ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    MPLS alternative

    Scheduled Pinned Locked Moved IT Discussion
    mplsvpnmutli site
    172 Posts 13 Posters 30.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • DashrenderD
      Dashrender @scottalanmiller
      last edited by

      @scottalanmiller said in MPLS alternative:

      @hobbit666 said in MPLS alternative:

      Those i get, but what about printing to office printers.....

      So printing is a weird one. Typically printing desires physical proximity and no security. The nature of printing is insecure. Do you really need printing security? And do you really need to print from one site to another instead of printing locally? These things are possible, just really rare.

      Printing does have options to use some LANless design, but typically we ignore this here as we are talking about a peripheral device that simply "doesn't matter" enough.

      So I guess the real question is... since you can "just print" without any discussion or design whatsoever, what's the actual problem that you are trying to solve? I'm not sure what the question is. Whether you have LANbased or LANless design, if you hook up a USB printer you just print, if you hook up a network printer, you just print. They really fall outside of this discussion unless there is some extra factor that we can't anticipate.

      We know they are old school setup - so we assume they are using Windows print queues to print (man I hope they are all local to each subnet and not flowing over the MPLS). with that type of thinking comes these questions.

      I agree - assuming insecure printing is OK - then just move to direct IP/network based printing or USB based printing. problem solved.

      1 Reply Last reply Reply Quote 1
      • DashrenderD
        Dashrender @scottalanmiller
        last edited by

        @scottalanmiller said in MPLS alternative:

        @hobbit666 said in MPLS alternative:

        or accessing the Citrix farm

        So this is already LANless, and requires no MPLS or VPN already. This only seems complex because it's already been made complex. But if you just deploy Citrix XenApp, it "just works". It's already functional with nothing more needed.

        I know, because we do this here. This is another "it works by default", you have to break its default to have the issue.

        Sure - but where does it's users come from? that server farm surely doesn't want to manage 300+ accounts across 15 machines...

        scottalanmillerS 1 Reply Last reply Reply Quote 0
        • scottalanmillerS
          scottalanmiller @hobbit666
          last edited by

          @hobbit666 said in MPLS alternative:

          @scottalanmiller said in MPLS alternative:

          What's doing it today? Not the MPLS, because that has zero security. So what's doing it now for you?

          We log into citrix workspace with our AD credentials

          Citrix themselves make a VPN alternative specifically for this. RedGate (I think) makes one for Microsoft RDP. AppGate makes a third party one for Citrix. There are lots of solutions to this that aren't VPNs. And loads upon loads of solutions that use VPNs as part of the mechanism.

          I think CloudFlare Teams does this, too.

          And all of that is to deal with legacy AD. Remove legacy AD and everything totally changes. If you use Okta instead, for example, I doubt any of that complexity is needed. The issue is using a LANbased system, then trying to figure out how to be LANless with one piece, but not the big piece, while staying tied together.

          1 Reply Last reply Reply Quote 0
          • DashrenderD
            Dashrender @scottalanmiller
            last edited by

            @scottalanmiller said in MPLS alternative:

            @Dashrender said in MPLS alternative:

            @scottalanmiller said in MPLS alternative:

            The need for user management at the OS level primarily comes from LAN-based design. Not 100%, but maybe 85%. Once you are LANless / Zero Trust, the need to control the users at the device level changes dramatically. There are good reasons to still want it, but it has to become a business need, not a "nice if all other things were equal." It comes at high cost and carries risks, so you have to have a value that supersedes those values to justify it.

            I completely agree - though I assume that the company will want people to not use local admin accounts - or is that even over reaching?

            Why would they care? Can someone care? of course. There are good cases for caring. There are good cases for not caring. In a LANless world, you don't necessarily care very often because you aren't in the business of trying to centrally control the device. But that doesn't mean you can't, or even shouldn't, but it's purely an option.

            malware gets onto the device because they have local admin - (more easily at least) and that malware takes over their LANless products - like OD4B... you don't think that's worth not running as admin for most?

            scottalanmillerS 1 Reply Last reply Reply Quote 0
            • scottalanmillerS
              scottalanmiller @Dashrender
              last edited by

              @Dashrender said in MPLS alternative:

              @scottalanmiller said in MPLS alternative:

              @hobbit666 said in MPLS alternative:

              or accessing the Citrix farm

              So this is already LANless, and requires no MPLS or VPN already. This only seems complex because it's already been made complex. But if you just deploy Citrix XenApp, it "just works". It's already functional with nothing more needed.

