Spring Heeled Jack
Feb 25, 2007

Yeah that’s exactly how I felt. We’re very much a trad Windows AD setup currently, but it is and has been a short-term department and company objective to change that so we can properly support a distributed workforce. They were about 5 years too late on the next-gen FW purchase.


Bob Morales
Aug 18, 2006



Speaking of firewalls, Fortinet support is so bad.

Simple questions like 'what is the latest version of FortiOS that is FIPS compliant' can't be answered. They send you documentation or arcane references.

Then I was having trouble setting up SNMP. I've gotten it working before, but something was blocking access. I'd expect a tech to say "oh, check this and this"; this guy literally sends me a link on how to set it up, which I obviously already looked at. I mentioned some of the errors or out-of-date info in the document he linked me to. He then wants to walk through it step by step. I oblige, and he gets stuck where I told him the inaccuracies were. After almost 2 hours on the phone we get nowhere.

It was like it was his first day on the job and they just gave him a Firewalls for Dummies book and sent him on his way.

Proteus Jones
Feb 28, 2013



Bob Morales posted:

Speaking of firewalls, Fortinet support is so bad.

Simple questions like 'what is the latest version of FortiOS that is FIPS compliant' can't be answered. They send you documentation or arcane references.

Then I was having trouble setting up SNMP. I've gotten it working before, but something was blocking access. I'd expect a tech to say "oh, check this and this"; this guy literally sends me a link on how to set it up, which I obviously already looked at. I mentioned some of the errors or out-of-date info in the document he linked me to. He then wants to walk through it step by step. I oblige, and he gets stuck where I told him the inaccuracies were. After almost 2 hours on the phone we get nowhere.

It was like it was his first day on the job and they just gave him a Firewalls for Dummies book and sent him on his way.

I've honestly never had too much of an issue with Fortinet support, but I will caveat that with usually the issue has been escalated to Tier 3/Engineers on both sides by the time I'm involved. Also, we had a large enough deployment that they built us a snowflake version of the firmware rather than us having to wait on certain problems being addressed in the production development chain.

Personally, I like Fortigates, but I've used them for so long I find them mostly straightforward to deal with. I have no experience with their APs or switches.

Thanks Ants
May 21, 2004



"Hey can you please chase the supplier on these swit.."

No, gently caress off. There's a global shortage of loads of components, every switch we'd want to use is showing lead times measured in months. It's just how it is.

vanity slug
Jul 20, 2010

Thanks Ants posted:

"Hey can you please chase the supplier on these swit.."

No, gently caress off. There's a global shortage of loads of components, every switch we'd want to use is showing lead times measured in months. It's just how it is.

i'm sure calling them is going to make the global supply chain go a little faster

nielsm
Jun 1, 2009



Thanks Ants posted:

"Hey can you please chase the supplier on these swit.."

No, gently caress off. There's a global shortage of loads of components, every switch we'd want to use is showing lead times measured in months. It's just how it is.

Ask to rent a chopper so you can fly over to one of those freight ships lined up outside all major ports and dig through their containers. You can probably find the switches you're looking for there.

Impotence
Nov 8, 2010

Thanks Ants posted:

"Hey can you please chase the supplier on these swit.."

No, gently caress off. There's a global shortage of loads of components, every switch we'd want to use is showing lead times measured in months. It's just how it is.

Yes, sure. Are you willing to pay $275,000 more per item? That's the going rate.

taqueso
Mar 8, 2004



Jeoh posted:

i'm sure calling them is going to make the global supply chain go a little faster

this would all be fixed if there were a couple more squeaky wheels

Varkk
Apr 17, 2004

They just want you to bug them until you get to the front of the queue. Or have the suppliers decide you are too much of a pain to deal with and blacklist your company. Either way I am sure asking to speak with a manager will get this sorted.

The Iron Rose
May 12, 2012

Why would you both share and peer the same VPC networks with one another?! It’s like they wanted to make my nascent lucidchart even stupider looking :negative:

PremiumSupport
Aug 17, 2015

Thanks Ants posted:

We’re a SonicWall partner and all their product communication is about how you can increase revenue and nothing about the product itself (which is hot garbage), which I think says all you need to know about them.

Firewalls don’t really *do* anything now for a distributed workforce and a company that is fully on SaaS apps, spend the pretty insane security service subscriptions on zero trust and identity and things like that.

Funny that Sonicwalls came up in discussion. One of them is currently the bane of my existence.

I posted before about our anti-spam service using a port (10080) that's now blocked by most (all) major web browsers. It's now been three weeks and no resolution is in sight. The Sonicwall appears to give the option to change the port it operates on to something more sane, but as soon as I hit the "Apply" button it reverts to 10080.

Wish I had the budget to bin the thing.

devmd01
Mar 7, 2006

Proofpoint uses a similarly numbered port for the user control panel. Problem is, our people are in hospitals, so non-standard ports are usually locked down pretty hard. We had to put a definition in for Proofpoint in Zscaler Private Access so our employees could get to it through the tunnel.

PremiumSupport
Aug 17, 2015

devmd01 posted:

Proofpoint uses a similarly numbered port for the user control panel. Problem is, our people are in hospitals, so non-standard ports are usually locked down pretty hard. We had to put a definition in for Proofpoint in Zscaler Private Access so our employees could get to it through the tunnel.



The issue isn't so much that it uses a special port number to access the user's spam junkbox, I can handle that in my firewall/VPN routing rules. The problem is that web browsers have stopped allowing users to browse to a http resource that includes said port number. Users get a security warning page that basically says "you're not allowed to do this, goodbye." You can bypass the restriction by disabling the security in the browser, but I'm not going to tell all my staff to do this, and I'm certainly not going to do it for them.

The sane solution is to change the port number used to access the user control panel, but this sonicwall device is preventing this from happening for some reason. I've got a support case open, hopefully it's just a UI issue and there's some CLI string that can be executed on the device to force the change, but I'm not holding my breath.

rafikki
Mar 8, 2008



PremiumSupport posted:

The issue isn't so much that it uses a special port number to access the user's spam junkbox, I can handle that in my firewall/VPN routing rules. The problem is that web browsers have stopped allowing users to browse to a http resource that includes said port number. Users get a security warning page that basically says "you're not allowed to do this, goodbye." You can bypass the restriction by disabling the security in the browser, but I'm not going to tell all my staff to do this, and I'm certainly not going to do it for them.

The sane solution is to change the port number used to access the user control panel, but this sonicwall device is preventing this from happening for some reason. I've got a support case open, hopefully it's just a UI issue and there's some CLI string that can be executed on the device to force the change, but I'm not holding my breath.

Could you NAT the traffic as a workaround in the meantime?

Original:
source - $userIPs
destination - $junkboxIP
port - 80

Translated
source - $userIPs
destination - $junkboxIP
port - $nonstandardPort

MF_James
May 8, 2008

rafikki posted:

Could you NAT the traffic as a workaround in the meantime?

Original:
source - $userIPs
destination - $junkboxIP
port - 80

Translated
source - $userIPs
destination - $junkboxIP
port - $nonstandardPort

Probably not with a sonicwall, it can get real finicky about stuff like this.

Their new *7 series firmware is extra trash, dealing with all sort of random issues that the previous gen didn't have; not that I like them much anyway, Fortinet is way better if you're planning on implementing NGFW.

Bob Morales
Aug 18, 2006



Why don’t they use a domain or something like spambox.company.com instead of a non standard port number

i am a moron
Nov 12, 2020

I’m now on an Azure project that is stretching on until January 2022 to deploy ecomm stuff to every major region on the planet, and it’s been a while since I’ve been this close to the compute/PaaS side instead of identity and security. And Jesus Christ, I forgot what a total piece of poo poo this platform is. I love stuff being in failed provisioning states for no reason, applying regular things in TF taking loving forever, and my dipshit clients choosing Azure Firewall Premium despite me telling them I wouldn’t use it and don’t know how the advanced features work, and then they want TLS inspection and it’s a half-documented mess from MS.

I’m gonna switch to consulting sales soon and just start my own company

Wibla
Feb 16, 2011

Could you run a local reverse proxy with an internal subdomain?
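The NAT and reverse-proxy workarounds suggested above, as an added example that is not part of the original thread and is not SonicWall's or Proofpoint's code: a PowerShell script that puts a Windows host in front of the junkbox with a `netsh interface portproxy` rule, so users browse to a normal hostname on port 80 and the hop to 10080 happens behind the scenes where no browser sees it. The junkbox address 10.0.0.5, the proxy host name spambox.company.com and the 10.0.0.0/8 user range are assumptions.

```powershell
# Added example (not from the thread): relay a sane listener to the SonicWall
# junkbox port so nobody has to type ":10080" into a browser.
# Assumptions (hypothetical values): junkbox at 10.0.0.5:10080, this Windows host
# is what DNS resolves spambox.company.com to, users sit in 10.0.0.0/8.
# Run from an elevated PowerShell on the proxy host.

param(
    [string]$JunkboxAddress = '10.0.0.5',
    [int]$JunkboxPort       = 10080,
    [string]$ListenAddress  = '0.0.0.0',
    [int]$ListenPort        = 80,
    [string]$UserRange      = '10.0.0.0/8',
    [switch]$Remove
)

# The IP Helper service (iphlpsvc) implements portproxy; nothing works without it.
$ipHelper = Get-Service -Name iphlpsvc
if ($ipHelper.Status -ne 'Running') {
    Set-Service -Name iphlpsvc -StartupType Automatic
    Start-Service -Name iphlpsvc
}

if ($Remove) {
    netsh interface portproxy delete v4tov4 "listenaddress=$ListenAddress" "listenport=$ListenPort"
    Get-NetFirewallRule -DisplayName "Spam junkbox proxy ($ListenPort)" -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    Write-Host "Removed port proxy on ${ListenAddress}:${ListenPort}"
    return
}

# 'add' silently replaces an existing rule on the same listener; refuse instead,
# so a typo cannot hijack a listener someone else set up on this host.
$pattern  = "^\s*$([regex]::Escape($ListenAddress))\s+$ListenPort\s"
$existing = netsh interface portproxy show v4tov4 | Select-String -Pattern $pattern
if ($existing) {
    throw "A port proxy already exists on ${ListenAddress}:${ListenPort}: $existing"
}

# Make sure the junkbox actually answers before pointing users at this host.
$probe = Test-NetConnection -ComputerName $JunkboxAddress -Port $JunkboxPort -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "Junkbox ${JunkboxAddress}:${JunkboxPort} is not reachable from this host"
}

netsh interface portproxy add v4tov4 `
    "listenaddress=$ListenAddress" "listenport=$ListenPort" `
    "connectaddress=$JunkboxAddress" "connectport=$JunkboxPort"

# Open the listener on the host firewall for the user range only; the junkbox
# is an internal thing and should not become reachable from anywhere else.
New-NetFirewallRule -DisplayName "Spam junkbox proxy ($ListenPort)" `
    -Direction Inbound -Protocol TCP -LocalPort $ListenPort `
    -RemoteAddress $UserRange -Action Allow | Out-Null

# Show the resulting table so the change is visible in the console log.
netsh interface portproxy show v4tov4
```

Run it elevated on the proxy host, then point an internal DNS A record for the chosen name at that host. A portproxy is a plain TCP relay: it does not touch HTTP, so if the junkbox emits absolute links that include :10080 the browser will still refuse those; check a page's HTML before rolling this out. Once SonicWall's 10443/HTTPS mode works, the same script with -ListenPort 443 -JunkboxPort 10443 relays TLS untouched, but the certificate on the box must then match the name users type; if it cannot, the proxy host has to terminate TLS itself (IIS with ARR, nginx), which a portproxy cannot do.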

Thanks Ants
May 21, 2004



I'm not aware of that being a browser thing (the custom port). Are you sure? Have you set a policy that you just need to tweak? Do you have a proxy/filter that is doing it?

PremiumSupport
Aug 17, 2015

Thanks Ants posted:

I'm not aware of that being a browser thing (the custom port). Are you sure? Have you set a policy that you just need to tweak? Do you have a proxy/filter that is doing it?

https://www.bleepingcomputer.com/news/security/google-chrome-blocks-port-10080-to-stop-nat-slipstreaming-attacks/

Edit: Firefox and Edge do it too now.

Thanks Ants
May 21, 2004



Ah OK, it's specific to that port. Never mind.

SonicWall seem to think that spam service runs on 10443 as well, you'd just need to put a cert on the box.

PremiumSupport
Aug 17, 2015
Right, that's what I'm trying to switch it to, following Sonicwall's own instructions.

I change the url to "https://<site>:10443"
I push the "test" button and everything works
I push the "Apply" button and the page refreshes with "Settings Applied!" but the url has reverted to "http://<site>:10080"

Thanks Ants
May 21, 2004



SonicWalls are garbage, but usually the event log will have an entry in red text crying about the reason why that didn't work. As it's SonicWall, I guess also try without ad blockers on, because their JavaScript is trash.

PremiumSupport
Aug 17, 2015

Thanks Ants posted:

SonicWalls are garbage, but usually the event log will have an entry in red text crying about the reason why that didn't work. As it's SonicWall, I guess also try without ad blockers on, because their JavaScript is trash.

No argument about the garbage status.

I did try it without any script/ad blockers active with the same results. I can change other fields just fine, it's only this one that seems to be hard-coded to revert to default. I even rebooted the device which didn't make a lick of difference. Not seeing any red in my logs either.

The Iron Rose
May 12, 2012


The Iron Rose posted:

Why would you both share and peer the same VPC networks with one another?! It’s like they wanted to make my nascent lucidchart even stupider looking :negative:

all staging, production, and dev subnets have been shared with one another :v:

I can create a VM on the same subnet with arbitrary network tags and ping our prod bastion hosts... from our no controls playground dev project. can't SSH! and most of our firewall rules are service account based.


but yiiiiiikes.

Thanks Ants
May 21, 2004



Does Google Workspace have a concept of trusted network locations where MFA can be bypassed? I get that this is not a very ‘Google’ approach to things and we should be evaluating risk without trusting a network etc. but I have a requirement that needs a shared account but only needs to work from the office.

The closest I can get is to use context aware access with Cloud Identity Premium to permit access to the application only from specific IP addresses, apply this rule to one account, and then exclude that account from MFA entirely but this isn’t totally going to do what I need as it will prevent access from outside the office network - it’s not a requirement yet but I can see it being added as someone will think it’s just a small change.

I’m basically looking for Azure Conditional Access but Google don’t have anything as powerful as that as far as I can tell.

Lum
Aug 13, 2003

Our security team seem to not give a poo poo about PrintNightmare, we're supposed to go through them before taking any emergency action.

We've asked if they'd like us to disable the print spooler on our DCs? Would they like us to apply the out of band patch? What about our massive RDS setup in a physically secure DataCentre that has tons of PII available and has printer redirection enabled? Can we just disable the print spooler on all non-printing servers, and amend the server build process to disable it by default?

Silence.

Only way to win this is to also stop caring.


Edit: But they did manage to put a websense warning on Google Image Search yesterday. Yay! Priorities

Lum fucked around with this message at 11:04 on Jul 8, 2021

devmd01
Mar 7, 2006

Does anyone have a security team that is actually worth a poo poo? Because it sure doesn’t seem like it from my experience!

We’ve only just in the last year or so gotten a couple of people with any kind of technical ability on our infosec team. I have no idea why the manager is still here, he is absolutely worthless and last I heard was on a PIP.

We’ve been paying for Okta adaptive MFA for drat near two years and it still isn’t rolled out. We have a contract PM for a project that is kind of on hold for the moment, so he is getting tasked to get the ball rolling. They are targeting a full deployment by the end of August, for a company of 3000+ people lmfao.

devmd01 fucked around with this message at 11:26 on Jul 8, 2021

Thanks Ants
May 21, 2004



Lum posted:

Our security team seem to not give a poo poo about PrintNightmare, we're supposed to go through them before taking any emergency action.

We've asked if they'd like us to disable the print spooler on our DCs? Would they like us to apply the out of band patch? What about our massive RDS setup in a physically secure DataCentre that has tons of PII available and has printer redirection enabled? Can we just disable the print spooler on all non-printing servers, and amend the server build process to disable it by default?

Silence.

Only way to win this is to also stop caring.


Edit: But they did manage to put a websense warning on Google Image Search yesterday. Yay! Priorities

Stash the CYA messages somewhere safe

guppy
Sep 21, 2004

Do you actually print from your DCs? I assume not, in which case, maybe you can just disable Print Spooler as a "routine" hardening action instead of an "emergency" one!

CommieGIR
Aug 22, 2006


guppy posted:

Do you actually print from your DCs? I assume not, in which case, maybe you can just disable Print Spooler as a "routine" hardening action instead of an "emergency" one!

Yeah, if the security team is failing to do their job, just disable it everywhere you can that's non-impacting.

Lum
Aug 13, 2003

We did the DCs, still haven't heard back from security.

I'm more worried about the RDP environment and the amount of ~robotic process automation~ that's dependent on a lovely PDF printer.

Edit: Meanwhile a supplier asked for access to our SFTP server. I sent them the "how to create a keypair and send me the public key" document two weeks ago and they still haven't got their IT department to do it. This supplier has the phrase "accelerate digital transformation" on their home page. FML

Lum fucked around with this message at 14:56 on Jul 8, 2021

Sickening
Jul 16, 2007


Lum posted:

We did the DCs, still haven't heard back from security.

I'm more worried about the RDP environment and the amount of ~robotic process automation~ that's dependent on a lovely PDF printer.

Edit: Meanwhile a supplier asked for access to our SFTP server. I sent them the "how to create a keypair and send me the public key" document two weeks ago and they still haven't got their IT department to do it. This supplier has the phrase "accelerate digital transformation" on their home page. FML

Infosec is also a part of the org people can get into and realize the paychecks keep coming despite not actually working.

Lum
Aug 13, 2003

Sickening posted:

Infosec is also a part of the org people can get into and realize the paychecks keep coming despite not actually working.

They've finally decided to hold a meeting with my boss to decide a plan of action, despite the server team telling infosec about the issue on Monday.

It's almost close of play in my time zone, so this will be a Friday deployment. I've already told my boss I have plans this weekend.

Super-NintendoUser
Jan 16, 2004


devmd01 posted:

Does anyone have a security team that is actually worth a poo poo? Because it sure doesn’t seem like it from my experience!

One of my friends did security for a small (50 person) brokerage firm. He kept requesting projects to setup SSO and mail filtering for their mail and services, and he kept getting rejected since the old CEO didn't want to mess with a token. He always wanted to start training on social engineering and what not but they wouldn't pay for it.

After a while, the CEO got spear-phished and wired a few million overseas by accident. He got a legit email from the firm's banker about wiring some funds, but unknown to him the banker's email was compromised, and the hacker responded from the banker's address with "hey, I sent the wrong account number, here's the right one" and the money was gone.

They blamed my friend for it, and tried to get him in legal trouble too, they made his life hell for a couple months, even though it was obviously not his fault. The firm was basically insolvent after that event so he quit.

CommieGIR
Aug 22, 2006


Jerk McJerkface posted:

One of my friends did security for a small (50 person) brokerage firm. He kept requesting projects to setup SSO and mail filtering for their mail and services, and he kept getting rejected since the old CEO didn't want to mess with a token. He always wanted to start training on social engineering and what not but they wouldn't pay for it.

After a while, the CEO got spear-phished and wired a few million overseas by accident. He got a legit email from the firm's banker about wiring some funds, but unknown to him the banker's email was compromised, and the hacker responded from the banker's address with "hey, I sent the wrong account number, here's the right one" and the money was gone.

They blamed my friend for it, and tried to get him in legal trouble too, they made his life hell for a couple months, even though it was obviously not his fault. The firm was basically insolvent after that event so he quit.

This, ladies and gents, is why you document the rejections for security projects. I had this happen with a client who I recommended they remediate a bunch of findings after a pen test. They did not.

Fast forward two years later, they got phished and had a lot of stuff taken, including some funds. They sued me. I had a nice, documented rejection letter my lawyer insisted they sign after the pen test when we discussed how they could and should address findings. They lost out on both the case and lawyers' fees.

The Iron Rose
May 12, 2012

Recruiters who only use male pronouns in their job postings.


It was a female recruiter! I’m clearly female on my profile picture, name, and literal LinkedIn pronouns!! gently caress off!!

Methylethylaldehyde
Oct 23, 2004


The Iron Rose posted:

Recruiters who only use male pronouns in their job postings.


It was a female recruiter! I’m clearly female on my profile picture, name, and literal LinkedIn pronouns!! gently caress off!!

Form letter bot.exe doesn't care, and as such neither does the recruiter. The bot found a possible match, and the bot sent you a 'we totally think you'd be interested in this 4 month temp gig doing telco cobol programming at some research station in the south pacific, no relocation expenses, please let me know sir.' despite the fact that your profile has you doing infosec, are a girl, clearly states you refuse temp gigs or travel, and aren't looking for a job.

Never attribute to malice what can be best explained by lazy programming or idiocy.

Thanks Ants
May 21, 2004



I’ve defaulted to using they/them/their in messages now when talking about someone that I’ve not met or worked with previously


Lum
Aug 13, 2003

So other people ended up dealing with printnightmare after the massive delay, including the boss TBF.

I got ambushed by a Teams group call 15 minutes before the end of the day, from the security and desktops teams asking questions about how to work the patching setup we built for them and they ignored. I left that call when they decided the best course of action was to roll out 20H2 on Friday afternoon instead of managing different versions of the patch.

Then, 5 minutes before the end of the day, I had my boss call asking how to bulk-run a PowerShell script against a list of non-domain servers, but I was able to point him at the template script I wrote for doing that.

Only hiccup was I'd previously pointed the boss's boss at the same template script, and of course he pasted his own code in and then saved it over the top of the template.

Still got out on time, none of this is my problem.

🍿
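The "disable the spooler everywhere non-impacting" route from earlier in the thread, combined with the bulk-run-against-a-server-list step from the last post, as an added PowerShell example that is not from the thread and not Microsoft's own guidance script: it reads hostnames from a file, flags domain controllers, skips servers that share printers or sit on an explicit exclusion list, and disables the Print Spooler on the rest over WinRM. The file name servers.txt, the CSV report name, and the use of a local administrator credential plus WinRM TrustedHosts for non-domain hosts are assumptions.

```powershell
# Added example (not from the thread): bulk-disable the Print Spooler on servers
# that have no business printing, as a routine hardening step.
# Assumptions (hypothetical): servers.txt holds one hostname per line, WinRM is
# reachable, and non-domain hosts accept a local administrator credential.

param(
    [string]$ServerList = '.\servers.txt',   # one hostname per line (hypothetical file)
    [string[]]$Exclude  = @(),               # hosts that must keep printing (e.g. RDS hosts)
    [switch]$NonDomain,                      # hosts are workgroup / untrusted-domain members
    [switch]$ReportOnly                      # show what would change, change nothing
)

$servers = Get-Content $ServerList |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and ($_ -notin $Exclude) }

$invokeArgs = @{}
if ($NonDomain) {
    # WinRM will not send NTLM credentials to hosts outside TrustedHosts; add
    # exactly the listed names, nothing broader, and prompt once for the credential.
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($servers -join ',') -Concatenate -Force
    $invokeArgs.Credential = Get-Credential -Message 'Local administrator on the non-domain servers'
}

$hardenSpooler = {
    param([bool]$DryRun)
    $r = [ordered]@{ Host = $env:COMPUTERNAME; Role = 'member'; Action = 'none' }

    # DomainRole 4 = backup DC, 5 = primary DC. A DC never needs to spool print jobs,
    # so shared printers on a DC do not earn it an exemption.
    if ((Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4) { $r.Role = 'DC' }

    # A member server that shares printers is a print server: leave it alone, flag it.
    $shared = @()
    if (Get-Command Get-Printer -ErrorAction SilentlyContinue) {
        $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object Shared)
    }
    if ($shared.Count -gt 0 -and $r.Role -ne 'DC') {
        $r.Action = "skipped: shares $($shared.Count) printer(s)"
        return [pscustomobject]$r
    }

    $svc = Get-Service -Name Spooler
    if ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled') {
        $r.Action = 'already disabled'
    } elseif ($DryRun) {
        $r.Action = "would disable (now $($svc.Status)/$($svc.StartType))"
    } else {
        # Stop it now and keep it stopped across reboots; Disabled also blocks
        # anything that merely restarts the service from bringing it back.
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
        $r.Action = 'disabled'
    }
    [pscustomobject]$r
}

# Fan out in parallel; -ErrorAction Continue keeps going past unreachable hosts,
# whose errors still land in the console so they can be chased separately.
$report = Invoke-Command -ComputerName $servers -ScriptBlock $hardenSpooler `
    -ArgumentList ([bool]$ReportOnly) -ErrorAction Continue @invokeArgs

$report | Sort-Object Host | Format-Table Host, Role, Action -AutoSize
$report | Export-Csv -Path ".\spooler-$(Get-Date -Format yyyyMMdd-HHmm).csv" -NoTypeInformation
```

Run it with -ReportOnly first and read the report: the shared-printer check only spares servers that share printers, so a host that prints locally (the RDS farm with its PDF printer, above) has to go on -Exclude or the RPA jobs stop. Keep the CSV with the rest of the CYA trail. For non-domain servers the script appends the list to WinRM TrustedHosts, which tells your client to hand NTLM credentials to those names; if that is not meant to be standing configuration, remove them afterwards with Clear-Item WSMan:\localhost\Client\TrustedHosts.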
