[HN Gopher] Zero Trust Networks
___________________________________________________________________
Zero Trust Networks
Author : pcr910303
Score : 46 points
Date : 2020-03-15 19:06 UTC (3 hours ago)
(HTM) web link (crawshaw.io)
(TXT) w3m dump (crawshaw.io)
| thanksforfish wrote:
| This post is partially plugging https://tailscale.com.
|
| With everyone looking at remote work, tons of people must be
| questioning their VPN strategy right now. I know we are.
|
| I was going to complain that that's a closed-source product (as I
| don't want to use something closed source for my network access
| controls) but it looks like the code is on GitHub, just not
| linked in an obvious way from the website.
| https://github.com/tailscale/tailscale
|
| Has anyone used this or checked out the code? I may give it a
| spin.
| fulafel wrote:
| Aka common sense.
| nif2ee wrote:
| @dang please will you ever take action against this excessive and
| systematic exploitation of this company to market its products
| for free here?
| nif2ee wrote:
| This company has been exploiting HN for so long on a systematic
| basis. Really tells you how things work here.
| [deleted]
| kerng wrote:
| The entire "BeyondCorp" strategy from Google has probably done
| more harm than good. Tons of smaller companies and well-known
| startups paid the price with breaches left and right.
|
| Removing or not deploying basic firewall controls to lock down
| traffic is ill advised. Tons of exposed s3 buckets and other
| assets keep showing that.
|
| Zero Trust is the correct strategy of course, but it doesn't mean
| you have to open up your network to the entire world; it's in
| addition to already established best practices.
| Better to continue those traditional practices and be more thorough
| via micro-segmentation for instance, and identity on top of it.
| pm90 wrote:
| > Tons of exposed s3 buckets and other assets keep showing
| > that.
|
| Would firewall rules help alleviate that though? I can only
| speak for GCS (GCP's s3 equivalent), but firewall rules don't
| apply to GCS buckets.
|
| Like a sibling commentator said, I would like to know more
| instances of companies getting breached specifically for
| adopting a zero trust networking philosophy.
| kerng wrote:
| Zero Trust is the right strategy, but very few have the
| resources to implement it.
|
| So they in spirit do Zero Trust, but end up without basic
| security controls or full-fledged micro-segmentation and
| identity.
|
| If you work at a startup and experience exponential growth,
| you know that your internal production network likely has no
| authentication - this is unfortunately not uncommon and can
| be dangerous.
|
| What old-school security controls prevent are the script-kiddie
| attacks (oops, that database or Elasticsearch cluster exposed on
| the Internet) and random automated attacks, of which there are
| plenty of examples.
| closeparen wrote:
| BeyondCorp does not imply opening up your network to the entire
| world! If anything, it means locking down your network tighter,
| because not even the office is privileged. Production is a
| black box that you touch by authenticating through the same
| reverse proxy tier, no matter where outside of it you are. In
| effect, _nginx_ is your "VPN" server and _everyone_ has to use
| it.
|
| Plenty of companies paid dearly for trusting every device that
| merely needed internet access.
| detaro wrote:
| Do you have examples of breaches you'd attribute to imitating
| "BeyondCorp"? What you describe does not sound like that.
| api wrote:
| One of my biggest gripes with infosec is how un-empirical the
| field is.
| Best practices and advice are based on what
| security people think is the best strategy for preventing
| breaches, but rarely do I see that backed by actual data
| about how real-world breaches actually happen.
|
| This leads to an outsized focus on the latest sexy
| vulnerabilities (e.g. CPU speculative execution
| vulnerabilities) and fetishes for things like firewalls.
| Meanwhile people type 'npm install kitchen-sink' with no
| worries.
|
| In my own anecdotal but real-world experience most breaches
| result from phishing, downloaded malware, phishing to get the
| user to download malware, and malware-assisted phishing, in
| no particular order. Firewalls do nothing for that.
| blondin wrote:
| > This leads to an outsized focus on the latest sexy
| > vulnerabilities (e.g. CPU speculative execution
| > vulnerabilities) and fetishes for things like firewalls.
|
| Sounds like a fantastic plot for an anime. I can even see
| Firewall-san in my head :)
|
| Seriously though, maybe phishing and malware are common
| because firewalls are working?
| yoloClin wrote:
| I hugely agree on a lot of your points.
|
| I'll also add that once I'm on a traditional network,
| ripping through Active Directory is generally not difficult
| - my first ever live pentest went from privileged non-AD
| asset to domain admin within about 4 hours. My average time
| to compromise has come down significantly since then, too.
|
| There's lots of bad/scam security focusing on logging and
| monitoring, weird antivirus products and securing the wrong
| things. The last network I compromised dropped an obscene
| amount of money on a SIEM product that couldn't detect nmap
| or PtH attacks; I achieved complete compromise with the
| same chain of attack as my first ever pentest because
| nobody had looked at the fundamentals of
| implementation/configuration security.
|
| If I could list things that would actually secure
| traditional networks:
|
| - Application Whitelisting (Binary executables, strong
| macro group policies, browser plugin whitelisting).
|
| - Active Directory Hardening (See: ADSecurity, Microsoft AD
| Hardening Guidelines, ACSC Windows 10 Hardening Guidelines)
|
| - Regular Patching and reliance on Microsoft Products
| (they're actually pretty good!)
|
| Dunno if you'd consider these 'zero trust', but unless
| you've covered the fundamentals nobody is going to waste
| time figuring out how to abuse your network with
| speculative execution or drop a huge amount of budget to
| develop a perimeter-breaching RCE 0day. Especially when in
| most cases sending shitware.docx.exe to a sales staff
| member (who is almost always going to run whatever you send
| them if there's a bonus incentive) will suffice.
| emj wrote:
| "Application Whitelisting" Does that actually work
| anywhere except in a boring office? Everyone that has a
| functioning devshop always has too many holes in their
| whitelists to effectively protect them. Client machines
| WITH credentials have to be made untrusted.
___________________________________________________________________
(page generated 2020-03-15 23:00 UTC)
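closeparen's comment in the thread above describes the BeyondCorp shape in one sentence: production is a black box reached only by authenticating through a reverse-proxy tier that everyone uses, whether they sit in the office or in a cafe. The following is an added example written for this page; it is not code from the thread, from Tailscale, from nginx or from Google. It shows the smallest identity-aware access proxy that captures the idea in Go: the proxy never looks at the source IP, it checks a signed identity token, refuses unmanaged devices, applies a per-path group policy, and only then forwards. The token format (a JSON blob signed with HMAC-SHA256 under a key shared with the issuer), the `X-Forwarded-User` / `X-Forwarded-Device` header names, the `Device` field, the demo key and the policy map are all assumptions chosen for the example; a real deployment would have the IdP sign with an asymmetric key and pull device posture from an inventory system.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"strings"
	"time"
)

// Identity is what the corporate IdP asserts about the caller; the proxy trusts its signature, never the source network.
type Identity struct {
	User   string   `json:"user"`
	Device string   `json:"device"` // managed-device inventory ID (assumed field); empty means unmanaged
	Groups []string `json:"groups"`
	Exp    int64    `json:"exp"` // expiry, unix seconds
}

// AccessProxy fronts production: forward only with a valid token, a managed device, and a group the path policy allows.
type AccessProxy struct {
	Key      []byte              // HMAC key shared with the issuer (assumed symmetric for brevity)
	Policy   map[string][]string // path prefix -> allowed groups; longest prefix wins, no match denies
	Upstream http.Handler
}

// Mint signs an identity as base64url(json) + "." + base64url(HMAC-SHA256(json)). Demo token format, not a standard.
func Mint(key []byte, id Identity) string {
	body, _ := json.Marshal(id) // a struct of plain fields cannot fail to marshal
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	return base64.RawURLEncoding.EncodeToString(body) + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// Verify checks encoding, signature (constant time) and expiry, failing closed on each.
func Verify(key []byte, tok string) (*Identity, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 2 {
		return nil, errors.New("malformed token")
	}
	body, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	if err1 != nil || err2 != nil || !hmac.Equal(mac.Sum(nil), sig) {
		return nil, errors.New("bad signature")
	}
	var id Identity
	if err := json.Unmarshal(body, &id); err != nil || time.Now().Unix() >= id.Exp {
		return nil, errors.New("malformed or expired token")
	}
	return &id, nil
}

// Allowed reports whether any of the caller's groups is permitted on path.
func (p *AccessProxy) Allowed(groups []string, path string) bool {
	var best string
	var permitted []string
	for prefix, g := range p.Policy { // longest matching prefix wins
		if strings.HasPrefix(path, prefix) && len(prefix) > len(best) {
			best, permitted = prefix, g
		}
	}
	for _, have := range groups {
		for _, want := range permitted {
			if have == want {
				return true
			}
		}
	}
	return false
}

// ServeHTTP is the whole "VPN": authenticate, check device and policy, then forward.
func (p *AccessProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	auth := r.Header.Get("Authorization")
	id, err := Verify(p.Key, strings.TrimPrefix(auth, "Bearer "))
	switch {
	case !strings.HasPrefix(auth, "Bearer ") || err != nil:
		http.Error(w, "authentication required", http.StatusUnauthorized)
	case id.Device == "":
		http.Error(w, "unmanaged device", http.StatusForbidden)
	case !p.Allowed(id.Groups, r.URL.Path):
		http.Error(w, "not authorized for "+r.URL.Path, http.StatusForbidden)
	default: // the backend sees only proxy-asserted identity; client-supplied headers are overwritten
		r.Header.Del("Authorization")
		r.Header.Set("X-Forwarded-User", id.User)
		r.Header.Set("X-Forwarded-Device", id.Device)
		p.Upstream.ServeHTTP(w, r)
	}
}

func main() { // stand-alone demo on loopback; key and policy are hypothetical
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("hello " + r.Header.Get("X-Forwarded-User") + "\n"))
	})
	policy := map[string][]string{"/": {"eng", "sre"}, "/admin/": {"sre"}}
	http.ListenAndServe("127.0.0.1:8080", &AccessProxy{Key: []byte("hypothetical-demo-key"), Policy: policy, Upstream: backend})
}
```

Two points from the thread are visible in the code. The proxy strips `Authorization` and overwrites the forwarded identity headers, so a backend that trusts `X-Forwarded-User` is only safe if it accepts connections from the proxy alone; that is kerng's "identity on top of" segmentation, not instead of it. And a request from an unmanaged device is refused even with a valid user token, which is the part of BeyondCorp that closeparen calls locking the network down tighter rather than opening it up.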