Hello Nanog's

I offer a question to help me settle an internal debate. As a network engineer for a large enterprise, do you choose ISP flexibility or ISP security when you build an OOB network? I was tasked to create an OOB network for my company. Realistically it would only be deployed to 25% of the company's sites as they are considered important enough to justify the cost. The design is simple enough. Hub and spoke using cellular routers. DMVPN will carry data from the spoke to the hub.

The real debate arrives when it's time to choose a carrier to host the router. I choose to go with a major cell carrier using a "private" APN. It allows me to connect my cell routers to a private layer 2 network and my private IP addresses will be used to provide layer 3 connectivity. I know that there will be outliers that can't use this carrier or cellular at all. These outliers, in my opinion, shouldn't have a majority stake in the overall design. The APN overall cost is low and so is the data plan for the hosted routers. The private APN also eliminates the router as an internet attack vector. I don't believe routers are appropriate security appliances to defend and monitor against network threats.

Some of my colleagues believe that the flexibility of public cellular access outweighs the security risks. The cellular internet will provide us with a solution for more of the outliers than a private APN. I don't agree with this philosophy even though it's not "technically" wrong. I am interested in a broader range of opinion and technical reasoning.

Nanog member KELLYSP
On Tue, 12 Jan 2021 at 18:57, Sean Kelly <kellysp@gmail.com> wrote:
> The real debate arrives when it's time to choose a carrier to host the router. I choose to go with a major cell carrier using a "private"
I'm not sure I see the sides of the debate. I personally see no utility at all in paying a premium for an APN; I see it as a way to pay a premium to get liability. There are no improvements in security posture, but obviously if there is an APN-specific outage, an outage in your APN is not going to be much of a priority compared to an outage at the consumer APN, which is a fire drill. As well, you make it a lot harder to procure and negotiate, particularly if you expand to new markets, compared to dial-home DMVPN where you have no requirements above most standard INET access offered. I assume you mean DMVPN with IPSEC. If you don't imply IPSEC, then I assume security wasn't a metric for this product.

-- 
++ytti
I probably would not choose the Private APN. I get the appeal, but I would probably use router ACLs to restrict traffic only to other endpoints in the VPN mesh. Exploits/methods that could get around this are few and far between, and the benefits are numerous, namely, you aren't tied to one cell provider, and you aren't even tied to the cellular medium (which might be important). If, for some reason, being tied to one carrier was not any concern, AND I had an amazingly good deal with my carrier on the APN, then my opinion might change, but that just seems unlikely to me.

I do not think it is an excessive burden to remain on top of software releases, such that, if there was some exploit that could breach the ACL protection, you would be able to patch it very quickly. And since it's just OOB, you can test it on three or four boxes, then just blast the upgrade out to all of them at once using Ansible or whatever.

-- 
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331
Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

On Tue, Jan 12, 2021 at 10:55 AM Sean Kelly <kellysp@gmail.com> wrote:
> Hello Nanog's
>
> I offer a question to help me settle an internal debate. As a network engineer for a large enterprise, do you choose ISP flexibility or ISP security when you build an OOB network? I was tasked to create an OOB network for my company. Realistically it would only be deployed to 25% of the company's sites as they are considered important enough to justify the cost. The design is simple enough. Hub and spoke using cellular routers. DMVPN will carry data from the spoke to the hub.
>
> The real debate arrives when it's time to choose a carrier to host the router. I choose to go with a major cell carrier using a "private" APN. It allows me to connect my cell routers to a private layer 2 network and my private IP addresses will be used to provide layer 3 connectivity. I know that there will be outliers that can't use this carrier or cellular at all. These outliers, in my opinion, shouldn't have a majority stake in the overall design. The APN overall cost is low and so is the data plan for the hosted routers. The private APN also eliminates the router as an internet attack vector. I don't believe routers are appropriate security appliances to defend and monitor against network threats.
>
> Some of my colleagues believe that the flexibility of public cellular access outweighs the security risks. The cellular internet will provide us with a solution for more of the outliers than a private APN. I don't agree with this philosophy even though it's not "technically" wrong. I am interested in a broader range of opinion and technical reasoning.
>
> Nanog member KELLYSP
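What Hunter's "router ACLs to restrict traffic only to other endpoints in the VPN mesh" looks like on a spoke, as an added example that is not from any poster in this thread. It is written in Cisco IOS-style syntax because the DMVPN design in the original post implies a Cisco-family router, but it is illustrative rather than a vendor reference. It assumes the hub-and-spoke topology from the original post (so the only legitimate peers on the cellular side are the hubs), and the hub addresses 203.0.113.10/11, the tunnel subnet 10.255.0.0/24 and the interface name Cellular0/1/0 are constructed placeholders.

```cisco
! Added example (not from the thread). Hub addresses, tunnel subnet and
! interface name are constructed placeholders; substitute the real ones.
!
! Inbound policy on the public cellular uplink of a DMVPN spoke: only the
! IPsec control and data plane from the hubs gets in, nothing else.
ip access-list extended OOB-CELL-IN
 remark --- IKE (UDP/500) and NAT-T (UDP/4500) only from the DMVPN hubs ---
 permit udp host 203.0.113.10 any eq isakmp
 permit udp host 203.0.113.10 any eq non500-isakmp
 permit udp host 203.0.113.11 any eq isakmp
 permit udp host 203.0.113.11 any eq non500-isakmp
 remark --- Native ESP from the hubs (used when the carrier does not NAT) ---
 permit esp host 203.0.113.10 any
 permit esp host 203.0.113.11 any
 remark --- Path-MTU discovery and reachability tests from the hubs only ---
 permit icmp host 203.0.113.10 any
 permit icmp host 203.0.113.11 any
 remark --- Everything else arriving from the Internet: drop and count ---
 deny ip any any log-input
!
interface Cellular0/1/0
 description OOB uplink over public cellular
 ip access-group OOB-CELL-IN in
!
! Management plane: SSH is reachable only through the DMVPN tunnel,
! never directly on the cellular address, even if a platform bug ever
! bypassed the interface ACL.
ip access-list standard OOB-MGMT-IN
 remark DMVPN tunnel subnet (constructed placeholder)
 permit 10.255.0.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class OOB-MGMT-IN in
 transport input ssh
!
! "show ip access-lists OOB-CELL-IN" exposes the hit counters on the deny
! line; sending those log-input hits to syslog gives a cheap signal for
! how much unsolicited traffic the cellular address actually attracts.
```

Two design notes. First, the hub-only permit list is what makes this tight: with spoke-to-spoke DMVPN tunnels, spokes on dynamic cellular addresses would have to accept IKE and ESP from any source and lean entirely on IKE authentication, which is exactly the exposure the original post worries about, so an OOB network is a good place to stay hub-and-spoke. Second, the deny counters double as a regression check for the staged upgrades Hunter describes: compare them on the three or four test boxes before and after the software push, then roll out with Ansible.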
On Mon, 11 Jan 2021 at 19:27, Sean wrote:
> I offer a question to help me settle an internal debate. As a network engineer for a large enterprise, do you choose ISP flexibility or ISP security when you build an OOB network? I was tasked to create an OOB network for my company. Realistically it would only be deployed to 25% of the company's sites as they are considered important enough to justify the cost. The design is simple enough. Hub and spoke using cellular routers. DMVPN will carry data from the spoke to the hub.
Maybe this talk from NLNOG 2020 is of interest to you concerning OOB. https://www.youtube.com/watch?v=72yccGg0h8g

-- 
Chriztoffer
On Tue, Jan 12, 2021 at 8:55 AM Sean Kelly <kellysp@gmail.com> wrote:
> The real debate arrives when it's time to choose a carrier to host the router. I choose to go with a major cell carrier using a "private" APN. It allows me to connect my cell routers to a private layer 2 network and my private IP addresses will be used to provide layer 3 connectivity. I know that there will be outliers that can't use this carrier or cellular at all. These outliers, in my opinion, shouldn't have a majority stake in the overall design. The APN overall cost is low and so is the data plan for the hosted routers. The private APN also eliminates the router as an internet attack vector. I don't believe routers are appropriate security appliances to defend and monitor against network threats.
Hi Sean,

You want vendor lock-in on your emergency access path? Are you sure?
> Some of my colleagues believe that the flexibility of public cellular access outweighs the security risks.
I think your colleagues are correct. Shoot for an OOB solution that allows you to pick the best technology and vendor for each site you choose to protect. That won't necessarily even be cellular everywhere.

Regards,
Bill Herrin

-- 
Hire me! https://bill.herrin.us/resume/
Participants (5): Chriztoffer Hansen, Hunter Fuller, Saku Ytti, Sean Kelly, William Herrin