Hacker News

"Device telemetry collects data about your next-generation firewall or Panorama and shares it with Palo Alto Networks by uploading the data to Cortex Data Lake. This data is used to power telemetry apps, which are cloud-based applications that make it easy to monitor and manage your next-generation firewalls and Panoramas."

This is an eyebrow raising feature, and one I hope that I would have had the foresight to disable.



There's nothing eyebrow-raising about the feature itself. It's off by default, lets you control which kinds of data you share if you choose to share data at all, and is mainly used for basic operations (e.g. tracking CPU load, concurrent sessions, and other relevant metrics over time).


I'm not entirely comfortable with a security device streaming telemetry to a third party. The kind of metrics that you're thinking of have historically been made available on management interfaces via SNMP OIDs assigned to the manufacturer.

Personally I'd much prefer to poll the device myself and keep those metrics in-house. This may seem like an antiquated way of managing network devices, but SNMP is a well understood, interoperable, standards-based protocol without vendor lock-in.

Furthermore, as we've seen, features like these expose a larger attack surface on the device. My primary worry would have been around it being used somehow in a data exfiltration scheme, but a root-level compromise of the device is the worst possible outcome.
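The in-house polling the comment above prefers, as an added example that is not from the thread or from any vendor: a small SNMPv2c GET client written on the Python standard library, so the metrics never leave the management network. sysUpTime.0 is the standard MIB-II object; the community string "public", the host argument and the sample agent reply are constructed for the example. The parser refuses replies whose request-id or OID differ from what was sent, which is the minimum a collector should check before trusting a number. SNMPv2c carries the community string in cleartext, so a production collector would use SNMPv3 with authentication and privacy; v2c is shown here because its wire format is short enough to encode in full.

```python
# Added example: minimal SNMPv2c GET poller on the standard library only.
import random
import socket

SYS_UPTIME_OID = "1.3.6.1.2.1.1.3.0"  # sysUpTime.0, standard MIB-II
INT_TAGS = {0x02, 0x41, 0x42, 0x43, 0x46}  # INTEGER, Counter32, Gauge32, TimeTicks, Counter64

def _ber_length(n: int) -> bytes:
    """BER length: one byte below 128, else 0x80|count then the big-endian length."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(payload)) + payload

def ber_int(value: int) -> bytes:
    """BER INTEGER for a non-negative value, minimal two's-complement encoding."""
    if value == 0:
        return _tlv(0x02, b"\x00")
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def ber_oid(dotted: str) -> bytes:
    """BER OID: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(p) for p in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def _snmp_message(pdu_tag: int, community: str, request_id: int, oid: str, value_tlv: bytes) -> bytes:
    """SEQUENCE { version=1, community, PDU { request-id, error-status, error-index, varbinds } }."""
    varbind = _tlv(0x30, ber_oid(oid) + value_tlv)
    pdu = _tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, ber_int(1) + _tlv(0x04, community.encode()) + pdu)

def build_get_request(community: str, oid: str, request_id: int) -> bytes:
    """GetRequest-PDU (tag 0xA0) with one varbind whose value is NULL."""
    return _snmp_message(0xA0, community, request_id, oid, b"\x05\x00")

def _read_tlv(buf: bytes, pos: int):
    """Decode one TLV at buf[pos]; returns (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length

def parse_get_response(data: bytes, request_id: int, oid: str) -> int:
    """Return the integer value from a GetResponse, rejecting replies that do not match our request."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, pos = _read_tlv(msg, 0)
    _, _community, pos = _read_tlv(msg, pos)
    tag, pdu, _ = _read_tlv(msg, pos)
    if tag != 0xA2:
        raise ValueError("expected a GetResponse PDU")
    _, rid, pos = _read_tlv(pdu, 0)
    if int.from_bytes(rid, "big", signed=True) != request_id:
        raise ValueError("request-id mismatch: stale or unsolicited reply")
    _, err, pos = _read_tlv(pdu, pos)
    if any(err):
        raise ValueError(f"agent returned error-status {int.from_bytes(err, 'big')}")
    _, _index, pos = _read_tlv(pdu, pos)
    _, vblist, _ = _read_tlv(pdu, pos)
    _, vb, _ = _read_tlv(vblist, 0)
    oid_tag, oid_bytes, pos = _read_tlv(vb, 0)
    if _tlv(oid_tag, oid_bytes) != ber_oid(oid):
        raise ValueError("reply carries a different OID than the one requested")
    vtag, vbytes, _ = _read_tlv(vb, pos)
    if vtag not in INT_TAGS:
        raise ValueError(f"unsupported value type 0x{vtag:02x}")
    return int.from_bytes(vbytes, "big", signed=(vtag == 0x02))

def poll(host: str, community: str, oid: str = SYS_UPTIME_OID, timeout: float = 2.0) -> int:
    """One GET over UDP/161 against a device you operate (network I/O, not exercised offline)."""
    request_id = random.randint(1, 0x7FFFFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_get_request(community, oid, request_id), (host, 161))
        data, _ = sock.recvfrom(4096)
    return parse_get_response(data, request_id, oid)

def sample_get_response(request_id: int, uptime_ticks: int) -> bytes:
    """Constructed agent reply (not captured from any real device) so the parser runs offline."""
    ticks = uptime_ticks.to_bytes(max(1, (uptime_ticks.bit_length() + 7) // 8), "big")
    return _snmp_message(0xA2, "public", request_id, SYS_UPTIME_OID, _tlv(0x43, ticks))

if __name__ == "__main__":
    print(build_get_request("public", SYS_UPTIME_OID, 1).hex())
    print(parse_get_response(sample_get_response(1, 123456), 1, SYS_UPTIME_OID))  # 123456
```

Run as-is it prints the 40-byte request that any snmpget for sysUpTime.0 produces, then decodes the constructed reply; point `poll()` at a device whose agent you administer to read the same counter over the management interface.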


It does literally everything you're asking for though? The data is also kept on-device. SNMP is there. Log aggregators and log forwarding are there. Rolling up to a centralized controller is there. The vendor data lake is just one more option.

To be clear, this is a VPN interface that has to handle incoming connection requests and traffic. Exploits are super common here. The command injection happens to only work when telemetry is also enabled, for reasons I haven't seen explained yet, but it could just as easily have been SNMP.


Disable? This is the type of thing that enterprises make the conscious effort to pay for a higher tier license and enable.


Telemetry is pretty much the norm for XDR. The problem is all this stuff is cloud and not on-prem. Wazuh is great for on-prem, but the proliferation of SaaS, etc., makes it extremely difficult to keep a handle on everything.


My feeling is that Wazuh is of little use to anyone besides those aiming to please security auditors, for whom it provides file integrity monitoring and other 20th century best practices that predate our modern world of virtualized short-lived servers.


I primarily use it as a tool to aggregate logs, alerts, and to proactively audit configurations.

It's great at finding people who can't remember passwords or misbehaving services or software.
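The "people who can't remember passwords" case from the comment above, as an added example that is not the commenter's code and not a Wazuh rule: a small Python classifier run over constructed OpenSSH auth lines (the host name, users and addresses are made up). A run of failures followed by a success from the same source is reported as a forgotten password; a source that fails against several distinct accounts and never succeeds is reported separately for review, since that pattern is what a log aggregator exists to surface.

```python
# Added example: classify SSH auth failures from syslog-style sshd lines.
import re
from collections import defaultdict
from datetime import datetime

# Matches the OpenSSH "Failed/Accepted ... for [invalid user] X from Y" shape.
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample log; none of these hosts, users or addresses are real.
SAMPLE_LOG = """\
Apr 12 09:01:10 fw-mgmt sshd[2101]: Failed password for alice from 10.0.5.12 port 50211 ssh2
Apr 12 09:01:14 fw-mgmt sshd[2101]: Failed password for alice from 10.0.5.12 port 50211 ssh2
Apr 12 09:01:19 fw-mgmt sshd[2101]: Failed password for alice from 10.0.5.12 port 50211 ssh2
Apr 12 09:01:25 fw-mgmt sshd[2101]: Accepted password for alice from 10.0.5.12 port 50211 ssh2
Apr 12 09:02:02 fw-mgmt sshd[2130]: Failed password for invalid user admin from 203.0.113.7 port 41100 ssh2
Apr 12 09:02:05 fw-mgmt sshd[2131]: Failed password for root from 203.0.113.7 port 41102 ssh2
Apr 12 09:02:09 fw-mgmt sshd[2132]: Failed password for invalid user oracle from 203.0.113.7 port 41105 ssh2
Apr 12 09:05:00 fw-mgmt sshd[2140]: Accepted publickey for backup from 10.0.5.30 port 40001 ssh2
Apr 12 09:05:01 fw-mgmt sshd[2140]: pam_unix(sshd:session): session opened for user backup by (uid=0)
"""

def parse_events(text: str):
    """Yield (timestamp, succeeded, user, source) for every auth line the regex understands."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # session/pam chatter and anything else the parser does not model
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog has no year; fine for windows
        events.append((ts, m["result"] == "Accepted", m["user"], m["src"]))
    return events

def classify(text: str, threshold: int = 3, window_seconds: int = 600) -> dict:
    """Split failures into forgotten-password users and sources that guess across accounts."""
    events = sorted(parse_events(text))
    fails = defaultdict(list)  # (user, src) -> timestamps of failures not yet followed by success
    forgetful = {}
    for ts, ok, user, src in events:
        key = (user, src)
        if ok:
            recent = [t for t in fails[key] if (ts - t).total_seconds() <= window_seconds]
            if len(recent) >= threshold:
                forgetful[user] = len(recent)  # failures then a success: typo or forgotten password
            fails[key].clear()
        else:
            fails[key].append(ts)
    # A source that failed against two or more distinct accounts and never got in is worth a look.
    users_by_src = defaultdict(set)
    for (user, src), stamps in fails.items():
        if stamps:
            users_by_src[src].add(user)
    suspicious = {src: sorted(users) for src, users in users_by_src.items() if len(users) >= 2}
    return {"forgetful_users": forgetful, "suspicious_sources": suspicious}

if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```

The threshold and window are deliberately parameters: a three-failure run within ten minutes is a reasonable default for interactive logins, while service accounts that authenticate with keys (the `backup` line) never accumulate failures and so never appear in either bucket.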



