Moving Away From LAN-Centric Security

wrx7m

After reading some posts here (mostly from @scottalanmiller), I am trying to move my network to a point where security is more from the endpoint side instead of just relying on the security at the network level.

Current Network Configuration-

I have my network configured where there is one main network and all servers and hard-wired clients (including IP phones) are connected. I am not using 802.1X.

My wireless controller, APs and clients are on a separate VLAN (or VLANs depending on SSID). They then go through the firewall (Sophos UTM) to access the main LAN and can only access certain servers and services (and not other client devices) due to ACLs at the firewall level. Company-issued mobile devices and approved mobile BYOD devices for company access are authenticated via AD USER account against a RADIUS server. Company-issued Windows laptops, are authenticated via AD COMPUTER account against the same RADIUS server.

Current Endpoint Configurations-

Servers - Webroot SecureAnywhere AV, Windows Firewall enabled with certain rules to allow for services and administration. 95% virtualized.
Windows LAN Clients - Currently, 99% are Windows 7 but I am rolling out Windows 10 now. No one is a local admin. Using LAPS for local admin passwords. Webroot SecureAnywhere AV with Outbound Firewall enabled, Windows firewall is not configured yet, but I am rolling it out via GPO. Windows 10 will also allow us to use Application policy.
Windows Wireless Clients - The majority of the wireless clients are being used in and out of the office (for home/remote and occasional in-office visits). 99% Windows 7 but will be moving to 10. Non one is local admin. Webroot SecureAnywhere AV with outbound firewall enabled. Windows firewall enabled. Using LAPS for local admin passwords. Windows 10 will also allow us to use Application policy.

Initial Questions-

• I want to move away from using the firewall for the WiFi networks' ACLs. In doing so, would I be moving that to the switch?

• Should I be doing something else like switch-level ACLs for the servers from all other clients, or is that just too complex and unnecessary?

• I know that some people have strong opinions on UTMs, but being that I have one, I am using the transparent proxy, content filter and AV. What would you use to prevent people from visiting known, sketchy sites, whether it's intentional or it's just an accident (phishing, ads, etc.).

• What else should I be considering to secure and manage an ever-increasing distributed workforce?

Dashrender

@wrx7m said in Moving Away From LAN-Centric Security:

• I want to move away from using the firewall for the WiFi networks' ACLs. In doing so, would I be moving that to the switch?

Are you proposing getting rid of ACLs all together, or simply moving the ACL's to the switch? You can do that, if you switch supports it. Not sure what you'd be looking to gain by moving it to the switch though?

Dashrender

@wrx7m said in Moving Away From LAN-Centric Security:

• Should I be doing something else like switch-level ACLs for the servers from all other clients, or is that just too complex and unnecessary?

You started this conversation by saying that you wanted to move away from LAN-Centric security. This means killing ACLs on the network altogether. i.e. treat everything like it's directly on the internet, and secure from that POV.

Dashrender

@wrx7m said in Moving Away From LAN-Centric Security:

• I know that some people have strong opinions on UTMs, but being that I have one, I am using the transparent proxy, content filter and AV. What would you use to prevent people from visiting known, sketchy sites, whether it's intentional or it's just an accident (phishing, ads, etc.).

The issue around here regarding UTMs is that most are very underpowered for their feature set. Plus having all those features in a single device means if the device is breached, all those things are compromised.

For a truly mobile workforce, I'm not sure there is much you can do in UTM style, other than software on each endpoint. IF you can use your own DNS wherever you travel, that might be a possibility - i.e. have all machines use a PieHole that you setup, but there are places that block all DNS outbound and force users to use the DNS provided by DHCP (think coffee shop).

Webroot has it's own rating system for websites, along with the firewall should pretty much cover you. I assume that webroot also allows you to blacklist websites if that feature is needed.

wrx7m

@dashrender said in Moving Away From LAN-Centric Security:

@wrx7m said in Moving Away From LAN-Centric Security:

• Should I be doing something else like switch-level ACLs for the servers from all other clients, or is that just too complex and unnecessary?

