ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Napkin design...let's go LAN'less

    Scheduled Pinned Locked Moved IT Discussion
    lanlessnu skewl
    40 Posts 8 Posters 9.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • scottalanmillerS
      scottalanmiller @dafyre
      last edited by

      @dafyre said:

      Would you put things like Jump boxes into the LAN-centric category as well?

      No, that's a different kind of thing. A security aggregation point is not the same as a LAN. There is a relationship there for sure. And a LAN is a form of security aggregation, but one based on physical networking (bad) instead of logical security (better.)

      dafyreD 1 Reply Last reply Reply Quote 1
      • dafyreD
        dafyre @scottalanmiller
        last edited by

        @scottalanmiller said:

        @dafyre said:

        Would you put things like Jump boxes into the LAN-centric category as well?

        No, that's a different kind of thing. A security aggregation point is not the same as a LAN. There is a relationship there for sure. And a LAN is a form of security aggregation, but one based on physical networking (bad) instead of logical security (better.)

        What makes a VPN (ignoring ZT and Pertino for the moment) any different than a Jumpbox in that light?

        scottalanmillerS 1 Reply Last reply Reply Quote 0
        • scottalanmillerS
          scottalanmiller @dafyre
          last edited by

          @dafyre said:

          What makes a VPN (ignoring ZT and Pertino for the moment) any different than a Jumpbox in that light?

          A lot of things. One is that it is purely designed (all VPNs which means ZT and Pertino too) with the sole intent of replicating a LAN where a physical limitation would have prevented it before. The name VPN itself means that. The purpose of a VPN is to encrypt data in flight, nothing more. It "can" be leveraged to do more than that which is why using a VPN does not necessarily stop you from being LANless, but the fundamental goal of a VPN is LAN extension through data encryption. That's what makes it a VPN.

          A Jump Box is a user centric authentication mechanism used as an aggregation and control system for security. It mimics many mechanisms in a VPN but is not a VPN. A VPN extends a LAN, a Jump Box proxies to it. Proxying with user authentication vs. network extension using many of the same tools and some not the same.

          dafyreD 1 Reply Last reply Reply Quote 1
          • dafyreD
            dafyre @scottalanmiller
            last edited by dafyre

            @scottalanmiller said:

            @dafyre said:

            What makes a VPN (ignoring ZT and Pertino for the moment) any different than a Jumpbox in that light?

            A lot of things. One is that it is purely designed (all VPNs which means ZT and Pertino too) with the sole intent of replicating a LAN where a physical limitation would have prevented it before. The name VPN itself means that. The purpose of a VPN is to encrypt data in flight, nothing more. It "can" be leveraged to do more than that which is why using a VPN does not necessarily stop you from being LANless, but the fundamental goal of a VPN is LAN extension through data encryption. That's what makes it a VPN.

            Okay, that above paragraph makes sense.

            A Jump Box is a user centric authentication mechanism used as an aggregation and control system for security. It mimics many mechanisms in a VPN but is not a VPN. A VPN extends a LAN, a Jump Box proxies to it. Proxying with user authentication vs. network extension using many of the same tools and some not the same.

            Wouldn't an RD Gateway function essentially the same as a JumpBox (differences in technology & OS choice aside)? It handles the user authentication, and then bounces the user to the specified host that they wanted to connect to -- the same as a JumpBox.

            scottalanmillerS 1 Reply Last reply Reply Quote 1
            • scottalanmillerS
              scottalanmiller @dafyre
              last edited by

              @dafyre said:

              Wouldn't an RD Gateway function essentially the same as a JumpBox (differences in technology & OS choice aside)? It handles the user authentication, and then bounces the user to the specified host that they wanted to connect to -- the same as a JumpBox.

              Yes, an RDG can be a form of jump box.

              1 Reply Last reply Reply Quote 0
              • dafyreD
                dafyre
                last edited by

                Time to suddenly reverse gears, ha ha ha. Why would you need a JumpBox or RDGateway in a LANless design (Legacy apps and lab setups aside)?

                Your services are designed to be accessed via the internet...and those that can are cloud-hosted, right?

                scottalanmillerS coliverC 2 Replies Last reply Reply Quote 0
                • scottalanmillerS
                  scottalanmiller @dafyre
                  last edited by

                  @dafyre said:

                  Your services are designed to be accessed via the internet...and those that can are cloud-hosted, right?

                  And one of the ways to access them is.... RDP 🙂

                  dafyreD 1 Reply Last reply Reply Quote 0
                  • coliverC
                    coliver @dafyre
                    last edited by

                    @dafyre said:

                    Time to suddenly reverse gears, ha ha ha. Why would you need a JumpBox or RDGateway in a LANless design (Legacy apps and lab setups aside)?

                    Your services are designed to be accessed via the internet...and those that can are cloud-hosted, right?

                    Centralized authorization/authentication and logging. You can easily know who logged into what system at what point in time. This is a bit harder, although not impossible, with disparate logs and systems. You also only have to lock people out of one location when/if they leave or are let go.

                    dafyreD 1 Reply Last reply Reply Quote 1
                    • dafyreD
                      dafyre @scottalanmiller
                      last edited by

                      @scottalanmiller said:

                      @dafyre said:

                      Your services are designed to be accessed via the internet...and those that can are cloud-hosted, right?

                      And one of the ways to access them is.... RDP 🙂

                      Touche, lol.

                      1 Reply Last reply Reply Quote 0
                      • dafyreD
                        dafyre @coliver
                        last edited by

                        @coliver said:

                        @dafyre said:

                        Time to suddenly reverse gears, ha ha ha. Why would you need a JumpBox or RDGateway in a LANless design (Legacy apps and lab setups aside)?

