Good morning at Gulaschprogrammiernacht 21. This is day three of GPN. It's wonderful to see so many of you lovely people out there. This talk is about perimeter security. So you know what happens: you deploy a new piece of software, you get a new appliance, and we have to make it secure. What's the default answer? Let's put it behind the firewall. Why this is maybe not a good idea, and, more constructively, what could be useful and practical alternatives, is going to be the topic of the next talk. So please welcome with a very warm round of applause make fly with "Perimeter security: get over it".

Thank you very much for showing up to my talk, which is so early in the day. I actually expected to have five people sitting here and everybody else being outside in the sunshine. So thank you for showing up. I give this talk in English because there are two or three people in the audience who don't speak German and, more importantly, I'd like to have this as a proper recording, because in my day life I very often get asked, "What do you think about this topic?", and this way I can actually say: here is a link to media.ccc.de, please read that. And yeah, I live in the Netherlands. I'm German. I've hung around at the CCC for quite a while, but now I am security advisor at the Port of Rotterdam when it comes to security and software development. So I just became a professional smart-ass. Also, possibly most of you over here have seen me more in this environment: at some point I had the weird idea to start this Milliways thing, and then that escalated a bit. But the summary is: with that, see you on camp, and hopefully that will be nice. Yeah, I do a lot with computers, more on the side of security. In the beginning out of interest, then I made it my job, and then I turned into one of those professional smart-asses in the company. I'm an NPC in a computer game.
So I'm a quest giver you can go to, and that gives you a task to do. So I like hackerspaces. I've been involved in several of them in my past, and Covid made me also into a woodworker. I'm old. I'm 49. I started in the whole BBS time, still before this internet. I was at the CeBIT in 1996, I think. I walked over there; I lived, or grew up, very close to the CeBIT, so as a young person you clearly got a ticket to go there. I ran into people from the Chaos Computer Club because they had a stand there, and that's actually where I signed up and thought that that's cool. I've been in the BBS scene. Yeah, I like going to conferences and talking a lot. And since 2016 I am living in the Netherlands. My wife is Dutch, and at some point we had to make the decision: do we go to the Netherlands, or I stay in Germany and you live in the Netherlands? That's not very practical. On Mastodon and on Matrix you will find me over there if you want to.

Yeah, let's come to the motivation of the talk. I have meanwhile spent a while in this whole professional security thing, and over the time I've helped build, reviewed and penetration tested all kinds of networks, and a lot of them are based on the perimeter. That is the solution we have basically been doing for a long time. I'll go over this in the talk. Over the time we got better at that, and we got more complex technology. I didn't really... As a security consultant in the Netherlands, I worked as a security consultant. It was easy to find the day, that's easy to remember: my company got pwned by NotPetya. From the first indicators of compromise, as that's nicely called, till all of our Windows systems were gone were eight minutes. Just to give you an impression: that's 45,000 desktop workplaces, roughly. We thought we had 5,000 servers in the data center, but everything went silent because they switched themselves off, and people counted in the data center and we found we had over 9,000 devices in the racks. So yeah, we had a very complex company network, and actually a relatively modern firewall and intrusion detection systems, all of that stuff, malware endpoint security, and all of the nice devices. None of that helped, and that gets you thinking about whether the solutions we are recommending to build are still the right things to do. So not only technology and ways of working need to change; also the dogma in the ICT needs to change. This talk is about this change.

