惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

V2EX - 技术
V2EX - 技术
P
Privacy International News Feed
Security Latest
Security Latest
H
Hacker News: Front Page
T
Tenable Blog
The Hacker News
The Hacker News
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
S
Security @ Cisco Blogs
Project Zero
Project Zero
O
OpenAI News
AI
AI
Spread Privacy
Spread Privacy
C
CERT Recently Published Vulnerability Notes
The Last Watchdog
The Last Watchdog
G
GRAHAM CLULEY
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Scott Helme
Scott Helme
Application and Cybersecurity Blog
Application and Cybersecurity Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
C
CXSECURITY Database RSS Feed - CXSecurity.com
NISL@THU
NISL@THU
A
Arctic Wolf
T
Threat Research - Cisco Blogs
PCI Perspectives
PCI Perspectives
N
News and Events Feed by Topic
C
Cyber Attacks, Cyber Crime and Cyber Security
C
Cybersecurity and Infrastructure Security Agency CISA
Simon Willison's Weblog
Simon Willison's Weblog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Know Your Adversary
Know Your Adversary
Google Online Security Blog
Google Online Security Blog
罗磊的独立博客
L
LINUX DO - 最新话题
U
Unit 42
S
Security Affairs
有赞技术团队
有赞技术团队
WordPress大学
WordPress大学
博客园 - 【当耐特】
T
The Exploit Database - CXSecurity.com
S
Schneier on Security
月光博客
月光博客
Engineering at Meta
Engineering at Meta
腾讯CDC
F
Full Disclosure
Cyberwarzone
Cyberwarzone
S
SegmentFault 最新的问题
Recorded Future
Recorded Future
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
博客园 - 司徒正美
The Cloudflare Blog

