If LAN is legacy, what is the UN-legacy...?
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
@adam.ierymenko said:
Firewalls are dead. Thank the cloud.
huh - you're the first that I can recall ever saying that firewalls are dead. from your above post about IPV6 and killing local firewalls, I can see I think you really mean that.
https://community.spiceworks.com/topic/1409230-need-for-firewalls-on-home-networks
http://www.infoworld.com/article/2616931/firewall-software/why-you-don-t-need-a-firewall.htmlLOL - did you just want to see that others have said the firewall was dead for years?
I was just showing that it's a theory that has been going around.
-
@scottalanmiller said:
@Dashrender said:
That is no lie - So I can't get what I want, you'll give me this little thing over here, OK I'll just create a way to get what I want through that little thing.. done.. yeah - huge problem!
Which is a key reason why I don't promote "over blocking" end users. Blocking things they would never want but might stumble on (malware, for example) at work is fine, if they were trying to download malware you've got other issues. But if they are trying to read their email, check on the time to pick up their kids from school or see how their buddy in the hospital is doing and we block them we become a barrier to overcome, IT becomes the silent enemy and they will find ways around that security.
It is more secure to work with end users as security partners. In it together. Once we work against the end users, they are working against us.
While I do understand what you are getting at on the last point there - I just haven't brought myself to fully agree with the entirety of the message. The reason being is that I personally don't care if users are using their personal email, Facebook, random web surfing at work, that's an HR problem, not an IT problem. But I do care about keeping their often wrought with garbage traffic off my current LAN setup. My personal goals are different than my stated goals from my thread the other day.
In the hopefully not to distant future when the LAN is just another untrusted network it would be less of an issue.
-
What I don't understand is why anyone with any IT knowledge in a business setting would treat their network as trusted? I don't even do this with my ZT netowork, and I manually authorized every device on there (granted it's only 10 so far, lol).
It is far too easy to bring in a personal device that may or may not be infected with a polymorphic bug / worm / trojan / crypto / other bad things and plug it in or connect it to the network at your business -- even if you are doing 802.11x or some other type of LAN security.
I generally keep things like the Windows Firewall and FirewallD enabled on my devices, and only punch holes in them for services that I want available on my lan or public network. This is also true of my ZT subnet as well. Why take the risk that one device could get a bug and easily share it with the rest of the systems on my ZT Subnet or LAN?
-
@dafyre said:
What I don't understand is why anyone with any IT knowledge in a business setting would treat their network as trusted? I don't even do this with my ZT netowork, and I manually authorized every device on there (granted it's only 10 so far, lol).
It is far too easy to bring in a personal device that may or may not be infected with a polymorphic bug / worm / trojan / crypto / other bad things and plug it in or connect it to the network at your business -- even if you are doing 802.11x or some other type of LAN security.
I generally keep things like the Windows Firewall and FirewallD enabled on my devices, and only punch holes in them for services that I want available on my lan or public network. This is also true of my ZT subnet as well. Why take the risk that one device could get a bug and easily share it with the rest of the systems on my ZT Subnet or LAN?
Yeah this is one of the worst parts of my network. I do monitor the LAN and run Wireshark every day but it's not great. My company will not purchase anything. I got them to buy ten raspberry pi's simply because they are cheap. I use them for all sorts of things. That's all I can really hope for (which isn't much)
-
@dafyre said:
I generally keep things like the Windows Firewall and FirewallD enabled on my devices...
Curious, what is FirewallD?
-
@FATeknollogee said:
@dafyre said:
I generally keep things like the Windows Firewall and FirewallD enabled on my devices...
Curious, what is FirewallD?
It's a Firewall front end for a few Linux distros. (It just does iptables commands for you).
-
Any recommendations for best books for network security in a windows network? I am creating a home library to educate myself.
-
@Dashrender Decentralization is not all or nothing. You can have a p2p network with a central database that it uses for persistence and missed connections.
If you want to go all-in on decentralization you can do that with a DHT and crypto, but it's more work and possibly less reliable or slower.
As far as the feds telling Skype to centralize: I personally doubt this and have always heard it was because they found p2p too hard on mobile. Another reason is they were bought by Microsoft. Centralization's cost decreases exponentially if you already own data centers. It's an economy of scale. So once MS bought them the economic incentive to decentralize was gone and centralization is a more standard way of doing things that more coders understand and it does make some problems simpler.
-
@adam.ierymenko said:
@Dashrender Decentralization is not all or nothing. You can have a p2p network with a central database that it uses for persistence and missed connections.
If you want to go all-in on decentralization you can do that with a DHT and crypto, but it's more work and possibly less reliable or slower.
As far as the feds telling Skype to centralize: I personally doubt this and have always heard it was because they found p2p too hard on mobile. Another reason is they were bought by Microsoft. Centralization's cost decreases exponentially if you already own data centers. It's an economy of scale. So once MS bought them the economic incentive to decentralize was gone and centralization is a more standard way of doing things that more coders understand and it does make some problems simpler.
