Moving Away From LAN-Centric Security
-
@wrx7m said in Moving Away From LAN-Centric Security:
What kind of solutions are available that are easy to configure and manage but also ensure endpoints that connect meet certain criteria? For example, Windows is updated, AV is current, 3rd party apps are patched, etc.
Salt, Ansible, Chef, Puppet. cfEngine will do it but isn't up to par with those four. SodiumSuite is working towards eventually taking this to a far easier and more automated level than those do today, but that's way down the roadmap.
-
@dashrender said in Moving Away From LAN-Centric Security:
@wrx7m said in Moving Away From LAN-Centric Security:
- Should I be doing something else like switch-level ACLs for the servers from all other clients, or is that just too complex and unnecessary?
You started this conversation by saying that you wanted to move away from LAN-Centric security. This means killing ACLs on the network altogether. i.e. treat everything like it's directly on the internet, and secure from that POV.
Not necessarily killing ACLs on the network, but definitely not depending on them.
-
@scottalanmiller said in Moving Away From LAN-Centric Security:
@wrx7m said in Moving Away From LAN-Centric Security:
What kind of solutions are available that are easy to configure and manage but also ensure endpoints that connect meet certain criteria? For example, Windows is updated, AV is current, 3rd party apps are patched, etc.
Salt, Ansible, Chef, Puppet. cfEngine will do it but isn't up to par with those four. SodiumSuite is working towards eventually taking this to a far easier and more automated level than those do today, but that's way down the roadmap.
Does Chef require an agent on the client side?
-
@black3dynamite said in Moving Away From LAN-Centric Security:
@scottalanmiller said in Moving Away From LAN-Centric Security:
@wrx7m said in Moving Away From LAN-Centric Security:
What kind of solutions are available that are easy to configure and manage but also ensure endpoints that connect meet certain criteria? For example, Windows is updated, AV is current, 3rd party apps are patched, etc.
Salt, Ansible, Chef, Puppet. cfEngine will do it but isn't up to par with those four. SodiumSuite is working towards eventually taking this to a far easier and more automated level than those do today, but that's way down the roadmap.
Does Chef require an agent on the client side?
No, I'm not sure that any require an agent. But you generally want an agent, as that keeps you from having to expose management ports.
-
@wrx7m said in Moving Away From LAN-Centric Security:
What else should I be considering to secure and manage an ever-increasing distributed workforce?
Look into products like BeyondTrust PowerBroker, which is basically an endpoint privilege manager. It allows you to exercise really fine-grained policy based controls over endpoints. Think Group Policy on steroids (in fact, its UI is a GP snap-in clone). You can allow users to self-escalate for specific admin tasks like installing or updating whitelisted software, as an example, while preventing any other task from running. And all kinds of other stuff like controlling peripherals, executing tasks based on policy conditions (AV & Windows Updates, etc), performing file integrity monitoring, etc... It lets you do some pretty slick stuff at a very low permissions-based level to shut down malware before it can even start, and severely restrict what any executing malware can actually achieve. Plus there's all kinds of session monitoring, auto screencapping, behavior analysis, auditing, and so on. You can do a LOT with this tool, if you are comfortable with policy based control.
They have a companion product called Retina which is basically a vulnerability manager & network scanner that integrates tightly with it, but PowerBroker is what has the real teeth for endpoint security.
-
@crustachio said in Moving Away From LAN-Centric Security:
BeyondTrust PowerBroker
/sigh, this says it's too expensive for me!
-
@dashrender said in Moving Away From LAN-Centric Security:
/sigh, this says it's too expensive for me!
We were quoted $30/seat for 300 seats, plus $6/seat for 1-year maintenance. We ended up buying it for less than that after "negotiations".
-
@crustachio said in Moving Away From LAN-Centric Security:
@dashrender said in Moving Away From LAN-Centric Security:
/sigh, this says it's too expensive for me!
We were quoted $30/seat for 300 seats, plus $6/seat for 1-year maintenance. We ended up buying it for less than that after "negotiations".
So $30 one time, with an annual fee of $6/seat/year? That's actually pretty good. I have a client that this product MIGHT solve a huge hassle they currently have.
-
@dashrender said in Moving Away From LAN-Centric Security:
@crustachio said in Moving Away From LAN-Centric Security:
BeyondTrust PowerBroker
/sigh, this says it's too expensive for me!
I used their free Linux stuff to join Linux File Servers to AD so I could control file share access via AD Groups. It worked well.
-
@scottalanmiller said in Moving Away From LAN-Centric Security:
@black3dynamite said in Moving Away From LAN-Centric Security:
@scottalanmiller said in Moving Away From LAN-Centric Security:
@wrx7m said in Moving Away From LAN-Centric Security:
What kind of solutions are available that are easy to configure and manage but also ensure endpoints that connect meet certain criteria? For example, Windows is updated, AV is current, 3rd party apps are patched, etc.
Salt, Ansible, Chef, Puppet. cfEngine will do it but isn't up to par with those four. SodiumSuite is working towards eventually taking this to a far easier and more automated level than those do today, but that's way down the roadmap.
Does Chef require an agent on the client side?
No, I'm not sure that any require an agent. But you generally want an agent, as that keeps you from having to expose management ports.
That's one of the two main reasons I chose Salt over Ansible.
- Uses an agent
- Faster
-
@tim_g said in Moving Away From LAN-Centric Security:
@dashrender said in Moving Away From LAN-Centric Security:
@crustachio said in Moving Away From LAN-Centric Security:
BeyondTrust PowerBroker
/sigh, this says it's too expensive for me!
I used their free Linux stuff to join Linux File Servers to AD so I could control file share access via AD Groups. It worked well.
Can't Linux file servers join AD through Samba alone? That asked, I have no idea if GPOs can be applied to the nix boxes at that point though.
-
@crustachio said in Moving Away From LAN-Centric Security:
@dashrender said in Moving Away From LAN-Centric Security:
/sigh, this says it's too expensive for me!
We were quoted $30/seat for 300 seats, plus $6/seat for 1-year maintenance. We ended up buying it for less than that after "negotiations".
Out of curiosity, what pricing did you settle on?
-
@scottalanmiller said in Moving Away From LAN-Centric Security:
@wrx7m said in Moving Away From LAN-Centric Security:
@scottalanmiller said in Moving Away From LAN-Centric Security:
@wrx7m said in Moving Away From LAN-Centric Security:
- I know that some people have strong opinions on UTMs, but being that I have one, I am using the transparent proxy, content filter and AV. What would you use to prevent people from visiting known, sketchy sites, whether it's intentional or it's just an accident (phishing, ads, etc.).
I like DNS filtering a lot. Strongarm.io or just a PiHole. DNS is fast, effective, and cheap and stops all kinds of accidents and is really simple to manage. People who are intent on doing bad things are going to work around that; well, they were going to find a way anyway. But stopping accidents, I'm all for. You don't technically block anyone, you just make it really hard to do something bad by accident. I like that as an approach. I also like that it is not "inline" so actually can speed, rather than slow, the network and doesn't bring you down if it fails.
Question regarding strongarm-
Based on what I can tell, for an internal network, you would set your internal DNS servers' forwarders to strongarm's servers. For remote devices, do you manually set the DNS IP addresses? How would that not cause internal name resolution issues when remote devices connect to the LAN via hard-wire, WiFi or VPN?
Depends. If you are going LANless, you'd not use DNS internally normally. It's a really rare thing to have internal DNS unless you need it for LAN-centric services. That's nearly the only reason (other than caching in the late 1990s and early 2000s) that anyone has ever had internal DNS. So eliminate the need for the LAN and you eliminate the need for the local DNS, problem solved. And literally, that's how we solve it. Then you can hard code Strongarm.io or our Pi-Hole to our hearts' content. Actually makes things easier, rather than harder.
So let me rephrase, "moving away from" to "becoming less focused on" - I just want to confirm that in order to use strongarm on remote computers, I would have to hardcode DNS server settings into the client. They don't have some sort of client application that you install on the endpoint, right?
-
@wrx7m said in Moving Away From LAN-Centric Security:
@scottalanmiller said in Moving Away From LAN-Centric Security:
@wrx7m said in Moving Away From LAN-Centric Security:
@scottalanmiller said in Moving Away From LAN-Centric Security:
@wrx7m said in Moving Away From LAN-Centric Security:
- I know that some people have strong opinions on UTMs, but being that I have one, I am using the transparent proxy, content filter and AV. What would you use to prevent people from visiting known, sketchy sites, whether it's intentional or it's just an accident (phishing, ads, etc.).
I like DNS filtering a lot. Strongarm.io or just a PiHole. DNS is fast, effective, and cheap and stops all kinds of accidents and is really simple to manage. People who are intent on doing bad things are going to work around that; well, they were going to find a way anyway. But stopping accidents, I'm all for. You don't technically block anyone, you just make it really hard to do something bad by accident. I like that as an approach. I also like that it is not "inline" so actually can speed, rather than slow, the network and doesn't bring you down if it fails.
Question regarding strongarm-
Based on what I can tell, for an internal network, you would set your internal DNS servers' forwarders to strongarm's servers. For remote devices, do you manually set the DNS IP addresses? How would that not cause internal name resolution issues when remote devices connect to the LAN via hard-wire, WiFi or VPN?
Depends. If you are going LANless, you'd not use DNS internally normally. It's a really rare thing to have internal DNS unless you need it for LAN-centric services. That's nearly the only reason (other than caching in the late 1990s and early 2000s) that anyone has ever had internal DNS. So eliminate the need for the LAN and you eliminate the need for the local DNS, problem solved. And literally, that's how we solve it. Then you can hard code Strongarm.io or our Pi-Hole to our hearts' content. Actually makes things easier, rather than harder.
So let me rephrase, "moving away from" to "becoming less focused on" - I just want to confirm that in order to use strongarm on remote computers, I would have to hardcode DNS server settings into the client. They don't have some sort of client application that you install on the endpoint, right?
Not that I know of.
-
@dashrender said in Moving Away From LAN-Centric Security:
@tim_g said in Moving Away From LAN-Centric Security:
@dashrender said in Moving Away From LAN-Centric Security:
@crustachio said in Moving Away From LAN-Centric Security:
BeyondTrust PowerBroker
/sigh, this says it's too expensive for me!
I used their free Linux stuff to join Linux File Servers to AD so I could control file share access via AD Groups. It worked well.
Can't Linux file servers join AD through Samba alone? That asked, I have no idea if GPOs can be applied to the nix boxes at that point though.
GPO could be applied, if you have something that reads GPO. GPO is just a suggestion, and if nothing tells Linux to do something with it, it does nothing.
-
@tim_g said in Moving Away From LAN-Centric Security:
@dashrender said in Moving Away From LAN-Centric Security:
@crustachio said in Moving Away From LAN-Centric Security:
BeyondTrust PowerBroker
/sigh, this says it's too expensive for me!
I used their free Linux stuff to join Linux File Servers to AD so I could control file share access via AD Groups. It worked well.
Tim, Is there a specific name for the product you used? This may help me immensely in my future quest of AD Groups and Linux.
-
@pmoncho said in Moving Away From LAN-Centric Security:
@tim_g said in Moving Away From LAN-Centric Security:
@dashrender said in Moving Away From LAN-Centric Security:
@crustachio said in Moving Away From LAN-Centric Security:
BeyondTrust PowerBroker
/sigh, this says it's too expensive for me!
I used their free Linux stuff to join Linux File Servers to AD so I could control file share access via AD Groups. It worked well.
Tim, Is there a specific name for the product you used? This may help me immensely in my future quest of AD Groups and Linux.
https://www.beyondtrust.com/products/powerbroker-identity-services-open/
My use case was very simple... I only used it for controlling access to Samba shares via MS Active Directory groups.
So make sure your use case is covered in this free/open version.
-
@tim_g said in Moving Away From LAN-Centric Security:
So make sure your use case is covered in this free/open version.
I was playing with Samba a few months ago specifically for file services and could not get AD group perms to work. If it can help with my final issue, then I will be a very happy camper and needing one less Windows License.
-
@pmoncho said in Moving Away From LAN-Centric Security:
@tim_g said in Moving Away From LAN-Centric Security:
So make sure your use case is covered in this free/open version.
I was playing with Samba a few months ago specifically for file services and could not get AD group perms to work. If it can help with my final issue, then I will be a very happy camper and needing one less Windows License.
Yeah that tool made it quick and easy.
It'll require you to change your Samba share permissions in the config file a little bit, but I think that's in their documentation. For groups, you need to put a plus in front like
+domain\groupName
or something like that. It's been a while, but I'm sure you'll read it.
-
There were two pieces... that main part, and then installing another "add-in" like thing specifically for Samba. It was like a Samba integration extension or something like that. Maybe it's built in now, I don't know.
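As an added example, not from this thread and not from BeyondTrust's documentation, here is what the "Samba alone" route asked about earlier looks like: an smb.conf that joins the host to AD with winbind and restricts a share to one AD group, using the `@DOMAIN\group` form that the smb.conf man page documents for `valid users`. The domain, realm, share path and group name are placeholders.

```ini
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.LOCAL
   # Kerberos/AD member mode; the box must be joined with 'net ads join'
   security = ads
   # winbind exposes AD users and groups to the OS as DOMAIN\name
   # (the default 'winbind separator' is '\', so no override is needed)
   winbind use default domain = no
   winbind refresh tickets = yes
   template shell = /bin/false
   # stable SID-to-UID/GID mapping so group ACLs survive reboots
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999
   # no anonymous fallback on a failed or unknown login
   map to guest = never
   server min protocol = SMB2
   server signing = mandatory

[finance]
   path = /srv/samba/finance
   browseable = yes
   read only = no
   # only members of the AD group may open the share at all;
   # '@' tells Samba the name is a group, not a user
   valid users = @EXAMPLE\finance-staff
   # new files are owned by the same group so POSIX perms match the share
   force group = EXAMPLE\finance-staff
   create mask = 0660
   directory mask = 2770
```

After `net ads join -U <admin>` and adding `winbind` to the passwd and group lines of /etc/nsswitch.conf, `getent group 'EXAMPLE\finance-staff'` should list the group's members; if it does not, winbind is not resolving the group and the `valid users` line cannot match anyone.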