by windexh8er
4667 days ago
The real security this provides is that now your access policies for the firewall are much simplified. You can maintain a very reasonable back end network of hosts that aren't exposed to the public Internet and spin up a droplet to be your jump/bastion box, run certificates and lock SSH down to a sane source to an individual host (only the jump/bastion and not public). Beyond that it adds no functional security - in fact port scanning on the inside will be much more fruitful with regard to services that default to starting on 0.0.0.0. With that in mind - make sure you're not exposing things that you don't mean to be on the backend.
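One way to audit a backend host for the wildcard binds the comment warns about, as an added example that is not part of the original comment: it parses `ss -H -tlnp` output and reports listeners bound to every interface. The sample output is constructed, and `expected_ports` is a hypothetical allow-list for services you do intend to expose on the private network.

```python
import ipaddress

# Constructed sample of `ss -H -tlnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=801,fd=3))
LISTEN 0 511 127.0.0.1:6379 0.0.0.0:* users:(("redis-server",pid=912,fd=6))
LISTEN 0 4096 [::]:5432 [::]:* users:(("postgres",pid=1033,fd=5))
LISTEN 0 128 10.132.0.5:9200 0.0.0.0:* users:(("java",pid=1200,fd=210))
LISTEN 0 128 *:8080 *:* users:(("node",pid=1411,fd=18))
LISTEN 0 128 [::1]:25 [::]:* users:(("master",pid=700,fd=14))
"""


def classify_bind(addr):
    """Return 'wildcard', 'loopback' or 'specific' for a local bind address."""
    addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface scope
    if addr == "*":  # ss prints * for a dual-stack wildcard socket
        return "wildcard"
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "wildcard"
    return "loopback" if ip.is_loopback else "specific"


def wildcard_listeners(ss_output, expected_ports=frozenset()):
    """List (port, bind address, process) for unexpected all-interface listeners."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # Local address is the 4th column; split on the last ':' so IPv6 works.
        addr, _, port = fields[3].rpartition(":")
        if classify_bind(addr) != "wildcard" or int(port) in expected_ports:
            continue
        # The process column is only present with -p and sufficient privileges.
        has_proc = len(fields) > 5 and '"' in fields[5]
        proc = fields[5].split('"')[1] if has_proc else "unknown"
        findings.append((int(port), addr, proc))
    return sorted(findings)


if __name__ == "__main__":
    for port, addr, proc in wildcard_listeners(SAMPLE_SS_OUTPUT, {22}):
        print(f"{proc} listens on {addr}:{port} (all interfaces)")
```

On a real host, feed it the output of `ss -H -tlnp` run as root; anything it reports is reachable from every network the host is attached to, including the private backend.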