    Why you don't need a VPN or not?

IT Discussion. 109 posts, 12 posters, 10.0k views.
• scottalanmiller @wrx7m

      @wrx7m said in Why you don't need a VPN or not?:

      @travisdh1 said in Why you don't need a VPN or not?:

      @wrx7m said in Why you don't need a VPN or not?:

      @travisdh1 said in Why you don't need a VPN or not?:

      @wrx7m said in Why you don't need a VPN or not?:

      @Obsolesce - Right, I have an edge firewall for the WAN to the LAN where all endpoints on the wired network (servers and clients) reside, but I am wondering how to move to a tighter circle to get the servers segregated from the clients.

      That involves making network services available with a different method.

      IE: Files served from NextCloud instead of a file server.

      OK, so if I am not doing that, there is no point to make a change?

      Yes, exactly.

      The takeaway is - The only way to be secure is to use a web app?

      No. Web isn't more secure. Web might be easier to secure and to make LANless, but only because people are used to thinking of web as LANless and SMB as LAN-based. So assumptions go a long way.

      NextCloud is not LANless only when used via web, but when used other ways, too.

• scottalanmiller @wrx7m

@wrx7m said in Why you don't need a VPN or not?:

@travisdh1 said in Why you don't need a VPN or not?:

        It's not the only way to be secure, but it does make it much easier.

        So, in your post - https://mangolassi.it/topic/15325/lanless-explained/2

The second diagram shows the red security perimeter, housing "Servers, SANs, etc. All applications, files, and every other resource needed". What is securing the perimeter? [diagram image]

        I think that this diagram can be misleading. It's showing a single service. But in a normal LANless infrastructure, you'd have a "red zone" for every workload, rather than just one, it might be dozens.

• JaredBusch @scottalanmiller

@scottalanmiller said in Why you don't need a VPN or not?:

          I think that this diagram can be misleading. It's showing a single service. But in a normal LANless infrastructure, you'd have a "red zone" for every workload, rather than just one, it might be dozens.

          Honestly, it is completely wrong and confusing IMO.

• wrx7m @JaredBusch

@JaredBusch said in Why you don't need a VPN or not?:

            Honestly, it is completely wrong and confusing IMO.

            So, would you say more like the previous comment where it would be services/servers with their own, respective perimeters? If so, what is the perimeter built from?

• wrx7m @scottalanmiller (edited)

              @scottalanmiller said in Why you don't need a VPN or not?:

              @wrx7m said in Why you don't need a VPN or not?:

              @Obsolesce - Right, I have an edge firewall for the WAN to the LAN where all endpoints on the wired network (servers and clients) reside, but I am wondering how to move to a tighter circle to get the servers segregated from the clients.

              Do you really want "servers versus clients?" Making servers secure individually is great, but generally servers need to talk to clients more than to other servers. Keeping servers away from each other is often more important than keeping servers away from clients. Same deal with clients, they almost never should talk to each other, but constantly must talk to servers.

              Clients can't talk to other clients per the Windows firewall rules I've configured. I will have to audit the servers to identify and prevent unnecessary communication between them.

• scottalanmiller @wrx7m

@wrx7m said in Why you don't need a VPN or not?:

                So, would you say more like the previous comment where it would be services/servers with their own, respective perimeters? If so, what is the perimeter built from?

                Generally just firewall and service rules. The service should be secure itself without relying on access to the LAN on which it sits to protect it.

• scottalanmiller

                  There are two key aspects to this...

                  The first is security, which you are asking about now. LANless requires a "workload by workload security" approach. Instead of a "shared location security" approach.

                  The second is accessibility. Can it be accessed, or can it be accessed well, without a LAN to enable the access mechanisms?

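The two answers above, that a workload's perimeter is "just firewall and service rules" applied per workload, and that clients should not talk to clients and servers should rarely talk to servers, can be expressed as a small policy model and checked before anything is deployed. The block below is an added example, not code from the thread or from any product named in it: the workload names, addresses and subnets are invented, and the nftables rendering is one way to write the resulting per-host rule set, not a rule set taken from any participant's network.

```python
"""Per-workload ("red zone") network policy: every server carries its own
allow-list; sitting on the same LAN grants nothing. Added example, not code
from the thread. Names, addresses and subnets below are invented."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Workload:
    name: str
    address: str                       # the host's own IP
    role: str                          # "server" or "client"
    # port -> set of source networks (CIDR) allowed to open that port
    services: dict = field(default_factory=dict)


# Constructed topology (assumption, not from the thread): a Nextcloud front end,
# its database, and one client subnet. The database lists only the Nextcloud
# host as a permitted source, never the /24 it happens to sit on.
CLIENT_NET = "10.0.2.0/24"
NEXTCLOUD = Workload("nextcloud", "10.0.1.10", "server", {443: {CLIENT_NET}})
DB = Workload("postgres", "10.0.1.20", "server", {5432: {"10.0.1.10/32"}})
SERVERS = [NEXTCLOUD, DB]


def allowed(src: str, dst: Workload, port: int) -> bool:
    """A flow is allowed only if dst's own service rules name src's network.
    Default deny: an unlisted host on the same subnet as dst gets nothing."""
    s = ip_address(src)
    return any(s in ip_network(net) for net in dst.services.get(port, ()))


def server_to_server(servers) -> list:
    """Which server->server flows are permitted at all. Each entry should be a
    deliberate dependency; anything else is a zone that was never closed."""
    flows = []
    for src in servers:
        for dst in servers:
            if src is dst:
                continue
            for port in dst.services:
                if allowed(src.address, dst, port):
                    flows.append((src.name, dst.name, port))
    return flows


def exposed_to_clients(servers, client_net: str) -> list:
    """Services the client subnet can reach: the only things clients should see."""
    cn = ip_network(client_net)
    return [(w.name, port)
            for w in servers
            for port, nets in sorted(w.services.items())
            if any(ip_network(n).overlaps(cn) for n in nets)]


def render_nftables(w: Workload) -> str:
    """One host-local nftables ruleset per workload: drop by default, let
    replies in, then one accept per (source network, port)."""
    lines = [
        "table inet workload {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
    ]
    for port, nets in sorted(w.services.items()):
        for net in sorted(nets):
            lines.append(f"    ip saddr {net} tcp dport {port} ct state new accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nftables(DB))
    print("server->server:", server_to_server(SERVERS))
    print("client-visible:", exposed_to_clients(SERVERS, CLIENT_NET))
```

The check worth running on every change is the output of server_to_server and exposed_to_clients: the first should list only known dependencies (here the one Nextcloud-to-database flow), the second only the ports clients are meant to use. A database port appearing in the second list, or a server reachable from another server it has no business with, is exactly the shared-LAN assumption the thread is arguing against.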
• Dashrender

                    The speedbump in this whole discussion is the use of shared files. WebDav can create a SMB like connection (but is SMB/Samba really that much less secure than WebDav?)

Personal files are often resolved by a sync solution of some type, but shared files are a huge pain. Searching through GBs of shared files on a webapp, then downloading them to open using a local app is a huge PITA. At least with Office and SharePoint, it's integrated and works seamlessly.

                    I haven't used NC enough to know - is there an Office add-in that allows this type of integration?

                    I see in the OnlyOffice thread that there is now talk of that kind of integration between NC and OnlyOffice local install - this will be a huge boon.

                    Assuming you can deal with the online versions of the apps - then NC webapp - auto-launching OnlyOffice in the same tab/new tab could be doable, and would solve a lot of issues. But I don't see that working very well for large files - say AutoCAD or even some graphics files.

• Obsolesce @Dashrender

                      @Dashrender said in Why you don't need a VPN or not?:

                      WebDav can create a SMB like connection (but is SMB/Samba really that much less secure than WebDav?)

                      WebDav is a protocol that is an extension of http. It itself has nothing to do with SMB.

I know it's beside the point, just clarifying.

• Dashrender @Obsolesce

                        @Obsolesce said in Why you don't need a VPN or not?:

WebDav is a protocol that is an extension of http. It itself has nothing to do with SMB.

                        LOL - yep I know - my point was only that it allows people to map a drive like we've been doing forever in Windows and browse around, then launch directly from the share. Unlike searching a NC webpage, which would then require downloading the file, then opening it, saving it locally, then copying it back to the NC webpage.

• coliver @Dashrender

                          @Dashrender Kind of. SMB is an inherently LAN-Centric protocol that wouldn't work well over the WAN and can be much harder to secure without central authentication/authorization.

                          WebDAV is a protocol built on top of HTTP and thus has none of the latency related downfalls of SMB. It also can use dozens of different forms of authentication/authorization which makes it a bit more modular.

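The point in the post above, that WebDAV is built on HTTP and therefore inherits HTTP's transport and its many authentication schemes, and Dashrender's earlier point that a WebDAV endpoint can be browsed like a mapped drive, both come down to one request: a PROPFIND with Depth: 1 against the user's files URL, answered with a 207 Multi-Status document. The block below is an added example, not Nextcloud's code or anything posted in the thread; the server name, user, credentials and the sample reply are constructed, and the /remote.php/dav/files/<user>/ path is assumed to be Nextcloud's layout.

```python
"""Minimal WebDAV directory listing: one PROPFIND over HTTPS, one 207
Multi-Status reply parsed. Added example, not Nextcloud's code or anything
from the thread; host, user and the sample reply are constructed."""
import base64
import http.client
import ssl
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

D = "{DAV:}"  # WebDAV's XML namespace (RFC 4918)

# Ask only for what a file browser needs; Depth: 1 lists the folder's children.
PROPFIND_BODY = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<d:propfind xmlns:d="DAV:"><d:prop>'
    '<d:resourcetype/><d:getcontentlength/><d:getlastmodified/>'
    '</d:prop></d:propfind>'
)


def auth_header(user=None, password=None, token=None) -> dict:
    """Because WebDAV is HTTP, the auth is HTTP auth: Basic (acceptable only
    inside TLS, ideally with an app password rather than the account
    password) or a bearer token from whatever identity provider fronts it."""
    if token:
        return {"Authorization": f"Bearer {token}"}
    raw = f"{user}:{password}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


def parse_multistatus(body: bytes) -> list:
    """Turn a 207 Multi-Status document into a flat list of entries."""
    entries = []
    for resp in ET.fromstring(body).findall(f"{D}response"):
        prop = resp.find(f"{D}propstat/{D}prop")
        if prop is None:
            continue
        rtype = prop.find(f"{D}resourcetype")
        size = prop.findtext(f"{D}getcontentlength")
        entries.append({
            "href": unquote(resp.findtext(f"{D}href", "")),
            "is_collection": rtype is not None and rtype.find(f"{D}collection") is not None,
            "size": int(size) if size else None,
            "modified": prop.findtext(f"{D}getlastmodified"),
        })
    return entries


def propfind(url: str, headers: dict, depth: int = 1) -> list:
    """Live request (not run in the offline sample). Certificate verification
    stays on: across a WAN the certificate is the only proof of which server
    answered."""
    u = urlsplit(url)
    conn = http.client.HTTPSConnection(u.hostname, u.port or 443,
                                       context=ssl.create_default_context())
    hdrs = {"Depth": str(depth), "Content-Type": "application/xml; charset=utf-8",
            **headers}
    conn.request("PROPFIND", u.path, body=PROPFIND_BODY, headers=hdrs)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    if resp.status != 207:
        raise RuntimeError(f"PROPFIND {u.path}: {resp.status} {resp.reason}")
    return parse_multistatus(body)


# Constructed reply, shaped like a listing of alice's root folder
# (the /remote.php/dav/files/<user>/ path is assumed to be Nextcloud's layout).
SAMPLE_207 = b"""<?xml version="1.0"?>
<d:multistatus xmlns:d="DAV:">
  <d:response>
    <d:href>/remote.php/dav/files/alice/</d:href>
    <d:propstat>
      <d:prop>
        <d:resourcetype><d:collection/></d:resourcetype>
        <d:getlastmodified>Tue, 05 Mar 2019 10:00:00 GMT</d:getlastmodified>
      </d:prop>
      <d:status>HTTP/1.1 200 OK</d:status>
    </d:propstat>
  </d:response>
  <d:response>
    <d:href>/remote.php/dav/files/alice/Projects/plan%20Q2.docx</d:href>
    <d:propstat>
      <d:prop>
        <d:resourcetype/>
        <d:getcontentlength>48213</d:getcontentlength>
        <d:getlastmodified>Mon, 04 Mar 2019 16:30:00 GMT</d:getlastmodified>
      </d:prop>
      <d:status>HTTP/1.1 200 OK</d:status>
    </d:propstat>
  </d:response>
</d:multistatus>
"""


if __name__ == "__main__":
    for e in parse_multistatus(SAMPLE_207):
        print("dir " if e["is_collection"] else "file", e["href"], e["size"], e["modified"])
    # Live use (not exercised here):
    # propfind("https://cloud.example.test/remote.php/dav/files/alice/",
    #          auth_header("alice", "app-password"))
```

Nothing in the exchange depends on the client and server sharing a network: the request is addressed by hostname, authenticated by an HTTP header, and protected by TLS, which is what makes the service LANless in the sense the thread uses. A drive-mapping client does the same PROPFIND on every folder open; it only hides the HTTP from the user.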
• Obsolesce @Dashrender (edited)

                            @Dashrender said in Why you don't need a VPN or not?:

                            LOL - yep I know - my point was only that it allows people to map a drive like we've been doing forever in Windows and browse around, then launch directly from the share. Unlike searching a NC webpage, which would then require downloading the file, then opening it, saving it locally, then copying it back to the NC webpage.

IMHO, you've paid more in resources putting together hardware, time, energy, maintenance, planning, etc... doing it yourself with NC/OnlyOffice/proxy/backup/etc, for up to 20 users with many limitations... than it would cost for a handful of O365 licenses and be done with it.

                            Yeah it's great for home use or for a PoC before purchasing a non-CE edition, or just for simple basic needs in a small SMB up to 20 users... which I'm sure there are quite a bit of cases that would work great for.

• scottalanmiller @Dashrender

                              @Dashrender said in Why you don't need a VPN or not?:

                              The speedbump in this whole discussion is the use of shared files. WebDav can create a SMB like connection (but is SMB/Samba really that much less secure than WebDav?)

                              SMB is a protocol. Samba is a server. WebDAV is a protocol.

                              Avoid SMB/Samba like terms, because they are different things. Like HTTP is a protocol, and Apache, IIS, and Nginx are HTTP servers.

                              You can compare SMB to WebDAV, but you can't compare Samba to WebDAV.

• scottalanmiller @Dashrender (edited)

                                @Dashrender said in Why you don't need a VPN or not?:

At least with Office and SharePoint, it's integrated and works seamlessly.

                                I haven't used NC enough to know - is there an Office add-in that allows this type of integration?

                                Same with LibreOffice and NextCloud.

• scottalanmiller @Dashrender

                                  @Dashrender said in Why you don't need a VPN or not?:

                                  I see in the OnlyOffice thread that there is now talk of that kind of integration between NC and OnlyOffice local install - this will be a huge boon.

                                  Been around for a long time, they are just improving it.

• scottalanmiller @Dashrender

                                    @Dashrender said in Why you don't need a VPN or not?:

                                    But I don't see that working very well for large files - say AutoCAD or even some graphics files.

                                    True, but SMB doesn't work great for that, either.

• Dashrender @coliver

                                      @coliver said in Why you don't need a VPN or not?:

                                      @Dashrender Kind of. SMB is an inherently LAN-Centric protocol that wouldn't work well over the WAN and can be much harder to secure without central authentication/authorization.

                                      WebDAV is a protocol built on top of HTTP and thus has none of the latency related downfalls of SMB. It also can use dozens of different forms of authentication/authorization which makes it a bit more modular.

                                      Again - I KNOW. /sigh. The point wasn't the underlying security function - it was the user interaction. Users don't give a shit about security - they only care about function. They HATE the idea of having to download a file, then edit it, then upload it again to a website. Using WebDAV allows their old SMB workflows to function exactly as they did before. This was my one and only point.
                                      I'm irked I had to go all JB here.

• scottalanmiller @Obsolesce

                                        @Obsolesce said in Why you don't need a VPN or not?:

                                        IMHO, you've paid more in resources putting together hardware, time, energy, maintenance, planning, etc... doing it yourself with NC/OnlyOffice/proxy/backup/etc, for up to 20 users with many limitations... than it would cost for a hand full of O365 licenses and be done with it.

                                        Yeah it's great for home use or for a PoC before purchasing a non-CE edition, or just for simple basic needs in a small SMB up to 20 users... which I'm sure there are quite a bit of cases that would work great for.

The resources to build that stuff aren't that much, and it saves a ton of money quickly, even with 20 users. O365 requires a lot of management work that people often overlook. Maybe not as much as building your own, but a lot more than people actually consider. Zimbra takes some work to maintain, but saves us more on management time versus O365 Hosted Exchange. So not only do we save the monthly cost and get a better email system (okay, that bit is subjective, but we've found it way better), but you lower the management time on top of that savings!

• coliver @Dashrender

                                          @Dashrender said in Why you don't need a VPN or not?:

                                          But I don't see that working very well for large files - say AutoCAD or even some graphics files.

Autodesk and Dassault both have toolkits to get around SMB limitations. I think most CAD vendors do actually.

• scottalanmiller @coliver

                                            @coliver said in Why you don't need a VPN or not?:

                                            AutoDesk and Dessault both have toolkits to get around SMB limitations. I think most CAD vendors do actually.

                                            Yes, CAD is something that basically always does LANless on its own. It has special needs and normally handles them. You don't use NextCloud or anything like it, nor do you use SMB or anything like that.

Page 5 of 6