Tuesday, January 16, 2018

Splunk Management Port

The Splunk management port 8089 has come up repeatedly in enterprise-wide security scans. I understand the security team's concerns: this port runs HTTPS with a self-signed certificate, which is a big no-no for any IT person who is even slightly security conscious.

A self-signed TLS certificate is not a security threat in and of itself. The main weakness is that, unless the signing Certificate Authority is known to the clients connecting to the port, those clients have no way to verify the certificate and are left to trust it blindly, which leaves the connection open to man-in-the-middle attacks.

To make a self-signed certificate as secure as one signed by a public CA, Splunk just needs to verify the self-signed cert against the signing CA cert. Better yet, mutual authentication may be performed on these connections, so that the server also verifies a certificate presented by the client. However, that also means much stricter management of these certs.

My organization's security team suggested that we get third-party signed certificates for all the Splunk forwarders, which means we would need to obtain hundreds of certificates. That number could potentially grow to over a thousand or two. We are part of a large university with the benefit of largely self-administered certificate signing. But managing such a number of certificates is still a pretty big task unless the entire workflow of certificate creation, signing and renewal can be automated.

One remedy is to disable the port on all Splunk installations where it is not absolutely needed. In practice that means all the Universal Forwarders, whose main purpose is to collect data and forward it to the indexers. However, port 8089 is labeled a management port: access to Splunk's REST APIs goes through it. Disabling it means apps that depend on the REST APIs, such as the UFMA app, may not function as designed.
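As an added illustration (not from the original post) of what the two options above look like in practice, here are the server.conf settings for verifying the management-port certificate against the signing CA and requiring client certificates, and the stanza that turns the management port off on a forwarder that does not need it. The certificate paths are placeholders, and the settings are shown as documented in Splunk's server.conf, not taken from any particular deployment.

```ini
# Added example, not from the original post. Paths are placeholders.
# server.conf on an instance that must keep port 8089 open (indexer,
# search head, deployment server).

[sslConfig]
# Certificate presented on the management port: PEM file holding the
# server cert and its private key (set sslPassword if the key is encrypted).
serverCert = /opt/splunk/etc/auth/mycerts/splunk-server.pem
# CA that signed the server and client certs. Distributing this file to
# every peer is what lets them verify the cert instead of trusting it
# blindly, which is the man-in-the-middle concern above.
sslRootCAPath = /opt/splunk/etc/auth/mycerts/ca.pem
# Verify the remote side's cert against sslRootCAPath when this instance
# connects out over the management port (distributed search, deployment).
sslVerifyServerCert = true
# Mutual authentication: only accept clients that present a cert signed
# by the same CA. Every forwarder or app hitting the REST API now needs
# its own cert, which is the certificate-management burden discussed above.
requireClientCert = true

# server.conf on a Universal Forwarder that only collects and forwards
# data: do not open the management port at all. Note that anything
# relying on the forwarder's REST API stops working.
[httpServer]
disableDefaultPort = true
```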

The management port obviously exists for a reason. Beyond the REST API, do we lose any other functionality if we have to disable the port?
