Optimization Requires Orchestration

Started by deanwebb, March 22, 2022, 04:13:16 PM


deanwebb

Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Otanx

Good article. I bet the author is one awesome dude. You just can't scale if you are doing everything by hand. Now where that automation can really help from the security side is to block external threats that show up. You should be ingesting authentication logs from, say, your VPN head end. If you see multiple failed attempts then black hole that IP across your entire infrastructure. You are probably OK with not letting the guy trying to brute force your VPN connect to your web site, or send you email.

-Otanx
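The detection step Otanx describes, written out as an added example (this is not code from the thread or from any product). It assumes a syslog-like VPN authentication log in the constructed format shown, a threshold of failures inside a sliding time window, and an internal address list (RFC 1918 here) plus an allowlist that are never black-holed no matter what the logs say. The output is rendered as IOS-style Null0 static routes, one common form of black-hole route.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed VPN head-end authentication log (syslog-like; not the output of any real product).
SAMPLE_LOG = """\
2022-03-22T16:01:05Z vpn1 auth: user=alice src=203.0.113.7 result=FAIL reason=bad_password
2022-03-22T16:01:09Z vpn1 auth: user=bob src=203.0.113.7 result=FAIL reason=bad_password
2022-03-22T16:01:13Z vpn1 auth: user=carol src=203.0.113.7 result=FAIL reason=bad_password
2022-03-22T16:01:20Z vpn1 auth: user=dave src=203.0.113.7 result=FAIL reason=unknown_user
2022-03-22T16:01:44Z vpn1 auth: user=erin src=203.0.113.7 result=FAIL reason=bad_password
2022-03-22T16:02:30Z vpn1 auth: user=jsmith src=198.51.100.20 result=FAIL reason=bad_password
2022-03-22T16:02:50Z vpn1 auth: user=jsmith src=198.51.100.20 result=OK
2022-03-22T16:05:00Z vpn1 auth: user=mjones src=192.0.2.9 result=FAIL reason=bad_password
2022-03-22T16:40:00Z vpn1 auth: user=mjones src=192.0.2.9 result=FAIL reason=bad_password
2022-03-22T17:20:00Z vpn1 auth: user=mjones src=192.0.2.9 result=FAIL reason=bad_password
2022-03-22T17:55:00Z vpn1 auth: user=mjones src=192.0.2.9 result=FAIL reason=bad_password
2022-03-22T18:30:00Z vpn1 auth: user=mjones src=192.0.2.9 result=FAIL reason=bad_password
2022-03-22T16:10:00Z vpn1 auth: user=scanner src=10.0.0.5 result=FAIL reason=bad_password
2022-03-22T16:10:01Z vpn1 auth: user=scanner src=10.0.0.5 result=FAIL reason=bad_password
2022-03-22T16:10:02Z vpn1 auth: user=scanner src=10.0.0.5 result=FAIL reason=bad_password
2022-03-22T16:10:03Z vpn1 auth: user=scanner src=10.0.0.5 result=FAIL reason=bad_password
2022-03-22T16:10:04Z vpn1 auth: user=scanner src=10.0.0.5 result=FAIL reason=bad_password
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)"
)

# Address space that must never be black-holed, whatever the logs say (assumed: RFC 1918 ranges).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Return (timestamp, user, source_ip, result), or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["user"], ip_address(m["src"]), m["result"]


def find_bruteforce_sources(log_text, threshold=5, window_minutes=10, allowlist=()):
    """Source IPs with at least `threshold` failed logins inside any window of `window_minutes`.

    Internal ranges and the allowlist are skipped so an automated block can never cut off
    the company's own address space. Returns a sorted list of ipaddress objects.
    """
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable or unrelated line: ignore it, never block on it
        ts, _user, src, result = rec
        if result == "FAIL":
            failures[src].append(ts)

    offenders = []
    for src, times in failures.items():
        if str(src) in allowlist or any(src in net for net in INTERNAL_NETS):
            continue
        times.sort()
        left = 0
        for right, t in enumerate(times):  # sliding window over the sorted timestamps
            while t - times[left] > window:
                left += 1
            if right - left + 1 >= threshold:
                offenders.append(src)
                break
    return sorted(offenders)


def null_routes(ips):
    """Render the block list as Cisco IOS-style static routes to Null0."""
    return [f"ip route {ip} 255.255.255.255 Null0" for ip in ips]


if __name__ == "__main__":
    for route in null_routes(find_bruteforce_sources(SAMPLE_LOG)):
        print(route)
```

On the sample log only 203.0.113.7 (five failures in under a minute) is flagged with the default 5-in-10-minutes rule; the slow failures from 192.0.2.9 only trip it if the window is widened to three hours, and the internal 10.0.0.5 scanner is skipped entirely. Tuning the threshold and window against your own logs, and keeping the internal/allow lists under change control, is what makes it safe to push the result out without a human in the loop.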

deanwebb

Exactly. And most shops will stop short at notification-only with manual responses. Works great against the Great Sloth Lord and his hordes of snail soldiers...

Otanx

Quote from: deanwebb on March 23, 2022, 08:13:31 AM
Exactly. And most shops will stop short at notification-only with manual responses. Works great against the Great Sloth Lord and his hordes of snail soldiers...

Yep, and how I typically handle that fear is to automate the deployment, but let them keep their manual activation. So give them a way to supply IPs/networks, domains, ASN, and file hashes. That can cover just about anything they would want to block. Then we automate the deployment. IPs/Networks/ASNs out to the routers, firewalls, etc. Domains pushed to proxies, DNS Servers, firewalls, hashes to AV solutions, email filters, etc. Still slow, but at least they don't get partial deployments of the blocks they want. Once they accept that then we can start talking about automating the activation depending on the source. Like mentioned in the article, take it slow. Get A to B before talking about A to C.

-Otanx
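The "analysts supply the indicators, automation does the deployment" model from the post above, as an added example (not code from the thread or from any of the tools mentioned). It assumes the four indicator types Otanx lists, an assumed mapping of each type to enforcement points, and a `push(target, values)` callable that stands in for whatever talks to each device or API. Malformed entries are rejected rather than guessed at, and `deploy` reports per-target success so a partial deployment is visible instead of silent.

```python
import re
from ipaddress import ip_network

# Which enforcement points receive each indicator type (assumed mapping; adjust to your estate).
TARGETS = {
    "ip":     ["routers", "firewalls"],
    "asn":    ["routers", "firewalls"],
    "domain": ["proxies", "dns", "firewalls"],
    "hash":   ["av", "email_filter"],
}
MIN_PREFIX_LEN = 8  # assumed sanity limit: refuse anything broader than a /8

ASN_RE = re.compile(r"^AS\d{1,10}$", re.IGNORECASE)
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.IGNORECASE)  # md5/sha1/sha256
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.IGNORECASE
)

# Constructed analyst request: one of each type plus two entries that must be refused.
REQUESTED = [
    "203.0.113.7", "198.51.100.0/24", "AS64496", "evil.example",
    "d41d8cd98f00b204e9800998ecf8427e", "not an indicator", "0.0.0.0/0",
]


def classify(indicator):
    """Return (type, normalized value), or (None, original) if it is not a usable indicator."""
    s = indicator.strip()
    if ASN_RE.match(s):
        return "asn", s.upper()
    if HASH_RE.match(s):
        return "hash", s.lower()
    try:
        net = ip_network(s, strict=False)  # a bare address becomes a /32 (or /128)
        if net.prefixlen < MIN_PREFIX_LEN:
            return None, indicator  # "block the internet" is never an automated action
        return "ip", str(net)
    except ValueError:
        pass
    if DOMAIN_RE.match(s):
        return "domain", s.lower()
    return None, indicator


def build_plan(requested):
    """Group validated indicators by enforcement point; report what was rejected."""
    plan = {target: [] for targets in TARGETS.values() for target in targets}
    rejected = []
    for item in requested:
        kind, value = classify(item)
        if kind is None:
            rejected.append(item)
            continue
        for target in TARGETS[kind]:
            if value not in plan[target]:
                plan[target].append(value)
    return plan, rejected


def deploy(plan, push):
    """Push every non-empty target and record each outcome, so partial rollouts are obvious.

    `push(target, values)` is the integration hook; it is expected to raise on failure.
    """
    done, failed = {}, {}
    for target, values in plan.items():
        if not values:
            continue
        try:
            push(target, values)
            done[target] = values
        except Exception as exc:  # any failure at all counts as an incomplete deployment
            failed[target] = str(exc)
    return {"pushed": done, "failed": failed, "complete": not failed}


def simulated_push(failing=()):
    """Stand-in for real device/API pushers: succeeds except for the named targets."""
    def push(target, values):
        if target in failing:
            raise RuntimeError(f"{target} api timeout")
    return push


if __name__ == "__main__":
    plan, rejected = build_plan(REQUESTED)
    print("rejected:", rejected)
    print(deploy(plan, simulated_push(failing=("dns",))))
```

With the constructed request, the /0 and the free-text entry come back in `rejected`, the domain lands on proxies, DNS and firewalls at once, and if the DNS push fails the result says `complete: False` with the failing target named, which is exactly the "no partial deployments" guarantee the post is after.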

deanwebb

Indeed. Security is often a game of inches. But the good news is if the tools being used have good reporting, the pretty colors and circles in the reports can convince managers that we're making progress. :smug:

I'm working on a one-pager about firewall management tools. It's taking me back to $GLOBAL_MEGACORP days when we found all kinds of hell in our firewall rule sets when we started on that project.

Otanx

Quote from: deanwebb on March 23, 2022, 09:00:44 AM
I'm working on a one-pager about firewall management tools. It's taking me back to $GLOBAL_MEGACORP days when we found all kinds of hell in our firewall rule sets when we started on that project.

Can't wait for that one. Firewall rule management is a pain. We have automated object management so the objects that the rules reference are maintained automagically, but the rules themselves are still manual, and manual audit.

-Otanx

icecream-guy

Quote from: Otanx on March 23, 2022, 01:06:50 PM
Quote from: deanwebb on March 23, 2022, 09:00:44 AM
I'm working on a one-pager about firewall management tools. It's taking me back to $GLOBAL_MEGACORP days when we found all kinds of hell in our firewall rule sets when we started on that project.

Can't wait for that one. Firewall rule management is a pain. We have automated object management so the objects that the rules reference are maintained automagically, but the rules themselves are still manual, and manual audit.

-Otanx

I'm still living in a nightmare GAO audit from 2 years ago. Although Algosec is a fairly good firewall management tool, it does not really help with implementing the granular rules needed to secure the network; it just says that the traffic is permitted, and if not, makes it so. Policy is better, but someone has to define the policy. The granular rules are all manual using the ASA ACL hashes and Splunk to see what is hitting any particular rule, sort on count high to low and start trimming the offending rule.

:professorcat:

My Moral Fibers have been cut.
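The "sort on count high to low and trim" workflow from icecream-guy's post, as an added example (not code from the thread or from Algosec/Splunk). The sample lines are constructed and modelled on the ASA `show access-list` format, where each ACE ends in `(hitcnt=N)` followed by the ACE hash that also appears in the ASA syslog messages. It goes a little beyond the post: besides ranking by hit count, it queues up the busiest permits that use `any` as the candidates to tighten, lists zero-hit entries as removal candidates, and builds the hash-to-rule map needed to tie Splunk hits back to a line number.

```python
import re

# Constructed lines modelled on the ASA "show access-list" output format; not from a real device.
SAMPLE_ACL = """\
access-list outside_in; 5 elements; name hash: 0x0f1e2d3c
access-list outside_in line 1 extended permit tcp any host 203.0.113.10 eq www (hitcnt=482211) 0x1a2b3c4d
access-list outside_in line 2 extended permit ip any any (hitcnt=9133002) 0x5e6f7a8b
access-list outside_in line 3 extended permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.25 eq ssh (hitcnt=17) 0x9c0d1e2f
access-list outside_in line 4 extended permit udp any host 203.0.113.53 eq domain (hitcnt=0) 0x3a4b5c6d
access-list outside_in line 5 extended deny ip any any (hitcnt=55120) 0x7e8f9a0b
"""

ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended (?P<action>permit|deny) "
    r"(?P<match>.+?) \(hitcnt=(?P<hits>\d+)\) (?P<hash>0x[0-9a-fA-F]+)"
)


def parse_aces(text):
    """Parse ACE lines into dicts; headers, remarks and anything else is skipped."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw)
        if not m:
            continue
        aces.append({
            "acl": m["acl"], "line": int(m["line"]), "action": m["action"],
            "match": m["match"], "hits": int(m["hits"]), "hash": m["hash"],
        })
    return aces


def rank_by_hits(aces):
    """Busiest entries first: the order in which to review them."""
    return sorted(aces, key=lambda a: a["hits"], reverse=True)


def overbroad_permits(aces):
    """Permit entries with 'any' as source or destination, busiest first: the trimming queue."""
    return [a for a in rank_by_hits(aces)
            if a["action"] == "permit" and "any" in a["match"].split()]


def unused(aces):
    """Entries with no hits over the counter period: candidates for removal after review."""
    return [a for a in aces if a["hits"] == 0]


def hash_to_line(aces):
    """Map ACE hash -> (acl, line) so hits keyed by hash in Splunk can be tied back to a rule."""
    return {a["hash"]: (a["acl"], a["line"]) for a in aces}


if __name__ == "__main__":
    aces = parse_aces(SAMPLE_ACL)
    for a in overbroad_permits(aces):
        print(f"{a['acl']} line {a['line']:>3} hits={a['hits']:>9}  {a['action']} {a['match']}")
    print("zero-hit:", [a["line"] for a in unused(aces)])
```

Run against the sample, the `permit ip any any` on line 2 comes out on top by a wide margin, which is the rule to break into specific entries first; the zero-hit UDP permit on line 4 is flagged separately so it can be checked against the counter period before anyone deletes it.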

deanwebb

Algosec is more lightweight. I'd prefer Firemon or Tufin - currently partnered with Firemon, so I'll sing their praise. There's also RedSeal which is wicked cool for finding what CVEs you have exposed and where.