MPLS alternative

Dashrender

@hobbit666 said in MPLS alternative:

@scottalanmiller said in MPLS alternative:

No, not a leased line. Leased line means that the connection goes from site to site rather than site to the Internet. It's a cheaper Internet line rather than a leased line.

Still the same physical fiber, but when you go to the Internet it stops being leased.

Why is the word "leased" used to be "private site to private site", heaven only knows. But that's what the term means. A private fiber line that you install between you and the Internet is not called leased, even though there is no more or less logic to this name.

Think this is where the terminology comes in, for me (for the last 20+ years) "Leased Line" has always meant to me as a dedicated "internet" line that connects your building to the internet or MPLS or switching product.
So when i say we have 3 sites with leased lines they are fibre to the Exchange

yeah, that's why I wrote what I wrote - I wanted to make sure all understood that with or without the word "leased" the connection are all the same, using the same cabling, likely the same pricing.

It might be a UK thing to call anything not consumer grade to the internet a leased line - who knows, I'm not a UK native.. .

scottalanmiller

@hobbit666 said in MPLS alternative:

So when i say we have 3 sites with leased lines they are fibre to the Exchange

Right, that should be "dedicated fiber" to the exchange. BUT, if they are MPLS, then your use of leased is correct in your case right now.

scottalanmiller

@Dashrender said in MPLS alternative:

It might be a UK thing to call anything not consumer grade to the internet a leased line - who knows, I'm not a UK native.. .

Well I looked up the terms to make sure I wasn't crazy and it didn't mention any regional different usages. Telecom terms tend to be global.

hobbit666

BTW watched that Magolassi video on Lanless design. Also been looking at some Zero Trust stuff.......... i'm still confused

Think more reading and seeing some examples might help my little head compute it all might help

scottalanmiller

Are there any exceptions to leased lines being bad? Yes. But they are insanely rare and really come up when you are building your own Internet provider, basically.

Example: When I was on Wall St. the bank didn't feel that its connections from North America to the Middle East were good enough (as in... they didn't trust the ENTIRE Internet infrastructure of the Gulf States) and so they put in their own dual transatlantic cable (with the Internet via VPN as a backup) that took a different route than the national Internet infrastructure. They did this to replicate the entire Internet backbone of the country in question.

When the COUNTRY had a two day blackout, the bank was not affected and phones and Internet never missed a packet while the rest of the country was totally without Internet (including phones.)

When you get to this scale and are talking about competing with the ISPs because you don't trust the accumulation of all ISPs for a region or country. Yes, leased lines start to be the only option short of building your own ISP and at some point, what's the difference?

But when we are talking about something that CAN be done over the existing Internet and you aren't trenching your own custom fiber end to end, then we are back to our normal discussion.

Dashrender

Doesn't the likes of Microsoft/Amazon/Google all use leased lines for they syncing between DCs?

I'm almost positive they did in the past. I say this because I recall hearing that Google, etc were suddenly face slappingly aware of how not encrypted their syncing was between DCs with the Snowden reveal, and that the NSA was siphoning off copies of all of their flowing packets.

This leads me to believe Google/etc believed the leased lines were "secure enough" to not need to worry about encrypting the data in transit, which I can't personally believe they would consider acceptable if it was simply using Internet connections to do this.

scottalanmiller

@hobbit666 said in MPLS alternative:

BTW watched that Magolassi video on Lanless design. Also been looking at some Zero Trust stuff.......... i'm still confused

Think more reading and seeing some examples might help my little head compute it all might help

Well, think about ANY desire to have a VPN or MPLS connection and ask "why?" In modern (meaning post-2003) application design, there's no normal case where you'd have any reason for that kind of connection. What traffic is utilizing that for you? SMB and AD traffic certainly do, and both are vestiges of another era and represent massive security risks and fragility for the business. They also have advantages, so this isn't a all con, no pro situation. They are easy, fast, and well known. But they are designed entirely around businesses that fit in a single LAN. The moment you introduce a second site, they start to falter. They weren't designed for the multi-site business world, let alone the multi-region company. Neither handles WAN latency well, regardless of connectivity. And no "can claim to be a business app" would have any reason to need LAN connectivity, even by the late 1990s that was "you should fire anyone making software that way and no one should buy software with those kinds of problems."

And before people say that the real world doesn't do this stuff, I can tell you that firms with hundred of thousands of users were doing this by 2005 on a large scale, and small firms were doing it a decade earlier. Plus always those outliers that did it starting in the 60s or whatever. Sure, most firms will always do things poorly, that's assumed. But companies that were trying to do things well were able to pretty easily get to LANless or close to LANless a really long time ago without much challenge.

scottalanmiller

@Dashrender said in MPLS alternative:

Doesn't the likes of Microsoft/Amazon/Google all use leased lines for they syncing between DCs?

Sort of, they are their own ISPs. So you are basically asking if the Internet is built on leased lines. Yes, under the hood, ISPs use leased lines to form the Internet. But that's a meta-discussion.

scottalanmiller

@Dashrender said in MPLS alternative:

This leads me to believe Google/etc believed the leased lines were "secure enough" to not need to worry about encrypting the data in transit, which I can't personally believe they would consider acceptable if it was simply using Internet connections to do this.

