#security (2020-10)

Archive: https://archive.sweetops.com/security/

2020-10-15

roth.andy
05:37:29 PM

Thought some might find this interesting. Was just approved for public release.

Zach

Got the source url handy?

roth.andy

It was emailed to me. Hang on, I’ll see if I can find it.

Zach

Oh ok, I can search too in that case.

roth.andy

Looks like it isn’t posted yet but a link to it will likely end up here: https://software.af.mil/dsop/documents/

Zach

Yeah, was only finding the 2019 pre-release myself.

Zach

thanks!

andrey.a.devyatkin

Thanks for sharing

Erik Osterman (Cloud Posse)
Protect teams with Browser Isolation | Cloudflare

Cloudflare Browser Isolation works with your native browser to protect remote teams and make web browsing safer and faster.

Erik Osterman (Cloud Posse)
Introducing Cloudflare Browser Isolation beta

Today, we’re excited to open up a beta of a third approach to keeping web browsing safe with Cloudflare Browser Isolation.

2020-10-14

Erik Osterman (Cloud Posse)
Argo Tunnels that live forever

Securely connecting your infrastructure to Cloudflare’s network just became easier.

imiltchman

As a provider, IP whitelisting is still the main way that firewall exceptions are made for us by our customers to access their protected applications. Is there a better solution to this use case than a VPN? I’ve looked at Perimeter81, but I am not sold on the whole approach.

Erik Osterman (Cloud Posse)

This is a rich space these days, Perimeter81 being just one of dozens.

Erik Osterman (Cloud Posse)

The zero trust/BeyondCorp model is more or less the gold standard today, with various vendors taking their own approach.

Erik Osterman (Cloud Posse)

Last week Cloudflare launched “One”.

Erik Osterman (Cloud Posse)

Today HashiCorp announced Boundary.

Erik Osterman (Cloud Posse)

What is your wire protocol for your apps?

imiltchman

For this use case, just HTTPS.

imiltchman

I think that’s part of the problem. Everyone is going to be implementing their own flavor of zero trust, and we’ll have to jump through hoops to set up our connectivity, as opposed to having a single way of doing it with something universal like IP whitelisting or a VPN client.

Erik Osterman (Cloud Posse)

So with IP whitelisting, is the single way of doing it with Security Groups, NACLs, a WAF, ingress, or in the application?

Erik Osterman (Cloud Posse)

So HTTP is the ideal case, and perhaps the most demonstrated case, for how to expose apps in the zero trust model with IAPs (identity-aware proxies). It’s more or less synonymous with VPNs. A VPN will require a user to identify and log in. It then creates a point-to-point connection with the VPN server and sends layer 3 or 4 traffic over it. Then additional firewall rules and subnet routing policies need to be used to protect services from the VPN traffic.

In the IAP model, you have a point-to-point TCP connection (just like with the VPN). You’re speaking one wire protocol (HTTP), unlike with the VPN, where it can be anything. You identify with Single Sign-On (e.g. it works well with Okta, G Suite, etc.). The proxy connects you to exactly one service, not the entire network, so there’s no need for additional firewalling and routing rules.
