FYI https://nvd.nist.gov/vuln/detail/CVE-2020-2100 A nice description: https://mobile.twitter.com/Foone/status/1223063275996213248 May you live in interesting times. Do not postpone a software update if Jenkins is deployed somewhere in your network. -- Töma
Jenkins, like a zillion other developer-oriented tools, should never be deployed Internet-facing. Reflection attacks inside an enterprise are handled by HR. :) -- Harald Koch chk@pobox.com
On Mon, Feb 3, 2020 at 11:45 AM Harald Koch <chk@pobox.com> wrote:
Jenkins, like a zillion other developer-oriented tools, should never be deployed Internet-facing.
Reflection attacks inside an enterprise are handled by HR. :)
good golly, so glad everyone's enterprise is a hard candy version of same. no need for these remote workers, or discontiguous offices, or 'internet centric workforces'. <slaps hands> all fixed! </slaps hands>
On Mon, Feb 3, 2020 at 10:24 AM Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Mon, Feb 3, 2020 at 11:45 AM Harald Koch <chk@pobox.com> wrote:
Jenkins, like a zillion other developer-oriented tools, should never be deployed Internet-facing. Reflection attacks inside an enterprise are handled by HR. :)
good golly, so glad everyone's enterprise is a hard candy version of same. no need for these remote workers, or discontiguous offices, or 'internet centric workforces'.
VPN. -- William Herrin bill@herrin.us https://bill.herrin.us/
On Mon, Feb 3, 2020 at 1:26 PM William Herrin <bill@herrin.us> wrote:
On Mon, Feb 3, 2020 at 10:24 AM Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Mon, Feb 3, 2020 at 11:45 AM Harald Koch <chk@pobox.com> wrote:
Jenkins, like a zillion other developer-oriented tools, should never be deployed Internet-facing. Reflection attacks inside an enterprise are handled by HR. :)
good golly, so glad everyone's enterprise is a hard candy version of same. no need for these remote workers, or discontiguous offices, or 'internet centric workforces'.
VPN.
I love it when my home network gets full access to the corporate network!
On Mon, Feb 3, 2020 at 1:35 PM Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Mon, Feb 3, 2020 at 1:26 PM William Herrin <bill@herrin.us> wrote:
On Mon, Feb 3, 2020 at 10:24 AM Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Mon, Feb 3, 2020 at 11:45 AM Harald Koch <chk@pobox.com> wrote:
Jenkins, like a zillion other developer-oriented tools, should never be deployed Internet-facing. Reflection attacks inside an enterprise are handled by HR. :)
good golly, so glad everyone's enterprise is a hard candy version of same. no need for these remote workers, or discontiguous offices, or 'internet centric workforces'.
VPN.
I love it when my home network gets full access to the corporate network!
Sorry, to be a little less flippant and a bit more productive: "I don't think every remote endpoint needs full access (or even some compromise based on how well you can/can't scale your VPN box's policies) access to the internal network. I think you don't even want to provide this access based on some loose ideas about 'ip address' and 'vpn identity'." Ideally you'd be able to authenticate and authorize and even account(!) based on a real user-id + passwd + token (2fa thing). Somethign akin to this: https://cloud.google.com/beyondcorp/ maybe using the googz work directly isn't your cup-o-joe(jane?) but... the idea itself is the point I was aiming for.
On Mon, Feb 3, 2020 at 12:50 PM Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Mon, Feb 3, 2020 at 1:35 PM Christopher Morrow Matt Harris|CIO 816-256-5446|Direct Looking for something? Helpdesk Portal|Email Support|Billing Portal We build and deliver innovative IT solutions.
<morrowc.lists@gmail.com> wrote:
On Mon, Feb 3, 2020 at 1:26 PM William Herrin <bill@herrin.us> wrote:
On Mon, Feb 3, 2020 at 10:24 AM Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Mon, Feb 3, 2020 at 11:45 AM Harald Koch <chk@pobox.com> wrote:
Jenkins, like a zillion other developer-oriented tools, should
never be deployed Internet-facing.
Reflection attacks inside an enterprise are handled by HR. :)
good golly, so glad everyone's enterprise is a hard candy version of same. no need for these remote workers, or discontiguous offices, or 'internet centric workforces'.