Um, no, they put VPNs on those lines.

Dashrender

@scottalanmiller said in MPLS alternative:

@Dashrender said in MPLS alternative:

This leads me to believe Google/etc believed the leased lines were "secure enough" to not need to worry about encrypting the data in transit, which I can't personally believe they would consider acceptable if it was simply using Internet connections to do this.

Um, no, they put VPNs on those lines.

They did after Snowden - that was publicly acknowledged, but pre-snowden... not so sure. Definitely not in all cases.

Heck, I'd be surprised if Hobbit's company is encrypting data between sites - they are instead (management likely not realizing it) completely exposing their prints/fileshares with BT through their MPLS.

Dashrender

@scottalanmiller what would you do for a management solution for 300+ users on company owned equipment?
And what management solution for useraccounts would you use for Citrix?

scottalanmiller

@Dashrender said in MPLS alternative:

Heck, I'd be surprised if Hobbit's company is encrypting data between sites - they are instead (management likely not realizing it) completely exposing their prints/fileshares with BT through their MPLS.

I guarantee that they are not. But they are not an in-house ISP. They are doing it for LAN traffic, not to build their own Internet backbone.

scottalanmiller

@Dashrender said in MPLS alternative:

what would you do for a management solution for 300+ users on company owned equipment?

It's not that easy to say what TO do. That requires a lot of research. But knowing what NOT to do is a lot simpler. AD is absolutely not a good solution for a lot of sites. Even Microsoft hasn't recommended that in a long time. That's why they moved to Azure AD internally as their product for that long ago.

We have no reason to believe that they even need user management, there's no way to have that assumption. I've worked in companies that size that saw zero value to having that and I see that play out time and time again. The need for user management on the OS is probably around 50/50.

So without even knowing if the need user management, it's impossible to even start to guess how best to approach it.

scottalanmiller

The need for user management at the OS level primarily comes from LAN-based design. Not 100%, but maybe 85%. Once you are LANless / Zero Trust, the need to control the users at the device level changes dramatically. There are good reasons to still want it, but it has to become a business need, not a "nice if all other things were equal." It comes at high cost and carries risks, so you have to have a value that supersedes those values to justify it.

scottalanmiller

@hobbit666 said in MPLS alternative:

Think more reading and seeing some examples might help my little head compute it all might help

Two simple examples...

LANbased Legacy User Management: Active Directory
LANless Alternative: JumpCloud, AzureAD

LANbased Legacy File Management: SMB or NFS Mapped Drives / Shares
LANless Alternatives: OneDrive, NextCloud, Google Drive, DropBox

scottalanmiller

Another example of LANbased vs LANless thinking or approach...

Old Days: Log into your desktop and the desktop gives you immediate access to files, applications, etc.

Modern Way: Log into desktop, then log into applications so that the applications are not trusting the device but authenticate the user.

hobbit666

@scottalanmiller said in MPLS alternative:

@hobbit666 said in MPLS alternative:

Think more reading and seeing some examples might help my little head compute it all might help

Two simple examples...

LANbased Legacy User Management: Active Directory
LANless Alternative: JumpCloud, AzureAD

LANbased Legacy File Management: SMB or NFS Mapped Drives / Shares
LANless Alternatives: OneDrive, NextCloud, Google Drive, DropBox

Those i get, but what about printing to office printers, or accessing the Citrix farm.
As i said E-mails and files are getting slowly moved to o365 and OD4B

hobbit666

@scottalanmiller said in MPLS alternative:

Another example of LANbased vs LANless thinking or approach...

Old Days: Log into your desktop and the desktop gives you immediate access to files, applications, etc.

Modern Way: Log into desktop, then log into applications so that the applications are not trusting the device but authenticate the user.

So how to you handle the "log into dekstop"? AzureAD or local user?
Then if we are using Office 365 Desktop apps like Word Excel can we use Single Sign On from AzureAD or would it be best to get the users to log in everytime? Same with OneDrive

scottalanmiller

@hobbit666 said in MPLS alternative:

Those i get, but what about printing to office printers.....

So printing is a weird one. Typically printing desires physical proximity and no security. The nature of printing is insecure. Do you really need printing security? And do you really need to print from one site to another instead of printing locally? These things are possible, just really rare.

Printing does have options to use some LANless design, but typically we ignore this here as we are talking about a peripheral device that simply "doesn't matter" enough.

So I guess the real question is... since you can "just print" without any discussion or design whatsoever, what's the actual problem that you are trying to solve? I'm not sure what the question is. Whether you have LANbased or LANless design, if you hook up a USB printer you just print, if you hook up a network printer, you just print. They really fall outside of this discussion unless there is some extra factor that we can't anticipate.

Dashrender

@scottalanmiller said in MPLS alternative:

@Dashrender said in MPLS alternative:

Heck, I'd be surprised if Hobbit's company is encrypting data between sites - they are instead (management likely not realizing it) completely exposing their prints/fileshares with BT through their MPLS.

I guarantee that they are not. But they are not an in-house ISP. They are doing it for LAN traffic, not to build their own Internet backbone.

sure - but do you want your ISP snooping through your traffic? I definitely don't want Cox or anyone Cox allows on their network to see my traffic.