<div dir="ltr"><div><div><div>It's not possible to be in the wrong group on the Internet. On the Internet, everyone knows everything ;)<br><br></div>Pointing to where it's all been tried before and all too hard, overlooks businesses actively creating successful business opportunities based on a security plane overlay (APM), and new protocols (SAML). But these aren't solutions, they're after-the-fact workarounds, symptoms of the underlying failure to deliver end-to-end security at the network layer. If you're dialling in from Chad or Upper Volta, welcome to the internet, but I really don't want your packets touching my email spool, ever.<br><br></div><div> SSL is not the solution, it's just another bandaid. We're approaching a situation where you don't need a firewall because a router ACL on port 443 offers equivalent security. And then because now you can't secure the control plane because the data's encrypted, you have to spoof certificates on the firewall.<br><br>It smacks of all care and no responsibility. (Read any user license) And if you get hacked, you were stupid, and probably ugly, overlooking that the overwhelming majority of IT users are definitely not literate in IT security.<br></div><div><br></div>Kind regards<br><br></div>Paul Wilkins<br></div><div class="gmail_extra"><br><div class="gmail_quote">On 18 May 2017 at 00:51, Chris Hurley <span dir="ltr"><<a href="mailto:chris@minopher.net.au" target="_blank">chris@minopher.net.au</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-family:Calibri,sans-serif"><div>At the end of the day it's about sharing ideas/experiences.</div><div><br></div><div>If you think you know everything, sadly you're with the wrong group. 
;-)</div><div><br></div><span id="m_8425051030530994749OLK_SRC_BODY_SECTION"><div style="font-family:Calibri;font-size:11pt;text-align:left;color:black;BORDER-BOTTOM:medium none;BORDER-LEFT:medium none;PADDING-BOTTOM:0in;PADDING-LEFT:0in;PADDING-RIGHT:0in;BORDER-TOP:#b5c4df 1pt solid;BORDER-RIGHT:medium none;PADDING-TOP:3pt"><span style="font-weight:bold">From: </span> AusNOG <<a href="mailto:ausnog-bounces@lists.ausnog.net" target="_blank">ausnog-bounces@lists.ausnog.<wbr>net</a>> on behalf of John Lindsay <<a href="mailto:johnslindsay@mac.com" target="_blank">johnslindsay@mac.com</a>><br><span style="font-weight:bold">Date: </span> Thursday, 18 May 2017 12:13 AM<br><span style="font-weight:bold">To: </span> Mark Smith <<a href="mailto:markzzzsmith@gmail.com" target="_blank">markzzzsmith@gmail.com</a>><br><span style="font-weight:bold">Cc: </span> AUSNog <<a href="mailto:ausnog@lists.ausnog.net" target="_blank">ausnog@lists.ausnog.net</a>><span class=""><br><span style="font-weight:bold">Subject: </span> Re: [AusNOG] The Ransomware to come<br></span></div><div><div class="h5"><div><br></div><div><div dir="auto"><div>Watching your server get owned between installing the OS and the patching finishing is always sobering. 
<br><br><div>John Lindsay</div></div><div><br>On 17 May 2017, at 11:14 pm, Mark Smith <<a href="mailto:markzzzsmith@gmail.com" target="_blank">markzzzsmith@gmail.com</a>> wrote:<br><br></div><blockquote type="cite"><div><div dir="auto"><div><br><div class="gmail_extra"><br><div class="gmail_quote">On 17 May 2017 10:36 pm, "James Hodgkinson" <<a href="mailto:yaleman@ricetek.net" target="_blank">yaleman@ricetek.net</a>> wrote:<br type="attribution"><blockquote class="m_8425051030530994749quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><u></u><div><div class="m_8425051030530994749quoted-text"><div>> <span class="m_8425051030530994749m_6972393465376694500highlight" style="background-color:rgb(255,255,255)"><span class="m_8425051030530994749m_6972393465376694500colour" style="color:rgb(31,31,31)"><span class="m_8425051030530994749m_6972393465376694500font" style="font-family:'Source Sans Pro',sans-serif"><span class="m_8425051030530994749m_6972393465376694500size" style="font-size:14px">according to the data's provenance</span></span></span></span><br></div><div><span class="m_8425051030530994749m_6972393465376694500highlight" style="background-color:rgb(255,255,255)"><span class="m_8425051030530994749m_6972393465376694500colour" style="color:rgb(31,31,31)"><span class="m_8425051030530994749m_6972393465376694500font" style="font-family:'Source Sans Pro',sans-serif"><span class="m_8425051030530994749m_6972393465376694500size" style="font-size:14px"><br></span></span></span></span></div></div><div>And how do you verify this provenance? I'm still looking for any more methods of confirming provenance or intent or validity than the ones we already have - which work perfectly well when implemented correctly. The same way your various "planes" would work well *if* implemented correctly. 
<br></div><div><br></div><div>I think you're missing out on a whole world of security that's already in place by being stuck in old world ideas of segmenting traffic for the sake of it.<br></div><div><br></div><div>Check out Beyond Corp (<a href="https://beyondcorp.com/" target="_blank">https://beyondcorp.com/</a>) and the Zero-Trust concepts for something already out there which helps solve what you're trying to do, but doesn't require a whole new networking protocol for the sake of it.</div></div></blockquote></div></div></div><div dir="auto"><br></div><div dir="auto">I think they're giving Google a bit too much credit for this idea of having a perimeterless network- although it is very good to have them as a major production example to point towards.</div><div dir="auto"><br></div><div dir="auto">First time I came across the idea was in Steve Bellovin's "Distributed Firewalls" from 1999. Entirely changed my perspective on where host security is best done, having deployed network firewalls in around 1996 when they were just coming into the scene.</div><div dir="auto"><br></div><div dir="auto"><a href="https://www.cs.columbia.edu/~smb/papers/distfw.pdf" target="_blank">https://www.cs.columbia.edu/~<wbr>smb/papers/distfw.pdf</a><br></div><div dir="auto"><br></div><div dir="auto">Many parts of my 2013 AusNOG presentation were heavily influenced by that paper and its fundamental ideas and observations.</div><div dir="auto"><br></div><div dir="auto">Look up Steve Bellovin to see how significant it is for him to say the firewalling is best done primarily on the hosts.</div><div dir="auto"><br></div><div dir="auto">A slightly more recent project related to "perimeterless networks" was the Jericho Forum, founded in 2004.</div><div dir="auto"><br></div><div dir="auto"><a href="https://en.m.wikipedia.org/wiki/Jericho_Forum" target="_blank">https://en.m.wikipedia.org/<wbr>wiki/Jericho_Forum</a><br></div><div dir="auto"><br></div><div dir="auto">Regards,</div><div 
dir="auto">Mark.</div><div dir="auto"><br></div><div dir="auto"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="m_8425051030530994749quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><font color="#888888"><br></font></div><font color="#888888"><div><br></div><div>James <br></div></font><div class="m_8425051030530994749elided-text"><div><br></div><div><br></div><div>On Wed, 17 May 2017, at 21:45, Paul Wilkins wrote:<br></div></div><blockquote type="cite"><div class="m_8425051030530994749elided-text"><div dir="ltr"><div><div><div>Mark,<br></div><div>That's a good question and I'm glad you asked.<br></div><div><br></div></div><div>Once you have a security plane for your data, you can assign profiles according to the data's provenance. Integrate this with your OS security plane, including as an input to your virus scanner, with a view ultimately to preventing control plane actions (like encrypting all your data) that emanate from untrusted or untrustworthy sources from ever being allowed write access outside of the mail spool.<br></div></div><div>The basic problem being, the OS treats a control plane action on a socket the same, regardless of whether you're logged in from iLO, or coming remote from Ukraine. Firewalls are essentially creating an artificial security plane, but it's a bandaid, and requires you architect your network to channel all your traffic through a chokepoint. 
If a socket's security profile was part of the API, the profile would follow control actions up the stack, and you'd get end-to-end security.<br></div><div><br></div><div><div>Kind regards<br></div></div><div>Paul Wilkins<br></div></div><div><div><br></div><div><div>On 17 May 2017 at 11:12, Mark Newton <span dir="ltr"><<a href="mailto:newton@atdot.dotat.org" target="_blank">newton@atdot.dotat.org</a>></span> wrote:<br></div><blockquote style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div><span>On May 14, 2017, at 3:34 PM, Paul Wilkins <<a href="mailto:paulwilkins369@gmail.com" target="_blank">paulwilkins369@gmail.com</a>> wrote:<br> > My feeling is we could see Cisco invent a means of allocating SGT tags by BGP community extended to 64 bits, and some integration of 802.1x to deliver Trustsec to the desktop. The problem being, this implies separate routing tables for different security profiles, being necessarily the case, which is not something ipv6 could be made to support.<br> <br> </span>How, precisely, would that make any difference to the ransomware attack that sparked your creation of this thread?</div><div> <span><span class="m_8425051030530994749m_6972393465376694500colour" style="color:rgb(136,136,136)"><br> - mark<br> <br> <br> </span></span></div></blockquote></div></div></div><div class="m_8425051030530994749quoted-text"><div><u>______________________________<wbr>_________________</u><br></div><div>AusNOG mailing list<br></div><div><a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br></div><div><a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailma<wbr>n/listinfo/ausnog</a><br></div></div></blockquote><div><br></div></div>
</blockquote></div><br></div></div></div></div></blockquote></div></div>
</div></div></span></div>
<br></blockquote></div><br></div>
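Added illustration, not code from any poster in the thread: a small Python sketch of the idea Paul describes (a socket's provenance profile that is attached once and then consulted by every layer before a control-plane action is permitted) and of the host-side enforcement Mark Smith points to in Bellovin's distributed-firewall paper. The prefixes, the trust levels, the action names and the spool path are all hypothetical values constructed for the example; a real deployment would derive the profile from something stronger than a source address (mutual TLS identity, 802.1X port state, or an SGT carried in-band), but the shape of the check is the same.

```python
"""Per-socket provenance profile carried with a request and consulted before
any control-plane action.  Added illustration; every network, action and
path below is a constructed example value, not taken from the mailing list."""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from pathlib import PurePosixPath
from typing import Optional


class Trust(Enum):
    INTERNET = 1      # anything not explicitly classified
    CORPORATE = 2     # hypothetical internal user networks
    MANAGEMENT = 3    # hypothetical out-of-band / lights-out management network


# Hypothetical provenance map; most specific prefixes listed first.
PROVENANCE_MAP = [
    (ipaddress.ip_network("10.0.99.0/24"), Trust.MANAGEMENT),
    (ipaddress.ip_network("10.0.0.0/8"), Trust.CORPORATE),
    (ipaddress.ip_network("fd00::/8"), Trust.CORPORATE),
]

# Hypothetical policy: the control-plane actions each profile may request.
ALLOWED_ACTIONS = {
    Trust.INTERNET: {"deliver"},
    Trust.CORPORATE: {"deliver", "read"},
    Trust.MANAGEMENT: {"deliver", "read", "write", "encrypt_volume"},
}

# The only area a low-trust peer may ever cause a write to (constructed path).
SPOOL_ROOT = PurePosixPath("/var/spool/mail")


@dataclass(frozen=True)
class SocketProfile:
    peer: str
    trust: Trust


def classify_peer(peer_ip: str) -> SocketProfile:
    """Tag a connection with a trust level derived from the peer address."""
    addr = ipaddress.ip_address(peer_ip)
    for net, trust in PROVENANCE_MAP:
        if addr.version == net.version and addr in net:
            return SocketProfile(peer_ip, trust)
    return SocketProfile(peer_ip, Trust.INTERNET)


def inside_spool(path: str) -> bool:
    """True only for absolute paths under SPOOL_ROOT with no '..' components.
    PurePosixPath does not collapse '..', so a traversal attempt stays visible."""
    p = PurePosixPath(path)
    if not p.is_absolute() or ".." in p.parts:
        return False
    return p == SPOOL_ROOT or SPOOL_ROOT in p.parents


def authorize(profile: SocketProfile, action: str,
              path: Optional[str] = None) -> bool:
    """Decide whether the peer behind this socket may perform `action`.
    Writes requested by anything below MANAGEMENT are confined to the spool."""
    if action not in ALLOWED_ACTIONS[profile.trust]:
        return False
    if action in ("deliver", "write") and profile.trust is not Trust.MANAGEMENT:
        return path is not None and inside_spool(path)
    return True


def handle_request(peer_ip: str, action: str, path: Optional[str] = None):
    """The profile is computed once, at accept() time, and follows the request
    up the stack; the decision is made wherever the action is attempted."""
    profile = classify_peer(peer_ip)
    return profile.trust.name, authorize(profile, action, path)


if __name__ == "__main__":
    # Constructed sample requests: an internet peer delivering mail, the same
    # peer trying to escape the spool, and encrypt_volume from two networks.
    for req in [("198.51.100.7", "deliver", "/var/spool/mail/alice"),
                ("198.51.100.7", "deliver", "/var/spool/mail/../../../etc/passwd"),
                ("10.1.2.3", "encrypt_volume", None),
                ("10.0.99.5", "encrypt_volume", None)]:
        print(req, "->", handle_request(*req))
```

The point of the sketch is the last function: the address-derived profile is decided once and then travels with the request object, so the code that performs a write does not have to know or care whether a perimeter firewall existed in front of it. That is the host-side enforcement Bellovin argued for, and it is the property a port-443 ACL cannot give you.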