On Sunday 24 Jan 2016 13:44:12 Rich Freeman wrote: > On Sun, Jan 24, 2016 at 1:36 PM, Mick <michaelkintz...@gmail.com> wrote: > > On Sunday 24 Jan 2016 11:40:04 Rich Freeman wrote: > >> On Sun, Jan 24, 2016 at 10:56 AM, Grant <emailgr...@gmail.com> wrote: > >> > So the user is safe if I send all internet requests from her remote > >> > laptop through the Zerotier connection (instead of only sending > >> > requests to my server through Zerotier)? > >> > >> It depends on what you mean by "safe." If you mean that there is no > >> possibility of malware stealing or messing with your data this is the > >> case if: > >> > >> As long as: > >> 1. You ensure that no malware enters through zerotier. > >> 2. No malware is present before you set up zerotier. > >> 3. No network connections are ever used other than zerotier. > >> > >> If you mean safe to mean that nothing bad happens to the user's system > >> that wouldn't have happened if they use their own internet connect, > >> there is no real harm in using yours, assuming you don't leak your own > >> malware onto their system. > > > > As Rich alludes to if through Zerotier the user can only connect to your > > webserver and no connections of the user are forwarded (through your > > Zerotier- LAN, or your webserver) to the Internet, the XSS kind of > > threats will be contained. > > > > However, as I understand it the Zerotier provides a split tunnel > > arrangement. The user will be able to use their browser to connect > > through Zerotier to your LAN, while through another window on the same > > browser they will be able to connect to the Internet using their own > > network. > > That, and after they disconnect from zerotier the malware that has > been logging everything can go ahead and phone home to report in > without going through whatever protections you'd have on your own > network for outbound connections.
To cover most eventualities big corporates I know use: a) Company issued laptops, which are completely locked down in terms of applications and settings and connect to the corporate LAN via VPN with client SSL certificate authentication. b) For BYODs, Virtualised Citrix XenDesktop, totally controlled by the corporate sysadmins, with DPI and webfiltering at the corporate firewall for outgoing connections. Connections to Facebook, Twitter, prawn, etc. are blocked. Both of the above are provided as work tools and the users understand that restrictions are part of their employment contract and at company time they are not meant to spend their mornings organising junior's birthday party on Facebook. I don't know to what extent your users can be trusted and relied upon to follow good working practices. Full VPN tunnel to the corporate LAN, plus up to date antivirus products if they are using MSWindows and up to date Linux PCs should protect from most attack vectors. Alternatively, locked down Chrome books as Rich has already suggested and regular back ups should hopefully protect your corporate data from irretrievable damage. -- Regards, Mick
signature.asc
Description: This is a digitally signed message part.