              I know, because we do this here. This is another "it works by default", you have to break its default to have the issue.

              Sure - but where does it's users come from? that server farm surely doesn't want to manage 300+ accounts across 15 machines...

              Right, why manage them? The simple answer is... just don't. Managing accounts isn't actually something most companies need. It feels that way because we've always done it. But mostly, that's because of good marketing, not because it was actually a necessity. But the need for it has plummeted as well. In 2001, it made a lot more sense than it does in 2021.

              DashrenderD 1 Reply Last reply Reply Quote 0
              • scottalanmillerS
                scottalanmiller @Dashrender
                last edited by

                @Dashrender said in MPLS alternative:

                @scottalanmiller said in MPLS alternative:

                @Dashrender said in MPLS alternative:

                @scottalanmiller said in MPLS alternative:

                The need for user management at the OS level primarily comes from LAN-based design. Not 100%, but maybe 85%. Once you are LANless / Zero Trust, the need to control the users at the device level changes dramatically. There are good reasons to still want it, but it has to become a business need, not a "nice if all other things were equal." It comes at high cost and carries risks, so you have to have a value that supersedes those values to justify it.

                I completely agree - though I assume that the company will want people to not use local admin accounts - or is that even over reaching?

                Why would they care? Can someone care? of course. There are good cases for caring. There are good cases for not caring. In a LANless world, you don't necessarily care very often because you aren't in the business of trying to centrally control the device. But that doesn't mean you can't, or even shouldn't, but it's purely an option.

                malware gets onto the device because they have local admin - (more easily at least) and that malware takes over their LANless products - like OD4B... you don't think that's worth not running as admin for most?

                Running as admin and giving admin access are two unrelated topics. You are leaping from one thing of who is in control to the person being in control will violate basic computing policies and HR won't do anything about it. You can't assume, in trying to design a good business, that all parts of the business other than the isolated piece we are looking at, will simply fail and be allowed to fail. That's illogical and contrived.

                But, then you always have to ask, why are you using products that that malware can take over? Why that exposure?

                DashrenderD 1 Reply Last reply Reply Quote 0
                • DashrenderD
                  Dashrender @scottalanmiller
                  last edited by

                  @scottalanmiller said in MPLS alternative:

                  @Dashrender said in MPLS alternative:

                  @scottalanmiller said in MPLS alternative:

                  @hobbit666 said in MPLS alternative:

                  or accessing the Citrix farm

                  So this is already LANless, and requires no MPLS or VPN already. This only seems complex because it's already been made complex. But if you just deploy Citrix XenApp, it "just works". It's already functional with nothing more needed.

                  I know, because we do this here. This is another "it works by default", you have to break its default to have the issue.

                  Sure - but where does it's users come from? that server farm surely doesn't want to manage 300+ accounts across 15 machines...

                  Right, why manage them? The simple answer is... just don't. Managing accounts isn't actually something most companies need. It feels that way because we've always done it. But mostly, that's because of good marketing, not because it was actually a necessity. But the need for it has plummeted as well. In 2001, it made a lot more sense than it does in 2021.

                  You've completely lost me -

                  You SAM are standing up a Citrix farm of 15 servers for 300+ users - where does their logon information come from so those 300+ users can log into the Citrix app?

                  I think that's as simple a question as I can get.

                  scottalanmillerS 1 Reply Last reply Reply Quote 0
                  • DashrenderD
                    Dashrender @scottalanmiller
                    last edited by

                    @scottalanmiller said in MPLS alternative:

                    @Dashrender said in MPLS alternative:

                    @scottalanmiller said in MPLS alternative:

                    @Dashrender said in MPLS alternative:

                    @scottalanmiller said in MPLS alternative:

                    The need for user management at the OS level primarily comes from LAN-based design. Not 100%, but maybe 85%. Once you are LANless / Zero Trust, the need to control the users at the device level changes dramatically. There are good reasons to still want it, but it has to become a business need, not a "nice if all other things were equal." It comes at high cost and carries risks, so you have to have a value that supersedes those values to justify it.

