On Tue, Feb 4, 2020 at 11:15 AM Mike Meredith <mike.meredith@port.ac.uk> wrote:
On Mon, 3 Feb 2020 16:13:34 -0500, Christopher Morrow <morrowc.lists@gmail.com> may have written:
My experience, and granted it's fairly scoped, is that this sort of thing works fine for a relatively small set of 'persons' and 'resources'.
Seeing as managing this sort of thing is my primary job these days ...
<beer, you probably deserve one> :)
it ends up being about the cross-product of #users * #resources.
That's the interesting part of the job - coalescing rules in a way that minimises the security impact but maximises the decrease of complexity. If you don't, you get an explosion of complexity that results in a set of rules (I know of an equivalent organisation that has over 1,000 firewall rules) that becomes insanely complex to manage.
I think the fact that it's hard to keep all of this going and to contain the natural spread of destruction (that it takes someone with a pretty singular foc us) makes my point.
certainly a more holistic version of the story is correct. the relatively flippant answer way-back-up-list of: "vpn"
I think that "vpn" is the right answer - it's preferrable to publishing services to the entire world that only need to be used by empoyees. But it's not cheap or easy.
Weighing the cost/benefit is certainly each org's decision. having lived without vpn for a long while and under the regime of authen/author for users with proper token/etc access... I'd not want my internal network opened to the wilds of vpn users :( (I actively discourage this at work because there are vanishingly small reasons why a full network connection is really required by a user at this point). anyway, good luck!