When a brand-new, out-of-the-box Sophos UTM appliance is started up, it generates a variety of "random" keys, certificates, and passwords. I have looked at them, and they differ from the keys on a software UTM that I have running at home. (Yeah, I know that is not saying much.) The keys, etc. appear to be random, but I have not run any tests of randomness on them.
Here is my question, which may not be easily answered by anyone in this forum, unless they are privy to Sophos design internals:
How does Sophos seed each newly minted UTM appliance before they ship it to the end customer? In other words, how does Sophos ensure that each appliance's random numbers are truly random and start out widely separate and independent from all other Sophos UTM appliances?
Has anyone inquired into this aspect of UTM security? It is a big job to replace all the keys, certificates, and self-generated passwords in the UTM. Can we trust the randomness of the initial installation and setup?
This thread was automatically locked due to age.
Guest User!
You are not Sophos Staff.
