Jenkins amplification
Matt Harris
matt at netfire.net
Mon Feb 3 19:34:09 UTC 2020
On Mon, Feb 3, 2020 at 12:50 PM Christopher Morrow <morrowc.lists at gmail.com>
wrote:
>
> Sorry, to be a little less flippant and a bit more productive:
> "I don't think every remote endpoint needs full access (or even some
> compromise based on how well you can/can't scale your VPN box's
> policies) access to the internal network. I think you don't even want
> to provide this access based on some loose ideas about 'ip address'
> and 'vpn identity'."
>
This isn't particularly difficult or costly to do right, though. pfSense on
a VM with relatively minimal resources running your VPNs works very well
and can easily be configured to authenticate against, for example, LDAP as
well. It also has a convenient firewall configuration user interface that's
very straight-forward, so you don't need some highly-paid network
engineering guru to manage the thing, either, so you can associate a given
identity with a given address and then apply firewall rules right at that
VPN border in addition to the other access controls that you should have in
place upstream. Certainly giving full access to everyone is overkill,
unnecessary, and can be problematic for obvious reasons - but at the same
time, we're talking about back doors here when many of the same folks
worried about these back doors also have wide open front doors at the same
time.
Matt Harris|CIO
816-256-5446|Direct
Looking for something?
Helpdesk Portal|Email Support|Billing Portal
We build and deliver innovative IT solutions.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20200203/8a8ff5ac/attachment.html>
More information about the NANOG
mailing list