“This is just a VPN.”
“Why are you even solving this?”
“Just lock it to a VLAN and move on.”
That was some of the feedback I got—after posting what I thought was a straightforward question on Reddit:
“How are you securing remote admin access to firewalls and routers these days?”
Within hours, the thread blew up. 30,000+ views, dozens of comments, and a firestorm of opinions ranging from:
“You should never allow remote admin access at all.”
“Just use Entra with device compliance and SSO.”
And: “This isn’t even a real problem.”
Some replies were thoughtful. Others dismissive. A few, downright hostile. While I expected a little heat, I didn’t expect that level of emotional intensity.
Turns out, remote access is still a battleground—and not just technically, but culturally.
The Problem
Here’s what I’ve seen—and what echoed loudly through the Reddit and LinkedIn replies:
VPNs with wide-open access are still common.
Jump boxes exposed to the internet, sometimes with default creds, are alive and well.
IAM tools like Entra or Intune are fantastic—if you live in the cloud wonderland. Many don’t.
Offboarding is broken. People retain admin access months after leaving.
Zero Trust is more aspiration than reality.
💬 One LinkedIn commenter shared they still had access to critical infrastructure after being offboarded—including systems tied to AI development and customers working with the SEC.
This isn’t a minor oversight.
It’s a systemic blind spot.
How People Are Actually Doing It
Based on feedback from Reddit, LinkedIn, and real-world conversations, here’s a rough breakdown of how remote admin access is being handled today:
➡️ VPN + Jump Box (Very Common)
The de facto standard in many high-stakes environments. But it comes with session-based vulnerabilities, poor auditability, and painful onboarding/offboarding processes. Temporary access is harder than it should be.
➡️ VLAN / IP Restriction (Common)
Simple in theory—messy in practice. Doesn’t scale, doesn’t solve offboarding, and often isn’t feasible for teams managing distributed gear.
➡️ Entra + Device Compliance (Idealized)
Works great if you’re all-in on Microsoft. But for many orgs, third-party reliance is a non-starter—due to policy, threat models, or practical deployment constraints.
➡️ ZTNA Solutions (Rare but growing)
Everyone claims “Zero Trust,” but most modern ZTNA tools depend on cloud brokers, external telemetry, etc. That’s not Zero Trust—it’s marketing.
➡️ Local-Only Access (Common)
Sure, it works. But only if you can afford to send someone onsite every time you need to reset a password or update a config. Most teams can’t.
The Reality: Not Everyone Has Their Head in the Clouds
The assumptions baked into modern remote access tooling don’t hold up everywhere.
VPNs have inherent security risks.
IAM and other security tools can’t be deployed because of third-party risk.
But critical gear still needs remote access, management, and patching.
And in SMBs, MSPs, and hybrid orgs, the same themes repeat: complexity, cost, and compliance blind spots.
There’s a whole world of edge infrastructure and critical systems that can’t use cloud-first, third-party-reliant models.
So… we built something different.
What We Built—and Why It’s Not “Just a VPN”
We call it Custodes, a name derived from the famous Latin quote "Quis custodiet ipsos custodes?"
It’s a hardened remote access solution originally built for defense environments, now adapted for the private sector. The design goal? No external trust dependencies. No attack surface expansion.
Here’s how it works:
✅ No third-party traffic, not even for auth or key rotation: everything is managed on the device itself
✅ No tunnel-based sessions (resistant to session hijack or key theft)
✅ No external SSO or cloud IAM dependencies, because those are just third-party trust in another form
✅ Per-user, per-device access that’s centrally managed (without touching the target network)
✅ Works in highly restrictive networks, even behind proxies or full egress blocks

This Isn’t for Everyone. And That’s the Point.
If your entire infrastructure is in Azure with Entra, EDR, and full device compliance? Custodes probably isn’t for you.
(Though, remember to keep your Azure admin portal safe 😅)
But if you:
Manage remote equipment in hard-to-reach areas
Support clients with limited tooling or strict compliance
Need to lock down access with zero third-party exposure…
Then this conversation matters.
And more importantly, it needs to happen in good faith.
The Takeaway: Challenge Assumptions, Don’t Echo Them
The Reddit blowback wasn’t fun—but it was incredibly useful.
It showed us:
The problem is real.
The solutions are still imperfect.
The industry needs to move past a checkbox mentality of “just use X” into “what’s actually possible, given the constraints?”
We’re not here to replace your stack.
We’re here to fill the gaps that no one else wants to touch.
It’s something new—for the places that need it most.
Want to Test It? Let’s Talk.
Custodes has launched. We’re onboarding users who are tired of the defaults and ready to try something different, especially if you’re managing critical or high-stakes infra in edge or remote deployments.
🛡️ If that’s you, you can learn more here:
👉 https://www.bastionne.com/custodes-secure-admin-access
Until then: stay curious. Challenge norms. And keep asking the hard questions.