
Patrick Gray
And welcome to this sponsored podcast. My name is Patrick Gray and sponsoring Risky Business News and Seriously Risky Business and the Risky Bulletin feed and all of this good stuff this week is Knock Knock, which is a company that I am quite involved in. I sit on its board of directors and it's super neat. It's super neato. People would have heard me talk about Knock Knock before. The product started off as a way to do dynamic IP allow listing, right? So you can do network restrictions through your existing firewalls, you know, seal everything off. And then if someone wants to access a resource, they go through their SSO, they click a single button on a web application and bang, magically their IP address is added to an allow list and then they can access that resource. So it's really good just for minimizing attack surface on external resources. Very popular, as it turns out, on internal networks. And we're going to hear about that in just a moment in this interview. And also they've just released a new feature which is a pretty big one, which is an identity-aware reverse proxy. And a lot of those things tend to be cloud based. And not everyone wants a cloud based reverse proxy. You know, you've sort of got your Cloudflare stuff, Akamai, Zscaler and whatnot. So theirs is just mega simple and you can put it everywhere and even use it to protect your crappy apps. Like, you know, use it to protect a web interface on an IP camera. Right? You can do that with this. That's not something you're going to use Zscaler for.
But really the topic of this interview, which is with Knock Knock's chief executive, Mr. Adam Pointon, really this interview is just about how horrified he is now that he is out there in vendor land, because he used to be a CISO who ran a very, you know, nicely put together network that he developed from greenfields. Now he's out there talking to customers and really it's a little bit horrifying. You know, the state of people's internal networks is a little bit horrifying, which is, I guess, for him selling a solution like this, great, but is somewhat surprising. So, yeah, this is an interview about the state of networks out there, internal networks and how flat they are. And also a bit of a discussion about that new reverse proxy feature and why someone would need that. I hope you enjoy it.
Adam Pointon
Fifteen years ago, everybody was segmenting, arguably earlier and before that. But segmentation, especially internal, was just a thing you did, right? You separated your backup servers, your management VLANs. That's just what you did. And then you had good firewall controls around those. Turns out everybody just didn't actually do that. And I guess they focused on the cloud and they thought, we'll move everything to the cloud and focus up there and our internal walled garden will just be soft and squishy and we'll worry about that later. So we're coming into these environments and just horrified at the flat networks, horrified at lateral movement opportunities. And it's hard, it's a hard problem to change because there's a lot of internal movement that you don't understand. Lots of network flows that just happen, and if you go in there and start turning them off, you know, it's a big project, it's a challenge for them.
Patrick Gray
Yeah. And you really get the impression people don't quite understand their environments as well as they should, because they tend to evolve over time. I think eventually we're going to see the same sort of problem with cloud infrastructure as well, where it's been around long enough that it's sort of evolved over time and no one knows what it should look like anymore. But I mean, you and I have both been surprised by some of these absolutely gargantuan, you know, household name companies with, you know, gigantic networks. And you think, oh, you know, they'll be in pretty good shape. And it's like, no.
Adam Pointon
Yeah. And it's really been surprising. I mean, some of them, you know, there's jokes that have been said to us like, these servers haven't seen the light of day, meaning they haven't seen the Internet for five years. Perplexed. What exactly do you mean by that? These things haven't gone out to get patches, these things haven't had updates. And yes, air gapping is part of that, but not always. These systems are just sitting in a corner. They're the boat anchor that no one knows, you know, the purpose of. How do you have layered security controls around a device that you don't know exactly what its purpose is and what it does? It's a maintenance nightmare.
Patrick Gray
Yeah, yeah. So, I mean, I was just thinking of one call you did the other day that you were telling me about. Yeah, I mean, they were using gallows humor on the call where you were suggesting that they could solve a couple of their problems with, like, I'll just put that on a different VLAN. They're like, we don't have any.
