John Summerfield writes:
> Rather than run ssh on a non-standard port, my preference is to use
> a VPN,
One negative with VPN w.r.t. using SSH tunnels is that VPN allows all
network traffic from the remote system into your firewalled network.
If the VPN client machine has picked up any malware, it gets to see
all your internal network. Instead, SSH tunnels take a default-deny
approach. At most, any malware can only access the specific ports of
specific internal machines that are made available.

We have been trying to get users off VPN and embrace tunnels. It
takes more case-by-case effort to set up than a one-size-fits-all VPN,
but once it is done the day-to-day use is easy.
Regards,
-Brett.
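
An added example, not part of the message above: one way to make the "specific ports of specific internal machines" property enforced by the SSH gateway itself, using OpenSSH `sshd_config` options. The group name, host name, addresses and ports are constructed for illustration.

```conf
# sshd_config fragment on the SSH gateway (added example; values are constructed)

# Global default: deny every kind of forwarding.
AllowTcpForwarding no
AllowStreamLocalForwarding no
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no
GatewayPorts no

# Members of the hypothetical group "tunnel-wiki" may open local (-L)
# forwards to exactly these two internal services and nothing else.
# A forward request to any other host:port is refused by sshd.
Match Group tunnel-wiki
    AllowTcpForwarding local
    PermitOpen 10.0.5.20:443 10.0.5.21:5432
    PermitTTY no
    ForceCommand /bin/false

# Client side, day-to-day use (no remote command, forward only):
#   ssh -N -L 8443:10.0.5.20:443 alice@gateway.example.org
# The internal service is then reachable on the client at localhost:8443.
```

Without a `PermitOpen` list, an account that is allowed TCP forwarding can request a forward to any destination the gateway can reach, so the allow-list is what keeps the tunnel default-deny.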