    MPLS alternative

IT Discussion
Tags: mpls, vpn, multi site
172 Posts 13 Posters 30.9k Views
Dashrender @hobbit666

      @hobbit666 said in MPLS alternative:

      I only said VPN because Scott mentioned it several times in the other thread.

      If we didn't have VPN/MPLS how would we serve our Citrix farm at the main site?

      You serve Citrix directly on the internet, Citrix's protocol ICA includes encryption. Sending ICA over VPN is double encryption.

gjacobse

        Just happened to think back,

        The emergency system (911) used MPLS between the county sites and the main server.

How would a VPN have replaced this? Downtime is one thing, but downtime and no ability to get emergency calls passed... that's serious.

1337 @gjacobse

          @gjacobse

1337 @1337

            Also the entire internet is a mesh of sorts.
            There are multiple ways to go from point A to point B if you are connected the right way.


1337

              I don't know much about MPLS except that even with redundant links the entire connection goes down if the company that runs it has a problem. So it's some kind of half-redundancy.

              For real redundancy you need to have multiple links using different operators.

travisdh1 @gjacobse

                @gjacobse said in MPLS alternative:

                Just happened to think back,

                The emergency system (911) used MPLS between the county sites and the main server.

How would a VPN have replaced this? Downtime is one thing, but downtime and no ability to get emergency calls passed... that's serious.

                Well, you already have a SPOF in the MPLS. MPLS does not provide any redundancy. A backhoe cutting the ISP lines still takes them down.

                If the people running the 911 system wanted redundancy, they'd need two internet connections of some sort.

gjacobse @travisdh1

                  @travisdh1 said in MPLS alternative:

                  @gjacobse said in MPLS alternative:

                  Just happened to think back,

                  The emergency system (911) used MPLS between the county sites and the main server.

How would a VPN have replaced this? Downtime is one thing, but downtime and no ability to get emergency calls passed... that's serious.

                  Well, you already have a SPOF in the MPLS. MPLS does not provide any redundancy. A backhoe cutting the ISP lines still takes them down.

                  If the people running the 911 system wanted redundancy, they'd need two internet connections of some sort.

There is a lot of redundancy built in; it's an absolute must. And yes, a backhoe, a homeowner and even Mother Nature will play havoc...

hobbit666 @Dashrender

                    @Dashrender said in MPLS alternative:

                    You serve Citrix directly on the internet, Citrix's protocol ICA includes encryption. Sending ICA over VPN is double encryption.

This is one thing management have never liked: opening the server to the outside world 😁.
But times are changing, so going with a mix of VPN for some servers and direct serving (i.e. on the internet) might be an option.

dafyre @hobbit666

                      @hobbit666 said in MPLS alternative:

How would multiple VPNs be handled? Would it be a case of each site's router having multiple VPNs to each site? Or a single VPN to a single "master" site/device?

To make it simple, I'd have each site's router run a single VPN to HQ (the master site).

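The single-VPN-per-site design described above, as an added example that is not from the thread: a small Python generator for hub-and-spoke WireGuard configs. Site names, subnets, the endpoint hq.example.net and the angle-bracket keys are constructed placeholders. It makes the routing consequence of the topology explicit: each spoke's AllowedIPs must cover every other site's LAN, because spoke-to-spoke traffic transits HQ.

```python
"""Hub-and-spoke site VPN in WireGuard syntax (added example, not from the thread).
Site names, subnets, endpoint and keys are constructed placeholders. Tunnel
addresses come from 10.255.0.0/24: hub = .1, spokes = .2, .3, ... in list order.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass
class Site:
    name: str
    lan: str       # LAN subnet behind this site's router
    endpoint: str  # public host:port; only the hub's is needed
    pubkey: str    # placeholder, not a real WireGuard key

TUNNEL_NET = ip_network("10.255.0.0/24")

def tunnel_ip(index: int) -> str:
    """Index 0 is the hub (.1); spoke n is index n (.n+1)."""
    return str(TUNNEL_NET[index + 1])

def hub_config(hub: Site, spokes: list[Site], privkey: str = "<HUB_PRIVATE_KEY>") -> str:
    """One [Peer] per spoke. AllowedIPs = that spoke's tunnel address plus its LAN,
    so the hub forwards 192.168.3.0/24 only to the spoke that owns it."""
    lines = ["[Interface]", f"Address = {tunnel_ip(0)}/24",
             f"ListenPort = {hub.endpoint.rsplit(':', 1)[1]}", f"PrivateKey = {privkey}", ""]
    for i, s in enumerate(spokes, start=1):
        lines += ["[Peer]", f"# {s.name}", f"PublicKey = {s.pubkey}",
                  f"AllowedIPs = {tunnel_ip(i)}/32, {s.lan}", ""]
    return "\n".join(lines)

def spoke_config(hub: Site, spokes: list[Site], index: int,
                 privkey: str = "<SPOKE_PRIVATE_KEY>") -> str:
    """A spoke has exactly one peer: the hub. Its AllowedIPs must list the hub's LAN
    and every other spoke's LAN, because spoke-to-spoke traffic transits the hub."""
    me = spokes[index - 1]
    reachable = [hub.lan] + [s.lan for s in spokes if s is not me]
    lines = ["[Interface]", f"Address = {tunnel_ip(index)}/24", f"PrivateKey = {privkey}", "",
             "[Peer]", f"# hub: {hub.name}", f"PublicKey = {hub.pubkey}",
             f"Endpoint = {hub.endpoint}",
             f"AllowedIPs = {tunnel_ip(0)}/32, " + ", ".join(reachable),
             "PersistentKeepalive = 25"]  # keeps NAT mappings open for hub-initiated traffic
    return "\n".join(lines)

HQ = Site("hq", "192.168.1.0/24", "hq.example.net:51820", "<HQ_PUBKEY>")
SPOKES = [Site("branch-a", "192.168.2.0/24", "", "<A_PUBKEY>"),
          Site("branch-b", "192.168.3.0/24", "", "<B_PUBKEY>"),
          Site("branch-c", "192.168.4.0/24", "", "<C_PUBKEY>")]

if __name__ == "__main__":
    print(hub_config(HQ, SPOKES))
    print(spoke_config(HQ, SPOKES, 1))  # branch-a reaches hq, branch-b, branch-c via the hub
```

A second hub at a different ISP would be a second [Peer] on every spoke with the same AllowedIPs, which is the "different operators" redundancy argued for later in the thread.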
scottalanmiller @hobbit666

                        @hobbit666 said in MPLS alternative:

                        If we didn't have VPN/MPLS how would we serve our Citrix farm at the main site?

Directly. Citrix has no need for additional VPN/MPLS since the Citrix ICA protocol has the same security as a VPN already. You can't just tie it to AD, but that's a different issue. Citrix isn't meant to be used behind a VPN; that's an unnecessary layer of complication. You need some sort of protection, but neither of these do much to address the fundamental security flaw involved, nor are they elegant solutions.

scottalanmiller @hobbit666

                          @hobbit666 said in MPLS alternative:

                          @scottalanmiller said in MPLS alternative:

                          These are things you never want. "Managed"

This I kind of disagree with. If we have an issue with a connection we phone it in and they sort it within the SLA. Downtime means £££ loss.
Currently with the MPLS we have 4hr replacement on hardware and a high SLA with BT on the PSTN lines.

                          Those are EXACTLY the reasons that I said what I said. SLAs and four hours of waiting to "maybe" have things fixed at super high cost, instead of a more reliable system at lower cost.

                          Remember "4 hr replacement" doesn't say that they WILL replace in 4hrs, it just tells you what they pay you if they don't. Very, VERY different from "keeping your business running."

                          The MPLS needs that SLA because it's so risky. If you didn't have the MPLS, you wouldn't have the same risks. That's part of the trick. Create the risk so that they can sell you the fix as well!

scottalanmiller @hobbit666

                            @hobbit666 said in MPLS alternative:

                            @scottalanmiller said in MPLS alternative:

                            @hobbit666 said in MPLS alternative:

3 sites have 20+ users; these are served by 100mb leased lines, which we would like to keep.

                            Why would you ever want a leased line? Leased lines essentially only exist today to make MPLS possible. They are costly and risky.

Because we "couldn't" get a line above 5mb, so replication to the DR site would be impossible. Also handling the traffic from all the sites, like print servers, SMB shares etc.
(most of these are getting replaced slowly with things like O365)

                            Anything you can get in a leased line you can get in an Internet line for the same or cheaper. Leased lines aren't magic, they are just the same lines without Internet access.

                            All that traffic from the sites can be handled by normal VPNs. But that begs the question, why are you doing things like printing over the WAN in the first place? Or SMB shares over the WAN? These are LAN-focused, 1990s technologies. I get that things linger, but this feels more and more like one basic mistake that no one evaluated and then piling mistakes on top of that layer after layer. None of it matches anything remotely modern, secure, or affordable but each mistake relies on another mistake as the excuse for itself.

scottalanmiller @hobbit666

                              @hobbit666 said in MPLS alternative:

                              So what about SDWAN? Would this be an alternative too?

                              SDWAN is just a marketing term for managed VPN. So as a technology, it's just VPN which we said to use. But if you mean a product from the ISP that they call SDWAN, then see the "never, ever get any service like this from the ISP" advice.

                              Remember, if it's managed, it's bad. There's no way to have an exception to this. Market pressure would never allow it.

scottalanmiller @IRJ

                                @IRJ said in MPLS alternative:

                                @hobbit666 said in MPLS alternative:

                                @scottalanmiller said in MPLS alternative:

                                1990's LAN-based thinking. Modern networks with security are zero-trust (aka LANless) in design and VPN/MPLS would not serve any purpose.

                                I'll put my hand up and agree this is me, but will be looking at LANless/zero-trust on Monday and learn what it means fully.

Yeah, that's really the only route to go anymore.

                                And it's not new, we've been talking about it here since day one and it wasn't new then. I know companies doing this for close to two decades now. And that means companies I don't know were way ahead of the curve.

scottalanmiller @hobbit666

                                  @hobbit666 said in MPLS alternative:

                                  Any link to good reading on zero-trust stuff?

                                  MangoCon 2016. One of the three most viewed MC talks ever.

                                  Youtube Video

scottalanmiller @hobbit666

                                    @hobbit666 said in MPLS alternative:

                                    @Dashrender said in MPLS alternative:

                                    You serve Citrix directly on the internet, Citrix's protocol ICA includes encryption. Sending ICA over VPN is double encryption.

This is one thing management have never liked: opening the server to the outside world 😁.
But times are changing, so going with a mix of VPN for some servers and direct serving (i.e. on the internet) might be an option.

                                    Another fundamental flaw of the business in general: "management have never liked." Management's job here is to make sure that "what is good for the business" is what is chosen, not what someone "likes" emotionally. An emotional manager is a saboteur. They have no place in IT or business. Their job is to protect against this, not do it themselves. This is like the security card stealing from the till. It's doing exactly the thing that they are paid to protect against. In one case it is stealing, in the other it is illogical and reckless decision making.

It's nothing to do with the times changing. It's about common myths finally being exposed often enough. ICA has always, or at least for a really long time, been secure. But people constantly misconfiguring it is the issue, not the protocol. You know what else is a huge risk from misconfiguration? VPNs and MPLS!!

scottalanmiller @dafyre

                                      @dafyre said in MPLS alternative:

                                      @hobbit666 said in MPLS alternative:

How would multiple VPNs be handled? Would it be a case of each site's router having multiple VPNs to each site? Or a single VPN to a single "master" site/device?

To make it simple, I'd have each site's router run a single VPN to HQ (the master site).

                                      AKA hub and spoke.

scottalanmiller @1337

                                        @Pete-S said in MPLS alternative:

                                        I don't know much about MPLS except that even with redundant links the entire connection goes down if the company that runs it has a problem. So it's some kind of half-redundancy.

                                        For real redundancy you need to have multiple links using different operators.

                                        Exactly. MPLS is for companies who don't care about reliability. It's the polar opposite of reliable. Everything about it is unnecessarily fragile and risky.

                                        I know Fortune 100s that have it and it's 99% the cause of their downtime. It fails way more often than any other link, and it takes way longer to fix than any other link. Bigger outages, more often. Plus high cost. The worst of all worlds.

scottalanmiller @gjacobse

                                          @gjacobse said in MPLS alternative:

                                          Just happened to think back,

                                          The emergency system (911) used MPLS between the county sites and the main server.

How would a VPN have replaced this? Downtime is one thing, but downtime and no ability to get emergency calls passed... that's serious.

Well, since a VPN beats an MPLS in every way... any risk you have with the MPLS is reduced with a VPN. So there's nothing for VPN to do. If MPLS is acceptable, literally anything is acceptable. There's nothing worse.

Dashrender @hobbit666

                                            @hobbit666 said in MPLS alternative:

                                            @Dashrender said in MPLS alternative:

                                            You serve Citrix directly on the internet, Citrix's protocol ICA includes encryption. Sending ICA over VPN is double encryption.

This is one thing management have never liked: opening the server to the outside world 😁.
But times are changing, so going with a mix of VPN for some servers and direct serving (i.e. on the internet) might be an option.

They are missing the point then... the VPN is exposed directly to the web... why is it better than the Citrix server?

Page 2 / 9