Why you don't need a VPN or not?
-
VLANs assist in security, but do very little. If those VLANs talk to each other (and most have to - because if they don't need to, chances are you didn't need them in the first place) then their goals are mostly defeated. And using VLANs tells us that LANs still exist, so while each VLAN is a smaller risk than before, the risk is just lessened, not removed. But why keep the risk at all?
VLANs, like the port limitations on your firewalls, are flags that the IT shops have recognized that LANs are the risk, but are unable or unwilling to stop depending on the LAN security zones so are just "making do" with bandaids to lessen the risk, rather than removing it.
So if you port limit on a VPN, or use a VLAN, then my view is that that shop has recognized that the LAN is the problem.
-
@pete-s said in Why you don't need a VPN or not?:
To me VPN is just a secure connection. It doesn't mean the end-points are secure.
Exactly, but the VPN connection itself is not the problem; the problem is that it is a connection at all. The VPN itself is normally secure, but that's not the risk. The VPN is an additional thing, so even if it is 100% secure (and it is not) then its own level of security doesn't improve the existing risk. But the LAN extension that a VPN does is the real risk. By connecting two (or more) networks together, the risks of one network can spread to the other. The VPN creates a conduit by which risk can extend.
The very purpose of the VPN is to take one network and expose it to another. The value in a VPN is that it exposes good services. The problem with a VPN is that any exposure of good services exposes bad ones, too.
-
@matteo-nunziati said in Why you don't need a VPN or not?:
As a general rule you should open secured sessions on demand. Site to site is not on demand
Site to site "can be" on demand. We used to do that all of the time. These days, there tends to be so much traffic that "on demand" is also "demanded all of the time." But site to site can be done on an on demand basis.
-
@pete-s said in Why you don't need a VPN or not?:
@matteo-nunziati said in Why you don't need a VPN or not?:
I know big corps that have been killed by vpn .
A serious attack at 1 site killed all the services world wide. While this is mostly bad networking design this is also vpn propagating s**t
Yes, but that's misleading to attribute that to VPN. You could just as easily argue that big corps have been killed by cat 6 cables as well.
No, I don't think it is misleading. The CAT6 is a necessary component of attaching devices and doesn't cause or suggest the risk. The VPN is both a completely unnecessary risk itself, and it is a sign that they used LAN based security thinking and created the big risk.
It's true, if we removed the cables, the risk would stop. But we can't remove the cables and still function. But it is also true that if we removed the VPN that the risk would stop, but we don't need the VPN to function. That's the difference.
It's like the difference between blaming lungs or smoking for lung cancer. Yes, we could kill the patient and remove the lungs and avoid lung cancer that way. But that's missing goal level thinking.
In one case, our real goal is a healthy patient. To have that, we know obviously to stop smoking, but keep the lungs.
In the other case we want a healthy, functioning business. To have that, we know obviously to stop LAN thinking and not use a VPN, but keep the CAT6 cables.
-
@pete-s said in Why you don't need a VPN or not?:
@matteo-nunziati said in Why you don't need a VPN or not?:
I mean: if files were exchanged by https on demand sessions no propagation was possible.
Yes, I understand. But if the firewall handling the VPN link just allowed http/https you would have the exact same thing.
Yes, and that's completely true. BUT, if you did that, WHY would you have the VPN in the first place? What purpose is it there for, just to add a higher risk of outages? Just to cost more to maintain? If it isn't extending the LAN, or securing a connection, why add the overhead, cost, and risk (outage risk, not exposure risk, in that case?)
It's worth noting that SDN uses VPN under the hood and is sometimes used for this, but people don't call it a VPN when doing so, so we normally ignore it. But yes, people use products like ZT in LANless design to avoid needs for static IPs and such, not for security.
-
@pete-s said in Why you don't need a VPN or not?:
But in a "LANless" environment you expose everything to the internet so your attack surface is huge.
Nothing in LANless design suggests this. You are combining the concept of the architecture of LANless, with the concept of hosted. Of course they go well together, but they are not intrinsically linked or related.
This is like how people used "cloud" to mean hosted systems (a terrible term) and then confuse "cloud computing" with things being hosted. But in house cloud is extremely common and normal and in no way less cloud than hosted cloud. LANless doesn't imply hosted, you can do LANless design completely in house without any exposure to the Internet whatsoever.
Any exposure to the Internet, if necessary, would be equal or less than the exposure needed for a VPN to cover the same linkages.
One could argue, but it would be silly, that VPN implies Internet facing systems, while LANless does not. Logically one has no connection, but a VPN's purpose is to be used over the Internet.
-
@scottalanmiller said in Why you don't need a VPN or not?:
@pete-s said in Why you don't need a VPN or not?:
But in a "LANless" environment you expose everything to the internet so your attack surface is huge.
Nothing in LANless design suggests this. You are combining the concept of the architecture of LANless, with the concept of hosted. Of course they go well together, but they are not intrinsically linked or related.
I think you might be associating things that are not really tied together. LAN is a local area network. It doesn't implicate anything about security. It doesn't mean that everything inside the LAN is considered secure and everything outside is hostile. That is not the definition of a LAN. It's just an arbitrary geographical boundary of a network, that used to end when you had a leased line and then it became a WAN.
How the architecture and security in the LAN is set up is a completely separate issue. Modern LAN practice is more network segmentation and inter-zone firewalling and monitoring. That is what I see customer LANs have as well. It's common for instance to have firewalls inside the LAN. Some variation of this is called zero trust network.
Scott, I honestly don't understand what you mean by "LANless" if you don't mean put every client device and every service on the internet directly and use secure communication between everything. Technically speaking LAN-less would be a misnomer if you have more than one device in the same area, would it not? Do you have a network diagram describing what LANless is? Sometimes language is not precise enough and besides English is not my first language.
-
@pete-s said in Why you don't need a VPN or not?:
I think you might be associating things that are not really tied together. LAN is a local area network. It doesn't implicate anything about security. It doesn't mean that everything inside the LAN is considered secure and everything outside is hostile.
LAN vs LANless is an architectural concept.
LAN thinking means you use the LAN to designate a security zone - the reason that extending the LAN with a VPN provides any functionality.
LANless doesn't mean that physical LAN does not exist, but that the security and access model is not designed around the LAN.
In traditional network design, LAN based design has us designing "safe areas" where things "inside the walls" are considered safe and things "outside the walls" are considered dangerous. Then in this model, to bring in other people or sites to our "walled garden" we use a VPN or MPLS or similar to "extend the LAN" to other locations.
LANless design treats systems on the LAN or not on the LAN equally - distrusting everything. In LANless design, a VPN is pointless since being on the LAN from a security standpoint would provide nothing.
-
@pete-s said in Why you don't need a VPN or not?:
How the architecture and security in the LAN is set up is a completely separate issue. Modern LAN practice is more network segmentation and inter-zone firewalling and monitoring. That is what I see customer LANs have as well. It's common for instance to have firewalls inside the LAN. Some variation of this is called zero trust network.
I would not call that modern. That's the same LAN security model we've had for decades. That's just the current state of legacy approaches.
Which is what we expect, the majority of networks just keep what has always been. Either because they were implemented long ago, or are implemented by people repeating known patterns.
-
@pete-s said in Why you don't need a VPN or not?:
Sometimes language is not precise enough and besides English is not my first language.
What's your first language? I had no idea.
-
@pete-s said in Why you don't need a VPN or not?:
Scott, I honestly don't understand what you mean by "LANless" if you don't mean put every client device and every service on the internet directly and use secure communication between everything.
LANless design doesn't require everything to be on the Internet, in fact, you can do LANless with nothing on the Internet. Few do that, but you sure can.
LANless is about treating each workload as if it were on the Internet. Even if they are not.
In some ways, if you are familiar with microservice architecture in software engineering, it's much like applying that concept to systems. Keep each unit isolated and secured and not merged when not necessary.
-
Thanks, I have to think about this some more.
-
@pete-s said in Why you don't need a VPN or not?:
Thanks, I have to think about this some more.
It's a big change. LAN-centric security thinking has been preached for so long, it's an assumed starting point to network design. Entire "must have" product families were based on it, like Active Directory and SMB protocols. Most people just assume that this kind of network will exist and some products nearly require it (QuickBooks, for example.) But as someone that has moved away from it for many years, it's so freeing to not have it.
-
@scottalanmiller So in a transitional phase of moving away from LAN-centric practices, I have Windows firewall enabled on all Windows clients and Windows servers. Is that it, or would I have servers behind a hardware firewall with an ACL?
-
@wrx7m said in Why you don't need a VPN or not?:
@scottalanmiller So in a transitional phase of moving away from LAN-centric practices, I have Windows firewall enabled on all Windows clients and Windows servers. Is that it, or would I have servers behind a hardware firewall with an ACL?
You always want firewalls. LAN-centric or LANless doesn't change that.
LANless is about making everything accessible through web services.
-
@travisdh1 Right, so I would want a firewall above and beyond the Windows firewall, that would be capable of speeds necessary to accommodate line speeds for file servers, etc?
-
@wrx7m said in Why you don't need a VPN or not?:
@travisdh1 Right, so I would want a firewall above and beyond the Windows firewall, that would be capable of speeds necessary to accommodate line speeds for file servers, etc?
A Windows firewall, or any firewall in the OS, serves a completely different purpose. You should always have both, even if just a router/firewall.
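One concrete shape for the transitional step wrx7m describes (host firewall on every Windows box, with the Domain and Private profiles treated exactly like Public, which is the "treat each workload as if it were on the Internet" idea from earlier in the thread). This is an added example, not code from anyone in the thread; the client subnet and management address are placeholders, and it assumes a Windows file server run from an elevated PowerShell session.

```powershell
# Added example (not from the thread). Placeholders: clients in 10.0.10.0/24,
# one management host at 10.0.99.5. Run elevated on the Windows server.

# 1. Stop treating "Domain" and "Private" as safe zones: default-deny inbound
#    on every profile, log what gets dropped so the transition can be audited.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Allow only the services this host actually offers, scoped to the
#    addresses that need them, and identically on all profiles.
$clientSubnet = '10.0.10.0/24'   # placeholder
$mgmtHost     = '10.0.99.5'      # placeholder

New-NetFirewallRule -DisplayName 'LANless: SMB from client subnet' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $clientSubnet -Profile Any -Action Allow

New-NetFirewallRule -DisplayName 'LANless: RDP from management host' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $mgmtHost -Profile Any -Action Allow

# 3. Audit: enabled inbound Allow rules that still accept traffic from "Any"
#    remote address are the ones still assuming the surrounding LAN is safe.
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        $port = ($_ | Get-NetFirewallPortFilter)
        if ($addr -contains 'Any') {
            [pscustomobject]@{
                Rule     = $_.DisplayName
                Profile  = $_.Profile
                Protocol = $port.Protocol
                Port     = ($port.LocalPort -join ',')
            }
        }
    } | Format-Table -AutoSize
```

The audit in step 3 is the useful part during a transition: every line it prints is a rule that only makes sense under LAN-centric thinking, and each one should either get a RemoteAddress scope or be disabled.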
-
@Obsolesce - Right, I have an edge firewall for the WAN to the LAN where all endpoints on the wired network (servers and clients) reside, but I am wondering how to move to a tighter circle to get the servers segregated from the clients.
-
@wrx7m said in Why you don't need a VPN or not?:
I am wondering how to move to a tighter circle to get the servers segregated from the clients.
Segregated how or in what sense? So they cannot communicate to each other?