[Joel_Mckay]

Depends on the use-case, IPsec is often not supported by many LANs. Also, network crossing is 1 badly configured client away from full infrastructure worming.

At some point, the idealism of white-listed pears and VPN will fail due to maintenance service costs. Two things may be true at the same time friend. =3

https://www.poetry.com/poem/101535/the-blind-men-and-the-ele...

[frumplestlatz]

Yes, and those two true things are:

- You should be using WireGuard.

- “Port knocking” is pointless theater.

[Joel_Mckay]

CVE-2024-26950 is also true, and while I respect your opinion... a VPN has a lot of additional links in the chain trivially broken by competent hostiles or incompetent client installations.

IPSec is simply a luxury unavailable on some LANs =3

[tptacek]

I don't understand what you think CVE-2024-26950 has to do with this thread. Do you understand what that vulnerability actually is, or did you just go search "WireGuard CVE" to find ammunition?

[Joel_Mckay]

Firewall administrative network port traffic priority is important for systems under abnormal stress.

[tptacek]

I don't know what this even means. Do you understand the vulnerability you cited? Can you explain it here?

[Joel_Mckay]

The relatively benign legacy kernel level pointer-bug CVE chosen is hardly the worst thing from WireGuard or strongSwan over the years. However, it makes the point a priority reliable network side-channel administrative login is more robust under some use-cases.

Adding layers of complexity rarely improves security, and doesn't usually address the underlying issue of accountability. And I often ponder if a bastion host is even still meaningful in modern clouds. =3