This is a network defense design scheme question.

In a scenario where your organization is designing multi-layered firewall deployment and management, how granular  do you create rules at each of these three layers?

Example site is a main/HQ site that also houses your data center (basic 3 tier model).

1. Site has your main internet gateway and VPN termination point. As am example, it's a Cisco or other ZBF. It has four zones: (1) Internet, (2) VPNs from other sites/clients, (3) your corporate LAN including data center, (4) Guest/untrusted/Iot.

2. Between your gateway and the rest of your corporate network/datacenter, you have transparent proxy firewall/IPS/monitor. It's bridging traffic between gateway and data center.

3. Within data center, hosts have software host based firewalls, all centrally managed by management product.

Questions:

• How granular do you make ZBF policies at gateway? Limit it to broad zones, subnets, etc? Get granular by source/destination? Further granular by source/destination/port?

• How granular do you make rules for transparent proxies between segments? Src/dst? Src/dst/port?

• How granular do you make rules for host based firewalls? Src/dst? Src/dst/port? Src/dst/port/application/executable?

• How have organizations you've worked for implemented these strategies?

• Were they manageable vs effective?

• Did the organization detect/prevent lateral movement if any unauthorized access happened?

• What would you change about your organization's firewall related designs?

What sources of technical controls does your organization use?

Do you base device/operating system configurations on:

• CIS workbench?
• NIST/STIG?
• Microsoft best practice?
• Google searches and 'that looks good'?

How closely rigorously does your organization enforce change management for policies or settings?

• Can you change GPOs/Linux/Network device settings as needed?
• During maintenance window?
• After a group meeting with code/change review and some sort of approval authority?

Does anyone fully implement workstation and server logon restrictions, and priviledged access workstations (PAW) as prescribed by NIST/STIG/CIS?

The URL is Microsoft's long description of the same concepts.

Specifically from the above, there's a few things like:

• Establishing asset/systems tiers (domain controllers or entire org compromise tier 0, moving towards less consequence in the event of system compromise)
• Accounts with the Active Directory Domain Admins or equivalent are supposed to be blocked from logging into lower tier assets
• Workstations that have access to log into these super sensitive assets like Domain controllers for management are considered PAWs, and are blocked from internet access, highly locked down, might have extra hoops or management plane assets are air gapped?

Question:

Does anyone actually do any of this at their organization?

If so, to what degree?

People hated red forest because it was a whole other set of infrastructure to baby sit.

People hate air gapped systems because no remote access or work from home.

The above doesn't work well with cloud, and as a result Microsoft (just as an example) pushed for the new hybrid PIM models replacing their old red forest concept.

I'm just curious.

I don't even know where to begin with some of the quotes in this article, good or bad.

The topic of politics can be aggausting, but I wonder if there isn't merit to this idea?

If we'll have republican local reps regardless based on trends, should people jump party and vote for more moderate candidates, if any exist?

Even if you know your candidate isn't likely to win, do you vote them on principle to vote metrics and data, or do you vote for the lesser evil opponent, even if you feel dirty for it?

I'm not taking or endorsing a side or suggesting anyone should, just curious. Pretend it's the opposite parties than Indiana if it helps thinking through it.

My reason for posting this question is to get some perspective, since I don't live further west than Indiana.

Indiana has a lot of conservative tendencies, usually opposes progressive policies, and a little old school bigotry in the form of religion based disagreement with people's life styles, like letter community.

From an outsiders perspective, TX, OK, MO etc are even more extreme.

This permalink above from a comment from a person referencing recently proposed legislation against letter community people specifically, though there's tons of examples of bigotry like the school principal getting sued for discrimination due to a kid's hair (black hair).

We know Lemmy is a bit more populated with left than right thinkers, but regardless, what's going on in these western plains states? Is it as bad as it looks?

Do you personally know some sweet old church ladies who 'hate the gays because they'll going to hell' or are there just more extreme law makers being elected that don't represent the majority?

EDIT: tried to fix link to a conversation instead of a login page.

This is not an ad.

Does anyone have experience with Tenable products?

I'm interested in real world experience regarding:

• cost
• effectiveness
• ease of use

I'm playing with Tenable Security Center and Nessus Scanner. I'm early in the deployment, just looking for pointers and whether anyone has used it?

What alternatives is your org using if not?

Can you compare?

