If LAN is legacy, what is the UN-legacy...?
-
@Dashrender said:
@adam.ierymenko said:
Firewalls are dead. Thank the cloud.
huh - you're the first that I can recall ever saying that firewalls are dead. from your above post about IPV6 and killing local firewalls, I can see I think you really mean that.
https://community.spiceworks.com/topic/1409230-need-for-firewalls-on-home-networks
http://www.infoworld.com/article/2616931/firewall-software/why-you-don-t-need-a-firewall.html -
@adam.ierymenko said:
No joke though. I really honestly think we could have just taken our firewall down and given every machine a public IP and there would have been little or no change to security posture. If anything, firewalls encourage the "soft underbelly" problem by giving people the illusion that the local network is secure. Take that old obsolete crutch away and people who do things like bind unpassworded databases to ::0 will look like dummies real fast and the problem will take care of itself over time.
I don't agree with the concept that hardware network edge firewalls are dead, mostly because of the layered vulnerability problem (any bug in your OS is exposed for exploit instead of only bugs in your firewall first then bugs in your OS.) But I totally agree with the problems around the illusion of security. This is why things like port changing are actually security negatives - they both give a totally false sense of security and do nothing to actually slow an attacker in the least while flagging you as having something to hide and being clueless about security all at once.
-
@adam.ierymenko said:
My approach to security is: secure everything as if it will be totally exposed on the public Internet, then add firewalls and such as an afterthought if appropriate. If something is not secure enough to be exposed to the public Internet without a firewall, it's not secure enough to be connected to any network ever.
Totally agree, and this is my "LANless" philosophy. The LAN is public, it is the the enemy.
You should only be "LAN-aware" insofar as knowing where the bandwidth is high versus where it is slow and/or metered.
-
@adam.ierymenko said:
Most people don't run php web apps on desktops and mobile devices.
Apple did for a while
-
@Dashrender said:
That is no lie - So I can't get what I want, you'll give me this little thing over here, OK I'll just create a way to get what I want through that little thing.. done.. yeah - huge problem!
Which is a key reason why I don't promote "over blocking" end users. Blocking things they would never want but might stumble on (malware, for example) at work is fine, if they were trying to download malware you've got other issues. But if they are trying to read their email, check on the time to pick up their kids from school or see how their buddy in the hospital is doing and we block them we become a barrier to overcome, IT becomes the silent enemy and they will find ways around that security.
It is more secure to work with end users as security partners. In it together. Once we work against the end users, they are working against us.
-
@adam.ierymenko said:
Fundamentally the endpoint is either secure or it is not. If it's not, all someone has to do is get into something behind your firewall and they own you. Increasingly that something could be a printer, a light bulb, or a microwave oven. How often do you patch your light bulbs? If the cloud killed the firewall, then IoT will dig it up and cremate it and encase it in concrete and re-bury it.
DMZ should address that, of course. If you have random consumer IoT on your corporate LAN, you have design issues.
-
@adam.ierymenko said:
@wirestyle22 I was describing a guiding principle. Obviously not everything measures up to that and firewalls are still needed for a lot of situations. I just consider them "legacy" and think that if you're designing or building something new it's best to design it to be secure in itself rather than assuming your private network is always going to stay private. Never trust the network, especially if it might have light bulbs and cloud connected printers on it.
If you think of most cloud services, except for Azure, by default there is no firewall. Azure does this, somewhat obviously, to slow the attacks against Windows since Azure is the only cloud with a focus on Windows and that brings a lot of vulnerabilities compared to what everyone else focuses on.
By default, if you start using Amazon, Rackspace, Digital Ocean, Vultr or most others, your machines get no firewall. They get full exposure via a public IP. This is now standard. And hacking rates are low. You don't hear about those machines getting hacked left and right. Of course, most are patched via the template prior to install, that's huge. And the DevOps model encourages rapid destruction and constant updating.
But even at @NTG, the vast majority of our servers are not firewalled externally and there are no issues. But back in 2001, doing the same thing, meant our systems were pwned before you could put them into production! Now we get decades without a successful attack.
