Security Audit of SolarWinds

Question

Has anyone done any in-depth security analysis of SolarWinds? I notice it's vulnerable to XSS (search for an interface/node and enter: ). Also, is there anyway of restricting views, as well as nodes/interfaces, etc. We want to expose pages to customers via a portal. We can prevent them seeing each others detailed node/interface pages, but we also want to stop them seeing who the other customers are, unfortunately, if we want a map per customer, any customer visiting solarwinds/.../AllMaps.aspx will be able to get a nice list of all our customers :( . Our solution may involve creating a list of accepted URL's per customer and let the juniper in front of the SW box apply filters based on customers, but this is a bit of a pain! - Grant.

Miron · Answer

Hi,

I remember a while ago asking if any one had had there installation pen tested, dont think I got any response at the time. We are considering having ours externally tested in the near future, however I am concerned that there is much to do with regards to creating a robust base secure platform for all the orion modules npm and specfically NCM.

I would hope to see in version 11, a lot of work to create a great secure core product including role based levels of access, work flows with approvals, auditing, chinese walls - before adding tons on additional functionality. If anyone uses a typical blackbox appliance like infoblox, bluecat etc these products have good granularity of control over groups or individual objects. Obviously im aware this is not a black box product, but I hold hope.

Maybe I harp on a bit but as I have said before I think that the SW products (as good as they are) have always been developed as a tool primarily for operations staff within single management trust structure and thus does not lend itself to easily be accessed by multiple entities of with a variety of trust or responsibility levels exist.

Miron

FormerMember · Answer

assuming you have citrix of course....

FormerMember · Answer

best bet is to hide the URL bar, so publish internet explorer with tons of controlls limited, so all you get is the content...   should let you give access to customers without any risk