You started this conversation by saying that you wanted to move away from LAN-Centric security. This means killing ACLs on the network altogether. i.e. treat everything like it's directly on the internet, and secure from that POV.

Hmmm. I don't think that I would go that far.

wrx7m

@dashrender said in Moving Away From LAN-Centric Security:

@wrx7m said in Moving Away From LAN-Centric Security:

• I want to move away from using the firewall for the WiFi networks' ACLs. In doing so, would I be moving that to the switch?

Are you proposing getting rid of ACLs all together, or simply moving the ACL's to the switch? You can do that, if you switch supports it. Not sure what you'd be looking to gain by moving it to the switch though?

Performance. Best practices.

wrx7m

What kind of solutions are available that are easy to configure and manage but also ensure endpoints that connect meet certain criteria? For example, Windows is updated, AV is current, 3rd party apps are patched, etc.

Dashrender

@wrx7m said in Moving Away From LAN-Centric Security:

What kind of solutions are available that are easy to configure and manage but also ensure endpoints that connect meet certain criteria? For example, Windows is updated, AV is current, 3rd party apps are patched, etc.

Salt can verify the systems have xyz installed.

scottalanmiller

@wrx7m said in Moving Away From LAN-Centric Security:

• I know that some people have strong opinions on UTMs, but being that I have one, I am using the transparent proxy, content filter and AV. What would you use to prevent people from visiting known, sketchy sites, whether it's intentional or it's just an accident (phishing, ads, etc.).

I like DNS filtering a lot. Strongarm.io or just a PiHole. DNS is fast, effective, and cheap and stops all kinds of accidents and is really simple to manage. People who are intent on doing bad things and are going to work around that, well they were going to find a way anyway. But stopping accidents, I'm all for. You don't technically block anyone, you just make it really hard to do something bad by accident. I like that as an approach. I also like that it is not "inline" so actually can speed, rather than slow, the network and doesn't bring you down if it fails.

wrx7m

@scottalanmiller said in Moving Away From LAN-Centric Security:

@wrx7m said in Moving Away From LAN-Centric Security:

• I know that some people have strong opinions on UTMs, but being that I have one, I am using the transparent proxy, content filter and AV. What would you use to prevent people from visiting known, sketchy sites, whether it's intentional or it's just an accident (phishing, ads, etc.).

I like DNS filtering a lot. Strongarm.io or just a PiHole. DNS is fast, effective, and cheap and stops all kinds of accidents and is really simple to manage. People who are intent on doing bad things and are going to work around that, well they were going to find a way anyway. But stopping accidents, I'm all for. You don't technically block anyone, you just make it really hard to do something bad by accident. I like that as an approach. I also like that it is not "inline" so actually can speed, rather than slow, the network and doesn't bring you down if it fails.

Question regarding strongarm-
Based on what I can tell, for an internal network, you would set your internal DNS servers' forwarders to strongarm's servers. For remote devices, do you manually set the DNS IP addresses? How would that not cause internal name resolution issues when remote devices connect to the LAN via hard-wire, WiFi or VPN?

Dashrender

@wrx7m said in Moving Away From LAN-Centric Security:

@scottalanmiller said in Moving Away From LAN-Centric Security:

@wrx7m said in Moving Away From LAN-Centric Security:

• I know that some people have strong opinions on UTMs, but being that I have one, I am using the transparent proxy, content filter and AV. What would you use to prevent people from visiting known, sketchy sites, whether it's intentional or it's just an accident (phishing, ads, etc.).

I like DNS filtering a lot. Strongarm.io or just a PiHole. DNS is fast, effective, and cheap and stops all kinds of accidents and is really simple to manage. People who are intent on doing bad things and are going to work around that, well they were going to find a way anyway. But stopping accidents, I'm all for. You don't technically block anyone, you just make it really hard to do something bad by accident. I like that as an approach. I also like that it is not "inline" so actually can speed, rather than slow, the network and doesn't bring you down if it fails.

