If LAN is legacy, what is the UN-legacy...?
-
What I don't understand is why anyone with any IT knowledge in a business setting would treat their network as trusted? I don't even do this with my ZT netowork, and I manually authorized every device on there (granted it's only 10 so far, lol).
It is far too easy to bring in a personal device that may or may not be infected with a polymorphic bug / worm / trojan / crypto / other bad things and plug it in or connect it to the network at your business -- even if you are doing 802.11x or some other type of LAN security.
I generally keep things like the Windows Firewall and FirewallD enabled on my devices, and only punch holes in them for services that I want available on my lan or public network. This is also true of my ZT subnet as well. Why take the risk that one device could get a bug and easily share it with the rest of the systems on my ZT Subnet or LAN?
-
@dafyre said:
What I don't understand is why anyone with any IT knowledge in a business setting would treat their network as trusted? I don't even do this with my ZT netowork, and I manually authorized every device on there (granted it's only 10 so far, lol).
It is far too easy to bring in a personal device that may or may not be infected with a polymorphic bug / worm / trojan / crypto / other bad things and plug it in or connect it to the network at your business -- even if you are doing 802.11x or some other type of LAN security.
I generally keep things like the Windows Firewall and FirewallD enabled on my devices, and only punch holes in them for services that I want available on my lan or public network. This is also true of my ZT subnet as well. Why take the risk that one device could get a bug and easily share it with the rest of the systems on my ZT Subnet or LAN?
Yeah this is one of the worst parts of my network. I do monitor the LAN and run Wireshark every day but it's not great. My company will not purchase anything. I got them to buy ten raspberry pi's simply because they are cheap. I use them for all sorts of things. That's all I can really hope for (which isn't much)
-
@dafyre said:
I generally keep things like the Windows Firewall and FirewallD enabled on my devices...
Curious, what is FirewallD?
-
@FATeknollogee said:
@dafyre said:
I generally keep things like the Windows Firewall and FirewallD enabled on my devices...
Curious, what is FirewallD?
It's a Firewall front end for a few Linux distros. (It just does iptables commands for you).
-
Any recommendations for best books for network security in a windows network? I am creating a home library to educate myself.
-
@Dashrender Decentralization is not all or nothing. You can have a p2p network with a central database that it uses for persistence and missed connections.
If you want to go all-in on decentralization you can do that with a DHT and crypto, but it's more work and possibly less reliable or slower.
As far as the feds telling Skype to centralize: I personally doubt this and have always heard it was because they found p2p too hard on mobile. Another reason is they were bought by Microsoft. Centralization's cost decreases exponentially if you already own data centers. It's an economy of scale. So once MS bought them the economic incentive to decentralize was gone and centralization is a more standard way of doing things that more coders understand and it does make some problems simpler.
-
@adam.ierymenko said:
@Dashrender Decentralization is not all or nothing. You can have a p2p network with a central database that it uses for persistence and missed connections.
If you want to go all-in on decentralization you can do that with a DHT and crypto, but it's more work and possibly less reliable or slower.
As far as the feds telling Skype to centralize: I personally doubt this and have always heard it was because they found p2p too hard on mobile. Another reason is they were bought by Microsoft. Centralization's cost decreases exponentially if you already own data centers. It's an economy of scale. So once MS bought them the economic incentive to decentralize was gone and centralization is a more standard way of doing things that more coders understand and it does make some problems simpler.
Huh - that does make sense, but you're the first I've heard mention these points.
-
@Dashrender The economy of scale thing is what I meant by the p2p complexity tax being "regressive" in my presentation on firewalls. The bigger you are, the less it costs to either invest in the engineering required to do p2p well or just back-haul everything to the cloud. If (like MS) you own a bunch of your own data centers, then putting all traffic through your cloud is very cheap due to the scale you already have. So the cloud back-haul requirement intrinsically favors large vendors.
Personally I think Skype going central was just the MS economy of scale thing. You can do P2P on mobile-- ZeroTier has an Android app and soon an iOS one and they work fine. My phone is always pingable on our company LAN and the impact on battery life is in the fractions of a percent. Of course maybe that's more true today... Skype ported to mobile back when phones had slower single-core CPUs and smaller batteries. Radios have quietly gotten way more efficient too, so the constant low-grade peer-to-peer packet slinging doesn't eat as much battery as it might have with earlier generation LTE and WiFi chipsets.
