Whirlpool Spins New Address Scheme

New DNS address management tools help appliance maker wash away previous security woes

A year ago, the most frequent cause of network problems at Whirlpool wasn't hackers or disgruntled insiders. It was fat-fingered local network administrators.

"The problems were almost purely accidental," recalls Greg Fisbeck, lead network engineer for the appliance giant, which operates a global network of some 80,000 endpoints, including the Maytag business acquired last year.

"Some administrator would put in an extraneous character, or put a space in the middle of a host name, and the next thing you know, they'd bring down a whole [address] zone. And here in the data center, nobody knew about it until people started calling in to say they couldn't get into Whirlpool.com."

The problem, Fisbeck explains, was the company's address management system. The old system required a good deal of manual configuration, and many of the local administrators weren't familiar with the conventions of IP addressing. Worse, the old system didn't allow Whirlpool to restrict administrator access -- once they were in the system, untrained admins could make changes that might unintentionally affect whole address zones.

Whirlpool had been considering the purchase of a new IP address management system for years, but the functionality of earlier systems was limited, and it was difficult to explain the value of a DNS/DHCP administration tool to top-level managers who weren't familiar with addressing technology, Fisbeck recalls.

Then, in 2006, the stars began to align. Whirlpool acquired Maytag -- and all its IP addresses -- which made it easier to create a business case for an overarching management system. And Bluecat Networks was nearing completion of its Proteus 2.0 IP Address Management (IPAM) and Adonis 5.0 DNS/DHCP appliance lines, which answered many of Whirlpool's concerns about earlier address management systems.

With Proteus and Adonis, Whirlpool can now restrict administrators' access to addressing functions, so that they can make changes only to their own domains. Instead of several different systems, administrators make changes only in one central system, which reduces the likelihood of a mistake that takes down a whole zone of addresses. And the new systems offer templates for IP addressing, reducing the chances that an administrator will use the wrong format.
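The two controls described above, a format template that rejects malformed records before they reach a zone and a per-administrator scope that limits which zones an admin may edit, can be modelled as a small pre-commit check. The following is an added example written for this article; it is not BlueCat's code, and the zone names, administrator names and delegation table are constructed for illustration.

```python
"""Pre-commit validation for DNS zone changes (added example, not BlueCat's code).

Models two of the controls discussed in the article:
  1. a format template: reject host names with stray characters or embedded
     spaces, and reject addresses that do not fit the record type, before
     the change is committed to the zone;
  2. a delegation scope: an administrator may only change records at or
     below the zones delegated to them.
"""
import ipaddress
import re
from dataclasses import dataclass

# RFC 1123 host label: 1-63 characters, letters/digits/hyphen,
# no leading or trailing hyphen.  A space or other stray character fails.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed delegation table (hypothetical names): admin -> editable zones.
DELEGATIONS = {
    "alice": {"plant1.example.com"},
    "bob": {"corp.example.com", "plant2.example.com"},
}


@dataclass(frozen=True)
class RecordChange:
    admin: str   # who submitted the change
    fqdn: str    # owner name, e.g. "web01.plant1.example.com."
    rtype: str   # "A" or "AAAA"
    value: str   # address to publish


def hostname_errors(fqdn):
    """Return a list of format problems; an empty list means the name is well formed."""
    errors = []
    if len(fqdn) > 253:
        errors.append("name longer than 253 characters")
    if " " in fqdn:
        errors.append("whitespace inside host name")
    labels = fqdn.rstrip(".").split(".")
    if len(labels) < 2:
        errors.append("not a fully qualified name")
    for label in labels:  # an empty label (from "..") also fails here
        if not LABEL_RE.match(label):
            errors.append("bad label %r" % label)
    return errors


def address_errors(rtype, value):
    """Check that the value is an IP address of the family the record type needs."""
    if rtype not in ("A", "AAAA"):
        return ["unsupported record type %s" % rtype]
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return ["%r is not a valid IP address" % value]
    if rtype == "A" and addr.version != 4:
        return ["A record needs an IPv4 address"]
    if rtype == "AAAA" and addr.version != 6:
        return ["AAAA record needs an IPv6 address"]
    return []


def in_scope(admin, fqdn):
    """True if fqdn is at or below a zone delegated to admin."""
    name = fqdn.rstrip(".").lower()
    for zone in DELEGATIONS.get(admin, ()):
        # Require a label boundary so "evilplant1.example.com" does not
        # match the delegation for "plant1.example.com".
        if name == zone or name.endswith("." + zone):
            return True
    return False


def check_change(change):
    """Run all checks; returns (accepted, list_of_errors)."""
    errors = hostname_errors(change.fqdn) + address_errors(change.rtype, change.value)
    if not in_scope(change.admin, change.fqdn):
        errors.append("%s is not delegated %s" % (change.admin, change.fqdn))
    return (not errors, errors)


def lint_batch(changes):
    """Return {index: errors} for every change that must not be committed."""
    rejected = {}
    for i, change in enumerate(changes):
        ok, errors = check_change(change)
        if not ok:
            rejected[i] = errors
    return rejected


if __name__ == "__main__":
    # Constructed sample batch: one good change and the failure modes from the article.
    batch = [
        RecordChange("alice", "web01.plant1.example.com.", "A", "10.1.2.3"),
        RecordChange("alice", "web 01.plant1.example.com.", "A", "10.1.2.3"),  # space in name
        RecordChange("alice", "web01.corp.example.com.", "A", "10.0.0.1"),     # outside scope
        RecordChange("bob", "db01.corp.example.com.", "A", "10.0.0.999"),      # bad address
    ]
    for idx, errs in lint_batch(batch).items():
        print("change %d rejected: %s" % (idx, "; ".join(errs)))
```

The point of running such a check centrally, rather than trusting each local administrator's editor, is that a single malformed record is refused at submission time instead of being loaded into a zone where it can stop the whole zone from serving.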

"With Proteus and Adonis, we've really reduced the chances of an administrator creating problems by accident," Fisbeck says.

The new appliances may also help Whirlpool avoid problems created by targeted attacks, Fisbeck says. For example, the Bluecat technology can manage heavy address requests created by a denial-of-service attack, and it can help Whirlpool's security team identify and quarantine bogus requests.

Fisbeck wouldn't say how much Whirlpool spent on the installation. Pricing for Adonis starts at $2,995; Proteus is $29,995. Whirlpool has five Adonis units in service and one Proteus.

Over the longer term, Whirlpool may also use Proteus and Adonis to help implement network admission control (NAC) at its endpoints. "Proteus has the ability to authenticate a user before we give them a permanent IP address, which would be one of the steps we need to take for NAC," Fisbeck says. The company still isn't completely sold on NAC, but the Bluecat products will allow Whirlpool to do some trials and test it out, he says.

In the meantime, Whirlpool is deploying Proteus and Adonis across its network, and expects to complete that deployment by the end of this month. "We think it's going to help a lot," Fisbeck says. "We won't have to worry anymore about losing a zone just because someone made a typo."

— Tim Wilson, Site Editor, Dark Reading
