Why you don't need a VPN or not?

scottalanmiller

Youtube Video

Emad R

@pete-s said in Why you don't need a VPN or not?:

@scottalanmiller how do you not have VPN now?

Nope, none.

Methinks he's looking for an explanation of how you guys got rid of VPN.

Me too.

Just no need for it. Try it in reverse, what do you have that makes you want a VPN?

Files on the LAN, for the LAN users?

The thing is the technology is here and free and well documented and used.
But it is ancient abit, and there are new stuff like Certificate based authentication on many protocols now even HTTP, so check for those first, and try to implement something modern and less like I will reroute all the traffic to this client.

scottalanmiller

@emad-r said in Why you don't need a VPN or not?:

@pete-s said in Why you don't need a VPN or not?:

@scottalanmiller how do you not have VPN now?

Nope, none.

Methinks he's looking for an explanation of how you guys got rid of VPN.

Me too.

Just no need for it. Try it in reverse, what do you have that makes you want a VPN?

Files on the LAN, for the LAN users?

The thing is the technology is here and free and well documented and used.

Yes, and well known to not be a good solution. The alternatives are also free and well documented and used. Choosing a bad approach just because it's not "that bad" isn't a good decision approach.

scottalanmiller

@emad-r said in Why you don't need a VPN or not?:

But it is ancient abit, and there are new stuff like Certificate based authentication on many protocols now even HTTP, so check for those first, and try to implement something modern and less like I will reroute all the traffic to this client.

All of it is ancient. LAN concepts and LANless are about as old as IT itself. It's not about new protocols, it's about a more modern understanding of the limitations, costs, and risks of LAN-centric security trust.

1337

@scottalanmiller

I have trouble understanding the problems you refer too (as typical VPN problems) as these are not typical uses that I have come into contact with.

For example, I use a VPN client to connect into customers networks. Does that put my computer on their LAN? No, it puts my computer into their firewall where my access is heavily restricted to a few IP addresses and a few ports, specific to my actual needs. And my computer has to follow a long set of rules to be allowed to connect and customers also have their own VPN client (and 2FA) - which means I set up one VM for each customer I need to connect to.

1337

And then we have site-to-site VPN. What is the problem? It's office to office connections so clients in one office can access resources on the LAN in the other. Firewalls limits traffic in both directions.

It's unlikely that the link itself is compromised and the security has the same layers as it has as if you are in one of the security zones on the LAN.

1337

Regarding LAN or not, that's just a matter of speed. Speed is time and time is money.

If we could get local LAN speed on the WAN (internet) then there would be little point in having any resources on the LAN. Unless they need to local - like a printer, ip phone, manufacturing equipment for instance

But we are far from that point. I consider gigabit LAN to be standard and very few have gigabit speed from end-point to server when the server is not on the LAN.

For some things it doesn't matter because it's fast enough. Like office files that are often a few meg at most.

1337

Also regarding LAN-centric security trust. All I see in modern installations are security zones where traffic get firewalled between different type of things on different VLANs. Just because something is connected on the LAN doesn't mean it's trusted or have full access to everything else.

But maybe what I come in contact with is not what is commonly done. That's entirely possible.

To me VPN is just a secure connection. It doesn't mean the end-points are secure.
And we don't need to extend the LAN if we don't have network resources on the LAN that we need to access, or we can access them in another way.

matteo nunziati

I know big corps that have been killed by vpn .
A serious attach at 1 site killed all the services world wide. While this is mostly bad networking design this is also vpn propagating s**t

matteo nunziati

As a general rule you should open secured sessions on demand. Site to site is not ondemand

1337

@matteo-nunziati said in Why you don't need a VPN or not?:

I know big corps that have been killed by vpn .
A serious attach at 1 site killed all the services world wide. While this is mostly bad networking design this is also vpn propagating s**t

Yes, but that misleading to attribute that to VPN. You could just as easily argue that big corps have been killed by cat 6 cables as well.

matteo nunziati

I mean: if file were exchanged by https ondemand sessions no propagation was possible.

1337

@matteo-nunziati said in Why you don't need a VPN or not?:

I mean: if file were exchanged by https ondemand sessions no propagation was possible.

Yes, I understand. But if the firewall handling the VPN link just allowed http/https you would have the exact same thing.

matteo nunziati

@pete-s firewall os security flaws caused the damage.

If you loose couple thing you reduce probability of attacks that it. Just this.

1337

@matteo-nunziati said in Why you don't need a VPN or not?:

@pete-s firewall os security flaws caused the damage.

If you loose couple thing you reduce probability of attacks that it. Just this.

But in a "LANless" environment you expose everything to the internet so your attack surface is huge. And many systems share the exact same security bugs. It may not take down all servers at the same time though.