                    I completely agree - though I assume that the company will want people to not use local admin accounts - or is that even over reaching?

                    Why would they care? Can someone care? of course. There are good cases for caring. There are good cases for not caring. In a LANless world, you don't necessarily care very often because you aren't in the business of trying to centrally control the device. But that doesn't mean you can't, or even shouldn't, but it's purely an option.

                    malware gets onto the device because they have local admin - (more easily at least) and that malware takes over their LANless products - like OD4B... you don't think that's worth not running as admin for most?

                    Running as admin and giving admin access are two unrelated topics. You are leaping from one thing of who is in control to the person being in control will violate basic computing policies and HR won't do anything about it. You can't assume, in trying to design a good business, that all parts of the business other than the isolated piece we are looking at, will simply fail and be allowed to fail. That's illogical and contrived.

                    But, then you always have to ask, why are you using products that that malware can take over? Why that exposure?

                    WHAT? Are you implying that a company simply "would" have policies that users not run as local admins? Ok, honestly hadn't considered that. But that said - that will almost NEVER happen unless the company sets up the computer for the user, and creates the user's local account as a non admin for them. then the installer can decide wither or not to provide the local admin password to the user a well for when that's needed.

                    If I simply gave my users a brand new Windows machine - they would NEVER use any account other than the very first one that gets setup upon first boot, which by default is a local admin. This is the bit you have to get past in my mind.

                    As for your question on malware take over - really? So NC - you refuse to use local sync? - and targeted malware could still be on the machine and use the web browser to attack using the user's logon if the attacker wants to push it hard enough.... yeah, I know, that's a bit over the top though.

                    scottalanmillerS 3 Replies Last reply Reply Quote 0
                    • scottalanmillerS
                      scottalanmiller @Dashrender
                      last edited by

                      @Dashrender said in MPLS alternative:

                      @scottalanmiller said in MPLS alternative:

                      @Dashrender said in MPLS alternative:

                      @scottalanmiller said in MPLS alternative:

                      @hobbit666 said in MPLS alternative:

                      or accessing the Citrix farm

                      So this is already LANless, and requires no MPLS or VPN already. This only seems complex because it's already been made complex. But if you just deploy Citrix XenApp, it "just works". It's already functional with nothing more needed.

                      I know, because we do this here. This is another "it works by default", you have to break its default to have the issue.

                      Sure - but where does it's users come from? that server farm surely doesn't want to manage 300+ accounts across 15 machines...

                      Right, why manage them? The simple answer is... just don't. Managing accounts isn't actually something most companies need. It feels that way because we've always done it. But mostly, that's because of good marketing, not because it was actually a necessity. But the need for it has plummeted as well. In 2001, it made a lot more sense than it does in 2021.

                      You've completely lost me -

                      You SAM are standing up a Citrix farm of 15 servers for 300+ users - where does their logon information come from so those 300+ users can log into the Citrix app?

                      I think that's as simple a question as I can get.

                      Oh, specifically for Citrix. So in that case, I don't know what ALL options Citrix provides. In the case of RDS you are forced to use AD, but it can be "local AD" without any network connection. There is a LANless way to use AD for that.

                      But for our RDP farm, we use local users. Easier to do local than to do AD (by the tiniest amount.)

                      DashrenderD 1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller @Dashrender
                        last edited by

                        @Dashrender said in MPLS alternative:

                        WHAT? Are you implying that a company simply "would" have policies that users not run as local admins? Ok, honestly hadn't considered that. But that said - that will almost NEVER happen unless the company sets up the computer for the user, and creates the user's local account as a non admin for them. then the installer can decide wither or not to provide the local admin password to the user a well for when that's needed.

                        Setting up the computer initially (imaging it, for example) is different than having a big user management system for once they hand out the machines.

                        Also, pick a good OS and this problem solves itself 😉 Only Windows shops can even end up having this discussion! And Windows is often an artifact of LAN thinking. Again, not always, but often.

                        But by default, the Linux, Mac, and ChromeOS worlds have this solved right out of the gate.

                        1 Reply Last reply Reply Quote 0
                        • scottalanmillerS
                          scottalanmiller @Dashrender
                          last edited by

                          @Dashrender said in MPLS alternative:

                          If I simply gave my users a brand new Windows machine - they would NEVER use any account other than the very first one that gets setup upon first boot, which by default is a local admin. This is the bit you have to get past in my mind.