So to go a bit into that: who of you knows what a perimeter and perimeter security is? Okay. Who does not know? Who thinks they might know but is actually not sure about that? Okay. That suits me. The perimeter, in general, is the idea of defining an inside and an outside. It applies to the company network, where the inside is your company and your network, and the outside is the world out there. Think of castles, with walls and gates and stuff like that. And if you have a more complicated setup, so if you have been on really big castles, then you see that they have multiple stacked areas, so when the enemy gets in here, when you get to the first area, then there's a second gate and so on and so on. So castles exist in different complexities. Pretty sure you've seen this picture at some point, one like that, where on the perimeter I try to define my outside network, my inside network, and the gate between them.
So where do I draw my line? The thinking of perimeter security actually comes from the military. That is the line you consider to be your home base, and in the larger sense also the line you are responsible to defend. Who of you is over 40? Cool. In the beginning, computers happened in companies, and I wrote here mainframes, and yes, I'm among nerds, I completely know that this is not an absolutely correct term. There were lots of other systems that had different names, but let's just categorize all of that stuff into mainframes. I'm pretty sure the ones among you who know what I mean... yeah, we can discuss this overview about mainframes. You have a big machine that sits in a room; the room is basically built for it, the AC system is built around this. The perimeter, so to say, is the room. There were some few selected people that were actually allowed to touch the system, and you just considered the room to be the outer area of your computer. That was not always correct from the beginning, because you had terminals, you had modems, and you had something that was called X.25, which were ways where you could in theory connect those systems. But modern network routing as it is today was for most of the cases not really a thing yet. Think like this. Right, so that's very early.
This one is possibly a thing that some of you might get the idea of more. This was basically the first moment where computers connected to something, and the main risks were people, were kids actually, that just wanted to play chess and thermonuclear war. A bit after that came the PCs, and with PCs very quickly came Novell networks. I'm pretty sure some of you have heard this term; who had to touch something like this in the dark ages? Yeah. The perimeter was basically the building. In the building you built a LAN where you connected all the PCs. You had some servers; print servers and file servers were the most common things in the beginning. So the perimeter is still the building. You change that to different technology, you move over to TCP, because you can then use some more tooling that makes it easier. The first web pages showed up, and some companies actually had something like that. We built what we called intranet applications at that point, which are basically applications that run on your local network, without you necessarily even having to have internet, but that use internet technology. And suddenly, the internet. So the company started to be connected to a larger wide area network that is more and more public, that couldn't be easily accessed, so the first thing that came out was then called a firewall. In the beginning you usually had simple firewalls for controlling network traffic. And that is the moment where those gates became kind of important. When you build a gate in your house that you can go through to the outside, and you have your valuable things in there, then you sometimes tend to put people at the gates, asking people who come in: who are you and what do you want here?
As said, we built intranet applications, so the servers became more common, and at some point the servers moved from the basement of the company, which was first one room and then multiple rooms next to each other, so the data center in the company, to a real data center somewhere else completely. Still connected to the company network, but that is the first time where the physical boundaries of the company and the network extension of the perimeter actually become detached. And we developed lots of funny technology on the way down there: VLANs. So you kind of separate your company network into virtual networks, in the hope that when something bad happens in one area, that doesn't necessarily swap over directly to the others, or you want to restrict access in some way. Yeah, your network within the company gets more and more complicated, because you get better tools that have more capabilities. Suddenly you could have more than 16 VLANs, so people very quickly had a lot of them. And then people, usually from sales, are the first ones that say: hey, I'm always on tour at the customer, or some service people that you have to send out to the field in a mechanical company: can I get VPN access to the company?

