Why you don't need a VPN or not?
-
@pete-s said in Why you don't need a VPN or not?:
@matteo-nunziati said in Why you don't need a VPN or not?:
@pete-s firewall os security flaws caused the damage.
If you loosely couple things you reduce the probability of attacks, that's it. Just this.
But in a "LANless" environment you expose everything to the internet so your attack surface is huge. And many systems share the exact same security bugs. It may not take down all servers at the same time though.
To be honest though the end-points are a big problem regardless if you have a LAN or not.
Actually, it makes your attack surface tiny compared to a distributed network. @scottalanmiller made a good drawing in one of his Mangocon talks that should be available, it is just hard for me to look it up and link it on my phone at the moment.
LAN + site to site VPN = attack surface of every client and server.
LANless = attack surface of only servers
-
@pete-s said in Why you don't need a VPN or not?:
For example, I use a VPN client to connect into customers networks. Does that put my computer on their LAN? No, it puts my computer into their firewall where my access is heavily restricted to a few IP addresses and a few ports, specific to my actual needs. And my computer has to follow a long set of rules to be allowed to connect and customers also have their own VPN client (and 2FA) - which means I set up one VM for each customer I need to connect to.
Their firewall is on their LAN. Yes, it puts you on their LAN. And having different VPN clients for different customers does literally nothing for security benefits, just adds complication on your end. That you restrict machines attaching remotely to only a few ports does increase security, but just highlights that you recognize the dangers of a VPN and are attempting to mitigate as much as you can, which is a bit, but is still only a mitigation of a risk that need not exist at all.
VPNs, no matter how locked down, are still slightly more risky than not having a VPN. You can lock them down a lot, but this requires effort and requires that you get it right and requires that the attack vectors don't leverage what is left open.
The sole purpose of a VPN is to extend the LAN. Any use of a VPN adds risk for this reason.
-
@pete-s said in Why you don't need a VPN or not?:
And then we have site-to-site VPN. What is the problem? It's office to office connections so clients in one office can access resources on the LAN in the other. Firewalls limit traffic in both directions.
The problem is twofold...
First: It means you are using the LAN as a "safe zone" where you trust things. If you weren't, you'd have no reason to want to extend it, it would be illogical. This itself is a huge security risk, the one that modern ransomware preys on specifically. As do most hackers. So as a starting point, the desire to use a VPN flags that there is an underlying desire for a LAN space where security is assumed due to location, rather than being secured further.
Second: It "doubles" (assuming both offices are the same size) the risk pool of the LAN. If you have 50 PCs in one LAN, and 50 PCs in the other, and enact a site to site VPN you've increased the risk pool to 100 PCs. Any attack or infection has a vastly larger attack surface, and a larger chance of spreading.
Think of the LAN like a kindergarten. The more kids you put in one place, the more likely for disease to spread, for security to be breached.
-
@pete-s said in Why you don't need a VPN or not?:
Regarding LAN or not, that's just a matter of speed. Speed is time and time is money.
LAN based vs. LANless has no change, none, in speed. This is a misunderstanding of the concepts. Low security trusts of locality does not improve speed. This is a common excuse used, but is not valid. It's missed the point that we are talking concepts, not products.
-
@pete-s said in Why you don't need a VPN or not?:
Also regarding LAN-centric security trust. All I see in modern installations are security zones where traffic gets firewalled between different types of things on different VLANs. Just because something is connected on the LAN doesn't mean it's trusted or has full access to everything else.
But maybe what I come in contact with is not what is commonly done. That's entirely possible.
IT is like anything else, the majority always do it horribly. What is common is never good. Functional, yes, but good, absolutely not. The average shop, from SMB to enterprise, overspends and underdelivers. They are at risk of failure, they leak data, they get hacked, they are afflicted with ransomware, and they spend easily 10x as much as they should without addressing any of those things well.
The same is true in all industries, it has nothing to do with IT. The majority of any pool of workers isn't competent enough to do a job well, there just aren't enough people interested or incentivized to work well to make this change. This is why the majority of companies don't want to hire great people, just cheap "good enough" people that can be managed through processes. There just isn't a way for every company to only hire great people, if great people represent 1% of the market, at best 1% of companies can staff with them.
