Moving Away From LAN-Centric Security
-
@dashrender said in Moving Away From LAN-Centric Security:
@wrx7m said in Moving Away From LAN-Centric Security:
- I want to move away from using the firewall for the WiFi networks' ACLs. In doing so, would I be moving that to the switch?
Are you proposing getting rid of ACLs altogether, or simply moving the ACLs to the switch? You can do that, if your switch supports it. Not sure what you'd be looking to gain by moving it to the switch though?
Performance. Best practices.
-
What kind of solutions are available that are easy to configure and manage but also ensure endpoints that connect meet certain criteria? For example, Windows is updated, AV is current, 3rd party apps are patched, etc.
-
@wrx7m said in Moving Away From LAN-Centric Security:
What kind of solutions are available that are easy to configure and manage but also ensure endpoints that connect meet certain criteria? For example, Windows is updated, AV is current, 3rd party apps are patched, etc.
Salt can verify the systems have xyz installed.
-
@wrx7m said in Moving Away From LAN-Centric Security:
- I know that some people have strong opinions on UTMs, but being that I have one, I am using the transparent proxy, content filter and AV. What would you use to prevent people from visiting known, sketchy sites, whether it's intentional or it's just an accident (phishing, ads, etc.).
I like DNS filtering a lot. Strongarm.io or just a PiHole. DNS is fast, effective, and cheap and stops all kinds of accidents and is really simple to manage. People who are intent on doing bad things and are going to work around that, well they were going to find a way anyway. But stopping accidents, I'm all for. You don't technically block anyone, you just make it really hard to do something bad by accident. I like that as an approach. I also like that it is not "inline" so actually can speed, rather than slow, the network and doesn't bring you down if it fails.
-
@scottalanmiller said in Moving Away From LAN-Centric Security:
@wrx7m said in Moving Away From LAN-Centric Security:
- I know that some people have strong opinions on UTMs, but being that I have one, I am using the transparent proxy, content filter and AV. What would you use to prevent people from visiting known, sketchy sites, whether it's intentional or it's just an accident (phishing, ads, etc.).
I like DNS filtering a lot. Strongarm.io or just a PiHole. DNS is fast, effective, and cheap and stops all kinds of accidents and is really simple to manage. People who are intent on doing bad things and are going to work around that, well they were going to find a way anyway. But stopping accidents, I'm all for. You don't technically block anyone, you just make it really hard to do something bad by accident. I like that as an approach. I also like that it is not "inline" so actually can speed, rather than slow, the network and doesn't bring you down if it fails.
Question regarding strongarm-
Based on what I can tell, for an internal network, you would set your internal DNS servers' forwarders to strongarm's servers. For remote devices, do you manually set the DNS IP addresses? How would that not cause internal name resolution issues when remote devices connect to the LAN via hard-wire, WiFi or VPN?
-
@wrx7m said in Moving Away From LAN-Centric Security:
@scottalanmiller said in Moving Away From LAN-Centric Security:
@wrx7m said in Moving Away From LAN-Centric Security:
- I know that some people have strong opinions on UTMs, but being that I have one, I am using the transparent proxy, content filter and AV. What would you use to prevent people from visiting known, sketchy sites, whether it's intentional or it's just an accident (phishing, ads, etc.).
I like DNS filtering a lot. Strongarm.io or just a PiHole. DNS is fast, effective, and cheap and stops all kinds of accidents and is really simple to manage. People who are intent on doing bad things and are going to work around that, well they were going to find a way anyway. But stopping accidents, I'm all for. You don't technically block anyone, you just make it really hard to do something bad by accident. I like that as an approach. I also like that it is not "inline" so actually can speed, rather than slow, the network and doesn't bring you down if it fails.
Question regarding strongarm-
Based on what I can tell, for an internal network, you would set your internal DNS servers' forwarders to strongarm's servers. For remote devices, do you manually set the DNS IP addresses? How would that not cause internal name resolution issues when remote devices connect to the LAN via hard-wire, WiFi or VPN?
Even more, assuming remote access from a coffee shop what if the shop only allows its own DNS servers out for DNS queries, your hard coded DNS would basically keep you offline... more or less.
-
@dashrender said in Moving Away From LAN-Centric Security:
what if the shop only allows its own DNS servers out for DNS queries, your hard coded DNS would basically keep you offline... more or less.
This is the second time in this thread that this particular scenario has been mentioned. Have you ever witnessed this in the real world?
I have not. Granted, I have not tried hard either.
-
@dashrender said in Moving Away From LAN-Centric Security:
@wrx7m said in Moving Away From LAN-Centric Security:
@scottalanmiller said in Moving Away From LAN-Centric Security:
@wrx7m said in Moving Away From LAN-Centric Security:
- I know that some people have strong opinions on UTMs, but being that I have one, I am using the transparent proxy, content filter and AV. What would you use to prevent people from visiting known, sketchy sites, whether it's intentional or it's just an accident (phishing, ads, etc.).
I like DNS filtering a lot. Strongarm.io or just a PiHole. DNS is fast, effective, and cheap and stops all kinds of accidents and is really simple to manage. People who are intent on doing bad things and are going to work around that, well they were going to find a way anyway. But stopping accidents, I'm all for. You don't technically block anyone, you just make it really hard to do something bad by accident. I like that as an approach. I also like that it is not "inline" so actually can speed, rather than slow, the network and doesn't bring you down if it fails.
Question regarding strongarm-
Based on what I can tell, for an internal network, you would set your internal DNS servers' forwarders to strongarm's servers. For remote devices, do you manually set the DNS IP addresses? How would that not cause internal name resolution issues when remote devices connect to the LAN via hard-wire, WiFi or VPN?
Even more, assuming remote access from a coffee shop what if the shop only allows its own DNS servers out for DNS queries, your hard coded DNS would basically keep you offline... more or less.
Yes, but you can say this about anything. What if they only allowed their own web pages. If they don't offer internet, they don't offer it. You can't plan on people randomly blocking you.
-
@wrx7m said in Moving Away From LAN-Centric Security:
@scottalanmiller said in Moving Away From LAN-Centric Security:
@wrx7m said in Moving Away From LAN-Centric Security:
- I know that some people have strong opinions on UTMs, but being that I have one, I am using the transparent proxy, content filter and AV. What would you use to prevent people from visiting known, sketchy sites, whether it's intentional or it's just an accident (phishing, ads, etc.).
I like DNS filtering a lot. Strongarm.io or just a PiHole. DNS is fast, effective, and cheap and stops all kinds of accidents and is really simple to manage. People who are intent on doing bad things and are going to work around that, well they were going to find a way anyway. But stopping accidents, I'm all for. You don't technically block anyone, you just make it really hard to do something bad by accident. I like that as an approach. I also like that it is not "inline" so actually can speed, rather than slow, the network and doesn't bring you down if it fails.
Question regarding strongarm-
Based on what I can tell, for an internal network, you would set your internal DNS servers' forwarders to strongarm's servers. For remote devices, do you manually set the DNS IP addresses? How would that not cause internal name resolution issues when remote devices connect to the LAN via hard-wire, WiFi or VPN?
Depends. If you are going LANless, you'd not use DNS internally normally. It's a really rare thing to have internal DNS unless you need it for LAN-centric services. That's nearly the only reason (other than caching in the late 1990s and early 2000s) that anyone has ever had internal DNS. So eliminate the need for the LAN, you eliminate the need for the local DNS, problem solved. And literally, that's how we solve it. Then you can hard code Strongarm.io or our Pi-Hole to our hearts' content. Actually makes things easier, rather than harder.
-
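The resolver-selection question discussed above (internal names versus a hard-coded filtering resolver), sketched as an added example that is not part of any poster's message: a policy function that sinkholes blocklisted names, sends names under an internal suffix to the internal DNS server only while on the LAN, and forwards everything else to the filtering service. The suffix `corp.example`, the blocklist entries and all IP addresses are constructed placeholders, not Strongarm.io or Pi-hole values.

```python
from dataclasses import dataclass

# Constructed placeholders (documentation/private ranges), not real service addresses.
INTERNAL_SUFFIXES = ("corp.example",)
INTERNAL_RESOLVER = "10.0.0.53"
FILTERING_RESOLVER = "203.0.113.53"
SINKHOLE_ADDRESS = "0.0.0.0"
BLOCKLIST = {"phish.example", "ads.tracker.example"}


@dataclass(frozen=True)
class Decision:
    action: str   # "forward" or "sinkhole"
    target: str   # resolver to query, or the address to answer with


def normalize(name: str) -> str:
    """Lower-case and strip the trailing root dot so comparisons are stable."""
    return name.strip().rstrip(".").lower()


def matches_suffix(name: str, suffix: str) -> bool:
    """Match on label boundaries: 'a.corp.example' matches, 'notcorp.example' does not."""
    return name == suffix or name.endswith("." + suffix)


def decide(qname: str, on_lan: bool) -> Decision:
    """Pick where a query goes for a device that is on or off the LAN."""
    name = normalize(qname)
    # The blocklist is checked first, so a blocked name is never forwarded anywhere.
    if any(matches_suffix(name, bad) for bad in BLOCKLIST):
        return Decision("sinkhole", SINKHOLE_ADDRESS)
    # Internal names are only answerable while the internal server is reachable.
    if on_lan and any(matches_suffix(name, s) for s in INTERNAL_SUFFIXES):
        return Decision("forward", INTERNAL_RESOLVER)
    # Everything else goes to the filtering resolver. Off the LAN this includes
    # internal names, which will simply fail to resolve there.
    return Decision("forward", FILTERING_RESOLVER)
```

With no internal suffixes configured (the LANless case), the second branch never fires and every device can use the filtering resolver unconditionally.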
@wrx7m said in Moving Away From LAN-Centric Security:
What kind of solutions are available that are easy to configure and manage but also ensure endpoints that connect meet certain criteria? For example, Windows is updated, AV is current, 3rd party apps are patched, etc.
Salt, Ansible, Chef, Puppet. cfEngine will do it but isn't up to par with those four. SodiumSuite is working towards eventually taking this to a far easier and more automated level than those do today, but that's way down the roadmap.
-
@dashrender said in Moving Away From LAN-Centric Security:
@wrx7m said in Moving Away From LAN-Centric Security:
- Should I be doing something else like switch-level ACLs for the servers from all other clients, or is that just too complex and unnecessary?
You started this conversation by saying that you wanted to move away from LAN-Centric security. This means killing ACLs on the network altogether. i.e. treat everything like it's directly on the internet, and secure from that POV.
Not necessarily killing ACLs on the network, but definitely not depending on them.
-
@scottalanmiller said in Moving Away From LAN-Centric Security:
@wrx7m said in Moving Away From LAN-Centric Security:
What kind of solutions are available that are easy to configure and manage but also ensure endpoints that connect meet certain criteria? For example, Windows is updated, AV is current, 3rd party apps are patched, etc.
Salt, Ansible, Chef, Puppet. cfEngine will do it but isn't up to par with those four. SodiumSuite is working towards eventually taking this to a far easier and more automated level than those do today, but that's way down the roadmap.
Does Chef require an agent on the client side?
-
@black3dynamite said in Moving Away From LAN-Centric Security:
@scottalanmiller said in Moving Away From LAN-Centric Security:
@wrx7m said in Moving Away From LAN-Centric Security:
What kind of solutions are available that are easy to configure and manage but also ensure endpoints that connect meet certain criteria? For example, Windows is updated, AV is current, 3rd party apps are patched, etc.
Salt, Ansible, Chef, Puppet. cfEngine will do it but isn't up to par with those four. SodiumSuite is working towards eventually taking this to a far easier and more automated level than those do today, but that's way down the roadmap.
Does Chef require an agent on the client side?
No, I'm not sure that any require an agent. But you generally want an agent, as that keeps you from having to expose management ports.
-
@wrx7m said in Moving Away From LAN-Centric Security:
What else should I be considering to secure and manage an ever-increasing distributed workforce?
Look into products like BeyondTrust PowerBroker, which is basically an endpoint privilege manager. It allows you to exercise really fine-grained policy based controls over endpoints. Think Group Policy on steroids (in fact, its UI is a GP snap-in clone). You can allow users to self-escalate for specific admin tasks like installing or updating whitelisted software, as an example, while preventing any other task from running. And all kinds of other stuff like controlling peripherals, executing tasks based on policy conditions (AV & Windows Updates, etc), performing file integrity monitoring, etc... It lets you do some pretty slick stuff at a very low permissions-based level to shut down malware before it can even start, and severely restrict what any executing malware can actually achieve. Plus there's all kinds of session monitoring, auto screencapping, behavior analysis, auditing, and so on. You can do a LOT with this tool, if you are comfortable with policy based control.
They have a companion product called Retina which is basically a vulnerability manager & network scanner that integrates tightly with it, but PowerBroker is what has the real teeth for endpoint security.
-
@crustachio said in Moving Away From LAN-Centric Security:
BeyondTrust PowerBroker
/sigh, this says it's too expensive for me!
-
@dashrender said in Moving Away From LAN-Centric Security:
/sigh, this says it's too expensive for me!
We were quoted $30/seat for 300 seats, plus $6/seat for 1-year maintenance. We ended up buying it for less than that after "negotiations".
-
@crustachio said in Moving Away From LAN-Centric Security:
@dashrender said in Moving Away From LAN-Centric Security:
/sigh, this says it's too expensive for me!
We were quoted $30/seat for 300 seats, plus $6/seat for 1-year maintenance. We ended up buying it for less than that after "negotiations".
So $30 one time, with an annual fee of $6/seat/year? That's actually pretty good. I have a client that this product MIGHT solve a huge hassle they currently have.
-
@dashrender said in Moving Away From LAN-Centric Security:
@crustachio said in Moving Away From LAN-Centric Security:
BeyondTrust PowerBroker
/sigh, this says it's too expensive for me!
I used their free Linux stuff to join Linux File Servers to AD so I could control file share access via AD Groups. It worked well.
-
@scottalanmiller said in Moving Away From LAN-Centric Security:
@black3dynamite said in Moving Away From LAN-Centric Security:
@scottalanmiller said in Moving Away From LAN-Centric Security:
@wrx7m said in Moving Away From LAN-Centric Security:
What kind of solutions are available that are easy to configure and manage but also ensure endpoints that connect meet certain criteria? For example, Windows is updated, AV is current, 3rd party apps are patched, etc.
Salt, Ansible, Chef, Puppet. cfEngine will do it but isn't up to par with those four. SodiumSuite is working towards eventually taking this to a far easier and more automated level than those do today, but that's way down the roadmap.
Does Chef require an agent on the client side?
No, I'm not sure that any require an agent. But you generally want an agent, as that keeps you from having to expose management ports.
That's one of the two main reasons I chose Salt over Ansible.
- Uses an agent
- Faster
-
@tim_g said in Moving Away From LAN-Centric Security:
@dashrender said in Moving Away From LAN-Centric Security:
@crustachio said in Moving Away From LAN-Centric Security:
BeyondTrust PowerBroker
/sigh, this says it's too expensive for me!
I used their free Linux stuff to join Linux File Servers to AD so I could control file share access via AD Groups. It worked well.
Can't Linux file servers join AD through Samba alone? That asked, I have no idea if GPOs can be applied to the nix boxes at that point though.