MPLS alternative

scottalanmiller

Are there any exceptions to leased lines being bad? Yes. But they are insanely rare and really come up when you are building your own Internet provider, basically.

Example: When I was on Wall St. the bank didn't feel that its connections from North America to the Middle East were good enough (as in... they didn't trust the ENTIRE Internet infrastructure of the Gulf States) and so they put in their own dual transatlantic cable (with the Internet via VPN as a backup) that took a different route than the national Internet infrastructure. They did this to replicate the entire Internet backbone of the country in question.

When the COUNTRY had a two day blackout, the bank was not affected and phones and Internet never missed a packet while the rest of the country was totally without Internet (including phones.)

When you get to this scale and are talking about competing with the ISPs because you don't trust the accumulation of all ISPs for a region or country. Yes, leased lines start to be the only option short of building your own ISP and at some point, what's the difference?

But when we are talking about something that CAN be done over the existing Internet and you aren't trenching your own custom fiber end to end, then we are back to our normal discussion.

Dashrender

Doesn't the likes of Microsoft/Amazon/Google all use leased lines for they syncing between DCs?

I'm almost positive they did in the past. I say this because I recall hearing that Google, etc were suddenly face slappingly aware of how not encrypted their syncing was between DCs with the Snowden reveal, and that the NSA was siphoning off copies of all of their flowing packets.

This leads me to believe Google/etc believed the leased lines were "secure enough" to not need to worry about encrypting the data in transit, which I can't personally believe they would consider acceptable if it was simply using Internet connections to do this.

scottalanmiller

@hobbit666 said in MPLS alternative:

BTW watched that Magolassi video on Lanless design. Also been looking at some Zero Trust stuff.......... i'm still confused

Think more reading and seeing some examples might help my little head compute it all might help

Well, think about ANY desire to have a VPN or MPLS connection and ask "why?" In modern (meaning post-2003) application design, there's no normal case where you'd have any reason for that kind of connection. What traffic is utilizing that for you? SMB and AD traffic certainly do, and both are vestiges of another era and represent massive security risks and fragility for the business. They also have advantages, so this isn't a all con, no pro situation. They are easy, fast, and well known. But they are designed entirely around businesses that fit in a single LAN. The moment you introduce a second site, they start to falter. They weren't designed for the multi-site business world, let alone the multi-region company. Neither handles WAN latency well, regardless of connectivity. And no "can claim to be a business app" would have any reason to need LAN connectivity, even by the late 1990s that was "you should fire anyone making software that way and no one should buy software with those kinds of problems."

And before people say that the real world doesn't do this stuff, I can tell you that firms with hundred of thousands of users were doing this by 2005 on a large scale, and small firms were doing it a decade earlier. Plus always those outliers that did it starting in the 60s or whatever. Sure, most firms will always do things poorly, that's assumed. But companies that were trying to do things well were able to pretty easily get to LANless or close to LANless a really long time ago without much challenge.

scottalanmiller

@Dashrender said in MPLS alternative:

Doesn't the likes of Microsoft/Amazon/Google all use leased lines for they syncing between DCs?

Sort of, they are their own ISPs. So you are basically asking if the Internet is built on leased lines. Yes, under the hood, ISPs use leased lines to form the Internet. But that's a meta-discussion.

scottalanmiller

@Dashrender said in MPLS alternative:

This leads me to believe Google/etc believed the leased lines were "secure enough" to not need to worry about encrypting the data in transit, which I can't personally believe they would consider acceptable if it was simply using Internet connections to do this.

Um, no, they put VPNs on those lines.

Dashrender

@scottalanmiller said in MPLS alternative:

@Dashrender said in MPLS alternative:

This leads me to believe Google/etc believed the leased lines were "secure enough" to not need to worry about encrypting the data in transit, which I can't personally believe they would consider acceptable if it was simply using Internet connections to do this.

Um, no, they put VPNs on those lines.

They did after Snowden - that was publicly acknowledged, but pre-snowden... not so sure. Definitely not in all cases.

Heck, I'd be surprised if Hobbit's company is encrypting data between sites - they are instead (management likely not realizing it) completely exposing their prints/fileshares with BT through their MPLS.

Dashrender

@scottalanmiller what would you do for a management solution for 300+ users on company owned equipment?
And what management solution for useraccounts would you use for Citrix?

scottalanmiller

@Dashrender said in MPLS alternative:

Heck, I'd be surprised if Hobbit's company is encrypting data between sites - they are instead (management likely not realizing it) completely exposing their prints/fileshares with BT through their MPLS.

I guarantee that they are not. But they are not an in-house ISP. They are doing it for LAN traffic, not to build their own Internet backbone.

scottalanmiller

@Dashrender said in MPLS alternative:

what would you do for a management solution for 300+ users on company owned equipment?

It's not that easy to say what TO do. That requires a lot of research. But knowing what NOT to do is a lot simpler. AD is absolutely not a good solution for a lot of sites. Even Microsoft hasn't recommended that in a long time. That's why they moved to Azure AD internally as their product for that long ago.

We have no reason to believe that they even need user management, there's no way to have that assumption. I've worked in companies that size that saw zero value to having that and I see that play out time and time again. The need for user management on the OS is probably around 50/50.