So suddenly places all over the world where people from your company were working became kind of part of the local perimeter, because those computers typically could still be reached within the network. Yeah, we get more intelligent tools that got better and better over the different times at actually blocking, setting access rights, inspecting traffic and stuff like that. It also becomes more complex. Then intranet applications and mail move into the internet and become cloud applications, Office 365. So we try to set up Office 365 in a way that access to the company services over there is only possible from the company gateway, which also results in that I still force everybody to be on the VPN, but I have a cloud solution that can't be accessed from the internet, right? So this is also a way: if you have people that have a very strong perimeter security thinking, they will then also say, let's restrict the access to the Office 365 to just our company. Yeah, but who of you has such a solution in their company? Yeah, I see some hands, right? You know what I'm speaking about. Servers in the data center completely moved to the internet. We basically gave up on the intranet and gave up on the idea that there are actually physical servers. There are a lot of companies that do this; the whole idea has different names. It's called lift and shift, or... Very often it really results in me building virtual machines with cloud tooling on AWS, so I can still run my Windows systems. But also some services really become more modern things, like your software developers play around with Kubernetes and with Docker containers and deployment pipelines and all of that stuff. So all of those areas kind of also become part of the perimeter, but also kind of not. Everything is very complicated meanwhile; at some point several parts of your company have services on Azure, some on AWS, maybe somebody's in the Google cloud or so in your company. So sometimes the network department just gives up and includes all of the cloud services to be on the perimeter. More of your even physical stuff: in our company the printers are physical, but they work over a service that's in the cloud. I think quite some people of you also have solutions where you can build your wireless that's basically a cloud service that is completely administered in some way, and they sell it to you as cloud-based, which, I know, all of you know. Yes, but never mind. And then Covid happens and everybody has to work from home. So we connect all of the people of the company now over the VPN, because we have a VPN anyway because of the sales people. So the perimeter now contains the home networks of the people, and the coffee place where they hang out. I live in the Netherlands; I'm not saying coffee shop here, but I think you get the idea. And the co-working places and the hackerspaces and the places where they hang out become kind of part of your perimeter. And let's just say, tell people: can you draw your network and your perimeter?
That's an interesting exercise: that's a session in a medium-sized company that will go over two hours, and people will still be discussing some points on this map. That's basically where we are today. And yeah, that comes to the point of problems with perimeter security. First of all, defining an outside and an inside turns into something where the security rules on the inside of the system are just less tight. So, as Lara said in the introduction, we have this thing: the pentest found lots of security issues. It's not so bad, it's just on the internal network, right? Who has ever heard any variation of this in their life? Yeah, I thought so. I guess that's why you're here. Well, in the end that's the idea of a protected area, right? When I have a castle in the medieval ages, I want to look at the gates so I don't have to look at the inside the whole time. That's the thought behind that. And yes, it sounds very, very easy, like: I have an outside and an inside, please draw a line. But it's really, really complicated in the end, and that gets us to some of the problems. The first one then obviously is malware. I said one of the motivations for this talk was an experience I had of a company being completely sunk by a malware attack. It was a parcel shipment company with worldwide offices, and if you have parcels in a parcel company, that's very much like a network system, right? So the depots could buffer parcels for roughly half a day, and they had trucks for two days arriving all over the world, and people couldn't even talk to each other because all of our tooling was gone. Just finding out what the phone numbers of the foreign offices were was a pain in the ass. So those are things you actually want to have some backups of. Yeah, backup. I saw somebody had a thing saying kind of "backup, come on", like, sure.
We had a backup. We had a really modern, fancy backup solution that was Windows- and cloud-based. Yeah, we had at that point also an old backup tape solution, and basically everything that was built before that was still backing up to the tapes; all that was fine. But everything from the last three years after the cloud backup solution, the on-premise Windows-based cluster backup solution that we had, everything that was on there was gone. Think employee contracts, right? Every one of us had to hand in their contract, their personal copy, because the company didn't have it anymore. Think of those things. Yeah, if you find my LinkedIn and then look at the time periods and then look in the press after this, quite a lot of that is actually public, and shareholder notices, and it reads interesting. There's a shareholder notice saying "We might or might not be able to give an accurate tax declaration by the end of the year." It was true. We didn't know if it was accurate. So, perimeter security: let's get back to that, because I clicked forward already by playing around here. I have a company network. Everybody is on the same network, typically in an RFC 1918 range, where at least routing in between is enabled, so every system in this network can in theory, ignoring firewalls and stuff like this, see other systems. So we can at least say it enables lateral movement, because it creates a route between all the different machines that you have in a company network, right? Do you know what I mean by this?
Okay, I see nodding. There is a centralized user management. That comes in two ways. One of them is Active Directory and the groups and the people that are domain administrators or stuff like that, because they need to do something in the company, like actually administrate things. And the other problem is that in large company networks you roll out your Windows typically by building images that you image onto the workplaces, so that all of the pre-installed software is already up to date, or already on there at least, and all of that gets updated, and then the laptop gets put in the hand of the employee. Who has a company system setup that is working some of this way, that you roll out the image? These systems were Windows. The fact is that this very often results in all of those machines having the same local administrator password, that is in an envelope on the wall of the boss of security. Nobody's supposed to know it; maybe five people in the company de facto know it. But in general that thing is super highly protected, and most of the even workers that work with the systems don't know the local administrator password. That's the same one on all of those machines, or different groups have different local admin passwords, or different images, or so. The lax security on the internal network makes lateral movement by malware easier. That's a point in the direction of: we block all the traffic between the VLANs except all the traffic that we need for Windows administration and all of the Active Directory ports, because if we close them, then Active Directory isn't working anymore. Those happen to be also the ports that all the malware likes to use. So yes, you have firewalling and strict rules in that, but specifically the ports that malware uses to move along in the network are actually the ports that you have open anyway, because you use Windows to administrate your boxes. So the nice idea that you had of lots of segregated networks that are all separate from each other falls completely apart as soon as you really start to look a bit closer at that, and ransomware started to exploit this kind of problem on a larger scale around 2015.