                          Sure, so don't do that. That's, again, a different failure. You are assuming bad imaging or setup or handover, then using that as the basis for needing all this complication after the fact. Solve the problem at the root, rather than applying bandaids later.

                          DashrenderD 1 Reply Last reply Reply Quote 0
                          • DashrenderD
                            Dashrender @scottalanmiller
                            last edited by

                            @scottalanmiller said in MPLS alternative:

                            @Dashrender said in MPLS alternative:

                            @scottalanmiller said in MPLS alternative:

                            @Dashrender said in MPLS alternative:

                            @scottalanmiller said in MPLS alternative:

                            @hobbit666 said in MPLS alternative:

                            or accessing the Citrix farm

                            So this is already LANless, and requires no MPLS or VPN already. This only seems complex because it's already been made complex. But if you just deploy Citrix XenApp, it "just works". It's already functional with nothing more needed.

                            I know, because we do this here. This is another "it works by default", you have to break its default to have the issue.

                            Sure - but where does it's users come from? that server farm surely doesn't want to manage 300+ accounts across 15 machines...

                            Right, why manage them? The simple answer is... just don't. Managing accounts isn't actually something most companies need. It feels that way because we've always done it. But mostly, that's because of good marketing, not because it was actually a necessity. But the need for it has plummeted as well. In 2001, it made a lot more sense than it does in 2021.

                            You've completely lost me -

                            You SAM are standing up a Citrix farm of 15 servers for 300+ users - where does their logon information come from so those 300+ users can log into the Citrix app?

                            I think that's as simple a question as I can get.

                            Oh, specifically for Citrix. So in that case, I don't know what ALL options Citrix provides. In the case of RDS you are forced to use AD, but it can be "local AD" without any network connection. There is a LANless way to use AD for that.

                            But for our RDP farm, we use local users. Easier to do local than to do AD (by the tiniest amount.)

                            yeah to endpoints I could see the local bit - but that's really only for the user of the device - which is fine.

                            What is "Local AD"? how does that span the 15 servers in the Citrix Farm?

                            I just found an article that seems to talk about using AAD, but then it clearly starts out by saying

                            the use of an Active Directory domain continues to remain a requirement.

                            scottalanmillerS 2 Replies Last reply Reply Quote 0
                            • DashrenderD
                              Dashrender @scottalanmiller
                              last edited by

                              @scottalanmiller said in MPLS alternative:

                              @Dashrender said in MPLS alternative:

                              If I simply gave my users a brand new Windows machine - they would NEVER use any account other than the very first one that gets setup upon first boot, which by default is a local admin. This is the bit you have to get past in my mind.

                              Sure, so don't do that. That's, again, a different failure. You are assuming bad imaging or setup or handover, then using that as the basis for needing all this complication after the fact. Solve the problem at the root, rather than applying bandaids later.

                              No I wasn't assuming that - but I did want you to get MORE specific, which you seem to keep avoiding.

                              1 Reply Last reply Reply Quote 0
                              • scottalanmillerS
                                scottalanmiller @Dashrender
                                last edited by

                                @Dashrender said in MPLS alternative:

                                As for your question on malware take over - really? So NC - you refuse to use local sync? - and targeted malware could still be on the machine and use the web browser to attack using the user's logon if the attacker wants to push it hard enough.... yeah, I know, that's a bit over the top though.

                                So NC, we don't use local sync, that's correct. We only use NC for giant files and that would be a problem if we synced them. Not sure how targeted malware would do what you are saying, but theoretically anything is a vector.

                                Not that people shouldn't use NC with local sync, it's a valid use case. Just we don't. No need.

                                We go farther than most companies to LANless. Zero Trust is more the security aspect of LANless. We also do fileless. Not 100%, but we are getting there. We use essentially no files any longer.

                                DashrenderD 1 Reply Last reply Reply Quote 0
                                • scottalanmillerS
                                  scottalanmiller @Dashrender
                                  last edited by

                                  @Dashrender said in MPLS alternative:

                                  What is "Local AD"? how does that span the 15 servers in the Citrix Farm?

                                  AD DCs running in and only in, the cluster. This is a common pattern, actually, at least with RDS (which is the basis for XenApp). We do this for customers all the time. AD that's dedicated to the RDS/XA and isn't on the LAN itself.

