Why you don't need a VPN or not?
-
Secure access to server management would make sense to secure with a VPN and 2FA.
-
@pete-s said in Why you don't need a VPN or not?:
Files on the LAN, for the LAN users?
So then the question becomes... why a need for the LAN? Is the LAN heavily entrenched and you can't get away from it yet? Is there some special need that only a LAN can support?
-
@pete-s said in Why you don't need a VPN or not?:
Secure access to server management would make sense to secure with a VPN and 2FA.
2FA helps anywhere, for sure. But we specifically avoid VPN for server management because of the big exposure and risk it creates compared to other methodologies.
VPNs have the "open window" effect, data transfers directly between systems. We avoid VPN when possible to work from a "closed window" perspective that does a lot to prevent contamination from "extra-LAN" systems.
This is far more heavily pronounced in an MSP scenario where systems at the MSP could end up acting as a transfer point for viruses between customers. But the risk is just more pronounced, not unique.
-
@pete-s said in Why you don't need a VPN or not?:
@scottalanmiller how do you not have VPN now?
Nope, none.
Methinks he's looking for an explanation of how you guys got rid of VPN.
Me too.
Just no need for it. Try it in reverse, what do you have that makes you want a VPN?
Files on the LAN, for the LAN users?
The thing is the technology is here and free and well documented and used.
But it is ancient a bit, and there are new stuff like Certificate based authentication on many protocols now even HTTP, so check for those first, and try to implement something modern and less like I will reroute all the traffic to this client.
-
@emad-r said in Why you don't need a VPN or not?:
@pete-s said in Why you don't need a VPN or not?:
@scottalanmiller how do you not have VPN now?
Nope, none.
Methinks he's looking for an explanation of how you guys got rid of VPN.
Me too.
Just no need for it. Try it in reverse, what do you have that makes you want a VPN?
Files on the LAN, for the LAN users?
The thing is the technology is here and free and well documented and used.
Yes, and well known to not be a good solution. The alternatives are also free and well documented and used. Choosing a bad approach just because it's not "that bad" isn't a good decision approach.
-
@emad-r said in Why you don't need a VPN or not?:
But it is ancient a bit, and there are new stuff like Certificate based authentication on many protocols now even HTTP, so check for those first, and try to implement something modern and less like I will reroute all the traffic to this client.
All of it is ancient. LAN concepts and LANless are about as old as IT itself. It's not about new protocols, it's about a more modern understanding of the limitations, costs, and risks of LAN-centric security trust.
-
I have trouble understanding the problems you refer to (as typical VPN problems) as these are not typical uses that I have come into contact with.
For example, I use a VPN client to connect into customers' networks. Does that put my computer on their LAN? No, it puts my computer into their firewall where my access is heavily restricted to a few IP addresses and a few ports, specific to my actual needs. And my computer has to follow a long set of rules to be allowed to connect and customers also have their own VPN client (and 2FA) - which means I set up one VM for each customer I need to connect to.
-
And then we have site-to-site VPN. What is the problem? It's office to office connections so clients in one office can access resources on the LAN in the other. Firewalls limit traffic in both directions.
It's unlikely that the link itself is compromised and the security has the same layers as it has as if you are in one of the security zones on the LAN.
-
Regarding LAN or not, that's just a matter of speed. Speed is time and time is money.
If we could get local LAN speed on the WAN (internet) then there would be little point in having any resources on the LAN. Unless they need to be local - like a printer, IP phone, manufacturing equipment for instance.
But we are far from that point. I consider gigabit LAN to be standard and very few have gigabit speed from end-point to server when the server is not on the LAN.
For some things it doesn't matter because it's fast enough. Like office files that are often a few meg at most.
-
Also regarding LAN-centric security trust. All I see in modern installations are security zones where traffic gets firewalled between different types of things on different VLANs. Just because something is connected on the LAN doesn't mean it's trusted or has full access to everything else.
But maybe what I come in contact with is not what is commonly done. That's entirely possible.
To me VPN is just a secure connection. It doesn't mean the end-points are secure.
And we don't need to extend the LAN if we don't have network resources on the LAN that we need to access, or we can access them in another way.
-
I know big corps that have been killed by VPN.
A serious attack at 1 site killed all the services world wide. While this is mostly bad networking design this is also vpn propagating s**t
-
As a general rule you should open secured sessions on demand. Site to site is not on demand.
-
@matteo-nunziati said in Why you don't need a VPN or not?:
I know big corps that have been killed by VPN.
A serious attack at 1 site killed all the services world wide. While this is mostly bad networking design this is also vpn propagating s**t
Yes, but it's misleading to attribute that to VPN. You could just as easily argue that big corps have been killed by cat 6 cables as well.
-
I mean: if files were exchanged by HTTPS on-demand sessions no propagation was possible.
-
@matteo-nunziati said in Why you don't need a VPN or not?:
I mean: if files were exchanged by HTTPS on-demand sessions no propagation was possible.
Yes, I understand. But if the firewall handling the VPN link just allowed HTTP/HTTPS you would have the exact same thing.
-
@pete-s firewall OS security flaws caused the damage.
If you lose a couple of things you reduce the probability of attacks. That's it. Just this.
-
@matteo-nunziati said in Why you don't need a VPN or not?:
@pete-s firewall OS security flaws caused the damage.
If you lose a couple of things you reduce the probability of attacks. That's it. Just this.
But in a "LANless" environment you expose everything to the internet so your attack surface is huge. And many systems share the exact same security bugs. It may not take down all servers at the same time though.
To be honest though the end-points are a big problem regardless of whether you have a LAN or not.
-
@pete-s said in Why you don't need a VPN or not?:
@matteo-nunziati said in Why you don't need a VPN or not?:
@pete-s firewall OS security flaws caused the damage.
If you lose a couple of things you reduce the probability of attacks. That's it. Just this.
But in a "LANless" environment you expose everything to the internet so your attack surface is huge. And many systems share the exact same security bugs. It may not take down all servers at the same time though.
To be honest though the end-points are a big problem regardless of whether you have a LAN or not.
Actually, it makes your attack surface tiny compared to a distributed network. @scottalanmiller made a good drawing in one of his Mangocon talks that should be available, it is just hard for me to look it up and link it on my phone at the moment.
LAN + site-to-site VPN = attack surface of every client and server.
LANless = attack surface of only servers.
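The "open window" versus "closed window" argument above, and the propagation point raised earlier in the thread (a compromised client at one site reaching hosts at the other over a routed tunnel), can be checked with a small reachability model. The following is an added example, not code from the thread or from any product mentioned in it; the two-site inventory, the addresses, and the two rule sets are constructed assumptions. It evaluates a default-deny policy over every (source, destination, port) triple and reports which remote hosts are reachable, which is the "attack surface" the last post is counting.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import product


@dataclass(frozen=True)
class Rule:
    """One allow rule: traffic from src CIDR to dst CIDR on the listed ports.
    An empty port set means 'any port', i.e. a fully routed tunnel."""
    src: str
    dst: str
    ports: frozenset = frozenset()

    def matches(self, src, dst, port):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (not self.ports or port in self.ports))


def allowed(rules, src, dst, port):
    """Default-deny: a flow passes only if some allow rule matches it."""
    return any(r.matches(src, dst, port) for r in rules)


# Constructed inventory (hypothetical addresses, two small sites).
SITE_A = {"clients": ["10.1.0.10", "10.1.0.11"], "server": "10.1.0.5"}
SITE_B = {"clients": ["10.2.0.10", "10.2.0.11"], "server": "10.2.0.5"}
PORTS = {443: "https", 445: "smb", 3389: "rdp"}

# Design 1 ("open window"): site-to-site VPN, each subnet routed to the other.
OPEN_WINDOW = [
    Rule("10.1.0.0/24", "10.2.0.0/24"),
    Rule("10.2.0.0/24", "10.1.0.0/24"),
]

# Design 2 ("closed window"): no tunnel; only each site's published service
# is reachable, on demand, on its own port.
CLOSED_WINDOW = [
    Rule("10.1.0.0/24", SITE_B["server"] + "/32", frozenset({443})),
    Rule("10.2.0.0/24", SITE_A["server"] + "/32", frozenset({443})),
]


def reachable_from(rules, sources, site):
    """Hosts in `site` that any of `sources` can reach on at least one port."""
    targets = site["clients"] + [site["server"]]
    return {dst for src, dst, port in product(sources, targets, PORTS)
            if allowed(rules, src, dst, port)}


def lateral_paths(rules, compromised, site, port=445):
    """(src, dst) pairs one compromised host could use on `port` (SMB by default)."""
    targets = site["clients"] + [site["server"]]
    return {(compromised, dst) for dst in targets
            if allowed(rules, compromised, dst, port)}


if __name__ == "__main__":
    site_a_hosts = SITE_A["clients"] + [SITE_A["server"]]
    for name, rules in (("open window", OPEN_WINDOW), ("closed window", CLOSED_WINDOW)):
        hosts = reachable_from(rules, site_a_hosts, SITE_B)
        smb = lateral_paths(rules, SITE_A["clients"][0], SITE_B)
        print(f"{name}: {len(hosts)} site-B hosts reachable from site A, "
              f"{len(smb)} SMB paths from one infected site-A client")
```

Under the routed tunnel every site-B host, clients included, is reachable from any site-A host on any port, so a single infected client has an SMB path to all of them; under the per-service rules only the site-B server on 443 is reachable and the SMB paths drop to zero. The same evaluator can be fed a third rule set for the "firewall that only passes HTTPS across the VPN link" case raised mid-thread to see that it collapses to the closed-window result.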