
    Network Security - UTM

    IT Discussion
      scottalanmiller @hobbit666

      @hobbit666 said:

      @scottalanmiller said:

      And don't think of it as LAN vs. Enterprise. It's legacy (LAN) vs. future (LANless.) Not about size.

      Do you have any links/tips/guides for designing a Site with Future LANless in mind?

      The biggest thing to change, IMHO, is your thinking around "network dependencies." Whenever you design something new, make a change or consider how things work and tie together... how do you think about your dependencies?

      For NTG, for years, we have had people working outside of the core offices. We were always thinking... how will I get their phones to work or how will they authenticate or how will they reach this application. At first the answer was often "we will deploy a hardware firewall with VPN capabilities to their home for them" but this was limiting and only partially solved problems. Eventually we moved towards a LANless design. With zero concept of a LAN, things change very quickly. How you think about computers that you work on changes completely.

      A few things that we did over the years that really made us reevaluate how we thought about our LAN:

      • Unpredictable, mobile workers who need full functionality no matter where they are.
      • Not wanting to be tied to a single OS if possible.
      • Not hosting services in house, colo is hard, cloud is harder, multiple clouds is nearly impossible without being LANless.
      • Don't consider the LAN as safe, assume it can be, will be and likely is compromised. Consider the LAN just a faster WAN... secure it when you can, but never assume it is secure.
        hobbit666 @scottalanmiller

        @scottalanmiller said:

        The biggest thing to change, IMHO, is your thinking around "network dependencies." Whenever you design something new, make a change or consider how things work and tie together... how do you think about your dependencies?

        God, that sounds painful.

          scottalanmiller

          It takes rather a bit of a change of thinking, that is true. But really, once you do it, life gets much easier.

          Suddenly that one guy working remotely becomes... just like everyone else. That unexpected new office or change in company direction... you are prepared for that. The LAN model is very limiting and makes all kinds of things really hard.

          Think about everything you have going on with MPLS, VPNs, authentication... all of that goes away.

            hobbit666 @scottalanmiller

            @scottalanmiller said:

            It takes rather a bit of a change of thinking, that is true. But really, once you do it, life gets much easier.

            Suddenly that one guy working remotely becomes... just like everyone else. That unexpected new office or change in company direction... you are prepared for that. The LAN model is very limiting and makes all kinds of things really hard.

            Think about everything you have going on with MPLS, VPNs, authentication... all of that goes away.

            So in this LANless thinking how do NTG handle AD? Or don't you have Active Directory anymore? Or Authentication in general?

              scottalanmiller @hobbit666

              @hobbit666 said:

              So in this LANless thinking how do NTG handle AD? Or don't you have Active Directory anymore? Or Authentication in general?

              I need to write a paper on NTG's journey 🙂

              NTG no longer has AD. We have a mixed environment of Windows, Mac and Linux Mint. The Windows was 100% Windows 10 before we started moving off of AD. All of the Windows 10 is on Azure AD, not AD. Azure AD has no LAN dependency. We are looking at testing Linux Mint on Azure AD as that is now available and very exciting.

                hobbit666 @scottalanmiller

                @scottalanmiller said:

                @hobbit666 said:

                So in this LANless thinking how do NTG handle AD? Or don't you have Active Directory anymore? Or Authentication in general?

                I need to write a paper on NTG's journey 🙂

                NTG no longer has AD. We have a mixed environment of Windows, Mac and Linux Mint. The Windows was 100% Windows 10 before we started moving off of AD. All of the Windows 10 is on Azure AD, not AD. Azure AD has no LAN dependency. We are looking at testing Linux Mint on Azure AD as that is now available and very exciting.

                Look forward to reading. Will look more closely at Azure AD maybe instead of migrating our 2003 AD onto a 2012 machine.

                  scottalanmiller

                  Azure AD requires Windows 10. Because NTG stays up to date, we get big features sometimes decades ahead of other companies. Little things like allowing an old version of Windows to linger can have massive repercussions that are not well understood when companies evaluate cost and risk.

                    hobbit666 @scottalanmiller

                    @scottalanmiller said:

                    Azure AD requires Windows 10. Because NTG stays up to date, we get big features sometimes decades ahead of other companies. Little things like allowing an old version of Windows to linger can have massive repercussions that are not well understood when companies evaluate cost and risk.

                    Hence the Fog project, also looking at visiting all sites over the next few months to do refresh and tidy up. So maybe Windows 10 could be included.

                      Dashrender @hobbit666

                      @hobbit666 said:

                      Look forward to reading. Will look more closely at Azure AD maybe instead of migrating our 2003 AD onto a 2012 machine.

                      @scottalanmiller Do you know if Azure Sync works with 2003? If not, and you don't want to have to manually recreate all of the users in Azure, you would have to upgrade your AD anyway.

                        scottalanmiller @Dashrender

                        @Dashrender said:

                        @hobbit666 said:

                        Look forward to reading. Will look more closely at Azure AD maybe instead of migrating our 2003 AD onto a 2012 machine.

                        @scottalanmiller Do you know if Azure Sync works with 2003? If not, and you don't want to have to manually recreate all of the users in Azure, you would have to upgrade your AD anyway.

                        I definitely do not know. My guess is that it does not. I would guess, but am purely guessing, that 2008 and newer will work. We did it with 2012 R2. Obviously that works 🙂

                        If you have more than a handful of users and do not already have Office 365 then one option is to do a temporary update to 2012 R2, sync and then drop 2012 R2.

                          Dashrender @scottalanmiller

                          @scottalanmiller said:

                          @Dashrender said:

                          @hobbit666 said:

                          Look forward to reading. Will look more closely at Azure AD maybe instead of migrating our 2003 AD onto a 2012 machine.

                          @scottalanmiller Do you know if Azure Sync works with 2003? If not, and you don't want to have to manually recreate all of the users in Azure, you would have to upgrade your AD anyway.

                          I definitely do not know. My guess is that it does not. I would guess, but am purely guessing, that 2008 and newer will work. We did it with 2012 R2. Obviously that works 🙂

                          If you have more than a handful of users and do not already have Office 365 then one option is to do a temporary update to 2012 R2, sync and then drop 2012 R2.

                          Yeah, but if you don't already have a license, that's not a cheap solution either. Choices, choices.

                            scottalanmiller

                            @GregoryHall or @PSX_Defector probably know the answer to this one. It might be as simple as "2003 works."

                              hobbit666

                              We do have all our users being Sync'd to Office365 at the moment with the sync tool, would that work?

                                Dashrender @hobbit666

                                @hobbit666 said:

                                We do have all our users being Sync'd to Office365 at the moment with the sync tool, would that work?

                                Then you've already got Azure AD and just don't know it.

                                  Dashrender @scottalanmiller

                                  @scottalanmiller said:

                                  @GregoryHall or @PSX_Defector probably know the answer to this one. It might be as simple as "2003 works."

                                  I guess that answers that question - yes it works with 2003

                                    scottalanmiller @hobbit666

                                    @hobbit666 said:

                                    We do have all our users being Sync'd to Office365 at the moment with the sync tool, would that work?

                                    Azure AD is what Office 365 uses behind the scenes. O365 hosted products are all on Azure.
