Why you don't need a VPN or not?
-
@pete-s said in Why you don't need a VPN or not?:
I think you might be associating things that are not really tied together. LAN is a local area network. It doesn't implicate anything about security. It doesn't mean that everything inside the LAN is considered secure and everything outside is hostile.
LAN vs LANless is an architectural concept.
LAN thinking means you use the LAN to designate a security zone - the reason that extending the LAN with a VPN provides any functionality.
LANless doesn't mean that physical LAN does not exist, but that the security and access model is not designed around the LAN.
In traditional network design, LAN based design has us designing "safe areas" where things "inside the walls" are considered safe and things "outside the walls" are considered dangerous. Then in this model, to bring in other people or sites to our "walled garden" we use a VPN or MPLS or similar to "extend the LAN" to other locations.
LANless design treats systems on the LAN or not on the LAN equally - distrusting everything. In LANless design, a VPN is pointless since being on the LAN from a security standpoint would provide nothing.
-
@pete-s said in Why you don't need a VPN or not?:
How the architecture and security in the LAN is set up is a completely separate issue. Modern LAN practice is more network segmentation and inter-zone firewalling and monitoring. That is what I see customer LANs have as well. It's common for instance to have firewalls inside the LAN. Some variation of this is called zero trust network.
I would not call that modern. That's the same LAN security model we've had for decades. That's just the current state of legacy approaches.
Which is what we expect; the majority of networks just keep what has always been. Either because they were implemented long ago, or are implemented by people repeating known patterns.
-
@pete-s said in Why you don't need a VPN or not?:
Sometimes language is not precise enough and besides, English is not my first language.
What's your first language? I had no idea.
-
@pete-s said in Why you don't need a VPN or not?:
Scott, I honestly don't understand what you mean by "LANless" if you don't mean put every client device and every service on the internet directly and use secure communication between everything.
LANless design doesn't require everything to be on the Internet; in fact, you can do LANless with nothing on the Internet. Few do that, but you sure can.
LANless is about treating each workload as if it were on the Internet. Even if they are not.
In some ways, if you are familiar with microservice architecture in software engineering, it's much like applying that concept to systems. Keep each unit isolated and secured and not merged when not necessary.
-
Thanks, I have to think about this some more.
-
@pete-s said in Why you don't need a VPN or not?:
Thanks, I have to think about this some more.
It's a big change. LAN-centric security thinking has been preached for so long, it's an assumed starting point to network design. Entire "must have" product families were based on it, like Active Directory and SMB protocols. Most people just assume that this kind of network will exist and some products nearly require it (QuickBooks, for example). But as someone who has moved away from it for many years, it's so freeing to not have it.
-
@scottalanmiller So in a transitional phase of moving away from LAN-centric practices, I have Windows firewall enabled on all Windows clients and Windows servers. Is that it, or would I have servers behind a hardware firewall with an ACL?
-
@wrx7m said in Why you don't need a VPN or not?:
@scottalanmiller So in a transitional phase of moving away from LAN-centric practices, I have Windows firewall enabled on all Windows clients and Windows servers. Is that it, or would I have servers behind a hardware firewall with an ACL?
You always want firewalls. LAN-centric or LANless doesn't change that.
LANless is about making everything accessible through web services.
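As an added example (not from the thread or from any of the posters), here is how the LAN-centric versus LANless distinction reads on a single Windows server using the built-in firewall, which is the setup wrx7m describes. The first rule is the LAN-centric pattern, where a peer's subnet is the trust decision; the rest replaces it with a LANless one: default-deny inbound on every profile, publish only the HTTPS service the host exists to offer, and open nothing by location. The 10.0.0.0/8 range, the jump-host address, the port and the rule names are constructed placeholders.

```powershell
# Added example, not the thread's own configuration. Assumes an elevated
# PowerShell session on a Windows server whose published service is an HTTPS
# application on TCP 443. 10.0.0.0/8 and 10.0.0.5 are constructed placeholders.

# --- LAN-centric (weak): being on the LAN is the trust decision ---------------
# Anything on the internal range may reach every listening port (SMB, RDP, ...).
# The only thing between a compromised workstation and this server is the
# perimeter firewall, which already considers the workstation "inside".
New-NetFirewallRule -DisplayName 'LAN-centric: allow all from LAN' `
    -Direction Inbound -RemoteAddress '10.0.0.0/8' -Action Allow

# --- LANless (corrected): the host defends itself the same way everywhere -----
# 1. Default-deny inbound on all three profiles, so a Domain or Private
#    network classification buys a peer nothing extra.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Remove the location-based allow.
Remove-NetFirewallRule -DisplayName 'LAN-centric: allow all from LAN' `
    -ErrorAction SilentlyContinue

# 3. Publish only the service this host exists to offer, on every profile and
#    from any source. Authentication and encryption are the application's job
#    (TLS plus a login), not the subnet's.
New-NetFirewallRule -DisplayName 'LANless: HTTPS service' `
    -Direction Inbound -Protocol TCP -LocalPort 443 -Profile Any -Action Allow

# 4. The management plane stays closed by default. Opening it is a separate,
#    explicitly scoped rule (here a single jump host), never "the LAN".
New-NetFirewallRule -DisplayName 'LANless: RDP from jump host only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress '10.0.0.5' -Profile Any -Action Allow

# Check: every inbound port still allowed, regardless of where the peer sits.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
```

The final pipeline is the check worth repeating after any change: it lists each inbound port that is still allowed, and under a LANless policy that list should contain only the services you intentionally publish, the same list whether the peer is across the room or across the Internet. Authentication and encryption then live in the service itself, which is what the thread means by serving files from Nextcloud over HTTPS rather than from an SMB share that every LAN peer can reach.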
-
@travisdh1 Right, so I would want a firewall above and beyond the Windows firewall, one capable of the line speeds needed for file servers, etc.?
-
@wrx7m said in Why you don't need a VPN or not?:
@travisdh1 Right, so I would want a firewall above and beyond the Windows firewall, one capable of the line speeds needed for file servers, etc.?
A Windows firewall, or any firewall in the OS, serves a completely different purpose. You should always have both, even if just a router/firewall.
-
@Obsolesce - Right, I have an edge firewall for the WAN to the LAN where all endpoints on the wired network (servers and clients) reside, but I am wondering how to move to a tighter circle to get the servers segregated from the clients.
-
@wrx7m said in Why you don't need a VPN or not?:
I am wondering how to move to a tighter circle to get the servers segregated from the clients.
Segregated how, or in what sense? So they cannot communicate with each other?
-
@wrx7m said in Why you don't need a VPN or not?:
@Obsolesce - Right, I have an edge firewall for the WAN to the LAN where all endpoints on the wired network (servers and clients) reside, but I am wondering how to move to a tighter circle to get the servers segregated from the clients.
That involves making network services available with a different method.
I.e., files served from Nextcloud instead of a file server.
-
@Obsolesce - So they are not wide open (with the exception of the Windows firewall).
-
@travisdh1 said in Why you don't need a VPN or not?:
@wrx7m said in Why you don't need a VPN or not?:
@Obsolesce - Right, I have an edge firewall for the WAN to the LAN where all endpoints on the wired network (servers and clients) reside, but I am wondering how to move to a tighter circle to get the servers segregated from the clients.
That involves making network services available with a different method.
I.e., files served from Nextcloud instead of a file server.
OK, so if I am not doing that, there is no point in making a change?
-
@wrx7m said in Why you don't need a VPN or not?:
@travisdh1 said in Why you don't need a VPN or not?:
@wrx7m said in Why you don't need a VPN or not?:
@Obsolesce - Right, I have an edge firewall for the WAN to the LAN where all endpoints on the wired network (servers and clients) reside, but I am wondering how to move to a tighter circle to get the servers segregated from the clients.
That involves making network services available with a different method.
I.e., files served from Nextcloud instead of a file server.
OK, so if I am not doing that, there is no point in making a change?
Yes, exactly.
-
@travisdh1 said in Why you don't need a VPN or not?:
@wrx7m said in Why you don't need a VPN or not?:
@travisdh1 said in Why you don't need a VPN or not?:
@wrx7m said in Why you don't need a VPN or not?:
@Obsolesce - Right, I have an edge firewall for the WAN to the LAN where all endpoints on the wired network (servers and clients) reside, but I am wondering how to move to a tighter circle to get the servers segregated from the clients.
That involves making network services available with a different method.
I.e., files served from Nextcloud instead of a file server.
OK, so if I am not doing that, there is no point in making a change?
Yes, exactly.
The takeaway is - The only way to be secure is to use a web app?
-
@wrx7m said in Why you don't need a VPN or not?:
@travisdh1 said in Why you don't need a VPN or not?:
@wrx7m said in Why you don't need a VPN or not?:
@travisdh1 said in Why you don't need a VPN or not?:
@wrx7m said in Why you don't need a VPN or not?:
@Obsolesce - Right, I have an edge firewall for the WAN to the LAN where all endpoints on the wired network (servers and clients) reside, but I am wondering how to move to a tighter circle to get the servers segregated from the clients.
That involves making network services available with a different method.
I.e., files served from Nextcloud instead of a file server.
OK, so if I am not doing that, there is no point in making a change?
Yes, exactly.
The takeaway is - The only way to be secure is to use a web app?
It's not the only way to be secure, but it does make it much easier.
-
@travisdh1 said in Why you don't need a VPN or not?:
@wrx7m said in Why you don't need a VPN or not?:
@travisdh1 said in Why you don't need a VPN or not?:
@wrx7m said in Why you don't need a VPN or not?:
@travisdh1 said in Why you don't need a VPN or not?:
@wrx7m said in Why you don't need a VPN or not?:
@Obsolesce - Right, I have an edge firewall for the WAN to the LAN where all endpoints on the wired network (servers and clients) reside, but I am wondering how to move to a tighter circle to get the servers segregated from the clients.
That involves making network services available with a different method.
I.e., files served from Nextcloud instead of a file server.
OK, so if I am not doing that, there is no point in making a change?
Yes, exactly.
The takeaway is - The only way to be secure is to use a web app?
It's not the only way to be secure, but it does make it much easier.
So, in your post - https://mangolassi.it/topic/15325/lanless-explained/2
The second diagram shows the red security perimeter, housing "Servers, SANs, etc. All applications, files, and every other resource needed". What is securing the perimeter?
-
@wrx7m said in Why you don't need a VPN or not?:
@travisdh1 said in Why you don't need a VPN or not?:
@wrx7m said in Why you don't need a VPN or not?:
@travisdh1 said in Why you don't need a VPN or not?:
@wrx7m said in Why you don't need a VPN or not?:
@travisdh1 said in Why you don't need a VPN or not?:
@wrx7m said in Why you don't need a VPN or not?:
@Obsolesce - Right, I have an edge firewall for the WAN to the LAN where all endpoints on the wired network (servers and clients) reside, but I am wondering how to move to a tighter circle to get the servers segregated from the clients.
That involves making network services available with a different method.
I.e., files served from Nextcloud instead of a file server.
OK, so if I am not doing that, there is no point in making a change?
Yes, exactly.
The takeaway is - The only way to be secure is to use a web app?
It's not the only way to be secure, but it does make it much easier.
So, in your post - https://mangolassi.it/topic/15325/lanless-explained/2
The second diagram shows the red security perimeter, housing "Servers, SANs, etc. All applications, files, and every other resource needed". What is securing the perimeter?
Generally VPN in the form of HTTPS connections.