Edit, if anyone is interested, I can post results and opinions here also.

INDIANAPOLIS – Angry reaction from community leaders continue to pour in after a controversial punishment was handed down to the man who was convicted of killing Indianapolis Metropolitan Police Department officer Breann Leath.

Dorsey was sentenced on Thursday to 25 years in prison after he was found guilty but mentally ill on the following charges:

One count of reckless homicide Three counts of criminal recklessness committed with a deadly weapon One count of attempted murder One count of criminal confinement Dorsey was not convicted of murder by the jury. That charge was reduced to the lesser reckless homicide charge.

...

Snyder, who is the president of the Indianapolis FOP, said during a Friday afternoon news conference that residents of Indianapolis, as well as Indiana residents and those throughout the country, saw a “miscarriage of justice” through Stoner’s sentencing.

In response, Snyder said the maximum sentence of 63 years should have been implemented for Dorsey in this case, which Snyder called an attempt of “cold blooded murder.”

...

“As mayor and as a father, I’m shocked and disappointed in the decision that was handed down yesterday,” said Indianapolis Mayor Joe Hogsett.

INDIANAPOLIS — A traffic stop ended up leading investigators to a restaurant on Indy’s east side where police uncovered cocaine, methamphetamine, marijuana, fentanyl and enough firepower for a shootout.

William Collins, 45, was arrested by the Indianapolis Metropolitan Police Department on Monday for his role in the alleged drug trafficking. Collins also isn’t permitted to own a firearm due to being a convicted felon.

Police said Collins was arrested during a traffic stop after detectives witnessed a “hand-to-hand drug transaction” in a parking lot in the 3200 block of N. Emerson. During the traffic stop, police found a handgun in Collins’ possession.

The investigation eventually led police to 1313 Eatery, a chicken wing shop located at 5299 E. 38th Street. Detectives searched the business and seized approximately 600 grams of cocaine, five pounds of meth, one pound of marijuana and 70 grams of fentanyl pills.

Also found in the restaurant were three firearms, two of which were reported stolen, and nearly 900 rounds of live ammunition.

INDIANAPOLIS — Indiana State Police troopers made 120 traffic stops and cited a majority of those drivers for speeding during a two-hour ticket-writing blitz on the west side of Indianapolis Wednesday.

More than a dozen troopers, warned by lawmen with handheld laser speed detectors, pulled over drivers exceeding the 55-mile-per-hour limits on I-465 between 56th and 38th streets for two hours in the afternoon.

Sgt. John Perrine said troopers were stopping only drivers topping out at 75 MPH and above.

”We’re certainly not out here looking for the people who are minor speeding. We’re looking for the most egregious, most aggressive drivers who are really causing problems,” he said. ”We would like to lower that threshold but it’s really hard to go out and stop the people doing 10 over when we know a few seconds later there is somebody coming who is doing thirty over.”

Perrine said excessive speed is often to blame for road rage incidents.

”We have a group of drivers who want to drive slow in the left lane and say, ‘Hey, you’re not passing me. If I’m gonna drive the speed limit, you’re gonna drive the speed limit.’ And the other side of the selfish driver is, ‘I don’t care about anybody else. I’m gonna drive the way I want as fast as I want.’ We really need to get a handle on both of those.”

Perrine said troopers from across the state will be patrolling Indianapolis area interstates through the rest of this year engaging in occasional blitzes. ...

Why can't we go faster?

Why cant the speed limit of Indiana's 465 beltway be increased over 55 mph?

Copilot

The speed limit on I-465, despite most drivers exceeding it, remains at 55 mph due to Indiana state law. Specifically, because I-465 is considered to be within an urban area, its speed limit cannot exceed 55 mph. The Indiana Department of Transportation (INDOT) has the authority to lower the speed limit if an engineering study demonstrates that a lower speed is necessary for safety or traffic reasons1. So, even though many drivers find the current limit too low, it remains in place due to legal constraints.

Interestingly, the real-world data supports the notion that drivers consistently exceed the speed limit on I-465. For instance:

96.3% of vehicles recorded at one spot on the northwest side of I-465 were going over the speed limit. More than half of the vehicles were recorded at speeds exceeding 65 mph, which is more than 10 mph over the limit1. While there have been discussions about implementing variable speed limits on parts of I-465, the existing legal framework keeps the maximum speed at 55 mph2. So, despite the bustling traffic and the urge to go faster, the beltway remains a place where the Racing Capital of the World meets the 55 mph speed limit1! 🏎️🚗

southbendtribune.com indystar.com aaroads.com

Let's Play Date, Marry, Kill...with Roundabouts.

