Most active commenters
  • tptacek(5)
  • mjg59(3)

←back to thread

I read the federal government’s Zero-Trust Memo so you don’t have to

(www.bastionzero.com)
656 points EthanHeilman | 13 comments | 27 Jan 22 15:06 UTC | HN request time: 1.668s | source | bottom
Show context
uncomputation ◴[27 Jan 22 17:33 UTC] No.30103419[source]
> “Enterprise applications should be able to be used over the public internet.”

Isn’t exposing your internal domains and systems outside VPN-gated access a risk? My understanding is this means internaltool.faang.com should now be publicly accessible.

replies(10): >>30103496 #>>30103558 #>>30103584 #>>30103588 #>>30103623 #>>30104344 #>>30104669 #>>30105221 #>>30106774 #>>30106879 #
1. tptacek ◴[27 Jan 22 19:03 UTC] No.30104669[source]
It is a risk. The discourse on VPNs is messy. It's true that you shouldn't rely solely on VPNs for access control to applications. It's also true that putting important services behind a VPN significantly reduces your attack surface, and also puts you in a position to get your arms around monitoring access.

The right way to set this stuff up is to have a strong modern VPN (preferably using WireGuard, because the implementations of every other VPN protocol are pretty unsafe) with SSO integration, and to have the applications exposed by that VPN also integrate with your SSO. Your users are generally on the VPN all day, and they're logging in to individual applications or SSH servers via Okta or Google.

"RIP VPNs" is not a great take.

replies(4): >>30104873 #>>30106246 #>>30106871 #>>30107049 #
2. SecurityLagoon ◴[27 Jan 22 19:17 UTC] No.30104873[source]
Thanks for saying this. This was exactly my take. Saying goodbye to VPNs just completely ignores the risk of RCE vulnerabilities on your services. You can have a VPN that still brings you into a zero trust network.
replies(1): >>30104924 #
3. tptacek ◴[27 Jan 22 19:21 UTC] No.30104924[source]
It does essentially define away the authentication bypass problem, which is a class of vulnerability we still regularly find in modern web applications. To say nothing of the fact that no human has ever implemented a SAML RP without a game-over vulnerability. Seems like a self-evidently bad plan.
4. emptysongglass ◴[27 Jan 22 20:38 UTC] No.30106246[source]
I don't like VPNs. I think there's better ways of protecting our infrastructure without them. AWS offers a lot of technologies for doing just that.

A VPN is another failure layer that when it goes down all of your remote workers are hosed. The productivity losses are immense. I've seen it first-hand. The same for bastion hosts. Some tiny misconfiguration that sneaks in and everybody is fubared.

Bastion hosts and VPNs: we have better ways of protecting our valuables that's also a huge win for worker mobility and security.

replies(1): >>30106419 #
5. tptacek ◴[27 Jan 22 20:48 UTC] No.30106419[source]
That's true of legacy VPNs like OpenVPN, and less true of modern VPNs. But either way: a VPN is a meaningful attack surface reduction for all internal apps that don't require individual apps to opt-in or stage changes for, and doesn't require point-by-point auditing of every app. Most organizations I've worked with would be hard-pressed to even generate an inventory of all their internal apps, let alone an assurance that they're properly employing web application security techniques to ensure that they're safe to expose on the Internet.

We're just going to disagree about this.

6. mjg59 ◴[27 Jan 22 21:19 UTC] No.30106871[source]
It's not clear to me that a VPN endpoint is a meaningfully smaller attack surface than an authenticating proxy? The VPN approach has a couple of downsides:

* You don't have a central location to perform more granular access control. Per-service context aware access restrictions (device state, host location, that sort of thing) need to be punted down to the services rather than being centrally managed.

* Device state validation is either a one-shot event or, again, needs to be incorporated into the services rather than just living in one place.

I love Wireguard and there's a whole bunch of problems it solves, but I really don't see a need for a VPN for access to most corporate resources.

replies(1): >>30106926 #
7. tptacek ◴[27 Jan 22 21:24 UTC] No.30106926[source]
Sure: an authenticating proxy serves the same purpose. I agree that unless you have a pretty clever VPN configuration, you're losing the device context stuff, which matters a lot in some places.

I'd do:

* SSO integration on all internal apps.

* An authenticating proxy if the org that owned it was sharp and had total institutional buy-in both from developers and from ops.

* A WireGuard VPN otherwise.

replies(2): >>30107068 #>>30110524 #
8. count ◴[27 Jan 22 21:33 UTC] No.30107049[source]
If you can get the govt to drop FIPS or wireguard to change to ...different crypto, wireguard would take off like hotcakes.

I'd be flogging tailscale so hard!

Stupid policies.

9. mjg59 ◴[27 Jan 22 21:34 UTC] No.30107068{3}[source]
If you have the institutional buy-in to handle auth being done at the proxy level, that gets you away from having to implement SSO per service. I agree that doing this well isn't trivial, but in the long term there's a reasonably compelling argument that it makes life easier for both developers and ops.
10. xyzzy_plugh ◴[28 Jan 22 03:51 UTC] No.30110524{3}[source]
> * SSO integration on all internal apps.

> * An authenticating proxy

I'm having trouble understanding what the fundamental difference is between these. Is it just a matter of a single, centralized proxy at the perimeter of your service network versus in-service SSO? Is there a functional difference between being in the same process space versus a sidecar on the same host versus a service on another host?

Ultimately it boils down to trusting the authority, whether that's a function (code review), a shared library (BOM), an RPC (TLS), a sidecar (kernel), or a foreign service (mTLS). There are different strengths and weaknesses for each of these, but it's not clear to me that the options you would prefer are distinctly more or less secure -- maybe there is an argument for defense in depth, but I'm not certain that's what you're pitching.

replies(1): >>30111498 #
11. mjg59 ◴[28 Jan 22 07:01 UTC] No.30111498{4}[source]
Most SSO solutions don't verify device identity or state, so you're not ensuring that the connection is coming from a computer you trust running software you trust.
replies(1): >>30112189 #
12. xyzzy_plugh ◴[28 Jan 22 08:42 UTC] No.30112189{5}[source]
I guess it's a matter of what the IdP attests. It's definitely possible for an IdP like Okta to include a ton of client details as part of the attestation payload. Stuff like GeoIP, client certificate fields, MDM status, etc.
replies(1): >>30115912 #
13. tptacek ◴[28 Jan 22 15:36 UTC] No.30115912{6}[source]
Right, but you have to individually set up all of your apps to work with it; the proxy can be mandatory for all apps by dint of network controls.