undefined | Better HN

0 pointsspudlyo2y ago0 comments

I'm not entirely comfortable with a security device streaming telemetry to a third party. The kind of metrics that you're thinking of have historically been made available on management interfaces via SNMP OIDs assigned to the manufacturer.

Personally I'd much prefer to poll the device myself and keep those metrics in-house. This may seem like an antiquated way of managing network devices, but SNMP is a well understood, interoperable, standards-based protocol without vendor lock-in.

Futhermore, as we've seen, features like these expose a larger attack surface on the device. My primary worry would have been around it being used somehow in a data exfiltration scheme, but a root-level compromise of the device is the worst possible outcome.

0 comments

1 comments · 1 top-level

FreakLegion2y ago

It does literally everything you're asking for though? The data is also kept on-device. SNMP is there. Log aggregators and log forwarding are there. Rolling up to a centralized controller is there. The vendor data lake is just one more option.

To be clear, this is a VPN interface that has to handle incoming connection requests and traffic. Exploits are super common here. The command injection happens to only work when telemetry is also enabled, for reasons I haven't seen explained yet, but it could just as easily have been SNMP.

j / k navigate · click thread line to collapse