Huh - that does make sense, but you're the first I've heard mention these points.
-
@Dashrender The economy of scale thing is what I meant by the p2p complexity tax being "regressive" in my presentation on firewalls. The bigger you are, the less it costs to either invest in the engineering required to do p2p well or just back-haul everything to the cloud. If (like MS) you own a bunch of your own data centers, then putting all traffic through your cloud is very cheap due to the scale you already have. So the cloud back-haul requirement intrinsically favors large vendors.
Personally I think Skype going central was just the MS economy of scale thing. You can do P2P on mobile-- ZeroTier has an Android app and soon an iOS one and they work fine. My phone is always pingable on our company LAN and the impact on battery life is in the fractions of a percent. Of course maybe that's more true today... Skype ported to mobile back when phones had slower single-core CPUs and smaller batteries. Radios have quietly gotten way more efficient too, so the constant low-grade peer-to-peer packet slinging doesn't eat as much battery as it might have with earlier generation LTE and WiFi chipsets.
-
@adam.ierymenko said:
As far as the feds telling Skype to centralize: I personally doubt this and have always heard it was because they found p2p too hard on mobile. Another reason is they were bought by Microsoft. Centralization's cost decreases exponentially if you already own data centers. It's an economy of scale. So once MS bought them the economic incentive to decentralize was gone and centralization is a more standard way of doing things that more coders understand and it does make some problems simpler.
And MS had to change how it worked for the merge into Lync. It's that Skype was phased out is really what happened, not that it changed.
-
@adam.ierymenko said:
Personally I think Skype going central was just the MS economy of scale thing. You can do P2P on mobile-- ZeroTier has an Android app and soon an iOS one and they work fine. My phone is always pingable on our company LAN and the impact on battery life is in the fractions of a percent. Of course maybe that's more true today... Skype ported to mobile back when phones had slower single-core CPUs and smaller batteries. Radios have quietly gotten way more efficient too, so the constant low-grade peer-to-peer packet slinging doesn't eat as much battery as it might have with earlier generation LTE and WiFi chipsets.
I'm extremely interesting in the ZeroTier on PBX concept. Hoping to test that in the sooner than later time frame. Would be nice to have laptops and cell phones talking to a PBX over ZT rather than some more cumbersome mechanism.
-
@scottalanmiller said:
@adam.ierymenko said:
Personally I think Skype going central was just the MS economy of scale thing. You can do P2P on mobile-- ZeroTier has an Android app and soon an iOS one and they work fine. My phone is always pingable on our company LAN and the impact on battery life is in the fractions of a percent. Of course maybe that's more true today... Skype ported to mobile back when phones had slower single-core CPUs and smaller batteries. Radios have quietly gotten way more efficient too, so the constant low-grade peer-to-peer packet slinging doesn't eat as much battery as it might have with earlier generation LTE and WiFi chipsets.
I'm extremely interesting in the ZeroTier on PBX concept. Hoping to test that in the sooner than later time frame. Would be nice to have laptops and cell phones talking to a PBX over ZT rather than some more cumbersome mechanism.
Except most phones can already handle OpenVPN natively. ZT would be nice but you have to figure out how to build it into a phone. or Phone App to make it useful.
The PBX side is easy.
-
@JaredBusch said:
Except most phones can already handle OpenVPN natively. ZT would be nice but you have to figure out how to build it into a phone. or Phone App to make it useful.
OpenVPN on iPhone, for example, has traditionally been a pain.
-
@scottalanmiller said:
@JaredBusch said:
Except most phones can already handle OpenVPN natively. ZT would be nice but you have to figure out how to build it into a phone. or Phone App to make it useful.
OpenVPN on iPhone, for example, has traditionally been a pain.
Have you used it in the last year? It has worked well for me.
When the family was in Japan last year, the wife did not even realize that it always turned itself back on when she put her phone on the wifi on the mobile hotspot in Japan.
The iPad that my kids used to watchnetflix simply always was on the VPN, darn near the entire trip.
-
No, not on the iPhone, I'll give it a fresh try, thanks.
-
@JaredBusch said:
Except most phones can already handle OpenVPN natively. ZT would be nice but you have to figure out how to build it into a phone. or Phone App to make it useful.
Are you talking about Android / IOS devices, or the desktop phones? There are already clients for Android devices. According to the Web Site, IOS clients are slated for release in "early 2016".
-
@scottalanmiller People already run PBXes and VOIP over ZeroTier and say it works great. No need to worry about NAT-t, etc.
-
@adam.ierymenko said:
@scottalanmiller People already run PBXes and VOIP over ZeroTier and say it works great. No need to worry about NAT-t, etc.
It works great on mine. I use it with my FreePBX and it works really well. My Nexus 5 is probably the slowest part of the whole thing.
-
@adam.ierymenko said:
@scottalanmiller People already run PBXes and VOIP over ZeroTier and say it works great. No need to worry about NAT-t, etc.
Never said that ZT would not work. The issue is the endpoints on the other end.
