|
Sickening posted: Is it much harder than just having a flat network? Of course. The issue is more in that it requires more effort from your network engineers more so than cost. Quoted for truth.
|
# ? May 11, 2021 16:48 |
|
|
I can't agree more. Proper ACL, no trust IAM, etc. are ultimately more effective than a bunch of VLANs.
|
# ? May 11, 2021 17:05 |
|
Ynglaur posted: I can't agree more. Proper ACL, no trust IAM, etc. are ultimately more effective than a bunch of VLANs. VLANs are not bad, but they are also not security, and most networking teams stop after making them and leave them as one giant flat network, but with multiple DHCP scopes.
|
# ? May 11, 2021 17:19 |
|
encrypt all traffic and let god sort it out
|
# ? May 11, 2021 18:17 |
|
are there people that don't? i can't even access any ports that don't start with a tls clienthello handshake. postgres + tls works, postgres without tls just times out
|
# ? May 11, 2021 18:22 |
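A gate that only admits connections whose first bytes are a TLS ClientHello is easy to describe and slightly fiddly to get right. The block below is an added example, not code from anyone in this thread: it validates the TLS record header and handshake header, and separately recognises PostgreSQL's traditional negotiation, where the client first sends a plaintext 8-byte SSLRequest and only then starts the TLS handshake (a pure "ClientHello first" rule would drop that probe; PostgreSQL 17's `sslnegotiation=direct` sends the ClientHello immediately). The ClientHello builder is there to make constructed sample input; `admit`, `classify_first_bytes` and the `allow_pg_starttls` knob are names chosen for this example.

```python
import struct

TLS_RECORD_HANDSHAKE = 0x16
TLS_HS_CLIENT_HELLO = 0x01
TLS_MAX_RECORD_LEN = 16384          # 2^14, the maximum TLS plaintext record size

# PostgreSQL legacy TLS negotiation: an 8-byte SSLRequest (length 8, code
# 80877103 = 1234<<16 | 5679) is sent in the clear before the TLS handshake.
PG_SSLREQUEST = struct.pack("!II", 8, 80877103)
# A plaintext PostgreSQL StartupMessage starts with length + protocol 3.0.
PG_PROTOCOL_3 = 0x00030000


def looks_like_client_hello(data: bytes) -> bool:
    """True if `data` opens with a TLS record whose first handshake message is a ClientHello.

    Checks the 5-byte record header (type 0x16, version 0x03xx, sane length)
    and the 4-byte handshake header (type 0x01, plausible body length). A
    ClientHello may legitimately span several records, so the handshake
    length is not required to fit inside the first record.
    """
    if len(data) < 9:
        return False
    rec_type, ver_major, ver_minor, rec_len = struct.unpack("!BBBH", data[:5])
    if rec_type != TLS_RECORD_HANDSHAKE or ver_major != 0x03 or ver_minor > 0x04:
        return False
    if rec_len == 0 or rec_len > TLS_MAX_RECORD_LEN:
        return False
    hs_type = data[5]
    hs_len = int.from_bytes(data[6:9], "big")
    # Smallest legal ClientHello body: version(2) + random(32) + session_id_len(1)
    # + cipher_suites_len(2) + one suite(2) + compression_len(1) + null(1) = 41.
    if hs_type != TLS_HS_CLIENT_HELLO or hs_len < 41:
        return False
    if len(data) >= 10 and data[9] != 0x03:    # legacy_version major byte in the body
        return False
    return True


def classify_first_bytes(data: bytes) -> str:
    """Label the first bytes of a connection for a TLS-only ingress policy."""
    if looks_like_client_hello(data):
        return "tls-clienthello"
    if data[:8] == PG_SSLREQUEST:
        return "pg-sslrequest"        # STARTTLS-style probe; the ClientHello comes next
    if len(data) >= 8 and struct.unpack("!II", data[:8])[1] == PG_PROTOCOL_3:
        return "pg-plaintext"
    return "plaintext"


def admit(data: bytes, allow_pg_starttls: bool = False) -> bool:
    """Decision for a 'TLS or nothing' listener. Anything else is dropped
    silently, which is why a plaintext client just sees a timeout."""
    kind = classify_first_bytes(data)
    return kind == "tls-clienthello" or (allow_pg_starttls and kind == "pg-sslrequest")


def build_client_hello(ciphers=(0x1301, 0xC02F)) -> bytes:
    """Construct a minimal TLS-framed ClientHello as sample input (not a capture)."""
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00"     # version, fixed random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                 # one compression method: null
    handshake = bytes([TLS_HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_RECORD_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    samples = {                                         # constructed inputs
        "tls": build_client_hello(),
        "pg-sslrequest": PG_SSLREQUEST,
        "pg-plain": struct.pack("!II", 8, PG_PROTOCOL_3),
        "http": b"GET / HTTP/1.1\r\nHost: internal\r\n\r\n",
    }
    for name, blob in samples.items():
        print(f"{name:14} {classify_first_bytes(blob):16} admit={admit(blob)}")
```

The check only looks at the first record, so a client that fragments its ClientHello across records still passes on the first record's headers; what it will not pass is a plaintext protocol that happens to send 0x16 as its first byte unless the remaining header fields also line up.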
|
Yes? Yes. Lots of people.
|
# ? May 11, 2021 18:25 |
|
There are many, many sites still running HTTP, but it's fine because it's inside the firewall right? What's a "blast radius"?
|
# ? May 11, 2021 18:42 |
Internet Explorer posted: use bridging and CSMA/CA and let god sort it out
|
|
# ? May 11, 2021 19:37 |
|
Exchange. Exchange never changes. https://twitter.com/nicoleperlroth/status/1392196162493444098?s=20
|
# ? May 11, 2021 21:01 |
|
CommieGIR posted: Exchange. Exchange never changes. So you are saying this company had some major gaps in infosec? :shocked:
|
# ? May 11, 2021 21:12 |
|
CommieGIR posted: Exchange. Exchange never changes. It never stops lol
|
# ? May 11, 2021 21:24 |
|
Ynglaur posted: There are many, many sites still running HTTP, but it's fine because it's inside the firewall right? What's a "blast radius"? there are a lot of complexities associated with full stack TLS. I agree that it's something to strive for, but terminating SSL at the edge and then using HTTP traffic for internal services (assuming that no traffic goes out through the internet again) is not a completely insane idea depending on your architecture. It's not great, and obviously it's best to use encryption wherever you can! But there are other problems I'd tackle first. In fact, lots of BigCloud providers do so within their architecture! I know for a fact GCP does not use HTTPS everywhere internally once you've gone through an L7 load balancer, for example.
|
# ? May 11, 2021 21:26 |
|
The Iron Rose posted: there are a lot of complexities associated with full stack TLS. I agree that it's something to strive for, but terminating SSL at edge and then using HTTP traffic for internal services (assuming that no traffic goes out through the internet again) is not a completely insane idea depending on your architecture. It's not great, and obviously it's best to use encryption wherever you can! But there are other problems I'd tackle first. It's also a terrible idea because it basically is the EXACT opposite of zero trust, and if anyone pops any of your internal nodes and just LISTENS, they are going to get free creds. I would never encourage this. I'd also assume groups like AWS and GCP are doing SSL decryption where it makes no sense to NOT be TLS everywhere internally because when they need it plaintext they are already decrypting. And yeah, it's fairly standard practice to strip TLS at the load balancer, but that comes with its own risks, especially if you can figure out how to identify the machines behind the load balancer.
|
# ? May 11, 2021 22:07 |
|
The Iron Rose posted: there are a lot of complexities associated with full stack TLS. I agree that it's something to strive for, but terminating SSL at edge and then using HTTP traffic for internal services (assuming that no traffic goes out through the internet again) is not a completely insane idea depending on your architecture. It's not great, and obviously it's best to use encryption wherever you can! But there are other problems I'd tackle first. AWS makes it horribly difficult to use HTTPS between load balancers and instances. 😩
|
# ? May 12, 2021 04:22 |
|
BlankSystemDaemon posted: there's enough confusion over the word 'crypto' goddammit i'm still mad that when i meet people at defcon and ask if they're interested in crypto they want to tell me about their dumb fake money portfolios instead of talking about the real poo poo like how else am i supposed to ask?? use the word "cryptography" i guess
|
# ? May 12, 2021 04:51 |
|
Cup Runneth Over posted: AWS makes it horribly difficult to use HTTPS between load balancers and instances. 😩 It's not that bad. Just use a network load balancer and pass the traffic through as-is, or use an application load balancer and have it connect to the targets over https (internally signed certs are fine here). The only pain is that you can't use ACM, which is great and all, but "equivalent to the work you'd have to do in an on-prem deployment" doesn't really seem like "AWS makes it horribly difficult."

But, really, it's also not all that necessary outside of check-the-box compliance. AWS is very strict about not letting instances see each other's traffic - sure, you can put an interface into promiscuous mode, but you can't touch the switch that says "you only see the traffic I want you to see." That still leaves the threat of someone breaking into AWS at the infrastructure or physical level and adjusting things to snoop on traffic, but at that point, you have to assume that they'd be able to reach right into your EC2 instance and snag the private key no matter what you do. Protecting against that kind of threat means you need to leave public cloud infrastructure and run your own hardware top to bottom, in your own datacenter with your own physical security.
|
# ? May 12, 2021 04:56 |
|
Cup Runneth Over posted: AWS makes it horribly difficult to use HTTPS between load balancers and instances. 😩 I am curious what your pain points are for this situation. I haven't found this to be the case, even with absurd setups like Akamai in front of Akamai in front of Akamai in front of a load balancer. At a minimum you just use an NLB and terminate your TLS traffic on your instance; if you need to know the IP, enable proxy protocol. I am a bit more ok in this discussion context about final TLS being early-terminated because I know your hopefully correctly set up and constrained VPC is ... your VPC, and it isn't going to be sniffable in plaintext across the entire org like an onprem flat network design. Same with GCP. Impotence fucked around with this message at 07:16 on May 12, 2021 |
# ? May 12, 2021 07:12 |
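"Enable proxy protocol" on an NLB means the TCP stream your instance receives is prefixed with a PROXY protocol v2 header carrying the real client address, and your listener has to parse it before it sees the ClientHello. The block below is an added example written for this thread, not AWS code or anything the posters shipped: a PROXY v2 parser with the LOCAL (health-check) case, IPv4/IPv6 addresses and the TLV block, plus a builder that produces constructed sample headers. The 0xEA TLV type is AWS's vendor TLV (subtype 0x01 carries the VPC endpoint ID); the `vpce-example` value is made up. `trusted_client` is the check a practitioner actually needs: the header is only worth believing when the TCP peer is the load balancer, because anyone who can reach the port directly can forge one.

```python
import ipaddress
import socket
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_FIXED_LEN = 16
PP2_VERSION = 0x2
PP2_CMD_LOCAL, PP2_CMD_PROXY = 0x0, 0x1
PP2_AF_INET, PP2_AF_INET6 = 0x1, 0x2
PP2_STREAM = 0x1
PP2_TYPE_AWS = 0xEA          # AWS vendor TLV; subtype 0x01 = VPC endpoint ID


class ProxyProtocolError(ValueError):
    pass


def _parse_tlvs(buf: bytes) -> dict:
    """Type(1) Length(2) Value items that follow the fixed address block."""
    tlvs = {}
    while buf:
        if len(buf) < 3:
            raise ProxyProtocolError("truncated TLV")
        t, ln = struct.unpack("!BH", buf[:3])
        if len(buf) < 3 + ln:
            raise ProxyProtocolError("TLV length exceeds header")
        tlvs[t] = buf[3:3 + ln]
        buf = buf[3 + ln:]
    return tlvs


def parse_proxy_v2(data: bytes):
    """Return (info, payload). payload is everything after the header, e.g. the ClientHello."""
    if len(data) < PP2_FIXED_LEN or data[:12] != PP2_SIGNATURE:
        raise ProxyProtocolError("missing PROXY v2 signature")
    ver_cmd, fam_proto, addr_len = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != PP2_VERSION:
        raise ProxyProtocolError("unsupported version")
    end = PP2_FIXED_LEN + addr_len
    if len(data) < end:
        raise ProxyProtocolError("truncated address block")
    cmd, family, proto = ver_cmd & 0x0F, fam_proto >> 4, fam_proto & 0x0F
    addr, payload = data[PP2_FIXED_LEN:end], data[end:]
    if cmd == PP2_CMD_LOCAL:          # health checks arrive as LOCAL: no client address
        return {"command": "LOCAL"}, payload
    if cmd != PP2_CMD_PROXY or proto != PP2_STREAM:
        raise ProxyProtocolError("unsupported command/protocol")
    if family == PP2_AF_INET:
        fmt, af, fixed = "!4s4sHH", socket.AF_INET, 12
    elif family == PP2_AF_INET6:
        fmt, af, fixed = "!16s16sHH", socket.AF_INET6, 36
    else:
        raise ProxyProtocolError("unsupported address family")
    if addr_len < fixed:
        raise ProxyProtocolError("address block too short")
    src, dst, sport, dport = struct.unpack(fmt, addr[:fixed])
    info = {
        "command": "PROXY",
        "src": (socket.inet_ntop(af, src), sport),
        "dst": (socket.inet_ntop(af, dst), dport),
        "tlvs": _parse_tlvs(addr[fixed:]),
    }
    return info, payload


def build_proxy_v2(src, dst, tlvs=()) -> bytes:
    """Construct an IPv4 PROXY v2 header (sample data standing in for what an NLB sends)."""
    block = struct.pack("!4s4sHH", socket.inet_aton(src[0]), socket.inet_aton(dst[0]), src[1], dst[1])
    for t, v in tlvs:
        block += struct.pack("!BH", t, len(v)) + v
    return PP2_SIGNATURE + struct.pack("!BBH", (PP2_VERSION << 4) | PP2_CMD_PROXY,
                                       (PP2_AF_INET << 4) | PP2_STREAM, len(block)) + block


def trusted_client(first_bytes: bytes, peer_ip: str, lb_networks):
    """Only honour a PROXY header when the TCP peer is in the load balancer's subnets."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(n) for n in lb_networks):
        raise ProxyProtocolError(f"PROXY header from untrusted peer {peer_ip}")
    return parse_proxy_v2(first_bytes)


if __name__ == "__main__":
    # Constructed sample: internet client -> NLB -> this instance, followed by a TLS record start.
    hdr = build_proxy_v2(("203.0.113.7", 51234), ("10.0.1.20", 443),
                         [(PP2_TYPE_AWS, b"\x01vpce-example")])
    info, payload = trusted_client(hdr + b"\x16\x03\x01", "10.0.0.5", ["10.0.0.0/16"])
    print(info["src"], info["dst"], info["tlvs"][PP2_TYPE_AWS], payload)
```

Pair this with a security group that only admits the NLB's subnets on the listener port; the `lb_networks` check is belt-and-braces for the case where someone later opens that port to the VPC.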
|
for some reason this just made me think of null encryption ssh https://hamwan.org/Standards/Network%20Engineering/Authentication/SSH%20Without%20Encryption.html
|
# ? May 12, 2021 07:24 |
|
Biowarfare posted: are there people that don't? i can't even access any ports that don't start with a tls clienthello handshake. postgres + tls works, postgres without tls just times out
|
# ? May 12, 2021 07:34 |
|
RFC2324 posted: for some reason this just made me think of null encryption ssh loving Silicon Valley reinventing rsh again
|
# ? May 12, 2021 07:38 |
|
more falafel please posted: loving Silicon Valley reinventing rsh again it's apparently mainly for amateur ham radio networking, where it seems that encryption is a no-no. Weird, but you have to explicitly compile it in E: well, that rabbit hole led me to discovering that amateur satellites are a thing https://www.amsat.org/ RFC2324 fucked around with this message at 07:46 on May 12, 2021 |
# ? May 12, 2021 07:41 |
|
RFC2324 posted: its apparently mainly for amateur Ham radio networking, where it seem that encryption is a no-no. Weird, but you have to explicitly compile it in it was a joke about reinventing the bus or some other public service every 15 minutes. i debug network services for a living I understand why sometimes you might need a way to disable encryption
|
# ? May 12, 2021 07:47 |
|
more falafel please posted: it was a joke about reinventing the bus or some other public service every 15 minutes. i debug network services for a living I understand why sometimes you might need a way to disable encryption sorry. I got the joke, I'm just excited to learn the ham/satellite stuff
|
# ? May 12, 2021 07:52 |
|
RFC2324 posted: sorry. I got the joke, I'm just excited to learn the ham/satellite stuff that is cool. Radio is the past/future
|
# ? May 12, 2021 08:13 |
|
CLAM DOWN posted: It never stops lol unlike the gas
|
# ? May 12, 2021 08:37 |
Achmed Jones posted: goddammit i'm still mad that when i meet people at defcon and ask if they're interested in crypto they want to tell me about their dumb fake money portfolios instead of talking about the real poo poo RFC2324 posted: its apparently mainly for amateur Ham radio networking, where it seem that encryption is a no-no. Weird, but you have to explicitly compile it in Also yeah, AMSAT is cool - I've been HAMing with a few of the people who're involved with AMSAT-UK, you can listen in here. BlankSystemDaemon fucked around with this message at 14:28 on May 12, 2021 |
|
# ? May 12, 2021 14:22 |
|
Achmed Jones posted: goddammit i'm still mad that when i meet people at defcon and ask if they're interested in crypto they want to tell me about their dumb fake money portfolios instead of talking about the real poo poo I feel your pain. (And I have exactly the same issue with motorcycle people stealing the word "bike" from the bicycle people.)
|
# ? May 12, 2021 14:32 |
|
BlankSystemDaemon posted: "Do you know Bob and Alice"? "Bob and Alice solved it with Blockchain" -Vendor *brain finally snaps*
|
# ? May 12, 2021 16:38 |
|
ahahaahahahahhahh https://twitter.com/DaybookJobs/status/1392474130264457219
|
# ? May 12, 2021 17:28 |
|
CLAM DOWN posted: ahahaahahahahhahh "We need a fall guy for the next time this happens, no we won't implement your security program"
|
# ? May 12, 2021 17:42 |
|
what the gently caress is the deal with auditors who want screenshots instead of console output?
|
# ? May 12, 2021 18:17 |
|
probably think it's too easy to edit text
|
# ? May 12, 2021 18:23 |
|
Jeoh posted: what the gently caress is the deal with auditors who want screenshots instead of console output? Poor training or bad instructions from management which they're not willing to push back on, usually.
|
# ? May 12, 2021 18:24 |
|
our wiki has screenshots of commands in it. why the gently caress would you do that, it just makes errors more likely!
|
# ? May 12, 2021 18:40 |
|
Jeoh posted: what the gently caress is the deal with auditors who want screenshots instead of console output? A guy that I used to work with would always do these screenshots with his terminal set to very slightly transparent, so that if you looked close, you could see the dinosaur porn desktop background that he kept ready for just this circumstance.
|
# ? May 12, 2021 18:50 |
|
Powered Descent posted: A guy that I used to work with would always do these screenshots with his terminal set to very slightly transparent, so that if you looked close, you could see the dinosaur porn desktop background that he kept ready for just this circumstance.
|
# ? May 12, 2021 19:00 |
|
Powered Descent posted: A guy that I used to work with would always do these screenshots with his terminal set to very slightly transparent, so that if you looked close, you could see the dinosaur porn desktop background that he kept ready for just this circumstance. the hero we need
|
# ? May 12, 2021 19:06 |
|
RFC2324 posted: the hero we need And the hero they deserved.
|
# ? May 12, 2021 20:13 |
|
Jeoh posted: what the gently caress is the deal with auditors who want screenshots instead of console output? God this is a huge thing with us and it drives me insane. Look person do you know how much more effort it would take to go through and fake this massive debug dump? Significantly more than doctoring a screenshot, stay in your loving lane.
|
# ? May 12, 2021 20:14 |
|
|
Set the font on your terminal emulator to some scribble handwriting font before you do the show run e: Wingdings
|
# ? May 12, 2021 20:18 |