On Sunday 24 Jan 2016 13:44:12 Rich Freeman wrote:
> On Sun, Jan 24, 2016 at 1:36 PM, Mick <michaelkintzios@×××××.com> wrote:
> > On Sunday 24 Jan 2016 11:40:04 Rich Freeman wrote:
> >> On Sun, Jan 24, 2016 at 10:56 AM, Grant <emailgrant@×××××.com> wrote:
> >> > So the user is safe if I send all internet requests from her remote
> >> > laptop through the Zerotier connection (instead of only sending
> >> > requests to my server through Zerotier)?
> >>
> >> It depends on what you mean by "safe." If you mean that there is no
> >> possibility of malware stealing or messing with your data, this is the
> >> case as long as:
> >> 1. You ensure that no malware enters through zerotier.
> >> 2. No malware is present before you set up zerotier.
> >> 3. No network connections are ever used other than zerotier.
> >>
> >> If you mean safe to mean that nothing bad happens to the user's system
> >> that wouldn't have happened if they used their own internet connection,
> >> there is no real harm in using yours, assuming you don't leak your own
> >> malware onto their system.
> >
> > As Rich alludes to, if through Zerotier the user can only connect to your
> > webserver and no connections of the user are forwarded (through your
> > Zerotier LAN, or your webserver) to the Internet, the XSS kind of
> > threats will be contained.
> >
> > However, as I understand it Zerotier provides a split tunnel
> > arrangement. The user will be able to use their browser to connect
> > through Zerotier to your LAN, while through another window on the same
> > browser they will be able to connect to the Internet using their own
> > network.
>
> That, and after they disconnect from zerotier the malware that has
> been logging everything can go ahead and phone home to report in
> without going through whatever protections you'd have on your own
> network for outbound connections.

To cover most eventualities, big corporates I know use:

a) Company-issued laptops, which are completely locked down in terms of
applications and settings and connect to the corporate LAN via VPN with client
SSL certificate authentication.

b) For BYODs, virtualised Citrix XenDesktop, totally controlled by the
corporate sysadmins, with DPI and web filtering at the corporate firewall for
outgoing connections. Connections to Facebook, Twitter, prawn, etc. are
blocked.

Both of the above are provided as work tools and the users understand that
restrictions are part of their employment contract and that on company time they
are not meant to spend their mornings organising junior's birthday party on
Facebook.

I don't know to what extent your users can be trusted and relied upon to
follow good working practices. A full VPN tunnel to the corporate LAN, plus up
to date antivirus products if they are using MS Windows, and up to date Linux
PCs should protect from most attack vectors. Alternatively, locked-down
Chromebooks, as Rich has already suggested, and regular backups should
hopefully protect your corporate data from irretrievable damage.

--
Regards,
Mick
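The distinction the thread turns on, split tunnel versus full tunnel, is visible in the client's routing table: with a split tunnel only the overlay subnet is routed through the tunnel interface and the laptop's own default route stays in place, so everything else (including anything malware sends out) bypasses whatever outbound filtering sits behind the VPN. The following is an added example, not code from the thread, from ZeroTier or from any of the posters: a small Python check that parses Linux `ip -4 route show` output and classifies a table as full-tunnel, split-tunnel or no tunnel for a given interface. It goes slightly beyond the thread by also recognising the "0.0.0.0/1 plus 128.0.0.0/1" form of full tunnel (the way OpenVPN's `redirect-gateway def1` overrides the default route without deleting it) and two default routes distinguished by metric. Interface names (zt0, tun0, wlan0), the probe addresses and the sample routing tables are all constructed for illustration.

```python
"""Classify a Linux IPv4 routing table as full-tunnel, split-tunnel or no tunnel.

Added example for the thread above, not code from the thread or from ZeroTier.
Assumes iproute2 `ip -4 route show` output; interface names (zt0, tun0, wlan0)
and the routing tables below are constructed for illustration.
"""
import ipaddress
import re
import subprocess

# One route per line, e.g. "default via 192.168.1.1 dev wlan0 proto dhcp metric 600"
ROUTE_RE = re.compile(
    r"^(?P<dst>default|\d+\.\d+\.\d+\.\d+(?:/\d+)?)"
    r"(?:\s+via\s+(?P<via>\d+\.\d+\.\d+\.\d+))?"
    r"\s+dev\s+(?P<dev>\S+)"
    r"(?:.*?\bmetric\s+(?P<metric>\d+))?"
)

# Probe addresses, one in each half of the IPv4 space, so that the
# "0.0.0.0/1 + 128.0.0.0/1" override (OpenVPN's redirect-gateway def1) is
# recognised as a full tunnel too. Both come from shared/documentation ranges.
PROBES = (ipaddress.ip_address("100.64.0.1"), ipaddress.ip_address("198.51.100.1"))


def parse_routes(text):
    """Parse `ip -4 route show` output into (network, dev, metric) tuples."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # e.g. "unreachable"/"blackhole" entries: not egress routes
        dst = m.group("dst")
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        metric = int(m.group("metric") or 0)
        routes.append((net, m.group("dev"), metric))
    return routes


def egress_dev(routes, addr):
    """Interface the kernel would pick for addr: longest prefix, then lowest metric."""
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]


def tunnel_mode(routes, tunnel_dev):
    """Return "full", "split" or "none" for the given tunnel interface."""
    egress = {egress_dev(routes, p) for p in PROBES}
    if egress == {tunnel_dev}:
        return "full"   # arbitrary Internet destinations leave via the tunnel
    if any(dev == tunnel_dev for _, dev, _ in routes):
        return "split"  # only specific prefixes use the tunnel; default route is local
    return "none"


# Constructed sample tables (not captured from any real host).
SPLIT_TABLE = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.147.17.0/24 dev zt0 proto kernel scope link src 10.147.17.23
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
"""

FULL_TABLE_DEF1 = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
203.0.113.5 via 192.168.1.1 dev wlan0
"""

FULL_TABLE_METRIC = """\
default via 10.8.0.1 dev tun0 metric 50
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
"""


def check_live(tunnel_dev):
    """Classify the routing table of the host this runs on (Linux with iproute2)."""
    out = subprocess.run(["ip", "-4", "route", "show"],
                         capture_output=True, text=True, check=True).stdout
    return tunnel_mode(parse_routes(out), tunnel_dev)


if __name__ == "__main__":
    print("split sample: ", tunnel_mode(parse_routes(SPLIT_TABLE), "zt0"))         # split
    print("def1 sample:  ", tunnel_mode(parse_routes(FULL_TABLE_DEF1), "tun0"))    # full
    print("metric sample:", tunnel_mode(parse_routes(FULL_TABLE_METRIC), "tun0"))  # full
```

Note that the host route to the VPN server (203.0.113.5 via wlan0 in the def1 sample) is expected in a full tunnel and does not change the verdict, because the probes test arbitrary Internet destinations rather than the tunnel endpoint itself. The check only describes the client's routing; it says nothing about what happens once the tunnel is torn down, which is Rich's point above.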