-
VLANs assist in security, but do very little. If those VLANs talk to each other (and most have to - because if they don't need to, chances are you didn't need them in the first place) then their goals are mostly defeated. And using VLANs tells us that LANs still exist, so while each VLAN is a smaller risk than before, the risk is just lessened, not removed. But why keep the risk at all?
VLANs, like the port limitations on your firewalls, are flags that the IT shops have recognized that LANs are the risk, but are unable or unwilling to stop depending on the LAN security zones so are just "making do" with bandaids to lessen the risk, rather than removing it.
So if you port limit on a VPN, or use a VLAN, then my view is that that shop has recognized that the LAN is the problem.
-
@pete-s said in Why you don't need a VPN or not?:
To me VPN is just a secure connection. It doesn't mean the end-points are secure.
Exactly, but the VPN connection itself is not the problem, it is that it is a connection at all. The VPN itself is normally secure, but that's not the risk. The VPN is an additional thing, so even if it is 100% secure (and it is not) then its own level of security doesn't improve the existing risk. But the LAN extension that a VPN does is the real risk. By connecting two (or more) networks together, the risks of one network can spread to the other. The VPN creates a conduit by which risk can extend.
The very purpose of the VPN is to take one network and expose it to another. The value in a VPN is that it exposes good services. The problem with a VPN is that any exposure of good services exposes bad ones, too.
-
@matteo-nunziati said in Why you don't need a VPN or not?:
As a general rule you should open secured sessions on demand. Site to site is not on demand.
Site to site "can be" on demand. We used to do that all of the time. These days, there tends to be so much traffic that "on demand" is also "demanded all of the time." But site to site can be done on an on demand basis.
-
@pete-s said in Why you don't need a VPN or not?:
@matteo-nunziati said in Why you don't need a VPN or not?:
I know big corps that have been killed by vpn.
A serious attack at 1 site killed all the services worldwide. While this is mostly bad networking design this is also vpn propagating s**t
Yes, but that's misleading to attribute that to VPN. You could just as easily argue that big corps have been killed by cat 6 cables as well.
No, I don't think it is misleading. The CAT6 is a necessary component of attaching devices and doesn't cause or suggest the risk. The VPN is both a completely unnecessary risk itself, and it is a sign that they used LAN based security thinking and created the big risk.
It's true, if we removed the cables, the risk would stop. But we can't remove the cables and still function. But it is also true that if we removed the VPN that the risk would stop, but we don't need the VPN to function. That's the difference.
It's like the difference between blaming lungs or smoking for lung cancer. Yes, we could kill the patient and remove the lungs and avoid lung cancer that way. But that's missing goal level thinking.
In one case, our real goal is a healthy patient. To have that, we know obviously to stop smoking, but keep the lungs.
In the other case we want a healthy, functioning business. To have that, we know obviously to stop LAN thinking and not use a VPN, but keep the CAT6 cables.
-
@pete-s said in Why you don't need a VPN or not?:
@matteo-nunziati said in Why you don't need a VPN or not?:
I mean: if files were exchanged by https on-demand sessions no propagation was possible.
Yes, I understand. But if the firewall handling the VPN link just allowed http/https you would have the exact same thing.
Yes, and that's completely true. BUT, if you did that, WHY would you have the VPN in the first place? What purpose is it there for, just to add a higher risk of outages? Just to cost more to maintain? If it isn't extending the LAN, or securing a connection, why add the overhead, cost, and risk (outage risk, not exposure risk, in that case?)
It's worth noting that SDN uses VPN under the hood and is sometimes used for this, but people don't call it a VPN when doing so, so we normally ignore it. But yes, people use products like ZT in LANless design to avoid needs for static IPs and such, not for security.
-
@pete-s said in Why you don't need a VPN or not?:
But in a "LANless" environment you expose everything to the internet so your attack surface is huge.
Nothing in LANless design suggests this. You are combining the concept of the architecture of LANless, with the concept of hosted. Of course they go well together, but they are not intrinsically linked or related.
This is like how people used "cloud" to mean hosted systems (a terrible term) and then confuse "cloud computing" with things being hosted. But in house cloud is extremely common and normal and in no way less cloud than hosted cloud. LANless doesn't imply hosted, you can do LANless design completely in house without any exposure to the Internet whatsoever.
Any exposure to the Internet if necessary, would be equal or less than the exposure needed for a VPN to cover the same linkages.
