There used to be a clear dividing line between employees and guests at a business location. Employees ran on one physical LAN (or VLAN) and guest traffic on another. But the line is being blurred by Cloud Services, SD-WAN and applications that operate the same way inside your LAN as they do over the open Internet.
The migration to remote workers, co-working facilities and applications written for use over the Internet has changed how and where security is deployed, stretched the limits of firewall technologies and fundamentally changed the way we work.
In the past, remote workers needed special VPN access and software in order to become a remote member of the corporate LAN. Employees would complain that applications and access that worked in the office did not work well, or at all, at home or in a hotel.
Today, the reverse is true. Employees complain that applications now used regularly for business are being tagged as “not allowed” in the company firewall from inside the LAN. This happens because the IT staff cannot keep up with the vast array of over-the-Internet applications that all look the same from a protocol and addressing standpoint, have their own end-to-end encryption, and often only show up as junk traffic on the corporate firewall. This spells the end of the application-specific network, and the end of QoS by application.
Universities and co-working facilities have taken the approach that trying to control user traffic by application is simply a waste of equipment cost and effort. They treat all users as foreign (guests). Web traffic may still be filtered for inappropriate content. But even that is slowly fading away.
The simplicity in this approach is that everything works as well in one location as anywhere else over the Internet. Security now lives on the user device, and the need for deep packet inspection (DPI) engines for traffic flow control disappears. Policy management becomes narrower in focus and therefore much more effective. You can forget screening the WAN interfaces at L4-L7 since all the user traffic is end-to-end encrypted. Put your security dollars to work dealing with intrusion and taps to detect improper data flows.
This change in methodology does come at a cost – bandwidth. By pushing all the previously LAN hosted content into the Cloud, more WAN bandwidth is often required to keep up with all the user data flows.
Second, you should begin to think about volumetric controls for user devices: not rate capping (which is almost always a bad idea), but network solutions that keep single users from dominating WAN bandwidth in either direction.
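To make the difference between a rate cap and a volumetric control concrete, here is an added illustration (not from the original post) that compares a fixed per-user cap with a max-min fair share of the link, which is what per-host fair queuing approximates. The 100 Mbit/s link and the host demands are constructed numbers.

```python
"""Per-host fair share vs. a fixed per-user rate cap on one WAN link.

Added example, not part of the original post. Link speed and demand
figures are constructed; allocations are in Mbit/s for one instant.
"""

LINK_MBPS = 100  # constructed WAN link capacity


def rate_cap(demands, cap_mbps, link_mbps=LINK_MBPS):
    """Hard per-user cap: each host gets min(demand, cap).

    The cap applies even when the link is otherwise idle, so a lone
    host can never use the spare capacity.
    """
    alloc = {h: min(d, cap_mbps) for h, d in demands.items()}
    total = sum(alloc.values())
    if total > link_mbps:  # caps alone may still oversubscribe the link
        alloc = {h: a * link_mbps / total for h, a in alloc.items()}
    return alloc


def fair_share(demands, link_mbps=LINK_MBPS):
    """Max-min fair share: hosts needing less than an equal share get
    their full demand; the remaining capacity is split equally among
    the hosts that want more. Nobody is limited unless the link is
    actually contended.
    """
    alloc = {}
    remaining = link_mbps
    pending = dict(demands)
    while pending:
        share = remaining / len(pending)
        satisfied = {h: d for h, d in pending.items() if d <= share}
        if not satisfied:  # everyone left wants more than the share
            for h in pending:
                alloc[h] = share
            break
        for h, d in satisfied.items():
            alloc[h] = d
            remaining -= d
            del pending[h]
    return alloc


def scenarios():
    """Constructed cases: a heavy host (cloud backup) with two light users,
    then the heavy host alone on the link."""
    contended = {"backup-host": 500, "laptop-a": 10, "laptop-b": 10}
    alone = {"backup-host": 500}
    return {
        "cap_contended": rate_cap(contended, 25),
        "cap_alone": rate_cap(alone, 25),
        "fair_contended": fair_share(contended),
        "fair_alone": fair_share(alone),
    }
```

With the cap, the lone backup host is held to 25 Mbit/s while 75 Mbit/s of WAN sits idle; with the fair share it gets the whole link when alone, yet under contention the two laptops still receive their full 10 Mbit/s each.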
So, are your users actually employees inside your LAN? Or are they becoming guests on your LAN?