
I recently had to bypass my company policy by establishing a VPN connection from a LAN device (raspberry pi) located inside my company, to a WAN server.

As devices accessible from outside must be placed in the DMZ, I couldn't get a proper authorization to do this. In fact, it is too complex and it requires too many approvals. So, because I am lazy, I am just using openvpn to connect my Raspberry Pi to the outside through a virtual machine located on the cloud. Then from this VM I can reach my device without opening any port on the master firewall.

Just to avoid any problem with the IT, I am not using the standard 1194 port, but a more standard one: 443.

With this I realized how weak that concept of DMZ is. Even with a strong firewall, it is still possible to place a spying mole inside a company. Are my company's IT security policies really bad, or is it just really hard to prevent such a mechanism from being put in place?

nowox

1 Answer


"from a LAN device (raspberry pi) located inside my company"

Depending on how strict your company or any company is, LAN connections to the company's infrastructure should not be that easy. Some companies automatically block ports on employees' desks; only when needed is a port opened by the sysadmins.

"using OpenVPN to connect my Raspberry Pi to the outside through a virtual machine" ....

"Just to avoid any problem with the IT, I am not using the standard 1194 port, but a more standard one: 443."

Again, it varies from company to company on how strict their outbound connections are. It just so happens these connections were allowed, and it just so happens that you were on a network that allows internet access, hence 443 being open. They can't just block that; you were able to go out because they allowed you to go out!

The security posture of a company stems from the purpose of its different network segments: internet-facing networks, intranets, etc.

There's a reason why there are these measures in place, the company placed a certain level of trust on you. You see anything wrong here?

"As devices accessible from outside must be placed in the DMZ, I couldn't get a proper authorization to do this. In fact, it is too complex and it requires too many approvals. So, because I am lazy, I am just using..."

Employees are the weakest link in any company and you've just proved that.

mallocation
  • Or perhaps, the amount of paperwork required to let me do my job is the weakest link in a company, because I have two options: 1. I wait for the IT to give me a good solution to finish my project and the company loses money on all sides, 2. I bypass the system and the project is finished on time and the client is happy... – nowox May 13 '20 at 10:45
  • Yes I understand you, but you also have to grasp that with convenience you compromise security and in my opinion safety/security should be placed above anything else. Company policies need to change, authorization methods need to be fixed & sped up BUT until this is addressed, never fall short on security. You have to let your client AND your boss know about this, why it is taking longer etc.... "Yo boss, it's very inefficient without the proper clearance, I got a deadline coming up" something along those lines, I hope you can figure it out! – mallocation May 13 '20 at 10:52
  • By the way: A setup which allows web browsing from within the network but without allowing users to create direct outside connections is to have them use a proxy server in the DMZ. That proxy server can also be used to filter web access. While content-based filtering became difficult with widespread use of HTTPS, you can at least still do IP-based and DNS-based filtering. – Philipp May 13 '20 at 14:24
  • @nowox - I can appreciate your frustration as I've been there many times. My experience has been that defeating corporate strictures will not be well received. If the TPTB insist that their rules are more important than project success then they are, it's not your call. Do the paperwork, jump through the hoops required and make the ramifications clear. It's possible that they may have alternate resources they will make available, or maybe they don't care. Either way, unless lives are on the line, remind yourself *It's not your money.* – user10216038 May 13 '20 at 17:00