zlacker

1. emptys+(OP) 2022-01-27 20:38:08
I don't like VPNs. I think there are better ways of protecting our infrastructure without them. AWS offers a lot of technologies for doing just that.

A VPN is another failure layer that when it goes down all of your remote workers are hosed. The productivity losses are immense. I've seen it first-hand. The same for bastion hosts. Some tiny misconfiguration that sneaks in and everybody is fubared.

Bastion hosts and VPNs: we have better ways of protecting our valuables that are also a huge win for worker mobility and security.

replies(1): >>tptace+N2
2. tptace+N2 2022-01-27 20:48:52
>>emptys+(OP)
That's true of legacy VPNs like OpenVPN, and less true of modern VPNs. But either way: a VPN is a meaningful attack surface reduction for all internal apps that doesn't require individual apps to opt in or stage changes for, and doesn't require point-by-point auditing of every app. Most organizations I've worked with would be hard-pressed to even generate an inventory of all their internal apps, let alone an assurance that they're properly employing web application security techniques to ensure that they're safe to expose on the Internet.

We're just going to disagree about this.