VPN.
I love it when my home network gets full access to the corporate network!
Sorry, to be a little less flippant and a bit more productive: "I don't think every remote endpoint needs full access (or even some compromise based on how well you can/can't scale your VPN box's policies) access to the internal network. I think you don't even want to provide this access based on some loose ideas about 'ip address' and 'vpn identity'."
Ideally you'd be able to authenticate and authorize and even account(!) based on a real user-id + passwd + token (2fa thing). Somethign akin to this: https://cloud.google.com/beyondcorp/
maybe using the googz work directly isn't your cup-o-joe(jane?) but... the idea itself is the point I was aiming for.
On Mon, Feb 3, 2020 at 12:50 PM Christopher Morrow <morrowc.lists@gmail.com> wrote:
Sorry, to be a little less flippant and a bit more productive: "I don't think every remote endpoint needs full access (or even some compromise based on how well you can/can't scale your VPN box's policies) access to the internal network. I think you don't even want to provide this access based on some loose ideas about 'ip address' and 'vpn identity'."
This isn't particularly difficult or costly to do right, though. pfSense on a VM with relatively minimal resources running your VPNs works very well and can easily be configured to authenticate against, for example, LDAP as well. It also has a convenient firewall configuration user interface that's very straight-forward, so you don't need some highly-paid network engineering guru to manage the thing, either, so you can associate a given identity with a given address and then apply firewall rules right at that VPN border in addition to the other access controls that you should have in place upstream. Certainly giving full access to everyone is overkill, unnecessary, and can be problematic for obvious reasons - but at the same time, we're talking about back doors here when many of the same folks worried about these back doors also have wide open front doors at the same time. Matt Harris|CIO 816-256-5446|Direct Looking for something? Helpdesk Portal|Email Support|Billing Portal We build and deliver innovative IT solutions.
Jean, Do you have facts to support this claim? Signed, A happy pfSense user. On Mon, Feb 3, 2020, 12:42 PM Jean | ddostest.me via NANOG <nanog@nanog.org> wrote:
Netgate bought Pfsense and they already started to destroy it.
You should consider to switch to Opnsense.
On 2020-02-03 14:34, Matt Harris wrote:
fSense on a VM with relatively minimal resources running your VPNs works very well
https://en.wikipedia.org/wiki/PfSense In November 2017, a World Intellectual Property Organization <https://en.wikipedia.org/wiki/World_Intellectual_Property_Organization> panel found that Netgate, the copyright holder of pfSense, had been using the domain opnsense.com in bad faith to discredit OPNsense <https://en.wikipedia.org/wiki/OPNsense>, a competing open source firewall forked from pfSense. It compelled Netgate to transfer the domain to Deciso, the developer of OPNsense. I was happy with pfsense too, until Netgate bought the copyrights. On 2020-02-03 15:57, Ryan Hamel wrote:
Jean,
Do you have facts to support this claim?
Signed,
A happy pfSense user.
On Mon, Feb 3, 2020, 12:42 PM Jean | ddostest.me <http://ddostest.me> via NANOG <nanog@nanog.org <mailto:nanog@nanog.org>> wrote:
Netgate bought Pfsense and they already started to destroy it.
You should consider to switch to Opnsense.
On 2020-02-03 14:34, Matt Harris wrote: > fSense on a VM with relatively minimal resources running your VPNs > works very well
On Mon, Feb 3, 2020 at 2:34 PM Matt Harris <matt@netfire.net> wrote:
On Mon, Feb 3, 2020 at 12:50 PM Christopher Morrow < morrowc.lists@gmail.com> wrote:
Sorry, to be a little less flippant and a bit more productive: "I don't think every remote endpoint needs full access (or even some compromise based on how well you can/can't scale your VPN box's policies) access to the internal network. I think you don't even want to provide this access based on some loose ideas about 'ip address' and 'vpn identity'."
