MPLS alternative
-
@Dashrender said in MPLS alternative:
WHAT? Are you implying that a company simply "would" have policies that users not run as local admins? Ok, honestly hadn't considered that. But that said - that will almost NEVER happen unless the company sets up the computer for the user, and creates the user's local account as a non admin for them. then the installer can decide wither or not to provide the local admin password to the user a well for when that's needed.
Setting up the computer initially (imaging it, for example) is different than having a big user management system for once they hand out the machines.
Also, pick a good OS and this problem solves itself
Only Windows shops can even end up having this discussion! And Windows is often an artifact of LAN thinking. Again, not always, but often.But by default, the Linux, Mac, and ChromeOS worlds have this solved right out of the gate.
-
@Dashrender said in MPLS alternative:
If I simply gave my users a brand new Windows machine - they would NEVER use any account other than the very first one that gets setup upon first boot, which by default is a local admin. This is the bit you have to get past in my mind.
Sure, so don't do that. That's, again, a different failure. You are assuming bad imaging or setup or handover, then using that as the basis for needing all this complication after the fact. Solve the problem at the root, rather than applying bandaids later.
-
@scottalanmiller said in MPLS alternative:
@Dashrender said in MPLS alternative:
@scottalanmiller said in MPLS alternative:
@Dashrender said in MPLS alternative:
@scottalanmiller said in MPLS alternative:
@hobbit666 said in MPLS alternative:
or accessing the Citrix farm
So this is already LANless, and requires no MPLS or VPN already. This only seems complex because it's already been made complex. But if you just deploy Citrix XenApp, it "just works". It's already functional with nothing more needed.
I know, because we do this here. This is another "it works by default", you have to break its default to have the issue.
Sure - but where does it's users come from? that server farm surely doesn't want to manage 300+ accounts across 15 machines...
Right, why manage them? The simple answer is... just don't. Managing accounts isn't actually something most companies need. It feels that way because we've always done it. But mostly, that's because of good marketing, not because it was actually a necessity. But the need for it has plummeted as well. In 2001, it made a lot more sense than it does in 2021.
You've completely lost me -
You SAM are standing up a Citrix farm of 15 servers for 300+ users - where does their logon information come from so those 300+ users can log into the Citrix app?
I think that's as simple a question as I can get.
Oh, specifically for Citrix. So in that case, I don't know what ALL options Citrix provides. In the case of RDS you are forced to use AD, but it can be "local AD" without any network connection. There is a LANless way to use AD for that.
But for our RDP farm, we use local users. Easier to do local than to do AD (by the tiniest amount.)
yeah to endpoints I could see the local bit - but that's really only for the user of the device - which is fine.
What is "Local AD"? how does that span the 15 servers in the Citrix Farm?
I just found an article that seems to talk about using AAD, but then it clearly starts out by saying
the use of an Active Directory domain continues to remain a requirement.
-
@scottalanmiller said in MPLS alternative:
@Dashrender said in MPLS alternative:
If I simply gave my users a brand new Windows machine - they would NEVER use any account other than the very first one that gets setup upon first boot, which by default is a local admin. This is the bit you have to get past in my mind.
Sure, so don't do that. That's, again, a different failure. You are assuming bad imaging or setup or handover, then using that as the basis for needing all this complication after the fact. Solve the problem at the root, rather than applying bandaids later.
No I wasn't assuming that - but I did want you to get MORE specific, which you seem to keep avoiding.
-
@Dashrender said in MPLS alternative:
As for your question on malware take over - really? So NC - you refuse to use local sync? - and targeted malware could still be on the machine and use the web browser to attack using the user's logon if the attacker wants to push it hard enough.... yeah, I know, that's a bit over the top though.
So NC, we don't use local sync, that's correct. We only use NC for giant files and that would be a problem if we synced them. Not sure how targeted malware would do what you are saying, but theoretically anything is a vector.
Not that people shouldn't use NC with local sync, it's a valid use case. Just we don't. No need.
We go farther than most companies to LANless. Zero Trust is more the security aspect of LANless. We also do fileless. Not 100%, but we are getting there. We use essentially no files any longer.
-
@Dashrender said in MPLS alternative:
What is "Local AD"? how does that span the 15 servers in the Citrix Farm?
AD DCs running in and only in, the cluster. This is a common pattern, actually, at least with RDS (which is the basis for XenApp). We do this for customers all the time. AD that's dedicated to the RDS/XA and isn't on the LAN itself.
-
@scottalanmiller said in MPLS alternative:
We use essentially no files any longer.
I love this -
So you have email
and what Rocket Chat for texting....Maybe your company has zero need for an individual to make a personal spreadsheet, etc... but if they did, how would you handle that?
-
@Dashrender said in MPLS alternative:
I just found an article that seems to talk about using AAD, but then it clearly starts out by saying
the use of an Active Directory domain continues to remain a requirement.
