Consolidated Business & Enterprise Computing Rant Thread

Discussion in 'Business & Enterprise Computing' started by elvis, Jul 1, 2008.

  1. OP
    OP
    elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    41,068
    Location:
    Brisbane
    Like all security, there's no one single solution there, and no solution is without problems. SSL decryption is an interesting problem, as the whole fudging of certificates at the client side thing leads to bigger issues around what the users see at their end, and whether or not applications work with it. That doesn't make it bad, but it does mean it's not a trivial panacea courtesy of a magical vendor-provided box, and that other issues downstream will occur as a result.

    I previously worked for a large finance org, and they had non-stop issues with the Justice Attorney General's central security department who needed to use the web based services, and their SSL inspection stuff constantly broke the software (they'd do things like not respect the no-cache headers, cache user content that should be inside SSL anyway, and end up exposing secure/private data to the wrong users inside their org). The development and management costs at both ends were enormous. Completely warranted, given what each side was responsible for, but incredibly costly and complex.

    Services like OpenDNS are pretty interesting too, as they can give you a lot of eyes on the "shadow IT" stuff that goes on in every single company these days. I'm looking at that for my current workplace as a way to get some extra reporting without having to develop it ourselves. It's not the answer to seeing what happens inside SSL encrypted communications, but it does give a very quick view of who's using what services around the Innertubes, which in turn allows us to dig in a more focussed manner when we need to.

    I get you're just making the example, but if security is a genuine concern to your industry, you won't be allowing sites like dropbox at all, long before you bother digging inside the HTTPS stream.

    SSL decrypt is cool, but some of the oldschool methods like whitelisting do a lot more for security at a fraction of the CPU and dollar cost. I understand too that it can piss off the non-technical folk who don't understand how to email the client with instructions on how to use the provided, secure SFTP site, and they "need" their urgent dropbox hosted XLSX file now now now, but that's where the business and the security teams need to work together better outside of computers, and have some faith that they're all working for the same team, and towards the same goals. (Hey look at that, I'm being all friendly, fluffy, and rose coloured glasses for once - Happy New Year!).

    But yes, the point is understood, there are many other services less blatantly dodgy than dropbox that are SSL encrypted, valid for business use, and are nice to peer inside once in a while to make sure they're not sending nasties around the place.

    All I can say is, it's a financially viable time to have even the tiniest bit of security experience. Thanks, cloud! :)
     
  2. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    13,338
    Location:
    Canberra
    It's of course easy to do (MITM) now and has been for ages, but it completely breaks the whole idea of SSL/TLS (the trust part at least).

    I know (years ago now) one department would whitelist SSL sites (default deny all). This will (if not already) become useless/unmanageable, as the general push on the interwebs at large is to go TLS completely for everything - rather than the traditional banking/logon pages/shopping carts/payment gateways etc. Why does the google search page need TLS*?



    * SPDY/HTTP2 ?
     
  3. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    13,924
    So Google have Leverage over the Gubermint... otherwise they would just read whatever they wanted off the wire.
     
  4. tin

    tin Member

    Joined:
    Jul 31, 2001
    Messages:
    6,414
    Location:
    Narrabri NSW
    Having used a few "secure FTP" sites designed in-house by various companies, I'd guess not understanding how to send the instructions is the least of their concerns... The mere fact people need instructions is one major factor for most users.
    I'm pretty sure I've never had to use the one where elvis works though, which I hope/assume is better than some of the abominations I've seen :D

    A well designed system doesn't need instructions because the instructions become part of the interface. All the client needs to be sent is a link (and maybe a username/password). The rest should be as self-explanatory as Dropbox or similar.
     
  5. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    13,056
    Location:
    Brisbane
    Gonna have to disagree on that one sorry. Decryption and interception of SSL certificates breaks the whole point of certificates in the first place, and makes a great place for an attacker to intercept all company information.

    Your intercepting HTTP proxy ain't gonna magically prevent the HTTPS download of cryptolocker.js. Are you logging DNS traffic too to identify data exfiltration over DNS? Etc etc

    To me the biggest attack vector is still the easily the users :)
     
  6. OP
    OP
    elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    41,068
    Location:
    Brisbane
    My problem with this is businesses (more accurately, users) stamping their feet and demanding things that are one-click simple for their iPhone using brains to comprehend, turning to tools like Dropbox because it is exactly that, and then becoming a trivialised attack vector for cryptolocker et al.

    Which leads perfectly into this post...

    +1 to all of that. SFTP with a 1-page PDF of instructions is too hard, so we turn to services like Dropbox, but then insist on SSL inspection as a way to "secure" these services we don't trust? It all seems arse backwards.

    I'm blown away lately by the volume of businesses who scream blue murder when you suggest outsourcing email (because "security"), but then admit to allowing their users to use all manner of untrustworthy cloud services like Dropbox (because "one click simplicity"). If you're insisting on keeping your mail server inside your firewall for security reasons, you'll be doing the same with your file transfer systems. Otherwise your excuses for arbitrarily allowing one but not the other are pretty damned thin.

    We rolled out a SFTP server (chrooted OpenSSH with SFTP-only, non-shell accounts) for transferring confidential files back and forth with two very large Hollywood film and TV production studios, both members of the MPAA. The setup was trivial to build, and achieved MPAA tick of approval without any fuss. Yes, it is harder to use than clicking a link in an email, but I'm hoping that both our company and theirs employ people who can do things that are of a larger complexity than a single mouse click. The most complex bit is having their various IT departments deploy an SFTP client to their SOE, but again this was trivial to achieve (given that SFTP is an open protocol, and the large number of clients out there left the individual IT departments from each company plenty of choice on what to deploy to meet their needs). No, not web based, but still simple and quite reliable (even when being automatically patched constantly).

    On the subject of monitoring DNS, I mentioned OpenDNS before. It's recently been acquired by Cisco (a negative in my books - see Iron Port for why I feel that way), but regardless of that offers some pretty good realtime DNS-level monitoring and alerting:

    https://www.opendns.com/enterprise-security/threat-enforcement/

    If someone within your organisation is making DNS requests to known bad hosts, you get alerted (even if the request is blocked). I've been interested in trying it out for a while now purely on the reporting front. We log network connectivity at the application/IP/port level, but DNS logging is a missing part to that picture.
     
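    The chrooted, SFTP-only, non-shell OpenSSH setup described in the post above, as an added example (not the poster's own configuration): an sshd_config Match block for an assumed group "sftponly", a root-only helper that creates an account under an assumed /srv/sftp/<user> chroot, and a check that a config actually restricts that group.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: group "sftponly",
# chroot root /srv/sftp/<user>, user-writable subdir "files" inside it.

# Emit the sshd_config fragment. The Subsystem line replaces the distro
# default (it must sit outside any Match block); the Match block is appended.
sftp_only_block() {
  cat <<'EOF'
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# Create one SFTP-only account (run as root; not exercised by the test).
# The chroot root must be root-owned and not group/world writable or sshd
# refuses the login, so users write into a subdirectory they own instead.
add_sftp_user() {
  user="$1"
  groupadd -f sftponly
  useradd -M -g sftponly -s /usr/sbin/nologin "$user"   # /sbin/nologin on RHEL-style systems
  install -d -o root -g root -m 755 /srv/sftp/"$user"
  install -d -o "$user" -g sftponly -m 750 /srv/sftp/"$user"/files
  # Set a password with passwd(1) or install an authorized_keys file as usual.
}

# Return 0 when the config has, inside a "Match Group <grp>" block, a
# ChrootDirectory, ForceCommand internal-sftp and AllowTcpForwarding no;
# return 1 otherwise. Run "sshd -t" afterwards for a full syntax check.
check_sftp_only() {
  cfg="$1"; grp="$2"
  awk -v grp="$grp" '
    /^[[:space:]]*Match[[:space:]]+Group[[:space:]]+/ { inblk = ($3 == grp); next }
    /^[[:space:]]*Match[[:space:]]/                    { inblk = 0; next }
    inblk && $1 == "ChrootDirectory"                       { chroot = 1 }
    inblk && $1 == "ForceCommand" && $2 == "internal-sftp" { force = 1 }
    inblk && $1 == "AllowTcpForwarding" && $2 == "no"      { notcp = 1 }
    END { exit (chroot && force && notcp) ? 0 : 1 }
  ' "$cfg"
}
```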
  7. EvilGenius

    EvilGenius Member

    Joined:
    Apr 26, 2005
    Messages:
    10,547
    Location:
    elsewhere
    We use opendns on our network. Had a few interesting cases where it appeared staff were browsing porn all day at work, but was in fact just crapware on their pc that wasn't tickling the spidey sense of anything else. Can't complain about it so far, other than I can't get onto IRC at work any more because it has oz.org flagged as a botnet :p
     
  8. tin

    tin Member

    Joined:
    Jul 31, 2001
    Messages:
    6,414
    Location:
    Narrabri NSW
    As I expected - correct use of the term SFTP, and no fuss.
    Register an Explorer style client to handle sftp:// URLs and it's back to being single click.

    I can kind of see why external users might be put off by installing some seemingly random program, but once that hurdle is jumped, it's like using a mapped drive... Actually - does anyone know of any SFTP programs that actually can map drives?

    Edit: Just checked Windows Feedback to see if anyone had requested SFTP in Win10 and saw this:
    :D
     
  9. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    13,924
  10. OP
    OP
    elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    41,068
    Location:
    Brisbane
    We generally recommend WinSCP (from the Zip, without the SourceForge crapware addons) for Windows, or CyberDuck for Mac users. We provide 1-page PDFs for each with big, clear pictures and large red circles and arrows to guide the not so bright folk around the very complex tasks of putting in the hostname sftp.companyname.com.au and supplying a username and password.

    It's probably going to sound like I'm taking the piss here, but I'm genuinely not. I'm glad Microsoft have finally woken up to the power of the command line and remote secure shell access. PowerShell might have come a quarter of a century late, but thank the good lord it's finally here. Coupled with SSH, it's about bloody time.

    And amusingly, the recent explosion of cloud-everything devops type folk has made a younger generation of developers and admins wake up to exactly how powerful the command line is. Funny for me, because I spent quite a lot of time hearing that crowd complain about how archaic the command line was, and now I'm hearing them criticising the bigger companies for not embracing it. Quite amusing how perceptions change when people change from worrying about a handful of desktop machines to needing to keep thousands of these things in check out on the big bad internet. :)

    Good to hear. We went through substantial end point protection upgrades last year. Broader monitoring is on my list of things to try and convince the powers that be are necessary this year.
     
    Last edited: Jan 2, 2016
  11. wintermute000

    wintermute000 Member

    Joined:
    Jan 23, 2011
    Messages:
    2,297
    It is, if it's your NGFW or IPS. Of course there's still 0-days etc. but it's a lot better than not inspecting SSL traffic at all. Stuff like Fireeye and Palo have cloud based sandboxing as well and updates are pushed in almost real time.

    Opendns works well IMO, I always recommend it if the client wants something quick and easy, esp. if they have local internet access at their sites but no room/$$$ for branch firewalls and don't want to go to a proxy arch.

    I do agree re: Cisco security acquisitions, they haven't exactly covered themselves in glory over the past few years have they? Oh those new CX blades we were pushing only a couple of years now? you can f--k them off, along with MARs and CSM and oh here's a new sourcefire blade for our time tested (i.e. old) ASA architecture. There's a fair amount of angst out there from formerly happy Ironport users. I've talked to a few EAs who have been burnt too many times by Cisco security solutions to even give them the time of day LOL, and ASA is getting slapped around by every other NGFW vendor something shocking. I'm surprised they've been so poor in this area for so long (and yet still hang onto such a large market segment.... must be inertia + router guy bias IMO, and I say this as primarily a router guy!).

    Trustsec sounds great in theory but you'd have to have brass balls to roll it out (alongside all bells and whistles ISE), also your R&S staff will hate you forever as they struggle with implementing it on all edge devices (802.1X is nasty enough, now this? LOL). Also, it ties you to Cisco from your identity engine all the way to the access layer. Given their recent form, do I trust them to get the software right on all their platforms? (rhetorical question...)
     
    Last edited: Jan 2, 2016
  12. itsmydamnation

    itsmydamnation Member

    Joined:
    Apr 30, 2003
    Messages:
    10,613
    Location:
    Canberra
    yay someone replied for me... all I could do was sigh and think I cbf'd...... (I thought the reference to fire eye would hint at ICAP/services off loading).

    ASA is in a sad state, Source fire stuff has some very high performance platforms in limited early deployment ( 50-100 customers global) soon to be full release, should give the palo and check point a good run for its money.

    Also see that intel has ditched stonesoft, hopefully they will put some love back into the sidewinder.... always loved the charm of the old sidewinder, A "next gen firewall" for the last 15 years....lol
     
  13. wintermute000

    wintermute000 Member

    Joined:
    Jan 23, 2011
    Messages:
    2,297
    yeah the gossip I hear is that sourcefire is going to eventually take over, with ASA finally sliding into retirement. How to manage this gracefully is another question.

    There is also the mismatch between the features of the sourcefire tacked onto ASA, and native sourcefire, more confusion FTW (par for the course really for Cisco security products).
     
  14. OP
    OP
    elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    41,068
    Location:
    Brisbane
    Yeah, all of that is what gives me the willies about Cisco's OpenDNS acquisition. I'm hoping it's a little different given its software/cloud nature, rather than being an appliance device.
     
  15. DonutKing

    DonutKing Member

    Joined:
    Mar 21, 2004
    Messages:
    1,353
    Location:
    Tweed/Gold Coast
    We bought a new ASA with CX about 18 months ago... Can't say many good things about the CX. Lack of CLI and slow, laggy web interface makes config a chore.

    Ours also seems to stop web filtering completely after about 2 weeks of running, has since day 1 and even after about 4 software upgrades... just lets anything through. We have a ticket open with support but seems like they just want to procrastinate by waiting until the issue recurs and asking for something different each time - instead of checking the logs and config they already have....

    And to top it off our vendor tells us that Sourcefire is the way of the future and the CX will be put to pasture, but of course it's a different licence you need to buy. Someone mentioned SSL interception, the ASA CX can do that but apparently the Sourcefire can't.
     
  16. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    13,924
  17. FiShy

    FiShy Member

    Joined:
    Aug 15, 2001
    Messages:
    9,682
    it can... just need to buy extra bits :p
     
  18. Smokin Whale

    Smokin Whale Member

    Joined:
    Nov 29, 2006
    Messages:
    5,182
    Location:
    Pacific Ocean off SC
    Ugh, the phone is ringing again :thumbdn:

    I miss the peace and quiet already.

    Edit: The problem with these stats is that it doesn't document the severity of the vulnerabilities. Sure, a piece of software can have all sorts of holes, but if the holes don't compromise anything too serious then it's not a *big* deal.

    All it takes is one serious vulnerability (ie. heartbleed) to cause a serious clusterfuck.

    Saying that, pretty surprised how many vulnerabilities OSX and iOS have. I honestly did not expect it to be #1. Could anyone care to explain why this is the case?
     
    Last edited: Jan 4, 2016
  19. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    13,338
    Location:
    Canberra
    Don't expect a marketing company that sells expensive shiny toys to gullible creative types while making bogus patents and suing everyone to be able to code well - or care enough beyond the pretty gui to even attempt to do so.
     
  20. TehCamel

    TehCamel Member

    Joined:
    Oct 8, 2006
    Messages:
    4,183
    Location:
    Melbourne
    C: Could you remove access to $XX from $YY? I'll call you next week to explain.

    Me: Ok. does $YY know? Not yet, I'll call you next week to explain

    9:01am: Hi. It's $YY. I can't access $XX, it disappeared last week, I'm not sure what I did can you help me get it back

    Me: Ok, let me look into it and check the details in the background, it shouldn't just disappear. *Calls C, goes to "not available"*
    9:10am: Text C. Radio silence

    12:30pm: Hey, It's $YY again. I still can't access $XX

    FFS. Obviously I've been told to remove this for a reason, but it's not my place to tell them why, especially if I don't know why
     
