Messages - kannies

#1
Optimal Routing Design by Russ White is a timeless resource also.
#2
Security / Re: VPN vs SASE: Is VPN Going Away?
February 18, 2022, 03:13:54 AM
SASE is a bit of a marketing term and comes from Gartner. Like anything from Gartner, it's quite ambiguous. In some thought camps it was perceived to be closely related to SD-WAN, but I feel it further separated itself from SD-WAN when Covid lockdowns happened and pretty much the entire corporate office workforce (certainly in my country, the UK) was working from home. If your branch offices are empty, why do you need an SD-WAN (in fact, why do you need a WAN?).
But you still need your workforce to access its applications. As Remote VPN is tried and tested, most people used this, and the Internet became the new Corporate WAN.

But as more applications move to the Cloud & SaaS, the amount of traffic needing to traverse the VPN tunnel reduces. Think Office 365, then Workday for HR stuff, Box, Salesforce etc. And then Microsoft best practice for MS Teams traffic to employ split tunneling for better performance undermines the VPN model slightly. Why not do this for your other SaaS applications for better performance also? But that also undermines the VPN model again.
Carry on in this direction and what do you end up with? Just a handful of in-house applications in your DC that warrant the use of VPN. How financially viable will it be to keep the VPN running just for these applications? Perhaps if it's for the Manufacturing/Retail industry, the axe will fall in its favor. But you'll likely be considering or POC testing these applications using a SASE private access solution, or at least the question will arise.

When it comes to financials, my experience so far is the premium SASE provider products (i.e. Zscaler ZIA & ZPA) are expensive compared to Remote Access with a central Firewall/Concentrator if comparing line item against line item. But you have to accept you generally pay a premium to have the provider host and manage the infrastructure vs using your own rack space/power etc.

I agree it's an interesting area. A paradigm shift in the way we think about network security. It's a fast-emerging IT strategy and will be interesting to see where it goes over the next few years. It will take a cataclysmic event to push the direction of travel the other way (i.e. a global CASB outage), then maybe we will be glad to have VPN as a backup :D
#3
Security / Re: VPN vs SASE: Is VPN Going Away?
February 17, 2022, 01:32:15 PM
In terms of application support via SASE, it's hard to define and guarantee all in-house applications will work, because sure, there will be some quirks unique to specific environments. However, if as an organisation you come across issues with lack of support for certain applications with unique behavior, the level of support you purchase from the SASE provider must be enough to hold them to account so their TAC support will drive resolution. Good SLAs and good POC testing are some of the approaches I would use to mitigate this, because I also share your concern.

Quote from: deanwebb on February 17, 2022, 10:24:23 AM
And just as VPNs can have their communication chains broken, what do we do if some attacker pops a SASE client or communication flow? Same as with VPN, patch and pray that the damage wasn't too bad.

If the App connector that published the application to the CASB only does so via an outbound initiated SSL session, and the client connector does the same (establish SSL to the CASB), where will the attack vector be? Because no TCP/UDP ports get exposed or port forwarded. The SASE provider should use all of its capabilities to ensure an attacker does not compromise a client. This is where the other features of the SASE provider come into their own in terms of machine quarantine, posture assessment, Zero Day mitigation, TP, Sandboxing etc.

The other key is to ensure identity is not compromised, because this undermines the whole thing. So we have IdPs like Azure AD or Gemalto which take care of that with things like multi-factor authentication (MFA). And IdP/MFA also integrates with Remote VPN as well as SASE, but I'm finding SASE providers will prefer you integrate with an IdP rather than an on-prem Active Directory/LDAP server.
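The outbound-only connector model described in the post above, as an added example that is not part of the original post and not any vendor's code. It is a constructed, single-process demo with four parties on loopback: a private app, a cloud broker standing in for the CASB, an app connector, and a remote user's client. Only the broker ever calls listen(); the connector and the client both dial out to it, so the DC side has no inbound port for an attacker to probe. The role-announcement line, the single request/response round trip and the port numbers (all ephemeral) are assumptions made for the demo; a real service would authenticate both parties against the IdP and run TLS, which is omitted here.

```python
import socket
import threading

# Every socket in this demo gets a timeout so a mistake fails loudly instead of hanging.
socket.setdefaulttimeout(5)


def _read_line(conn):
    """Read one newline-terminated line (the peer's role announcement, an assumed protocol)."""
    buf = b""
    while not buf.endswith(b"\n"):
        ch = conn.recv(1)
        if not ch:
            raise ConnectionError("peer closed before announcing its role")
        buf += ch
    return buf.strip()


def start_app(handler):
    """The private application: listens on loopback only (standing in for a DC
    server with no Internet-reachable port) and answers one request."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(handler(conn.recv(4096)))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def start_broker():
    """The cloud broker (the CASB/ZTNA service). It is the only component that
    accepts inbound connections; the connector and the client both dial out to it."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(2)

    def serve():
        sides = {}
        while len(sides) < 2:
            conn, _ = srv.accept()
            role = _read_line(conn)
            if role not in (b"CONNECTOR", b"CLIENT"):
                conn.close()  # unknown party: drop it, nothing is relayed
                continue
            sides[role] = conn
        with sides[b"CLIENT"] as client, sides[b"CONNECTOR"] as connector:
            connector.sendall(client.recv(4096))  # request: client -> connector
            client.sendall(connector.recv(4096))  # response: connector -> client
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def start_connector(broker_port, app_port):
    """The app connector. It never calls listen(): it opens an outbound session to
    the broker and, when a request arrives, an outbound session to the app."""
    def run():
        with socket.create_connection(("127.0.0.1", broker_port)) as b:
            b.sendall(b"CONNECTOR\n")
            request = b.recv(4096)
            with socket.create_connection(("127.0.0.1", app_port)) as a:
                a.sendall(request)
                response = a.recv(4096)
            b.sendall(response)

    threading.Thread(target=run, daemon=True).start()


def client_request(broker_port, payload):
    """The remote user's client connector: also outbound-only, also to the broker."""
    with socket.create_connection(("127.0.0.1", broker_port)) as c:
        c.sendall(b"CLIENT\n" + payload)
        return c.recv(4096)


def demo(payload=b"hello from a remote user"):
    """Wire the four parties together and return what the client gets back."""
    app_port = start_app(lambda data: data.upper())  # constructed app: echoes upper-case
    broker_port = start_broker()
    start_connector(broker_port, app_port)
    return client_request(broker_port, payload)


if __name__ == "__main__":
    print(demo())
```

Note what is and is not on the table: a compromised broker account or a stolen client identity still gets relayed, which is why the post's second point about protecting identity and posture is the real control; what the model removes is the listening VPN/IKE port on your own edge.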
#4
Security / Re: VPN vs SASE: Is VPN Going Away?
February 17, 2022, 10:01:54 AM
I've been working a bit around this so here's my take on it.
VPN is a perimeter-based technology, and if you consume enough Zscaler content, they will convince you the perimeter is dead because the users and applications are all moving to the cloud. I kind of agree with them because if you think about it, it's inefficient to backhaul your data back to your VPN concentrator only for it to go back out to the Internet again to consume the SaaS service.

Another point is VPN concentrators expose ports to the Internet. I know it's secure and everything (IKE P1/2, PKI etc) but that is dependent on patching the OS against vulnerabilities and exploits. Here's an example:
https://www.fortinet.com/blog/psirt-blogs/malicious-actor-discloses-fortigate-ssl-vpn-credentials

Isn't it better not to expose the ports in the first place and instead negotiate the session through a CASB (i.e. Zscaler, Netskope), therefore only permitting outbound-initiated sessions through the firewall?

Then there is Zero Trust messaging which suggests we do not simply allow an authenticated VPN user access to entire network subnets, instead just give them access to the applications that are published to the users on a need to access basis.
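The Zero Trust point made in the post above (an authenticated VPN user gets whole subnets; a ZTNA user gets only the apps published to them), as an added example that is not part of the original post. Both models are put behind the same IdP so that MFA and device posture are enforced in each; the difference shown is purely the scope of the decision. The app inventory, the pushed routes, the group names and the user are all constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """What the IdP asserts about the user and what the endpoint agent reports."""
    user: str
    groups: frozenset
    mfa: bool               # IdP claim: a second factor was presented
    device_compliant: bool  # posture: agent running, disk encrypted, patched ...


# Constructed inventory: three private apps in the DC. Not a real deployment.
APPS = {
    "git":       {"addr": "10.10.5.20", "port": 443,  "groups": {"engineering"}},
    "hr-portal": {"addr": "10.20.1.5",  "port": 443,  "groups": {"hr"}},
    "db-admin":  {"addr": "10.10.9.9",  "port": 5432, "groups": {"dba"}},
}

# Classic remote-access VPN: after authentication the concentrator pushes routes
# for whole subnets, and the user can then reach any host and port inside them.
VPN_ROUTES = {
    "engineering": [ipaddress.ip_network("10.10.0.0/16")],
    "hr":          [ipaddress.ip_network("10.20.0.0/16")],
    "dba":         [ipaddress.ip_network("10.10.0.0/16")],
}


def _authenticated(session):
    # Both models sit behind the same IdP; MFA and posture are required in both.
    return session.mfa and session.device_compliant


def vpn_allows(session, dst_ip, dst_port):
    """Network-level decision: is the destination inside any pushed route?
    dst_port is deliberately ignored: the tunnel carries whatever the subnet accepts."""
    if not _authenticated(session):
        return False
    dst = ipaddress.ip_address(dst_ip)
    return any(dst in net for g in session.groups for net in VPN_ROUTES.get(g, []))


def ztna_allows(session, app_name):
    """Application-level decision: is this user entitled to this published app?
    Unpublished apps and unentitled users simply cannot be reached."""
    app = APPS.get(app_name)
    if app is None or not _authenticated(session):
        return False
    return bool(app["groups"] & session.groups)


def reachable_over_vpn(session):
    """Every inventoried app a VPN user could reach by IP, entitled to it or not."""
    return sorted(n for n, a in APPS.items() if vpn_allows(session, a["addr"], a["port"]))


def reachable_over_ztna(session):
    """Only the apps published to the user's groups."""
    return sorted(n for n in APPS if ztna_allows(session, n))


if __name__ == "__main__":
    eng = Session("alice", frozenset({"engineering"}), mfa=True, device_compliant=True)
    print("VPN :", reachable_over_vpn(eng))   # db-admin is reachable: it sits in the pushed /16
    print("ZTNA:", reachable_over_ztna(eng))  # only git is published to engineering
```

The engineer in the demo can open a TCP session to the database admin port over the VPN because 10.10.9.9 falls inside the /16 that was pushed to the engineering group, even though no entitlement to that app exists; over the app-level model that destination is never published to them, so there is nothing to connect to. In practice a VPN can narrow this with per-group ACLs on the concentrator, but the default unit of grant is still the route.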
#5
Good luck! This is also on my list for 2021, followed by ITIL Service design.
What material are you using may I ask?
#6
Check out "https://www.codecademy.com". Best thing is it's free and you can do little modules when you have a spare 10-15 mins.
#7
Forum Lobby / Re: New Member Introductions Thread
March 09, 2018, 09:21:08 AM
Stumbled across this forum and felt a bit of nostalgia as I saw some of the same usernames from Steve's old forum so thought I would sign up.
Bit about me: I'm from the UK, been in networking since 2007 (been in IT since 2001 if you count my student & intern years).
Currently working in the Enterprise arm of an ISP in a customer facing consultancy role.
The "system" tried to tame me by getting me to be a pen pusher but I have refused to let my hard earned skills from over the years atrophy and I still take any opportunity I can to get onto a good old CLI.
Currently trying to teach myself Python on the side. I have dabbled slightly in Bash/Perl scripting over the years and find the recent industry momentum in this space quite exciting.