15. Direct access - Demo
[Diagram: a managed client on the Client network reaches the DA Srv (DirectAccess server) in the Secure Access Layer of the Accessible zone, and through it the File Srv and SQL Srv in the Internal zone. Zones: World, Accessible, Internal. Access tiers: World access, Trusted access, Admin access.]
16. Server isolation - Demo
[Diagram: same layout as slide 15, but the Internal zone is split: the File Srv sits in an Internal front-end and the SQL Srv in an Internal back-end, so the client never talks to the back-end directly. Zones: World, Accessible, Internal front-end, Internal back-end. Access tiers: World access, Trusted access, Admin access.]
17. So, if the clients are on the "internet" all the time...
• Physical access
• Firewall
• Patching
• Non-admin
• Malware protection
• Secure transport
[Diagram: Client / User / Web Srv]
19. Local Firewall
• Is there ANY reason why the client firewall must allow inbound traffic at any time?
[Diagram: Client / User / Web Srv]
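The slide's question has a practical answer: make inbound "deny by default" on every profile, then treat each remaining inbound Allow rule as an exception that has to justify itself. The following is an added example written for this page, not code from the original deck; it uses the NetSecurity cmdlets that ship with Windows 8.1 / Server 2012 R2 and later, must run elevated, and the admin subnet 10.10.10.0/24 is a made-up value.

```powershell
# Added example, not from the original deck: make "no inbound" the default on
# the client and then audit whatever still allows inbound traffic.
# Needs the NetSecurity module (Windows 8.1 / Server 2012 R2 and later) and an
# elevated prompt. The admin subnet 10.10.10.0/24 below is a made-up value.

# 1. Default-deny inbound on all three profiles. Outbound stays open, so the
#    client can still reach Web Srv, the DA server, update and AV servers.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Every enabled inbound Allow rule is an exception that needs a reason.
#    Resolve each rule's port, program and remote-address scope into one row.
function Get-InboundAllowReport {
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow
    foreach ($rule in $rules) {
        $port = $rule | Get-NetFirewallPortFilter
        $app  = $rule | Get-NetFirewallApplicationFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $rule.DisplayName
            Group         = $rule.DisplayGroup
            Profile       = $rule.Profile
            Protocol      = $port.Protocol
            LocalPort     = ($port.LocalPort -join ',')
            Program       = $app.Program
            RemoteAddress = ($addr.RemoteAddress -join ',')
        }
    }
}

$report = Get-InboundAllowReport
$report | Sort-Object Group, Name | Format-Table -AutoSize

# 3. Rules reachable from any remote address are the first ones to justify.
$report | Where-Object { $_.RemoteAddress -eq 'Any' } |
    Format-Table Name, Profile, Protocol, LocalPort, Program -AutoSize

# 4. Typical answer for a managed client: whole rule groups have no business
#    on an endpoint at all, so disable them instead of leaving them for later.
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 5. If there IS a reason (here: remote management from a jump-host subnet),
#    scope the rule to that source instead of allowing it from anywhere.
New-NetFirewallRule -DisplayName 'WinRM from admin subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 5985 `
    -RemoteAddress 10.10.10.0/24 -Profile Domain -Action Allow
```

Run step 2 before step 4 on a real fleet: the report tells you which rule groups are actually in use, and the blocked-packet log written by step 1 shows what starts failing once they are gone.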
20. Patching, of course, but what about the 0-days?
• Non-admin
• Early mitigations
• Patching strategy
[Diagram: Client / User / Web Srv]
21. Malware protection
• Macro settings
• Antivirus? Yes or no?
• Remember AppLocker?
[Diagram: Client / User]
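Two of the slide's bullets turned into concrete settings: the Office macro policy values and an AppLocker allow-list built from what is actually installed. This is an added example written for this page, not code from the deck. It assumes Windows 10/11 Enterprise or Server (AppLocker is not available on Pro), an elevated prompt, Office 2016 or later (policy key 16.0); the probe path under C:\Users\Public and the user CONTOSO\alice are made-up values.

```powershell
# Added example, not from the original deck: the slide's "macro settings" and
# "remember AppLocker?" bullets as code. Run elevated on Windows 10/11
# Enterprise or Server (AppLocker needs those SKUs). The probe path and the
# user name CONTOSO\alice are made-up values.

# --- Macro settings ----------------------------------------------------------
# These are the registry values the Office Group Policy templates write
# (version key 16.0 = Office 2016/2019/365). Writing them locally shows the
# effect; in a domain you deliver the same values through the GPO.
#   VBAWarnings: 2 = disable with notification (the Office default),
#                3 = disable except digitally signed, 4 = disable all silently.
#   blockcontentexecutionfrominternet = 1: block macros in files that carry
#                the Mark-of-the-Web (downloads, mail attachments) outright.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Type DWord -Value 3
    Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Type DWord -Value 1
}

# --- AppLocker ---------------------------------------------------------------
# Rules are built from the software actually installed under Program Files:
# publisher rules for signed binaries, hash rules for the unsigned rest.
# Review the publisher rules: -Optimize generalizes them, and a rule at
# publisher level allows anything that vendor ever signs.
$inventory = Get-AppLockerFileInformation -Directory "$env:ProgramFiles" -Recurse -FileType Exe
$newPolicy = New-AppLockerPolicy -FileInformation $inventory `
    -RuleType Publisher, Hash -User Everyone -Optimize

# Merge into the effective local policy rather than replacing it, so the
# default Windows / Program Files / administrator rules already there survive.
Set-AppLockerPolicy -PolicyObject $newPolicy -Merge

# AppLocker does nothing unless the Application Identity service runs and the
# EXE collection is in Enforce mode (roll out in AuditOnly first).
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Test a binary dropped into a user-writable location against the policy.
# PolicyDecision says Allowed/Denied and MatchingRule says why; a copy of
# notepad.exe stands in for the dropper only so that the probe file exists.
$probe = 'C:\Users\Public\Downloads\dropper.exe'
Copy-Item "$env:SystemRoot\System32\notepad.exe" $probe -Force
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $probe -User 'CONTOSO\alice' |
    Format-List FilePath, PolicyDecision, MatchingRule
Remove-Item $probe

# What AppLocker blocked (8004) or would have blocked in audit mode (8003).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

The AppLocker half answers the "antivirus? yes or no?" bullet from the other side: an allow-list does not need to recognise the malware, only to notice that it is not on the list, which is why the 8003 audit events are worth watching for a few weeks before switching the collection to enforce.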
22. Secure transports...
• Weak protocols
  – Clear text
  – NTLM configurations
• Direct Access!
• IPsec!
[Diagram: Client / User / Web Srv]
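The client-side settings behind the "weak protocols" and "IPsec" bullets, as an added example written for this page rather than code from the deck. It assumes an elevated prompt on a domain-joined Windows 10 / Server 2016 or later client; the SQL server address 10.0.0.20, the legacy server name legacy-print01 and the authentication set display name are made-up values. Run the audit step and read its output before applying the deny settings, because they break anything that still authenticates with NTLM.

```powershell
# Added example, not from the original deck: the "weak protocols" and "IPsec"
# bullets as client-side settings. Run elevated. The SQL server address
# 10.0.0.20, the server name legacy-print01 and the auth-set name are made-up
# values; audit first, because the deny settings break anything still on NTLM.

$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv  = "$lsa\MSV1_0"
$lmws = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

# --- Step 1: see who still speaks NTLM before you break them ------------------
# AuditReceivingNTLMTraffic 2 / RestrictSendingNTLMTraffic 1 = audit only.
# Outgoing NTLM then shows up as event 8001 in the NTLM operational log.
Set-ItemProperty -Path $msv -Name 'AuditReceivingNTLMTraffic' -Type DWord -Value 2
Set-ItemProperty -Path $msv -Name 'RestrictSendingNTLMTraffic' -Type DWord -Value 1
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# --- Step 2: LM and NTLMv1 off, NTLMv2 only ----------------------------------
# LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLMv1.
Set-ItemProperty -Path $lsa -Name 'LmCompatibilityLevel' -Type DWord -Value 5

# --- Step 3: the clear-text neighbourhood -------------------------------------
# SMB1 has neither usable signing nor encryption; remove it outright.
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
# Require signing on the SMB client so sessions cannot be tampered with or relayed.
Set-ItemProperty -Path $lmws -Name 'RequireSecuritySignature' -Type DWord -Value 1

# --- Step 4: once the audit is clean, deny outgoing NTLM, with exceptions -----
# RestrictSendingNTLMTraffic 2 = deny all; ClientAllowedNTLMServers lists the
# servers that legitimately still need it while they are being fixed.
Set-ItemProperty -Path $msv -Name 'ClientAllowedNTLMServers' -Type MultiString -Value @('legacy-print01')
Set-ItemProperty -Path $msv -Name 'RestrictSendingNTLMTraffic' -Type DWord -Value 2

# --- Step 5: IPsec to the back end --------------------------------------------
# A connection security rule that requires Kerberos machine authentication for
# traffic to the SQL server. With a matching rule on the server, an unmanaged
# machine on the same network segment cannot authenticate the IPsec exchange
# and never gets to talk to port 1433 at all.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Machine Kerberos' -Proposal $proposal
New-NetIPsecRule -DisplayName 'Require IPsec to SQL Srv' `
    -RemoteAddress 10.0.0.20 -Protocol TCP -RemotePort 1433 `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name -Profile Domain
```

Step 5 is the same mechanism DirectAccess uses for its tunnels: machine-authenticated IPsec, so the server only answers clients the domain vouches for. Steps 1 and 4 belong together; skipping the audit and going straight to deny is how a print server and a ten-year-old line-of-business app turn a hardening change into an outage.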
23. So, what about BYOD?
[Diagram: two client networks, one unmanaged (Internet) and one managed, against the zones World, Accessible and Internal. Front-ends in the Accessible zone: Cloud front-end, Internet front-end, Secure Access Layer. Back-ends behind them: Cloud back-end, Internet back-end, Internal front-end, Internal back-end. Access tiers: World access, Trusted access, Admin access.]
• Application classification
• Data classification
24. ...and admin clients
• Should an admin user/computer be on the "internet"?
• Should an admin user read email?
• Safe admin access
  – Non-compromised computer
  – Trusted communication channel
  – Robust exposure of admin interface
• Robust services
• Limited number of administrators
  – Authentication
  – Authorization
[Diagram: admin Client -> DC]
25. And let's talk about server services.
• Robust service
  – Authentication
  – Authorization
• Firewall
• Patching
• Privileges
• Dependencies
• Admin exposure
[Diagram: Client / User / Web Srv]