Why you don't need a VPN or not?



  • @scottalanmiller how do you not have VPN now?

    Nope, none.

    Methinks he's looking for an explanation of how you guys got rid of VPN.

    Me too.

    Just no need for it. Try it in reverse, what do you have that makes you want a VPN?

    Files on the LAN, for the LAN users?



  • Secure access to server management would make sense to secure with a VPN and 2FA.



  • @pete-s said in Why you don't need a VPN or not?:

    Files on the LAN, for the LAN users?

    So then the question becomes... why a need for the LAN? Is the LAN heavily entrenched and you can't get away from it yet? Is there some special need that only a LAN can support?

    Youtube Video



  • @pete-s said in Why you don't need a VPN or not?:

    Secure access to server management would make sense to secure with a VPN and 2FA.

    2FA helps anywhere, for sure. But we specifically avoid VPN for server management because of the big exposure and risk it creates compared to other methodologies.

    VPNs have the "open window" effect, data transfers directly between systems. We avoid VPN when possible to work from a "closed window" perspective that does a lot to prevent contamination from "extra-LAN" systems.

    This is far more heavily pronounced in an MSP scenario where systems at the MSP could end up acting as a transfer point for viruses between customers. But the risk is just more pronounced, not unique.



  • Few other VPN vids...

    Youtube Video





  • @pete-s said in Why you don't need a VPN or not?:

    @scottalanmiller how do you not have VPN now?

    Nope, none.

    Methinks he's looking for an explanation of how you guys got rid of VPN.

    Me too.

    Just no need for it. Try it in reverse, what do you have that makes you want a VPN?

    Files on the LAN, for the LAN users?

    The thing is the technology is here and free and well documented and used.
    But it is a bit ancient, and there is new stuff like certificate-based authentication on many protocols now, even HTTP, so check for those first, and try to implement something modern and less like "I will reroute all the traffic to this client."



  • @emad-r said in Why you don't need a VPN or not?:

    @pete-s said in Why you don't need a VPN or not?:

    @scottalanmiller how do you not have VPN now?

    Nope, none.

    Methinks he's looking for an explanation of how you guys got rid of VPN.

    Me too.

    Just no need for it. Try it in reverse, what do you have that makes you want a VPN?

    Files on the LAN, for the LAN users?

    The thing is the technology is here and free and well documented and used.

    Yes, and well known to not be a good solution. The alternatives are also free and well documented and used. Choosing a bad approach just because it's not "that bad" isn't a good decision approach.



  • @emad-r said in Why you don't need a VPN or not?:

    But it is a bit ancient, and there is new stuff like certificate-based authentication on many protocols now, even HTTP, so check for those first, and try to implement something modern and less like "I will reroute all the traffic to this client."

    All of it is ancient. LAN concepts and LANless are about as old as IT itself. It's not about new protocols, it's about a more modern understanding of the limitations, costs, and risks of LAN-centric security trust.



  • @scottalanmiller

    I have trouble understanding the problems you refer to (as typical VPN problems), as these are not typical uses that I have come into contact with.

    For example, I use a VPN client to connect into customers' networks. Does that put my computer on their LAN? No, it puts my computer into their firewall, where my access is heavily restricted to a few IP addresses and a few ports, specific to my actual needs. And my computer has to follow a long set of rules to be allowed to connect, and customers also have their own VPN client (and 2FA) - which means I set up one VM for each customer I need to connect to.



  • And then we have site-to-site VPN. What is the problem? It's office-to-office connections so clients in one office can access resources on the LAN in the other. Firewalls limit traffic in both directions.

    It's unlikely that the link itself is compromised, and the security has the same layers as if you were in one of the security zones on the LAN.



  • Regarding LAN or not, that's just a matter of speed. Speed is time and time is money.

    If we could get local LAN speed on the WAN (internet) then there would be little point in having any resources on the LAN. Unless they need to be local - like a printer, IP phone, or manufacturing equipment, for instance.

    But we are far from that point. I consider gigabit LAN to be standard and very few have gigabit speed from end-point to server when the server is not on the LAN.

    For some things it doesn't matter because it's fast enough. Like office files that are often a few meg at most.



  • Also regarding LAN-centric security trust. All I see in modern installations are security zones where traffic gets firewalled between different types of things on different VLANs. Just because something is connected on the LAN doesn't mean it's trusted or has full access to everything else.

    But maybe what I come in contact with is not what is commonly done. That's entirely possible.

    To me VPN is just a secure connection. It doesn't mean the end-points are secure.
    And we don't need to extend the LAN if we don't have network resources on the LAN that we need to access, or we can access them in another way.



  • I know big corps that have been killed by VPN.
    A serious attack at one site killed all the services worldwide. While this is mostly bad networking design, this is also VPN propagating s**t.



  • As a general rule you should open secured sessions on demand. Site to site is not on demand.



  • @matteo-nunziati said in Why you don't need a VPN or not?:

    I know big corps that have been killed by VPN.
    A serious attack at one site killed all the services worldwide. While this is mostly bad networking design, this is also VPN propagating s**t.

    Yes, but that's misleading to attribute that to VPN. You could just as easily argue that big corps have been killed by Cat 6 cables as well.



  • I mean: if files were exchanged by HTTPS on-demand sessions, no propagation would be possible.



  • @matteo-nunziati said in Why you don't need a VPN or not?:

    I mean: if files were exchanged by HTTPS on-demand sessions, no propagation would be possible.

    Yes, I understand. But if the firewall handling the VPN link just allowed HTTP/HTTPS you would have the exact same thing.



  • @pete-s firewall OS security flaws caused the damage.

    If you lose a couple of things you reduce the probability of attacks, that's it. Just this.



  • @matteo-nunziati said in Why you don't need a VPN or not?:

    @pete-s firewall OS security flaws caused the damage.

    If you lose a couple of things you reduce the probability of attacks, that's it. Just this.

    But in a "LANless" environment you expose everything to the internet, so your attack surface is huge. And many systems share the exact same security bugs. It may not take down all servers at the same time though.

    To be honest though, the end-points are a big problem regardless of whether you have a LAN or not.



  • @pete-s said in Why you don't need a VPN or not?:

    @matteo-nunziati said in Why you don't need a VPN or not?:

    @pete-s firewall OS security flaws caused the damage.

    If you lose a couple of things you reduce the probability of attacks, that's it. Just this.

    But in a "LANless" environment you expose everything to the internet, so your attack surface is huge. And many systems share the exact same security bugs. It may not take down all servers at the same time though.

    To be honest though, the end-points are a big problem regardless of whether you have a LAN or not.

    Actually, it makes your attack surface tiny compared to a distributed network. @scottalanmiller made a good drawing in one of his Mangocon talks that should be available, it is just hard for me to look it up and link it on my phone at the moment.

    LAN + site to site VPN = attack surface of every client and server.

    LANless = attack surface of only servers



  • @pete-s said in Why you don't need a VPN or not?:

    For example, I use a VPN client to connect into customers' networks. Does that put my computer on their LAN? No, it puts my computer into their firewall, where my access is heavily restricted to a few IP addresses and a few ports, specific to my actual needs. And my computer has to follow a long set of rules to be allowed to connect, and customers also have their own VPN client (and 2FA) - which means I set up one VM for each customer I need to connect to.

    Their firewall is on their LAN. Yes, it puts you on their LAN. And having different VPN clients for different customers does literally nothing for security benefits, just adds complication on your end. That you restrict machines attaching remotely to only a few ports does increase security, but just highlights that you recognize the dangers of a VPN and are attempting to mitigate as much as you can, which is a bit, but is still only a mitigation of a risk that need not exist at all.

    VPNs, no matter how locked down, are still slightly more risky than not having a VPN. You can lock them down a lot, but this requires effort and requires that you get it right and requires that the attack vectors don't leverage what is left open.

    The sole purpose of a VPN is to extend the LAN. Any use of a VPN adds risk for this reason.



  • @pete-s said in Why you don't need a VPN or not?:

    And then we have site-to-site VPN. What is the problem? It's office-to-office connections so clients in one office can access resources on the LAN in the other. Firewalls limit traffic in both directions.

    The problem is two fold...

    First: It means you are using the LAN as a "safe zone" where you trust things. If you weren't, you'd have no reason to want to extend it, it would be illogical. This itself is a huge security risk, the one that modern ransomware preys on specifically. As do most hackers. So as a starting point, the desire to use a VPN flags that there is an underlying desire for a LAN space where security is assumed due to location, rather than being secured further.

    Second: It "doubles" (assuming both offices are the same size) the risk pool of the LAN. If you have 50 PCs in one LAN, and 50 PCs in the other, and enact a site to site VPN you've increased the risk pool to 100 PCs. Any attack or infection has a vastly larger attack surface, and a larger chance of spreading.

    Think of the LAN like a kindergarten. The more kids you put in one place, the more likely for disease to spread, for security to be breached.
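    The "risk pool" argument in this post, and the earlier "LAN + site to site VPN = attack surface of every client and server / LANless = attack surface of only servers" summary, can be made concrete with a small reachability model. The following is an added example, not code from the thread or from any participant: the host names, the two topologies, and the assumption that an attacker on a compromised host can hop to any host that host is allowed to open a connection to are all constructed for illustration.

```python
"""Blast-radius model: two trusted LANs joined by a site-to-site VPN versus a
LANless design where each client only opens on-demand sessions to servers.

Added example (not from the thread). The topology and the hop rule below are
constructed assumptions used to illustrate the "risk pool" argument.
"""
from collections import deque


def lan_with_site_to_site_vpn(site_a_pcs, site_b_pcs, servers):
    """Two LANs joined by a site-to-site VPN.

    Assumption: inside a trusted LAN any host may open a connection to any
    other host, and the VPN extends that trust across sites, so the allowed-
    connection graph is complete over both sites plus the servers.
    """
    hosts = list(site_a_pcs) + list(site_b_pcs) + list(servers)
    return {h: {other for other in hosts if other != h} for h in hosts}


def lanless(pcs, servers, server_to_server=()):
    """LANless design.

    Assumption: each PC opens authenticated, on-demand sessions only to the
    servers it needs; PCs never accept inbound connections, and servers only
    reach the peers explicitly listed in server_to_server (src, dst) pairs.
    """
    graph = {pc: set(servers) for pc in pcs}
    for server in servers:
        graph[server] = set()
    for src, dst in server_to_server:
        graph[src].add(dst)
    return graph


def blast_radius(graph, compromised):
    """Set of hosts reachable from `compromised` by hopping along allowed
    connections (breadth-first search). The starting host is excluded."""
    seen = {compromised}
    queue = deque([compromised])
    while queue:
        current = queue.popleft()
        for nxt in graph[current]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {compromised}


def compare(n_site_a=50, n_site_b=50, n_servers=4):
    """Blast radius of one compromised PC in site A under both designs.

    Constructed sizes: 50 PCs per site (as in the post) and 4 servers.
    """
    site_a = [f"a-pc{i}" for i in range(n_site_a)]
    site_b = [f"b-pc{i}" for i in range(n_site_b)]
    servers = [f"srv{i}" for i in range(n_servers)]
    patient_zero = site_a[0]

    vpn_graph = lan_with_site_to_site_vpn(site_a, site_b, servers)
    flat_graph = lanless(site_a + site_b, servers)

    return {
        "lan_plus_vpn": len(blast_radius(vpn_graph, patient_zero)),
        "lanless": len(blast_radius(flat_graph, patient_zero)),
    }


if __name__ == "__main__":
    # With 50 + 50 PCs and 4 servers: one infected PC can reach 103 hosts over
    # the joined LANs, but only the 4 servers in the LANless model.
    print(compare())
```

    Changing `server_to_server` shows the caveat a practitioner would want: every server-to-server trust path you add grows the LANless blast radius as well, so the model only stays small if servers are also kept from reaching each other except where explicitly needed.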



  • @pete-s said in Why you don't need a VPN or not?:

    Regarding LAN or not, that's just a matter of speed. Speed is time and time is money.

    LAN based vs. LANless has no change, none, in speed. This is a misunderstanding of the concepts. Low security trust of locality does not improve speed. This is a common excuse used, but it is not valid. It misses the point that we are talking concepts, not products.



  • @pete-s said in Why you don't need a VPN or not?:

    Also regarding LAN-centric security trust. All I see in modern installations are security zones where traffic gets firewalled between different types of things on different VLANs. Just because something is connected on the LAN doesn't mean it's trusted or has full access to everything else.

    But maybe what I come in contact with is not what is commonly done. That's entirely possible.

    IT is like anything else, the majority always do it horribly. What is common is never good. Functional, yes, but good, absolutely not. The average shop, from SMB to enterprise, overspends and underdelivers. They are at risk of failure, they leak data, they get hacked, they are afflicted with ransomware, and they spend easily 10x as much as they should without addressing any of those things well.

    The same is true in all industries, it has nothing to do with IT. The majority of any pool of workers isn't competent enough to do a job well, there just aren't enough people interested or incentivized to work well to make this change. This is why the majority of companies don't want to hire great people, just cheap "good enough" people that can be managed through processes. There just isn't a way for every company to only hire great people; if great people represent 1% of the market, at best 1% of companies can staff with them.



  • VLANs assist in security, but do very little. If those VLANs talk to each other (and most have to - because if they don't need to, chances are you didn't need them in the first place) then their goals are mostly defeated. And using VLANs tells us that LANs still exist, so while each VLAN is a smaller risk than before, the risk is just lessened, not removed. But why keep the risk at all?

    VLANs, like the port limitations on your firewalls, are flags that the IT shops have recognized that LANs are the risk, but are unable or unwilling to stop depending on the LAN security zones so are just "making do" with bandaids to lessen the risk, rather than removing it.

    So if you port limit on a VPN, or use a VLAN, then my view is that that shop has recognized that the LAN is the problem.



  • @pete-s said in Why you don't need a VPN or not?:

    To me VPN is just a secure connection. It doesn't mean the end-points are secure.

    Exactly, but the VPN connection itself is not the problem, it's that it is a connection at all. The VPN itself is normally secure, but that's not the risk. The VPN is an additional thing, so even if it is 100% secure (and it is not) then its own level of security doesn't improve the existing risk. But the LAN extension that a VPN does is the real risk. By connecting two (or more) networks together, the risks of one network can spread to the other. The VPN creates a conduit by which risk can extend.

    The very purpose of the VPN is to take one network and expose it to another. The value in a VPN is that it exposes good services. The problem with a VPN is that any exposure of good services exposes bad ones, too.



  • @matteo-nunziati said in Why you don't need a VPN or not?:

    As a general rule you should open secured sessions on demand. Site to site is not on demand.

    Site to site "can be" on demand. We used to do that all of the time. These days, there tends to be so much traffic that "on demand" is also "demanded all of the time." But site to site can be done on an on demand basis.



  • @pete-s said in Why you don't need a VPN or not?:

    @matteo-nunziati said in Why you don't need a VPN or not?:

    I know big corps that have been killed by VPN.
    A serious attack at one site killed all the services worldwide. While this is mostly bad networking design, this is also VPN propagating s**t.

    Yes, but that's misleading to attribute that to VPN. You could just as easily argue that big corps have been killed by Cat 6 cables as well.

    No, I don't think it is misleading. The CAT6 is a necessary component of attaching devices and doesn't cause or suggest the risk. The VPN is both a completely unnecessary risk itself, and it is a sign that they used LAN based security thinking and created the big risk.

    It's true, if we removed the cables, the risk would stop. But we can't remove the cables and still function. But it is also true that if we removed the VPN the risk would stop, and we don't need the VPN to function. That's the difference.

    It's like the difference between blaming lungs or smoking for lung cancer. Yes, we could kill the patient and remove the lungs and avoid lung cancer that way. But that's missing goal level thinking.

    In one case, our real goal is a healthy patient. To have that, we know obviously to stop smoking, but keep the lungs.

    In the other case we want a healthy, functioning business. To have that, we know obviously to stop LAN thinking and not use a VPN, but keep the CAT6 cables.



  • @pete-s said in Why you don't need a VPN or not?:

    @matteo-nunziati said in Why you don't need a VPN or not?:

    I mean: if files were exchanged by HTTPS on-demand sessions, no propagation would be possible.

    Yes, I understand. But if the firewall handling the VPN link just allowed HTTP/HTTPS you would have the exact same thing.

    Yes, and that's completely true. BUT, if you did that, WHY would you have the VPN in the first place? What purpose is it there for, just to add a higher risk of outages? Just to cost more to maintain? If it isn't extending the LAN, or securing a connection, why add the overhead, cost, and risk (outage risk, not exposure risk, in that case?)

    It's worth noting that SDN uses VPN under the hood and is sometimes used for this, but people don't call it a VPN when doing so, so we normally ignore it. But yes, people use products like ZT in LANless design to avoid needs for static IPs and such, not for security.

