[HamWAN PSDR] We need to design secure control access
Bart Kus
me at bartk.us
Wed Feb 8 04:08:56 PST 2023
Your background sounds like you'd make meaningful contributions, so I'd
encourage you to consider participating in read-write mode, not just
read-only.
We got hit by this a few days ago on several HVs:
https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/
I'll avoid getting into the technical weeds question, to keep this
thread focused on working group formation.
--Bart
On 2/8/2023 3:55 AM, Jamie Owens wrote:
> What/when was the most recent breach?
>
> The hypervisors are accessible publicly? Why no VPN/VPC?
>
> I've been in admin/networking/devops world since 2000 and am currently
> attending to get my BS in CIS/Cyber Security... so if nothing more,
> I'd like to tag along and learn more about this real-world scenario
> from, I'm sure, way more experienced users.
>
> On Wed, Feb 8, 2023, 3:34 AM Bart Kus <me at bartk.us> wrote:
>
> All of the network's control points are on public non-firewalled IPs.
> This is the worst security. It was done this way for the sake of
> simplicity. Our netops volunteers had to get up to speed with
> unfamiliar concepts like routing, funky netmasks, dynamic routing
> protocols, policy routing, VRRP, firewalls, MTUs, MSS control, IPsec,
> etc. We reaped the rewards of KISS from broader volunteer engagement,
> but lately we've been paying too heavy of a price for the awful
> security this simplicity creates. In the most recent breach we've lost
> important source code that will now need to be re-created. We escaped
> total disaster by the thinnest of margins, as one critical hypervisor
> just happened to be patched to 1 version higher than exploitable. This
> simplicity is not a good tradeoff anymore, so the time has come to
> introduce more complexity to the network to protect all control
> points.
>
> This is not a simple problem, since there are many fragility vs
> security tradeoffs, as well as complexity cost concerns. If you have
> experience or thoughts around this area, and can commit to a few weeks
> of design and implementation work on this project, please indicate
> your interest. We'll assemble a small working group in the next few
> days and start discussions. I expect the working format will involve
> some virtual meetings, since email is not high bandwidth enough to
> hash out everything quickly.
>
> Here's hoping we don't make it worse,
>
> --Bart
>
> _______________________________________________
> PSDR mailing list
> PSDR at hamwan.org
> http://mail.hamwan.net/mailman/listinfo/psdr