Why you don't need a VPN or not?
-
Thanks, I have to think about this some more.
-
@pete-s said in Why you don't need a VPN or not?:
Thanks, I have to think about this some more.
It's a big change. LAN-centric security thinking has been preached for so long, it's an assumed starting point to network design. Entire "must have" product families were based on it, like Active Directory and SMB protocols. Most people just assume that this kind of network will exist and some products nearly require it (Quickbooks, for example.) But as someone that has moved away from it for many years, it's so freeing to not have it.
-
@scottalanmiller So in a transitional phase of moving away from LAN-centric practices, I have Windows firewall enabled on all Windows clients and Windows servers. Is that it, or would I have servers behind a hardware firewall with an ACL?
-
@wrx7m said in Why you don't need a VPN or not?:
@scottalanmiller So in a transitional phase of moving away from LAN-centric practices, I have Windows firewall enabled on all Windows clients and Windows servers. Is that it, or would I have servers behind a hardware firewall with an ACL?
You always want firewalls. LAN-centric or LANless doesn't change that.
LANless is about making everything accessible through web services.
-
@travisdh1 Right, so I would want a firewall above and beyond the Windows firewall, that would be capable of speeds necessary to accommodate line speeds for file servers, etc?
-
@wrx7m said in Why you don't need a VPN or not?:
@travisdh1 Right, so I would want a firewall above and beyond the Windows firewall, that would be capable of speeds necessary to accommodate line speeds for file servers, etc?
A Windows firewall, or any firewall in the OS, serves a completely different purpose. You should always have both, even if just a router/firewall.
-
@Obsolesce - Right, I have an edge firewall for the WAN to the LAN where all endpoints on the wired network (servers and clients) reside, but I am wondering how to move to a tighter circle to get the servers segregated from the clients.
-
@wrx7m said in Why you don't need a VPN or not?:
I am wondering how to move to a tighter circle to get the servers segregated from the clients.
Segregated how or in what sense? So they cannot communicate to each other?
-
@wrx7m said in Why you don't need a VPN or not?:
@Obsolesce - Right, I have an edge firewall for the WAN to the LAN where all endpoints on the wired network (servers and clients) reside, but I am wondering how to move to a tighter circle to get the servers segregated from the clients.
That involves making network services available with a different method.
IE: Files served from NextCloud instead of a file server.
-
@Obsolesce - So they are not wide open (with the exception of the Windows firewall).
-
@travisdh1 said in Why you don't need a VPN or not?:
@wrx7m said in Why you don't need a VPN or not?:
@Obsolesce - Right, I have an edge firewall for the WAN to the LAN where all endpoints on the wired network (servers and clients) reside, but I am wondering how to move to a tighter circle to get the servers segregated from the clients.
That involves making network services available with a different method.
IE: Files served from NextCloud instead of a file server.
OK, so if I am not doing that, there is no point to make a change?
-
@wrx7m said in Why you don't need a VPN or not?:
@travisdh1 said in Why you don't need a VPN or not?:
@wrx7m said in Why you don't need a VPN or not?:
@Obsolesce - Right, I have an edge firewall for the WAN to the LAN where all endpoints on the wired network (servers and clients) reside, but I am wondering how to move to a tighter circle to get the servers segregated from the clients.
That involves making network services available with a different method.
IE: Files served from NextCloud instead of a file server.
OK, so if I am not doing that, there is no point to make a change?
Yes, exactly.
-
@travisdh1 said in Why you don't need a VPN or not?:
@wrx7m said in Why you don't need a VPN or not?:
@travisdh1 said in Why you don't need a VPN or not?:
@wrx7m said in Why you don't need a VPN or not?:
@Obsolesce - Right, I have an edge firewall for the WAN to the LAN where all endpoints on the wired network (servers and clients) reside, but I am wondering how to move to a tighter circle to get the servers segregated from the clients.
That involves making network services available with a different method.
IE: Files served from NextCloud instead of a file server.
OK, so if I am not doing that, there is no point to make a change?
Yes, exactly.
The takeaway is - The only way to be secure is to use a web app?
-
@wrx7m said in Why you don't need a VPN or not?:
@travisdh1 said in Why you don't need a VPN or not?:
@wrx7m said in Why you don't need a VPN or not?:
@travisdh1 said in Why you don't need a VPN or not?:
@wrx7m said in Why you don't need a VPN or not?:
@Obsolesce - Right, I have an edge firewall for the WAN to the LAN where all endpoints on the wired network (servers and clients) reside, but I am wondering how to move to a tighter circle to get the servers segregated from the clients.
That involves making network services available with a different method.
IE: Files served from NextCloud instead of a file server.
OK, so if I am not doing that, there is no point to make a change?
Yes, exactly.
The takeaway is - The only way to be secure is to use a web app?
It's not the only way to be secure, but it does make it much easier.
-
@travisdh1 said in Why you don't need a VPN or not?:
@wrx7m said in Why you don't need a VPN or not?:
@travisdh1 said in Why you don't need a VPN or not?:
@wrx7m said in Why you don't need a VPN or not?:
@travisdh1 said in Why you don't need a VPN or not?:
@wrx7m said in Why you don't need a VPN or not?:
@Obsolesce - Right, I have an edge firewall for the WAN to the LAN where all endpoints on the wired network (servers and clients) reside, but I am wondering how to move to a tighter circle to get the servers segregated from the clients.
That involves making network services available with a different method.
IE: Files served from NextCloud instead of a file server.
OK, so if I am not doing that, there is no point to make a change?
Yes, exactly.
The takeaway is - The only way to be secure is to use a web app?
It's not the only way to be secure, but it does make it much easier.
So, in your post - https://mangolassi.it/topic/15325/lanless-explained/2
The second diagram shows the red security perimeter, housing "Servers, SANs, etc. All applications, files, and every other resource needed". What is securing the perimeter?
-
@wrx7m said in Why you don't need a VPN or not?:
@travisdh1 said in Why you don't need a VPN or not?:
@wrx7m said in Why you don't need a VPN or not?:
@travisdh1 said in Why you don't need a VPN or not?:
@wrx7m said in Why you don't need a VPN or not?:
@travisdh1 said in Why you don't need a VPN or not?:
@wrx7m said in Why you don't need a VPN or not?:
@Obsolesce - Right, I have an edge firewall for the WAN to the LAN where all endpoints on the wired network (servers and clients) reside, but I am wondering how to move to a tighter circle to get the servers segregated from the clients.
That involves making network services available with a different method.
IE: Files served from NextCloud instead of a file server.
OK, so if I am not doing that, there is no point to make a change?
Yes, exactly.
The takeaway is - The only way to be secure is to use a web app?
It's not the only way to be secure, but it does make it much easier.
So, in your post - https://mangolassi.it/topic/15325/lanless-explained/2
The second diagram shows the red security perimeter, housing "Servers, SANs, etc. All applications, files, and every other resource needed". What is securing the perimeter?
Generally VPN in the form of HTTPS connections.
-
@wrx7m said in Why you don't need a VPN or not?:
@scottalanmiller So in a transitional phase of moving away from LAN-centric practices, I have Windows firewall enabled on all Windows clients and Windows servers. Is that it, or would I have servers behind a hardware firewall with an ACL?
Firewalls are nearly always a good thing. Not always necessary, but rarely "bad". Certainly you want the OS firewalls on servers and desktops, always. LANless won't mean necessarily dumping your hardware firewalls, they are necessary as the routing layer, anyway. So using ACLs and NATing are going to continue to be useful.
The key difference is ensuring that they are a "secondary defense layer" and not a primary one. Make sure you'd feel safe putting your server on the Internet... then add that hardware firewall as icing, not as your security cake.
-
@travisdh1 said in Why you don't need a VPN or not?:
LANless is about making everything accessible through web services.
And securing them as if they will be accessed over the Internet.
But not web services, necessarily, although commonly. Accessed as if they are remote is a better way to phrase it.
-
@wrx7m said in Why you don't need a VPN or not?:
@Obsolesce - Right, I have an edge firewall for the WAN to the LAN where all endpoints on the wired network (servers and clients) reside, but I am wondering how to move to a tighter circle to get the servers segregated from the clients.
Do you really want "servers versus clients?" Making servers secure individually is great, but generally servers need to talk to clients more than to other servers. Keeping servers away from each other is often more important than keeping servers away from clients. Same deal with clients: they almost never should talk to each other, but constantly must talk to servers.
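A host-firewall baseline in the spirit of the two posts above (the server must be safe as if it sat on the Internet; clients and servers do not get trust just for sharing a subnet), as an added PowerShell example that is not from anyone in this thread. The published service port and the management subnet are assumed placeholders.

```powershell
# Added example, not from the thread: a Windows host-firewall baseline for a server
# that has to survive being reachable "as if on the Internet".
# Assumes the NetSecurity module (Windows 8 / Server 2012 or later) and an elevated shell.
# Hypothetical values: the service port and the management subnet are placeholders.

$ServicePort = 443             # the one service this host publishes (assumed: HTTPS)
$MgmtSubnet  = '192.0.2.0/24'  # placeholder: hosts allowed to reach RDP/WinRM

# 1. Every profile, including Domain, gets the same default-deny inbound posture.
#    LANless means the "Domain" network is trusted no more than a coffee-shop network.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -AllowInboundRules True -NotifyOnListen False `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Publish only the service this host exists for, from anywhere: the hardware
#    firewall in front of it is icing, not the cake.
New-NetFirewallRule -DisplayName 'LANless: published service' -Direction Inbound `
    -Protocol TCP -LocalPort $ServicePort -Action Allow -Profile Any | Out-Null

# 3. Management plane reachable only from the management subnet, never from "LocalSubnet".
New-NetFirewallRule -DisplayName 'LANless: mgmt RDP/WinRM' -Direction Inbound `
    -Protocol TCP -LocalPort 3389,5985,5986 -RemoteAddress $MgmtSubnet -Action Allow `
    -Profile Any | Out-Null

# 4. Audit: enabled inbound allow rules that still trust the local subnet
#    (file and printer sharing, network discovery, etc.) are the LAN-centric assumptions
#    this thread is talking about moving away from.
function Get-LocalSubnetTrustRules {
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        Where-Object {
            ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'LocalSubnet'
        }
}
$lanTrust = Get-LocalSubnetTrustRules
$lanTrust | Select-Object DisplayName, DisplayGroup, Profile | Format-Table -AutoSize

# To act on the audit once nothing in use depends on those rules:
# $lanTrust | Disable-NetFirewallRule
```

The same baseline applies to clients with step 2 dropped: a workstation publishes nothing, so it keeps only the default-deny posture and the management rule.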
-
@wrx7m said in Why you don't need a VPN or not?:
@travisdh1 said in Why you don't need a VPN or not?:
@wrx7m said in Why you don't need a VPN or not?:
@Obsolesce - Right, I have an edge firewall for the WAN to the LAN where all endpoints on the wired network (servers and clients) reside, but I am wondering how to move to a tighter circle to get the servers segregated from the clients.
That involves making network services available with a different method.
IE: Files served from NextCloud instead of a file server.
OK, so if I am not doing that, there is no point to make a change?
LANless requires removing LAN-based approaches. I understand you are talking about a transition period.
But some things, like SMB shares and Active Directory, are LAN-based at their cores and really have no effective way to be made LANless, even transitionally.
I mean you can do something like taking ZeroTier and encapsulating SMB and creating a poorly performing LANless file sharing service in that way. But it is hokey and won't behave all that well. SMB is just not suited to that, it was designed with the thought that LAN containment would always define it.