BSidesChicago 2017 has ended
Saturday, July 15 • 1:00pm - 1:50pm
Between You and Me and the Network Security Boundary
Feedback form is now closed.
Many organizations have IT environments with zones of varying security requirements. These zones are usually networks that are created to encompass systems that serve different functions, from production web applications to PCI in-scope database servers.

An organization has to make a decision about implementing a security boundary that protects high-security areas from low-security areas. Designing and deploying these solutions can be a complex task, contending with hurdles from compliance requirements and management all the way to just making sure the users can remember how to access all the necessary systems. This complexity leaves many holes that can be exploited by bad guys to get access to the most sensitive data. Most penetration testers will tell you that getting past these barriers, even ones that implement fancy security features such as multi-factor authentication, become bypassable through race conditions and configuration flaws.

This talk will review several common solutions of separating and accessing network zones such as VPNs, bastion hosts, and virtualization along with each solution's most common pitfalls. As we review each implementation, I will talk about both low-hanging and high-hanging fruit in terms of bypass methodologies, while giving real-world examples of leveraging weaknesses such as race conditions and configurations flaws to gain access to secured networks. I will do a deep dive into the architectures that most efficiently secure protected networks such as Microsoft's Privilege Access Workstations (PAWs) as well the management practices that create effective long-term security barriers. 

avatar for Patrick Fussell

Patrick Fussell

Penetration Tester, Payment Software Company, Inc.
In preparation for his transition out of the Marine Corps in 2010 Patrick Fussell had his first exposure to the information security world working with the information assurance department. Over the past six years he has worked in numerous roles to increase the security of IT environments... Read More →

Saturday July 15, 2017 1:00pm - 1:50pm CDT
Williford A