Question regarding strongarm-
Based on what I can tell, for an internal network, you would set your internal DNS servers' forwarders to strongarm's servers. For remote devices, do you manually set the DNS IP addresses? How would that not cause internal name resolution issues when remote devices connect to the LAN via hard-wire, WiFi or VPN?

Even more, assuming remote access from a coffee shop what if the shop only allows its own DNS servers out for DNS quiries, your hard coded DNS would basically keep you offline... more or less.

JaredBusch

@dashrender said in Moving Away From LAN-Centric Security:

what if the shop only allows its own DNS servers out for DNS quiries, your hard coded DNS would basically keep you offline... more or less.

This is the second time in this thread that this particular scenario has been memntioned. Have you ever witnessed this in the real world?

I have not. Granted, I have not tried hard either.

scottalanmiller

@dashrender said in Moving Away From LAN-Centric Security:

@wrx7m said in Moving Away From LAN-Centric Security:

@scottalanmiller said in Moving Away From LAN-Centric Security:

@wrx7m said in Moving Away From LAN-Centric Security:

• I know that some people have strong opinions on UTMs, but being that I have one, I am using the transparent proxy, content filter and AV. What would you use to prevent people from visiting known, sketchy sites, whether it's intentional or it's just an accident (phishing, ads, etc.).

I like DNS filtering a lot. Strongarm.io or just a PiHole. DNS is fast, effective, and cheap and stops all kinds of accidents and is really simple to manage. People who are intent on doing bad things and are going to work around that, well they were going to find a way anyway. But stopping accidents, I'm all for. You don't technically block anyone, you just make it really hard to do something bad by accident. I like that as an approach. I also like that it is not "inline" so actually can speed, rather than slow, the network and doesn't bring you down if it fails.

Question regarding strongarm-
Based on what I can tell, for an internal network, you would set your internal DNS servers' forwarders to strongarm's servers. For remote devices, do you manually set the DNS IP addresses? How would that not cause internal name resolution issues when remote devices connect to the LAN via hard-wire, WiFi or VPN?

Even more, assuming remote access from a coffee shop what if the shop only allows its own DNS servers out for DNS quiries, your hard coded DNS would basically keep you offline... more or less.

Yes, but you can say this about anything. What if they only allowed their own web pages. If they don't offer internet, they don't offer it. You can't plan on people randomly blocking you.

scottalanmiller

@wrx7m said in Moving Away From LAN-Centric Security:

@scottalanmiller said in Moving Away From LAN-Centric Security:

@wrx7m said in Moving Away From LAN-Centric Security:

• I know that some people have strong opinions on UTMs, but being that I have one, I am using the transparent proxy, content filter and AV. What would you use to prevent people from visiting known, sketchy sites, whether it's intentional or it's just an accident (phishing, ads, etc.).

I like DNS filtering a lot. Strongarm.io or just a PiHole. DNS is fast, effective, and cheap and stops all kinds of accidents and is really simple to manage. People who are intent on doing bad things and are going to work around that, well they were going to find a way anyway. But stopping accidents, I'm all for. You don't technically block anyone, you just make it really hard to do something bad by accident. I like that as an approach. I also like that it is not "inline" so actually can speed, rather than slow, the network and doesn't bring you down if it fails.

Question regarding strongarm-
Based on what I can tell, for an internal network, you would set your internal DNS servers' forwarders to strongarm's servers. For remote devices, do you manually set the DNS IP addresses? How would that not cause internal name resolution issues when remote devices connect to the LAN via hard-wire, WiFi or VPN?