So without even knowing if the need user management, it's impossible to even start to guess how best to approach it.

scottalanmiller

The need for user management at the OS level primarily comes from LAN-based design. Not 100%, but maybe 85%. Once you are LANless / Zero Trust, the need to control the users at the device level changes dramatically. There are good reasons to still want it, but it has to become a business need, not a "nice if all other things were equal." It comes at high cost and carries risks, so you have to have a value that supersedes those values to justify it.

scottalanmiller

@hobbit666 said in MPLS alternative:

Think more reading and seeing some examples might help my little head compute it all might help

Two simple examples...

LANbased Legacy User Management: Active Directory
LANless Alternative: JumpCloud, AzureAD

LANbased Legacy File Management: SMB or NFS Mapped Drives / Shares
LANless Alternatives: OneDrive, NextCloud, Google Drive, DropBox

scottalanmiller

Another example of LANbased vs LANless thinking or approach...

Old Days: Log into your desktop and the desktop gives you immediate access to files, applications, etc.

Modern Way: Log into desktop, then log into applications so that the applications are not trusting the device but authenticate the user.

hobbit666

@scottalanmiller said in MPLS alternative:

@hobbit666 said in MPLS alternative:

Think more reading and seeing some examples might help my little head compute it all might help

Two simple examples...

LANbased Legacy User Management: Active Directory
LANless Alternative: JumpCloud, AzureAD

LANbased Legacy File Management: SMB or NFS Mapped Drives / Shares
LANless Alternatives: OneDrive, NextCloud, Google Drive, DropBox

Those i get, but what about printing to office printers, or accessing the Citrix farm.
As i said E-mails and files are getting slowly moved to o365 and OD4B

hobbit666

@scottalanmiller said in MPLS alternative:

Another example of LANbased vs LANless thinking or approach...

Old Days: Log into your desktop and the desktop gives you immediate access to files, applications, etc.

Modern Way: Log into desktop, then log into applications so that the applications are not trusting the device but authenticate the user.

So how to you handle the "log into dekstop"? AzureAD or local user?
Then if we are using Office 365 Desktop apps like Word Excel can we use Single Sign On from AzureAD or would it be best to get the users to log in everytime? Same with OneDrive

scottalanmiller

@hobbit666 said in MPLS alternative:

Those i get, but what about printing to office printers.....

So printing is a weird one. Typically printing desires physical proximity and no security. The nature of printing is insecure. Do you really need printing security? And do you really need to print from one site to another instead of printing locally? These things are possible, just really rare.

Printing does have options to use some LANless design, but typically we ignore this here as we are talking about a peripheral device that simply "doesn't matter" enough.

So I guess the real question is... since you can "just print" without any discussion or design whatsoever, what's the actual problem that you are trying to solve? I'm not sure what the question is. Whether you have LANbased or LANless design, if you hook up a USB printer you just print, if you hook up a network printer, you just print. They really fall outside of this discussion unless there is some extra factor that we can't anticipate.

Dashrender

@scottalanmiller said in MPLS alternative:

@Dashrender said in MPLS alternative:

Heck, I'd be surprised if Hobbit's company is encrypting data between sites - they are instead (management likely not realizing it) completely exposing their prints/fileshares with BT through their MPLS.

I guarantee that they are not. But they are not an in-house ISP. They are doing it for LAN traffic, not to build their own Internet backbone.

sure - but do you want your ISP snooping through your traffic? I definitely don't want Cox or anyone Cox allows on their network to see my traffic.

scottalanmiller

@hobbit666 said in MPLS alternative:

or accessing the Citrix farm

So this is already LANless, and requires no MPLS or VPN already. This only seems complex because it's already been made complex. But if you just deploy Citrix XenApp, it "just works". It's already functional with nothing more needed.

I know, because we do this here. This is another "it works by default", you have to break its default to have the issue.

scottalanmiller

@Dashrender said in MPLS alternative:

@scottalanmiller said in MPLS alternative:

@Dashrender said in MPLS alternative:

Heck, I'd be surprised if Hobbit's company is encrypting data between sites - they are instead (management likely not realizing it) completely exposing their prints/fileshares with BT through their MPLS.

I guarantee that they are not. But they are not an in-house ISP. They are doing it for LAN traffic, not to build their own Internet backbone.

sure - but do you want your ISP snooping through your traffic? I definitely don't want Cox or anyone Cox allows on their network to see my traffic.

And that's why YOU should never used a leased line!

Dashrender

@scottalanmiller said in MPLS alternative:

@Dashrender said in MPLS alternative:

what would you do for a management solution for 300+ users on company owned equipment?

It's not that easy to say what TO do. That requires a lot of research. But knowing what NOT to do is a lot simpler. AD is absolutely not a good solution for a lot of sites. Even Microsoft hasn't recommended that in a long time. That's why they moved to Azure AD internally as their product for that long ago.

We have no reason to believe that they even need user management, there's no way to have that assumption. I've worked in companies that size that saw zero value to having that and I see that play out time and time again. The need for user management on the OS is probably around 50/50.

So without even knowing if the need user management, it's impossible to even start to guess how best to approach it.

Don't limit this to just user management - what about device management?

hobbit666

@scottalanmiller said in MPLS alternative:

So this is already LANless, and requires no MPLS or VPN already. This only seems complex because it's already been made complex. But if you just deploy Citrix XenApp, it "just works". It's already functional with nothing more needed.

I know, because we do this here. This is another "it works by default", you have to break its default to have the issue.

How are they logging in? What authenticating the users?