by peterlk 2165 days ago
This thread is a bit confusing to me. Have we moved past layered security for some reason?

The purpose of a VPN was never supposed to be the authentication layer to internal services. It's just a layer of security that makes it more difficult to carry out some types of attacks; thus increasing security defenses of an organization. Assuming that it has been breached is good practice, but doesn't mean that there's no point to it.... Unless layered security has been overturned?


The issue is that, for any company without thousands of employees (heck, probably even some of these are guilty), the VPN is often the only barrier to the entire network. The BeyondCorp model makes you explicitly specify "John can access support.corp.com but not admin.corp.com", while setting up these explicit checks is the exception for VPN-based access, not the norm (and sometimes it isn't even done right - e.g. relying on DNS filtering).
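To make the distinction in that comment concrete, here is an added example (not code from the thread or from any BeyondCorp implementation) that puts a "being inside the tunnel is enough" check side by side with a deny-by-default, per-user, per-service policy of the "John can access support.corp.com but not admin.corp.com" kind. The hostnames, users, groups and device attributes are all constructed for illustration.

```python
"""Added example: perimeter-only access vs. an explicit per-service policy.

Everything here (hosts, groups, users, device flags) is constructed for
illustration; none of it comes from the thread or any real deployment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One access attempt as an identity-aware proxy would see it."""
    user: str
    groups: frozenset        # directory groups the user belongs to
    device_managed: bool     # device posture: company-managed or not
    from_vpn: bool           # network location: inside the tunnel or not
    host: str                # internal service being requested


# Explicit allow rules, one per internal service. Anything not listed is denied.
# (Constructed policy; the group names and posture requirement are assumptions.)
POLICY = {
    "support.corp.com": {"group": "support", "managed_device": False},
    "admin.corp.com":   {"group": "admins",  "managed_device": True},
}


def perimeter_only(req: Request) -> bool:
    """The 'VPN is the only barrier' model: inside the tunnel means allowed,
    regardless of who the user is, which device they use, or which host."""
    return req.from_vpn


def explicit_policy(req: Request) -> tuple[bool, str]:
    """Identity-aware check: every request must match a rule for its host,
    the user must hold the required group, and posture must be satisfied.
    Returns (decision, reason) so the reason can be logged for review."""
    rule = POLICY.get(req.host)
    if rule is None:
        return False, f"no policy for {req.host}: default deny"
    if rule["group"] not in req.groups:
        return False, f"{req.user} lacks group {rule['group']!r} for {req.host}"
    if rule["managed_device"] and not req.device_managed:
        return False, f"{req.host} requires a managed device"
    return True, f"{req.user} allowed to {req.host}"


def compare(req: Request) -> dict:
    """Evaluate both models on the same request for side-by-side review."""
    allowed, reason = explicit_policy(req)
    return {"perimeter_only": perimeter_only(req),
            "explicit": allowed, "reason": reason}


if __name__ == "__main__":
    # John: support staff, inside the VPN, on an unmanaged laptop (constructed).
    john_support = Request("john", frozenset({"support"}), False, True, "support.corp.com")
    john_admin = Request("john", frozenset({"support"}), False, True, "admin.corp.com")
    for r in (john_support, john_admin):
        print(r.host, compare(r))
```

Run it and the difference in the thread is visible in the output: the perimeter-only check says yes to both hosts because John is on the VPN, while the explicit policy allows support.corp.com and denies admin.corp.com with a logged reason. The same function also denies an admin on an unmanaged device and any host that has no rule, which is the "explicit checks are the norm" property the comment is describing.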
> The issue is that, for any company without thousands of employees (heck, probably even some of these are guilty), the VPN is often the only barrier to the entire network.

Sorry, but what? I've worked in multiple small companies where we were fewer than 5 system administrators, and inside the VPN we had encrypted traffic and LDAP auth on everything. It's a few days' job for a single person to set everything up this way with open source tools that are extremely well known and documented.

Yeah, same. I have even seen 1-sysadmin small businesses have multilayer security.

Yeah, we have the same setup.
In short:

VPN can be a security tool, as long as it is not your only security tool.

Think of a VPN as just a Wi-Fi router. Don't rely on it! Design your internal tools to be secure. Don't trust any network or client-submitted data.

For these big companies (FAANG, Twitter too), please spend all that money on your security instead of marketing.

For real, no wonder security is such a crap fest, when we have people repeating this BS that "VPN is an antipattern"

I'm all for debate but some things are close and shut. Yes, don't trust your user just because they are in the internal network, but no, that doesn't mean everything has to be visible from the outside.

If the "layers" of your security use the same factors, are they really layers, or are they simply a time sink for your permitted users, and another thing to break?

My visceral reaction was "you got to have a VPN" as well but the more I thought about it the more I was convinced you don't _need_ a VPN.

Effectively are you saying: if I hacked your account I hacked your VPN username/password too? It's still an extra step that might trigger some sketchy senses of some people.

Not sure if it still doesn't work effectively for that.

If your only threat model is leaked credentials and not vulnerabilities, sure.
Or if your threat model accounts for the prevalence of stolen credentials and end-point compromise vs. the vulnerability of your exposed application attack surface.
> Have we moved past layered security for some reason?

Yes, yes we (more accurately "they") did. I don't know which schmuck with a blog came up with this idea that VPN is a thing of the past and a lot of people followed suit.

I bet there are IT shops out there that rely solely on VPN and the schmuck worked there, but that's like seeing somebody not lock their door and concluding doors are a bad model for security and we should get rid of them.

Security in 2020 is basically "if you can't be 100% guaranteed secure, then don't bother securing anything".