Network Security - UTM
-
@Dashrender said:
Removing external email (or access to their personal email on company machines) seems like a great start in the battle against baddies getting into our network.
How do you do that, though? How do you do it without sending them to a different email option? Users will always work around you. Trying to block them is hubris and hubris is the enemy of security.
If you really need to secure people, give them broad access AND an isolated network. Find ways to make things easier for them, not harder.
Being secure means working as partners. The moment the company itself is seen as the enemy, security is no longer a possibility. You are into the realm of everyone acting against one another. You need to get people on the same team. Seeing them as the enemy makes that impossible.
-
@scottalanmiller said:
@Dashrender said:
Ummm... Frankly I do. They are the enemy of security. End users are almost always the weakest link in a company's security.
Then everyone should be fired. If you have enemies in the company, whoever hired them and retains them is a saboteur. Call the police.
If the owners of the company don't agree, that makes IT the enemy.
I understand why you're saying this, but the fact that users get scammed by phishing attaches and bad websites - are we just supposed to say "f it - we can't stop those things, there is nothing we can do to protect ourselves from them" and just always react to the problems they cause?
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
Ummm... Frankly I do. They are the enemy of security. End users are almost always the weakest link in a company's security.
Then everyone should be fired. If you have enemies in the company, whoever hired them and retains them is a saboteur. Call the police.
If the owners of the company don't agree, that makes IT the enemy.
I understand why you're saying this, but the fact that users get scammed by phishing attaches and bad websites - are we just supposed to say "f it - we can't stop those things, there is nothing we can do to protect ourselves from them" and just always react to the problems they cause?
No, we actually address fixing the problem rather than implementing placebos.
Things that we can't do...
- Not have users
- Not have computers
- Not have people with risks
So given that any attempt to stop one of those three things will ultimately fail, we don't look to those things for security.
Instead we change how we think of security. For example... you are concerned with securing your network. Why the network? What is the risk to "the network?"
Let's say User A does something bad. How are they putting User B or the company in general, or the network, at risk? What are the vectors that are a concern? Start there.
-
Getting away from the LAN concept is definitely a plus in this situation. Treating the network connection as untrusted seems to be the only real solution, but not a great one at that.
While Crypto viruses today can't infect ownCloud, tomorrow they will find a way through locally running scripts using the logged-on user's access. Granted it will never be as good as they have it now with file shares.
-
@Dashrender said:
Getting away from the LAN concept is definitely a plus in this situation. Treating the network connection as untrusted seems to be the only real solution, but not a great one at that.
Why not great?
-
@Dashrender said:
While Crypto viruses today can't infect ownCloud, tomorrow they will find a way through locally running scripts using the logged-on user's access. Granted it will never be as good as they have it now with file shares.
Once they do that, they are past the point of there being anything we can do. That means that we will be infected, without us being involved, from the Internet and none of the security or blocks that you put in place matter.
So not a situation to be concerned about.
-
@scottalanmiller said:
@Dashrender said:
While Crypto viruses today can't infect ownCloud, tomorrow they will find a way through locally running scripts using the logged-on user's access. Granted it will never be as good as they have it now with file shares.
Once they do that, they are past the point of there being anything we can do. That means that we will be infected, without us being involved, from the Internet and none of the security or blocks that you put in place matter.
So not a situation to be concerned about.
This is why not great - because it's not a full on solution. That was all I was getting at - it's not a full solution, as there can't be as long as users have access.
So you're right, from that point - OwnCloud, SharePoint, etc. all we can do is restore from that point.
-
@Dashrender said:
This is why not great - because it's not a full on solution. That was all I was getting at - it's not a full solution, as there can't be as long as users have access.
Great and perfect are not synonymous. It seems like a pretty great solution to me... make everything as secure as the outside connection. It's as full of a solution as there can be. Nothing is perfect, but many things are great.
-
OK, what about from a PCI/Data protection standpoint?
Shouldn't we be doing everything we can to secure all ways into the network no matter how remote the chance a hacker will try is?
-
@scottalanmiller said:
@Dashrender said:
This is why not great - because it's not a full on solution. That was all I was getting at - it's not a full solution, as there can't be as long as users have access.
