Re: Re:Predictive failures

"Don Y" <blockedofcourse@foo.invalid> wrote in message
news:uvnqg7$1f0pl$1@dont-email.me...

On 4/16/2024 10:39 PM, Edward Rawde wrote:

"Don Y" <blockedofcourse@foo.invalid> wrote in message
news:uvnlr6$1e3fi$1@dont-email.me...

On 4/16/2024 9:21 PM, Edward Rawde wrote:

The internal network isn't routed.  So, the only machines to worry
about
are
this one (used only for email/news/web) and a laptop that is only used
for ecommerce.

>
My LAN is more like a small/medium size business with all workstations,
servers and devices behind a firewall and able to communicate both with
each
other and online as necessary.

>
I have 72 drops in the office and 240 throughout the rest of the house
(though the vast majority of those are for dedicated "appliances")...
about 2.5 miles of CAT5.

>
Must be a big house.

>
The office is ~150 sq ft.  Three sets of dual workstations each sharing a
set of monitors and a tablet (for music) -- 7 drops for each such set.
Eight drops for my "prototyping platform".  Twelve UPSs.  Four scanners
(two B size, one A-size w/ADF and a film scanner).  An SB2000 and Voyager
(for cross development testing; I'm discarding a T5220 tomorrow).
Four "toy" NASs (for sharing files between myself and SWMBO, documents
dropped by the scanners, etc.).  Four 12-bay NASs, two 16 bay.  Four
8-bay ESXi servers.  Two 1U servers.  Two 2U servers.  My DBMS server.
A "general services" appliance (DNS, NTP, PXE, FTP, TFTP, font, etc.
services).  Three media front ends.  One media tank.  Two 12 bay
(and one 24 bay) iSCSI SAN devices.
....
>

I have an out-facing server that operates in stealth mode and won't
appear
on probes (only used to source my work to colleagues).  The goal is
not
to
look "interesting".

>
Not sure what you mean by that.
Given what gets thrown at my firewall I think you could maybe look more
interesting than you think.

>
Nothing on my side "answers" connection attempts.  To the rest of the
world,
it looks like a cable dangling in air...

>
You could ping me if you knew my IP address.

>
You can't see me, at all.  You have to know the right sequence of packets
(connection attempts) to throw at me before I will "wake up" and respond
to the *final*/correct one.  And, while doing so, will continue to
ignore *other* attempts to contact me.  So, even if you could see that
I had started to respond, you couldn't "get my attention".

I've never bothered with port knocking.
Those of us with inbound connectable web servers, database servers, email
servers etc have to be connectable by more conventional means.

....

>
I wouldn't bother. I'd just not connect it to wifi or wired if I
thought
there was a risk.

>
What I mean by that is I'd clean it without it being connected.
The Avira boot CD used to be useful but I forget how many years ago.

>
If you were to unplug any of the above mentioned ("house") drops,
you'd find nothing at the other end.  Each physical link is an
encrypted tunnel that similarly "hides" until (and unless) properly
tickled.  As a result, eavesdropping on the connection doesn't
"give" you anything (because it's immune from replay attacks and
it's content is opaque to you)

I'm surprised you get anything done with all the tickle processes you must
need before anything works.

>

So, you'd have to *police* all such connections.  What do you do with
hundreds
of drops on a factory floor?  Or, scattered throughout a business?  Can
you prevent any "foreign" devices from being connected -- even if IN
PLACE
OF
a legitimate device?  (after all, it is a trivial matter to unplug a
network
cable from one "approved" PC and plug it into a "foreign import")

>
Devices on a LAN should be secure just like Internet facing devices.

>
They should be secure from the threats they are LIKELY TO FACE.
If the only access to my devices is by gaining physical entry
to the premises, then why waste CPU cycles and man-hours protecting
against a threat that can't manifest?  Each box has a password...
pasted on the outer skin of the box (for any intruder to read).

Sounds like you are the the only user of your devices.
Consider a small business.
Here you want a minimum of either two LANs or VLANs so that guest access to
wireless can't connect to your own LAN devices.
Your own LAN should have devices which are patched and have proper
identification so that even if you do get a compromised device on your own
LAN it's not likely to spread to other devices.
You might also want a firewall which is monitored remotely by somone who
knows how to spot anything unusual.
I have much written in python which tells me whether I want a closer look at
the firewall log or not.

>
Do I *care* about the latest MS release?  (ANS:  No)
Do I care about the security patches for it?  (No)
Can I still do MY work with MY tools?  (Yes)

But only for your situation.
If I advised a small business to run like that they'd get someone else to do
it.

>
I have to activate an iPhone, tonight.  So, drag out a laptop
(I have 7 of them), install the latest iTunes.  Do the required
song and dance to get the phone running.  Wipe the laptop's
disk and reinstall the image that was present, there, minutes
earlier (so, I don't care WHICH laptop I use!)

You'll have to excuse me for laughing at that.
Cybersecurity is certainly a very interesting subject, and thanks for the
discussion.
If I open one of the wordy cybersecurity books I have (pdf) at a random page
I get this.
"Once the attacker has gained access to a system, they will want to gain
administrator-level access to the current resource, as well as additional
resources on the network."
Well duh. You mean like once the bank robber has gained access to the bank
they will want to find out where the money is?

>