Yes, like the VPN discussion, AD is a tool. There is a difference between have an AD network (user end points are on AD) and using AD as a tool for RDS/XA. Just like our original discussion of VPNs was about site to site MPLS style replacement. But then you can use a VPN for something absolutely different, as 2FA for RDS/XA.
So AD as a "network authentication design" is LANbased. And AD itself is intended only for use on a LAN. So to LANless-ify LANbased software you have to encapsulate it. For AD and RDS, that means that the RDS/XA farm gets its own isolated AD just for it. Now your AD is a LANbased tool being used LANlessly.
-
@Dashrender said in MPLS alternative:
@scottalanmiller said in MPLS alternative:
We use essentially no files any longer.
I love this -
So you have email
and what Rocket Chat for texting....Maybe your company has zero need for an individual to make a personal spreadsheet, etc... but if they did, how would you handle that?
That is personal by definition. So they should not be doing it anyway. This is work.
Work "documents" are Excel Online, or WTFever ZoHo is. Not files.
-
@Dashrender said in MPLS alternative:
@scottalanmiller said in MPLS alternative:
We use essentially no files any longer.
I love this -
So you have email
and what Rocket Chat for texting....Maybe your company has zero need for an individual to make a personal spreadsheet, etc... but if they did, how would you handle that?
So we have email and no one should be sending files on it internally. We have Cliq for internal chat. Again, no one should send files (not counting memes, of course, gotta send those.)
We have spreadsheets, but we don't use legacy file based ones. Ours are all database managed with no files behind them as it should be. If we had to send a file to an outside entity, you for example, we would generate a file to send just for you. It's not a file we use internally, we don't have that file on our network. We generate it at the time that we are sending it to you.
-
@scottalanmiller said in MPLS alternative:
@Dashrender said in MPLS alternative:
What is "Local AD"? how does that span the 15 servers in the Citrix Farm?
AD DCs running in and only in, the cluster. This is a common pattern, actually, at least with RDS (which is the basis for XenApp). We do this for customers all the time. AD that's dedicated to the RDS/XA and isn't on the LAN itself.
Fantastic! This is exactly what I had envisioned.
So your earlier comment about
@scottalanmiller said in MPLS alternative:
Someone accidentally ties the Citrix ICA authentication to AD. They then expose AD to the Internet.
you meant that they somehow exposed those AD servers directly to the Internet - which is just crazy. But leaving them in the background behind the RDS/ICA servers should be pretty secure.?
-
@JaredBusch said in MPLS alternative:
@Dashrender said in MPLS alternative:
@scottalanmiller said in MPLS alternative:
We use essentially no files any longer.
I love this -
So you have email
and what Rocket Chat for texting....Maybe your company has zero need for an individual to make a personal spreadsheet, etc... but if they did, how would you handle that?
That is personal by definition. So they should not be doing it anyway. This is work.
Work "documents" are Excel Online, or WTFever ZoHo is. Not files.
Right, exactly. Excel Online and Zoho Sheets and Google whatever it is called all work without files. Very different from MS Office local files or LibreOffice local files.
If you look at our Zoho storage, there are no files. Just pointer references to database synthetic files that represent part of the database to let people "think" of them like files.
-
@Dashrender said in MPLS alternative:
you meant that they somehow exposed those AD servers directly to the Internet
No, he clearly meant they used the existing local AD and made that the login for the Citrix farm.
Thus exposing it to the internet via the citrix log on process. No different than RDS..
Of course the fucking DC was not directly on the internet.. WTF, this was clear as a bell when he stated it.
-
@Dashrender said in MPLS alternative:
you meant that they somehow exposed those AD servers directly to the Internet - which is just crazy. But leaving them in the background behind the RDS/ICA servers should be pretty secure.?
So sadly, no. That's the problem with RDS. It exposes AD directly! That's why it sucks so much. It requires AD and then exposes it! WTF MS?!?!?
That's why we either have to isolate AD away from the LAN to being used only for RDS, or we need to replace AD, or we need to harden it significantly.
In NTG's RDP farm case, we do it by running without AD. But everyone has different needs.
-
@scottalanmiller said in MPLS alternative:
@Dashrender said in MPLS alternative:
@scottalanmiller said in MPLS alternative:
We use essentially no files any longer.
I love this -
So you have email
and what Rocket Chat for texting....Maybe your company has zero need for an individual to make a personal spreadsheet, etc... but if they did, how would you handle that?
So we have email and no one should be sending files on it internally. We have Cliq for internal chat. Again, no one should send files (not counting memes, of course, gotta send those.)
We have spreadsheets, but we don't use legacy file based ones. Ours are all database managed with no files behind them as it should be. If we had to send a file to an outside entity, you for example, we would generate a file to send just for you. It's not a file we use internally, we don't have that file on our network. We generate it at the time that we are sending it to you.
Nice - yeah, I'd love to get us there with several things we do here... we pull data out of our EHR and then use Excel to bend it to the reports we want (the EHR can't), I assume you're OK with that. the problem is - our users don't want to give up the excel file they've created after they massaged the data.
