Teleport Blog, Jan 27, 2025

Four Ways Teleport Overcomes the Limitations of VPNs and Bastions


As organizations evolve to embrace cloud-native architectures and distributed teams, the limitations of legacy access solutions like virtual private networks (VPNs) and bastion hosts have become apparent.

Once reliable for securing static, on-premises environments, these tools do not scale well for securing modern infrastructure, are expensive to maintain, increase security vulnerabilities, and can hinder regulatory compliance.

In this blog, we’ll explore the four primary limitations of VPNs and bastion hosts amid modern infrastructure environments, highlighting the ways that Teleport overcomes them by providing credential-less, ephemeral, and secure infrastructure access.

Key limitations of VPNs and bastions

VPNs and bastions do not scale to modern infrastructure needs

Modern infrastructure includes ephemeral resources (e.g., cloud instances, containers, Kubernetes pods) that are created and destroyed dynamically. VPNs and bastions struggle to keep up with the changing IPs and endpoints, requiring frequent manual updates to configurations and access policies.

In addition, VPNs and bastions are designed for static, on-premises environments and do not integrate well with cloud-native technologies like Kubernetes, serverless computing, or multi-cloud environments. This makes managing VPN configurations across multiple cloud providers and hybrid environments even more complex and error-prone — adding to the security challenges posed by these legacy access solutions.

VPNs and bastions are difficult to maintain

This lack of scalability can have unfortunate consequences. None feel the impact more than the teams tasked with configuring and managing VPNs and bastions.

The slow connections, repeated disconnections, and unpredictable unavailability commonly associated with legacy VPNs and bastions run counter to the work experiences employees depend on to stay productive. This doesn’t just inconvenience end users. IT and engineering teams must frequently troubleshoot these issues, dedicating valuable time and resources that could be better spent on projects that add value to the business.

Managing the security risks of these legacy solutions is no small feat, either. The static credentials used by VPNs and bastion hosts, such as passwords and keys, require strict oversight. Managing the lifecycle of these credentials — rotating, revoking, and distributing them — is a labor-intensive responsibility, especially across globally distributed teams. As infrastructure scales and user counts grow, so does the amount of overhead that gets attributed to credential management.

Any delays, lapses, or other human error factors in these processes can leave systems vulnerable to unauthorized access. This brings us to a critical limitation of VPNs and bastions: the security risks.

VPNs and bastions are a security risk

According to a 2024 Zscaler report, 56% of organizations experienced cyberattacks leveraging VPN vulnerabilities in the past year. That’s a staggering figure for any technology to be associated with — let alone technologies championed by cybersecurity strategies past and present. Throughout 2024, we were offered a firsthand glimpse into how these vulnerabilities were being exploited as several high-profile incidents like the Ivanti/CISA breach, Akira ransomware attacks, and TunnelVision unfolded — each involving VPN-centered exploits.

Bastion hosts are not exempt from these risks either, and remain susceptible to misconfigurations of access control, unpatched vulnerabilities, brute force attacks, and other SSH and secrets-based vulnerabilities. Just like a compromised VPN, a bastion host in the wrong hands can quickly provide attackers access to other resources on the network.

While it’s clear that VPN and bastion host vulnerabilities are not just theoretical, properly maintaining and securing these technologies is not so simple, which is a major reason VPNs are a preferred target for cyberattacks.

Teleport overcomes legacy VPN and bastion limitations

Teleport offers a modern alternative to legacy VPNs and bastion hosts, addressing the critical security and management challenges many organizations are struggling to contend with. As your infrastructure scales and user counts expand, Teleport replaces the need for VPNs and bastions with a secure infrastructure access platform built on zero trust principles, overcoming many of the limitations, challenges, and risks, including:

  1. User friction and performance
  2. Broad privileges and static credentials
  3. Operational complexity and cost-effectiveness
  4. Visibility and compliance

1. User friction and performance bottlenecks

VPN and bastion limitations

Performance issues: VPNs often route traffic through centralized gateways, creating latency that frustrates users and slows productivity. Distributed teams accessing multi-region resources may experience frequent connection drops and sluggish performance.

Negative user experience: Performance bottlenecks, latency, and clunky access protocols can place significant strain on the user. These inconveniences not only hinder daily workflows and productivity, but can also encourage risky behaviors like backdoor workarounds, credential sharing, and other methods for bypassing security policies.

How Teleport overcomes these limitations

Teleport eliminates the need for centralized traffic routing. By providing direct, low-latency access to resources like Kubernetes clusters, servers, and databases, Teleport ensures simple connectivity without delays. Its distributed architecture keeps performance high, empowering engineers and developers to work without interruptions. This also greatly reduces the risks of backdoor access and other risky workarounds that are inadvertently enabled by VPNs.

2. Broad privileges and static credentials

VPN and bastion limitations

Overly-broad privileges: VPNs and bastion hosts typically grant broad, network-level access once users authenticate. This "all-or-nothing" approach violates least-privilege principles and dramatically increases the attack surface. If credentials are compromised, attackers can move laterally across the network, easily gaining access to sensitive systems and data.

Static credentials: Static credentials like passwords, pre-shared keys, and SSH keys are common in VPN and bastion host environments. These credentials are prone to theft, reuse, and phishing attacks, and they’re difficult to manage at scale. Delays in revoking credentials — for former employees, contractors, or third parties — leave systems vulnerable to intrusion.

Poor key management: Unfortunately, common key management practices, like storing credentials in plain text files, further exacerbate VPN security concerns. In some circumstances, poor key hygiene can be a byproduct of the VPN itself. For example, research from Akamai found that sensitive SSH keys, user passwords, and other credentials could be exposed by disabling a feature with admin permissions.

How Teleport overcomes these limitations

Teleport enforces granular, role-based access control (RBAC) aligned closely to zero trust principles. Instead of granting broad network permissions, Teleport allows users to access only the specific resources they need for their role.

Access is tied to ephemeral certificates that automatically expire, shrinking the attack window and reducing the risk of privilege abuse. This approach not only prevents lateral movement, but simplifies incident response by limiting the scope of potential breaches.
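To make the two ideas in this section concrete (label-scoped roles instead of network-wide access, and certificates that expire on their own instead of long-lived keys), here is an added, self-contained model written for this page. It is not Teleport's code: the Role, Certificate and Node shapes, the label-glob matching, and the "shortest TTL across roles wins" rule are simplified assumptions that only loosely mirror the concepts the post describes. The sample roles and nodes at the bottom are constructed.

```python
"""Added example: label-scoped roles plus short-lived certificates.

Assumption: a role allows a set of OS logins on nodes whose labels match the
role's label globs, and a certificate carries the user's role names together
with a validity window. None of this is Teleport's own data model.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase


@dataclass
class Role:
    name: str
    logins: set[str]                  # OS logins this role may use
    node_labels: dict[str, str]       # label key -> glob pattern ("*" = any)
    max_session_ttl: timedelta        # upper bound on certificate lifetime


@dataclass
class Certificate:
    principal: str
    roles: tuple[str, ...]
    not_before: datetime
    not_after: datetime


@dataclass
class Node:
    hostname: str
    labels: dict[str, str] = field(default_factory=dict)


def role_matches_node(role: Role, node: Node) -> bool:
    """Every label the role requires must exist on the node and match the glob."""
    for key, pattern in role.node_labels.items():
        if key not in node.labels or not fnmatchcase(node.labels[key], pattern):
            return False
    return True


def issue_certificate(principal: str, roles: list[Role], now: datetime) -> Certificate:
    """Certificate lifetime is the shortest max_session_ttl among the roles held."""
    ttl = min(r.max_session_ttl for r in roles)
    return Certificate(principal, tuple(r.name for r in roles), now, now + ttl)


def check_access(cert: Certificate, roles_by_name: dict[str, Role],
                 node: Node, login: str, now: datetime) -> tuple[bool, str]:
    """Return (allowed, reason). Validity is checked before any role is consulted,
    so an expired certificate is useless regardless of how broad its roles were."""
    if not (cert.not_before <= now < cert.not_after):
        return False, "certificate expired or not yet valid"
    for name in cert.roles:
        role = roles_by_name.get(name)
        if role and login in role.logins and role_matches_node(role, node):
            return True, f"role {name} allows {login}@{node.hostname}"
    return False, f"no role grants {login} on {node.hostname}"


# Constructed sample data for the demonstration below.
T0 = datetime(2025, 1, 27, 9, 0, tzinfo=timezone.utc)
DEV = Role("dev", {"ubuntu"}, {"env": "staging"}, timedelta(hours=8))
DBA = Role("dba", {"postgres"}, {"env": "prod", "tier": "db"}, timedelta(hours=1))
ROLES = {"dev": DEV, "dba": DBA}
STAGING_WEB = Node("staging-web-1", {"env": "staging", "tier": "web"})
PROD_DB = Node("prod-db-1", {"env": "prod", "tier": "db"})


if __name__ == "__main__":
    alice = issue_certificate("alice", [DEV], T0)
    bob = issue_certificate("bob", [DEV, DBA], T0)
    for cert, node, login, when in [
        (alice, STAGING_WEB, "ubuntu", T0),
        (alice, PROD_DB, "ubuntu", T0),                       # no role for prod
        (alice, STAGING_WEB, "root", T0),                     # login not granted
        (alice, STAGING_WEB, "ubuntu", T0 + timedelta(hours=9)),  # expired
        (bob, PROD_DB, "postgres", T0),
        (bob, PROD_DB, "postgres", T0 + timedelta(hours=2)),  # dba TTL capped cert at 1h
    ]:
        print(cert.principal, login, node.hostname, when.time(), check_access(cert, ROLES, node, login, when))
```

The design point worth noticing is that holding a privileged role shortens the certificate: bob's certificate lives one hour because the dba role caps it, so the prod database login stops working on its own, with nobody having to revoke a key.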

3. Operational complexity and cost-effectiveness

VPN and bastion limitations

Complexity and maintenance overhead: VPNs and bastions require constant management, including handling certificates, rotating keys, and applying software patches. These factors increase the management workload placed onto engineering teams, further exposing the network to risks like misconfigurations, unrotated credentials, and shadow IT.

Cost-effectiveness: In addition to the operational and workload costs associated with maintaining VPNs and bastions, they also rely on additional tools to provide basic monitoring, auditing, and access control functions. This adds significant licensing expenses and additional maintenance complexity, and can require additional VPN solutions altogether. Additionally, performance bottlenecks and inefficiencies reduce productivity, leading to indirect costs from frustrated users and delayed workflows.

How Teleport overcomes these limitations

By eliminating the need for manual VPN and bastion configurations, certificate management, and static credentials, Teleport significantly reduces the complexity involved in managing infrastructure access. This simplification allows IT teams to focus on more strategic, value-adding initiatives rather than being burdened with the ongoing, manual maintenance tasks associated with legacy VPN and bastion solutions.

4. Visibility and compliance

VPN and bastion limitations

Compliance complications: VPNs often lack the auditing and monitoring capabilities necessary to meet modern compliance requirements, and are unable to provide insight into user activity. This lack of visibility can hinder the ability to conduct proper security assessments and demonstrate regulatory adherence.

Limited audit details: VPN logs typically provide basic information, like connection times, but fail to capture detailed activity within the network. This creates blind spots that make it difficult to detect suspicious behavior or investigate incidents. VPN logging is often insufficient or fragmented across systems, making it difficult to generate accurate activity logs or respond to incidents in real-time.

How Teleport overcomes these limitations

Teleport provides comprehensive audit logs and real-time session recording for all access events. These logs capture detailed insights, including commands executed and resources accessed, enabling proactive monitoring and streamlined compliance reporting.

Teleport integrates with SIEM tools, allowing security teams to detect anomalies and respond to threats quickly. By delivering complete visibility into infrastructure access, Teleport simplifies compliance and strengthens security posture.
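The value of per-session, per-command audit events is easiest to see with detection logic run over them. The following added example (not Teleport's code, and not the shape of Teleport's real audit log) parses a constructed JSON-lines log whose field names (event, sid, user, login, server_hostname, argv, time) are assumptions chosen for the demonstration. It implements two checks a SIEM rule would typically express: one user fanning out to many distinct hosts in a short window, which is the lateral-movement pattern the earlier section warns about, and commands recorded without a matching session start, which is exactly the blind spot that fragmented VPN logging leaves.

```python
"""Added example: two detections over session-level audit events.

Assumption: each line is one JSON event with the fields shown in SAMPLE_AUDIT_LOG.
The format is constructed for this example and is not Teleport's audit schema.
"""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. bob opens sessions on four hosts within four minutes;
# carol's command event has no session.start, i.e. the recording is incomplete.
SAMPLE_AUDIT_LOG = """
{"event":"session.start","sid":"s1","user":"alice","login":"ubuntu","server_hostname":"staging-web-1","time":"2025-01-27T09:00:00+00:00"}
{"event":"session.command","sid":"s1","user":"alice","argv":["ls","-la"],"time":"2025-01-27T09:00:05+00:00"}
{"event":"session.end","sid":"s1","user":"alice","time":"2025-01-27T09:05:00+00:00"}
{"event":"session.start","sid":"s2","user":"bob","login":"ubuntu","server_hostname":"staging-web-1","time":"2025-01-27T09:10:00+00:00"}
{"event":"session.start","sid":"s3","user":"bob","login":"ubuntu","server_hostname":"staging-web-2","time":"2025-01-27T09:11:00+00:00"}
{"event":"session.start","sid":"s4","user":"bob","login":"ubuntu","server_hostname":"staging-web-3","time":"2025-01-27T09:12:00+00:00"}
{"event":"session.start","sid":"s5","user":"bob","login":"postgres","server_hostname":"prod-db-1","time":"2025-01-27T09:13:00+00:00"}
{"event":"session.end","sid":"s2","user":"bob","time":"2025-01-27T09:13:30+00:00"}
{"event":"session.command","sid":"s9","user":"carol","argv":["cat","/etc/hosts"],"time":"2025-01-27T09:14:00+00:00"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse JSON lines into dicts, converting the ISO timestamp to a datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["time"] = datetime.fromisoformat(event["time"])
        events.append(event)
    return events


def detect_host_fanout(events: list[dict], max_hosts: int = 3,
                       window: timedelta = timedelta(minutes=10)) -> dict[str, list[str]]:
    """Flag users who start sessions on more than max_hosts distinct hosts
    within any sliding window of the given length. Returns user -> sorted hosts."""
    starts: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        if e["event"] == "session.start":
            starts[e["user"]].append(e)
    findings: dict[str, list[str]] = {}
    for user, user_events in starts.items():
        user_events.sort(key=lambda e: e["time"])
        for i, first in enumerate(user_events):
            hosts = {e["server_hostname"] for e in user_events[i:]
                     if e["time"] - first["time"] <= window}
            if len(hosts) > max_hosts:
                findings[user] = sorted(hosts)
                break  # one finding per user is enough for an alert
    return findings


def detect_unrecorded_commands(events: list[dict]) -> list[str]:
    """Session ids that have command events but no session.start: a gap in the
    audit trail that would hide how and where the session was opened."""
    recorded = {e["sid"] for e in events if e["event"] == "session.start"}
    return sorted({e["sid"] for e in events
                   if e["event"] == "session.command" and e["sid"] not in recorded})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUDIT_LOG)
    print("host fan-out:", detect_host_fanout(evs))
    print("unrecorded sessions:", detect_unrecorded_commands(evs))
```

Both checks only work because each event names the user, the session and the host; a log that records nothing more than "VPN tunnel up at 09:10" has no field to group on, which is the practical meaning of the blind spots described above.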

Teleport: Secure infrastructure access

Teleport is a platform for secure infrastructure access that provides secure, ephemeral access to infrastructure like servers, Windows desktops, public/private clouds, Kubernetes clusters, databases, and web applications. It delivers on-demand, least-privilege access to infrastructure on a foundation of cryptographic identity and zero trust, with built-in identity security and policy governance.

With Teleport, you eliminate the need for VPNs and bastion hosts with identity-authenticated, role-specific access and short-lived certificates — restricting access to only necessary resources for the necessary amount of time. This approach adheres to core zero trust principles, enhancing your organization’s security and compliance posture while reducing the complexity and overhead associated with manual infrastructure access control. Session logging and deep audit capabilities ensure traceability and compliance for all access events.

Alternatives to VPNs and Bastions
Figure 1: How infrastructure access works with Teleport, contrasted with infrastructure access with VPNs and bastions.

Teleport replaces VPNs and bastions

Teleport replaces VPNs and bastions by providing a unified platform for secure infrastructure access control across SSH, Kubernetes, databases, and web apps. While VPNs and bastions rely on credentials and keys which make them difficult and risky to maintain at scale, Teleport is built to provide direct, secure access to resources, scaling up or down alongside your infrastructure. Unlike traditional VPNs, which often grant broad network-level access, Teleport connects users only to the specific resources they need — without any added latency.

🛡️ Zero trust architecture: Teleport implements a zero trust model, limiting access to verified users and devices while continuously validating their identity.

🔒 Identity-authenticated access: Instead of using IP-based restrictions or static credentials, Teleport generates short-lived certificates tied to user identity, which ensures that access is strictly governed by policies.

📹 Audit and session recording: Teleport logs all access attempts and provides session recordings, making it easier for organizations to monitor access, enforce compliance, and conduct forensic analysis.

Conclusion

As infrastructure scales and teams become more distributed, the cracks in legacy VPNs and bastion hosts are becoming impossible to ignore. Performance issues, operational inefficiencies, and compliance gaps leave organizations exposed to unnecessary risks, overhead, and dampened productivity. These limitations are simply incompatible with the demands of modern infrastructure and business priorities.

Teleport solves these challenges by providing a unified platform for secure infrastructure access. Zero trust architecture, granular permissions, and built-in audit capabilities make it the smarter choice for modern environments. By eliminating the limitations of VPNs and bastion hosts with Teleport, your organization can embrace the scalable, secure, and productive infrastructure access needed to drive continued business innovation.

Ready to secure your infrastructure access?

Explore how Teleport can help your organization evolve past the VPN and secure your growing infrastructure with zero trust, dynamic scalability, and powerful engineer productivity.
