Geekzone: technology news, blogs, forums
1204 posts, Uber Geek, Subscriber
Reply # 2079051 25-Aug-2018 15:08

vulcannz:

Nunz I guess from my point of view you can pay for stuff which would save you heaps of time. But if you are giving away your time I guess it doesn't compete.

Or I found a simple tool to solve a simple problem. It took 20 minutes to set up and has been awesome. Works on all the platforms I want it to work on. Configurable, hackable if I want to change it.

Stop judging what you don't know. You keep making assumptions, and assumptions are the mother of all muck-ups.


nunz

309 posts, Ultimate Geek
Reply # 2079136 25-Aug-2018 18:48
One person supports this post

nunz:

vulcannz:

Nunz I guess from my point of view you can pay for stuff which would save you heaps of time. But if you are giving away your time I guess it doesn't compete.

Or I found a simple tool to solve a simple problem. It took 20 minutes to set up and has been awesome. Works on all the platforms I want it to work on. Configurable, hackable if I want to change it.

Stop judging what you don't know. You keep making assumptions, and assumptions are the mother of all muck-ups.

You don't know what I know. Just so you do know - I do network security for a living, and have done for a long, long time.

If I were setting up such a network I'd be running a firewall with Layer 7 services like IPS to protect your web-exposed services. For RDP I'd run an SSL reverse proxy, with RDP shortcuts, and bang ActiveSync through that.

This is how I run my network. For any services I do need to expose, I geo-limit them where necessary. For example my SMTP traffic allows traffic from anywhere in the world, but my IMAP traffic is geo-limited to ANZ/Pacific Islands. My public websites (via the SSL reverse proxy) allow traffic from anywhere and of course the traffic is inspected/blocked for attacks, but my ActiveSync traffic is geo-limited to ANZ/Pacific Islands (and requires authorised devices). My SSL portal (which services HTML5 RDP access) has 2FA.

All remote access applications are actually blocked on the firewall (including RDP) by application control, not just ports. I do SSL decryption on all outbound client access. So nothing gets in or out that I don't explicitly want.

The system requires very little management as I use a KISS principle. I'm also a gamer, so any lag would be a problem for me (and my 3 sons who are all gamers), but of course it isn't.

Oh, and Wi-Fi is running 802.1X. This is all integrated with AD for user identity management, access, and reporting.

Yes it all costs money, but to me it's a time vs money problem (and perhaps effectiveness as well). If you're spending more than 40 hours per year on free stuff maintenance then the above will work out cheaper.
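The exposure policy described in this post, as an added example that is not part of the thread or any poster's configuration: a small evaluator that applies the per-service rules (SMTP and public HTTPS open but inspected, IMAP geo-limited to ANZ/Pacific, ActiveSync geo-limited plus authorised devices, the SSL portal behind 2FA, everything else such as bare RDP denied by default) to constructed connection records. The country codes, device identifiers and record format are assumptions.

```python
# Added example: evaluator for the per-service exposure rules described in the post above.
# The region set, device list and record format are constructed, not the poster's config.
from dataclasses import dataclass

ANZ_PACIFIC = frozenset({"NZ", "AU", "FJ", "WS", "TO", "CK", "PG"})  # constructed geo allowlist
AUTHORISED_DEVICES = frozenset({"phone-01", "laptop-02"})           # constructed device list

@dataclass(frozen=True)
class ServiceRule:
    countries: "frozenset | None" = None   # None: reachable from anywhere
    device_auth: bool = False              # only pre-authorised devices may connect
    mfa: bool = False                      # second factor required
    inspected: bool = False                # passes L7 inspection (IPS / reverse proxy)

# Published services; anything absent (bare RDP, other remote access) is denied by default.
POLICY = {
    "smtp": ServiceRule(inspected=True),
    "imap": ServiceRule(countries=ANZ_PACIFIC),
    "https": ServiceRule(inspected=True),
    "activesync": ServiceRule(countries=ANZ_PACIFIC, device_auth=True),
    "portal": ServiceRule(mfa=True, inspected=True),  # HTML5 RDP behind the SSL portal
}

def decide(service, country, device=None, mfa_ok=False):
    """Decision for one connection attempt; each gate must pass before the next is tried."""
    rule = POLICY.get(service)
    if rule is None:
        return "deny:not-published"
    if rule.countries is not None and country not in rule.countries:
        return "deny:geo"
    if rule.device_auth and device not in AUTHORISED_DEVICES:
        return "deny:device"
    if rule.mfa and not mfa_ok:
        return "deny:mfa"
    return "allow:inspected" if rule.inspected else "allow"

def evaluate_log(lines):
    """Parse constructed 'key=value' records; return (service, country, decision) tuples."""
    out = []
    for line in lines:
        f = dict(kv.split("=", 1) for kv in line.split())
        dev = None if f.get("dev", "-") == "-" else f["dev"]
        out.append((f["svc"], f["cc"], decide(f["svc"], f["cc"], dev, f.get("mfa") == "1")))
    return out

SAMPLE_LOG = [  # constructed attempts, one per record
    "svc=smtp cc=DE dev=- mfa=0", "svc=imap cc=US dev=- mfa=0",
    "svc=activesync cc=NZ dev=phone-01 mfa=0", "svc=activesync cc=NZ dev=rogue-99 mfa=0",
    "svc=portal cc=AU dev=- mfa=0", "svc=rdp cc=NZ dev=- mfa=1",
]
```

Calling evaluate_log(SAMPLE_LOG) gives one decision per record; the property worth checking is that a request is stopped by the first failing gate (geo, device, 2FA) and that an unpublished service is refused even when every other factor looks fine.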


IcI
750 posts, Ultimate Geek, Trusted
Reply # 2079157 25-Aug-2018 20:34

vulcannz: ... - I do network security for a living, and have done for a long, long time.

That counts for a lot and, by extension, I believe that you do this at work.

vulcannz: ... and bang ActiveSync through that.

This is how I run my network. ... I'm also a gamer, so any lag would be a problem for me (and my 3 sons who are all gamers) ...

Ah yes, the luxuries of being master of your domain and not having paying clients.

nunz: ... Can't get it behind VPN or similar by the nature of the services offered. ...

Required for old SAP which didn't survive upgrade to Windows 2008. Client doesn't see paying ...

Mostly legacy software that doesn't survive upgrades. ...

Embedded XP running Mitsubishi laser cutters, XP used for serial-based DOS software that didn't survive upgrade ...

A perfect example of business clashing with personal home use.

nunz: ... however some need to be RDP accessed from road warriors ...

Windows XP machines - need remote access. ...

Lots of cases where clients must have stuff exposed ...

Maybe some things need to be re-evaluated? On the other hand, if the client signs off on the risk register, ...?

nunz: ... The tools above make monitoring and proactive actions much easier, and seem to work on multiple platforms. It is good to remind people that there are tools out there that can help in various ways to make life easier. This advice was freely given & it is up to others if they want to accept it, bash it or move on.

Thx nunz




1204 posts, Uber Geek, Subscriber
Reply # 2079160 25-Aug-2018 21:04

IcI:

nunz: ... however some need to be RDP accessed from road warriors ...

Windows XP machines - need remote access. ...

Lots of cases where clients must have stuff exposed ...

Maybe some things need to be re-evaluated? On the other hand, if the client signs off on the risk register, ...?

nunz: ... The tools above make monitoring and proactive actions much easier, and seem to work on multiple platforms. It is good to remind people that there are tools out there that can help in various ways to make life easier. This advice was freely given & it is up to others if they want to accept it, bash it or move on.

Thx nunz

Thanks for the post. Re-evaluation: lots of industrial machinery runs on serial connections. Most of the software to run it was written under DOS. There is no upgrade path and short of trashing several hundred $k of machines there is no way forward. I've tried DOSBox, virtual machines and a raft of other options but the reality is that there is always a disconnect somewhere making anything less than a bona fide physical box unworkable.

The Mitsi laser cutter is $900k, came out after the earthquakes so is less than 8 years old, and came with Windows XP Embedded. Lots of the industrial behemoths still run XP Embedded for lots of good reasons.

Keeping it in a state where files can be uploaded to it or it can read files, from machines that receive files via email or Dropbox or ... without sneaker-netting them through the factory, required multiple NICs, fancy firewall rules and a lot of clamping down. But it works.

Well, it was working well until some knob got sick of not having Mozilla on his machine, able to watch porn and download videos at work, so brought the heavily virused hard drive from his home box in and plugged it into his machine. The system shut down in a hurry and I spent a few hours making sure nothing had breached. Another example of security layers working inside a hardened exterior security system.

The Server 2003 with SAP. I've begged, pleaded, cajoled and whined about that box. For my peace of mind it has VMware images locally and virtual block-level images on virtual metal on the net. The cloud VM boots up long enough to receive the latest backups so I don't have a year or more's worth of updates when the server finally dies. It then shuts down. When the physical machine dies a VPN between the virtual machine and the physical LAN will be connected so it takes over smoothly. IP rules keep it tied to my site and my client's site but nowhere else. At the end of the day the client is right and my job is to make things happen and advise.




nunz

309 posts, Ultimate Geek
Reply # 2079201 25-Aug-2018 22:20

IcI:

Ah yes, the luxuries of being master of your domain and not having paying clients.

Who says I don't?


IcI
750 posts, Ultimate Geek, Trusted
Reply # 2079495 26-Aug-2018 23:30

vulcannz:

IcI:

Ah yes, the luxuries of being master of your domain and not having paying clients.

Who says I don't?

Not me.

IcI:

vulcannz: ... - I do network security for a living, and have done for a long, long time.

That counts for a lot and, by extension, I believe that you do this at work.

Or do you have paying clients on your HOME network?

vulcannz: ... I'm also a gamer, so any lag would be a problem for me (and my 3 sons who are all gamers) ...


309 posts, Ultimate Geek
Reply # 2079508 27-Aug-2018 08:05

You know, incredible as it may sound - it is possible to have paying clients AND a home network. Even stranger, you may even use your home network as a lab to test solutions. Which even more incredibly means you actually know what you're doing when you propose or deploy solutions to clients.


UHD
674 posts, Ultimate Geek
Reply # 2079760 27-Aug-2018 14:42
2 people support this post

Oh. God.


309 posts, Ultimate Geek
Reply # 2079782 27-Aug-2018 15:21

UHD:

Oh. God.

Yes my son?


686 posts, Ultimate Geek, Subscriber
Reply # 2079840 27-Aug-2018 16:28

This thread is great, I love how halfway through IcI waded into the battle.


1204 posts, Uber Geek, Subscriber
Reply # 2080004 27-Aug-2018 21:23
One person supports this post

gbwelly:

This thread is great, I love how halfway through IcI waded into the battle.

Sadly a microcosm of the NZ knocking culture. It used to be just a tall poppy culture but now seems full-blown rain down crap on people. Sad, sad, sad.


nunz

IcI
750 posts, Ultimate Geek, Trusted
Reply # 2080037 27-Aug-2018 23:29
One person supports this post

gbwelly: ... love how halfway through IcI waded into the battle.

Did I fan the flames? Or did somebody decide to bash it & not move on?

  • I applaud @nunz for finding a solution that fits within the constraints of his clients. I also applaud nunz for standing up & sharing that knowledge.
  • And yet, like Andib, MadEngineer & vulcannz seem to think, it seems utter madness to not only have the machines running, but also exposed onto the internet. Surely there must be a better way?

After vulcannz posted Reply # 2079508 on 27-Aug-2018 08:05 I was hoping not to comment on this thread. Maybe now is their time to resurface this old idea of mine & use it against me.



1204 posts, Uber Geek, Subscriber
Reply # 2080084 28-Aug-2018 09:34

IcI:

gbwelly: ... love how halfway through IcI waded into the battle.

Did I fan the flames? Or did somebody decide to bash it & not move on?

  • I applaud @nunz for finding a solution that fits within the constraints of his clients. I also applaud nunz for standing up & sharing that knowledge.
  • And yet, like Andib, MadEngineer & vulcannz seem to think, it seems utter madness to not only have the machines running, but also exposed onto the internet. Surely there must be a better way?

After vulcannz posted Reply # 2079508 on 27-Aug-2018 08:05 I was hoping not to comment on this thread. Maybe now is their time to resurface this old idea of mine & use it against me.

Respectfully - I cannot understand how it is utter madness to have machines exposed to the internet. The Server 2012 I referenced is a mail server. Its job is to be exposed to the internet.

It would seem to me there is still the old Microsoft fear of being on the internet - even for server products with IIS (web servers) and Exchange (mail servers) and other web services. It probably is a legacy from the way MS built their operating systems - inherently unsafe and not designed for networks - and then built newer generations on top of a flawed stack.

Supposedly new server products are meant to be rebuilt from the ground up - but if Windows experts decide having servers with mail and web services enabled is madness to expose to the internet then I guess my decision to mostly use Linux for those purposes was a sound one - as I have yet to hear a Linux person say having your servers exposed to the internet is madness, crazy or reckless. Instead they were built for the internet and network connectivity - from day one.

My clients certainly benefited from that decision.


nunz

3292 posts, Uber Geek, Trusted, Lifetime subscriber
Reply # 2080450 28-Aug-2018 21:05
One person supports this post

nunz:

I have yet to hear a Linux person say having your servers exposed to the internet is madness, crazy or reckless. Instead they were built for the internet and network connectivity - from day one.

My clients certainly benefited from that decision.

I work with both Windows and Linux servers. I'm quite happy to say that I consider having ANY server (or desktop, or IoT device, or anything pretty much except a patched and well-configured firewall device) exposed to the internet directly is asking for trouble.

Information wants to be free. The Net interprets censorship as damage and routes around it.


309 posts, Ultimate Geek
Reply # 2080460 28-Aug-2018 21:23

nunz:

Respectfully - I cannot understand how it is utter madness to have machines exposed to the internet. The Server 2012 I referenced is a mail server. Its job is to be exposed to the internet.

As long as you have something inspecting the traffic (e.g. IPS) and you keep your patches up to date then I don't see a big issue with exposing either MS or Unix/Linux systems to the internet.

Depending on the size of the organization it makes sense not to go too overboard if the costs are too much (but for bigger sites you may want an email security system in front of your mail server (protects against spam, phishing, malware, DHAs, DDoS/DoS attacks), and you may want a WAF in front of your web servers).

If you are aware of the risks vs costs (because that's what it really boils down to), and make sure the customer is informed, then you're doing a good job.

