[cisco-voip] DNS Friendly Names and URL Paths

[Anthony Holloway]

Yes, URL Shorteners.  That's essentially what I am talking about.

So, instead of this:

https://agent.company.com --->
https://someservername.company.com:8445/desktop

You might have this:

https://lets.go/agent ---> https://someservername.company.com:8445/desktop

At the end of the day, the results are the same, and they are achieved
technically identical.

You might even say that not changing the company domain is the better
solution.  Employees begin to trust "company.com" and as long as that's the
same, they shouldn't have to worry.  After all, with the introduction of
SSO in the Enterprise now, people are being redirected to authentication
pages on different URLs than where they initially landed, but as long as
it's within the company domain, it shouldn't be a concern.



On Fri, Oct 21, 2016 at 3:27 AM, Ankur Srivastava <ansrivastava at linkedin.com
> wrote:

> Best solution in my mind is a url shortener. Just tell people to type
> go/cuic or go/finesse and it points to the correct url and the port number.
> Takes the complications out of the picture.
>
> -Ankur
>
> On Fri, Oct 21, 2016 at 4:57 AM, Norton, Mike <mikenorton at pwsd76.ab.ca>
> wrote:
>
>> It is not so much about compromising the redirect server, or cloud vs
>> in-house, as compromising users' behaviour. Phishing is an attack on user
>> behaviour (getting them to believe a fake site is real). By teaching users
>> that it is perfectly normal to be redirected from the officially documented
>> URI that they remember, to some complicated technical-looking URI that they
>> don't comprehend, you are leaving them vulnerable to phishing. You want the
>> normal user experience to be immediately obviously different than that link
>> in the email message from "I.T. Department" asking to "verify your
>> account," that redirects to some sneaky obfuscated URI hosting a fake login
>> page. Redirects make it hard for users to tell if they actually ended up at
>> the page they intended to, thus it is a way by which they could be tricked
>> into using a fake page (phishing).
>>
>> -mn
>>
>> Sent from my Windows Phone
>> ________________________________
>> From: Anthony Holloway
>> Sent: 20/10/2016 5:05 PM
>> To: Norton, Mike
>> Cc: Cisco VoIP Group
>> Subject: Re: [cisco-voip] DNS Friendly Names and URL Paths
>>
>> So the cloud is a scary place, I see that.  I wouldn't want to expose
>> anyone to an extra risk.  You could just avoid the whole attack vector
>> thing by deploying a 100% on-prem solution though, no?  And if you cannot
>> trust your internal servers, then you're screwed either way.
>>
>> Also, you cannot just throw out "attack vector" and "phishing" without
>> backing that up.  What sources can you cite that URL redirects are security
>> risks?  And not open redirect services either.  The services I am referring
>> to would not be open redirects<https://en.wikipedia
>> .org/wiki/URL_redirection#Security_issues>, rather they are
>> protected/private, because you have to configure your own DNS to make it
>> happen.  URL shortening services are in use in our daily lives and they
>> rely on the same exact techniques<https://en.wikipedi
>> a.org/wiki/URL_shortening#Techniques> I'm talking about here: HTTP 3XX
>> Redirects.  So, I'm not saying I'm a security expert, but I don't think
>> it's fair to just say "It might get compromised, therefore it's bad."
>> Otherwise, everything we do is bad, because everything is at risk.  Even
>> SSL itself<http://heartbleed.com/>.
>>
>> The problem with the reverse proxy/L7 load balance might be seen at the
>> finesse level, as only a simple redirect is supported today, but otherwise,
>> I would love more intelligence in the routing decision versus static
>> redirects.
>>
>> And yes, of course, you could simply not bother, but seriously, I have
>> yet to see an environment where bookmarks are pushed and documentation says
>> "Look at your bookmarks to login to finesse."  Instead, it has been a URL
>> given to the users via documentation.
>>
>> Perhaps a landing page akin to Google's old iGoogle<
>> https://en.wikipedia.org/wiki/IGoogle> could be used to ease the
>> distribution and launching of app URLs.  Some apps already have something
>> simliar.  Like when you go to the UCCX landing page there's a link for
>> AppAdmin and CUIC.  Too bad there's no link for Finesse.  And too bad it
>> looks like garbage.  And too bad there's not like a single landing page for
>> CUCM, CUC, UCCX, etc.
>>
>> On Thu, Oct 20, 2016 at 5:14 PM, Norton, Mike <mikenorton at pwsd76.ab.ca
>> <mailto:mikenorton at pwsd76.ab.ca>> wrote:
>> I would be a bit wary of HTTP redirects being a convenient attack vector
>> for phishing. Especially if they are happening over unencrypted HTTP and
>> across the Internet. But even just behaviorally, I don’t think it is a good
>> practice to get users comfortable seeing the “official” URIs be redirected