Adam Pointon
Yeah, that's right, that's right. Oh, that's on the management VLAN. Why don't you just... And they cut me off and said, yeah, well, you think we have VLANs? And I was like, okay, all right. You know, we do Just in Time network access control, which means you can segment things up dynamically, and that's best layered on top of existing segmentation. But turns out there isn't a lot.
Patrick Gray
Yeah. So okay, we could just do it on the flat network, that's fine. But yeah, ideally you would want to, you know, use some VLANs. So yeah, I mean, just thinking about this internal use case, another big thing that's happened is a lot of people are coming to Knock Knock for stuff like Just in Time network access into OT and ICS environments. Which is cool, right? It's a cool way to access those environments. You and I were chatting with our ICS and OT expert the other day and we were asking them, well, how do people normally do that? And they were saying that it's usually a bastion host in the IT network which connects through to a bastion host in the OT network. So it's like a double hop thing, like, gets it done from a security perspective, little bit of a usability hit. But I think the interesting thing is, of the people that you're talking to in ICS who are looking at using Knock Knock to segment between these two networks, those networks are currently connected to each other. And again, this is just a surprising thing. Once you get out of enterprises where people really know this stuff and you look out there at the wider world, it's just, it is pretty shocking how bad it is.
Adam Pointon
Yeah, honestly I was quite surprised. I mean, large networks, yes, they age, they become brownfields pretty quickly. It's hard to change them. And ICS adds another layer of complexity. Right. You can't just go and change things and turn them off because bad things happen. Critical infrastructure has a critical role. Whether it's powering life support systems, energy, critical functions, it has real world consequences. The whole bastion, VPN, bastion, VPN layers to get through is great and, you know, that's pre-existing, it works. But the problem is there's a lot of support that's needed, or maintenance, from product providers. So they put solutions in and then say we need to remotely access this thing to be able to give you enterprise support. So here's our thing that pierces the network, goes outbound, or here's our solution, here's our remote access to this environment, and they each enforce their own. So you have to then support all of these different technologies and you can't really carve them up either. It just becomes a real problem. So you can see why a flat-ish network, but in an air gap, safe-ish world, happens, and then it's very difficult to change.
Patrick Gray
Now look, I'm going to change the topic for a second. You've just shipped a new feature. We did a YouTube demo of this one a week or two ago. People can go and find that one on YouTube. Risky Business Media is the channel page. And yeah, you give a whole walkthrough of it. But you demoed the new feature which has been coming for a while, which is an identity-aware proxy which is tied into the Knock Knock platform. Right? So if you've got something horrible like a file transfer appliance or like a horrible internal web application or even something in the cloud that you don't fully trust and you want to just lock away all of that pre-authentication attack surface, you want to lock that up so that unauthenticated users can't see it. You can do that. Now funnily enough though, the way people have traditionally solved this problem has been very much focused on core enterprise apps. Right. So they'll go Zscaler or something and it'll be a big dollar spend to roll out access to those very critical applications. But what happens is the less critical applications that don't actually get maintained, which are the ones that are more likely to get you owned, don't tend to be prioritized in the same way. Right. So you're not going to do a Zscaler project to plumb through access to crappy apps. So I guess this is kind of like, you could do this for your critical apps, but you could also do it for your crappy apps, I guess. So is this the crappy app reverse proxy? The crappy app reverse proxy I don't think is a great brand, but yeah, that's kind of what it is, right?
Adam Pointon
Yeah, well, it supports any app, I guess, and a lot of them are good, but the majority are actually crappy. I think where it's really powerful is that application that's used by some staff, some third parties, like a car booking system, you know, very business specific application. The developer that wrote it has moved on. It's still sitting there needing to be supported. It's on the Internet, it's relying on security through obscurity, it's on some, you know, path that hopefully nobody knows about.
Patrick Gray
And it's full of PHP file include vulnerabilities. Right?
