|
it definitely matters a lot where you put data in certain circumstances, especially with personal data, but what I've seen in the last maybe 12 months is a huge increase in the amount of times it's mentioned and it's never backed up or put into writing anywhere. At this point it feels like an excuse to get out of doing work, to be honest. And while work-avoidance is fine by me just don't achieve it by creating a bunch of useless work for other people in the process imo

On micro-segmentation - the biggest problem with it is that it relies on your ability to categorise your systems so they can be sorted into network segments and have policy applied to them. This is a very easy job on the surface but an extremely arduous and potentially impossible job in reality. This is because of a number of factors but I think the primary reason is that most networks of a reasonable size don't have a lot of homogeneity between systems. All of the tiny little differences can and will be referenced as a reason to increase the level of segmentation in the network or relax the policy, of which both options will require a lot of human intervention to make reality.

For instance, you might start by making a segment for all your database servers. You allow all the *SQL ports through to it from your app servers. However, someone wants to install a mongodb server. Now, do you update the policy to also permit the mongo ports, potentially creating attack vectors to all of the other servers in the segment? Do you make a bespoke rule just for the mongo server? Do you put it on its own "web-scale" segment? There's a bullet full of work in every chamber! Very quickly either the policy or the network (or both, in some circumstances) will become hilariously over-complicated. Luckily, by this point, VMWARE or CISCO or whomever sold you on the micro-segmentation piece are well on their way out the door.
If you read that and thought "well sure, only if you're some sort of stupid dumb dumb idiot who doesn't know how to automate stuff" not so fast hot stuff - all those changes I mentioned previously are extremely hard to automate because it involves loving with network gear which sits on the scale of terrible -> literally impossible even in this day and age. Generally it's fairly easy to use automation to stand up new stuff but ongoing cleanups and sanity-checking requires a lot of complicated logic that is hard to implement - ask anyone who is using Ansible (for example) for network automation how they detect and then clean up stuff when it's decommissioned and you'll get some interesting responses. Can you guess what happens when new changes are easy to automate but old policy is very hard to get rid of?

Can it ever work? Actually, yes, in the following scenarios:
- you don't give a gently caress about denying new systems access to the network i.e. Tax office, Defense, banks. Using the mongo example, whomever tried to pull that one would get flat out rejected with a 'we don't use mongodb, that is not supported.'
- you have a very narrow suite of applications you support and you know exactly how they work i.e. Google, Facebook. These places can get away with it because they can make massive sweeping generalisations like "if your app won't work through a forward proxy then it's not allowed on the network"
- you are a service provider who doesn't implement policy above layer 3, i.e. the entire point of segmentation is to keep customer IP space from communicating with each other when it's inside your environment.

So if someone asks you about why you aren't deploying ACI or NSX or good ol' 4096 vlans with a firewall between 'em, the best response is to talk about all the other, far better and more productive things you could be spending that time on.
If you are concerned about your hosts being vulnerable to east-west attacks, you should be targeting the hosts themselves FIRST to determine where the concern lies. 9/10 I've had this conversation it has brought up some extremely stupid/irresponsible design decisions like "oh well this application uses a version of apache that has a bunch of active vulnerabilities in it, that's why we wanted to make sure it was segmented off because we don't want to patch it". In other words, micro-segmentation is often proposed as a solution to operational problems that should not exist in the first place.
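The "easy to add, hard to clean up" problem from the post above, written out as a reconciliation check. This is an added example for this page, not abigserve's tooling or any vendor's product: the host inventory, segment names, rule format and hostnames are all constructed stand-ins for a CMDB export and a firewall's rule table. It shows the three failure modes the post describes: a segment-wide rule that opens a port to hosts that don't serve it, a rule whose port nobody in the segment serves any more, and a bespoke rule pointing at a box that has been decommissioned.

```python
"""Audit segment firewall rules against a host inventory.

Added example: the inventory, hosts, segments and rule format are constructed
stand-ins, not exports from any real CMDB or firewall platform.
"""
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    segment: str
    ports: set = field(default_factory=set)   # TCP ports the host actually serves
    decommissioned: bool = False


# Constructed inventory: the "db" segment started as *SQL boxes, then a MongoDB
# server was added and later retired.
INVENTORY = [
    Host("db01", "db", {3306}),
    Host("db02", "db", {5432}),
    Host("mongo01", "db", {27017}, decommissioned=True),
    Host("app01", "app", {8080}),
    Host("app02", "app", {8080}),
]

# Constructed rule set as the firewall platform currently holds it. "dst" is
# either a segment name or a single host name (a bespoke rule).
RULES = [
    {"id": 1, "src": "app", "dst": "db", "port": 3306, "comment": "mysql"},
    {"id": 2, "src": "app", "dst": "db", "port": 5432, "comment": "postgres"},
    {"id": 3, "src": "app", "dst": "db", "port": 27017, "comment": "mongo - temporary"},
    {"id": 4, "src": "app", "dst": "mongo01", "port": 27017, "comment": "bespoke mongo rule"},
    {"id": 5, "src": "app", "dst": "legacy-db", "port": 1521, "comment": "oracle?"},
]


def audit_rules(inventory, rules):
    """Return (rule_id, finding, detail) tuples for rules the inventory does not justify.

    Findings:
      overbroad       segment-wide rule opens a port that only some hosts in the segment serve
      orphan_port     no live host in the destination segment serves the permitted port
      stale_host      bespoke rule targets a decommissioned host
      unknown_target  destination is neither a known segment nor an inventoried host
    """
    live = {h.name: h for h in inventory if not h.decommissioned}
    retired = {h.name for h in inventory if h.decommissioned}
    by_segment = {}
    for host in live.values():
        by_segment.setdefault(host.segment, []).append(host)

    findings = []
    for rule in rules:
        dst, port = rule["dst"], rule["port"]
        if dst in by_segment:
            members = by_segment[dst]
            served = set().union(*(h.ports for h in members))
            if port not in served:
                findings.append((rule["id"], "orphan_port",
                                 f"no live host in segment {dst!r} serves {port}"))
            else:
                exposed = [h.name for h in members if port not in h.ports]
                if exposed:
                    findings.append((rule["id"], "overbroad",
                                     f"port {port} is opened to {exposed}, which do not serve it"))
        elif dst in retired:
            findings.append((rule["id"], "stale_host", f"{dst} is decommissioned"))
        elif dst not in live:
            findings.append((rule["id"], "unknown_target",
                             f"{dst!r} is neither a segment nor an inventoried host"))
    return findings


if __name__ == "__main__":
    for rule_id, kind, detail in audit_rules(INVENTORY, RULES):
        print(f"rule {rule_id}: {kind}: {detail}")
```

Run against the constructed data, every one of the five rules gets a finding: both *SQL rules are overbroad (each port is open to a host that doesn't serve it), the segment-wide mongo rule is orphaned, the bespoke rule targets a retired host, and the Oracle rule points at something nobody inventoried. The check is only as good as the inventory it reads, which is exactly the categorisation problem the post leads with.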
|
# ? Mar 24, 2019 09:12 |
|
tiny netblocks in general are great after a few years when you have unexpected growth and run out of usable ips because as everyone knows network rearch is the easiest thing in the world
|
# ? Mar 24, 2019 13:22 |
|
jammyozzy posted:Mercifully it wasn't my job to know or care, but I understood from smarter/more important people at a previous gig that ITAR means it sometimes matters very much where your data is stored. *pant pant* gently caress did someone say itar you woke me up for a forums post ugh
|
# ? Mar 24, 2019 13:23 |
|
abigserve posted:however, someone wants to install a mongodb server. Now, do you update the policy to also permit the mongo ports, potentially creating attack vectors to all of the other servers in the segment? Do you make a bespoke rule just for the mongo server? Do you put it on its own "web-scale" segment?
scream at them
|
# ? Mar 24, 2019 13:36 |
|
our IS implemented some kind of internal firewall that kills any extant connection after an hour, no matter what boy it was fun implementing auto-reconnect in our DB layer
|
# ? Mar 24, 2019 14:17 |
|
abigserve posted:
turn the server off op
|
# ? Mar 24, 2019 14:24 |
|
~Coxy posted:our IS implemented some kind of internal firewall that kills any extant connection after an hour, no matter what i'm sorry what the gently caress?
|
# ? Mar 24, 2019 15:29 |
|
~Coxy posted:our IS implemented some kind of internal firewall that kills any extant connection after an hour, no matter what lol what
|
# ? Mar 24, 2019 17:38 |
|
Shinku ABOOKEN posted:i'm sorry what the gently caress? some executive watches NCIS and knows you just gotta stop the hacker before the progress bar gets to 100%
|
# ? Mar 24, 2019 17:41 |
|
~Coxy posted:our IS implemented some kind of internal firewall that kills any extant connection after an hour, no matter what ahahah
|
# ? Mar 24, 2019 17:53 |
|
abigserve posted:If you read that and thought "well sure, only if you're some sort of stupid dumb dumb idiot who doesn't know how to automate stuff" not so fast hot stuff - all those changes I mentioned previously are extremely hard to automate because it involves loving with network gear which sits on the scale of terrible -> literally impossible even in this day and age. Generally it's fairly easy to use automation to stand up new stuff but ongoing cleanups and sanity-checking requires a lot of complicated logic that is hard to implement - ask anyone who is using Ansible (for example) for network automation how do they detect and then cleanup stuff when it's decommissioned and you'll get some interesting responses. Can you guess what happens when new changes are easy to automate but old policy is very hard to get rid of?
I'm about to accept (I think) a new job where my task might be to fix this mess for the whole industry. I'd say more, but I don't really know yet and/or am under NDA. Any general thoughts you're willing to share on the "automate all the networking configuration bullshit, and make it Actually Good" front? This isn't my background (my background is that "sanity-checking requires a lot of complicated logic" part), so I have a lot to learn on the state of the industry and what the pain-points are.
|
# ? Mar 24, 2019 18:20 |
|
crazypenguin posted:I'm about to accept (I think) a new job where my task might be to fix this mess for the whole industry. I'd say more, but I don't really know yet and/or am under NDA.
|
# ? Mar 24, 2019 18:35 |
|
~Coxy posted:our IS implemented some kind of internal firewall that kills any extant connection after an hour, no matter what
|
# ? Mar 24, 2019 19:13 |
|
cell connections kick you off every couple hours depending on carrier so really you should always be ready for reconnects
|
# ? Mar 24, 2019 19:42 |
|
evil_bunnY posted:man what the gently caress they probably call it chaos monkey or something.
|
# ? Mar 24, 2019 19:54 |
|
hobbesmaster posted:cell connections kick you off every couple hours depending on carrier so really you should always be ready for reconnects
|
# ? Mar 24, 2019 19:58 |
|
crazypenguin posted:I'm about to accept (I think) a new job where my task might be to fix this mess for the whole industry. I'd say more, but I don't really know yet and/or am under NDA.
The issue is vendors can't get their poo poo together when it comes to interfacing with their operating systems. I don't expect everyone to agree on a single API spec but at least some standard methodology for device configuration beyond "use the CLI" needs to happen. The leading vendors like Juniper/Palo support a HTTP API and because of that, they are relatively easy to program around - the configuration schema is real gross though because it's written with a lot of technical debt saddling it, so you get calls like this: code:
If you're writing middleware loving r.i.p seriously welcome to a literal nightmare

If you're writing a NOS or NOS software then you have a chance. The ideal solution would be a NOS that provides:
- stateless configuration files (think Apache or Nginx style)
- A REST api (JSON or XML)
|
# ? Mar 24, 2019 20:44 |
|
make and support a terraform module
|
# ? Mar 24, 2019 21:06 |
|
abigserve posted:For instance, you might start by making a segment for all your database servers. You allow all the *SQL ports through to it from your app servers. however, someone wants to install a mongodb server. Now, do you update the policy to also permit the mongo ports, potentially creating attack vectors to all of the other servers in the segment? sudo iptables -A PREROUTING -t nat -p tcp --dport 3306 -j REDIRECT --to-ports 27017
|
# ? Mar 24, 2019 23:52 |
|
Methanar posted:sudo iptables -A PREROUTING -t nat -p tcp --dport 3306 -j REDIRECT --to-ports 27017 This illustrates the other issue which I didn't even mention; firewalls are poo poo garbage at actually restricting access and most micro-segmentation implementations don't even go above L4. This is the level of policy you achieve after spending x million of dollars on the solution lmao
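What a layer 4 rule cannot see, and what a defender would have to look at instead: the first bytes the server sends after the connection opens. This is an added example, not code from the thread or from any firewall product; the MySQL handshake bytes, the SSH banner and the probe results are constructed, and the classifier only knows a few protocols where the server speaks first (that limitation is the assumption to keep in mind). A MySQL server greets the client immediately; mongod, like PostgreSQL and Redis, waits for the client, so a 3306 that has been quietly redirected to mongod shows up as a silent port where a MySQL greeting was expected.

```python
"""Verify that what answers on a permitted port speaks the protocol the rule assumed.

Added example with constructed inputs. A layer 4 rule only sees 'TCP/3306';
this check looks at the first bytes the server sends after connect.
"""


def mysql_handshake(version: bytes = b"8.0.36") -> bytes:
    """Constructed minimal MySQL protocol v10 initial handshake packet.

    Wire format: 3-byte little-endian payload length, 1-byte sequence id (0),
    then a payload starting with protocol version 0x0a and a NUL-terminated
    server version string. Remaining fields are filled with placeholders.
    """
    payload = (b"\x0a" + version + b"\x00"      # protocol version, server version
               + (42).to_bytes(4, "little")      # connection id (placeholder)
               + b"A" * 8 + b"\x00")             # auth-plugin-data part 1, filler
    return len(payload).to_bytes(3, "little") + b"\x00" + payload


def classify_greeting(data: bytes) -> str:
    """Label the protocol from a server's unsolicited greeting.

    Only server-first protocols can be recognised this way; a server that waits
    for the client (mongod, PostgreSQL, Redis) yields 'silent'.
    """
    if not data:
        return "silent"
    if data.startswith(b"SSH-"):
        return "ssh"
    if len(data) >= 5:
        length = int.from_bytes(data[:3], "little")
        if data[3] == 0 and data[4] == 0x0a and length == len(data) - 4:
            return "mysql"
    if data[:4] in (b"220 ", b"220-"):
        return "smtp-or-ftp"    # both greet with a 220 line; not told apart here
    return "unknown"


def check_services(expected, observed):
    """Compare the expected protocol per (host, port) with what the greeting shows.

    expected: {(host, port): protocol}; observed: {(host, port): greeting bytes}.
    Returns (host, port, expected, seen) for every mismatch; a port with no
    captured greeting is treated as silent.
    """
    mismatches = []
    for key, want in expected.items():
        seen = classify_greeting(observed.get(key, b""))
        if seen != want:
            mismatches.append((key[0], key[1], want, seen))
    return mismatches


# Constructed probe results: db02's 3306 is being redirected to mongod, which
# says nothing until the client speaks, so the MySQL greeting never arrives.
EXPECTED = {("db01", 3306): "mysql", ("db02", 3306): "mysql", ("jump01", 22): "ssh"}
OBSERVED = {
    ("db01", 3306): mysql_handshake(),
    ("db02", 3306): b"",
    ("jump01", 22): b"SSH-2.0-OpenSSH_9.6\r\n",
}

if __name__ == "__main__":
    for host, port, want, seen in check_services(EXPECTED, OBSERVED):
        print(f"{host}:{port} expected {want}, got {seen}")
```

The point is not the classifier itself but where the evidence lives: the policy engine that opened TCP/3306 has nothing to compare against, so the comparison has to come from a probe or a sensor that reads application bytes. Against the constructed data only db02 is flagged.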
|
# ? Mar 25, 2019 00:32 |
|
lmao you can beat packet inspection with like netcat and sed. or I guess stunnel Methanar fucked around with this message at 00:54 on Mar 25, 2019 |
# ? Mar 25, 2019 00:49 |
|
Methanar posted:lmao you can beat packet inspection with like netcat and sed my point was regardless of what layer you are doing "firewalling" it's always terrible but the microseg solutions don't even try going above layer 4 so it's even worse than usual
|
# ? Mar 25, 2019 00:52 |
|
abigserve posted:micro segmentation in the network is an incredibly dumb idea at best and actively detrimental to security at worst. I can make an effort post if required on this.
it's pretty trivial if you have things documented (you should) and you're using a process-aware firewall (you should). don't make excuses for creating vulnerable zones with a bunch of unchecked layer 2 traffic
|
# ? Mar 25, 2019 02:17 |
|
BangersInMyKnickers posted:it's pretty trivial if you have things documented (you should) and you're using a process-aware firewall (you should). don't make excuses for creating vulnerable zones with a bunch of unchecked layer 2 traffic
Show me a "process aware" firewall that works accurately and I might agree with you. You should not use micro-segmentation as a way to avoid good security practices on your endpoints. If you do that already, microsegmentation will gain you little if any practical benefit for a massive increase in complexity and a decrease in the performance of your network. Essentially, if you consider traffic between two endpoints on the same vlan "unchecked" you've already hosed up
|
# ? Mar 25, 2019 03:15 |
|
~Coxy posted:our IS implemented some kind of internal firewall that kills any extant connection after an hour, no matter what RMF by the book. https://nvd.nist.gov/800-53/Rev4/control/SC-10 maybe ask them to waiver that poo poo.
|
# ? Mar 25, 2019 04:31 |
|
We don't get enough exposure to the people who matter to be able to request stuff like that. Easier to catch the OracleException when it happens to dispose everything and recreate it.
|
# ? Mar 25, 2019 05:01 |
|
abigserve posted:Essentially, if you consider traffic between two endpoints on the same vlan "unchecked" you've already hosed up you don’t have to attack me personally you know i pushed against this poo poo but no one wants to create new firewall rules for same network traffic
|
# ? Mar 25, 2019 07:07 |
|
at least we managed to get software firewalls enabled on devices. yay?
|
# ? Mar 25, 2019 07:08 |
|
I don't get the hate for microsegmentation, I mean it's already baked-in to AWS and Azure, NSX is expensive but it's not insanely complex to implement once you get past the vSwitches that you should be using anyway. Of course you should be concentrating on OS's and endpoints, but most have terrible built-in firewalls and many more apps don't even have the ability to limit their own listeners by IP. So sure, I'm segmenting my OS's but I also want to segment my network without making everyone re-IP, what's wrong with that? At least with central firewalling I can log east-west traffic to one place and (at least with hypervisor-based firewalls) it's not impacting performance.
|
# ? Mar 25, 2019 13:28 |
|
abigserve posted:Show me a "process aware" firewall that works accurately and I might agree with you. You should not use micro-segmentation as a way to avoid good security practices on your endpoints. If you do that already, microsegmentation will gain you little if any practical benefit for a massive increase in complexity and a decrease in the performance of your network. Essentially, if you consider traffic between two endpoints on the same vlan "unchecked" you've already hosed up lol get gud skrub
|
# ? Mar 25, 2019 14:22 |
|
this is fun https://twitter.com/KimZetter/status/1110167942749052928
|
# ? Mar 25, 2019 14:29 |
|
if someone signs their software with asus certificate, doesn't that make it asus software? i mean, in a ship of theseus kind of way
|
# ? Mar 25, 2019 14:49 |
|
ASUS Signs Ur Stuff
|
# ? Mar 25, 2019 17:10 |
|
so they've released a tool and iocs that are only effective if you were a specific target but don't want to cleanup the rest of the mess?
|
# ? Mar 25, 2019 17:33 |
|
pegged by asus
|
# ? Mar 25, 2019 19:25 |
|
rock solid poop touching
|
# ? Mar 25, 2019 19:57 |
|
Military grade infection
|
# ? Mar 25, 2019 21:06 |
|
abigserve posted:Security Fuckup Megathread: not so fast hot stuff
|
# ? Mar 25, 2019 21:16 |
|
abigserve posted:Show me a "process aware" firewall that works accurately. Little Snitch my man! Or alternately windows firewall. Whatever works for you.
|
# ? Mar 26, 2019 08:54 |
|
yoloer420 posted:windows firewall mods
|
# ? Mar 26, 2019 08:57 |