Bad Architecture Diagrams: N-Tier, where N is an imaginary number
A lot of security work is based on understanding architecture design, and how systems interact. To that end, I ask for diagrams - and I typically receive the diagrams that vendors include in their documentation. Much to my chagrin, they often look like this recent example.
What's missing here? A lot.
I normally look for:
- Directionality of traffic - which system initiates a connection, and to which other system(s).
- Ports and protocols - at least a destination port or range of ports, and details on which ports are TCP and which are UDP.
- Real tiering, and the ability to separate functions - a favorite question for vendors is "in your claim of an n-tier architecture, what values of N do you mean?" Often, you'll find that the system hasn't been tested with a true 3 tier model, or that the vendor recommends a monolithic installation.
- Administrative interfaces - How do you control the system?
What's the worst architecture diagram you've seen recently?
No comments:
Post a Comment