LANLess, the new thinking in network design.

First things first, the original idea here comes from Scott Alan Miller.  The first presentation on the topic can be seen at https://mangolassi.it/topic/11257/scott-alan-miller-the-brave-new-lanless-future


LANLess - the word.

Yes, the word.  It encapsulates an idea.  Yes, an idea, nothing more.

LAN - Yes, we're talking about designing a network.  Today this means much more than just a local LAN.

Less - Less LAN.  Yes, really, that's the whole idea.  Less of a LAN.

To get the idea, first let's look at a traditional LAN with some branch offices and remote access.

Traditional LAN

We can see a number of factors that make life more difficult for all involved here:

  1. The security perimeter is huge, and encompasses every device connected to the network.
  2. VPNs and/or remote access are difficult to do for a number of reasons:
    1. Every device must be secured.
    2. VPNs and/or remote access are static things, assigned per device or per branch-office connection.
    3. Applications can live anywhere, making management more difficult.
  3. Workstations access network services differently depending on where they're located.

Now let's take a look at this "Brave new LANLess world."

LANLess

A number of things should be immediately obvious here:

  1. The security perimeter is tiny, only encompassing network services.
  2. SSL/TLS is in common use rather than a static VPN.
    1. While every device is still a security risk, a compromised device now only exposes the limited set of data and services that its particular user has access to.
    2. SSL/TLS is just an on-demand VPN; it was originally called SSL-VPN (see https://en.wikipedia.org/wiki/Virtual_private_network).  Basically, we're replacing a static VPN with dynamically assigned VPNs.
    3. All applications live within a single (hopefully) easily managed point.
  3. All workstations access the same things no matter where they are located.
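An added example, not part of the original post, of what "the perimeter is only the network services" means for whoever runs them: with no static VPN in front, each exposed service must force TLS, present a trusted certificate and challenge anonymous requests on its own. Any hostname passed to probe_service() is an assumed placeholder; assess() is a pure function, so it can be checked offline against constructed probe results.

```python
import http.client
import socket
import ssl


def assess(probe):
    """Findings for one exposed service; an empty list means it meets the LANLess bar."""
    findings = []
    # No static VPN means plain HTTP must not be an alternative path in.
    if probe.get("http_open") and not probe.get("http_redirects_to_https"):
        findings.append("plain HTTP served without redirect to HTTPS")
    if not probe.get("tls_ok"):
        findings.append("TLS handshake failed or certificate not trusted")
    elif probe.get("tls_version") in ("SSLv3", "TLSv1", "TLSv1.1"):
        findings.append("legacy protocol negotiated: " + probe["tls_version"])
    status = probe.get("unauth_status")
    # The service is its own perimeter: anonymous requests get 401/403 or a login redirect (3xx), never content.
    if status is not None and status not in (401, 403) and not 300 <= status < 400:
        findings.append("unauthenticated request got HTTP %d, not a challenge" % status)
    return findings


def probe_service(host, timeout=5):
    """Collect what assess() needs from a live host (placeholder hostname); requires network access."""
    result = {"host": host, "http_open": False,
              "http_redirects_to_https": False, "tls_ok": False}
    try:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", "/")
        resp = conn.getresponse()
        result["http_open"] = True
        location = resp.getheader("Location", "")
        result["http_redirects_to_https"] = (300 <= resp.status < 400
                                             and location.startswith("https://"))
        conn.close()
    except (OSError, http.client.HTTPException):
        pass  # port 80 closed is acceptable: nothing unencrypted is offered
    try:
        ctx = ssl.create_default_context()  # verifies chain and hostname
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["tls_ok"] = True
                result["tls_version"] = tls.version()
        conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
        conn.request("GET", "/")  # deliberately sent without credentials
        result["unauth_status"] = conn.getresponse().status
        conn.close()
    except (OSError, http.client.HTTPException):
        pass  # leaves tls_ok False, which assess() reports as a finding
    return result
```

Run assess(probe_service("cloud.example.invalid")) for each public service; a non-empty list is a service that is still relying on a network perimeter it no longer has.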

That's all great theory; how do I accomplish this?

The first key is to remember that, just because the servers, network services and the like are pictured within the main local LAN, it does not mean they need to be, or even should be, hosted on-site or by yourself!  The quick and easy ways of implementing the LANLess idea are already available in the form of Office 365 and G Suite.  If you're already using one of these offerings, or a similar offering from another company, then you're already most of the way there.

If you absolutely must host everything yourself, then you have plenty of open source options available.  Whether it makes sense to get an entire environment set up, running, and maintained yourself is always a business decision, and frankly, more often than not it doesn't make much sense.  If you must, then I'd look at the following offerings:

  1. Zimbra = Email, LDAP/Single Sign On, Chat, possibly Calendars and Task management
  2. NextCloud = Files and File Shares
    1. Spreed.ME = Video Chat, Meetings, Online Whiteboard
    2. LOO/OnlyOffice = Online document creation, editing, and shared editing.  (LOO = LibreOffice Online)

This is what I'm currently working on getting set up in my home lab.  I don't see a reason for a business to go through all the hassle of integrating all of this and trying to secure it.  Large companies like Microsoft and Google can keep things much more secure than any purely local IT department.

Travis Hershberger
Oct. 14, 2017