>> to ugly technical-looking URIs. Makes it easier to trick them into using a
>> fake page. If they’re used to always seeing a memorable simple and pretty
>> URI, then they’re more likely to notice when something is amiss.
>>
>> An alternative would be to rewrite URIs with a reverse proxy (or L7 load
>> balancer). This would avoid the need for redirects and would keep the
>> user’s browser pointed at a nice pretty URI. As a security bonus, you’d be
>> able to firewall direct L3 access to the application service, and also your
>> client machines wouldn’t need to be allowed to access weird ports.
>>
>> Another option is to just not bother with friendly names, push
>> favourites/bookmarks into users’ browsers (e.g. via group policy, mdm) and
>> train them to get to the applications that way.
>>
>> -mn
>>
>>
>> From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net<mailto:
>> cisco-voip-bounces at puck.nether.net>] On Behalf Of Anthony Holloway
>> Sent: October-20-16 1:07 PM
>> To: Cisco VoIP Group <cisco-voip at puck.nether.net<mailto:
>> cisco-voip at puck.nether.net>>
>> Subject: [cisco-voip] DNS Friendly Names and URL Paths
>>
>> Since the list is slow this week....
>>
>> Ever since the push for DNS and FQDN over IP Address, I have been giving
>> application servers a Subject Alternative Name (SAN) so that users
>> accessing Self-Care Portal, Finesse, etc. do not have to be bothered with
>> server names.
>>
>> E.g.,
>> Instead of this:
>>
>> https://mspvmcucm001.company.com/ucmuser
>>
>> They would be able to use this:
>>
>> https://myphone.company.com/ucmuser
>>
>> That works pretty well, and Tomcat certs are easily signed to support the
>> extra alias.
>>
>> However, when it comes to UCCX, it's a little more complicated with the
>> following example:
>>
>> https://finesse.company.com:8445/desktop
>>
>> Because the alias is not exactly fitting for all things on UCCX, such as:
>>
>> https://finesse.company.com:8444/cuic
>>
>> That's confusing, and also because the user still has to remember the
>> port and path on the end.
>>
>> https://finesse.company.com will not automatically take you to
>> https://finesse.company.com:8445/desktop
>>
>> Today I had a co-worker ask me how it might be possible to have both:
>>
>> A) A different alias for each sub-component of the application server
>> (E.g., Finesse vs CUIC)
>>
>> B) Have the port and path appended automatically
>>
>> I decided that a shim would be appropriate here.  We would take the
>> various aliases, send them to a web server, which would then initiate an
>> HTTP Header Location redirect to the appropriate port and path.
>>
>> A PHP example could be:
>>
>> URL: https://agent.company.com/
>> PHP: <?php header('Location: https://mspvmuccx001.company.c
>> om:8445/desktop''); exit; ?>
>>
>> This uses the HTTP Location<https://en.wikipedia.org/wiki/HTTP_location>
>> header, which sends an HTTP 3XX response code to the client and let's them
>> know where to go to get the "right" page.  Unfortunately, that does mean
>> that the address changes in your browser from the first URL to the second
>> URL.  This isn't terrible, but it does mean that you'll still want a
>> friendly looking CNAME record for your host still, as I described above.
>>
>> But, this would require me to install a web server in each environment
>> and configure it, or ask for shared web server space.  A better solution?
>> The cloud!
>>
>> I stumbled across a public service that does just this.  The cloud
>> service I found is:
>>
>> https://www.easyredir.com/
>>
>> They have both paid and a free plans:
>>
>> https://www.easyredir.com/free-url-redirection
>>
>> I was able to set this up in about 10 minutes and it works exactly like I
>> have explained above.  I have no affiliation to them, and I'm sure there's
>> other services out there.
>>
>> Icing on the cake I suppose, I was even able to take a public domain
>> record (E.g., company.com<http://company.com>) and redirect it to a
>> private domain record (E.g., company.local), proving that your application
>> servers need not be accessible from the internet.
>>
>> In fact, your target url doesn't even have to be a public domain either.
>>
>> E.g.,
>> https://agent.company.local can point to https://mspvmuccx001.company.l
>> ocal:8445/desktop
>>
>> The only requirement is that your client PC can resolve the private
>> record (.local) to the public service host (on easyredir.com<
>> http://easyredir.com>), and that the returned redirect location (.local
>> again) is also accessible to your client PC.
>>
>> Has anyone come across something like this before?  How are you solving
>> all the different ports and paths now under your administrative domain?
>>
>> This does not replace your need for a smart load-balancer in the case of
>> a server failure, though Finesse should at least redirect you to the Master
>> node, should your DNS record point to the Slave.
>>
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20161021/36366a8b/attachment.html>