security.
- Provide more information in the log file: When experimenting with the web server I discovered through the firewall (and the web server log that I had enabled myself) regular visitors from China and Korea. If it was for the N2200 log file I would not have seen anything.
- Access control to certain applications, e.g. FTP
- FTP passive port range
- Protect Admin account against password guessing. Disable (temporarily) after a number of unsuccessful login attempts. Allow to specify one or several trusted IP addresses for which this mechanism is not applicable.
- Different access screens for applications: It is not necessary that opening the firewall for somebody going to the Photo Server also gives access to the login screen for admin and Web Disk.
- Mutual authentication application: Integrate opensll. Provide GUI for (1) creating own CA, load the server certificate files into their respective folder, restart Apache; and (2) create and/or revoke web browser certificates for users. Having a openssl module would be really “cool”.
- Documentation: For all applications that can get accessed from the Internet explain about risks, access control and monitoring.
At some point in time security has to be addressed coherently, so better be the first company doing this, thus positively differentiating from the competition. Offering state-of-the-art security is an additional USP. Us, the users, are not experts in IT security and because nobody wants to expose personal data, or have the appliance hijacked in some form, it is important that the device builder designs in Security.