-
@JaredBusch said in MPLS alternative:
@Dashrender said in MPLS alternative:
you meant that they somehow exposed those AD servers directly to the Internet
No, he clearly meant they used the existing local AD and made that the login for the Citrix farm.
Thus exposing it to the internet via the citrix log on process. No different than RDS..
Of course the fucking DC was not directly on the internet.. WTF, this was clear as a bell when he stated it.
My Fucking bad - the idea of standing up a completely separate AD just for Citrix completely escaped me until his more recent post. That just seems CRAZY complex... UNTIL you get rid of AD for users as well. users already complain about having to log into 37 different things every day, splitting AD from local logon vs Citrix logon means just one more set of creds to remember.. users will definitely complain..
yeah yeah - JB says F the user.
-
@Dashrender said in MPLS alternative:
@scottalanmiller said in MPLS alternative:
@Dashrender said in MPLS alternative:
@scottalanmiller said in MPLS alternative:
We use essentially no files any longer.
I love this -
So you have email
and what Rocket Chat for texting....Maybe your company has zero need for an individual to make a personal spreadsheet, etc... but if they did, how would you handle that?
So we have email and no one should be sending files on it internally. We have Cliq for internal chat. Again, no one should send files (not counting memes, of course, gotta send those.)
We have spreadsheets, but we don't use legacy file based ones. Ours are all database managed with no files behind them as it should be. If we had to send a file to an outside entity, you for example, we would generate a file to send just for you. It's not a file we use internally, we don't have that file on our network. We generate it at the time that we are sending it to you.
Nice - yeah, I'd love to get us there with several things we do here... we pull data out of our EHR and then use Excel to bend it to the reports we want (the EHR can't), I assume you're OK with that. the problem is - our users don't want to give up the excel file they've created after they massaged the data.
It's not that using files is "wrong", but it is a "thing" to be considered. Files like that are big attack vectors and make you have to worry about a lot of things that we don't have to worry about.
For example, if Valentina does something and gets infected, at no time does a file transfer from her to someone else in the company. That doesn't mean that the malware couldn't leverage her email somehow, or her IM somehow or grab her keyboard or whatever. Malware can certainly do damage. But the fear of the "open window" infection where infected files just flow from her to someone else doesn't happen in our workflows and there is no mechanism connecting us together that we just are avoiding using. There's no file sharing system under normal circumstances.
-
@scottalanmiller said in MPLS alternative:
@Dashrender said in MPLS alternative:
you meant that they somehow exposed those AD servers directly to the Internet - which is just crazy. But leaving them in the background behind the RDS/ICA servers should be pretty secure.?
So sadly, no. That's the problem with RDS. It exposes AD directly! That's why it sucks so much. It requires AD and then exposes it! WTF MS?!?!?
That's why we either have to isolate AD away from the LAN to being used only for RDS, or we need to replace AD, or we need to harden it significantly.
In NTG's RDP farm case, we do it by running without AD. But everyone has different needs.
yeah, this points back to the multiple credentials needed I just pointed out, driving users crazy - and to the use of aweful passwords. of course we can mitigate the passwords to a point, but that leads to other issues.
Basically if Hobbit is going to do this - he needs to get management to buy into a completely new paradigm of the design. which would be great, but a hard sell.
-
@Dashrender said in MPLS alternative:
@JaredBusch said in MPLS alternative:
@Dashrender said in MPLS alternative:
you meant that they somehow exposed those AD servers directly to the Internet
No, he clearly meant they used the existing local AD and made that the login for the Citrix farm.
Thus exposing it to the internet via the citrix log on process. No different than RDS..
Of course the fucking DC was not directly on the internet.. WTF, this was clear as a bell when he stated it.
My Fucking bad - the idea of standing up a completely separate AD just for Citrix completely escaped me until his more recent post. That just seems CRAZY complex... UNTIL you get rid of AD for users as well. users already complain about having to log into 37 different things every day, splitting AD from local logon vs Citrix logon means just one more set of creds to remember.. users will definitely complain..
yeah yeah - JB says F the user.
So that's the logic most companies use. They say...
We have AD already. All users are in AD. RDS needs AD. Let's just use the AD that we already have.
Makes sense, this isn't stupid or anything. It's so common and so obvious, this is why people assume RDS/XA have certain risks inherently when they actually don't.
But often you either needs lots of users on RDS and not on the LAN or vice versa and separating the two can be done. Or in a lot of our cases, AD exists nowhere and we have to stand it up just for RDS. So it becomes just another form of "local" users for RDS. It's just that RDS' required you store the local users that exists only for it in AD. And they recommend it be on a separate VM, which is dumb. But for a cluster / farm it makes sense. Local "to the farm".
-
So in a way thinking about just Citrix, we would drop AD and move the devices to local users.
Then either create a "New Local AD" with the users credentials just for Citrix use?
Or use one of those 3rd party VPN things (AppGate)
We have 600+ devices out there, but only 300 odd need Citrix Access.This would make Citrix LANless/Zero Trust as the user will need to authorize them selves via the "Local AD" credentials or that AppGate thing?