We had the real Petya; it became one of the more famous cases of that. Has everyone seen this picture? Yeah, see, it's easily 15 people in this talk here. NotPetya is the thing that nuked the company where I worked, and that's a nice... I worked at TNT, but I also knew Maersk and partially DHL and a lot of other companies. It was very fast. It had zero-days on board, but what really did it came in the update of the tax software, which finance people had to have on their computer when you had employees in Ukraine, and they exploited the whole deployment pipeline. So it was correctly signed; all of those security mechanisms, even if you had them enabled, weren't in place. It got into the system. The local administrator pushes updates to the system, because that's what they do. And Mimikatz is in there, then. Mimikatz is a tool that can extract the password of the running user. I'm simplifying this here now a bit, but that is roughly what it does. So by this point the attacker is one of the few people in the company that actually do know the password of the local administrator account, because Mimikatz tells you that when you run an update. Yeah. That then escalates very quickly, very fast. As I said, in our own company it took eight minutes. So it spread really, really fast in the network. And it started basically with a person in Ukraine, which was two time zones ahead of us, I think, who got to their work in the morning, whose computer in finance had an update from the government for the tax software, and that was the first sign that something went wrong, when that computer was out. They actually called the help desk, and the help desk was routed over a Windows help desk system where the phone services were integrated.
So the call died, because the Windows systems for those systems were basically gone. But yeah, VPN in all of the branches; we VPN in a lot of the employees with their laptops. So everybody who was connected to the company network at that point and was running Windows, their system was gone. Within eight minutes; that was impressive. So I actually was sick at that time, and I had a car accident two days before. I woke up in the morning and looked, and my phone had like 25 messages, and the secretary of our CTO was a real dragon, right, and I had a voice call from her asking in the nicest and politest way I have ever heard her talking if there is any chance I could come to the company that day. And yeah, that was an interesting day. I didn't leave the company for seven days after that. It is very difficult to actually know where your perimeter goes, due to complexity. The perimeter got complex, the solutions are complex, our tooling is complex, and complexity enables mistakes. There are so many things in here. Let's take Active Directory. How many users do you have? Do you have more groups or fewer groups than users?
Just asking, right, because the current values are like: anyone with more than five times as many groups as users? Someone knows something like that. That's a very common industry value in larger companies, because that is also very distributed all over the company. Nobody knows what the groups are doing, but you also can't really look into the logging, because there are processes that run once a year. So if you just looked at the last three months, then you don't know if they're used, and it's sometimes really difficult to find that out as soon as the situation has escalated. Lots of your Active Directory installations will be something like 20 to 25 years old by now, I guess, and you're still on the first and maybe the second user base. Kudos to all of you who are in the phase where they would say they have properly reviewed users or user groups. That needs to change, and one of the ways out that you hear very often, and that I would really recommend people to at least consider, is what's called zero trust. This is a talk of its own. Seriously, I might maybe scratch the surface over here in some parts, but if you want to really deeply think and look into this idea, I strongly recommend you to read up a lot of stuff before you walk into the company and say: we need to really urgently change our networks. There are some principles: "never trust, always verify", "implement least privilege" and "assume breach". Those are the three core principles. So for example, never trust: it's based on the point, for one of the parts in there, that you don't trust people just because they happen to have a certain IP address, right? You verify users and devices that want to access your data and your resources. Users are relatively simple; devices you can verify with, for example, client certificates. Who hasn't looked into that by now?