                        Your services are designed to be accessed via the internet...and those that can are cloud-hosted, right?

                        Centralized authorization/authentication and logging. You can easily know who logged into what system at what point in time. This is a bit harder, although not impossible, with disparate logs and systems. You also only have to lock people out of one location when/if they leave or are let go.

                        That is what tools like ELK are for. 8-) Centralized logging. But you do have a point about locking people out of multiple systems when they leave / are let go.

                        1 Reply Last reply Reply Quote 1
                        • DashrenderD
                          Dashrender
                          last edited by

                          @scottalanmiller said:

                          ics many mechanisms in a VPN but is not a VPN. A VPN extends a LAN, a Jump Box proxies to it. Proxying with user

                          As for the Jump boxes, Why make administration something that can be done from anywhere? Sure, those managed boxes might provide other services to the internet at large, like web service, but why open port 22 to the internet at large? Instead you can put all those port 22's behind the jump box allowing logon only from the jump box. Hopefully this provides better security.

                          coliverC 1 Reply Last reply Reply Quote 0
                          • coliverC
                            coliver @Dashrender
                            last edited by

                            @Dashrender said:

                            @scottalanmiller said:

                            ics many mechanisms in a VPN but is not a VPN. A VPN extends a LAN, a Jump Box proxies to it. Proxying with user

                            As for the Jump boxes, Why make administration something that can be done from anywhere? Sure, those managed boxes might provide other services to the internet at large, like web service, but why open port 22 to the internet at large? Instead you can put all those port 22's behind the jump box allowing logon only from the jump box. Hopefully this provides better security.

                            I thought that was kind of the point. Proxy the management through a jump box.

                            scottalanmillerS 1 Reply Last reply Reply Quote 2
                            • scottalanmillerS
                              scottalanmiller @coliver
                              last edited by

                              @coliver said:

                              @Dashrender said:

                              @scottalanmiller said:

                              ics many mechanisms in a VPN but is not a VPN. A VPN extends a LAN, a Jump Box proxies to it. Proxying with user

                              As for the Jump boxes, Why make administration something that can be done from anywhere? Sure, those managed boxes might provide other services to the internet at large, like web service, but why open port 22 to the internet at large? Instead you can put all those port 22's behind the jump box allowing logon only from the jump box. Hopefully this provides better security.

                              I thought that was kind of the point. Proxy the management through a jump box.

                              Exactly.

                              DashrenderD 1 Reply Last reply Reply Quote 1
                              • DashrenderD
                                Dashrender @scottalanmiller
                                last edited by

                                @scottalanmiller said:

                                @coliver said:

                                @Dashrender said:

                                @scottalanmiller said:

                                ics many mechanisms in a VPN but is not a VPN. A VPN extends a LAN, a Jump Box proxies to it. Proxying with user

                                As for the Jump boxes, Why make administration something that can be done from anywhere? Sure, those managed boxes might provide other services to the internet at large, like web service, but why open port 22 to the internet at large? Instead you can put all those port 22's behind the jump box allowing logon only from the jump box. Hopefully this provides better security.

                                I thought that was kind of the point. Proxy the management through a jump box.

                                Exactly.

                                Yup, that's where I was going with that. It has nothing to do with being LANless, and as Scott already said, everything to do with security.

                                1 Reply Last reply Reply Quote 0
                                • travisdh1T
                                  travisdh1
                                  last edited by

                                  LAN'less napkin design, something like this?

                                  FATeknollogeeF 1 Reply Last reply Reply Quote 0
                                  • FATeknollogeeF
                                    FATeknollogee @travisdh1
                                    last edited by

                                    @travisdh1 Who/what is in charge of "controlling" all those users & their access?

                                    scottalanmillerS 1 Reply Last reply Reply Quote 0
                                    • scottalanmillerS
                                      scottalanmiller @FATeknollogee
                                      last edited by

                                      @FATeknollogee said:

                                      @travisdh1 Who/what is in charge of "controlling" all those users & their access?

                                      ownCloud.

                                      dafyreD FATeknollogeeF 2 Replies Last reply Reply Quote 0
                                      • dafyreD
                                        dafyre @scottalanmiller
                                        last edited by dafyre

                                        @scottalanmiller said:

                                        @FATeknollogee said:

                                        @travisdh1 Who/what is in charge of "controlling" all those users & their access?

                                        ownCloud.

                                        Or the System Admin who manages that server.

                                        Edit: Ideally the oC Server would be integrated into some form of central authentication -- AD, AzureAD, or something.

                                        scottalanmillerS travisdh1T 2 Replies Last reply Reply Quote 1
                                        • FATeknollogeeF
                                          FATeknollogee @scottalanmiller
                                          last edited by

                                          @scottalanmiller said:

                                          @FATeknollogee said:

                                          @travisdh1 Who/what is in charge of "controlling" all those users & their access?

                                          ownCloud.

                                          I assumed the users will access more than oC even though the drawing doesn't show that?

                                          scottalanmillerS 1 Reply Last reply Reply Quote 1
                                          • scottalanmillerS
                                            scottalanmiller @dafyre
                                            last edited by

                                            @dafyre said:

                                            @scottalanmiller said:

                                            @FATeknollogee said:

                                            @travisdh1 Who/what is in charge of "controlling" all those users & their access?

                                            ownCloud.

                                            Or the System Admin who manages that server.

                                            Edit: Ideally the oC Server would be integrated into some form of central authentication -- AD, AzureAD, or something.

                                            Maybe not ideally. If that is the only service, use it as the authentication authority.

                                            1 Reply Last reply Reply Quote 2
                                            • 1
                                            • 2
                                            • 1 / 2
                                            • First post
                                              Last post