2022-04-14 18:30 from Nurb432
I can't give you details (and even if I could, I probably should not
say too much), but I guess CF offers some sort of service to
'secure' external-facing web apps. We are migrating one of our
largest. I guess once the switch is flipped you access it through
their 'stuff', which tunnels back to our internal network, I assume
via VPN.
Ya, pretty vague, but I'm not part of the teams involved, nor in
testing... BUT it seems like a bad plan to me.
Yes, I know the drill.
They have offers for small businesses in which they set themselves in front of your websites and services and act as the user-facing point, tunneling the connections of your users into your infrastructure. It is popular with medium-sized webmasters because they filter most bots, serve as DDoS mitigators, and make it very difficult for your users to know where your servers actually are. They also offer TLS acceleration, in which they offer a TLS-facing port to the users and then strip the connection and send you the cleartext, which SUCKS of them and makes them deserving of a horrible death.
IRC masters also use this sort of provider from time to time because they are a cushion against DDoS. If you have a popular network you either have a good network in which you can null-route attacks, or you hire somebody who does :(
compliance compliance compliance, don't let this become all I do
BLEEP BLOOP BLEEP I'm going CRAZY!!1
We are OK for DoS attacks and have enough stuff in place to mitigate that ourselves. This move is mostly for authentication reasons. This started when that Java log4j vulnerability came out. They yanked it off the outside that weekend, made it only available to the internal network, and: "we need to make this use SSO before we put it back online." "But we somehow have to support people without accounts too." Why a current product in 2022 can't support SSO natively, I don't understand. A mix of on/off network, well, that is hard to do safely. I will give them that. I assume the log4j problem was updated, dunno, I'm not in that group, and the security team, well, they are not forthcoming with information, even to people in their same org...
I guess there were around 10k employees that didn't have network accounts, as they don't need them. Complicating matters is the last-minute change to mandate on-network access only. Aside from other things, it's used for timekeeping, benefits, general HR stuff, including contractor access, as it also includes financial modules... So we will have a 'mix' of users. But from what I hear, they are going to move the 'public' access pieces to a 3rd-party system completely and will never go back on the SSO requirement.
Rumor too is that if this goes well, ALL internet-facing apps will have to use CF... Even if you already do SSO...
And I guess it's not a secret what we use, it's SAP's PeopleSoft... So not some fly-by-night thing that is 30 years old.
In the case of DNS you may also run an iterative server and access the
Root DNS services directly with no middle man.
I did this for a while, and I'll probably do it again. For added bonusfest, run your DNS server on a remote network and access that with a VPN so that your ISP and any nearby meddlers can't even see your lookups if they're monitoring the wire.
The only reason I stopped is because I wasn't comfortable with my whole household having an outage if my DNS failed. I did have it set up so that my DNS server's address was 1.1.1.1 and if it failed it would revoke the route and use Cloudflare, but the first time it actually failed the route didn't revoke, so I took it down.
I suppose I could just only put it on my own computer. My wife seldom makes lookups of any sites other than gmail.com, facebook.com etc. and my kids don't hang out in seedy neighborhoods either. I on the other hand am a person of interest.
In theory 1.1.1.1 is my secondary here, so if my pihole dies, it
should (should) go there instead.
I have not tested that theory, tho I guess it would not be hard. Just turn it off :)
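The "just turn it off" test above, and the route-revocation fallback IGnatius describes, both come down to one question: does the client actually move on to the next server when the first stops answering? The script below is an added example, not code from this thread or from Pi-hole. It builds a raw DNS A query, tries each configured server in order with a short timeout, and falls back to the next one. The transport is injectable, so the failover path runs offline with a "dead" primary: the Pi-hole address 192.168.1.2 and the answer 93.184.216.34 are assumed/constructed values, not anything from the post.

```python
"""Stub-resolver failover check (added example; not from the thread or Pi-hole)."""
import socket
import struct


def build_query(name: str, txid: int) -> bytes:
    """Wire-format DNS query for an A record: header, QNAME labels, QTYPE/QCLASS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        ln = buf[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:      # compression pointer: two bytes, then done
            return off + 2
        off += 1 + ln


def parse_a_records(resp: bytes, txid: int) -> list:
    """Return the IPv4 addresses in the answer section; raise on errors worth failing over."""
    rid, flags, qd, an, _, _ = struct.unpack_from(">HHHHHH", resp, 0)
    if rid != txid:
        raise ValueError("transaction id mismatch (reply for another query, or spoofed)")
    rcode = flags & 0xF
    if rcode == 3:                 # NXDOMAIN is a real answer: do not try the next server
        return []
    if rcode != 0:                 # SERVFAIL/REFUSED etc.: treat as a failed server
        raise ValueError(f"server returned rcode {rcode}")
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4          # skip QNAME, QTYPE, QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from(">HHIH", resp, off)
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def udp_send(server: str, payload: bytes, timeout: float) -> bytes:
    """Real transport: one UDP datagram to port 53, bounded by `timeout` seconds."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(payload, (server, 53))
        return s.recv(4096)


def resolve_with_failover(name, servers, transport=udp_send, timeout=2.0, txid=0x1234):
    """Try servers in order; return (server_that_answered, addresses) or raise if all fail."""
    query = build_query(name, txid)
    errors = []
    for server in servers:
        try:
            return server, parse_a_records(transport(server, query, timeout), txid)
        except (OSError, ValueError) as exc:     # socket.timeout is an OSError subclass
            errors.append((server, repr(exc)))
    raise RuntimeError(f"all servers failed: {errors}")


def build_answer(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed reply: same id, echoed question, one A record pointing back at QNAME."""
    txid = struct.unpack_from(">H", query, 0)[0]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR|RD|RA, 1 question, 1 answer
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + query[12:] + rr


def simulated_transport(dead_primary="192.168.1.2", secondary="1.1.1.1"):
    """Offline stand-in for udp_send: the primary never answers, the secondary replies."""
    def send(server, payload, timeout):
        if server == dead_primary:
            raise socket.timeout(f"{server} did not answer within {timeout}s")
        if server == secondary:
            return build_answer(payload, "93.184.216.34")   # constructed address
        raise OSError(f"no route to {server}")
    return send


def demo():
    # 192.168.1.2 is an assumed Pi-hole address; 1.1.1.1 is the secondary from the post.
    return resolve_with_failover("example.com", ["192.168.1.2", "1.1.1.1"],
                                 transport=simulated_transport())


if __name__ == "__main__":
    print(demo())
```

Two caveats that the script makes visible. First, failover only happens on a timeout or an error code; an answer of 0.0.0.0 for a blocked name is a perfectly valid reply, so a Pi-hole that is up but filtering never hands the query to the secondary. Second, a real OS stub resolver waits out its own timeout on the primary before every fallback, so "it goes to 1.1.1.1 instead" also means "every lookup is slow until the Pi-hole is back", which is worth checking with the actual resolver rather than assuming.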
The chinese army is watching over you to protect you.
I picked up this camera for fun... you know, for experiments. It's battery powered, for $29.
It uses CloudEdge software (Chinese army) and syncs up with the camera really fast.
Here is what you provide:
email address, GPS location of your camera (house), wifi network and password.
The camera detects events and stores images on an SD card, but notifications come through the app, not your email.
So, I'm pondering how this system sends me alerts with images and video clips when I'm 50 miles from home (which it does through the app).
Maybe there is a VPN established between a Chinese server and the app, and the camera posts the events.
No other network settings were needed when pairing the camera with the app.
https://www.amazon.com/dp/B08L3RBF6P
It wanted the email to send a confirmation. The account on their system is also my email account (different password specific to CloudEdge).
The system works pretty well. It gets whiney about the 50% wifi signal and sends me messages to fix it. So far no Reds out front surveilling me, unless you count the local cops.
Daughter was in and out all day, the battery dropped to 96%. At that rate I'll recharge in 25 days.
It seems the WYSE system might be better; it has a wireless base station that hard-wires into your network. Not sure how its wireless signal is set up or if it has a local hard drive. I'll have to look into it a bit more.
2022-06-05 19:05 from IGnatius T Foobar
In the case of DNS you may also run an iterative server and access
the Root DNS services directly with no middle man.
I did this for a while, and I'll probably do it again. For added
bonusfest, run your DNS server on a remote network and access that with
a VPN so that your ISP and any nearby meddlers can't even see your
lookups if they're monitoring the wire.
The only reason I stopped is because I wasn't comfortable with my
whole household having an outage if my DNS failed. I did have it set
up so that my DNS server's address was 1.1.1.1 and if it failed it
would revoke the route and use Cloudflare, but the first time it
actually failed the route didn't revoke, so I took it down.
I suppose I could just only put it on my own computer. My wife seldom
makes lookups of any sites other than gmail.com, facebook.com etc. and
my kids don't hang out in seedy neighborhoods either. I on the other
hand am a person of interest.
You disappoint me. As a real datacenter architect you should be using CARP or relayd or HAproxy or whatever and use your second DNS cluster as a failover in case the first one bites the dust XD
2022-06-05 19:08 from Nurb432
In theory 1.1.1.1 is my secondary here, so if my pihole dies, it
should (should) go there instead.
I have not tested that theory, tho I guess it would not be hard.
Just turn it off :)
In my networks I prefer to set local DNS servers and have things break if they all go down rather than switch to external DNS. It is not like keeping good DNS uptime is hard for small networks.
I guess they are starting to roll out a 'service' on Windows boxes that only lets you run whitelisted executables... And it's a long, painful process to get one approved that isn't what they consider 'stock'. And I guess they are going to pull admin rights on the desktops too. It *has* to go through this new thing.
I bet I lose access to Fossil RCS.
Aside from the chaos this will cause, their scanning crap takes 30% CPU ALL DAY LONG (if you are lucky... sometimes it's more, and sometimes it eats SSDs...)
In our shop they will just ignore you. They are the worst team of people I have ever seen. They ignore everything asked of them, even requests for info on break-ins by our customers... crickets. "We don't have to tell you what happened, or even that it did, now go away." They even make secret changes to systems and don't run it through the CMR process... A few times it's broken things. "Oh, we rolled back the change." "What change? WTF?"
Hell, I have had a ticket in for nearly a week now; I lost Ethernet last week... Figured they blacklisted me again. Not even looked at the ticket.
(Today it started working again... but I haven't told them this... I want to see how long it takes them to get back with me.)
You disappoint me. As a real datacenter architect you should be using CARP or relayd or HAproxy or whatever and use your second DNS cluster as a failover in case the first one bites the dust XD
I am among the best of them. But as is so often the case with high level IT people, eventually you get to the point where you just don't want to spend a lot of time being a system administrator at home. The time I'd have to spend putting together a world-class access network just to serve a family of four just isn't worth the time, the money, or the aggravation. When I'm not at work I'd rather be spending the time with the family, not fixing their computer problems.
Besides, what's the point of locking it all down when my wife is on Facebook and my son is all over YouTube and my daughter is who-knows-where collecting the dankest memes of the day?
To make things easy and secure for me, I've moved the security perimeter downstream. My main computer treats the home LAN as an untrusted network. It has its own access controls and it runs its own DNS server (straight to the root servers, no forwarders). And finally, I don't need a "home lab" because I have a development region in my data center.
All together, it lets me spend more time in the swimming pool and less time maintaining address pools.
I did notice yesterday that Pi-hole is blocking access to the DHT... Magnets won't ever return anything, unless I swap out my DNS. (My external VPN provider swaps in their own DNS on the fly.)
Must be a rule in there somewhere. But not sure I want to bother finding it since I don't run a DHT search bot anymore.
I reached that point a long time ago. (Burnout induced.)
It usually is, and often it comes on very suddenly, even for people who were previously loving the complexity of their "home data center".
For me it was one late night in 2011 when I ran some update or another and a bunch of stuff broke. And then my patience ran out all at once. I deleted Asterisk and went through the house replacing IP phones with regular ones. I deleted the iptables script on my main server and switched to the firewall built into my home router. I deleted all of the complex X-10 integration and only used the remotes.
That's another thing. Smart homes are for chumps. Just turn the damn light on if you want it on.
It was more than that for me. I'm an EE by schooling, and electronics in general was a hobby. It was fun.
Somewhere around 25 years ago, after I hit the wall, I realized that making your hobby your job was a farce. No, it's not "you will never work a day in your life again." It was "you will lose your hobby and hate every minute of work."
Sure, I'll do what is needed, but it's not fun anymore. None of it.
The first sign was the "great purge" of all my retro stuff. Then came some 40 years of books and magazines heading out the door...
Tried so many times to get interested again, it just doesn't happen and I end up with a dust collector. It's one reason I got rid of mostly everything. Funny, this week I just asked the guy I gave all my "components" to (and scope, breadboards, bla bla) if I could borrow a 1.5k resistor. Need to test a sensor on the Jeep. Never dreamed I'd say those words, "borrow a resistor"...
On occasion I've received comments about "working" when I should be relaxing.
But all of those times it was just when I brought a laptop along on a trip or something and was tinkering on my own stuff. Because sometimes playing looks exactly like working to someone who doesn't recognize either.