Hacker News
by dinkdinkdink 1774 days ago
I know what I'm doing. I would be fine with this in some circumstances. There are legitimate reasons adding a VPN to a backdoor like this can make it worse. The trick to "knowing what you are doing" in this case is defense in depth and knowing what's actually accessible from a world-open interface, and how much of that would be really annoying to get to while simultaneously fixing your homebrew VPN that fell over six months ago and that you never got around to fixing.

Most routers are perfectly fine with a limited set of knobs accessible to the public Internet behind reasonably secure access ports. Bastion it behind SSH and/or SOCKS if you're paranoid, but seriously, as long as we're not talking a $50 Target 'router', it's probably fine. My Ubiquiti gear is indexed. It also reliably e-mails me when it successfully authenticates a user and can distinguish between inside and outside access to ACL what it can do.

Just saying, easy with the "if you know what you're doing" thing, because opinions differ (particularly with beyondcorp in an IT setting). Gluing a VPN back together through an SSH tunnel so you can get at the "fail over to my DSL connection" button inside your network is a really crappy deal at 3 a.m. with a few beers in you and 200ms in between.

1 comment
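The pattern the comment above leans on (a small set of knobs reachable from the outside, the dangerous ones only from inside, and an alert on every successful login) can be written down as a policy independent of any vendor's firmware. The following is an added illustration, not code from the commenter's Ubiquiti gear or from any router product; the LAN prefixes, the knob names, and the `AuditLog` stand-in for syslog/e-mail are constructed for the example, and the outside address comes from the RFC 5737 documentation range.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample topology: prefixes that count as "inside" the network.
INSIDE_NETWORKS = (
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
)

# Hypothetical knob names. Outside callers, even after authenticating, get
# only the read-only status page and the "fail over to DSL" button.
OUTSIDE_KNOBS = frozenset({"status", "wan-failover"})
# Inside callers additionally reach the knobs that can brick or open up the box.
INSIDE_KNOBS = OUTSIDE_KNOBS | {"firmware-upgrade", "firewall-edit", "user-admin"}


def origin(src_ip: str) -> str:
    """Classify a source address as 'inside' or 'outside' (raises on junk input)."""
    addr = ipaddress.ip_address(src_ip)
    return "inside" if any(addr in net for net in INSIDE_NETWORKS) else "outside"


@dataclass
class AuditLog:
    """In-memory stand-in for the router's syslog / e-mail notifier."""
    entries: list = field(default_factory=list)

    def record(self, **fields) -> dict:
        entry = {"ts": datetime.now(timezone.utc).isoformat(), **fields}
        self.entries.append(entry)
        return entry


def login(user: str, src_ip: str, authenticated: bool, log: AuditLog):
    """Record an authentication attempt; return an alert line on success, else None.

    Every successful login is alerted, inside or outside, so that a credential
    being used from an unexpected place stands out in the mailbox.
    """
    where = origin(src_ip)
    log.record(event="login", user=user, src=src_ip, origin=where, ok=authenticated)
    if not authenticated:
        return None
    return f"ALERT login ok user={user} src={src_ip} origin={where}"


def authorize(user: str, src_ip: str, knob: str, log: AuditLog) -> bool:
    """Decide whether an authenticated user may touch `knob` from `src_ip`.

    The decision is keyed on where the request comes from, not on who the
    user is: the same admin account gets fewer knobs from the Internet.
    """
    where = origin(src_ip)
    permitted = INSIDE_KNOBS if where == "inside" else OUTSIDE_KNOBS
    allowed = knob in permitted
    log.record(event="knob", user=user, src=src_ip, origin=where, knob=knob, ok=allowed)
    return allowed


if __name__ == "__main__":
    log = AuditLog()
    print(login("admin", "203.0.113.5", True, log))
    for knob in ("status", "wan-failover", "firmware-upgrade"):
        print(f"{knob} from outside: {authorize('admin', '203.0.113.5', knob, log)}")
    print("firmware-upgrade from inside:",
          authorize("admin", "192.168.1.20", "firmware-upgrade", log))
    for entry in log.entries:
        print(entry)
```

The point of keeping the split in a policy table rather than in the UI is that the list of outside-reachable knobs is the thing to review when deciding whether the interface is safe to leave indexed: if `OUTSIDE_KNOBS` only contains things you would tolerate an attacker pressing after a credential leak, the exposure is bounded; if the firmware-upgrade button ever lands in it, it is not.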

> I would be fine with this in some circumstances.

Maybe it’s just a matter of difference of criteria, but I would certainly not be fine with this. You have a lot of ways to prevent this from happening, and it only opens an attack surface to APTs.

Being indexed means being searchable, being searchable means exposing yourself to automated targeted attacks.