Adam Pointon
Yeah. Well, it's full of all sorts of things, right? And no one really knows, and if they're discovered, who's going to fix it? So there's a lot of security through obscurity there. Hope is not a strategy. Right. We all, you know, I sort of said that before. You can't rely on that, and rolling out some enterprise app for the 15 people or, you know, 5% or fewer of the organization that uses that. But it still needs to be on the Internet. That's where something like Knock Knock solves that access. You sort of mentioned the identity-aware proxy solution we built recently. We call it Knock Knock Access Tokens, KAT, because, you know, we needed a three letter acronym. But our philosophy is removing attack surface, and then the other one is direct access. So rather than going through a cloud proxy, going through a VPN server, that's a chokepoint. We're all about low latency direct access. So we needed a way to allow the user to do IP address based trust plus something else, which is where we introduce this token idea. We hand it off to the user, they provide it as part of their engagement to the application. The crappy application to book a car, the application that's navigating, or a timeshare or scheduling system that's been built internally, and they get that additional layer of trust at layer seven.
Patrick Gray
But you see my point about, like, you're not going to go a full Zscaler project just to get access to that app. Do you know what I mean? Like, that's not what it's for. I mean, this isn't throwing shade at Zscaler at all. Like, it's a really good product, but you're not going to roll Zscaler to everybody so that they can use the car booking app. That's kind of what I meant by, like, you can just roll this out for crappy apps.
Adam Pointon
Yeah, that's fair. It's very focused and targeted as opposed to an enterprise wide deployment. And the other thing with Zscaler, I like the product. There's a lot of good features in it, I think it's great. But you can't deploy that off to the third party outsourced consultant. It's a non-SOE device. How do they access it? They can't install anything. They just need to click on the thing and then get through and book the car. They're an engineer that needs to turn up, get onto a site, they need to book the car. They can't install some software. They're on an iPhone or an iPad. You know, they can't necessarily go down that path. And that's where we're seeing a lot of customers saying, well, Knock Knock, okay, you can remove our VPN attack surface. We can use you internally. But you know what? We've got this crappy app that we all know is a horror show, and we'd love to do something about it. Can you solve it? And we're like, well, actually, yes, we can.
Patrick Gray
All right, Adam, great to chat to you, my friend. All good stuff. And, yeah, again, people can check out the demo on YouTube. I'll drop a link into the show notes for this podcast, but that's it. We're going to wrap it up there, pal. Good to see you.
Adam Pointon
You too, mate. Catch you soon.
Risky Bulletin Podcast Summary
Episode: Sponsored: Making Zero Trust Work with Non-Critical, Crappy Applications
Host: Patrick Gray (risky.biz)
Release Date: July 6, 2025
In this episode of Risky Bulletin, host Patrick Gray delves into the challenges of implementing Zero Trust security frameworks, especially concerning non-critical and legacy applications often overlooked by traditional security solutions. Sponsored by Knock Knock, a company specializing in dynamic IP allow listing and identity-aware reverse proxies, the discussion features insights from Knock Knock’s CEO, Adam Pointon. The conversation highlights the prevalent issues in internal network security and how Knock Knock’s innovative solutions address these vulnerabilities.
Patrick Gray and Adam Pointon express concern over the widespread lack of proper network segmentation within organizations. Despite segmentation being a security best practice, many internal networks remain flat, exposing numerous vulnerabilities.
Adam Pointon [03:08]:
"But it's really been surprising. I mean, some of them, you know, there's jokes that have been said to us like, these servers haven't seen the light of day, meaning they haven't seen the Internet for five years."
Flat networks facilitate lateral movement for attackers, making it easier to exploit multiple systems once initial access is gained.
Adam Pointon [03:08]:
"Turns out everybody just didn't actually do that. And I guess they focused on the cloud and they thought, we'll move everything to the cloud and focus up there and our internal walled garden will just be soft and squishy and we'll worry about that later."
Many organizations grapple with legacy systems whose purposes are unclear, posing significant security risks due to outdated software and unpatched vulnerabilities.
Adam Pointon [03:36]:
"These things haven't gone out to get patches, these things haven't had updates... they are the boat anchor that no one knows, you know, the purpose."
Maintaining layered security controls around such devices becomes challenging when their functionalities are not well understood.