                                  DashrenderD 1 Reply Last reply Reply Quote 0
                                  • DashrenderD
                                    Dashrender @scottalanmiller
                                    last edited by

                                    @scottalanmiller said in MPLS alternative:

                                    We use essentially no files any longer.

                                    I love this -

                                    So you have email
                                    and what Rocket Chat for texting....

                                    Maybe your company has zero need for an individual to make a personal spreadsheet, etc... but if they did, how would you handle that?

                                    JaredBuschJ scottalanmillerS 2 Replies Last reply Reply Quote 0
                                    • scottalanmillerS
                                      scottalanmiller @Dashrender
                                      last edited by

                                      @Dashrender said in MPLS alternative:

                                      I just found an article that seems to talk about using AAD, but then it clearly starts out by saying

                                      the use of an Active Directory domain continues to remain a requirement.

                                      Yes, like the VPN discussion, AD is a tool. There is a difference between have an AD network (user end points are on AD) and using AD as a tool for RDS/XA. Just like our original discussion of VPNs was about site to site MPLS style replacement. But then you can use a VPN for something absolutely different, as 2FA for RDS/XA.

                                      So AD as a "network authentication design" is LANbased. And AD itself is intended only for use on a LAN. So to LANless-ify LANbased software you have to encapsulate it. For AD and RDS, that means that the RDS/XA farm gets its own isolated AD just for it. Now your AD is a LANbased tool being used LANlessly.

                                      1 Reply Last reply Reply Quote 0
                                      • JaredBuschJ
                                        JaredBusch @Dashrender
                                        last edited by

                                        @Dashrender said in MPLS alternative:

                                        @scottalanmiller said in MPLS alternative:

                                        We use essentially no files any longer.

                                        I love this -

                                        So you have email
                                        and what Rocket Chat for texting....

                                        Maybe your company has zero need for an individual to make a personal spreadsheet, etc... but if they did, how would you handle that?

                                        That is personal by definition. So they should not be doing it anyway. This is work.

                                        Work "documents" are Excel Online, or WTFever ZoHo is. Not files.

                                        scottalanmillerS 1 Reply Last reply Reply Quote 1
                                        • scottalanmillerS
                                          scottalanmiller @Dashrender
                                          last edited by

                                          @Dashrender said in MPLS alternative:

                                          @scottalanmiller said in MPLS alternative:

                                          We use essentially no files any longer.

                                          I love this -

                                          So you have email
                                          and what Rocket Chat for texting....

                                          Maybe your company has zero need for an individual to make a personal spreadsheet, etc... but if they did, how would you handle that?

                                          So we have email and no one should be sending files on it internally. We have Cliq for internal chat. Again, no one should send files (not counting memes, of course, gotta send those.)

                                          We have spreadsheets, but we don't use legacy file based ones. Ours are all database managed with no files behind them as it should be. If we had to send a file to an outside entity, you for example, we would generate a file to send just for you. It's not a file we use internally, we don't have that file on our network. We generate it at the time that we are sending it to you.

                                          DashrenderD 1 Reply Last reply Reply Quote 0
                                          • DashrenderD
                                            Dashrender @scottalanmiller
                                            last edited by

                                            @scottalanmiller said in MPLS alternative:

                                            @Dashrender said in MPLS alternative:

                                            What is "Local AD"? how does that span the 15 servers in the Citrix Farm?

                                            AD DCs running in and only in, the cluster. This is a common pattern, actually, at least with RDS (which is the basis for XenApp). We do this for customers all the time. AD that's dedicated to the RDS/XA and isn't on the LAN itself.

                                            Fantastic! This is exactly what I had envisioned.

                                            So your earlier comment about

                                            @scottalanmiller said in MPLS alternative:

                                            Someone accidentally ties the Citrix ICA authentication to AD. They then expose AD to the Internet.

                                            you meant that they somehow exposed those AD servers directly to the Internet - which is just crazy. But leaving them in the background behind the RDS/ICA servers should be pretty secure.?

                                            JaredBuschJ scottalanmillerS S 3 Replies Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 5
                                            • 6
                                            • 7
                                            • 8
                                            • 9
                                            • 7 / 9
                                            • First post
                                              Last post