I’m not saying that Fortinet has employees that intentionally inject RCE vulnerabilities into their code, just that we couldn’t tell the difference.

@jerry

the line between malice and incompetence is often very hard to determine...

@paul_ipv6 @jerry
But remember Hanson's Law:
Never attribute to malice that which can be adequately explained by stupidity.
@Mercutio @paul_ipv6 @jerry But watch out for where malice disguises itself as stupidity.
@paul_ipv6 @jerry Any sufficiently advanced incompetence is indistinguishable from malice.
@jerry this is how I feel every time I look at consumer routers... just all of them, from every manufacturer

I frequently catch myself muttering "what the fuck, are you just fucking stupid or malicious?" in an empty room to myself
@jerry I've not been a security professional for a long time, but outside in... This is the cheapest vendor by far with massive market penetration exhibiting very basic CVEs and poor post-KEV exposure management. Is this a case of, "This is bad and needs to be managed," or, "This is bad and we need a new vendor; boy that Ivanti seems to be great."

@rhys @jerry I guess my question is - is Fortinet exceptionally bad compared to how other vendors (e.g., O365, WordPress, etc) handle things?

On a scale of... {thing} to {thing}

@risottobias @rhys @jerry Well, let's put it like this: when another vendor had a critical vulnerability, we as a partner were proactively informed, and were given good information on how to handle it. With Fortinet, we get to know from the media that there's yet another CVSS 10.0, and nobody gives you any details.
@cm @rhys @jerry are there other vendors that bad?
@risottobias @rhys @jerry I don't know all of them, Sonicwall seems to also have a lot of CVEs recently.
@cm @risottobias @rhys in fairness, they’re all bad: Cisco, Fortinet, Juniper, F5, Palo Alto, etc. I can’t think of one that isn’t a problem.
@jerry @risottobias @rhys In which regard? If you measure by number and severity of CVEs, they sure differ; and from personal experience, we do a lot with Check Point and while their stuff is not perfect, they have a good and helpful team even in a small country such as Austria, and they run decades in between CVSS 10.0 vulns and not weeks... Expensive? Weird bugs that they can't resolve over months? Sure. But overall our customers are pretty happy...

@cm @jerry @risottobias @rhys more about management, proactive informed outreach, etc.

Many variables beyond the easily quantifiable cvss scoring, count of them, etc.

@jerry @cm @rhys wonder if the correct approach really is to do some sort of tailscale thing and make the outer gate block all incoming.

{inner firewall} <- {hole punching VPN} -> {outer appliance, no ports, no features, no smarts} -> web <- {roaming hole punching VPN} <- user's laptop

not saying full device-to-device networking necessarily, but the hole punching part.

can't hit {inner thing} if you need to have popped an existing employee laptop for it

@risottobias @jerry @rhys Isn't that what they call SASE these days? And: how would your mail server etc. be reachable? How is that not just transferring the problem from your outer FW to the VPN server?

@cm @jerry @rhys transferring a good half of the problem, yeah.

for things that /do/ need a DMZ, that's another thing.

I don't think SASE at present does it right (e.g., it trusts its own agent to be perfect)

@risottobias @jerry @cm I do something close to this in a personal capacity outside of my enterprise role — but do we really think this is what large enterprise should do?

I'm not against that but we'd have to be clear this is a huge shift in how the world manages netsec if so.

@rhys @jerry @cm I don't necessarily like direct P2P hole punching SASE / tailscale things. I like having network appliances that can check the work of the endpoint daemons

I like having dumb routers as bulkheads between subnets.

getting past the outer one via hole punching would be nice - I realize that doesn't help if you have a service that needs to listen on a port (mail, webserver, etc)

@jerry @cm @risottobias @rhys from the outside looking in, TailScale appears to be a reasonable option for VPN access, if wireguard is not enough by itself.
@RoganDawes @jerry @cm @rhys right - tailscale is a VPN, but not a firewall (fortinet projects like fortigate or ivanti or whatever pull double duty and split a vendor's focus)
@jerry Someone comment on Ivanti, goddd...
@rhys I’m pretty sure Ivanti has metrics and targets around the number of RCEs each developer has to deliver every week and there are bonuses on the line for those that miss their targets.

@jerry One day I aspire to have a career path where I have a number of RCEs to hit each week.

Much love to you, Jerry. Your relay server is basically what makes the fediverse usable for folks like me :)

@jerry "Someone committed RCE code into our repo!"

has the same energy as

"Someone has shit the president's pants!"

@jerry oh shit.

That's the hardest burn I've heard in months, if not years.

Brutal.

I love it.

@jerry

Any sufficiently advanced incompetence is indistinguishable from malice 🫤🤷‍♂️

@jerry They were once found to be using open source code in their software and intentionally obfuscating it to prevent anyone from finding out. They got caught.
@jerry I'll add one other thing about them and their products. I've seen a number of great sales reps buy into the story that their products were enterprise ready, then finding out first hand (egg on face) that they were not. In the process, damaging their own reputation in the enterprise space.

@jerry

Just a bug, pinky swear. Will fix next release, pinky swear.

@jerry Hanlon's Razor: Never attribute to malice that which is adequately explained by stupidity.

Hanlon's corollary: Incompetence is sometimes indistinguishable from malice.

Hanlon's limit: Any advanced malice is indistinguishable from the most egregious incompetence you can imagine.