    Napkin design...let's go LAN'less

    IT Discussion
    lanless nu skewl
    • FATeknollogee

      See diagram of very simple old school LAN design (black dots = switches)

      Let's go "nu skewl" & transition LAN'less.

      Comment away or draw up your napkin design..

      [Attached: diagram image and LANless.pdf]

      • scottalanmiller

        No physical servers of course :)

        • FATeknollogee

          I agree no physical.
          I only added "physical" 'coz of Server 2k3/Legacy apps

          • scottalanmiller

            What's stopping those from virtualization?

            • gjacobse

              With so few users - why do you need such hardware.

              • FATeknollogee @scottalanmiller

                @scottalanmiller said:

                What's stopping those from virtualization?

                Nothing, I was just trying to "broaden" the use case

                • FATeknollogee @gjacobse

                  @gjacobse said:

                  With so few users - why do you need such hardware.

                  It could be 50 or 100, that's why it's a design on a napkin!

                  • hobbit666

                    I've been thinking of starting a thread about designing a network with the "LAN'less" way of thinking :D

                    Question to all (mainly Scott :D )
                    What would you put in the firewall box? Would a Ubiquiti EdgeRouter be fine as you mentioned UTM devices are over rated and not really needed?

                    Our MPLS is coming up for renewal and I'm considering dumping it and going LAN'less but still need good "Edge" devices. Might start a new thread once I've finished a few projects on the whole infrastructure and see what people think

                    • scottalanmiller @hobbit666

                      @hobbit666 said:

                      What would you put in the firewall box? Would a Ubiquiti EdgeRouter be fine as you mentioned UTM devices are over rated and not really needed?

                      Ubiquiti EdgeRouter IS a firewall. What would you replace the firewall with?

                      • hobbit666 @scottalanmiller

                        @scottalanmiller said:

                        @hobbit666 said:

                        What would you put in the firewall box? Would a Ubiquiti EdgeRouter be fine as you mentioned UTM devices are over rated and not really needed?

                        Ubiquiti EdgeRouter IS a firewall. What would you replace the firewall with?

                        Sophos UTM? :D

                        • scottalanmiller @hobbit666

                          @hobbit666 said:

                          @scottalanmiller said:

                          @hobbit666 said:

                          What would you put in the firewall box? Would a Ubiquiti EdgeRouter be fine as you mentioned UTM devices are over rated and not really needed?

                          Ubiquiti EdgeRouter IS a firewall. What would you replace the firewall with?

                          Sophos UTM? :D

                          Going the opposite direction there, I think.

                          • dafyre

                            I could choose older posts to resurrect... But recent topics have got me thinking about this again...

                            In the realm of a LANless design... What actually constitutes a LANless design?

                            1. Everyone being able to work from anywhere?
                            2. Treating all devices like they are untrusted (even your own servers)?
                            3. Treating only client devices like they are untrusted?
                            4. Allowing VPN / ZT / Pertino to access servers from off-site?
                            5. Some combination of all of the above?
                            • scottalanmiller @dafyre

                              @dafyre said:

                              4. Allowing VPN / ZT / Pertino to access servers from off-site?

                              This is actually LAN-centric thinking, not LANless. You can go LANless and keep those services, but they encourage LAN thinking.

                              • scottalanmiller @dafyre

                                @dafyre said:

                                1. Everyone being able to work from anywhere?

                                Not required but would nearly always happen naturally.

                                • scottalanmiller @dafyre

                                  @dafyre said:

                                  2. Treating all devices like they are untrusted (even your own servers)?
                                  3. Treating only client devices like they are untrusted?

                                  These two are what matter. #2 is absolutely a requirement. #3 is a requirement to "go all the way." Think of it like database normalization. Getting the clients LANless is getting to first order normalization. Getting the servers LANless too would be second order.

                                  • coliver @dafyre

                                    @dafyre said:

                                    I could choose older posts to resurrect... But recent topics have got me thinking about this again...

                                    In the realm of a LANless design... What actually constitutes a LANless design?

                                    1. Everyone being able to work from anywhere?

                                    My thinking is yes, this happens as a result of the initial design.

                                    2. Treating all devices like they are untrusted (even your own servers)?

                                    I think servers would be hardened to not trust any client device unless authenticated or authorized.

                                    3. Treating only client devices like they are untrusted?

                                    Yes.

                                    4. Allowing VPN / ZT / Pertino to access servers from off-site?

                                    LAN-esque design you wouldn't really use them in this instance.

                                    5. Some combination of all of the above?
                                    • dafyre @scottalanmiller
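An added example (not code from the thread or from any of its posters) that turns the two posts above into a concrete access-decision check: a LAN-centric ACL trusts the source subnet, Scott's "first order" LANless ignores the source address and requires a proven user plus device, and "second order" extends the same requirement to server-to-server calls. All subnets, identities and the HMAC-signed assertion (a stand-in for real SSO or mTLS identity) are constructed for the demo.

```python
import hmac
import hashlib
import ipaddress

# Constructed demo data (not from the thread): the LAN-centric policy trusts the
# office subnet, the LANless policies trust only a verified user+device assertion.
OFFICE_LAN = ipaddress.ip_network("10.0.0.0/8")
SECRET = b"constructed-demo-signing-key"               # placeholder, demo only
AUTHORIZED = {("alice", "laptop-17"), ("bob", "laptop-42")}
SERVICE_IDS = {"billing-api", "reports"}               # hypothetical service identities


def issue_assertion(user, device):
    """Sign a user|device assertion; stands in for an SSO token or client cert."""
    msg = f"{user}|{device}".encode()
    return msg + b"|" + hmac.new(SECRET, msg, hashlib.sha256).hexdigest().encode()


def verify_assertion(assertion):
    """Return (user, device) if the signature is valid, otherwise None."""
    try:
        user, device, sig = assertion.decode().split("|")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{user}|{device}".encode(), hashlib.sha256).hexdigest()
    return (user, device) if hmac.compare_digest(sig, expected) else None


def lan_centric_allow(src_ip, assertion=None):
    """LAN-centric: being on the office subnet is the whole credential."""
    return ipaddress.ip_address(src_ip) in OFFICE_LAN


def lanless_client_allow(src_ip, assertion):
    """First order: source address is irrelevant; user and device must be proven and authorized."""
    identity = verify_assertion(assertion) if assertion else None
    return identity is not None and identity in AUTHORIZED


def lanless_full_allow(src_ip, assertion, peer_service=None):
    """Second order: servers are untrusted too; a calling service proves its own identity."""
    if peer_service is not None:
        return verify_assertion(assertion) == (peer_service, "service") and peer_service in SERVICE_IDS
    return lanless_client_allow(src_ip, assertion)


def demo():
    """Same four requests under each policy; a rogue host on the LAN is the telling case."""
    good = issue_assertion("alice", "laptop-17")
    forged = good[:-1] + (b"0" if good[-1:] != b"0" else b"1")   # one tampered signature char
    return {
        "rogue_on_lan_lan_centric": lan_centric_allow("10.1.2.3"),
        "rogue_on_lan_lanless": lanless_client_allow("10.1.2.3", None),
        "alice_remote_lan_centric": lan_centric_allow("203.0.113.9", good),
        "alice_remote_lanless": lanless_client_allow("203.0.113.9", good),
        "forged_assertion_lanless": lanless_client_allow("10.1.2.3", forged),
        "service_call_full": lanless_full_allow("10.9.9.9", issue_assertion("billing-api", "service"), "billing-api"),
    }
```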

                                      @scottalanmiller said:

                                      @dafyre said:

                                      4. Allowing VPN / ZT / Pertino to access servers from off-site?

                                      This is actually LAN-centric thinking, not LANless. You can go LANless and keep those services, but they encourage LAN thinking.

                                      This is what I was thinking. Just throwing thoughts out there to see what everybody else is thinking.

                                      Would you put things like Jump boxes into the LAN-centric category as well?

                                      • scottalanmiller @dafyre

                                        @dafyre said:

                                        Would you put things like Jump boxes into the LAN-centric category as well?

                                        No, that's a different kind of thing. A security aggregation point is not the same as a LAN. There is a relationship there for sure. And a LAN is a form of security aggregation, but one based on physical networking (bad) instead of logical security (better.)

                                        • dafyre @scottalanmiller

                                          @scottalanmiller said:

                                          @dafyre said:

                                          Would you put things like Jump boxes into the LAN-centric category as well?

                                          No, that's a different kind of thing. A security aggregation point is not the same as a LAN. There is a relationship there for sure. And a LAN is a form of security aggregation, but one based on physical networking (bad) instead of logical security (better.)

                                          What makes a VPN (ignoring ZT and Pertino for the moment) any different than a Jumpbox in that light?

                                          • scottalanmiller @dafyre

                                            @dafyre said:

                                            What makes a VPN (ignoring ZT and Pertino for the moment) any different than a Jumpbox in that light?

                                            A lot of things. One is that it is purely designed (all VPNs which means ZT and Pertino too) with the sole intent of replicating a LAN where a physical limitation would have prevented it before. The name VPN itself means that. The purpose of a VPN is to encrypt data in flight, nothing more. It "can" be leveraged to do more than that which is why using a VPN does not necessarily stop you from being LANless, but the fundamental goal of a VPN is LAN extension through data encryption. That's what makes it a VPN.

                                            A Jump Box is a user centric authentication mechanism used as an aggregation and control system for security. It mimics many mechanisms in a VPN but is not a VPN. A VPN extends a LAN, a Jump Box proxies to it. Proxying with user authentication vs. network extension using many of the same tools and some not the same.