NetBird - Networking Knowledge Hub - RSS Feed

NetBird Is Now on the Vultr Marketplace Native NetBird on the GL.iNet Comet Pro (GL-RM10) NetBird v0.71 - IPv6 Overlay Addressing NetBird Exit Nodes - Appear at Home, or Anywhere Else Reporting Bugs and Requesting Features in NetBird Setup and Use Local AdGuard Home Anywhere with NetBird DNS How to Set Up NetBird on PiKVM for Secure Remote KVM Access NetBird v0.69 - CrowdSec IP Reputation for the Reverse Proxy Cloudflare Mesh vs NetBird vs Tailscale: Performance Compared Self-Hosting Nextcloud with Docker and NetBird Implementing Zero Trust with NetBird NetBird v0.67 - Layer 4 Proxy Support for TCP, UDP, and TLS Solwr Enhances Remote Connectivity with NetBird Self-Hosting NetBird with Authentik Jellyfin Media Server - Self-Host Your Movies, TV, and Music Cloudflare Tunnels vs. NetBird Reverse Proxy INFITX Builds Zero-Touch Kubernetes Networking with NetBird NetBird v0.66 - Expose Local Services to the Internet from the CLI Pangolin vs. NetBird Home Assistant Setup Guide with EASY Remote Access NetBird v0.65 - Built-in Reverse Proxy with Custom Domains Docker for Beginners - Everything You Need to Get Started NetBird for SOC 2 Compliance NetBird v0.63 - Custom DNS Zones for Private Network Resolution Vibecode This in a Weekend and Take 5% of the Company NetBird v0.62 - Built-in Local Users with Optional IdP Integration NetBird v0.61.0 - Granular SSH Access Control and Automatic Updates Top 5 Alternatives to OpenVPN Top 5 Open Source Alternatives to Tailscale Top 5 Alternatives to ZeroTier How to Set Up ZeroByte and REST Server for Backups with NetBird How to Install n8n v2.0 with NPM and PM2 ZeroTier vs. NetBird The Ultimate Immich Guide - Ditch Google and Amazon Photos for Good NetBird as Your Help with ISO 27001 Compliance NetBird and Huntress - Secure Network Access for MSPs How to Access Windows Shares from Anywhere with NetBird netgo Relies on Modern ZTNA with NetBird Connect to Your Homelab from Anywhere with a Raspberry Pi NetBird SSH - A New, Identity-Aware Approach The AI Mega Mesh: How to Connect 30+ GPU Cloud Providers Connect Multiple Ollama GPUs to OpenWebUI with NetBird Top 5 Tailscale Alternatives SSH and RDP, now in your browser NetBird–Acronis Integration: Empowering MSPs for Advanced Ransomware and Threat Defense Introducing the Control Center - Remote Access, Beautifully Visualized NetBird at MSP Global 2025 Understanding Overlay Networks - The Basics NetBird and SentinelOne Singularity™ - Automate Threat Response NetBird and Microsoft Intune - Enforcing Device Compliance for Zero Trust Rethinking Zero Trust Security with NetBird and pfSense Improving Unidirectional Access Control Proxmox VE for Beginners Guide with NetBird LXC Stronger Security: NetBird + GitHub Secure Open Source Fund NetBird's MSP Partner Program Signicat Enhances Cross-Cloud Accessibility with NetBird SonicWall SSL VPN NetExtender vs. NetBird NetBird Is Embracing the AGPLv3 License NetBird Profiles Have Landed - Manage Multiple Accounts Effortlessly Rethinking Access Control to Secure Your On-Premises SharePoint Servers Sport Alliance Increases Efficiency with Zero Trust Networking at Scale Rethinking Network Access: qwertiko Goes Zero Trust with NetBird Optimizing Network Efficiency with NetBird's Lazy Connections Use Port Ranges in Access Control Policies Generic HTTP Endpoint for Network Events Streaming NetBird’s Response to Spear-Phishing Campaign Targeting Financial Executives Zero-Trust Access to Internal Resources Without Installing Agents Enhance Network Visibility with NetBird’s Traffic Events Logging TrueNAS Made Easy - Install, Set Up, and Access From Anywhere Top 5 Alternatives for WireGuard Jump Hosts. Gateways for Remote Access NetBird Network Routes and Exit Nodes Security for All - SSO and MFA for Free Enhancing Network Access Control with NetBird's Identity Provider Feature Twingate vs. NetBird Limit Network Access Based on Running Applications FortiClient ZTNA vs. NetBird OpenVPN vs. NetBird Tailscale vs. NetBird Getting Started with an Azure Site-to-Site VPN Getting Started with an On-premise-to-AWS Site-to-Site VPN Secure Remote Access to VPCs, LANs, and Offices regreSSHion - A New OpenSSH Server Remote Code Execution Vulnerability Evolve Bank & Trust Data Breach. What Happened? What Is a Site-to-Site VPN? IPSec Tunneling Demystified. Enhancing Data Security Across Networks Understanding IPSec Tunnel and Transport Modes Understanding the Differences Between IKEv1 and IKEv2 Understanding the IKEv1 Protocol in IPSec ZeroTier versus NetBird - Which Should You Choose? AWS Lambda Serverless Security. Mistakes, Oversights, and Potential Vulnerabilities Using NetBird for Kubernetes Access Serverless Security Vulnerabilities and Best Practices to Mitigate Them Security Best Practices for Serverless Azure Functions IoT Security Essentials. How to Achieve Secure Remote Access Open Source Zero Trust Networking Using SSH for Secure Remote Access How We Integrated Rosenpass in NetBird The First Quantum-Resistant Mesh VPN Using eBPF and XDP to Share Default DNS Port Between Multiple Resolvers
A Guide to Remote Access Security for SMEs
Written byJoshua Marks · 2024-03-29 · via NetBird - Networking Knowledge Hub - RSS Feed

Enabling remote access creates new opportunities for small-to-medium enterprises (SMEs), empowering employees to work from anywhere. IT resources that used to only be accessible on-premise are now accessible from anywhere with an internet connection! This flexibility enables SMEs to attract the best talent as employees no longer need to be in a specific location.

Secure remote access also helps enhance business continuity and takes into account situations where physical locations become unsuitable for work, as was seen with COVID-19. Providing access to private resources over a public network without security measures leaves your network vulnerable and makes it an easy target for cyberattacks.

In this article, you'll learn about some of the options available to network admins of smaller businesses to help implement secure remote access.

Considerations for Remote Access

Before implementing a remote access solution, there are several things you need to consider to facilitate a secure and seamless adoption process.

One of the most important things you need to do before implementing remote access is to educate users regarding how to securely access remote networks. This helps reduce the risk of human error.

Education should be your first line of defense when safeguarding your network. Users should be trained to recognize phishing attempts, handle sensitive information safely, and actively contribute to the security of the business.

Authentication also plays a primary role in securing remote access by identifying a user or device before receiving any access (ie who gets access to what). Consider authenticating users with single sign-on (SSO) , which allows you to centrally provision and authenticate user identities while users are required to maintain only a single set of credentials.