Depends. If you are going LANless, you'd not use DNS internally normally. It's a really rare thing to have internal DNS unless you need it for LAN-centric services. That's nearly the only reason (other than caching in the late 1990s and early 2000s) that anyone has ever had internal DNS. So eliminate the need for the LAN, you eliminate the need for the local DNS, problem solved. And literally, that's how we solve it. Then you can hard code Strongarm.io or our Pi-Hole to our hearts content. Actually makes things easier, rather than harder.

scottalanmiller

@wrx7m said in Moving Away From LAN-Centric Security:

What kind of solutions are available that are easy to configure and manage but also ensure endpoints that connect meet certain criteria? For example, Windows is updated, AV is current, 3rd party apps are patched, etc.

Salt, Ansible, Chef, Puppet. cfEngine will do it but isn't up to par with those four. SodiumSuite is working towards eventually taking this to a far easier and more automated level than those do today, but that's way down the roadmap.

scottalanmiller

@dashrender said in Moving Away From LAN-Centric Security:

@wrx7m said in Moving Away From LAN-Centric Security:

• Should I be doing something else like switch-level ACLs for the servers from all other clients, or is that just too complex and unnecessary?

You started this conversation by saying that you wanted to move away from LAN-Centric security. This means killing ACLs on the network altogether. i.e. treat everything like it's directly on the internet, and secure from that POV.

Not necessarily killing ACLs on the network, but definitely not depending on them.

black3dynamite

@scottalanmiller said in Moving Away From LAN-Centric Security:

@wrx7m said in Moving Away From LAN-Centric Security:

What kind of solutions are available that are easy to configure and manage but also ensure endpoints that connect meet certain criteria? For example, Windows is updated, AV is current, 3rd party apps are patched, etc.

Salt, Ansible, Chef, Puppet. cfEngine will do it but isn't up to par with those four. SodiumSuite is working towards eventually taking this to a far easier and more automated level than those do today, but that's way down the roadmap.

Does Chef requires an agent on the client side?

scottalanmiller

@black3dynamite said in Moving Away From LAN-Centric Security:

@scottalanmiller said in Moving Away From LAN-Centric Security:

@wrx7m said in Moving Away From LAN-Centric Security:

What kind of solutions are available that are easy to configure and manage but also ensure endpoints that connect meet certain criteria? For example, Windows is updated, AV is current, 3rd party apps are patched, etc.

Salt, Ansible, Chef, Puppet. cfEngine will do it but isn't up to par with those four. SodiumSuite is working towards eventually taking this to a far easier and more automated level than those do today, but that's way down the roadmap.

Does Chef requires an agent on the client side?

No, I'm not sure that any require an agent. But you generally want an agent, as that keeps you from having to expose management ports.

crustachio

@wrx7m said in Moving Away From LAN-Centric Security:

What else should I be considering to secure and manage an ever-increasing distributed workforce?

Look into products like BeyondTrust PowerBroker, which is basically an endpoint privilege manager. It allows you to exercise really fine-grained policy based controls over endpoints. Think Group Policy on steroids (in fact, its UI is a GP snap-in clone). You can allow users to self-escalate for specific admin tasks like installing or updating whitelisted software, as an example, while preventing any other task from running. And all kinds of other stuff like controlling peripherals, executing tasks based on policy conditions (AV & Windows Updates, etc), performing file integrity monitoring, etc... It lets you do some pretty slick stuff at a very low permissions-based level to shut down malware before it can even start, and severely restrict what any executing malware can actually achieve. Plus there's all kinds of session monitoring, auto screencapping, behavior analysis, auditing, and so on. You can do a LOT with this tool, if you are comfortable with policy based control.

They have a companion product called Retina which is basically a vulnerability manager & network scanner that integrates tightly with it, but PowerBroker is what has the real teeth for endpoint security.

Dashrender

@crustachio said in Moving Away From LAN-Centric Security:

BeyondTrust PowerBroker

/sigh, this says it's to expensive for me!

https://i.imgur.com/IBiC3Do.png