Jenkins amplification

Mike Meredith mike.meredith at port.ac.uk
Tue Feb 4 16:12:45 UTC 2020


On Mon, 3 Feb 2020 16:13:34 -0500, Christopher Morrow
<morrowc.lists at gmail.com> may have written:
> My experience, and granted it's fairly scoped, is that this sort of thing
> works fine for a relatively small set of 'persons' and 'resources'.

Seeing as managing this sort of thing is my primary job these days ...

> it ends up being about the cross-product of #users * #resources.

That's the interesting part of the job - coalescing rules in a way that
minimises the security impact but maximises the decrease of complexity. If
you don't, you get an explosion of complexity that results in a set of
rules (I know of an equivalent organisation that has over 1,000 firewall
rules) that becomes insanely complex to manage. 

> certainly a more holistic version of the story is correct.
> the relatively flippant answer way-back-up-list of: "vpn"

I think that "vpn" is the right answer - it's preferable to publishing
services to the entire world that only need to be used by employees. But
it's not cheap or easy.

-- 
Mike Meredith, University of Portsmouth
Hostmaster, Security, and Chief Systems Engineer
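
The users x resources trade-off discussed above, as an added example that is not code from the post or from the University of Portsmouth: a toy access matrix (constructed here, with made-up employee and service names) is first reduced losslessly, by giving every set of users with identical needs one group rule, and then reduced further by a greedy merge that is allowed to over-grant at most a fixed number of (user, resource) pairs per merge. The second step is what shrinks the rule count, and the returned extra pairs are the security cost of doing so.

```python
"""Coalescing per-(user, resource) allow rules into group rules.

Constructed example: ACCESS is a hypothetical access matrix, not data from
any real environment.  exact_rules() is the naive cross-product, 
coalesce_lossless() is rule grouping that grants nothing new, and
coalesce_lossy() trades a bounded amount of over-granting for fewer rules.
"""
from itertools import combinations

# Constructed: which internal services each employee needs to reach.
ACCESS = {
    "alice": {"git", "jenkins", "wiki"},
    "bob":   {"git", "jenkins", "wiki"},
    "carol": {"git", "jenkins", "wiki", "artifactory"},
    "dave":  {"wiki", "hr-portal"},
    "erin":  {"wiki", "hr-portal"},
    "frank": {"wiki", "hr-portal", "payroll"},
    "grace": {"git", "jenkins"},
}


def exact_rules(access):
    """One allow rule per (user, resource) pair: #users * #resources worst case."""
    return {(u, r) for u, rs in access.items() for r in rs}


def coalesce_lossless(access):
    """Users with identical resource sets share one rule.

    Returns {frozenset(users): frozenset(resources)}.  Expanding the result
    reproduces exact_rules(access) exactly, so nothing extra is granted.
    """
    by_resources = {}
    for user, resources in access.items():
        by_resources.setdefault(frozenset(resources), set()).add(user)
    return {frozenset(users): rs for rs, users in by_resources.items()}


def expand(rules):
    """Expand group rules back into (user, resource) pairs."""
    return {(u, r) for users, rs in rules.items() for u in users for r in rs}


def coalesce_lossy(access, max_extra):
    """Greedily merge the pair of groups whose union over-grants the fewest
    (user, resource) pairs, as long as that number is <= max_extra.

    Returns (rules, extra) where extra is the set of pairs the final rule
    set allows that the original access matrix did not.
    """
    rules = coalesce_lossless(access)
    baseline = exact_rules(access)
    while True:
        best = None
        for (ua, ra), (ub, rb) in combinations(rules.items(), 2):
            users, resources = ua | ub, ra | rb
            # Pairs the merged rule would grant that neither group had.
            extra = {(u, r) for u in users for r in resources} - expand({ua: ra, ub: rb})
            if len(extra) <= max_extra and (best is None or len(extra) < len(best[2])):
                best = (ua, ub, extra, users, resources)
        if best is None:
            break
        ua, ub, _, users, resources = best
        del rules[ua], rules[ub]
        rules[users] = resources
    return rules, expand(rules) - baseline


def summarise(access, max_extra):
    """Rule counts and over-grant size for each strategy, for comparison."""
    lossy_rules, extra = coalesce_lossy(access, max_extra)
    return {
        "exact": len(exact_rules(access)),
        "lossless": len(coalesce_lossless(access)),
        "lossy": len(lossy_rules),
        "extra_pairs": len(extra),
    }


if __name__ == "__main__":
    for budget in (0, 2):
        print(f"max_extra={budget}:", summarise(ACCESS, budget))
    _, extra = coalesce_lossy(ACCESS, 2)
    print("over-granted:", sorted(extra))
```

On this matrix the 19 exact rules collapse to 5 without granting anything, and to 3 once two over-grants per merge are tolerated, at the price of three pairs (grace to wiki, dave and erin to payroll) that nobody asked for. Those three pairs are what has to be reviewed before the merged rule goes live; a budget of 0 is the "no security impact" setting and gives you only the lossless grouping.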
 