Two previous posts talked about the security benefits an appliance gets from the physical configuration, and by leaving stuff out. This one is simpler, and talks about the security benefits of knowing what's "on the box."
When an appliance leaves the factory, one of the last steps of the manufacturing process it to install the right firmware on it. The word firmware is a better term than software because it typically includes data, low-level chip controllers and device drivers, and so on. In addition to the technical reasons, it's also a more properly-evocative term of what's installed: a special-purpose monolithic image, as opposed to software running on some server.
The firmware can include a decryption key, and a certificate. When an administrator downloads and installs an update, the existing firmware will check the signature and decrypt the image. (Not necessarily in that order.) The fact that the firmware is encrypted allows the vendor to put it in a reasonably-public web site such as a download support site. Verifying the signature, and using the certificate to verify the signer's credentials, allows the existing firmware to "know" that the new install is authentic (comes from the same source), and unmodified.
Those simple mechanisms allow us to maintain a chain of trust -- we
always know exactly what is installed, and are sure of its provenance.
The firmware can also include a signed manifest, that enumerates every file on the appliance, and its digest value. This allows verification of the running image and supporting files, against accidental damage. It is not a full-strength protection against someone installing a corrupt operating system in an adversary's hardware, but the form-factor should prevent that. This shows how multiple security features interact to provide stronger security.
Security, Middleware, Appliances
From archive: July 2011 X