Re: Jenkins amplification

[Mike Meredith <mike.meredith () port ac uk>]

On Mon, 3 Feb 2020 16:13:34 -0500, Christopher Morrow
<morrowc.lists () gmail com> may have written:
> My experience, and granted it's fairly scoped, is that this sort of thing
> works fine for a relatively small set of 'persons' and 'resources'.

Seeing as managing this sort of thing is my primary job these days ...

> it ends up being about the cross-product of #users * #resources.

That's the interesting part of the job - coalescing rules in a way that
minimises the security impact but maximises the decrease of complexity. If
you don't, you get an explosion of complexity that results in a set of
rules (I know of an equivalent organisation that has over 1,000 firewall
rules) that becomes insanely complex to manage. 

> certainly a more holistic version of the story is correct.
> the relatively flippant answer way-back-up-list of: "vpn"

I think that "vpn" is the right answer - it's preferrable to publishing
services to the entire world that only need to be used by empoyees. But
it's not cheap or easy. 

-- 
Mike Meredith, University of Portsmouth
Hostmaster, Security, and Chief Systems Engineer

Attachment: _bin
Description: OpenPGP digital signature