Great and perfect are not synonymous. It seems like a pretty great solution to me... make everything as secure as the outside connection. It's as full of a solution as there can be. Nothing is perfect, but many things are great.
I give ya that
-
@hobbit666 said:
OK, what about from a PCI/Data protection standpoint?
Shouldn't we be doing everything we can to secure all ways into the network no matter how remote the chance a hacker will try is?
Then the best security would be the best, right? The best is always the best.
-
@hobbit666 said:
Shouldn't we be doing everything we can to secure all ways into the network no matter how remote the chance a hacker will try is?
That depends, does "securing" that resource make the security better or worse? Often it makes it worse.
-
@hobbit666 said:
OK, what about from a PCI/Data protection standpoint?
Shouldn't we be doing everything we can to secure all ways into the network no matter how remote the chance a hacker will try is?
You can, by not trusting the local network at all.. not making it important in any way.
What I mean is no more file shares that are just open, logons for anything that is accessed.
Basically treat your local network as if it's the internet, and then you don't have to worry about it as much.
I think you can still use Active Directory in a setup like this.
-
@hobbit666 Did someone say PCI? Hold everything!
What level of PCI compliance are you working towards? Or has the goal not been set yet?
-
ownCloud does not protect you from Crypto, because the file will be encrypted locally and then synced up to the server and back down to everyone that has access to it.
-
@JaredBusch said:
ownCloud does not protect you from Crypto, because the file will be encrypted locally and then synced up to the server and back down to everyone that has access to it.
One huge reason why offline sync clients are a bad thing.
Perhaps a needed thing, but still a bad solution.
It might be better if the files could be saved in a webapp instead of through a sync client just dumped into the filesystem.
-
@Dashrender said:
@JaredBusch said:
ownCloud does not protect you from Crypto, because the file will be encrypted locally and then synced up to the server and back down to everyone that has access to it.
One huge reason why offline sync clients are a bad thing.
Perhaps a needed thing, but still a bad solution.
It might be better if the files could be saved in a webapp instead of through a sync client just dumped into the filesystem.
Entirely possible, but not likely a default setup for someone using ownCloud (or any other solution) in replacement of folder shares.
-
@JaredBusch said:
@Dashrender said:
@JaredBusch said:
ownCloud does not protect you from Crypto, because the file will be encrypted locally and then synced up to the server and back down to everyone that has access to it.
One huge reason why offline sync clients are a bad thing.
Perhaps a needed thing, but still a bad solution.
It might be better if the files could be saved in a webapp instead of through a sync client just dumped into the filesystem.
Entirely possible, but not likely a default setup for someone using ownCloud (or any other solution) in replacement of folder shares.
Really? For folder shares? I don't know anyone who by default syncs folder shares (a network share used by many people) to their local system. Sure it's possible, and I know JB has the situation where his techs need to maintain copies of their technical manuals while offline, but would you call that common?
-
Now if you tell me that they are moving from a personal shared drive (say a typical U: drive or redirected folders) or something like DropBox, then I would agree; moving to OwnCloud from those things, I would expect a sync client to be completely common.
-
@Dashrender said:
@JaredBusch said:
@Dashrender said:
@JaredBusch said:
ownCloud does not protect you from Crypto, because the file will be encrypted locally and then synced up to the server and back down to everyone that has access to it.
One huge reason why offline sync clients are a bad thing.
Perhaps a needed thing, but still a bad solution.
It might be better if the files could be saved in a webapp instead of through a sync client just dumped into the filesystem.
Entirely possible, but not likely a default setup for someone using ownCloud (or any other solution) in replacement of folder shares.
Really? For folder shares? I don't know anyone who by default syncs folder shares (a network share used by many people) to their local system. Sure it's possible, and I know JB has the situation where his techs need to maintain copies of their technical manuals while offline, but would you call that common?
Yes, because they expect the files to be available. We are discussing this from the point of view of replacing shares on a LAN. You would add a LOT of steps to these users to access files before they can open them. Users would quickly start using local files and emailing copies around.