One could argue, but it would be silly, that VPN implies Internet facing systems, while LANless does not. Logically one has no connection, but a VPN's purpose is to be used over the Internet.
-
@scottalanmiller said in Why you don't need a VPN or not?:
@pete-s said in Why you don't need a VPN or not?:
But in a "LANless" environment you expose everything to the internet so your attack surface is huge.
Nothing in LANless design suggests this. You are combining the concept of the architecture of LANless, with the concept of hosted. Of course they go well together, but they are not intrinsically linked or related.
I think you might be associating things that are not really tied together. LAN is a local area network. It doesn't implicate anything about security. It doesn't mean that everything inside the LAN is considered secure and everything outside is hostile. That is not the definition of a LAN. It's just an arbitrary geographical boundary of a network, that used to end when you had a leased line and then it became a WAN.
How the architecture and security in the LAN is set up is a completely separate issue. Modern LAN practice is more network segmentation and inter-zone firewalling and monitoring. That is what I see customer LANs have as well. It's common for instance to have firewalls inside the LAN. Some variation of this is called zero trust network.
Scott, I honestly don't understand what you mean by "LANless" if you don't mean put every client device and every service on the internet directly and use secure communication between everything. Technically speaking, LAN-less would be a misnomer if you have more than one device in the same area, would it not? Do you have a network diagram describing what LANless is? Sometimes language is not precise enough and besides English is not my first language.
-
@pete-s said in Why you don't need a VPN or not?:
I think you might be associating things that are not really tied together. LAN is a local area network. It doesn't implicate anything about security. It doesn't mean that everything inside the LAN is considered secure and everything outside is hostile.
LAN vs LANless is an architectural concept.
LAN thinking means you use the LAN to designate a security zone - the reason that extending the LAN with a VPN provides any functionality.
LANless doesn't mean that physical LAN does not exist, but that the security and access model is not designed around the LAN.
In traditional network design, LAN based design has us designing "safe areas" where things "inside the walls" are considered safe and things "outside the walls" are considered dangerous. Then in this model, to bring in other people or sites to our "walled garden" we use a VPN or MPLS or similar to "extend the LAN" to other locations.
LANless design treats systems on the LAN or not on the LAN equally - distrusting everything. In LANless design, a VPN is pointless since being on the LAN from a security standpoint would provide nothing.
-
@pete-s said in Why you don't need a VPN or not?:
How the architecture and security in the LAN is set up is a completely separate issue. Modern LAN practice is more network segmentation and inter-zone firewalling and monitoring. That is what I see customer LANs have as well. It's common for instance to have firewalls inside the LAN. Some variation of this is called zero trust network.
I would not call that modern. That's the same LAN security model we've had for decades. That's just the current state of legacy approaches.
Which is what we expect, the majority of networks just keep what has always been. Either because they were implemented long ago, or are implemented by people repeating known patterns.
-
@pete-s said in Why you don't need a VPN or not?:
Sometimes language is not precise enough and besides English is not my first language.
What's your first language, I had no idea?
-
@pete-s said in Why you don't need a VPN or not?:
Scott, I honestly don't understand what you mean by "LANless" if you don't mean put every client device and every service on the internet directly and use secure communication between everything.
LANless design doesn't require everything to be on the Internet, in fact, you can do LANless with nothing on the Internet. Few do that, but you sure can.
LANless is about treating each workload as if it were on the Internet. Even if they are not.
In some ways, if you are familiar with microservice architecture in software engineering, it's much like applying that concept to systems. Keep each unit isolated and secured and not merged when not necessary.
-
Thanks, I have to think about this some more.
-
@pete-s said in Why you don't need a VPN or not?:
Thanks, I have to think about this some more.
It's a big change. LAN-centric security thinking has been preached for so long, it's an assumed starting point to network design. Entire "must have" product families were based on it, like Active Directory and SMB protocols. Most people just assume that this kind of network will exist and some products nearly require it (Quickbooks, for example.) But as someone that has moved away from it for many years, it's so freeing to not have it.
-
@scottalanmiller So in a transitional phase of moving away from LAN-centric practices, I have Windows firewall enabled on all Windows clients and Windows servers. Is that it, or would I have servers behind a hardware firewall with an ACL?