
No, no, no. The whole point of a VPN or SSH jumpbox is to airgap critical infrastructure with unknown vulnerabilities behind a hardened point of access. Putting production infrastructure on the public internet is beyond idiotic and regressive, and an invitation to be hacked by an unlimited and unknown number of exploits. It took forever to get departmental firewalls at a big-name university where I worked, because systems put in before my time, like the nutrition/meal planner, housing lottery draw, facilities management system and retail POS systems, were getting owned left and right by remote malware.

I'll keep using fwknop-protected OpenSSH on OpenBSD and WireGuard; others can do whatever they want without thinking about security vs. convenience.
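The isolation the commenter describes (internal hosts reachable only through a single hardened jumpbox, with WireGuard for remote access) comes down to what the host firewall admits. The OpenBSD pf ruleset below is an added example, not the commenter's own configuration: the interface name, the jumpbox address (taken from the RFC 5737 documentation range) and the WireGuard port are assumptions. It shows the weak rule the thread argues against next to the hardened one.

```pf
# /etc/pf.conf on an internal host (added example; names/addresses are assumed)
ext_if  = "em0"            # assumed: interface facing the network
jumpbox = "192.0.2.10"     # assumed: the one hardened SSH bastion
wg_port = "51820"          # assumed: WireGuard listen port on this host

set skip on lo
set block-policy drop

# Default deny inbound; everything not explicitly allowed below is dropped and logged.
block in log all
pass out quick keep state

# Weak (what the thread calls "N boxes on the internet"): SSH reachable from anywhere.
# pass in on $ext_if inet proto tcp to ($ext_if) port 22

# Hardened: SSH is accepted only when the connection originates from the jumpbox.
pass in on $ext_if inet proto tcp from $jumpbox to ($ext_if) port 22

# WireGuard is the other permitted way in; it authenticates peers by key, so the
# UDP port can be exposed while SSH stays hidden behind the tunnel or the bastion.
pass in on $ext_if inet proto udp to ($ext_if) port $wg_port
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf` and confirm the active rules with `pfctl -sr`. The source restriction only buys anything if the jumpbox itself is the hardened point of access the commenter describes; if it is compromised, every host that trusts its address is reachable from it.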



Many of our customers use SSH jumpboxes; it's a natively supported feature of Okta Advanced Server Access / ScaleFT.

From a post a while back about using bastions with ScaleFT:

> One of our values at ScaleFT is to do our best to support our users where they are, with the decisions and tools they’ve already selected. This means treating SSH bastions as an SSH feature, parameterizing and centralizing the associated configurations, and seamlessly integrating it into our users’ daily workflows.

https://www.scaleft.com/blog/bastion-hopping-with-ssh-and-sc...

So, if you want to layer VPNs or SSH jump boxes on top, we try to let you. We also try to make parts of the chain better whenever we can.

(Disclaimer: I'm a ScaleFT co-founder.)


> The whole point of a VPN or SSH jumpbox is to airgap critical infrastructure with unknown vulnerabilities behind a hardened point of access

Yes, I completely agree. This post is literally an endorsement of that idea, with enterprise port knocking mixed in for additional security. At no point in this post do I advocate simply opening all servers to the Internet. Quite the opposite.

If you have suggestions for how I could be clearer in the post, please let me know.


So, they have drawn their lines of defense in a position you are not used to, and therefore they are beyond idiotic and regressive?

Really?


Yep. There is a night-and-day difference in attack surface between isolating access to a single (or HA pair) jumpbox and N boxes on the internet with no real DMZ or private admin network. Feelings and fashions don't make stupid configurations better. If you have a problem with honest opinions from someone with 25 years of experience, I think you need thicker skin, or I can choose to simply not comment and let stupid fashions propagate.


I wish you had come into this discussion with constructive criticism instead of simply swinging a hammer. I, for one, am happy to learn from somebody with a number of years of experience. However, showing up on a thread and spewing negativity and name-calling isn't a great way to earn respect in this industry.


Yep. Putting everything directly on the public Internet is 90's style. I remember it well. Whole offices with public IP addresses. No firewall. It's amazing anyone ever considered this sane, but it was a different time.


Better bust out the JNCO jeans and Offspring CDs, because IPv6 is on its way and you can bet some deployments will have everything accessible to everything.


Yes. That's what firewalls are for!