What are your thoughts as Indiana starts adopting these modern traffic control measures (Europe has been doing them since...forever)?

Most people I talk to either love or hate these intersections. For some reason, I can't find people who are indifferent to them very often.

According to the Carmel's city webpage: "Carmel is internationally known for its roundabout network. Since the late 1990’s Carmel has been building and replacing signalized intersections with roundabouts. Carmel now has more than 150 roundabouts, more than any other city in the United States."

"The number of injury accidents in Carmel have reduced by about 80 percent and the number of accidents overall by about 40 percent."

https://www.carmel.in.gov/government/departments-services/engineering/roundabouts#:~:text=Carmel%20is%20internationally%20known%20for,city%20in%20the%20United%20States.

General PROs / CONs

• Up to a 90 percent reduction in fatalities
• 76 percent reduction in injury crashes
• 30-40 percent reduction in pedestrian crashes
• Reduces the severity of crashes
• Keeps pedestrians safer
• Roundabouts reduce the number of potential accident points within an intersection, 75 percent fewer conflict points than four-way intersections
• No signal equipment to install and repair, savings estimated at an average of $5,000 per year in electricity and maintenance costs
• Service life of a roundabout is 25 years (vs. the 10-year service life of signal equipment)
• Reduces pollution and fuel use
• 30-50 percent increase in traffic capacity, improves traffic flow for intersections that handle a high number of left turns, reduces need for turn lanes
• While roundabouts can handle moderate to heavy traffic volumes more efficiently than traditional intersections, they may experience congestion and delays during periods of extremely high traffic volumes or if not designed properly for the anticipated traffic flow
• Pedestrians and cyclists may face challenges navigating roundabouts, particularly multi-lane roundabouts with higher traffic volumes. Proper design considerations, such as providing safe crossing points, adequate sight lines, and dedicated pedestrian/cyclist facilities, are crucial to ensure their safety.
• Drivers unfamiliar with roundabouts may initially experience confusion or hesitation when navigating them, potentially leading to increased risks or delays until they become accustomed to the traffic patterns.
• Roundabouts generally require a larger footprint and more land area

https://www.in.gov/indot/traffic-engineering/roundabouts/#:~:text=Up%20to%20a%2090%20percent,points%20than%20four%2Dway%20intersections (CONs came from general searching, LLM compilation)

Indianapolis and the surrounding suburbs are implementing them more frequently now, how about your city?

Did you know that traffic circles are different from roundabouts? PA has a little comparison chart that was interesting (If you're into that sort of thing): https://www.penndot.pa.gov/PennDOTWay/pages/Article.aspx?post=24

The actor, who just celebrated his 93rd birthday on March 22, shared his excitement about experiencing the once-in-a-lifetime event. When asked about what to expect from him during the celebration, he said “darkness” with laughter.

“The next one over Indiana will be like a hundred years from now," he said. "We’ll all be dead. I might not be, but you guys are going to be dead the next time. It’s an event, but when you ponder the mystery - if you ponder what’s taking place in the heavens - it’s gargantuan.”

...

William Shatner, known for his iconic role as Captain William T. Kirk in the classic television series "Star Trek," is headed to Bloomington to take part in Indiana University’s “Hoosier Cosmic Celebration.”

...

The pace of violations, recorded since the city restricted turns at 97 downtown intersections, amounts to an average of about seven tickets per month.

Two pedestrian advocates told Mirror Indy they would like to see more enforcement, but city officials said the number of tickets issued is only one metric — and not the most indicative of success when it comes to pedestrian safety measures.

“Their desired effect was not to increase (the) number of tickets issued by IMPD. It was to ensure the safety of pedestrians and bicyclists in the Mile Square,” Vop Osili, the Democratic president of Indianapolis City-County Council, said in an emailed statement to Mirror Indy.

...

The policy change followed a study from the Indianapolis Department of Public Works that looked at a five-year history of pedestrian-related crashes in the downtown area. It found that 57% of were the result of vehicles failing to yield to pedestrians at intersections with traffic signals.

