Posts made by dave247
-
RE: Looking for MICR check printing software that doesn't suck
Turns out I would also need proper MICR font, like this https://www.1001fonts.com/micr-encoding-font.html
-
RE: Looking for MICR check printing software that doesn't suck
@dashrender said in Looking for MICR check printing software that doesn't suck:
@dave247 said in Looking for MICR check printing software that doesn't suck:
@dashrender said in Looking for MICR check printing software that doesn't suck:
Isn't the MICR just in the toner? Does that part even matter? Maybe I'm wrong and those printers actually have two types of toner in them...
That's what I was wondering. And yes, MICR is just magnetic ink. I don't know if I could even just technically use Microsoft Word to print on them using the MICR printer...
I think you can. Only one way to find out
You know what, you're right hahaha
-
RE: Looking for MICR check printing software that doesn't suck
@dashrender said in Looking for MICR check printing software that doesn't suck:
Isn't the MICR just in the toner? Does that part even matter? Maybe I'm wrong and those printers actually have two types of toner in them...
That's what I was wondering. And yes, MICR is just magnetic ink. I don't know if I could even just technically use Microsoft Word to print on them using the MICR printer...
-
Looking for MICR check printing software that doesn't suck
I work at a bank and we have been using an application called MMS Forms from Blauser Technologies for like 10 years to print temporary checks and loan coupons. It totally sucks. It looks like something out of 1995 and the annual update process is very confusing and nonsensical. It's not a big complex to-do or anything, just messy and different than a normal, modern application. Updating the check image graphic requires using something like IrfanView with a plugin to edit a .pcx file. I could go on. All we use MMS Forms for is to print temporary checks, which obviously requires a MICR printer, and then loan coupons. I can't imagine the software has to be "special" or something crazy...
I searched around the internet but keep finding equally questionable looking applications. I'm hoping some of you here have used something in the past that maybe worked well.
-
RE: Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote
@pete-s said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dave247 said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@voip_n00b said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dave247 I use certificates to only allow company owned and managed devices to connect.
Interesting, can you elaborate more on how you achieve that?
It's common to have certificates with VPN.
An OpenVPN client, for example, without any MFA is usually set up so that it needs a client certificate and a username and a password as well as the connection info. The same goes for Cisco AnyConnect and others.
The VPN connection uses mutual authentication, so the client authenticates that the server is who it is supposed to be and the server authenticates that the client is who it says it is.
If you install the certificate on your company devices, you can't connect to the VPN just by downloading and installing the client on another computer and entering the credentials, because you don't have the certificate.
So that's how you can control what device is allowed to connect. For more security the certificates can also be stored on smart cards, hardware devices or even the TPM module inside the computer.
You should have something similar on NetExtender. Look for client certificate or client authentication.
Another thing with certificates is that you can prevent VPN access by revoking the client's certificate. And also certificates expire so you can give someone a short term access if you like.
Nice, I will check it out. I have opened a few tickets and asked around other places regarding NetExtender and nobody has said anything about this, so I don't know if it's possible with the Sonicwall NSA / NetExtender setup, but I will find out.
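As an added illustration of the client-certificate approach pete-s describes (this is example configuration written here, not taken from any post above or from SonicWall), the OpenVPN server fragment below shows the weak setting that lets anyone with the client and a password connect, then the corrected setting that requires a certificate issued only to company-managed devices, checks a CRL so a revoked device is refused, and still asks for credentials on top. File names, the hostname and the PAM plugin path are placeholders.

```conf
# WEAK: verify-client-cert none means a device with no certificate can
# still connect with just a username and password, so any computer that
# has the client installed can reach the network.
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
verify-client-cert none
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login

# CORRECTED: mutual TLS. The client must present a certificate signed by
# our CA (only issued to company-owned devices), the CRL is checked so a
# revoked device is turned away, and a username/password is required too.
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-crypt ta.key                 # drop packets not carrying the shared key
verify-client-cert require
crl-verify crl.pem               # regenerate after each revocation
remote-cert-eku "TLS Web Client Authentication"
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login

# Matching client profile for one managed laptop: the per-device
# certificate/key is what proves "company owned"; remote-cert-tls makes
# the client verify the server's certificate as well (mutual authentication).
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert laptop-0123.crt
key laptop-0123.key
tls-crypt ta.key
remote-cert-tls server
auth-user-pass
```

Revoking a lost device is then a CA operation (for an OpenSSL-managed CA, `openssl ca -revoke laptop-0123.crt` followed by `openssl ca -gencrl -out crl.pem`); a short certificate validity period gives the temporary access pete-s mentions without any revocation step.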
-
RE: New customer - greenfield setup
@scottalanmiller said in New customer - greenfield setup:
@dave247 said in New customer - greenfield setup:
I was able to add many category-based exceptions which included banking and medical services, among others. So at least that concern is somewhat removed there, but still.
That's good that they try. A problem with that, though, is that categories have to be maintained and trusted. So if you use Bank of America or Wells Fargo, I'm sure you are fine. But what if you use a local savings and loan or credit union or a foreign bank or do your banking through a third party site? Sure, your bank might make their list, but it might not. They make an effort, and probably a good one, but at some point it's just people making a list of sites they feel should be in a category. They don't really know. Anyone can make a fake bank website to get around that; there's no way to have enough staff to check sites. And I'm sure tons of real financial institutions get missed because no one thought of checking that name.
Yes, great points there. Oh hey, I was also going to ask you why you excluded Sophos from your deep packet inspection comment. I assume you will say they do it right, and if that's the case, how do they do it better / correctly?
-
RE: Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote
@voip_n00b said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dave247 I use certificates to only allow company owned and managed devices to connect.
Interesting, can you elaborate more on how you achieve that?
-
RE: New customer - greenfield setup
@scottalanmiller said in New customer - greenfield setup:
@dave247 said in New customer - greenfield setup:
@scottalanmiller said in New customer - greenfield setup:
@dashrender said in New customer - greenfield setup:
Of course it's really only worthwhile where we can do SSL inspection (can this be done without installing certs on the clients to allow MiTM inspection?)
Nope, that's physically impossible. These types of devices I see as reckless because they are often poorly maintained, often made by questionable vendors (Sophos is fine, but many others are less respectable) and provide a single point of total egress of your data with nearly all assumed protections removed.
Hey Scott, can you elaborate a bit more on that - I'm talking about the recklessness of SSL inspection. I ask because my company has a Sonicwall NSA appliance and in the past I have attempted using the "DPI-SSL" feature (deep packet inspection) which required installing the Sonicwall cert on all systems and then the traffic would be intercepted and inspected. Despite me following their guide and applying the correct settings and site exceptions, I still had some issues and ended up scrapping the effort for now. I already know your opinion on Sonicwall but I just wanted to get more insight into the whole deep packet inspection effort.
So my issue with that is that it "breaks" the entire security chain. The idea behind the certificate system is that your traffic is encrypted end to end. By adding a man in the middle there is a time when the traffic is not encrypted, but both the browser and the server believe that it is.
If everything works as expected, this is fine because we trust the man in the middle, in this case. But that's asking a lot of "another system" to be completely trusted.
In reality neither of the end points truly trust the man in the middle. The "firewall" isn't a friend here, it's in the path because it already distrusts both end points. So trust is not really appropriately at play here.
On a technology side, this adds an extremely high profile target that is rarely secured close to as well as the server or the workstations are. Traditionally firewalls were an extra layer of security, rather than an extra layer of risk. A compromised firewall meant that you lost a layer of defense, not that the firewall represented a bypass to existing security measures as well. So this ends up being a lot like a VPN, everyone says it's for security, but as used it is nearly always a huge risk because risk is extended rather than the tool being used to lock it down more.
So both hard technical by adding a huge point of exposure and for bypassing existing controls; and soft technical by putting the most critical point of exposure where network admins tend to understand it the least and where politics tend to keep it from getting properly maintained.
Then comes liability. Legally you can use this in most circumstances. But only most. I would never use this without my legal team signing off on it. Because you are hijacking encrypted data mid-stream that is meant to be trusted, you risk both political fallout (customers, vendors, etc. being angry or going public that data may have been hijacked - possibly without consent) and legal fallout (if this is discovered and HIPAA data was in flight, for example, it technically violated any end to end encryption laws or requirements.) Knowingly decrypting network traffic midway carries a lot of risk and you really need to understand the legal or business risk to all of the traffic. It's not something you can just do and not worry about.
As a business owner, never ever would I take that risk. Huge risk, no real value to doing so. I'd have to be a seriously emotionally driven control freak to consider doing something like this.
Which brings the final problem with it... a tool like this would not be made by or deployed by those who value security. So if you have a vendor making these tools, or you have management demanding these tools, you have people who are prioritizing control or the emotional perception of control above business interests and security. Sure, a vendor like SonicWall is just catering to their client base. To them it is a good business decision, but that decision is to allow their customers to undermine their own security. So from a security perspective, this goes against all common sense and otherwise stated practices.
As an aside, IF something like this was ever warranted, it should never be put on the firewall but run in a VM like any other production workload. That people put it on the firewall instead shows how little security thinking is involved when these products are discussed. There are better ways to do this if someone actually intended to do it in a good way.
Nice! I'm glad to hear you point all those things out because I've also thought similarly about deep packet inspection / MITM functionality on the firewall. It's basically breaking that secure chain of trust, like you said, and when I first learned about it, I just thought it seemed a little risky or wrong or something.
And as I added more and more exceptions, I began to think, what is the point of this if I'm going to add a bunch of exceptions? Then I would just be leaving all the untrusted sites but that sort of thing should be more filtered out using web content filtering, not DPI.
Also, I'm not defending it, but when I was attempting to enable DPI-SSL on our Sonicwall, I was able to add many category-based exceptions which included banking and medical services, among others. So at least that concern is somewhat removed there, but still.
-
RE: Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote
I was just thinking, there's not really currently a way I can lock down access to specific computers that can access the VPN. I can give access to only select employees, but what's to stop an employee from downloading NetExtender on a non-company managed device and accessing the network that way?
-
RE: New customer - greenfield setup
@scottalanmiller said in New customer - greenfield setup:
@dashrender said in New customer - greenfield setup:
Of course it's really only worthwhile where we can do SSL inspection (can this be done without installing certs on the clients to allow MiTM inspection?)
Nope, that's physically impossible. These types of devices I see as reckless because they are often poorly maintained, often made by questionable vendors (Sophos is fine, but many others are less respectable) and provide a single point of total egress of your data with nearly all assumed protections removed.
Hey Scott, can you elaborate a bit more on that - I'm talking about the recklessness of SSL inspection. I ask because my company has a Sonicwall NSA appliance and in the past I have attempted using the "DPI-SSL" feature (deep packet inspection) which required installing the Sonicwall cert on all systems and then the traffic would be intercepted and inspected. Despite me following their guide and applying the correct settings and site exceptions, I still had some issues and ended up scrapping the effort for now. I already know your opinion on Sonicwall but I just wanted to get more insight into the whole deep packet inspection effort.
-
RE: New customer - greenfield setup
For basic site filter, would you consider OpenDNS? Then, like Jared said, discipline the employees.
-
RE: Staying at your shitty employer is your fault
@irj said in Staying at your shitty employer is your fault:
@gjacobse said in Staying at your shitty employer is your fault:
@irj said in Staying at your shitty employer is your fault:
He's referring to total comp in which you get a base of $150-200k
Lol - Guess I'm in the wrong LinkedIn circle as I don't get anything in that base range... And I'm okay with that (twitch).
It's generally based on skillset and experience. 2-3 years cloud experience is super valuable right now. I posted about this in 2019 here.
https://mangolassi.it/topic/19837/you-need-to-get-cloud-certified
I'm 6 years into IT (network admin, sysadmin, security (generalist)) and have my Security+ and am making $70,000 in Wisconsin right now. Is that low/normal/high?
-
RE: Staying at your shitty employer is your fault
@obsolesce said in Staying at your shitty employer is your fault:
@dave247 said in Staying at your shitty employer is your fault:
@jaredbusch said in Staying at your shitty employer is your fault:
@dave247 said in Staying at your shitty employer is your fault:
Where is everyone searching for quality IT job postings these days?
Word of mouth. I've never gotten a good job from a random posting.
I suppose the correct answer to myself is a wide net of every combination, including word of mouth, job posting sites like Indeed, Monster, etc, direct job postings on the website of the company, LinkedIn, etc.
I managed to get my first IT job using my state's job network website. I got a call-back from HR and had some awesome back and forth and landed a great gig. My friend and past co-worker got an amazing job from a head-hunter on LinkedIn. Another friend got a job from a company website post...
The last several good jobs I was either offered or have started were directly from LinkedIn, and some of them are $300K to $500K jobs.
Can I ask what kind of IT jobs those were and the general requirements? That seems a little hard to believe unless you're talking about jobs in the major US technology hubs... but I have limited knowledge and experience in this area.
-
RE: Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote
@pete-s said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dave247 Can you use 2FA on the VPN connection when doing it like that? Otherwise that would be a major concern.
Another issue with forced VPN is that if your VPN is down then the users can't login at all and can't work. That's a lot of eggs in the same basket. Does your company have HA firewalls, redundant internet, redundant power etc?
Otherwise using the cached domain password the users could login locally. Then they would be able to use their computers with local files and software and also have access to online resources such as M365 and whatever else you use.
Yes, the Sonicwall supports TOTP codes on the connection, thankfully. The VPN connection wouldn't be forced, though users would obviously need a continuous VPN connection to use apps on the local network. We do also have O365 so they aren't dead in the water if the VPN went down for some reason. Yes, I have redundant firewalls, Internet and power, etc. I have as much redundancy and failover as possible/makes sense to. Internet goes down maybe twice a year since I've been there (5+ years) so it's not really a concern at all. Honestly, this is probably the best setup currently for us in our current state.
@JasGot pretty much helped me the most here to solve my problem, which was just something simple I had overlooked.
/thread
-
RE: Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote
@dbeato said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@pete-s said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dave247 Can you use 2FA on the VPN connection when doing it like that? Otherwise that would be a major concern.
Another issue with forced VPN is that if your VPN is down then the users can't login at all and can't work. That's a lot of eggs in the same basket. Does your company have HA firewalls, redundant internet, redundant power etc?
Otherwise using the cached domain password the users could login locally. Then they would be able to use their computers with local files and software and also have access to online resources such as M365 and whatever else you use.
No, you cannot use 2FA from within Windows Login screen with Sonicwall NetExtender.
Actually you can. You just click the icon to pull up NetExtender and punch your creds in, then it asks you for the TOTP.
-
RE: Staying at your shitty employer is your fault
@jaredbusch said in Staying at your shitty employer is your fault:
@dave247 said in Staying at your shitty employer is your fault:
Where is everyone searching for quality IT job postings these days?
Word of mouth. I've never gotten a good job from a random posting.
I suppose the correct answer to myself is a wide net of every combination, including word of mouth, job posting sites like Indeed, Monster, etc, direct job postings on the website of the company, LinkedIn, etc.
I managed to get my first IT job using my state's job network website. I got a call-back from HR and had some awesome back and forth and landed a great gig. My friend and past co-worker got an amazing job from a head-hunter on LinkedIn. Another friend got a job from a company website post...
-
RE: Staying at your shitty employer is your fault
Where is everyone searching for quality IT job postings these days?
-
RE: Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote
@dbeato said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dave247 said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dbeato said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dbeato The version I have is 10.2.319 and it doesn't have that option.
There isn't even a 10.2.319 version... you be trollin me! (see https://www.mysonicwall.com/muir/freedownloads)
For the record, the latest version is 10.2.315 and the functionality is there regardless of if you install or upgrade.
If I wanted to troll you, I would have failed very badly. You must know me well enough by now to know that I don't troll. Here it is:
This is also provided on the SMA Appliances which also has been posted here
https://www.reddit.com/r/sonicwall/comments/rbrlsv/netextender_102319/
http://www.wehrenberg.ch/remote.html (Downloads are there)
If you try that version it does go away. However, in your case using a different version works for you and that's all that matters.
Ah, well they must have removed it due to the bug since it's not available for download from Sonicwall's official download sources. I wouldn't get it anywhere else.