Moving Away From LAN-Centric Security

wrx7m

@crustachio said in Moving Away From LAN-Centric Security:

@dashrender said in Moving Away From LAN-Centric Security:

/sigh, this says it's to expensive for me!

We were quoted $30/seat for 300 seats, plus $6/seat for 1-year maintenance. We ended up buying it for less than that after "negotiations".

Out of curiosity, what pricing did you settle on?

wrx7m

@scottalanmiller said in Moving Away From LAN-Centric Security:

@wrx7m said in Moving Away From LAN-Centric Security:

@scottalanmiller said in Moving Away From LAN-Centric Security:

@wrx7m said in Moving Away From LAN-Centric Security:

• I know that some people have strong opinions on UTMs, but being that I have one, I am using the transparent proxy, content filter and AV. What would you use to prevent people from visiting known, sketchy sites, whether it's intentional or it's just an accident (phishing, ads, etc.).

I like DNS filtering a lot. Strongarm.io or just a PiHole. DNS is fast, effective, and cheap and stops all kinds of accidents and is really simple to manage. People who are intent on doing bad things and are going to work around that, well they were going to find a way anyway. But stopping accidents, I'm all for. You don't technically block anyone, you just make it really hard to do something bad by accident. I like that as an approach. I also like that it is not "inline" so actually can speed, rather than slow, the network and doesn't bring you down if it fails.

Question regarding strongarm-
Based on what I can tell, for an internal network, you would set your internal DNS servers' forwarders to strongarm's servers. For remote devices, do you manually set the DNS IP addresses? How would that not cause internal name resolution issues when remote devices connect to the LAN via hard-wire, WiFi or VPN?

Depends. If you are going LANless, you'd not use DNS internally normally. It's a really rare thing to have internal DNS unless you need it for LAN-centric services. That's nearly the only reason (other than caching in the late 1990s and early 2000s) that anyone has ever had internal DNS. So eliminate the need for the LAN, you eliminate the need for the local DNS, problem solved. And literally, that's how we solve it. Then you can hard code Strongarm.io or our Pi-Hole to our hearts content. Actually makes things easier, rather than harder.

So let me rephrase, "moving away from" to "becoming less focused on" - I just want to confirm that in order to use strongarm on remote computers, I would have to hardcode DNS server settings into the client. They don't have some sort of client application that you install on the endpoint, right?

scottalanmiller

@wrx7m said in Moving Away From LAN-Centric Security:

@scottalanmiller said in Moving Away From LAN-Centric Security:

@wrx7m said in Moving Away From LAN-Centric Security:

@scottalanmiller said in Moving Away From LAN-Centric Security:

@wrx7m said in Moving Away From LAN-Centric Security:

• I know that some people have strong opinions on UTMs, but being that I have one, I am using the transparent proxy, content filter and AV. What would you use to prevent people from visiting known, sketchy sites, whether it's intentional or it's just an accident (phishing, ads, etc.).

I like DNS filtering a lot. Strongarm.io or just a PiHole. DNS is fast, effective, and cheap and stops all kinds of accidents and is really simple to manage. People who are intent on doing bad things and are going to work around that, well they were going to find a way anyway. But stopping accidents, I'm all for. You don't technically block anyone, you just make it really hard to do something bad by accident. I like that as an approach. I also like that it is not "inline" so actually can speed, rather than slow, the network and doesn't bring you down if it fails.

Question regarding strongarm-
Based on what I can tell, for an internal network, you would set your internal DNS servers' forwarders to strongarm's servers. For remote devices, do you manually set the DNS IP addresses? How would that not cause internal name resolution issues when remote devices connect to the LAN via hard-wire, WiFi or VPN?

Depends. If you are going LANless, you'd not use DNS internally normally. It's a really rare thing to have internal DNS unless you need it for LAN-centric services. That's nearly the only reason (other than caching in the late 1990s and early 2000s) that anyone has ever had internal DNS. So eliminate the need for the LAN, you eliminate the need for the local DNS, problem solved. And literally, that's how we solve it. Then you can hard code Strongarm.io or our Pi-Hole to our hearts content. Actually makes things easier, rather than harder.

So let me rephrase, "moving away from" to "becoming less focused on" - I just want to confirm that in order to use strongarm on remote computers, I would have to hardcode DNS server settings into the client. They don't have some sort of client application that you install on the endpoint, right?

Not that I know of.

scottalanmiller

@dashrender said in Moving Away From LAN-Centric Security:

@tim_g said in Moving Away From LAN-Centric Security:

@dashrender said in Moving Away From LAN-Centric Security:

@crustachio said in Moving Away From LAN-Centric Security:

BeyondTrust PowerBroker

/sigh, this says it's to expensive for me!

https://i.imgur.com/IBiC3Do.png

I used their free Linux stuff to join Linux File Servers to AD so I could control file share access via AD Groups. It worked well.

Can't Linux files servers join AD through Samba alone? That asked, I have no idea if GPOs can be applied to the nix boxes at that point though.

GPO could be applies, if you have something that reads GPO. GPO is just a suggestion, and if nothing tells Linux to do something with it, it does nothing.

pmoncho

@tim_g said in Moving Away From LAN-Centric Security:

@dashrender said in Moving Away From LAN-Centric Security:

@crustachio said in Moving Away From LAN-Centric Security:

BeyondTrust PowerBroker

/sigh, this says it's to expensive for me!

https://i.imgur.com/IBiC3Do.png

I used their free Linux stuff to join Linux File Servers to AD so I could control file share access via AD Groups. It worked well.

Tim, Is there a specific name for the product you used? This may help me immensely in my future quest of AD Groups and Linux.

Obsolesce

@pmoncho said in Moving Away From LAN-Centric Security:

@tim_g said in Moving Away From LAN-Centric Security:

@dashrender said in Moving Away From LAN-Centric Security:

@crustachio said in Moving Away From LAN-Centric Security:

BeyondTrust PowerBroker

/sigh, this says it's to expensive for me!

https://i.imgur.com/IBiC3Do.png

I used their free Linux stuff to join Linux File Servers to AD so I could control file share access via AD Groups. It worked well.

Tim, Is there a specific name for the product you used? This may help me immensely in my future quest of AD Groups and Linux.

https://www.beyondtrust.com/products/powerbroker-identity-services-open/

My use case was very simple... I only used it for controlling access to Samba shares via MS Active Directory groups.

So make sure your use case is covered in this free/open version.

pmoncho

@tim_g said in Moving Away From LAN-Centric Security:

e is covered in this free/

I was playing with Samba a few months ago specific for file services and could not get AD group perms to work. If it can help with my final issue, then I will be a very happy camper and needing one less Windows License.

Obsolesce

@pmoncho said in Moving Away From LAN-Centric Security:

@tim_g said in Moving Away From LAN-Centric Security:

e is covered in this free/

I was playing with Samba a few months ago specific for file services and could not get AD group perms to work. If it can help with my final issue, then I will be a very happy camper and needing one less Windows License.

Yeah that tool made it quick and easy.

It'll require you to change your Samba share permissions in the config file a little bit, but I think that's in their documentation. For groups, you need to put a plus in front like +domain\\\groupName or something like that. It's been a while, but I'm sure you'll read it.

Obsolesce

There were two pieces... that main part, and then installing another "add-in" like thing specifically for Samba. It was like a Samba integration extension or soemthintg like that. Maybe it's built in now, I don't know.

Obsolesce

Like I said, it was a couple years ago. Make sure to go through their documentation well.