redfox

After reading this article, I had a few dissenting thoughts, maybe someone will provide their perspective?

The article suggests not running critical workloads virtually based on a failure scenario of the hosting environment (such as ransomware on hypervisor).

That does allow using the 'all your eggs in one basket' phrase, so I agree that running at least one instance of a service physically could be justified, but threat actors will be trying to time execution of attacks against both if possible. Adding complexity works both ways here.

I don't really agree with the comments about not patching however. The premise that the physical workload or instance would be patched or updated more than the virtual one seems unrelated. A hesitance to patch systems is more about up time vs downtime vs breaking vs risk in my opinion.

Is your organization running critical workloads virtual like anything else, combination physical and virtual, or combination of all previous plus cloud solutions (off prem)?

I've seen companies do all sorts of home grown things.

One uses a spreadsheet that is just the configuration row by row, they turn it I to text file and copy to startup, reload.

I have used git servers to do the same thing, but with obvious change tracking history of git.

What real or home grown things are you using?

Currently using an ISR4461x. Now 17.7+ supports ssl VPN.

Should we learn flexvpn or do ssl VPN?

This is a network defense design scheme question.

In a scenario where your organization is designing multi-layered firewall deployment and management, how granular  do you create rules at each of these three layers?

Example site is a main/HQ site that also houses your data center (basic 3 tier model).

1. Site has your main internet gateway and VPN termination point. As am example, it's a Cisco or other ZBF. It has four zones: (1) Internet, (2) VPNs from other sites/clients, (3) your corporate LAN including data center, (4) Guest/untrusted/Iot.

2. Between your gateway and the rest of your corporate network/datacenter, you have transparent proxy firewall/IPS/monitor. It's bridging traffic between gateway and data center.

3. Within data center, hosts have software host based firewalls, all centrally managed by management product.

Questions:

• How granular do you make ZBF policies at gateway? Limit it to broad zones, subnets, etc? Get granular by source/destination? Further granular by source/destination/port?

• How granular do you make rules for transparent proxies between segments? Src/dst? Src/dst/port?

• How granular do you make rules for host based firewalls? Src/dst? Src/dst/port? Src/dst/port/application/executable?

• How have organizations you've worked for implemented these strategies?

• Were they manageable vs effective?

• Did the organization detect/prevent lateral movement if any unauthorized access happened?

• What would you change about your organization's firewall related designs?

What sources of technical controls does your organization use?

Do you base device/operating system configurations on:

• CIS workbench?
• NIST/STIG?
• Microsoft best practice?
• Google searches and 'that looks good'?

How closely rigorously does your organization enforce change management for policies or settings?

• Can you change GPOs/Linux/Network device settings as needed?
• During maintenance window?
• After a group meeting with code/change review and some sort of approval authority?

Does anyone fully implement workstation and server logon restrictions, and priviledged access workstations (PAW) as prescribed by NIST/STIG/CIS?

The URL is Microsoft's long description of the same concepts.

Specifically from the above, there's a few things like:

• Establishing asset/systems tiers (domain controllers or entire org compromise tier 0, moving towards less consequence in the event of system compromise)
• Accounts with the Active Directory Domain Admins or equivalent are supposed to be blocked from logging into lower tier assets
• Workstations that have access to log into these super sensitive assets like Domain controllers for management are considered PAWs, and are blocked from internet access, highly locked down, might have extra hoops or management plane assets are air gapped?

Question:

Does anyone actually do any of this at their organization?

If so, to what degree?

People hated red forest because it was a whole other set of infrastructure to baby sit.

People hate air gapped systems because no remote access or work from home.

The above doesn't work well with cloud, and as a result Microsoft (just as an example) pushed for the new hybrid PIM models replacing their old red forest concept.

I'm just curious.

I don't even know where to begin with some of the quotes in this article, good or bad.

The topic of politics can be aggausting, but I wonder if there isn't merit to this idea?

If we'll have republican local reps regardless based on trends, should people jump party and vote for more moderate candidates, if any exist?

Even if you know your candidate isn't likely to win, do you vote them on principle to vote metrics and data, or do you vote for the lesser evil opponent, even if you feel dirty for it?

I'm not taking or endorsing a side or suggesting anyone should, just curious. Pretend it's the opposite parties than Indiana if it helps thinking through it.

My reason for posting this question is to get some perspective, since I don't live further west than Indiana.

Indiana has a lot of conservative tendencies, usually opposes progressive policies, and a little old school bigotry in the form of religion based disagreement with people's life styles, like letter community.

From an outsiders perspective, TX, OK, MO etc are even more extreme.

This permalink above from a comment from a person referencing recently proposed legislation against letter community people specifically, though there's tons of examples of bigotry like the school principal getting sued for discrimination due to a kid's hair (black hair).

We know Lemmy is a bit more populated with left than right thinkers, but regardless, what's going on in these western plains states? Is it as bad as it looks?

Do you personally know some sweet old church ladies who 'hate the gays because they'll going to hell' or are there just more extreme law makers being elected that don't represent the majority?

EDIT: tried to fix link to a conversation instead of a login page.

This is not an ad.

Does anyone have experience with Tenable products?

I'm interested in real world experience regarding:

• cost
• effectiveness
• ease of use

I'm playing with Tenable Security Center and Nessus Scanner. I'm early in the deployment, just looking for pointers and whether anyone has used it?

What alternatives is your org using if not?

Can you compare?

Edit, if anyone is interested, I can post results and opinions here also.

I like this bean. It's smooth, and I usually like roasts with chocolate notes.

I'm also cheap. This is around .50 cents US per once.

Do you have a favorite bean that's medium/smooth, and also in the .50 range that can be ordered online?

My local roasters are all around a dollar per once and I haven't found anything that was so good, I couldn't go back to this for half the cost, so I do them as a special occasion.

Not sure if this was already posted.

The article describes the referenced court case, and the artist's views and intentions.

Personally, I both loved and hated the idea at first. The more I think about it, the more I find it valuable in some way.

Indiana just passed legislation to require schools to ban phones.

They permit them for health reasons, emergencies, when part of lesson, and when part of a formal plan.

I personally don't like the idea of schools requiring locking them up. What would you do in that emergency they mentioned?

Why should kids not be able to use them at lunch?

If you want to control your kid's phone time, there's already apps for that.

Edit: additional comment from a teacher: she said the phone restrictions aren't going to be as effective as one would think with all the kids having watches with data plans. Dude...