The Chief Product Officer at Yubico thinks "long passwords" offer little security. 2ee75ee4e4b359576257fc7d3bfc5ec75d358f10e17caf9e668e09cc032af36d That is the SHA256 of the 76-character passphrase to my master backups, plus '!'. Pwn me. I'm waiting.https://twitter.com/appenz/status/1238121735142031360 …
-
The VPN also provides a single point of entry. If I have dozens of SSH endpoints reachable from outside, forgetting to patch or misconfiguring any of them provides a potential entry point. With this setup, you need either a VPN pre-auth RCE or a client cert.
Yeah, I have a ton of VLANs mostly for testing purposes and stuff like that. The core is mostly 4 though, 1) networking equipment (management), 2) "private" network, 3) public/guest network, 4) IoT. Only 2 and 3 are openly routed to the internet, rest of routing is finer grained
-
-
I do however fully route 2 and 3, because I rely on host security policies (firewall) to decide what goes where between those, not on router ACLs. The segmentation there is to avoid blatant IP spoofing, so I can use simple IP ACLs. And then there's some IPsec host pairs on 2.
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
My firewall domains (not all vlans, some physical interfaces) * internet * networking equipment * lab SCADA * family/guest wifi+wired * lab workstations/servers * DMZ for internet-facing servers * DMZ for internet-facing clients (browsers, irc) * sandbox for development
-
* security cameras * VPN clients * non-lab SCADA (sump pump monitor etc) All are fully routed. Additionally, VPN IPs are bound to specific certificates to provide a (somewhat weak) additional layer of policy between different clients.
- Show replies
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.