To be honest though the end-points are a big problem regardless if you have a LAN or not.

travisdh1

@pete-s said in Why you don't need a VPN or not?:

@matteo-nunziati said in Why you don't need a VPN or not?:

@pete-s firewall os security flaws caused the damage.

If you loose couple thing you reduce probability of attacks that it. Just this.

But in a "LANless" environment you expose everything to the internet so your attack surface is huge. And many systems share the exact same security bugs. It may not take down all servers at the same time though.

To be honest though the end-points are a big problem regardless if you have a LAN or not.

@pete-s said in Why you don't need a VPN or not?:

@matteo-nunziati said in Why you don't need a VPN or not?:

@pete-s firewall os security flaws caused the damage.

If you loose couple thing you reduce probability of attacks that it. Just this.

But in a "LANless" environment you expose everything to the internet so your attack surface is huge. And many systems share the exact same security bugs. It may not take down all servers at the same time though.

To be honest though the end-points are a big problem regardless if you have a LAN or not.

Actually, it makes your attack surface tiny compared to a distributed network. @scottalanmiller made a good drawing in one of his Mangocon talks that should be available, it is just hard for me to look it up and link it on my phone at the moment.

LAN + site to site VPN = attack surface of every client and server.

LANless = attack surface of only servers

scottalanmiller

@pete-s said in Why you don't need a VPN or not?:

For example, I use a VPN client to connect into customers networks. Does that put my computer on their LAN? No, it puts my computer into their firewall where my access is heavily restricted to a few IP addresses and a few ports, specific to my actual needs. And my computer has to follow a long set of rules to be allowed to connect and customers also have their own VPN client (and 2FA) - which means I set up one VM for each customer I need to connect to.

Their firewall is on their LAN. Yes, it puts you on their LAN. And having different VPN clients for different customers does literally nothing for security benefits, just adds complication on your end. That you restrict machines attaching remotely to only a few ports does increase security, but just highlights that you recognize the dangers of a VPN and are attempting to mitigate as much as you can, which is a bit, but is still only a mitigation of a risk that need not exist at all.

VPNs, no matter how locked down, are still slightly more risky than not having a VPN. You can lock them down a lot, but this requires effort and requires that you get it right and requires that the attack vectors don't leverage what is left open.

The sole purpose of a VPN is to extend the LAN. Any use of a VPN adds risk for this reason.

scottalanmiller

@pete-s said in Why you don't need a VPN or not?:

And then we have site-to-site VPN. What is the problem? It's office to office connections so clients in one office can access resources on the LAN in the other. Firewalls limits traffic in both directions.

The problem is two fold...

First: It means you are using the LAN as a "safe zone" where you trust things. If you weren't, you'd have no reason to want to extend it, it would be illogical. This itself is a huge security risk, the one that modern ransomware preys on specifically. As do most hackers. So as a starting point, the desire to use a VPN flags that there is an underlying desire for a LAN space where security is assumed due to location, rather than being secured further.

Second: It "doubles" (assuming both offices are the same size) the risk pool of the LAN. If you have 50 PCs in one LAN, and 50 PCs in the other, and enact a site to site VPN you've increased the risk pool to 100 PCs. Any attack or infection has a vastly larger attack surface, and a larger chance of spreading.

Think of the LAN like a kindergarten. The more kids you put in one place, the more likely for disease to spread, for security to be breached.

scottalanmiller

@pete-s said in Why you don't need a VPN or not?:

Regarding LAN or not, that's just a matter of speed. Speed is time and time is money.

LAN based vs. LANless has no change, none, in speed. This is a misunderstanding of the concepts. Low security trusts of locality does not improve speed. This is a common excuse used, but is not valid. It's missed the point that we are talking concepts, not products.

scottalanmiller

@pete-s said in Why you don't need a VPN or not?:

Also regarding LAN-centric security trust. All I see in modern installations are security zones where traffic get firewalled between different type of things on different VLANs. Just because something is connected on the LAN doesn't mean it's trusted or have full access to everything else.

But maybe what I come in contact with is not what is commonly done. That's entirely possible.

IT is like anything else, the majority always do it horribly. What is common is never good. Functional, yes, but good, absolutely not. The average shop, from SMB to enterprise, overspends and underdelivers. They are at risk of failure, they leak data, they get hacked, they are afflicted with ransomware, and they spend easily 10x as much as they should without addressing any of those things well.

The same is true in all industries, it has nothing to do with IT. The majority of any pool of workers isn't competent enough to do a job well, there just aren't enough people interested or incentivized to work well to make this change. This is why the majority of companies don't want to hire great people, just cheap "good enough" people that can be managed through processes. There just isn't way for every company to only hire great people, if great people represent 1% of the market, at best 1% of companies can staff with them.