Secure Tunneling. Only with more Control!!!
Not having to hijack http://seclists.org/nanog/2013/Jul/251, and without further ado, On 7/12/13, ryangard@gmail.com <ryangard@gmail.com> wrote:
> It wouldn't be. When the endpoint in question is compromised, there isn't any amount of tunneling or obscurity between point A and point B that will resolve it. Only thing you can do is change to a solution that you have more control over. Sent on the TELUS Mobility network with BlackBerry
This just got very interesting. Given that we do not own any Microsoft products here, and are still able to function like any other corporation, I am more interested in a "solution that you have more control over" for secured connections. We are currently using OpenVPN and PKI, coupled with a company policy of key updates every 3 months; this will only get incrementally more complex as the number of clients increases. Not to mention one only needs 3 minutes.... Question: What other options do we have to maintain a secure connection between client and server that give us more control over traditional OpenVPN+PKI? It would be nice to be able to deploy private keys automatically to the different clients; however, it seems like a disaster waiting to happen. I would really appreciate some of your takes on this matter: what types of technology and policies are being employed out there for secure connections. Kind Regards, Nick.
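One way to keep the 3-month client key rotation described above auditable as the client count grows, as an added example that is not code from the thread: it assumes the PKI's client certificates sit as PEM *.crt files in one directory and that the openssl CLI is on PATH; the WARN_DAYS threshold and the sample openssl output are constructed for illustration.

```python
"""Audit OpenVPN client certs against a 90-day key-rotation policy (added example,
not the thread's own code). Assumes PEM *.crt files in one directory and `openssl`
on PATH; the policy logic only needs the text printed by
`openssl x509 -noout -subject -startdate -enddate`, so it also runs on constructed output."""

import subprocess
from datetime import datetime, timedelta, timezone
from pathlib import Path

ROTATION_DAYS = 90   # policy from the thread: new client keys every 3 months
WARN_DAYS = 14       # assumed threshold: flag keys due for rotation within two weeks
OPENSSL_FMT = "%b %d %H:%M:%S %Y %Z"   # openssl prints e.g. "Jul 13 08:36:00 2013 GMT"

def parse_openssl_dates(text):
    """Extract (subject, notBefore, notAfter) from `openssl x509 -noout ...` output."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")   # works for "subject=CN = x" and "subject= /CN=x"
        fields[key.strip()] = value.strip()
    # openssl reports GMT; attach UTC so comparisons with an aware 'now' are valid
    not_before = datetime.strptime(fields["notBefore"], OPENSSL_FMT).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(fields["notAfter"], OPENSSL_FMT).replace(tzinfo=timezone.utc)
    return fields.get("subject", "?"), not_before, not_after

def classify(not_before, not_after, now):
    """Map one client cert's validity window to a rotation-policy status."""
    if not_after <= now:
        return "EXPIRED"
    if not_after - not_before > timedelta(days=ROTATION_DAYS):
        return "LIFETIME_EXCEEDS_POLICY"   # the CA issued it for longer than 3 months
    if not_after - now <= timedelta(days=WARN_DAYS):
        return "ROTATE_SOON"
    return "OK"

def audit_directory(cert_dir, now=None):
    """Run openssl over every *.crt in cert_dir; return {filename: (subject, status)}."""
    now = now or datetime.now(timezone.utc)
    results = {}
    for path in sorted(Path(cert_dir).glob("*.crt")):
        proc = subprocess.run(["openssl", "x509", "-in", str(path), "-noout",
                               "-subject", "-startdate", "-enddate"],
                              capture_output=True, text=True, check=True)
        subject, not_before, not_after = parse_openssl_dates(proc.stdout)
        results[path.name] = (subject, classify(not_before, not_after, now))
    return results

# Constructed sample openssl output (no real CA involved): one 90-day cert, one 1-year cert.
SAMPLE_90_DAY = "subject=CN = client01\nnotBefore=Jul  1 00:00:00 2013 GMT\nnotAfter=Sep 29 00:00:00 2013 GMT\n"
SAMPLE_1_YEAR = "subject=CN = client02\nnotBefore=Jul  1 00:00:00 2013 GMT\nnotAfter=Jul  1 00:00:00 2014 GMT\n"
```

A cert classified LIFETIME_EXCEEDS_POLICY means the CA is not enforcing the 90-day rule at issuance, which is the kind of drift that gets harder to notice as the client count grows.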
On Sat, Jul 13, 2013 at 8:36 AM, Nick Khamis <symack@gmail.com> wrote:
> This just got very interesting. Given that we do not own any Microsoft products here, and are still able to function like any other corporation, I am more interested in a "solution that you have more control over" for secured connections. We are currently using OpenVPN and PKI, coupled with a company policy of key updates every 3 months; this will only get incrementally more complex as the number of clients increases. Not to mention one only needs 3 minutes....
> Question: What other options do we have to maintain a secure connection between client and server that give us more control over traditional OpenVPN+PKI? It would be nice to be able to deploy private keys automatically to the different clients; however, it seems like a disaster waiting to happen.
> I would really appreciate some of your takes on this matter: what types of technology and policies are being employed out there for secure connections.
Your current solution sounds entirely reasonable... except your clients still surf the web, don't they? That is the biggest attack vector: browser and other client program exploits are rampant on *all platforms*. Witness the multitudes of image library bugs on Linux, which basically have allowed remote execution via a webpage with a crafted image since the early 1990s. Every browser and OS combo, yes even Firefox on Linux, gets popped in each year's Pwn2Own contest. If you can execute code on the client, you can usually find one of the hundreds of local privilege escalation bugs still there. Then you can compromise any private keys and certs on it, as well as any user credentials stored or entered on the machine. This makes it easy to pivot into the core of the target's network without being noticed, and is in fact how many penetration tests and "APT" or "watering hole" hacks succeed. They attack clients and pivot into the target network. So the solution would be: don't let your clients ever touch anything outside your private walled garden. Which is exactly what high-security installations in the defense and government sectors do: they are air-gapped from the Internet. Tough to get a lot of work done that way, and function as a business. -- RPM