Data also showed that downtown pedestrians were more than twice as likely to be involved in a crash compared to pedestrians in the rest of Marion County.

...

Freeman, who was a city-county councilor from 2010 to 2016, argued that the policy would “create confusion and congestion” and “won’t stop distracted, reckless or aggressive driving.”

INDIANAPOLIS — Senator and Indiana Gubernatorial candidate Mike Braun reportedly missed a spending package vote early Saturday morning.

Braun’s officials also reported that he had a seat on a 9:35 p.m. flight to Washington D.C. The team added that Braun decided to skip the flight and stay in Indiana because no votes were scheduled at the time.

I like this bean. It's smooth, and I usually like roasts with chocolate notes.

I'm also cheap. This is around .50 cents US per once.

Do you have a favorite bean that's medium/smooth, and also in the .50 range that can be ordered online?

My local roasters are all around a dollar per once and I haven't found anything that was so good, I couldn't go back to this for half the cost, so I do them as a special occasion.

Not sure if this was already posted.

The article describes the referenced court case, and the artist's views and intentions.

Personally, I both loved and hated the idea at first. The more I think about it, the more I find it valuable in some way.

Indiana just passed legislation to require schools to ban phones.

They permit them for health reasons, emergencies, when part of lesson, and when part of a formal plan.

I personally don't like the idea of schools requiring locking them up. What would you do in that emergency they mentioned?

Why should kids not be able to use them at lunch?

If you want to control your kid's phone time, there's already apps for that.

Edit: additional comment from a teacher: she said the phone restrictions aren't going to be as effective as one would think with all the kids having watches with data plans. Dude...

For anyone interested in compliance and hardening, here's some links to the DOD/US GOV standards for information systems. This information is available to the public.

Security Technical Implementation Guides (STIGs)

This is a document that has recommended settings, methods, etc to make a product the most secure it can reasonably be. STIGs break things or turn off features people might be accustomed to. You have to do testing and figure out how to either make something work with STIG settings applied, or do exceptions. These are similar to Internet Security (CIS) Benchmarks.

STIG Viewer

The STIG viewer is a Java app that basically makes the list into a checklist where you can track applying settings.

SCAP

Going farther with automation, Security Content Automation Protocol (SCAP) can be used to conduct automated checked against systems to determine compliance with a setting. Install the SCAP tool, load the automated checks into it, and then take the results from SCAP tool and import them into the STIG viewer. It will knock out anything that could be checked automatically. The remaining checks would be things that are manually checked.

Compare

Here's a good article that compares STIGs and CIS benchmarks: https://nira.com/stig-vs-cis/#:~:text=The%20Center%20for%20Internet%20Security%20offers%20a%20tool%20similar%20to,robust%20than%20the%20STIG%20tool.

Download STIGs for products: https://public.cyber.mil/stigs/downloads/

STIG Viewer: https://public.cyber.mil/stigs/srg-stig-tools/

Security Content Automation Protocol (SCAP) content: https://public.cyber.mil/stigs/scap/

https://public.cyber.mil/stigs/supplemental-automation-content/

For anyone who's interested in pen. testing, there's a business from MN that does a podcast where the host and business owner, Brian, talks about doing tests, tells stories, and is generally goofy.

Brian made a podcast intro song, kinda funny. He talks about testing successes, tips for security, personal things, and running the business. They do live streaming where they sometimes get into the weeds and teach some techniques.

(I am not affiliated with 7 Minute Security, just enjoy the podcast/learning)

Looks like Indiana is getting happy hour back.

Article says senators tried to kill carry out drink options.

Indiana allowed carry out drinks during COVID to help businesses during lockdown.

• Did you experience, or come across data that supports the claim that carry out will lead to increasing drunk driving?

• How do you feel about carry out?

• How do you feel about happy hour offerings and encouragement of more or just cheaper alcohol consumption?

For anyone who's interested in IDS, this is a product that's open source, with support.

It can be run as a single standalone, but it's meant to be run tiered, where you can deploy sensors doing packet capture, analysis, which gets sent to a central manager, and then can be retained in search nodes.

It's incredibly powerful, just have to be willing to learn how to tune it.

https://docs.securityonion.net/en/2.4/ https://blog.securityonion.net/

I am not affiliated with the product, just a user of it. I like it.