I strongly recommend that. And yeah, it is that you don't get access based on the point that you're in a company network. So you treat the whole internal network, that you will still have at the point where you try to get over to a different solution, you treat that like the internet. Implement least privilege: that is something that we in theory should already do; in practice we don't. That's why I brought the example of the groups in the Active Directory. So I, for example, when I started in the company, had rights based on the job history of my boss, because my account was cloned from his, right? So that is clearly not least privilege. I had access to the systems where he used to work within the same company before that. That is very common: when you have movers in the company, this doesn't get done in a proper way. You assume breach: so plan for breaching of the system, have plans for what happens when certain systems are down, when the data is gone. How do you recover? Everybody who has had any kind of ISO certification or stuff like that: there are lots of things that you possibly can mention, but in general the main idea of this is: plan for the point that somebody breaches your system and have plans for what you do when that happens. And when you do that, you will find out what the impact of an attack is, and you can try to reduce that. Mostly that means decoupling the systems, segmenting the network more from the application standpoint, and reducing dependencies, and the biggest dependency will be your Active Directory and perimeter security. Application security becomes way more critical as soon as you really put the systems more on the internet, and we say: I want to have the same approach that I want to have on the internet. You all have heard: we are just putting this on the local network because we don't trust it. That's over then, right, because that's the idea behind that. But again, that's one talk, or likely multiple talks, of its own.
You verify users and applications instead of trusting IPs, and maybe then also, on top of that, users. Strong encryption, I say, because the tool of your choice at that point is very often a client certificate based system, that together with a user connection... yeah, it works actually, right? How do we get out there? We have a lot of users in our company that use cloud solutions only anyway. So you will have, in any case... anyone of you who has Office 365 in their company? Yeah, it's a serious amount of people. You will have a lot of people in your company that don't need to be in the company network. They only need access to Office 365, and the only reason why they're on the company network is because HR still has a shitty system where you write your hours. But besides that, you don't need that. Then there's a lot of company software that you often have in those environments; in our company it was Power BI. That was a system that needed to be available, and then we could put basically everybody who's in management and around that topic, but also everybody who is a secretary or some kind of this stuff, out of the network, so they didn't need to be on your company network anymore. And that's a nice group of people, because that's usually the group of people who knows least about computers, so it's actually the people you want to get out of your company network first. So possibly you can then think: this is like further talks. I hear I'm nearly at time; I have 10 minutes, and I wanted to enable questions. This also goes for software development. There are ways: your software development has something like CI/CD anyway, and maybe you're on GitHub, or GitHub Enterprise, and you will reach very quickly a point where your software developers don't need to be on the company network anymore, because they also only work with cloud services.
They just have different names. Yeah. As said, not only technology and ways of working need to change; also the dogma of the ICT work (that's a Dutch term for the IT work) needs to change. And in this case this is about the dogma of "we build a perimeter security"; this talk was about this change. And yeah, I really like the comparison of perimeter security with a castle. Who of you knows a castle that is still used for defense? Like... sorry? Okay, that is possibly an example I can let go, but the answer was Fort Knox. Yeah, I know; for the stream, for the recording: okay, so the answer was Fort Knox, and that is possibly one of the few examples, but nearly all of them are museums or piles of rubble, basically. Up to you to choose which year this is. But yeah, this is the end of the talk. I have six minutes left, so does anyone of you have a question? If you have a question, and hopefully there will be one or two or three, please raise your hand and I will get the microphone to you.

