zlacker

[parent] [thread] 6 comments
1. mjg59+(OP)[view] [source] 2022-01-27 21:19:54
It's not clear to me that a VPN endpoint is a meaningfully smaller attack surface than an authenticating proxy? The VPN approach has a couple of downsides:

* You don't have a central location to perform more granular access control. Per-service context aware access restrictions (device state, host location, that sort of thing) need to be punted down to the services rather than being centrally managed.

* Device state validation is either a one-shot event or, again, needs to be incorporated into the services rather than just living in one place.

I love Wireguard and there's a whole bunch of problems it solves, but I really don't see a need for a VPN for access to most corporate resources.

replies(1): >>tptace+T
2. tptace+T[view] [source] 2022-01-27 21:24:01
>>mjg59+(OP)
Sure: an authenticating proxy serves the same purpose. I agree that unless you have a pretty clever VPN configuration, you're losing the device context stuff, which matters a lot in some places.

I'd do:

* SSO integration on all internal apps.

* An authenticating proxy if the org that owned it was sharp and had total institutional buy-in both from developers and from ops.

* A WireGuard VPN otherwise.

replies(2): >>mjg59+b3 >>xyzzy_+VW
◧◩
3. mjg59+b3[view] [source] [discussion] 2022-01-27 21:34:58
>>tptace+T
If you have the institutional buy-in to handle auth being done at the proxy level, that gets you away from having to implement SSO per service. I agree that doing this well isn't trivial, but in the long term there's a reasonably compelling argument that it makes life easier for both developers and ops.
◧◩
4. xyzzy_+VW[view] [source] [discussion] 2022-01-28 03:51:25
>>tptace+T
> * SSO integration on all internal apps.

> * An authenticating proxy

I'm having trouble understanding what the fundamental difference is between these. Is it just a matter of a single, centralized proxy at the perimeter of your service network versus in-service SSO? Is there a functional difference between being in the same process space versus a sidecar on the same host versus a service on another host?

Ultimately it boils down to trusting the authority, whether that's a function (code review), a shared library (BOM), an RPC (TLS), a sidecar (kernel), or a foreign service (mTLS). There are different strengths and weaknesses for each of these, but it's not clear to me that the options you would prefer are distinctly more or less secure -- maybe there is an argument for defense in depth, but I'm not certain that's what you're pitching.

replies(1): >>mjg59+Dc1
◧◩◪
5. mjg59+Dc1[view] [source] [discussion] 2022-01-28 07:01:27
>>xyzzy_+VW
Most SSO solutions don't verify device identity or state, so you're not ensuring that the connection is coming from a computer you trust running software you trust.
replies(1): >>xyzzy_+Mn1
◧◩◪◨
6. xyzzy_+Mn1[view] [source] [discussion] 2022-01-28 08:42:11
>>mjg59+Dc1
I guess it's a matter of what the IdP attests. It's definitely possible for an IdP like Okta to include a ton of client details as part of the attestation payload. Stuff like GeoIP, client certificate fields, MDM status, etc.
replies(1): >>tptace+Pl2
◧◩◪◨⬒
7. tptace+Pl2[view] [source] [discussion] 2022-01-28 15:36:46
>>xyzzy_+Mn1
Right, but you have to individually set up all of your apps to work with it; the proxy can be mandatory for all apps by dint of network controls.
[go to top]