
Doesn’t that just move the problem?



Well, no. As evidenced, SSH is a very exposed surface that is commonly brute-force attacked. A VPN is less exposed, less commonly attacked, it offers much more control of authorization (clients, devices, 2fa) and monitoring. And, now your server might not even need a public IP. It is with good reason companies have used this method as standard practice for decades for remote access.

Besides, for many use-cases, SSH is not the only service you need to access remotely.
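The claim above that an exposed sshd gets brute-forced is easy to check against your own auth log. The following is an added example (not code from the thread or from any commenter): it parses constructed sshd log lines in the syslog format OpenSSH writes, counts failed logins per source address, and separates sources inside an assumed VPN client range (`10.8.0.0/24`, a made-up value) from sources on the public internet, so the two exposure levels the comment contrasts can be compared in your own data.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the format sshd writes to auth.log;
# hostnames, users, addresses and the key fingerprint are made up.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:01:14 host sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 51130 ssh2
Mar  3 10:01:15 host sshd[2205]: Failed password for root from 203.0.113.7 port 51141 ssh2
Mar  3 10:01:17 host sshd[2207]: Failed password for invalid user test from 203.0.113.7 port 51150 ssh2
Mar  3 10:01:19 host sshd[2209]: Failed password for root from 203.0.113.7 port 51162 ssh2
Mar  3 10:02:01 host sshd[2211]: Accepted publickey for alice from 10.8.0.5 port 40212 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Mar  3 10:02:40 host sshd[2213]: Failed password for alice from 10.8.0.5 port 40220 ssh2
Mar  3 10:02:45 host sshd[2215]: Accepted password for alice from 10.8.0.5 port 40221 ssh2
"""

# Matches both "Failed password for invalid user X from A port N"
# and "Accepted publickey for X from A port N".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Assumed VPN tunnel client range (e.g. WireGuard/OpenVPN); constructed value.
VPN_NET = ipaddress.ip_network("10.8.0.0/24")


def parse_events(log_text):
    """Turn raw auth-log text into a list of dicts (result, method, user, src)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def failures_by_source(events):
    """Count failed authentication attempts per source address."""
    return Counter(e["src"] for e in events if e["result"] == "Failed")


def flag_bruteforce(events, threshold=3):
    """Return sources with at least `threshold` failures, labelled by whether
    they came over the assumed VPN range or from a public address."""
    flagged = {}
    for src, n in failures_by_source(events).items():
        if n >= threshold:
            origin = "vpn" if ipaddress.ip_address(src) in VPN_NET else "public"
            flagged[src] = {"failures": n, "origin": origin}
    return flagged


def attempted_usernames(events, src):
    """Usernames a given source tried and failed with; a spread of generic
    accounts (admin, oracle, test, root) is typical of automated scanning."""
    return sorted({e["user"] for e in events
                   if e["src"] == src and e["result"] == "Failed"})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUTH_LOG)
    for src, info in flag_bruteforce(evs).items():
        print(src, info, attempted_usernames(evs, src))
```

Run it against `/var/log/auth.log` (or `journalctl -u ssh`) instead of the embedded sample to see how much of the noise is public-origin; a single legitimate user mistyping a password once over the tunnel stays below the threshold, while an address cycling through generic account names is flagged.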


VPN, or any other network segmentation does, indeed, just shift the attack surface, and often creates a false sense of security behind a network perimeter.

Google, for example, proposes a different school of thought – zero trust network, and strong contextual authentication of each individual request.

Precisely because you need to expose more services to more users, you need to be extremely conscious about treating a singular network ingress point as a primary security gateway.

Check out https://beyondcorp.com, it’s a very interesting concept.