Thank you for your talk. You mentioned that in the first incident you had eight minutes time until everything was gone. Yeah. Did you change something, and what do you expect is now the time when it comes again?

Part of the perimeter security, and part of the problem, is that a perimeter is actually a requirement for a company-wide malware attack, because otherwise there's no routing, there are no direct connections, there are no like users and so on. If the same would happen again today and that user would be sitting on such a network, his computer would explode, true, but all of the others wouldn't. So it is actually, in this part, breaking the lateral movement chain of a malware, to express it this way, by taking away the network that has a route between all of those computers, and just connecting them over the internet, where over their browser and other tooling they communicate to services where they need to have a client certificate, where, if you use a proper form of two-factor, you can... Because everything is modern software, then you don't need to take your really old shitty system somewhere in the Czech Republic that runs on some old version of some Juniper thingy, to still have not-so-nice encryption, let's put it this way. You can really rely on modern encryption standards, and I would argue that in a lot of cases this encryption will be better than what you have in your VPN connection. Yes, I think that's the way you have to get more time until everything is going down. Yeah, I would even argue that an attack of this type is not possible anymore if you don't have a route between the computers, because it becomes very specific to be able to attack that. So you still do a lot of endpoint protection stuff; for example, in our company we use Intune. That's a common tool; that's from Intel.
So yes, there are still things I could think of, but the time becomes a lot longer, because it becomes a lot more difficult for an attacker to actually achieve the same thing. I mean, so you run an update, you have local administrator, just PsExec to every IP address you can ping, and you have three quarters of the company network already. And then you can, over Mimikatz, also extract the passwords of other running processes as local administrator, so you can then use that to possibly get the credentials of somebody who hopefully might be domain administrator or something like that.

Yeah, so I got your idea of making the perimeter smaller. I mean, we cannot get rid of it completely, because there will still be mostly on-premise servers and so on, maybe hybrid cloud, whatever. But take it away from the single user, developer, secretary, whatever, of your company. What are your thoughts on device management and so on? Because they still will interact with credentials or data or whatever you do not want gone.

So Intune is a tool. There are several tools where you can still do that, where you do a lot of making sure that people install updates, that some security requirements are met, and so on and so on. But this gets at least a bit easier, right, because their computer explodes, not the whole company network. The impact is a lot smaller. It's the difference between somebody can't work and the company is basically gone, if we're unlucky. The generic term would be endpoint management, right? Endpoint management exists in multiple variants from multiple vendors with multiple capabilities.

Yeah, hello. Thanks for the talk. I was trying to keep this brief.
Do systems exist that manage the Per user per device Permissions to resources and things like that And which ones did are they Basically a lot of the tooling that you can use in your tool chain like office the Azure Stuff for example everything that's office 365 and co-co can do that You can restrict I access to that to IP addresses, but you can also restrict access to certificates that need to be signed from that the bottle brother needs to be Present that I can spread we are we are in tunes then for example Or the people get a USB stick in there your laptop when they're in the company and you quickly click through of them So, yes, that does exist The point that comes with this is that you very often start with a new did a new user base and way less complex system And it enables it more so before you always had the need to kind of dig something together in this one Group of this is our company employees So everybody who has an account of the companies and you can have that more distributed You don't have to we can still build if you really want to your big one company in work But in most cases that contains that also this whole area is rethought and reset up and Yeah so It is very likely to get your Direct AD server poem Compromised so from there this AD server has has a connection to everyone. 
Yes, every... So what's the way around? The biggest problem actually is not your AD server. The biggest problem is users that are domain administrators, because you're pwning all of the boxes over the local administrator stuff, and then you can extract passwords of the people running processes on that with mimikatz, and at some point you have the laptop of the person that runs the company network. That is your local administrator asset. We have small groups of very, very powerful people in our company, and as soon as those are affected and their machines are affected, then it gets more interesting. So in our case it happened to be that very quickly such a machine got used, and then we saw also logins later, three weeks later, when we could access the logs again.