This isn't particularly difficult or costly to do right, though. pfSense on a VM with relatively minimal resources running your VPNs works very well and can easily be configured to authenticate against, for example, LDAP as well. It also has a convenient firewall configuration user interface that's very straight-forward, so you don't need some highly-paid network engineering guru to manage the thing, either, so you can associate a given identity with a
My experience, and granted it's fairly scoped, is that this sort of thing works fine for a relatively small set of 'persons' and 'resources'. Soon it gets very messy to say: "Bob can access A, B, D not C, ....." "Jane can access X, Y, Z, A not B"... adding groups of people is fine, then you will need (eventually) to split those groups, or provide scoped access to part of the group(s). In the end, ick, this is 'hard' and the set of rules can really get large, it ends up being about the cross-product of #users * #resources. now, make the solution redundant and geographically redundant, and keep the config in sync, and open that to your helpdesk folk to manage, and provide compliance reporting/etc. given address and then apply firewall rules right at that VPN border in
addition to the other access controls that you should have in place upstream. Certainly giving full access to everyone is overkill, unnecessary, and can be problematic for obvious reasons - but at the same time, we're talking about back doors here when many of the same folks worried about these back doors also have wide open front doors at the same time.
certainly a more holistic version of the story is correct. the relatively flippant answer way-back-up-list of: "vpn" though is, I think: 1) naive 2) destructive to the cause 3) not a simple as the 3 letters implies 4) wrong, very, very wrong. but of course: "your network, your choices" just make sure you walk in with both eyes open and the appropriate riot gear installed.
On Mon, 3 Feb 2020 16:13:34 -0500, Christopher Morrow <morrowc.lists@gmail.com> may have written:
My experience, and granted it's fairly scoped, is that this sort of thing works fine for a relatively small set of 'persons' and 'resources'.
Seeing as managing this sort of thing is my primary job these days ...
it ends up being about the cross-product of #users * #resources.
That's the interesting part of the job - coalescing rules in a way that minimises the security impact but maximises the decrease of complexity. If you don't, you get an explosion of complexity that results in a set of rules (I know of an equivalent organisation that has over 1,000 firewall rules) that becomes insanely complex to manage.
certainly a more holistic version of the story is correct. the relatively flippant answer way-back-up-list of: "vpn"
I think that "vpn" is the right answer - it's preferrable to publishing services to the entire world that only need to be used by empoyees. But it's not cheap or easy. -- Mike Meredith, University of Portsmouth Hostmaster, Security, and Chief Systems Engineer
On Tue, Feb 4, 2020 at 11:15 AM Mike Meredith <mike.meredith@port.ac.uk> wrote:
On Mon, 3 Feb 2020 16:13:34 -0500, Christopher Morrow <morrowc.lists@gmail.com> may have written:
My experience, and granted it's fairly scoped, is that this sort of thing works fine for a relatively small set of 'persons' and 'resources'.
Seeing as managing this sort of thing is my primary job these days ...
<beer, you probably deserve one> :)
it ends up being about the cross-product of #users * #resources.
That's the interesting part of the job - coalescing rules in a way that minimises the security impact but maximises the decrease of complexity. If you don't, you get an explosion of complexity that results in a set of rules (I know of an equivalent organisation that has over 1,000 firewall rules) that becomes insanely complex to manage.
I think the fact that it's hard to keep all of this going and to contain the natural spread of destruction (that it takes someone with a pretty singular foc us) makes my point.
certainly a more holistic version of the story is correct. the relatively flippant answer way-back-up-list of: "vpn"
I think that "vpn" is the right answer - it's preferrable to publishing services to the entire world that only need to be used by empoyees. But it's not cheap or easy.
Weighing the cost/benefit is certainly each org's decision. having lived without vpn for a long while and under the regime of authen/author for users with proper token/etc access... I'd not want my internal network opened to the wilds of vpn users :( (I actively discourage this at work because there are vanishingly small reasons why a full network connection is really required by a user at this point). anyway, good luck!
On 2/3/20 10:48 AM, Christopher Morrow wrote:
Sorry, to be a little less flippant and a bit more productive: "I don't think every remote endpoint needs full access (or even some compromise based on how well you can/can't scale your VPN box's policies) access to the internal network. I think you don't even want to provide this access based on some loose ideas about 'ip address' and 'vpn identity'."
Ideally you'd be able to authenticate and authorize and even account(!) based on a real user-id + passwd + token (2fa thing). Somethign akin to this: https://cloud.google.com/beyondcorp/
maybe using the googz work directly isn't your cup-o-joe(jane?) but... the idea itself is the point I was aiming for.
