With the right appliance, you can do DPI (deep packet inspection) - which checks not only the header of a package, but also the content of the package.
Another buzzword to look for is NAC (network access control) - endpoints are scanned as soon as they connect to the network. If they are not compliant (e.g. required software like virus scanner or agents are installed), the machine is moved to a specific (quarantine) network segment.
One of the simpler methods is just to check machines' MAC addresses and block them if they are not known.
On 05.02.2020 05:12:50 Lincoln King-Cliby <lincoln@...> wrote:
It depends on how uptight ITSec is and the threat posture, among other things I've seen with some regularity and in various combinations:

Computers have to be authenticated using 802.1X. Without being a proper 802.1X client you either have no access, "walled garden" access to specific resources (e.g. download the antispam and systems management software), or access to internal resources only.
Outbound traffic is permitted on ports 80 (HTTP) and 443 (HTTPS) only.
In addition to this, arbitrarily short max TTLs drop connections after "long enough to download a webpage or average graphic" but before "you can transfer any substantial amount of data".
All outbound traffic is routed through a man-in-the-middle proxy/compliance agent.
Depending on the aggressiveness of the MITM configuration you may see certificate errors (because the traffic is being decrypted and encrypted along the way – and usually in such a configuration a root cert with the proper signatures is pushed as part of GPO and/or software images so machines properly on the network don't see the MITM cert as invalid).
Even if you aren't snooping encrypted traffic you can pick up a lot from non-encrypted header info – or lack thereof.
This seems to be particularly common in large healthcare.
Traffic patterns relative to assets and assigned users can be monitored. If a box appears on the network that has no known owner user, isn't monitored by the device management/deployment solution the client is using, and is generating unusual outbound traffic (non-HTTP/HTTPS) it will raise eyebrows.
Likewise, traffic flow alone can raise flags – is a device that's not classified as a server/not on a server VLAN/etc pushing a large amount of data out towards the Internet, especially relative to the data that is being pulled in from the Internet?
HTTPS SSL VPN traffic, broadly speaking, looks different over time than "standard" HTTPS traffic. If you/the network monitoring solution is just looking at a few packets it might not be distinguishable, but over day(s) or longer it stands out to humans and automation.
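The flow-based heuristics Lincoln describes (non-HTTP/HTTPS egress from a workstation, connections outliving a maximum duration, and a device pushing far more data out than it pulls in) can be scored from NetFlow-style records. The following is an added example written for this thread, not code from any poster or product; the flow tuples, host names, thresholds and the "server VLAN" exemption list are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flow records: (source host, destination port,
# bytes out, bytes in, duration in seconds). Values are invented for
# illustration and are not taken from any real network.
FLOWS = [
    ("ws-0412", 443, 1_200,     85_000,  12),    # normal browsing: small request, large response
    ("ws-0412", 443, 900,       40_000,  8),
    ("ws-0987", 443, 250_000,   30_000,  3600),  # long-lived and mostly outbound: tunnel-like
    ("ws-0987", 443, 310_000,   28_000,  7200),
    ("srv-db1", 443, 5_000_000, 100_000, 600),   # on the server VLAN, so exempt from the ratio check
    ("ws-0555", 22,  4_000,     2_000,   5),     # non-HTTP/HTTPS egress from a workstation
]
SERVER_HOSTS = {"srv-db1"}      # assumed asset inventory of hosts allowed to push bulk data
ALLOWED_PORTS = {80, 443}       # the "80 and 443 only" egress policy from the thread


def flag_flows(flows, server_hosts=SERVER_HOSTS, allowed_ports=ALLOWED_PORTS,
               ratio_threshold=3.0, max_duration=600):
    """Return {host: [reasons]} for non-server hosts whose egress looks suspicious."""
    per_host = defaultdict(lambda: {"out": 0, "in": 0, "bad_port": False, "long": False})
    for host, port, out_b, in_b, dur in flows:
        if host in server_hosts:
            continue                      # servers are expected to push data; skip them
        rec = per_host[host]
        rec["out"] += out_b
        rec["in"] += in_b
        if port not in allowed_ports:
            rec["bad_port"] = True        # egress outside the HTTP/HTTPS allow-list
        if dur > max_duration:
            rec["long"] = True            # would have been cut by a short max TTL
    findings = {}
    for host, rec in per_host.items():
        reasons = []
        if rec["bad_port"]:
            reasons.append("non-HTTP/HTTPS egress")
        if rec["long"]:
            reasons.append("connection exceeds max duration")
        # Browsing pulls far more than it pushes; a tunnel inverts that ratio.
        if rec["in"] and rec["out"] / rec["in"] > ratio_threshold:
            reasons.append("outbound/inbound byte ratio high")
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in flag_flows(FLOWS).items():
        print(host, "->", "; ".join(reasons))
```

Over the constructed records only ws-0987 (duration and byte ratio) and ws-0555 (port 22) are flagged; the same aggregation works per day rather than per flow, which is the time scale at which the thread says such traffic stands out.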
Question to those who say this type of connection would be blocked by IT Dept on a corporate network. HOW? How would the network prevent this device from calling/tunneling home?
Since VPN is encrypted, it would look like any other encrypted traffic to the network. The network doesn't block HTTPS connections or other encrypted connections usually, so how would it know it's a VPN connection and not something else? If the answer is a specific port #, can't you just configure the VPN to use a different port that isn't blocked?
I know some Corps block TeamViewer and Dropbox/Box and things, but I always assumed these were blocked by both standard port usage and endpoint/host connection. ie: they all call home to a limited number of IP addresses owned by TeamViewer or Dropbox, and those can be blocked if you have a list of them. But if you're doing your own VPN, they wouldn't have a list of what VPN server address you are using to block, it would be some random IP to them. Unless this relies on a very well known VPN server service that they have on a block list (I doubt it).
Just like my ISP can't tell if I VPN outside of their network or not, I don't think a corporate network can tell easily either. I'm not a VPN expert though, am I missing something?
-- Jason Mussetter