Additionally, implementing multifactor authentication (MFA) greatly enhances authentication security by requiring a second mode of user verification before accepting credentials, including email or SMS verification and authenticator apps, which require a soft token or biometrics (eg fingerprint or Face ID).

Defining the services and resources that will be remotely accessed allows you to design the required connectivity flows using zero-trust principles (ie removing the implicit trust from a device or user based on their network location or ownership status). Classifying endpoints by roles and attributes and applying strict access policies based on zero-trust principles ensures that users and devices are given the exact access to the resources they require and no more.

Requiring devices to meet security hardening and posture checks before allowing remote access mitigates the risk of data breaches and helps identify and remediate security vulnerabilities. Make sure you establish a strict device compliance policy that includes endpoint security best practices as well as any unique security measures necessary to meet your organization's compliance requirements.

Common device context and security posture checks include but are not limited to the following:

  • Physical location
  • Device management tools present
  • Operating system patch state
  • Hard disk encryption

SMEs must also understand the capabilities and implications of the available virtual private network (VPN) protocols. These include the following:

  • Internet Protocol Security (IPsec) is a widely adopted tunneling protocol providing strong encryption and authentication, robust security features, and wide compatibility. Being an older protocol, IPsec typically has increased overhead and lower efficiency than more modern protocols.
  • OpenVPN is a popular open source VPN protocol known for its flexibility, broad support across systems, and strong authentication and key exchange mechanisms. However, keep in mind that deployment with OpenVPN can be complex, and there is limited infrastructure support.
  • WireGuard is a newer VPN protocol specifically designed to provide faster speeds and lower overhead compared to legacy protocols. Modern cryptographic techniques help it achieve enhanced performance and efficiency without sacrificing security.

Additionally, the scalability of the prospective VPN solution should be assessed—particularly the differences between a gateway and client VPN and point-to-point mesh network architectures:

VPN gateway / client vs. peer-to-peer mesh network architecture, courtesy of Joshua Marks

A VPN gateway typically terminates all VPN connections at a centralized hub, which mediates connectivity between remote devices and enterprise resources. Historically, this architecture scales poorly as it can present a single point of failure and is limited by the capacity of the device(s) terminating the VPN tunnels. This leads to performance bottlenecks where users experience slow connection and application speeds.

Alternatively, point-to-point mesh networks decouple the VPN data and control planes, allowing devices to connect directly and securely without relying on a gateway. This becomes inherently scalable as new nodes can be added to the network without impacting performance. SMEs can scale point-to-point mesh networks more cost-effectively than with VPN gateway solutions as there is no bottleneck.

Now that you've learned about some pre-implementation considerations and available VPN protocols, let's discuss some options for providing secure remote access.

VPN Gateway and Client

A WireGuard VPN client connected to a VPN gateway

A traditional VPN uses a gateway appliance residing on the enterprise network to create a bridged connection to remote resources. Client software is installed on client computers to establish a secure connection to the gateway and handle routing decisions. VPN clients offer secure authentication methods, with most vendors integrating with SSO providers and supporting MFA for user authentication.

Traditional VPNs provide options for split-tunneling traffic, allowing a selection of internet traffic to route directly (usually to improve application performance) while the rest transits the VPN gateway for security inspection. Some VPNs also allow an always-on experience, where a VPN tunnel is always maintained between the client and gateway to ensure all traffic transits the gateway whether or not a user is logged in.

When using managed computers to connect to the VPN, the process of installing and managing VPN clients becomes smooth because all components of the device are controlled. However, if the VPN is installed on unmanaged or personal devices, then issues can arise from antivirus software, device/operating system compatibility, and network security posture (ie an unhardened computer has access to the network).

VPN gateway and client remote access rely on the VPN gateway always being available to receive connections and forward VPN traffic. As more remote computers require VPN access, VPN gateways can become congested if they reach their client capacity limits. For smaller businesses, this typically isn't an issue, especially if the number of VPN clients is stable. However, in businesses experiencing rapid growth as well as larger organizations, the need for additional VPN gateways and more powerful appliances becomes urgent once users are affected by congestion issues.

Additionally, using high-bandwidth applications over a VPN can lead to slow performance as large amounts of data may be required to transfer files or display content over the encrypted connection.

