[GRLUG] FF 33 & SSL

Michael Mol mikemol at gmail.com
Wed Nov 5 17:57:20 EST 2014


On Wed, Nov 5, 2014 at 4:00 PM, Tim Schmidt <timschmidt at gmail.com> wrote:
> Hell, thanks to websockets, any machine running a web browser behind
> the firewall is a potential vector for 'interesting' activity.  Looks
> like a lot of work has gone into confining them to port 80, etc, but
> there are several vulnerable releases of popular browsers on multiple
> platforms.  :-/

There are practical (budgetary, be it in equipment, personnel or time)
reasons why you can only go so far in protecting a network.

And I don't know about your setups, but my intranet servers are only
accessible over isolated management VLANs accessed by way of VPNs,
with servers further isolated from each other. I.e. there's no
routable path that might allow a web server or phone server to access
a VM host or an iLO, and there are a couple servers that have their
own dedicated VLANs with external firewalls controlling ingress and
egress, since I don't trust them much at all.

No machine that isn't virtually dedicated to management roles can
access management interfaces.

Even then, I'd be OK with a proxy solution like I described. In
theory, nothing can see the packets that shouldn't be able to, and if
there's legacy stuff that's just darn difficult to clean up (say, an
ancient EOL appliance), it would be one solution I'd look at. (I'd
rather just get rid of the appliance, though...)

-- 
:wq
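An added check, not from the original thread, that models the "no routable path" property described above as a graph of VLANs and firewall allow-rules and reports any transitive path from an untrusted zone into a management zone. VLAN names and the rule set are constructed assumptions for illustration.

```python
from collections import deque

# Constructed model: VLANs are nodes, firewall allow-rules are directed
# edges (src_vlan -> dst_vlan). Names are assumptions, not anyone's real config.
ALLOW_RULES = {
    ("vpn", "mgmt"),      # management VLAN reachable only through the VPN
    ("mgmt", "ilo"),      # from mgmt, admins reach out-of-band (iLO) interfaces
    ("mgmt", "vmhost"),   # ... and VM hosts
    ("web", "edge"),      # application VLANs only talk to the edge firewall
    ("phone", "edge"),
    ("edge", "web"),
    ("edge", "phone"),
}

MGMT_ZONES = {"mgmt", "ilo", "vmhost"}
UNTRUSTED_ZONES = {"web", "phone", "edge"}


def reachable(rules, start):
    """Return every VLAN transitively reachable from `start` via allow-rules."""
    adj = {}
    for src, dst in rules:
        adj.setdefault(src, set()).add(dst)
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def segmentation_violations(rules, untrusted, mgmt):
    """Sorted (untrusted_vlan, mgmt_vlan) pairs joined by a routable path."""
    return sorted((u, m) for u in untrusted for m in reachable(rules, u) & mgmt)


if __name__ == "__main__":
    # Isolated design: no violations.
    print(segmentation_violations(ALLOW_RULES, UNTRUSTED_ZONES, MGMT_ZONES))
    # One "temporary" rule for a legacy box exposes mgmt, iLO and the VM
    # hosts to every VLAN that can reach the web VLAN, not just to web itself.
    leaky = ALLOW_RULES | {("web", "mgmt")}
    print(segmentation_violations(leaky, UNTRUSTED_ZONES, MGMT_ZONES))
```

The second run shows why a single exception is rarely "just" one path: reachability is transitive, so the check is worth re-running after every rule change.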

