    If LAN is legacy, what is the UN-legacy...?

IT Discussion | 188 Posts, 13 Posters, 91.0k Views
scottalanmiller @Dashrender

      @Dashrender said:

The biggest concern I see from something like ZT and Pertino is the breakdown of the protections that users get from simple routers - not even counting firewall features. i.e. ethernet packets (MAC based) traditionally can't traverse routers, therefore devices can't be attacked with these lower level MITM attacks that we hear about on wireless networks, etc.

      Am I concerned for nothing?

      The concern would be the same as any LAN. Any VPN technology can bypass those "security" measures that you are envisioning and anyone on the same LAN is "wide open" to each other. So while there is a reason to be aware, if you feel it is a full concern, the only answer would be a hardware router in front of every device.

scottalanmiller @Dashrender

        @Dashrender said:

        @adam.ierymenko said:

        Firewalls are dead. Thank the cloud.

        huh - you're the first that I can recall ever saying that firewalls are dead. from your above post about IPV6 and killing local firewalls, I can see I think you really mean that.

        https://community.spiceworks.com/topic/1409230-need-for-firewalls-on-home-networks
        http://www.infoworld.com/article/2616931/firewall-software/why-you-don-t-need-a-firewall.html

scottalanmiller @adam.ierymenko

          @adam.ierymenko said:

          No joke though. I really honestly think we could have just taken our firewall down and given every machine a public IP and there would have been little or no change to security posture. If anything, firewalls encourage the "soft underbelly" problem by giving people the illusion that the local network is secure. Take that old obsolete crutch away and people who do things like bind unpassworded databases to ::0 will look like dummies real fast and the problem will take care of itself over time.

          I don't agree with the concept that hardware network edge firewalls are dead, mostly because of the layered vulnerability problem (any bug in your OS is exposed for exploit instead of only bugs in your firewall first then bugs in your OS.) But I totally agree with the problems around the illusion of security. This is why things like port changing are actually security negatives - they both give a totally false sense of security and do nothing to actually slow an attacker in the least while flagging you as having something to hide and being clueless about security all at once.

scottalanmiller @adam.ierymenko

            @adam.ierymenko said:

            My approach to security is: secure everything as if it will be totally exposed on the public Internet, then add firewalls and such as an afterthought if appropriate. If something is not secure enough to be exposed to the public Internet without a firewall, it's not secure enough to be connected to any network ever.

Totally agree, and this is my "LANless" philosophy. The LAN is public, it is the enemy.

            You should only be "LAN-aware" insofar as knowing where the bandwidth is high versus where it is slow and/or metered.

scottalanmiller @adam.ierymenko
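The "secure it as if it were on the public Internet" principle in the last two posts, and the earlier point about databases bound to ::0, both come down to one question: what is this host actually listening on beyond loopback? The following is an added example, not code from the thread or from ZeroTier: a POSIX shell helper that reads `ss -lntu` output (iproute2) and reports every socket bound to a wildcard address, which is exactly the set that would be reachable the moment the box got a public IP with nothing in front of it. The `ss` lines embedded in it are constructed to show the format, not captured from a real host, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): list sockets that listen on every
# interface, i.e. what a public IP with no firewall in front would expose.
# Input is the output of `ss -H -lntu` (iproute2), one socket per line:
#   Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port

# Print "proto port" for each listener bound to a wildcard address.
# Reads ss-style lines from stdin; loopback-only binds are ignored.
exposed_listeners() {
  awk '
    $1 != "tcp" && $1 != "udp" { next }      # skip headers and other netids
    $1 == "tcp" && $2 != "LISTEN" { next }   # TCP must be listening; UDP rows show UNCONN
    {
      laddr = $5
      n = split(laddr, parts, ":")
      port = parts[n]                                        # text after the last ":"
      addr = substr(laddr, 1, length(laddr) - length(port) - 1)
      if (addr == "0.0.0.0" || addr == "*" || addr == "::" || addr == "[::]")
        print $1, port
    }'
}

# Constructed sample in the shape `ss -H -lntu` prints (not captured from a real host).
# 3306 and 6379 are loopback-only and must not be reported; the rest are exposed.
SAMPLE_SS='tcp   LISTEN 0 128 0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0 80  127.0.0.1:3306    0.0.0.0:*
tcp   LISTEN 0 511 [::]:80           [::]:*
tcp   LISTEN 0 128 [::1]:6379        [::]:*
udp   UNCONN 0 0   0.0.0.0:68        0.0.0.0:*
tcp   LISTEN 0 128 *:9200            *:*'

# Count the wildcard listeners in an ss dump. For anything that is not meant
# to be a public service the answer you want is 0.
count_exposed() {
  printf '%s\n' "$1" | exposed_listeners | grep -c . || true
}

if [ "${1:-}" = "--live" ]; then
  ss -H -lntu | exposed_listeners          # audit the current host
else
  printf '%s\n' "$SAMPLE_SS" | exposed_listeners
fi
```

Run it with `--live` on a host to see the real list; anything in it that is not a service you intend to serve to strangers (the 9200 and 3306-style entries in the sample are the usual suspects) needs either a loopback bind or authentication, not a firewall rule to hide it.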

              @adam.ierymenko said:

              Most people don't run php web apps on desktops and mobile devices.

              Apple did for a while 🙂

scottalanmiller @Dashrender

                @Dashrender said:

                That is no lie - So I can't get what I want, you'll give me this little thing over here, OK I'll just create a way to get what I want through that little thing.. done.. yeah - huge problem!

                Which is a key reason why I don't promote "over blocking" end users. Blocking things they would never want but might stumble on (malware, for example) at work is fine, if they were trying to download malware you've got other issues. But if they are trying to read their email, check on the time to pick up their kids from school or see how their buddy in the hospital is doing and we block them we become a barrier to overcome, IT becomes the silent enemy and they will find ways around that security.

                It is more secure to work with end users as security partners. In it together. Once we work against the end users, they are working against us.

scottalanmiller @adam.ierymenko

                  @adam.ierymenko said:

                  Fundamentally the endpoint is either secure or it is not. If it's not, all someone has to do is get into something behind your firewall and they own you. Increasingly that something could be a printer, a light bulb, or a microwave oven. How often do you patch your light bulbs? If the cloud killed the firewall, then IoT will dig it up and cremate it and encase it in concrete and re-bury it.

                  DMZ should address that, of course. If you have random consumer IoT on your corporate LAN, you have design issues.

scottalanmiller @adam.ierymenko

                    @adam.ierymenko said:

                    @wirestyle22 I was describing a guiding principle. Obviously not everything measures up to that and firewalls are still needed for a lot of situations. I just consider them "legacy" and think that if you're designing or building something new it's best to design it to be secure in itself rather than assuming your private network is always going to stay private. Never trust the network, especially if it might have light bulbs and cloud connected printers on it.

                    If you think of most cloud services, except for Azure, by default there is no firewall. Azure does this, somewhat obviously, to slow the attacks against Windows since Azure is the only cloud with a focus on Windows and that brings a lot of vulnerabilities compared to what everyone else focuses on.

                    By default, if you start using Amazon, Rackspace, Digital Ocean, Vultr or most others, your machines get no firewall. They get full exposure via a public IP. This is now standard. And hacking rates are low. You don't hear about those machines getting hacked left and right. Of course, most are patched via the template prior to install, that's huge. And the DevOps model encourages rapid destruction and constant updating.

                    But even at @NTG, the vast majority of our servers are not firewalled externally and there are no issues. But back in 2001, doing the same thing, meant our systems were pwned before you could put them into production! Now we get decades without a successful attack.

scottalanmiller @wirestyle22

                      @wirestyle22 said:

                      This appsec keynote is terrifying. I mean, you kind of expect your security to be somewhat low at the 25 million dollar level but these fortune 500 companies too? Man. The stuff of nightmares

                      Actually the opposite. The F500 are so large they have essentially no means of being heavily secure. Only medium sized companies can hire "the best". Everyone else has to hire the leftovers.

SMBs are too small and poor to attract "the best" except for special cases, it's rare. SMBs like high end MSPs or open source shops are different because they don't use money to attract the top talent, people do it for the good of mankind or because of flexibility or whatever - they do things that are not monetary compensation (I make only 12% of what I could in the F500 sector, for example, but my lifestyle is so much better.)

                      F500 hire more people (even smaller F500 hire towards 100K bodies) than exist in the top ranks of any field. If you want to hire "the best", you can't also hire "100K of them." There aren't 100K best people out there. And there are 500 companies of that size. So that's not 100K, it's 100K each. There are like 50 million people working in those 500 companies. That's like 1/3rd of the entire workforce or more in the US. (Remember kids, retirees, stay at home parents and others don't work.) So the F500 works by trying to "not hire the worst", rather than "hiring the best." They use procedure and process to make middling workers do moderately well.

                      This leaves the medium space, where the pockets are deep, the company is small enough to focus and care and be guided by someone with passion and know how, to make an attempt at hiring the best and the brightest. They can pay the salaries like the F500, but they can also be selective. It's a unique space for general hiring of the absolute best outside of small, niche players in the SMB.

Dashrender @scottalanmiller

                        @scottalanmiller said:

                        @Dashrender said:

                        @adam.ierymenko said:

                        Firewalls are dead. Thank the cloud.

                        huh - you're the first that I can recall ever saying that firewalls are dead. from your above post about IPV6 and killing local firewalls, I can see I think you really mean that.

                        https://community.spiceworks.com/topic/1409230-need-for-firewalls-on-home-networks
                        http://www.infoworld.com/article/2616931/firewall-software/why-you-don-t-need-a-firewall.html

                        LOL - did you just want to see that others have said the firewall was dead for years?

scottalanmiller @Dashrender

                          @Dashrender said:

                          @scottalanmiller said:

                          @Dashrender said:

                          @adam.ierymenko said:

                          Firewalls are dead. Thank the cloud.

                          huh - you're the first that I can recall ever saying that firewalls are dead. from your above post about IPV6 and killing local firewalls, I can see I think you really mean that.

                          https://community.spiceworks.com/topic/1409230-need-for-firewalls-on-home-networks
                          http://www.infoworld.com/article/2616931/firewall-software/why-you-don-t-need-a-firewall.html

                          LOL - did you just want to see that others have said the firewall was dead for years?

                          I was just showing that it's a theory that has been going around.

Dashrender @scottalanmiller

                            @scottalanmiller said:

                            @Dashrender said:

                            That is no lie - So I can't get what I want, you'll give me this little thing over here, OK I'll just create a way to get what I want through that little thing.. done.. yeah - huge problem!

                            Which is a key reason why I don't promote "over blocking" end users. Blocking things they would never want but might stumble on (malware, for example) at work is fine, if they were trying to download malware you've got other issues. But if they are trying to read their email, check on the time to pick up their kids from school or see how their buddy in the hospital is doing and we block them we become a barrier to overcome, IT becomes the silent enemy and they will find ways around that security.

                            It is more secure to work with end users as security partners. In it together. Once we work against the end users, they are working against us.

While I do understand what you are getting at on the last point there - I just haven't brought myself to fully agree with the entirety of the message. The reason is that I personally don't care if users are using their personal email, Facebook, random web surfing at work, that's an HR problem, not an IT problem. But I do care about keeping their often fraught-with-garbage traffic off my current LAN setup. My personal goals are different than my stated goals from my thread the other day.

In the hopefully not too distant future when the LAN is just another untrusted network it would be less of an issue.

dafyre

What I don't understand is why anyone with any IT knowledge in a business setting would treat their network as trusted? I don't even do this with my ZT network, and I manually authorized every device on there (granted it's only 10 so far, lol).

                              It is far too easy to bring in a personal device that may or may not be infected with a polymorphic bug / worm / trojan / crypto / other bad things and plug it in or connect it to the network at your business -- even if you are doing 802.11x or some other type of LAN security.

                              I generally keep things like the Windows Firewall and FirewallD enabled on my devices, and only punch holes in them for services that I want available on my lan or public network. This is also true of my ZT subnet as well. Why take the risk that one device could get a bug and easily share it with the rest of the systems on my ZT Subnet or LAN?

wirestyle22 @dafyre (last edited by wirestyle22)

                                @dafyre said:

What I don't understand is why anyone with any IT knowledge in a business setting would treat their network as trusted? I don't even do this with my ZT network, and I manually authorized every device on there (granted it's only 10 so far, lol).

                                It is far too easy to bring in a personal device that may or may not be infected with a polymorphic bug / worm / trojan / crypto / other bad things and plug it in or connect it to the network at your business -- even if you are doing 802.11x or some other type of LAN security.

                                I generally keep things like the Windows Firewall and FirewallD enabled on my devices, and only punch holes in them for services that I want available on my lan or public network. This is also true of my ZT subnet as well. Why take the risk that one device could get a bug and easily share it with the rest of the systems on my ZT Subnet or LAN?

                                Yeah this is one of the worst parts of my network. I do monitor the LAN and run Wireshark every day but it's not great. My company will not purchase anything. I got them to buy ten raspberry pi's simply because they are cheap. I use them for all sorts of things. That's all I can really hope for (which isn't much)

FATeknollogee @dafyre

                                  @dafyre said:

                                  I generally keep things like the Windows Firewall and FirewallD enabled on my devices...

                                  Curious, what is FirewallD?

dafyre @FATeknollogee

                                    @FATeknollogee said:

                                    @dafyre said:

                                    I generally keep things like the Windows Firewall and FirewallD enabled on my devices...

                                    Curious, what is FirewallD?

It's a firewall front end for a few Linux distros. (It just does iptables commands for you).

wirestyle22 (last edited by wirestyle22)
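dafyre's approach above (host firewall on, holes punched only for services the box is meant to serve) and the description of firewalld as a front end that generates the packet-filter rules for you look like this on a firewalld host. This is an added example, not code from the thread or from the firewalld project: it turns a zone into default-deny, strips the stock `ssh` and `dhcpv6-client` allowances, and adds back only the listed port/proto pairs. The `FWCMD` variable is my own knob so the commands can be printed with `FWCMD=echo` before they are run for real; the zone name `public` and the ports in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): a default-deny host firewall with
# firewalld, opening only the ports the host is supposed to serve.
# FWCMD defaults to the real firewall-cmd; set FWCMD=echo to print the
# commands instead of running them (review before applying, or testing).
set -eu

FWCMD="${FWCMD:-firewall-cmd}"

# host_firewall_lockdown ZONE PORT/PROTO...
# Example: host_firewall_lockdown public 22/tcp 443/tcp
host_firewall_lockdown() {
  zone="$1"; shift
  # Unmatched traffic is dropped rather than rejected with an ICMP error.
  $FWCMD --permanent --zone="$zone" --set-target=DROP
  # Remove what the stock "public" zone opens by default, then add back only
  # what was requested. Removing an absent service is only a warning in firewalld.
  $FWCMD --permanent --zone="$zone" --remove-service=ssh || true
  $FWCMD --permanent --zone="$zone" --remove-service=dhcpv6-client || true
  for p in "$@"; do
    $FWCMD --permanent --zone="$zone" --add-port="$p"
  done
  # Interfaces without an explicit zone follow the default zone.
  $FWCMD --set-default-zone="$zone"
  # Permanent changes only take effect on reload.
  $FWCMD --reload
}

# Show the resulting zone, and the packet filter rules firewalld generated
# from it (nftables on current releases; `iptables -S` on the older backend).
host_firewall_show() {
  $FWCMD --zone="$1" --list-all
  nft list ruleset 2>/dev/null || iptables -S
}

if [ "${1:-}" = "--apply" ]; then
  shift
  host_firewall_lockdown "$@"
  host_firewall_show "$1"
fi
```

Run `FWCMD=echo sh lockdown.sh --apply public 22/tcp 443/tcp` first to see the exact `firewall-cmd` calls, then without `FWCMD` to apply them; the `host_firewall_show` step is the one that makes the "it just does iptables/nftables for you" point visible, since the rules it prints are the ones the zone definition was compiled into. Leave the management port out of the list only if you have console access.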

                                      Any recommendations for best books for network security in a windows network? I am creating a home library to educate myself.

adam.ierymenko @Dashrender (last edited by adam.ierymenko)

                                        @Dashrender Decentralization is not all or nothing. You can have a p2p network with a central database that it uses for persistence and missed connections.

                                        If you want to go all-in on decentralization you can do that with a DHT and crypto, but it's more work and possibly less reliable or slower.

                                        As far as the feds telling Skype to centralize: I personally doubt this and have always heard it was because they found p2p too hard on mobile. Another reason is they were bought by Microsoft. Centralization's cost decreases exponentially if you already own data centers. It's an economy of scale. So once MS bought them the economic incentive to decentralize was gone and centralization is a more standard way of doing things that more coders understand and it does make some problems simpler.

Dashrender @adam.ierymenko

                                          @adam.ierymenko said:

                                          @Dashrender Decentralization is not all or nothing. You can have a p2p network with a central database that it uses for persistence and missed connections.

                                          If you want to go all-in on decentralization you can do that with a DHT and crypto, but it's more work and possibly less reliable or slower.

                                          As far as the feds telling Skype to centralize: I personally doubt this and have always heard it was because they found p2p too hard on mobile. Another reason is they were bought by Microsoft. Centralization's cost decreases exponentially if you already own data centers. It's an economy of scale. So once MS bought them the economic incentive to decentralize was gone and centralization is a more standard way of doing things that more coders understand and it does make some problems simpler.

                                          Huh - that does make sense, but you're the first I've heard mention these points.

adam.ierymenko @Dashrender (last edited by adam.ierymenko)

                                            @Dashrender The economy of scale thing is what I meant by the p2p complexity tax being "regressive" in my presentation on firewalls. The bigger you are, the less it costs to either invest in the engineering required to do p2p well or just back-haul everything to the cloud. If (like MS) you own a bunch of your own data centers, then putting all traffic through your cloud is very cheap due to the scale you already have. So the cloud back-haul requirement intrinsically favors large vendors.

Personally I think Skype going central was just the MS economy of scale thing. You can do P2P on mobile; ZeroTier has an Android app and soon an iOS one and they work fine. My phone is always pingable on our company LAN and the impact on battery life is in the fractions of a percent. Of course maybe that's more true today... Skype ported to mobile back when phones had slower single-core CPUs and smaller batteries. Radios have quietly gotten way more efficient too, so the constant low-grade peer-to-peer packet slinging doesn't eat as much battery as it might have with earlier generation LTE and WiFi chipsets.