-
@adam.ierymenko said:
As far as the feds telling Skype to centralize: I personally doubt this and have always heard it was because they found p2p too hard on mobile. Another reason is they were bought by Microsoft. Centralization's cost decreases exponentially if you already own data centers. It's an economy of scale. So once MS bought them the economic incentive to decentralize was gone and centralization is a more standard way of doing things that more coders understand and it does make some problems simpler.
And MS had to change how it worked for the merge into Lync. It's that Skype was phased out is really what happened, not that it changed.
-
@adam.ierymenko said:
Personally I think Skype going central was just the MS economy of scale thing. You can do P2P on mobile-- ZeroTier has an Android app and soon an iOS one and they work fine. My phone is always pingable on our company LAN and the impact on battery life is in the fractions of a percent. Of course maybe that's more true today... Skype ported to mobile back when phones had slower single-core CPUs and smaller batteries. Radios have quietly gotten way more efficient too, so the constant low-grade peer-to-peer packet slinging doesn't eat as much battery as it might have with earlier generation LTE and WiFi chipsets.
I'm extremely interesting in the ZeroTier on PBX concept. Hoping to test that in the sooner than later time frame. Would be nice to have laptops and cell phones talking to a PBX over ZT rather than some more cumbersome mechanism.
-
@scottalanmiller said:
@adam.ierymenko said:
Personally I think Skype going central was just the MS economy of scale thing. You can do P2P on mobile-- ZeroTier has an Android app and soon an iOS one and they work fine. My phone is always pingable on our company LAN and the impact on battery life is in the fractions of a percent. Of course maybe that's more true today... Skype ported to mobile back when phones had slower single-core CPUs and smaller batteries. Radios have quietly gotten way more efficient too, so the constant low-grade peer-to-peer packet slinging doesn't eat as much battery as it might have with earlier generation LTE and WiFi chipsets.
I'm extremely interesting in the ZeroTier on PBX concept. Hoping to test that in the sooner than later time frame. Would be nice to have laptops and cell phones talking to a PBX over ZT rather than some more cumbersome mechanism.
Except most phones can already handle OpenVPN natively. ZT would be nice but you have to figure out how to build it into a phone. or Phone App to make it useful.
The PBX side is easy.
-
@JaredBusch said:
Except most phones can already handle OpenVPN natively. ZT would be nice but you have to figure out how to build it into a phone. or Phone App to make it useful.
OpenVPN on iPhone, for example, has traditionally been a pain.
-
@scottalanmiller said:
@JaredBusch said:
Except most phones can already handle OpenVPN natively. ZT would be nice but you have to figure out how to build it into a phone. or Phone App to make it useful.
OpenVPN on iPhone, for example, has traditionally been a pain.
Have you used it in the last year? It has worked well for me.
When the family was in Japan last year, the wife did not even realize that it always turned itself back on when she put her phone on the wifi on the mobile hotspot in Japan.
The iPad that my kids used to watchnetflix simply always was on the VPN, darn near the entire trip.
-
No, not on the iPhone, I'll give it a fresh try, thanks.
-
@JaredBusch said:
Except most phones can already handle OpenVPN natively. ZT would be nice but you have to figure out how to build it into a phone. or Phone App to make it useful.
Are you talking about Android / IOS devices, or the desktop phones? There are already clients for Android devices. According to the Web Site, IOS clients are slated for release in "early 2016".
-
@scottalanmiller People already run PBXes and VOIP over ZeroTier and say it works great. No need to worry about NAT-t, etc.
-
@adam.ierymenko said:
@scottalanmiller People already run PBXes and VOIP over ZeroTier and say it works great. No need to worry about NAT-t, etc.
It works great on mine. I use it with my FreePBX and it works really well. My Nexus 5 is probably the slowest part of the whole thing.
-
@adam.ierymenko said:
@scottalanmiller People already run PBXes and VOIP over ZeroTier and say it works great. No need to worry about NAT-t, etc.
Never said that ZT would not work. The issue is the endpoints on the other end.
-
@adam.ierymenko said:
. No need to worry about NAT-t, etc.
Is that it? Is NAT traversal why you would want to run softphones over ZT instead of just connecting them directly to the internet?
-
@Dashrender said:
Is that it? Is NAT traversal why you would want to run softphones over ZT instead of just connecting them directly to the internet?
No, security is the main reason. NAT traversal is easy (ish) to deal with.