Yeah, thank you for the talk. If there are already five times more access groups in a company than employees, what do you think should be done about it? Is it in any way affordable to reduce these groups to the minimum required?

For sure. It's a gigantic process that takes up lots of resources, lots of time, that doesn't give direct immediate benefits to the company and has the risk of disturbing operations. So sure, everybody knows how to fix it that works in this environment; just nobody gets that project approved by the PO or whoever is responsible for that, because for him there is close to zero benefit in there. It takes up tons of resources, everybody needs to talk to everybody who set the groups up for you, you need to go through a lot of configurations to see where groups are actually used. Yeah, it should be done. It's just a gigantic project and close to nobody ever does it. This is the only reason why it's not done.
I see. And on a more personal note, how did you end up as an NPC in a video game? Because it's quite curious.

In the beginning, that's a funny discussion that has to do with Milliways. But yeah, it happens. The game is called Off-Grid.

Okay, thanks for the talk. You mentioned supply chain attacks, and I'm looking at even zero trust environments; my blast radius is still the entire user base of applications. So what can you do to improve security of your supply chain?

There's other topics in there, and looking at the time, I'll just say yes, there's... It's not that with zero trust all of your risks are gone. That's not how it works. But one very specific and very impactful and, for an attacker, very much enabling risk is gone. So it's not that you can stop working and go home then, I'm sorry.

We still got four minutes, so we still got time for three questions.

By the way, one of the interesting parts of that is, if you have an AD-driven company like this, it says perimeter security, but a lot of shit on the perimeter security also doesn't work anymore. So when the attack in our company started, we had to smash in all gates. Like, there were glass gates that open when we put our badge on there; that contains a lookup in the Active Directory, and if you're then still unable to photo that, you could actually enter the building. So we actually had to use firefighter-like thingies to smack in the gates and those opening glass doors, so people could actually physically get to the company. The parking garage wasn't working anymore. You have no idea what that means if you have a building where there are 8,000 people in there; you do not have parking places for all of them. Things like this are really, really interesting, like the story of Facebook where they needed to break into their own data center because they had locked themselves out. I so much feel with them.
All of your switches are configured against the Active Directory, right? None of that will work anymore. Just when you have an overview of systems in your company and your dependencies, with Active Directory everywhere, consider that thing fucked when the company-wide malware attack happens to you.

Thank you again. And did you ever see in your career until today a medium-sized or large company with a brownfield deployment which moved from complete perimeter security to a zero trust point of view?

I have at least worked at one company where I'm confident that by the end of this year they are in a complete zero trust network architecture without any kind of local network anymore, and I know a lot of companies that have moved a certain way into this direction. Specifically, at some points you have to move. Like, a lot of people are working with Office 365 anyway, and in a company the first sign to actually stop that is actually very often with the network admins, because they see how much traffic goes from the outside of the company through the VPN over the connection to Azure, so it gets into the company network and then out again. That is pretty awesome for your network link that you have, and you really need the bigger network link because everything is too slow. And then you start saying, okay, why don't we allow those people to connect directly? And you will see benefits very quickly in there. So if you get to the point that you just say, I'll just kick out everybody, like, I try to identify the internal systems that are used by everybody very commonly; HR is your system over there. And then the first thing you need to do is have HR throw a bunch of money onto rewriting their old, stinky, smelly software that they have for administrating the users. That is then the first step, because that is the main thing in the companies that I've seen that suddenly enables you to put large amounts of users out of your company network. Well, and that's
all the time we had, so please, thank you very much, McFly, and please give him a very warm round of applause. Thanks very much.