-
@wirestyle22 said:
This appsec keynote is terrifying. I mean, you kind of expect your security to be somewhat low at the 25 million dollar level but these fortune 500 companies too? Man. The stuff of nightmares
Actually the opposite. The F500 are so large they have essentially no means of being heavily secure. Only medium sized companies can hire "the best". Everyone else has to hire the leftovers.
SMBs are too small and poor to attract "the best" except for special cases, it's rare. SMBs like high end MSPs or open source shops are different because they don't use money to attract the top talent, people do it for the good of mankind or because of flexibility or whatever - they do things that are not monetary compensation (I make only 12% what I could in the F500 sector, for example, but my lifestyle is so much better.)
F500 hire more people (even smaller F500 hire towards 100K bodies) than exist in the top ranks of any field. If you want to hire "the best", you can't also hire "100K of them." There aren't 100K best people out there. And there are 500 companies of that size. So that's not 100K, it's 100K each. There are like 50 million people working in those 500 companies. That's like 1/3rd of the entire workforce or more in the US. (Remember kids, retirees, stay at home parents and others don't work.) So the F500 works by trying to "not hire the worst", rather than "hiring the best." They use procedure and process to make middling workers do moderately well.
This leaves the medium space, where the pockets are deep, the company is small enough to focus and care and be guided by someone with passion and know how, to make an attempt at hiring the best and the brightest. They can pay the salaries like the F500, but they can also be selective. It's a unique space for general hiring of the absolute best outside of small, niche players in the SMB.
-
@scottalanmiller said:
@Dashrender said:
@adam.ierymenko said:
Firewalls are dead. Thank the cloud.
huh - you're the first that I can recall ever saying that firewalls are dead. from your above post about IPV6 and killing local firewalls, I can see I think you really mean that.
https://community.spiceworks.com/topic/1409230-need-for-firewalls-on-home-networks
http://www.infoworld.com/article/2616931/firewall-software/why-you-don-t-need-a-firewall.htmlLOL - did you just want to see that others have said the firewall was dead for years?
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
@adam.ierymenko said:
Firewalls are dead. Thank the cloud.
huh - you're the first that I can recall ever saying that firewalls are dead. from your above post about IPV6 and killing local firewalls, I can see I think you really mean that.
https://community.spiceworks.com/topic/1409230-need-for-firewalls-on-home-networks
http://www.infoworld.com/article/2616931/firewall-software/why-you-don-t-need-a-firewall.htmlLOL - did you just want to see that others have said the firewall was dead for years?
I was just showing that it's a theory that has been going around.
-
@scottalanmiller said:
@Dashrender said:
That is no lie - So I can't get what I want, you'll give me this little thing over here, OK I'll just create a way to get what I want through that little thing.. done.. yeah - huge problem!
Which is a key reason why I don't promote "over blocking" end users. Blocking things they would never want but might stumble on (malware, for example) at work is fine, if they were trying to download malware you've got other issues. But if they are trying to read their email, check on the time to pick up their kids from school or see how their buddy in the hospital is doing and we block them we become a barrier to overcome, IT becomes the silent enemy and they will find ways around that security.
It is more secure to work with end users as security partners. In it together. Once we work against the end users, they are working against us.
While I do understand what you are getting at on the last point there - I just haven't brought myself to fully agree with the entirety of the message. The reason being is that I personally don't care if users are using their personal email, Facebook, random web surfing at work, that's an HR problem, not an IT problem. But I do care about keeping their often wrought with garbage traffic off my current LAN setup. My personal goals are different than my stated goals from my thread the other day.
In the hopefully not to distant future when the LAN is just another untrusted network it would be less of an issue.
-
What I don't understand is why anyone with any IT knowledge in a business setting would treat their network as trusted? I don't even do this with my ZT netowork, and I manually authorized every device on there (granted it's only 10 so far, lol).
It is far too easy to bring in a personal device that may or may not be infected with a polymorphic bug / worm / trojan / crypto / other bad things and plug it in or connect it to the network at your business -- even if you are doing 802.11x or some other type of LAN security.
I generally keep things like the Windows Firewall and FirewallD enabled on my devices, and only punch holes in them for services that I want available on my lan or public network. This is also true of my ZT subnet as well. Why take the risk that one device could get a bug and easily share it with the rest of the systems on my ZT Subnet or LAN?