So somebody is using the internet as it was originally designed. Will miracles never cease. Mike
----- On Feb 3, 2020, at 10:35 AM, Christopher Morrow morrowc.lists@gmail.com wrote:
On Mon, Feb 3, 2020 at 1:26 PM William Herrin <bill@herrin.us> wrote:
VPN.
I love it when my home network gets full access to the corporate network!
Most places I've worked at issue company controlled laptops with company controlled VPN software which will disable all local access and even disconnect if you dare to manually change the routing table to access the printer in your home office. In fact, a too tightly controlled VPN contributed to a 7 figure loss during an outage at a company which name shall not be mentioned. Your home network should have no access to the corp network. Your company issued laptop should. Thanks, Sabri
On Mon, Feb 3, 2020 at 1:55 PM Sabri Berisha <sabri@cluecentral.net> wrote:
----- On Feb 3, 2020, at 10:35 AM, Christopher Morrow morrowc.lists@gmail.com wrote:
On Mon, Feb 3, 2020 at 1:26 PM William Herrin <bill@herrin.us> wrote:
VPN.
I love it when my home network gets full access to the corporate network!
Most places I've worked at issue company controlled laptops with company controlled VPN software which will disable all local access and even disconnect if you dare to manually change the routing table to access the printer in your home office.
In fact, a too tightly controlled VPN contributed to a 7 figure loss during an outage at a company which name shall not be mentioned.
Your home network should have no access to the corp network. Your company issued laptop should.
you have used a bunch of 'should' and 'most' in your explanation. I do not believe you.
On Mon, 3 Feb 2020 10:55:35 -0800 (PST) Sabri Berisha <sabri@cluecentral.net> wrote:
----- On Feb 3, 2020, at 10:35 AM, Christopher Morrow morrowc.lists@gmail.com wrote:
On Mon, Feb 3, 2020 at 1:26 PM William Herrin <bill@herrin.us> wrote:
VPN.
I love it when my home network gets full access to the corporate network!
Most places I've worked at issue company controlled laptops with company controlled VPN software which will disable all local access and even disconnect if you dare to manually change the routing table to access the printer in your home office.
In fact, a too tightly controlled VPN contributed to a 7 figure loss during an outage at a company which name shall not be mentioned.
Your home network should have no access to the corp network. Your company issued laptop should.
Thanks,
Sabri
That's how our company operates. I went a step further and put all company issued equipment on it's own vlan at home.
It really depends on how much control the employer really needs. In a tightly-knit two-site company where the tech guy probably is the reason the boss hired the grunt half way across the province, friends don't generally let friends down like that, and you really don't have to have that sort of vise-tight control. On Mon, 3 Feb 2020 10:55:35 -0800 (PST) Sabri Berisha <sabri@cluecentral.net> wrote:
----- On Feb 3, 2020, at 10:35 AM, Christopher Morrow morrowc.lists@gmail.com wrote:
On Mon, Feb 3, 2020 at 1:26 PM William Herrin <bill@herrin.us> wrote:
VPN.
I love it when my home network gets full access to the corporate network!
Most places I've worked at issue company controlled laptops with company controlled VPN software which will disable all local access and even disconnect if you dare to manually change the routing table to access the printer in your home office.
In fact, a too tightly controlled VPN contributed to a 7 figure loss during an outage at a company which name shall not be mentioned.
Your home network should have no access to the corp network. Your company issued laptop should.
Thanks,
Sabri
-- Large Hadron Collider <large.hadron.collider@gmx.com>
good golly, so glad everyone's enterprise is a hard candy version of same. no need for these remote workers, or discontiguous offices, or 'internet centric workforces'.
VPN.
I love it when my home network gets full access to the corporate network!
make things simpler and L2 tunnel so it's the same LAN.
participants (13)
-
Christopher Morrow
-
Daryl
-
Harald Koch
-
Jean | ddostest.me
-
Large Hadron Collider
-
Matt Harris
-
Michael Thomas
-
Mike Meredith
-
Randy Bush
-
Ryan Hamel
-
Sabri Berisha
-
Töma Gavrichenkov
-
William Herrin