I’m not saying that Fortinet has employees that intentionally inject RCE vulnerabilities into their code, just that we couldn’t tell the difference.

@jerry I've not been a security professional for a long time, but outside in... This is the cheapest vendor by far with massive market penetration exhibiting very basic CVEs and poor post-KEV exposure management. Is this a case of, "This is bad and needs to be managed," or, "This is bad and we need a new vendor; boy that Ivanti seems to be great."

@rhys @jerry I guess my question is - is Fortinet exceptionally bad compared to how other vendors (e.g., O365, WordPress, etc) handle things?

On a scale of... {thing} to {thing}

@risottobias @rhys @jerry Well, let's put it like this: when another vendor had a critical vulnerability, we as a partner were proactively informed, and were given good information on how to handle it. With Fortinet, we get to know from the media that there's yet another CVSS 10.0, and nobody gives you any details.

@cm @rhys @jerry are there other vendors that bad?

@risottobias @rhys @jerry I don't know all of them, SonicWall seems to also have a lot of CVEs recently.

@cm @risottobias @rhys in fairness, they’re all bad: Cisco, Fortinet, Juniper, F5, Palo Alto, etc. I can’t think of one that isn’t a problem.

@jerry @risottobias @rhys In which regard? If you measure by number and severity of CVEs, they sure differ; and from personal experience, we do a lot with Check Point and while their stuff is not perfect, they have a good and helpful team even in a small country such as Austria, and they go decades between CVSS 10.0 vulns, not weeks... Expensive? Weird bugs that they can't resolve over months? Sure. But overall our customers are pretty happy...

@cm @jerry @risottobias @rhys more about management, proactive, informed outreach, etc.

Many variables beyond the easily quantifiable CVSS scoring, count of them, etc.

@jerry @cm @rhys wonder if the correct approach really is to do some sort of Tailscale thing and make the outer gate block all incoming.

{inner firewall} <- {hole punching VPN} -> {outer appliance, no ports, no features, no smarts} -> web <- {roaming hole punching VPN} <- user's laptop

not saying full device-to-device networking necessarily, but the hole punching part.

can't hit {inner thing} if you need to have popped an existing employee laptop for it

@risottobias @jerry @rhys Isn't that what they call SASE these days? And: how would your mail server etc. be reachable? How is that not just transferring the problem from your outer FW to the VPN server?

@cm @jerry @rhys transferring a good half of the problem, yeah.

for things that /do/ need a DMZ, that's another thing.

I don't think SASE at present does it right (e.g., it trusts its own agent to be perfect)

@risottobias @jerry @cm I do something close to this in a personal capacity outside of my enterprise role — but do we really think this is what large enterprise should do?

I'm not against that but we'd have to be clear this is a huge shift in how the world manages netsec if so.

@rhys @jerry @cm I don't necessarily like direct P2P hole punching SASE / Tailscale things. I like having network appliances that can check the work of the endpoint daemons.

I like having dumb routers as bulkheads between subnets.

getting past the outer one via hole punching would be nice - I realize that doesn't help if you have a service that needs to listen on a port (mail, webserver, etc)

@jerry @cm @risottobias @rhys from the outside looking in, Tailscale appears to be a reasonable option for VPN access, if WireGuard is not enough by itself.

@RoganDawes @jerry @cm @rhys right - Tailscale is a VPN, but not a firewall (Fortinet projects like FortiGate or Ivanti or whatever pull double duty and split a vendor's focus)