Despite some of the limitations regarding gateway scalability and unmanaged devices, the VPN gateway and client model remain popular choices for secure remote access.

Secure Shell

Securely accessing a remote server using SSH

Secure Shell (SSH) is a common method of remote terminal access using secure encryption and authentication techniques. This protocol is suitable for administering remote servers and IoT devices , and it is commonly used to provide secure connectivity for the following tasks:

  • Command line access
  • File transfers
  • Connection tunneling

SSH is often used for large-scale administration of systems using shell commands to execute remote actions. Orchestration software like Ansible can be used to run commands and scripts over SSH for multiple machines at a time. This large-scale administration comes with the challenge of managing SSH keys for dozens or hundreds of machines. Additionally, remote connectivity using SSH requires exposing the server or the device's public IP address to the internet, which can be left exposed if the devices aren't hardened properly.

Remote Desktop

Accessing an Ubuntu remote desktop using RDP

Remote desktops or virtual desktop infrastructure (VDI) provide a centralized, user-friendly option for secure remote access. Users access a desktop environment, typically deployed with a standard set of applications enabling an on-premise desktop experience over a remote connection. Transport Layer Security (TLS) is used to secure the data between the client and the remote desktop, facilitating a multi-user desktop environment.

Remote desktops can be useful when consuming large amounts of data, as the remote data remains on the enterprise network and never needs to traverse the remote connection. Conversely, the user experience is never truly the same as the local computer, especially when working with high-detail programs requiring pixel-perfect precision.

VDIs share compute resources between users, meaning the higher the number of users connected to a host, the less optimal the performance can become. If the load on the system is consistently higher than anticipated, it can be offset by increasing the capacity of the VDI, which requires additional investment.

Remote desktops also provide a means for accessing the enterprise network from managed and unmanaged devices alike. Because the VDI can be hardened to prevent data from being exfiltrated from the remote desktop to the local computer, end users have the option to use a personal device for remote connectivity.

Peer-to-Peer Network

NetBird Peers dashboard with devices connected across continents

Peer-to-peer mesh networks use a new approach to remote access by leveraging a decentralized architecture, decoupling the VPN control and data planes to provide seamless VPN connectivity without the need for a centralized gateway. The mesh network control plane is hosted in the cloud, while lightweight client software is installed on end devices (known as peers). This means no hardware investment is required. Peers authenticate to the network and share their connectivity information with other peers through the control plane. Once information like IP addresses and cryptographic keys are exchanged, peers can establish line-of-sight connections using point-to-point WireGuard tunnels. Network address translation (NAT) traversal capabilities relieve devices from requiring static public IP addresses, port forwarding, or holes in firewalls.

Mesh network technologies, like NetBird , provide integration with identity providers for modern authentication and zero-trust use cases as well as connectivity for headless servers and devices. Mesh networks create highly scalable and resilient remote networks suitable for a variety of use cases, from users accessing corporate applications to administration of remote servers and IoT devices, regardless of the location and hardware.

Domain Name System (DNS) is typically included as an overlay service to provide automatic name resolution between peers on the mesh network. To secure connections in the fabric-style mesh network, access control policies can be defined to implement a zero-trust network, restricting lateral flows around the network. These policies can discriminate based on source and destination users, devices, and ports, as well as real-time device posture . This enables both managed and unmanaged devices to access the network and receive differentiated access according to the security state of the device.

This distributed mode of connectivity provides a solution to the scalability issues inherent in gateway and client VPNs by removing bottlenecks and relieving the public IP addressing and protocol hardening requirements of SSH.

Conclusion

SMEs looking to implement secure remote access are advised to plan and make strategic decisions based on their own specific use cases and security requirements.

Legacy VPN gateway and client implementations have served businesses well in the past; however, increased demand from a dispersed workforce can create performance and reliability issues. SSH and remote desktop connectivity offer solutions to specific remote access use cases, including shell access and multi-user desktop computing. However, in the case of SSH, improper implementation may lead to resources being left vulnerable. In contrast, remote desktops relying on centralized resources may perform poorly under higher-than-expected load.

Peer-to-peer mesh networks eliminate the traditional client-server remote connectivity architecture with a decentralized overlay network providing secure and direct connectivity between endpoints. Carrier-grade NAT capabilities in products like NetBird allow any device with an internet connection to dynamically establish secure peer-to-peer connections for any remote access use case.

Sign up for free peer-to-peer network remote access with NetBird today.