-
@dafyre said:
What I don't understand is why anyone with any IT knowledge in a business setting would treat their network as trusted? I don't even do this with my ZT netowork, and I manually authorized every device on there (granted it's only 10 so far, lol).
It is far too easy to bring in a personal device that may or may not be infected with a polymorphic bug / worm / trojan / crypto / other bad things and plug it in or connect it to the network at your business -- even if you are doing 802.11x or some other type of LAN security.
I generally keep things like the Windows Firewall and FirewallD enabled on my devices, and only punch holes in them for services that I want available on my lan or public network. This is also true of my ZT subnet as well. Why take the risk that one device could get a bug and easily share it with the rest of the systems on my ZT Subnet or LAN?
Yeah this is one of the worst parts of my network. I do monitor the LAN and run Wireshark every day but it's not great. My company will not purchase anything. I got them to buy ten raspberry pi's simply because they are cheap. I use them for all sorts of things. That's all I can really hope for (which isn't much)
-
@dafyre said:
I generally keep things like the Windows Firewall and FirewallD enabled on my devices...
Curious, what is FirewallD?
-
@FATeknollogee said:
@dafyre said:
I generally keep things like the Windows Firewall and FirewallD enabled on my devices...
Curious, what is FirewallD?
It's a Firewall front end for a few Linux distros. (It just does iptables commands for you).
-
Any recommendations for best books for network security in a windows network? I am creating a home library to educate myself.
-
@Dashrender Decentralization is not all or nothing. You can have a p2p network with a central database that it uses for persistence and missed connections.
If you want to go all-in on decentralization you can do that with a DHT and crypto, but it's more work and possibly less reliable or slower.
As far as the feds telling Skype to centralize: I personally doubt this and have always heard it was because they found p2p too hard on mobile. Another reason is they were bought by Microsoft. Centralization's cost decreases exponentially if you already own data centers. It's an economy of scale. So once MS bought them the economic incentive to decentralize was gone and centralization is a more standard way of doing things that more coders understand and it does make some problems simpler.
-
@adam.ierymenko said:
@Dashrender Decentralization is not all or nothing. You can have a p2p network with a central database that it uses for persistence and missed connections.
If you want to go all-in on decentralization you can do that with a DHT and crypto, but it's more work and possibly less reliable or slower.
As far as the feds telling Skype to centralize: I personally doubt this and have always heard it was because they found p2p too hard on mobile. Another reason is they were bought by Microsoft. Centralization's cost decreases exponentially if you already own data centers. It's an economy of scale. So once MS bought them the economic incentive to decentralize was gone and centralization is a more standard way of doing things that more coders understand and it does make some problems simpler.
Huh - that does make sense, but you're the first I've heard mention these points.
-
@Dashrender The economy of scale thing is what I meant by the p2p complexity tax being "regressive" in my presentation on firewalls. The bigger you are, the less it costs to either invest in the engineering required to do p2p well or just back-haul everything to the cloud. If (like MS) you own a bunch of your own data centers, then putting all traffic through your cloud is very cheap due to the scale you already have. So the cloud back-haul requirement intrinsically favors large vendors.
Personally I think Skype going central was just the MS economy of scale thing. You can do P2P on mobile-- ZeroTier has an Android app and soon an iOS one and they work fine. My phone is always pingable on our company LAN and the impact on battery life is in the fractions of a percent. Of course maybe that's more true today... Skype ported to mobile back when phones had slower single-core CPUs and smaller batteries. Radios have quietly gotten way more efficient too, so the constant low-grade peer-to-peer packet slinging doesn't eat as much battery as it might have with earlier generation LTE and WiFi chipsets.
-
@adam.ierymenko said:
As far as the feds telling Skype to centralize: I personally doubt this and have always heard it was because they found p2p too hard on mobile. Another reason is they were bought by Microsoft. Centralization's cost decreases exponentially if you already own data centers. It's an economy of scale. So once MS bought them the economic incentive to decentralize was gone and centralization is a more standard way of doing things that more coders understand and it does make some problems simpler.
And MS had to change how it worked for the merge into Lync. It's that Skype was phased out is really what happened, not that it changed.