If LAN is legacy, what is the UN-legacy...?



  • @scottalanmiller says "This goes against my recent writings that the LAN is a legacy concept and being phased out for security and flexibility reasons. In the California IT scene, the LAN is already not the norm. The east coast IT scene is much more traditional, but as the LAN becomes increasingly unnecessary I see "enterprise" very much not the term for this model. Enterprises are the ones best equipped to move to more modern structural models."

    The world is becoming a "smaller" place, where physical boundaries are no longer restrictive.
    What next-gen "connect" should we be looking at?


  • Service Provider

    The UnLAN! Or what I call the citadel model. Companies that move away from the LAN basically need to move from the idea that there is a special network on which security is low and access is high and you just throw data that you want onto it, hoping that people will be able to get to it and outsiders will not. The LAN was designed in the late 1980s and early 1990s when the Internet was not an issue and security was low. Fundamentally, the LAN is a weird thing. It only seems logical because it was the easiest way to grant access to resources and it has been passed down from generation to generation of IT Pros by their mentors.

    But if we step back, it has no reason to exist today. Or little reason, at least.

    We don't want resources to be exposed even on a LAN. We need to consider, and long have, our LANs to be enemy territory. Even if we try to protect them, we have to assume that they are compromised. Once we start thinking that way the LAN actually becomes nothing but overhead, a crutch. It stops adding value. Especially as we move to IPv6 and no longer need the LAN as an IPv4 efficiency scheme.


  • Service Provider

    I'll provide an example...

    NTG used to have a LAN. Everyone was in one of two offices, each with a physical LAN and an IPSec site to site VPN in between.

    Over the years the company grew and migrated to a complex hub and spoke VPN model and eventually to a full mesh software defined network.

    But as this happened, we stopped putting resources out on the LAN in an exposed way. While that is simple and lazy, it's not very useful. If the VPN fails, resources go offline. If the VPN is compromised, everything is exposed. And if you want any resource from a third party (like Google or Microsoft) then those are not on the LAN at all. So what's the point?

    We ended up dropping the VPN and LAN model completely and went to independent nodes. All of our services, whether internal or external, are secured independently and delivered in a SaaS-like way. Whether it is Office 365 from MS, our accounting platform from a third party or ownCloud running on our own servers. All of it is engineered from beginning to end to be delivered over the Internet to wherever someone needs to consume the services.

    We gain security, flexibility, lower cost, etc. We can grow, move, switch services, and remain network agnostic. And things like Crypto virii, which still suck, are far more limited in scope since there is no SMB or NFS mapped drives to attach, no LAN to use for discovery, no "peer resources" to attack.


  • Service Provider

    Today, even most companies that are still completely addicted to and committed to the LAN model, those that would never consider something different, rarely have anything on their LAN that ties them to it except for two things: Active Directory and old fashioned LAN file shares.

    Both of these things are on the cusp of being legacy, in a way.

    Microsoft has already moved AD features into Office 365 and Azure once you go to Windows 10. While you don't (yet) get the full power of traditional AD you get AD for super cheap while needing no infrastructure of your own without any of the old LAN limitations of AD. It's a huge win. AD is only going to keep going in this way. And the California model was to drop AD and tight desktop controls already. So as AD penetration begins to decline (not going away, just dropping from the 99% saturation point it was at) and as AD begins to leave the LAN fold, that is dramatically changing.

    And LAN file sharing is getting demolished from two fronts. On one side products like Dropbox, ownCloud and OneDrive for Business are making users think about storage differently and making IT step back and stop just "doing what we have always done." While on the other side ransomware is making traditional file sharing super risky. So the old method's inherent risks get exposed right as major alternative approaches arise. The LAN concept of storage is rarely needed any longer.

    Add to this the idea that networks are more complicated, people need to work remotely from home, the car, a phone, a hotel, etc. and suddenly the LAN is really just "in the way" and no longer enabling good IT but rather blocking it.


  • Service Provider

    None of this is to suggest that the physical LAN network of an office will go away or that we will not attempt to secure it (firewall, UTM, etc.) It is that we will stop thinking of it as a secure place to dump data willy nilly. And once we treat the LAN as a dangerous place like the Internet, suddenly we are not tied down to it any longer either.



  • @scottalanmiller said:

    None of this is to suggest that the physical LAN network of an office will go away or that we will not attempt to secure it (firewall, UTM, etc.) It is that we will stop thinking of it as a secure place to dump data willy nilly. And once we treat the LAN as a dangerous place like the Internet, suddenly we are not tied down to it any longer either.

    This was going to be my next question.
    If I understand correctly, the firewall/UTM/"insert fav mode" concept still exists & is valid.
    The old school "on prem" services (AD, File Shares, email) that were heavy on LAN kinda go away


  • Service Provider

    @FATeknollogee said:

    If I understand correctly, the firewall/UTM/"insert fav mode" concept still exists & is valid.
    The old school "on prem" services (AD, File Shares, email) that were heavy on LAN kinda go away

    Right, that is what I expect. Having a firewall to provide "as much protection as possible" will be valid for a long time (although some weird people are even arguing that that is a waste, but I don't buy it) but having services that assume you are on a LAN will go away.

    Email, AD, storage... we will continue to need those, but not in the old way. Right now we have to create this "special network" to deliver those services. SMB only works well over a low latency, high bandwidth connection. AD is complicated without local DNS controlling everything. Things like that. They are based on very limited assumptions that really curtail businesses.


  • Service Provider

    And, of course, things like cloud platforms change this too. Once you remove the LAN, suddenly you can easily leverage not just a platform like AWS whenever needed, but you can do so in a very flexible way. We don't need a private cloud, we can use a cheaper and more powerful public one. We don't need to work with a single provider, we can use any one that is good for the needed workload.

    Things get cheaper and more powerful.

    And WAN purchasing changes. We don't need expensive VPN accelerators, managed VPN or MPLS. We just need fast WAN links, at lower cost. The WAN becomes far simpler, too.


  • Service Provider

    And of course, just as the LAN never made sense for everyone, the LAN will likely always make sense for someone. But the assumption of a LAN, the foregone conclusion that the LAN is how businesses run and especially that it is how "enterprise" ones run, is already past its sell-by date. Nothing wrong with LANs today, but they are not the cutting edge or something special. Companies that are skipping them are either forward-thinking new entities or companies that had LANs that have worked hard to phase them out.



  • So there are two solutions for this that I know of: ZeroTier and Pertino. What other options are there?

    What do you think about the fact that these SDNs aren't really free, yeah LANs aren't free you need a switch, but SDNs need a control node and switches and internet access.

    It seems like a lot more expensive.

    Are there other options?


  • Service Provider

    @Dashrender said:

    So there are two solutions for this that I know of: ZeroTier and Pertino. What other options are there?

    The option is you do not need those either.

    Those are simply alternate VPN methods letting you cling to your extended LAN functionality.


  • Service Provider

    @Dashrender said:

    So there are two solutions for this that I know of: ZeroTier and Pertino. What other options are there?

    Those are not solutions for what I am describing, those are just the most advanced uses of the legacy LAN concept. Those are all about remaining dedicated to the LAN even after you are physically in no way suitable for one. Great products, but designed solely around maintaining the LAN ideologically rather than replacing it.


  • Service Provider

    @Dashrender said:

    What do you think about the fact that these SDNs aren't really free, yeah LANs aren't free you need a switch, but SDNs need a control node and switches and internet access.

    ZeroTier is truly free and can be done without Internet access, if you want.


  • Service Provider

    @Dashrender said:

    Are there other options?

    The idea of the citadel (I call it this because the LAN was the castle) is that there is no "shared address range", or at least no dependency on it. Security is not handled by having a "safe zone" on which you put services; you assume all networks are suspect and secure data accordingly.

    I think that there are two key elements to removing the LAN dependency and ideology:

    • Secure everything as if everything was on a suspect network.
    • Publish everything so that there is not a "local" network addressing dependency for resolution.
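
    The two elements above can be turned into a mechanical check. The following is an added example, not code from the thread or from any product mentioned in it: it audits a constructed service catalogue for the two LAN dependencies the citadel model says to remove, endpoints that only resolve on a local network (private, link-local or loopback addresses, single-label or `.local` names) and transports that assume a trusted network instead of authenticating and encrypting on their own. The scheme lists and the sample catalogue are illustrative assumptions.

```python
"""Citadel-model audit: flag services that still depend on a trusted LAN.

Added example (not from the thread). Two findings are reported per endpoint:
  - "local-only address": the host needs a LAN to be reachable or resolvable
  - "<scheme> assumes a trusted network": the transport carries no
    authentication/encryption of its own
"""
import ipaddress
from urllib.parse import urlsplit

# Illustrative lists, not exhaustive: transports that secure themselves
# regardless of the network they cross ...
SELF_SECURED = {"https", "ssh", "ldaps", "smtps", "imaps", "wss"}
# ... and transports that historically rely on the LAN being "safe".
LAN_ASSUMING = {"smb", "nfs", "ldap", "http", "ftp", "telnet", "ws"}


def host_is_local_only(host: str) -> bool:
    """True if the host only makes sense on a local network."""
    if not host:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal. A single-label name needs DNS search suffixes,
        # NetBIOS or mDNS to resolve, and ".local" is a LAN-only zone.
        return "." not in host or host.endswith(".local")
    # RFC 1918 / ULA, 169.254.0.0/16 / fe80::/10, loopback
    return ip.is_private or ip.is_link_local or ip.is_loopback


def parse_endpoint(endpoint: str) -> tuple[str, str]:
    """Return (scheme, host). Accepts URLs and Windows UNC paths."""
    if endpoint.startswith("\\\\"):               # \\server\share -> SMB
        return "smb", endpoint[2:].split("\\", 1)[0]
    parts = urlsplit(endpoint)
    return parts.scheme.lower(), parts.hostname or ""


def audit_endpoint(endpoint: str) -> list[str]:
    scheme, host = parse_endpoint(endpoint)
    findings = []
    if host_is_local_only(host):
        findings.append("local-only address")
    if scheme in LAN_ASSUMING:
        findings.append(f"{scheme} assumes a trusted network")
    elif scheme not in SELF_SECURED:
        findings.append(f"unknown transport {scheme!r}: verify it authenticates and encrypts")
    return findings


def audit_catalogue(catalogue: dict[str, str]) -> dict[str, list[str]]:
    """Map service name -> findings (empty list means citadel-ready)."""
    return {name: audit_endpoint(ep) for name, ep in catalogue.items()}


# Constructed sample catalogue for the demo (hypothetical hosts).
SAMPLE_CATALOGUE = {
    "files":    r"\\fileserver\finance",
    "intranet": "http://intranet/",
    "ldap":     "ldap://10.0.0.5:389",
    "owncloud": "https://cloud.example.com/",
    "ipv6-ula": "https://[fd00::10]/",
    "mail":     "https://outlook.office365.com/",
}

if __name__ == "__main__":
    for name, findings in audit_catalogue(SAMPLE_CATALOGUE).items():
        print(f"{name:10} {'OK' if not findings else '; '.join(findings)}")
```

    Note that a self-secured transport on a private address (the `ipv6-ula` entry) is still flagged: the service is secured, but it is not "published", so it disappears the moment the VPN or office network does.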


  • I would love to read more about the idea of

    but as the LAN becomes increasingly unnecessary I see "enterprise" very much not the term for this model. Enterprises are the ones best equipped to move to more modern structural models."

    Any links to articles on the subject and concept?



  • @scottalanmiller said:

    @Dashrender said:

    What do you think about the fact that these SDNs aren't really free, yeah LANs aren't free you need a switch, but SDNs need a control node and switches and internet access.

    ZeroTier is truly free and can be done without Internet access, if you want.

    But if you are doing that, why bother with ZT?


  • Service Provider

    @Dashrender said:

    @scottalanmiller said:

    @Dashrender said:

    What do you think about the fact that these SDNs aren't really free, yeah LANs aren't free you need a switch, but SDNs need a control node and switches and internet access.

    ZeroTier is truly free and can be done without Internet access, if you want.

    But if you are doing that, why bother with ZT?

    If you are doing it for free? Just because you don't want to pay.

    Without Internet? Because you want software defined networking. Same basic reasons for OpenDaylight.


  • Service Provider

    @Dashrender said:

    @scottalanmiller said:

    @Dashrender said:

    What do you think about the fact that these SDNs aren't really free, yeah LANs aren't free you need a switch, but SDNs need a control node and switches and internet access.

    ZeroTier is truly free and can be done without Internet access, if you want.

    But if you are doing that, why bother with ZT?

    Encryption is the first thing that comes to mind.



  • @scottalanmiller said:

    @Dashrender said:

    @scottalanmiller said:

    @Dashrender said:

    What do you think about the fact that these SDNs aren't really free, yeah LANs aren't free you need a switch, but SDNs need a control node and switches and internet access.

    ZeroTier is truly free and can be done without Internet access, if you want.

    But if you are doing that, why bother with ZT?

    If you are doing it for free? Just because you don't want to pay.

    Without Internet? Because you want software defined networking. Same basic reasons for OpenDaylight.

    OpenDaylight? (searching internet)

    If your network isn't attached to the internet, then why would you need SDN? What do you gain? I definitely see why you use SDN for internet connected devices/services...



  • @JaredBusch said:

    @Dashrender said:

    @scottalanmiller said:

    @Dashrender said:

    What do you think about the fact that these SDNs aren't really free, yeah LANs aren't free you need a switch, but SDNs need a control node and switches and internet access.

    ZeroTier is truly free and can be done without Internet access, if you want.

    But if you are doing that, why bother with ZT?

    Encryption is the first thing that comes to mind.

    most systems already have their own encryption built in, so that shouldn't be a problem.

    Windows can run completely encrypted on the LAN side if you want - enable certs/keys, etc...


  • Service Provider

    @Dashrender said:

    Windows can run completely encrypted on the LAN side if you want - enable certs/keys, etc...

    Right... and you are just building a complicated, proprietary SDN :)



  • My biggest concerns about having things like AD on Azure would be that traffic (encrypted or not) being hit by a MITM type attack. It makes your information more vulnerable to that, than if you were, say... Running your business infrastructure on ZeroTier.


  • Service Provider

    @dafyre said:

    My biggest concerns about having things like AD on Azure would be that traffic (encrypted or not) being hit by a MITM type attack. It makes your information more vulnerable to that, than if you were, say... Running your business infrastructure on ZeroTier.

    Tell me how ZT makes you immune to a MITM?


  • Service Provider

    @JaredBusch said:

    @dafyre said:

    My biggest concerns about having things like AD on Azure would be that traffic (encrypted or not) being hit by a MITM type attack. It makes your information more vulnerable to that, than if you were, say... Running your business infrastructure on ZeroTier.

    Tell me how ZT makes you immune to a MITM?

    Or at least less susceptible than Azure AD.



  • @dafyre said:

    My biggest concerns about having things like AD on Azure would be that traffic (encrypted or not) being hit by a MITM type attack. It makes your information more vulnerable to that, than if you were, say... Running your business infrastructure on ZeroTier.

    Azure AD doesn't have this issue because Azure AD assumes all networks are untrusted, and as such transmits data only in a secure/encrypted manner to the endpoint.

    Now of course this doesn't mean it's impossible for a MITM to get in there, it's much more difficult.

    ZT is really only useful for systems that don't have their secure communication method already in place. An example would be traditional LAN based AD. By default this communication is not encrypted, so using ZT would provide a level of protection that the LAN does not, while at the same time enabling you to be much more mobile at the same time.
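
    The point argued in this exchange, that "it's encrypted" does not by itself answer "how are you immune to a MITM", can be shown with a few lines of code. The following is an added example, not from the thread and not a description of how ZeroTier or Azure AD actually negotiate keys: it runs a toy Diffie-Hellman exchange twice, once unauthenticated and once with each side's public value authenticated by a pre-shared key (a stand-in for the certificate signature a TLS handshake would use), and puts an attacker in the middle both times. The prime, generator and PSK are illustrative assumptions and are not safe parameters for real use.

```python
"""Encrypted-but-unauthenticated vs. authenticated key exchange under a MITM.

Added example, not from the thread. Toy parameters only.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy Mersenne prime, NOT a real DH group
G = 3


def dh_keypair() -> tuple[int, int]:
    priv = secrets.randbelow(P - 2) + 1          # private exponent in [1, P-2]
    return priv, pow(G, priv, P)                 # (private, public)


def dh_shared(priv: int, peer_pub: int) -> str:
    """Session key derived from the DH secret (hex digest)."""
    return hashlib.sha256(str(pow(peer_pub, priv, P)).encode()).hexdigest()


def auth_tag(key: bytes, pub: int) -> str:
    """Authenticate a public value. A real protocol signs it with a cert key."""
    return hmac.new(key, str(pub).encode(), hashlib.sha256).hexdigest()


def run_exchange(authenticated: bool, mitm: bool,
                 psk: bytes = b"assumed pre-shared identity key") -> dict:
    a_priv, a_pub = dh_keypair()                 # Alice (client)
    b_priv, b_pub = dh_keypair()                 # Bob (service)
    a_msg = (a_pub, auth_tag(psk, a_pub) if authenticated else None)
    b_msg = (b_pub, auth_tag(psk, b_pub) if authenticated else None)

    if mitm:
        # Mallory replaces both public values with her own. She can
        # encrypt to each side, but she does not hold the identity key.
        m_priv, m_pub = dh_keypair()
        forged = (m_pub, auth_tag(b"not the psk", m_pub) if authenticated else None)
        a_recv, b_recv = forged, forged
    else:
        a_recv, b_recv = b_msg, a_msg

    def accept(msg):
        pub, tag = msg
        if authenticated:
            if tag is None or not hmac.compare_digest(tag, auth_tag(psk, pub)):
                return None                      # reject: peer not authenticated
        return pub

    a_peer, b_peer = accept(a_recv), accept(b_recv)
    if a_peer is None or b_peer is None:
        return {"status": "aborted"}

    a_key, b_key = dh_shared(a_priv, a_peer), dh_shared(b_priv, b_peer)
    result = {"status": "established", "keys_match": a_key == b_key}
    if mitm:
        # Mallory holds one key with Alice and another with Bob, so she can
        # decrypt, read and re-encrypt every message in both directions.
        result["mallory_can_read"] = (dh_shared(m_priv, a_pub) == a_key
                                      and dh_shared(m_priv, b_pub) == b_key)
    return result


if __name__ == "__main__":
    for authenticated in (False, True):
        for mitm in (False, True):
            print(f"authenticated={authenticated!s:5} mitm={mitm!s:5} ->",
                  run_exchange(authenticated, mitm))
```

    The unauthenticated run with `mitm=True` still "establishes" an encrypted session on both ends; the traffic is encrypted, just to the wrong party. Only the run that authenticates the public values aborts. This is the property to ask any overlay or cloud service about: not whether it encrypts, but what it binds the encryption keys to and how a client verifies that binding.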



  • @scottalanmiller said:

    @JaredBusch said:

    @dafyre said:

    My biggest concerns about having things like AD on Azure would be that traffic (encrypted or not) being hit by a MITM type attack. It makes your information more vulnerable to that, than if you were, say... Running your business infrastructure on ZeroTier.

    Tell me how ZT makes you immune to a MITM?

    Or at least less susceptible than Azure AD.

    Less susceptible is definitely a better way of stating that.



  • This is an interesting concept. Does anyone have any documentation on this? I'd love to read about what it would take to actually implement something like this.


  • Service Provider

    @wirestyle22 said:

    This is an interesting concept. Does anyone have any documentation on this? I'd love to read about what it would take to actually implement something like this.

    Sadly, no. But it is coming soon :) You heard it here first!!


  • Service Provider

    Oh, we could do a case study pretty easily, though. @ntg does this and has kind of stepped through the "best of breed" network design for a modern company over the years so we are good for that.

    I've worked at several companies that have done this, as well, so I have some decent insight into what others are doing, not just one company.



  • @scottalanmiller I have a serious lack of knowledge that I am fervently attempting to make up for so please excuse any misinformation.

    Currently we are set up with a primary Domain and a VM secondary replicated domain at the same site (as well as a few remotely replicated domains for our bigger sites). A file server, SQL Server using Financial Edge/Blackbaud, a terminal server for remote sites to access e-mail as well as the network share, etc. My question would be how would Active Directory look with this? I'm assuming I would be able to actually connect all of my remote sites to a remote domain with something like this and everything would be managed through the cloud?

    Any information at this point is very appreciated :) Thank you as always.

