2022-04-14 18:30 from Nurb432
I can't give you details (and even if I could, I probably should not say too much), but I guess CF offers some sort of service to 'secure' external-facing web apps. We are migrating one of our largest. I guess once the switch is flipped you access it through their 'stuff', which tunnels back to our internal network, I assume. Yeah, pretty vague, but I'm not part of the teams involved, nor in testing... BUT it seems like a bad plan to me.
Yes, I know the drill.
They have offers for small businesses in which they set themselves in front of your websites and services and act as the user-facing point, tunneling the connections of your users into your infrastructure. It is popular with medium-sized webmasters because they filter most bots, serve as DDoS mitigators, and make it very difficult for your users to know where your servers actually are. They also offer TLS acceleration, in which they offer a TLS-facing port to the users and then strip the connection and send you the cleartext, which SUCKS from them and makes them deserving of a horrible death.
IRC Masters also use this sort of provider from time to time because they are a cushion against DDoS. If you have a popular network you either have a good network in which you can null-route attacks or you hire somebody who does :(
compliance compliance compliance, don't let this become all I do
BLEEP BLOOP BLEEP I'm going CRAZY!!1
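One origin-side consequence of the setup described above (users tunneled through the provider, origin meant to stay hidden) is that the origin must only accept connections from the provider's own ranges and must only trust forwarded-client headers on those connections. The following is an added example, not code from any poster or provider; the proxy ranges are constructed placeholders and the header name is the generic X-Forwarded-For.

```python
import ipaddress
from typing import Optional

# Constructed placeholder ranges standing in for the front-end provider's
# egress networks. A real deployment uses the provider's published list.
TRUSTED_PROXIES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]


def is_trusted_proxy(remote_addr: str) -> bool:
    """True when the TCP peer is one of the front-end provider's addresses."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in TRUSTED_PROXIES)


def accept_connection(remote_addr: str) -> bool:
    """Origin firewall policy once the front-end is in place: anything that
    is not the proxy is a direct hit that bypassed its filtering, so refuse it.
    """
    return is_trusted_proxy(remote_addr)


def client_ip(remote_addr: str, forwarded_for: Optional[str]) -> str:
    """Address to log and rate-limit on.

    X-Forwarded-For is honoured only when the peer is the trusted proxy;
    from anyone else the header is client-controlled and is ignored.
    """
    if not forwarded_for or not is_trusted_proxy(remote_addr):
        return remote_addr
    # The proxy appends the peer it actually saw as the last element; earlier
    # entries may have been supplied by the client itself, so only the last
    # hop is trusted. A malformed value falls back to the peer address.
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    try:
        ipaddress.ip_address(hops[-1])
    except (ValueError, IndexError):
        return remote_addr
    return hops[-1]
```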
We are OK for DoS attacks and have enough stuff in place to mitigate that ourselves. This move is mostly for authentication reasons. This started when that Java log4j vulnerability came out. They yanked it off the outside that weekend and made it only available to the internal network, and "we need to make this use SSO before we put it back online", "but we somehow have to support people without accounts too". Why a current product in 2022 can't support SSO natively, I don't understand. A mix of on/off network, well, that is hard to do safely; I will give them that. I assume the log4j problem was updated, dunno, I'm not in that group, and the security team, well, they are not forthcoming with information, even to people in their same org...
I guess there were around 10k employees that didn't have network accounts, as they don't need them. Complicating matters was the last-minute change to mandate on-network access only. Aside from other things, it's used for timekeeping, benefits, general HR stuff, including contractor access, as it also includes financial modules... So we will have a 'mix' of users. But from what I hear, they are going to move the 'public' access pieces to a 3rd-party system completely and will never go back on the SSO requirement.
Rumor too is that if this goes well, ALL internet-facing apps will have to use CF... Even if you already do SSO...
And I guess it's not a secret what we use, it's SAP's PeopleSoft... So not some fly-by-night thing that is 30 years old.