Adam Pointon highlights the complexities involved in securing OT and ICS environments, which are critical for maintaining essential services and infrastructure.
Adam Pointon [05:47]:
"Critical infrastructure has a critical role. Whether it's powering life support systems, energy, critical functions, it has real world consequences."
Traditional security measures like bastion hosts introduce usability issues and require extensive maintenance, complicating access for third-party consultants and outsourced staff.
Adam Pointon [05:47]:
"So you have to then support all of these different technologies and you can't really carve them up either. It just becomes a real problem."
Knock Knock’s initial product focuses on dynamic IP allow listing, enabling organizations to implement network restrictions through existing firewalls. This minimizes the attack surface by only permitting access when authenticated via Single Sign-On (SSO).
Patrick Gray [00:06]:
"You can do network restrictions through your existing firewalls... their IP address is added to an allow list and then they can access that resource."
The newly released identity-aware reverse proxy is a significant addition to Knock Knock’s suite, designed to protect both critical and non-critical applications without relying on cloud-based solutions like Zscaler.
Adam Pointon [07:03]:
"It's a pretty big one, which is an identity aware reverse proxy... you can put it everywhere and even use it to protect your crappy apps."
This feature allows organizations to secure internal applications that are often neglected, ensuring that even less critical systems are shielded from unauthorized access.
Many organizations have internal applications that are outdated and vulnerable, often referred to here as "crappy" apps. These applications typically lack regular maintenance and are prime targets for cyberattacks.
Adam Pointon [08:12]:
"We call it Knock Knock Access Tokens Kat... removing attack surface and then the other one is direct access."
Knock Knock’s solution provides an additional layer of security by implementing IP address-based trust and access tokens, safeguarding these applications without the need for extensive overhauls.
Unlike comprehensive solutions like Zscaler, which are suitable for critical applications but not for every minor application, Knock Knock offers a focused and cost-effective approach to securing non-critical systems.
Adam Pointon [10:09]:
"You can just roll this out for crappy apps... you can do something about it. Can you solve it? And we're like, well, actually, yes, we can."
This targeted strategy allows organizations to protect minor applications without the substantial investments typically associated with enterprise-wide security deployments.
Knock Knock’s identity-aware proxy facilitates secure access for third-party consultants and outsourced staff who may not be able to install complex security software.
Adam Pointon [08:55]:
"They can't install some software. They just need to click on the thing and then get through and book the car."
This ease of use ensures that external users can securely access necessary applications without compromising security protocols.
By integrating Knock Knock’s solutions, organizations can implement layered security controls even within highly complex and segmented OT and ICS environments.
Adam Pointon [04:41]:
"Just in Time network access control, which means you can segment things up dynamically and that's best layered on top of existing segmentation."
This dynamic approach to network access ensures that security measures evolve alongside the network infrastructure, maintaining robust protection against emerging threats.
Patrick Gray and Adam Pointon conclude the discussion by emphasizing the importance of addressing both critical and non-critical applications within a Zero Trust framework. Knock Knock’s innovative solutions provide a practical and scalable approach to minimizing attack surfaces and enhancing overall network security.
Patrick Gray [11:17]:
"But you know what? We've got this crappy app that we all know is a horror show, and we'd love to do something about it. Can you solve it? And we're like, well, actually, yes, we can."
Listeners are encouraged to explore Knock Knock’s offerings further through available resources, including a detailed YouTube demo showcased on the Risky Business Media channel.
YouTube Demo:
A comprehensive walkthrough of Knock Knock’s new identity-aware reverse proxy feature is available on the Risky Business Media YouTube channel.
Knock Knock Website:
For more information on Knock Knock’s products and services, visit knockknock.security.
This episode of Risky Bulletin provides a deep dive into the often-overlooked aspects of internal network security and presents practical solutions to enhance Zero Trust implementations, especially for non-critical applications. Whether you're a cybersecurity professional or an IT manager, the insights shared by Patrick Gray and Adam Pointon offer valuable perspectives on safeguarding your organization's digital assets.