    Why you don't need a VPN or not?

    IT Discussion
    109 Posts 12 Posters 10.0k Views
    • wrx7mW
      wrx7m @Obsolesce
      last edited by

      @Obsolesce - So they are not wide open (with the exception of the Windows firewall).

      1 Reply Last reply Reply Quote 0
      • wrx7mW
        wrx7m @travisdh1
        last edited by

        @travisdh1 said in Why you don't need a VPN or not?:

        @wrx7m said in Why you don't need a VPN or not?:

        @Obsolesce - Right, I have an edge firewall for the WAN to the LAN where all endpoints on the wired network (servers and clients) reside, but I am wondering how to move to a tighter circle to get the servers segregated from the clients.

        That involves making network services available with a different method.

        IE: Files served from NextCloud instead of a file server.

        OK, so if I am not doing that, there is no point to make a change?

        travisdh1T scottalanmillerS 2 Replies Last reply Reply Quote 0
        • travisdh1T
          travisdh1 @wrx7m
          last edited by

          @wrx7m said in Why you don't need a VPN or not?:

          @travisdh1 said in Why you don't need a VPN or not?:

          @wrx7m said in Why you don't need a VPN or not?:

          @Obsolesce - Right, I have an edge firewall for the WAN to the LAN where all endpoints on the wired network (servers and clients) reside, but I am wondering how to move to a tighter circle to get the servers segregated from the clients.

          That involves making network services available with a different method.

          IE: Files served from NextCloud instead of a file server.

          OK, so if I am not doing that, there is no point to make a change?

          Yes, exactly.

          wrx7mW 1 Reply Last reply Reply Quote 0
          • wrx7mW
            wrx7m @travisdh1
            last edited by

            @travisdh1 said in Why you don't need a VPN or not?:

            @wrx7m said in Why you don't need a VPN or not?:

            @travisdh1 said in Why you don't need a VPN or not?:

            @wrx7m said in Why you don't need a VPN or not?:

            @Obsolesce - Right, I have an edge firewall for the WAN to the LAN where all endpoints on the wired network (servers and clients) reside, but I am wondering how to move to a tighter circle to get the servers segregated from the clients.

            That involves making network services available with a different method.

            IE: Files served from NextCloud instead of a file server.

            OK, so if I am not doing that, there is no point to make a change?

            Yes, exactly.

            The takeaway is - The only way to be secure is to use a web app?

            travisdh1T scottalanmillerS 2 Replies Last reply Reply Quote 0
            • travisdh1T
              travisdh1 @wrx7m
              last edited by

              @wrx7m said in Why you don't need a VPN or not?:

              @travisdh1 said in Why you don't need a VPN or not?:

              @wrx7m said in Why you don't need a VPN or not?:

              @travisdh1 said in Why you don't need a VPN or not?:

              @wrx7m said in Why you don't need a VPN or not?:

              @Obsolesce - Right, I have an edge firewall for the WAN to the LAN where all endpoints on the wired network (servers and clients) reside, but I am wondering how to move to a tighter circle to get the servers segregated from the clients.

              That involves making network services available with a different method.

              IE: Files served from NextCloud instead of a file server.

              OK, so if I am not doing that, there is no point to make a change?

              Yes, exactly.

              The takeaway is - The only way to be secure is to use a web app?

              It's not the only way to be secure, but it does make it much easier.

              wrx7mW 1 Reply Last reply Reply Quote 0
              • wrx7mW
                wrx7m @travisdh1
                last edited by

                @travisdh1 said in Why you don't need a VPN or not?:

                @wrx7m said in Why you don't need a VPN or not?:

                @travisdh1 said in Why you don't need a VPN or not?:

                @wrx7m said in Why you don't need a VPN or not?:

                @travisdh1 said in Why you don't need a VPN or not?:

                @wrx7m said in Why you don't need a VPN or not?:

                @Obsolesce - Right, I have an edge firewall for the WAN to the LAN where all endpoints on the wired network (servers and clients) reside, but I am wondering how to move to a tighter circle to get the servers segregated from the clients.

                That involves making network services available with a different method.

                IE: Files served from NextCloud instead of a file server.

                OK, so if I am not doing that, there is no point to make a change?

                Yes, exactly.

                The takeaway is - The only way to be secure is to use a web app?

                It's not the only way to be secure, but it does make it much easier.

                So, in your post - https://mangolassi.it/topic/15325/lanless-explained/2

                The second diagram shows the red security perimeter, housing "Servers, SANs, etc. All applications, files, and every other resource needed". What is securing the perimeter? [diagram image]

                travisdh1T scottalanmillerS 2 Replies Last reply Reply Quote 0
                • travisdh1T
                  travisdh1 @wrx7m
                  last edited by

                  @wrx7m said in Why you don't need a VPN or not?:

                  @travisdh1 said in Why you don't need a VPN or not?:

                  @wrx7m said in Why you don't need a VPN or not?:

                  @travisdh1 said in Why you don't need a VPN or not?:

                  @wrx7m said in Why you don't need a VPN or not?:

                  @travisdh1 said in Why you don't need a VPN or not?:

                  @wrx7m said in Why you don't need a VPN or not?:

                  @Obsolesce - Right, I have an edge firewall for the WAN to the LAN where all endpoints on the wired network (servers and clients) reside, but I am wondering how to move to a tighter circle to get the servers segregated from the clients.

                  That involves making network services available with a different method.

                  IE: Files served from NextCloud instead of a file server.

                  OK, so if I am not doing that, there is no point to make a change?

                  Yes, exactly.

                  The takeaway is - The only way to be secure is to use a web app?

                  It's not the only way to be secure, but it does make it much easier.

                  So, in your post - https://mangolassi.it/topic/15325/lanless-explained/2

                  The second diagram shows the red security perimeter, housing "Servers, SANs, etc. All applications, files, and every other resource needed". What is securing the perimeter? [diagram image]

                  Generally VPN in the form of HTTPS connections.

                  1 Reply Last reply Reply Quote 0
                  • scottalanmillerS
                    scottalanmiller @wrx7m
                    last edited by

                    @wrx7m said in Why you don't need a VPN or not?:

                    @scottalanmiller So in a transitional phase of moving away from LAN-centric practices, I have Windows firewall enabled on all Windows clients and Windows servers. Is that it, or would I have servers behind a hardware firewall with an ACL?

                    Firewalls are nearly always a good thing. Not always necessary, but rarely "bad". Certainly you want the OS firewalls on servers and desktops, always. LANless won't mean necessarily dumping your hardware firewalls, they are necessary as the routing layer, anyway. So using ACLs and NATing are going to continue to be useful.

                    The key difference is ensuring that they are a "secondary defense layer" and not a primary one. Make sure you'd feel safe putting your server on the Internet... then add that hardware firewall as icing, not as your security cake.

                    1 Reply Last reply Reply Quote 0
                    • scottalanmillerS
                      scottalanmiller @travisdh1
                      last edited by

                      @travisdh1 said in Why you don't need a VPN or not?:

                      LANless is about making everything accessible through web services.

                      And securing them as if they will be accessed over the Internet.

                      But not web services, necessarily, although commonly. Accessed as if they are remote is a better way to phrase it.

                      1 Reply Last reply Reply Quote 1
                      • scottalanmillerS
                        scottalanmiller @wrx7m
                        last edited by

                        @wrx7m said in Why you don't need a VPN or not?:

                        @Obsolesce - Right, I have an edge firewall for the WAN to the LAN where all endpoints on the wired network (servers and clients) reside, but I am wondering how to move to a tighter circle to get the servers segregated from the clients.

                        Do you really want "servers versus clients?" Making servers secure individually is great, but generally servers need to talk to clients more than to other servers. Keeping servers away from each other is often more important than keeping servers away from clients. Same deal with clients, they almost never should talk to each other, but constantly must talk to servers.

                        wrx7mW 1 Reply Last reply Reply Quote 2
                        • scottalanmillerS
                          scottalanmiller @wrx7m
                          last edited by

                          @wrx7m said in Why you don't need a VPN or not?:

                          @travisdh1 said in Why you don't need a VPN or not?:

                          @wrx7m said in Why you don't need a VPN or not?:

                          @Obsolesce - Right, I have an edge firewall for the WAN to the LAN where all endpoints on the wired network (servers and clients) reside, but I am wondering how to move to a tighter circle to get the servers segregated from the clients.

                          That involves making network services available with a different method.

                          IE: Files served from NextCloud instead of a file server.

                          OK, so if I am not doing that, there is no point to make a change?

                          LANless requires removing LAN-based approaches. I understand you are talking about a transition period.

                          But some things, like SMB shares and Active Directory, are LAN-based at their cores and really have no effective way to be made LANless, even transitionally.

                          I mean you can do something like taking ZeroTier and encapsulating SMB and creating a poorly performing LANless file sharing service in that way. But it is hokey and won't behave all that well. SMB is just not suited to that, it was designed with the thought that LAN containment would always define it.

                          1 Reply Last reply Reply Quote 1
                          • scottalanmillerS
                            scottalanmiller @wrx7m
                            last edited by

                            @wrx7m said in Why you don't need a VPN or not?:

                            @travisdh1 said in Why you don't need a VPN or not?:

                            @wrx7m said in Why you don't need a VPN or not?:

                            @travisdh1 said in Why you don't need a VPN or not?:

                            @wrx7m said in Why you don't need a VPN or not?:

                            @Obsolesce - Right, I have an edge firewall for the WAN to the LAN where all endpoints on the wired network (servers and clients) reside, but I am wondering how to move to a tighter circle to get the servers segregated from the clients.

                            That involves making network services available with a different method.

                            IE: Files served from NextCloud instead of a file server.

                            OK, so if I am not doing that, there is no point to make a change?

                            Yes, exactly.

                            The takeaway is - The only way to be secure is to use a web app?

                            No. Web isn't more secure. Web might be easier to secure and to make LANless, but only because people are used to thinking of web as LANless and SMB as LAN-based. So assumptions go a long way.

                            NextCloud is not LANless only when used via web, but when used other ways, too.

                            1 Reply Last reply Reply Quote 0
                            • scottalanmillerS
                              scottalanmiller @wrx7m
                              last edited by

                              @wrx7m said in Why you don't need a VPN or not?:

                              @travisdh1 said in Why you don't need a VPN or not?:

                              @wrx7m said in Why you don't need a VPN or not?:

                              @travisdh1 said in Why you don't need a VPN or not?:

                              @wrx7m said in Why you don't need a VPN or not?:

                              @travisdh1 said in Why you don't need a VPN or not?:

                              @wrx7m said in Why you don't need a VPN or not?:

                              @Obsolesce - Right, I have an edge firewall for the WAN to the LAN where all endpoints on the wired network (servers and clients) reside, but I am wondering how to move to a tighter circle to get the servers segregated from the clients.

                              That involves making network services available with a different method.

                              IE: Files served from NextCloud instead of a file server.

                              OK, so if I am not doing that, there is no point to make a change?

                              Yes, exactly.

                              The takeaway is - The only way to be secure is to use a web app?

                              It's not the only way to be secure, but it does make it much easier.

                              So, in your post - https://mangolassi.it/topic/15325/lanless-explained/2

                              The second diagram shows the red security perimeter, housing "Servers, SANs, etc. All applications, files, and every other resource needed". What is securing the perimeter? [diagram image]

                              I think that this diagram can be misleading. It's showing a single service. But in a normal LANless infrastructure, you'd have a "red zone" for every workload, rather than just one, it might be dozens.

                              JaredBuschJ 1 Reply Last reply Reply Quote 0
                              • JaredBuschJ
                                JaredBusch @scottalanmiller
                                last edited by

                                @scottalanmiller said in Why you don't need a VPN or not?:

                                @wrx7m said in Why you don't need a VPN or not?:

                                @travisdh1 said in Why you don't need a VPN or not?:

                                @wrx7m said in Why you don't need a VPN or not?:

                                @travisdh1 said in Why you don't need a VPN or not?:

                                @wrx7m said in Why you don't need a VPN or not?:

                                @travisdh1 said in Why you don't need a VPN or not?:

                                @wrx7m said in Why you don't need a VPN or not?:

                                @Obsolesce - Right, I have an edge firewall for the WAN to the LAN where all endpoints on the wired network (servers and clients) reside, but I am wondering how to move to a tighter circle to get the servers segregated from the clients.

                                That involves making network services available with a different method.

                                IE: Files served from NextCloud instead of a file server.

                                OK, so if I am not doing that, there is no point to make a change?

                                Yes, exactly.

                                The takeaway is - The only way to be secure is to use a web app?

                                It's not the only way to be secure, but it does make it much easier.

                                So, in your post - https://mangolassi.it/topic/15325/lanless-explained/2

                                The second diagram shows the red security perimeter, housing "Servers, SANs, etc. All applications, files, and every other resource needed". What is securing the perimeter? [diagram image]

                                I think that this diagram can be misleading. It's showing a single service. But in a normal LANless infrastructure, you'd have a "red zone" for every workload, rather than just one, it might be dozens.

                                Honestly, it is completely wrong and confusing IMO.

                                wrx7mW 1 Reply Last reply Reply Quote 1
                                • wrx7mW
                                  wrx7m @JaredBusch
                                  last edited by

                                  @JaredBusch said in Why you don't need a VPN or not?:

                                  @scottalanmiller said in Why you don't need a VPN or not?:

                                  @wrx7m said in Why you don't need a VPN or not?:

                                  @travisdh1 said in Why you don't need a VPN or not?:

                                  @wrx7m said in Why you don't need a VPN or not?:

                                  @travisdh1 said in Why you don't need a VPN or not?:

                                  @wrx7m said in Why you don't need a VPN or not?:

                                  @travisdh1 said in Why you don't need a VPN or not?:

                                  @wrx7m said in Why you don't need a VPN or not?:

                                  @Obsolesce - Right, I have an edge firewall for the WAN to the LAN where all endpoints on the wired network (servers and clients) reside, but I am wondering how to move to a tighter circle to get the servers segregated from the clients.

                                  That involves making network services available with a different method.

                                  IE: Files served from NextCloud instead of a file server.

                                  OK, so if I am not doing that, there is no point to make a change?

                                  Yes, exactly.

                                  The takeaway is - The only way to be secure is to use a web app?

                                  It's not the only way to be secure, but it does make it much easier.

                                  So, in your post - https://mangolassi.it/topic/15325/lanless-explained/2

                                  The second diagram shows the red security perimeter, housing "Servers, SANs, etc. All applications, files, and every other resource needed". What is securing the perimeter? [diagram image]

                                  I think that this diagram can be misleading. It's showing a single service. But in a normal LANless infrastructure, you'd have a "red zone" for every workload, rather than just one, it might be dozens.

                                  Honestly, it is completely wrong and confusing IMO.

                                  So, would you say more like the previous comment where it would be services/servers with their own, respective perimeters? If so, what is the perimeter built from?

                                  scottalanmillerS 1 Reply Last reply Reply Quote 0
                                  • wrx7mW
                                    wrx7m @scottalanmiller
                                    last edited by wrx7m

                                    @scottalanmiller said in Why you don't need a VPN or not?:

                                    @wrx7m said in Why you don't need a VPN or not?:

                                    @Obsolesce - Right, I have an edge firewall for the WAN to the LAN where all endpoints on the wired network (servers and clients) reside, but I am wondering how to move to a tighter circle to get the servers segregated from the clients.

                                    Do you really want "servers versus clients?" Making servers secure individually is great, but generally servers need to talk to clients more than to other servers. Keeping servers away from each other is often more important than keeping servers away from clients. Same deal with clients, they almost never should talk to each other, but constantly must talk to servers.

                                    Clients can't talk to other clients per the Windows firewall rules I've configured. I will have to audit the servers to identify and prevent unnecessary communication between them.

                                    1 Reply Last reply Reply Quote 0
                                    • scottalanmillerS
                                      scottalanmiller @wrx7m
                                      last edited by

                                      @wrx7m said in Why you don't need a VPN or not?:

                                      @JaredBusch said in Why you don't need a VPN or not?:

                                      @scottalanmiller said in Why you don't need a VPN or not?:

                                      @wrx7m said in Why you don't need a VPN or not?:

                                      @travisdh1 said in Why you don't need a VPN or not?:

                                      @wrx7m said in Why you don't need a VPN or not?:

                                      @travisdh1 said in Why you don't need a VPN or not?:

                                      @wrx7m said in Why you don't need a VPN or not?:

                                      @travisdh1 said in Why you don't need a VPN or not?:

                                      @wrx7m said in Why you don't need a VPN or not?:

                                      @Obsolesce - Right, I have an edge firewall for the WAN to the LAN where all endpoints on the wired network (servers and clients) reside, but I am wondering how to move to a tighter circle to get the servers segregated from the clients.

                                      That involves making network services available with a different method.

                                      IE: Files served from NextCloud instead of a file server.

                                      OK, so if I am not doing that, there is no point to make a change?

                                      Yes, exactly.

                                      The takeaway is - The only way to be secure is to use a web app?

                                      It's not the only way to be secure, but it does make it much easier.

                                      So, in your post - https://mangolassi.it/topic/15325/lanless-explained/2

                                      The second diagram shows the red security perimeter, housing "Servers, SANs, etc. All applications, files, and every other resource needed". What is securing the perimeter? [diagram image]

                                      I think that this diagram can be misleading. It's showing a single service. But in a normal LANless infrastructure, you'd have a "red zone" for every workload, rather than just one, it might be dozens.

                                      Honestly, it is completely wrong and confusing IMO.

                                      So, would you say more like the previous comment where it would be services/servers with their own, respective perimeters? If so, what is the perimeter built from?

                                      Generally just firewall and service rules. The service should be secure itself without relying on access to the LAN on which it sits to protect it.

                                      1 Reply Last reply Reply Quote 1
                                      • scottalanmillerS
                                        scottalanmiller
                                        last edited by

                                        There are two key aspects to this...

                                        The first is security, which you are asking about now. LANless requires a "workload by workload security" approach, instead of a "shared location security" approach.

                                        The second is accessibility. Can it be accessed, or can it be accessed well, without a LAN to enable the access mechanisms?

                                        1 Reply Last reply Reply Quote 1
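The three posts above (audit the servers for unnecessary server-to-server traffic, perimeters built from "firewall and service rules", and "workload by workload security") all describe the same check. Below is an added example, not code from anyone in this thread: a small Python audit that takes a list of observed connections and reports every flow that breaks a per-workload policy in which clients never talk to clients, servers talk to other servers only on explicitly allowlisted flows, and each server is reached only on the ports its service actually publishes. The host inventory, the published ports and the connection records are constructed sample values; in practice you would feed it connection data exported from the hosts themselves.

```python
"""Audit observed connections against a workload-by-workload policy.

Policy, mirroring the thread's discussion:
  * clients never initiate connections to other clients
  * server-to-server flows must be explicitly allowlisted
  * a client reaches a server only on the ports that server publishes
  * a server initiating a connection to a client is reported for review
All inventory and connection data below is constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass

# Hypothetical inventory: role per host (constructed).
HOSTS = {
    "10.0.1.10": "client", "10.0.1.11": "client",
    "10.0.2.20": "server", "10.0.2.21": "server", "10.0.2.22": "server",
}
# Ports each server publishes as its service (constructed).
SERVICE_PORTS = {
    "10.0.2.20": {443},          # web file service
    "10.0.2.21": {443, 5432},    # app front end plus its database
    "10.0.2.22": {3389},         # admin jump host
}
# Explicit server-to-server allowlist: (source, destination, dst port).
ALLOWED_S2S = {("10.0.2.20", "10.0.2.21", 5432)}

# Constructed connection records: initiator, responder, destination port.
SAMPLE_FLOWS = """
# src         dst         dport
10.0.1.10  10.0.2.20  443
10.0.1.11  10.0.2.21  443
10.0.1.10  10.0.1.11  445
10.0.2.20  10.0.2.21  5432
10.0.2.21  10.0.2.22  445
10.0.1.11  10.0.2.20  22
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def parse_flows(text):
    """Parse 'src dst dport' lines, skipping blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port = line.split()
        flows.append(Flow(src, dst, int(port)))
    return flows


def audit(flows, hosts=HOSTS, service_ports=SERVICE_PORTS,
          allowed_s2s=ALLOWED_S2S):
    """Return (flow, reason) pairs for every flow the policy does not permit."""
    findings = []
    for f in flows:
        src_role = hosts.get(f.src, "unknown")
        dst_role = hosts.get(f.dst, "unknown")
        if "unknown" in (src_role, dst_role):
            findings.append((f, "host not in inventory"))
        elif src_role == "client" and dst_role == "client":
            findings.append((f, "client-to-client"))
        elif src_role == "server" and dst_role == "server":
            if (f.src, f.dst, f.dport) not in allowed_s2s:
                findings.append((f, "server-to-server not allowlisted"))
        elif src_role == "server" and dst_role == "client":
            findings.append((f, "server-initiated connection to client"))
        elif f.dport not in service_ports.get(f.dst, set()):
            # client -> server on a port the server does not publish
            findings.append((f, "port not a published service"))
    return findings


def summarize(findings):
    """Count findings per reason, the view you'd want for a firewall review."""
    return dict(Counter(reason for _, reason in findings))


if __name__ == "__main__":
    results = audit(parse_flows(SAMPLE_FLOWS))
    for flow, reason in results:
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {reason}")
    print(summarize(results))
```

Every flow the audit reports is one the host firewalls should already be blocking if the service is secured "as if it will be accessed over the Internet"; the allowlist and published-port table are exactly the rules those firewalls end up encoding.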
                                        • DashrenderD
                                          Dashrender
                                          last edited by

                                          The speedbump in this whole discussion is the use of shared files. WebDav can create an SMB-like connection (but is SMB/Samba really that much less secure than WebDav?)

                                          Personal files are often resolved by a sync solution of some type, but shared files are a huge pain. Searching through GBs of shared files on a webapp, then downloading them to open using a local app is a huge PITA. At least with Office and SharePoint, it's integrated and works seamlessly.

                                          I haven't used NC enough to know - is there an Office add-in that allows this type of integration?

                                          I see in the OnlyOffice thread that there is now talk of that kind of integration between NC and OnlyOffice local install - this will be a huge boon.

                                          Assuming you can deal with the online versions of the apps - then NC webapp - auto-launching OnlyOffice in the same tab/new tab could be doable, and would solve a lot of issues. But I don't see that working very well for large files - say AutoCAD or even some graphics files.

                                          ObsolesceO coliverC scottalanmillerS 7 Replies Last reply Reply Quote 0
                                          • ObsolesceO
                                            Obsolesce @Dashrender
                                            last edited by

                                            @Dashrender said in Why you don't need a VPN or not?:

                                            WebDav can create a SMB like connection (but is SMB/Samba really that much less secure than WebDav?)

                                            WebDav is a protocol that is an extension of http. It itself has nothing to do with SMB.

                                            I know it's beside the point, just clarifying.

                                            DashrenderD 1 Reply Last reply Reply Quote 0