[greggman3]

https://www.beyondcorp.com/

Yes, basically you should consider all networks untrusted including your internal network. You can still have a VPN but it shouldn't be the thing that protects the services inside your corp net because if it is then any breach means the intruder gets access to all your stuff.

[peterlk]

This thread is a bit confusing to me. Have we moved past layered security for some reason?

The purpose of a VPN was never supposed to be the authentication layer to internal services. It's just a layer of security that makes it more difficult to carry out some types of attacks; thus increasing security defenses of an organization. Assuming that it has been breached is good practice, but doesn't mean that there's no point to it.... Unless layered security has been overturned?

[judge2020]

The issue is that, for any company without thousands of employees (heck, probably even some of these are guilty), the VPN is often the only barrier to the entire network. The BeyondCorp model makes you explicitly specify "John can access support.corp.com but not admin.corp.com", while setting up these explicit checks is the exception for VPN-based access, not the norm (and sometimes it isn't even done right - eg. relying on DNS filtering).

[trabant00]

> The issue is that, for any company without thousands of employees (heck, probably even some of these are guilty), the VPN is often the only barrier to the entire network.

Sorry, but what? I've worked in multiple small companies where the we where less than 5 system administrators and inside the vpn we had encrypted traffic and ldap auth on everything. It's a few days job for a single person to set everything up this way with open source tools that are extremely well known and documented.

[totony]

Yeah same, I have even seem 1-sysadmin small businesses have multilayer security

[lousken]

yea, we have the same setup

[celticninja]

In short:

VPN can be a security tool, as long as it is not your only security tool.

[lowwave]

Think of VPN, just a wifi router. Don't rely on it! Design your internal tools to be secure. Not trust any network or client submitted data.

For these big companies (FAANG, Twitter too), please spend all those money on your security instead of market please.

[raverbashing]

For real, no wonder security is such a crap fest, when we have people repeating this BS that "VPN is an antipattern"

I'm all for debate but some things are close and shut. Yes, don't trust your user just because they are in the internal network, but no, that doesn't mean everything has to be visible from the outside.

[VectorLock]

If the "layers" of your security use the same factors are they really layers or are they simply a time sink for you permitted users, and another thing to break?

My visceral reaction was "you got to have a VPN" as well but the more I thought about it the more I was convinced you don't _need_ a VPN.

[HaloZero]

Effectively are you saying: if I hacked your account I hacked your VPN username/password too? It's still an extra step that might trigger some sketchy senses of some people.

Not sure if it still doesn't work effectively for that.

[kortilla]

If your only threat model is leaked credentials and not vulnerabilities, sure.

[VectorLock]

Or if your threat model accounts for the prevalence of stolen credentials and end-point compromise vs. the vulnerability of your exposed application attack surface.

[trabant00]

> Have we moved past layered security for some reason?

Yes, yes we (more accurately "they") did. I don't know which schmuck with a blog came up with this idea that VPN is a thing of the past and a lot of people followed suit.

I bet there are IT shops out there that rely solely on VPN and the schmuck worked there, but that's like seeing somebody not lock their door and concluding doors are bad model for security and we should get rid of them.

[otabdeveloper4]

Security in 2020 is basically "if you can't be 100% guaranteed secure, then don't bother securing anything".

[ReganLaitila]

oh come on. Competent companies regard their internal networks untrusted with or without a vpn access solution. If your an incompetent company then there is no argument for a vpn vs no vpn because your incompetent, and will eventually succumb to the horrors of your insecurities regardless if your applications and network endpoints are directly exposed to the internet or behind a vpn solution.

your beyondcorp link has nothing to do with a well implemented vpn solution + standard access controls to network endpoints like the link suggests. Your clearly supporting a false dichotomy in which having a well constructed vpn solution is "wrong" and does not add to your overall security posture. Shenanigans.

vpn or not you still need to authorize/authenticate your network endpoints. But hey, you don't want a vpn so give me a list of your internet accessible ssh hosts and well see how well your "zero trust" gets you if you can't keep up with best practices. Good luck!

[kortilla]

That’s a shockingly dumb approach in the context of security today where zero days have to be included in your threat model. A VPN should be requisite to even get network connectivity to such critical services. Then on top of that, you should still have to auth to access them.