OpenSecurity.global
Carl Gottlieb

Egress traffic blocking and zero trust

Question

As we head towards zero trust models, how relevant does blocking bad stuff at the perimeter become?

DNS over HTTP is a good example. Trying to control that would be ideal, but since few organisations actually control/filter more basic protocols and a vast amount of client browser traffic is straight from laptop to Internet (via Starbucks wifi), is it even worth bothering?
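As an added illustration of the DNS-over-HTTPS point (not part of the original question or the thread), here is a small Python check that flags likely RFC 8484 DoH requests in egress proxy logs; the log format and the sample lines are constructed for the example, and the hostnames are only sample values.

```python
import re

# Constructed sample egress proxy log lines (assumed format, not a real product's):
# "<client> <method> <host> <path> <status> <content-type>"
SAMPLE_PROXY_LOG = """\
10.0.0.5 POST cloudflare-dns.com /dns-query 200 application/dns-message
10.0.0.5 GET www.example.org /index.html 200 text/html
10.0.0.7 GET dns.google /dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB 200 application/dns-message
10.0.0.9 GET cdn.example.net /static/app.js 200 application/javascript
10.0.0.9 POST api.example.net /dns-query 200 application/json
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def is_doh_request(method, path, content_type):
    """Return True when a request looks like DNS over HTTPS (RFC 8484).

    Strong signal: the application/dns-message media type.
    Weaker signal: a GET to the conventional /dns-query path carrying a
    ?dns= parameter (the base64url-encoded wire-format query).
    A bare /dns-query path with another content type is NOT flagged, so an
    ordinary API that happens to use that path name is left alone.
    """
    if content_type.lower() == "application/dns-message":
        return True
    base, _, query = path.partition("?")
    if method == "GET" and base.endswith("/dns-query") and "dns=" in query:
        return True
    return False


def flag_doh(lines):
    """Return a list of (client, host) pairs for log lines that look like DoH.

    Lines that do not match the assumed format are skipped rather than
    raising, so a partially garbled log does not abort the sweep.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        client, method, host, path, _status, ctype = m.groups()
        if is_doh_request(method, path, ctype):
            hits.append((client, host))
    return hits


if __name__ == "__main__":
    for client, host in flag_doh(SAMPLE_PROXY_LOG.splitlines()):
        print(f"possible DoH: {client} -> {host}")
```

In practice this only sees traffic that actually traverses the proxy, which is the point the question raises: a laptop on coffee-shop wifi never hits this enforcement point.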

9 answers to this question


Personally - I don't use zero trust models, and pipe remote laptops back via VPN, so blocking is relevant to me.


I heard about zero trust from a SANS mailing I subscribe to. I googled zero trust and came across this blog entry, which goes into detail about how Google, Netflix, Facebook, and Uber all do SSH: https://gravitational.com/blog/how_uber_netflix_facebook_do_ssh/. (Disclaimer: I had never heard of the company, and this is not an endorsement. Although I wonder how they got this information!)

Not every midsize company can pull off what Google does. It's a trope you deal with all the time in IT from management: "Well, Google does it, why can't we?"

Personally, if your company builds up a layered security model with good perimeter defences, why get rid of them just to say you're zero trust? You can still secure your internal nodes further without ditching existing equipment.

21 minutes ago, Tim Casey said:

Not every midsize company can pull off what Google does. It's a trope you deal with all the time in IT from management: "Well, Google does it, why can't we?"

Haha, I love that one.

Zero trust works when you have very good documentation and incredible IT resource, or a greenfield company. Not so much when a company doesn't have backups or an asset list.

  • Like 3


We channel everyone back to our DC; if you take a laptop home, it is just to RDP back into our DC. People complain about working while travelling, but we let them complain and make them come back to our clean, hardened, monitored environment.

So inbound and outbound web and email are a big part of our monitoring.

And in case anyone is getting excited about me writing R D P back in: it is MFA-controlled, non-persistent VDI that is patched every 14 days, so I can sleep at night whilst waiting for the next EternalBlueKeep.

On 7/22/2019 at 4:02 PM, Carl Gottlieb said:

As we head towards zero trust models, how relevant does blocking bad stuff at the perimeter become?

DNS over HTTP is a good example. Trying to control that would be ideal, but since few organisations actually control/filter more basic protocols and a vast amount of client browser traffic is straight from laptop to Internet (via Starbucks wifi), is it even worth bothering?

Still critically important. Zero trust is great IF (as others above have stated) you have complete control of the users and devices connecting to your network. For the other 99.9999% of organisations, the amount of "not a clue what that is" stuff connected to your networks still needs to have ingress/egress blocking in place to at least try and control whatever the hell it is doing...

  • Like 1


Zero trust feels very much like an attempt to reinvent the Jericho Forum from back in the day. It may work for organisations that are aligned with its objectives and can do so at scale, but it's going to end in tears for a lot of people because they lack the ability to implement it properly and are just opening themselves up to bad stuff happening.

I'd take decently funded hunting, monitoring and response over arbitrary blocking any day of the week though.

  • Like 1

8 hours ago, Steve Lord said:

Zero trust feels very much like an attempt to reinvent the Jericho Forum

The Jericho Forum advocates for a "perimeterless" environment, and at the same time for a "layered security approach". So how would someone define a "layer" if not as a "perimeter"?! As Pres. Trump would say: "another beauty!", as he would say about ZeroTrust too...

Colleagues, I encourage us to think about what we offer a bit more deeply.

And here is my definition of a "perimeter": it is a point of "security policy enforcement". This is consistent with the layered approach (one can have many enforcement points, i.e. layers), and explains what "perimeterless" actually means: not a line, but a set of enforcement points that constitute the perimeter where the policy is enforced.

Edited by Boris T
