In a message written on Mon, Nov 28, 2016 at 01:10:29PM -0500, Jared Mauch wrote:
> My experiences say that most people would accept this. Things like IT are a cost, and any way to externalize that cost makes sense. If you look at something like a SMB service, where you have mandatory NID or provider-managed CPE/handoff, having a solution pre-built seems like a no-brainer.
Historically, I agree. However, I sense the winds are changing on this issue. Various auditors and certification schemes have changed over the past 2-3 years to be much more skeptical of these sorts of devices. They want to see "endpoint security" (AV and/or fingerprinting) on all devices. To the extent these "appliance" VMs are standard OSes (often CentOS), they are more insistent it should be possible. Where it is not possible, they want to see severe network quarantine, for instance per-host firewalls to lock down the devices. I'm not sure why the OP was asking, but if they are developing a new product of this type, I might suggest they consider their response to a customer who says they need endpoint security on it before building it.

-- 
Leo Bicknell - bicknell@ufp.org
PGP keys at http://www.ufp.org/~bicknell/