[HN Gopher] Zero Trust Networks
       ___________________________________________________________________
        
       Zero Trust Networks
        
       Author : pcr910303
       Score  : 46 points
       Date   : 2020-03-15 19:06 UTC (3 hours ago)
        
 (HTM) web link (crawshaw.io)
        
       | thanksforfish wrote:
       | This post is partially plugging https://tailscale.com.
       | 
       | With everyone looking at remote work, tons of people must be
       | questioning their VPN strategy right now. I know we are.
       | 
        | I was going to complain that that's a closed-source product (as
        | I don't want to use something closed source for my network
        | access controls), but it looks like the code is on GitHub, just
        | not linked in an obvious way from the website.
       | https://github.com/tailscale/tailscale
       | 
       | Has anyone used this or checked out the code? I may give it a
       | spin.
        
       | fulafel wrote:
       | Aka common sense.
        
       | nif2ee wrote:
       | @dang please will you ever take action against this excessive and
       | systematic exploitation of this company to market its products
       | for free here?
        
       | nif2ee wrote:
       | This company has been exploiting HN for so long on a systematic
       | basis. Really tells you how things work here.
        
       | kerng wrote:
        | The entire "BeyondCorp" strategy from Google has probably done
        | more harm than good. Tons of smaller companies and well-known
        | startups paid the price with breaches left and right.
       | 
       | Removing or not deploying basic firewall controls to lock down
       | traffic is ill advised. Tons of exposed s3 buckets and other
       | assets keep showing that.
       | 
        | Zero Trust is the correct strategy of course, but it doesn't
        | mean you have to open up your network to the entire world; it's
        | in addition to already established best practices. Better to
        | continue those traditional practices and be more thorough via
        | micro-segmentation for instance, and identity on top of it.
        
         | pm90 wrote:
         | > Tons of exposed s3 buckets and other assets keep showing
         | that.
         | 
         | Would firewall rules help alleviate that though? I can only
         | speak for GCS (GCP's s3 equivalent), but firewall rules don't
         | apply to GCS buckets.
         | 
         | Like a sibling commentator said, I would like to know more
         | instances of companies getting breached specifically for
         | adopting a zero trust networking philosophy.
        
           | kerng wrote:
           | Zero Trust is the right strategy, but very few have the
           | resources to implement it.
           | 
            | So they do Zero Trust in spirit, but end up without basic
            | security controls or full-fledged micro-segmentation and
            | identity.
           | 
           | If you work at a startup and experience exponential growth,
           | you know that your internal production network likely has no
           | authentication - this is unfortunately not uncommon and can
           | be dangerous.
           | 
            | What old school security controls prevent are the script
            | kiddie attacks (oops, that database or Elasticsearch
            | cluster exposed on the Internet) and random automation
            | attacks, of which there are plenty of examples.
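The "oops, that database is on the Internet" failure mode above is cheap to check for. The following is an added example, not code from the thread or from Tailscale: it audits `ss -ltnp`-style output for sensitive services bound to a wildcard address and emits nftables rule lines that restrict each one to an internal range. The sample output, the port list and the CIDR are constructed for the example.

```python
"""Added example (not from the thread): find sensitive services listening on
every interface and suggest nftables rules confining them to an internal
CIDR. Sample `ss -ltnp` output, port list and CIDR are constructed."""
import ipaddress
import re
from typing import Dict, List

# Services that should never listen on a wildcard address on a host with a
# public interface. Assumed list; extend it for your own environment.
SENSITIVE_PORTS = {
    5432: "postgresql", 3306: "mysql", 6379: "redis",
    9200: "elasticsearch", 27017: "mongodb", 2375: "docker-api",
}
WILDCARDS = {"0.0.0.0", "*", "::", "[::]"}

# `ss -ltnp` columns: State Recv-Q Send-Q Local:Port Peer:Port [Process]
LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+)\s+\S+(?:\s+(.*))?$")


def parse_ss(output: str) -> List[Dict]:
    """One record per LISTEN line: local address, port, process name."""
    records = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header or non-LISTEN line
        local, proc = m.group(1), m.group(2) or ""
        addr, _, port = local.rpartition(":")  # handles [::]:27017 too
        pm = re.search(r'"([^"]+)"', proc)
        records.append({"addr": addr, "port": int(port),
                        "proc": pm.group(1) if pm else "?"})
    return records


def exposed_services(output: str) -> List[Dict]:
    """Sensitive services bound to every interface (loopback binds are fine)."""
    return [r for r in parse_ss(output)
            if r["addr"] in WILDCARDS and r["port"] in SENSITIVE_PORTS]


def nft_rules(findings: List[Dict], internal_cidr: str) -> List[str]:
    """nftables rule lines for an input chain: accept from the internal
    range, drop everything else. Raises ValueError on a malformed CIDR."""
    net = ipaddress.ip_network(internal_cidr)
    rules = []
    for f in findings:
        p = f["port"]
        rules.append(f"tcp dport {p} ip saddr {net} accept  # {SENSITIVE_PORTS[p]}")
        rules.append(f"tcp dport {p} drop")
    return rules


# Constructed sample, not captured from a real host.
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:6379      0.0.0.0:*         users:(("redis-server",pid=811,fd=6))
LISTEN 0      4096   0.0.0.0:9200        0.0.0.0:*         users:(("java",pid=1204,fd=312))
LISTEN 0      244    0.0.0.0:5432        0.0.0.0:*         users:(("postgres",pid=655,fd=5))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=402,fd=3))
LISTEN 0      4096   [::]:27017          [::]:*            users:(("mongod",pid=990,fd=11))
"""

if __name__ == "__main__":
    found = exposed_services(SAMPLE)
    for f in found:
        print(f"EXPOSED {SENSITIVE_PORTS[f['port']]:14} {f['addr']}:{f['port']} ({f['proc']})")
    print("\n".join(nft_rules(found, "10.0.0.0/8")))
```

On the constructed sample the Redis instance on 127.0.0.1 and sshd on port 22 are left alone; Elasticsearch, PostgreSQL and MongoDB on wildcard addresses are flagged. The rules are only a starting point: a real deployment would put the accept rules in a chain with a default drop policy rather than relying on per-port drop lines.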
        
         | closeparen wrote:
         | BeyondCorp does not imply opening up your network to the entire
         | world! If anything, it means locking down your network tighter,
         | because not even the office is privileged. Production is a
         | black box that you touch by authenticating through the same
         | reverse proxy tier, no matter where outside of it you are. In
         | effect, _nginx_ is your "VPN" server and _everyone_ has to use
         | it.
         | 
         | Plenty of companies paid dearly for trusting every device that
         | merely needed internet access.
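The access model closeparen describes (every request, from the office or a coffee shop, goes through the same authenticating proxy tier) comes down to a policy decision that never looks at the source network. The following is an added example, not code from the post, from Google's BeyondCorp or from Tailscale: a minimal authorizer that requires a signed user assertion and a signed device assertion for every request and decides on group membership and device trust tier only. The token format (HMAC-signed JSON, a stand-in for whatever an identity provider issues), the shared keys and the policy table are assumptions.

```python
"""Added example (not from the post or any vendor's code): a BeyondCorp-style
access decision that ignores where a request came from. Token format, HMAC
keys and the policy table are assumptions made for the example."""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

# Assumed: the proxy shares one HMAC key with the identity provider that
# signs user assertions and another with the device-inventory service.
IDP_KEY = b"idp-demo-key"
DEVICE_KEY = b"device-inventory-demo-key"


def sign(payload: dict, key: bytes) -> str:
    """Issue a token: urlsafe-base64(JSON) '.' hex HMAC-SHA256."""
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify(token: str, key: bytes, now: float) -> Optional[dict]:
    """Return the payload if the MAC is valid and it has not expired."""
    try:
        body, mac = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload.get("exp", 0) < now:
        return None
    return payload


# Assumed policy: who may reach which backend and the minimum device trust
# tier required. There is deliberately no "allowed source CIDR" column.
POLICY = {
    "wiki.internal": {"groups": {"employees"}, "min_tier": 1},
    "prod-db-admin": {"groups": {"sre"}, "min_tier": 2},
}


@dataclass
class Decision:
    allow: bool
    reason: str


def authorize(host: str, user_token: str, device_token: str, src_ip: str,
              now: Optional[float] = None) -> Decision:
    """Decide one request. src_ip is recorded for the audit log only."""
    now = time.time() if now is None else now
    rule = POLICY.get(host)
    if rule is None:
        return Decision(False, "unknown backend")
    user = verify(user_token, IDP_KEY, now)
    if user is None:
        return Decision(False, "invalid or expired user assertion")
    device = verify(device_token, DEVICE_KEY, now)
    if device is None:
        return Decision(False, "invalid or expired device assertion")
    if not rule["groups"] & set(user.get("groups", [])):
        return Decision(False, f"{user['sub']} not in {sorted(rule['groups'])}")
    if device.get("tier", 0) < rule["min_tier"]:
        return Decision(False, f"device tier {device.get('tier', 0)} "
                               f"below {rule['min_tier']}")
    return Decision(True, f"{user['sub']} on {device['id']} from {src_ip}")


if __name__ == "__main__":
    now = time.time()
    u = sign({"sub": "alice", "groups": ["employees", "sre"], "exp": now + 600}, IDP_KEY)
    d = sign({"id": "laptop-42", "tier": 2, "exp": now + 600}, DEVICE_KEY)
    # Same user and device, office LAN or public Wi-Fi: the answer is identical.
    print(authorize("prod-db-admin", u, d, "10.0.0.5", now))
    print(authorize("prod-db-admin", u, d, "203.0.113.9", now))
```

The point the code makes is the one closeparen does: a request from the office subnet with no device assertion is refused, and one from an unknown public address with a valid user and a managed device is admitted. Real deployments replace the shared-secret HMAC with the identity provider's public-key signatures and mutual TLS for the device, but the decision logic stays the same.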
        
         | detaro wrote:
         | Do you have examples of breaches you'd attribute to imitating
         | "BeyondCorp"? What you describe does not sound like that.
        
           | api wrote:
           | One of my biggest gripes with infosec is how un-empirical the
           | field is. Best practices and advice are based on what
           | security people think is the best strategy for preventing
           | breaches, but rarely do I see that backed by actual data
           | about how real world breaches actually happen.
           | 
           | This leads to an outsized focus on the latest sexy
           | vulnerabilities (e.g. CPU speculative execution
           | vulnerabilities) and fetishes for things like firewalls.
           | Meanwhile people type 'npm install kitchen-sink' with no
           | worries.
           | 
           | In my own anecdotal but real world experience most breaches
           | result from phishing, downloaded malware, phishing to get the
           | user to download malware, and malware-assisted phishing, in
           | no particular order. Firewalls do nothing for that.
        
             | blondin wrote:
             | > This leads to an outsized focus on the latest sexy
             | vulnerabilities (e.g. CPU speculative execution
             | vulnerabilities) and fetishes for things like firewalls.
             | 
             | sounds like a fantastic plot for an anime. i can even see
             | firewall san in my head :)
             | 
             | seriously though, maybe phishing and malware are common
             | because firewalls are working?
        
             | yoloClin wrote:
             | I hugely agree on a lot of your points.
             | 
             | I'll also add that once I'm on a traditional network,
             | ripping through active directory is generally not difficult
             | - my first ever live pentest went from privileged non-AD
             | asset to domain admin within about 4 hours. My average time
             | to compromise has come down significantly since then, too.
             | 
              | There's lots of bad/scam security focusing on logging and
              | monitoring, weird antivirus products and securing the wrong
              | things. The last network I compromised dropped an obscene
              | amount of money on a SIEM product that couldn't detect nmap
              | or PtH attacks. I achieved complete compromise with the
              | same chain of attack as my first ever pentest because
              | nobody had looked at the fundamentals of
              | implementation/configuration security.
             | 
             | If I could list things that would actually secure
             | traditional networks:
             | 
             | - Application Whitelisting (Binary executables, strong
             | macro group policies, browser plugin whitelisting).
             | 
             | - Active Directory Hardening (See: ADSecurity, Microsoft AD
             | Hardening Guidelines, ACSC Windows 10 Hardening Guidelines)
             | 
             | - Regular Patching and reliance on Microsoft Products
             | (they're actually pretty good!)
             | 
             | Dunno if you'd consider these 'zero trust', but unless
             | you've covered the fundamentals nobody is going to waste
             | time figuring out how to abuse your network with
             | speculative execution or drop a huge amount of budget to
             | develop a perimeter breaching RCE 0day. Especially when in
             | most cases sending shitware.docx.exe to a sales staff
             | member (who is almost always going to run whatever you send
             | them if there's a bonus incentive) will suffice.
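A SIEM that cannot spot an internal nmap run is missing one of the simplest detections there is. The following is an added example, not code from the thread or from any SIEM product: a sliding-window port-scan detector that raises a vertical alert (many ports on one host from one source) or a horizontal alert (one port across many hosts from one source), run over constructed firewall log lines. The log format, thresholds and addresses are assumptions; the sample builder is labelled as constructed data.

```python
"""Added example (not from the thread): vertical and horizontal port-scan
detection over firewall-style log lines. Format, thresholds and the sample
traffic are constructed for the example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed log format: "<iso-ts>Z src=A dst=B dport=N proto=tcp action=deny"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$")


def parse(lines: List[str]) -> List[Dict]:
    """Parse matching lines into events sorted by timestamp."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({"ts": datetime.fromisoformat(d["ts"].replace("Z", "+00:00")),
                       "src": d["src"], "dst": d["dst"], "dport": int(d["dport"])})
    return sorted(events, key=lambda e: e["ts"])


def detect_scans(lines: List[str], window_s: int = 60,
                 vertical_min: int = 15, horizontal_min: int = 10) -> List[Dict]:
    """One alert per (source, kind, target) the first time a threshold is
    crossed inside any window_s-second window of that source's traffic."""
    events = parse(lines)
    window = timedelta(seconds=window_s)
    by_src: Dict[str, List[Dict]] = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts, seen = [], set()
    for src, evs in by_src.items():
        start = 0
        for end, cur in enumerate(evs):
            while cur["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward
            ports_per_host: Dict[str, set] = defaultdict(set)
            hosts_per_port: Dict[int, set] = defaultdict(set)
            for e in evs[start:end + 1]:
                ports_per_host[e["dst"]].add(e["dport"])
                hosts_per_port[e["dport"]].add(e["dst"])
            for dst, ports in ports_per_host.items():
                if len(ports) >= vertical_min and (src, "vertical", dst) not in seen:
                    seen.add((src, "vertical", dst))
                    alerts.append({"kind": "vertical", "src": src, "target": dst,
                                   "count": len(ports), "at": cur["ts"].isoformat()})
            for port, hosts in hosts_per_port.items():
                if len(hosts) >= horizontal_min and (src, "horizontal", port) not in seen:
                    seen.add((src, "horizontal", port))
                    alerts.append({"kind": "horizontal", "src": src, "target": port,
                                   "count": len(hosts), "at": cur["ts"].isoformat()})
    return alerts


def build_sample() -> List[str]:
    """Constructed log lines, not real traffic."""
    t0 = datetime(2020, 3, 15, 19, 6, 0)
    fmt = "{ts}Z src={src} dst={dst} dport={dport} proto=tcp action={act}"
    lines = []
    # Scanner: 20 ports on one host in 20 s, then port 445 across 12 hosts.
    for i in range(20):
        lines.append(fmt.format(ts=(t0 + timedelta(seconds=i)).isoformat(),
                                src="10.20.0.77", dst="10.20.1.5", dport=1 + i, act="deny"))
    for i in range(12):
        lines.append(fmt.format(ts=(t0 + timedelta(seconds=30 + i)).isoformat(),
                                src="10.20.0.77", dst=f"10.20.1.{10 + i}", dport=445, act="deny"))
    # Ordinary workstation: three services on one host.
    for i, p in enumerate((80, 443, 3389)):
        lines.append(fmt.format(ts=(t0 + timedelta(seconds=5 * i)).isoformat(),
                                src="10.20.0.12", dst="10.20.1.5", dport=p, act="allow"))
    # Slow scanner: 20 ports, one per minute, never 15 inside a 60 s window.
    for i in range(20):
        lines.append(fmt.format(ts=(t0 + timedelta(minutes=i)).isoformat(),
                                src="10.20.0.99", dst="10.20.1.5", dport=1000 + i, act="deny"))
    return lines


if __name__ == "__main__":
    for a in detect_scans(build_sample()):
        print(a)
```

The slow scanner in the sample shows the caveat: a threshold-in-a-window rule catches default nmap timing, not an attacker who spreads probes over hours, so it belongs next to longer-horizon baselining rather than in place of it.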
        
               | emj wrote:
                | "Application Whitelisting": does that actually work
                | anywhere except in a boring office? Everyone that has a
                | functioning devshop always has too many holes in their
                | whitelists to effectively protect them. Client machines
                | WITH credentials have to be made untrusted.
        
       ___________________________________________________________________
       (page generated 2020-03-15 23:00 UTC)