Teleport (also known as Gravitational Teleport) is a certificate authority and an open infrastructure access platform for securing access to the organization’s infrastructure. Organizations use Teleport to secure access to SSH servers and Kubernetes clusters via a centralized authentication method through an authentication proxy. Teleport wants to replace sshd and OpenSSH for servers with their SSH client, remove the need for VPNs and provide a WebUI.
The tool enables administrators to provision access for users to server clusters through role-based access control (RBAC), allowing for different levels of access privileges based on the request target. This does not assign or give individual server credentials to users, which means there is no maintenance necessary where credentials are rotated or removed.
The result is a tool that provides privileged access management (PAM) for cloud-native infrastructure.
Assuming you are comfortable replacing OpenSSH, we recommend utilizing Teleport for enhancing the security of databases and servers, particularly when there is a requirement to capture comprehensive session replay logs for SSH or RDP sessions. While Pomerium also offers support for tunneling TCP traffic through HTTP_CONNECT, its primary strength lies in securing all HTTP-based services, including internal web applications and remote development.
Teleport is a unified access plane for infrastructure. Pomerium is an identity and context-aware reverse proxy that enables secure access to internal applications.
Given that Teleport is primarily a Layer 4 tool, it is great for accessing databases and servers and less capable when it comes to securing web applications at Layer 7.
Use cases
Unified access plane for all infrastructure such as servers, databases, RDP, and Kubernetes
SSH access to same username across server clusters
NextGen VPN with session recording
Teleport Strengths
Flexible access — You can use Teleport with an existing OpenSSH infrastructure. SSH access is also available via web UI on proxy server. That being said, Teleport really wants you to replace sshd with teleport (we’ll go into why that’s a bad idea).
Onboard automation — Single sign-on (SSO) for SSH/Kubernetes and your organization identities via Github Auth, OpenID Connect or SAML with endpoints like Okta or Active Directory.
Camcorder on — Every SSH, desktop, or Kubernetes shell session is recorded and can be replayed later. (This is accomplished with their own teleport agent.)
Teleport Weaknesses
Why replace SSHD? — SSHD is a piece of infrastructure that no one should be replacing.
Client necessary everywhere — Teleport claims to have agentless mode, but to get the full use requires installing their agent onto every machine, which involves lots of updates and is burdensome on the machines. Make this easy with Pomerium’s clientless access — no agents, no clients, nothing to maintain!
Cluster of things — Clusters here, clusters there… Teleport’s architecture is a cluster of Teleport Auth Service, Teleport Proxy Service, and “optional” Teleport Agents.
The Perimeter Problem — Teleport still requires tunneling (even for web apps), which is confusing since Teleport proposes replacing the VPN tunnel by… being a SSH tunnel between your devices and your servers. Pomerium avoids this data backhauling and latency issue by being deployed at edge, no tunneling required.
Unreliable Availability — If you use Teleport’s Enterprise Cloud, you’re signing up for potential downtimes during which you may lose access to your services or even audit logs. Self-hosting Pomerium means you are always in full control.
Hard to Audit Recording Logs — Teleport’s session recording logs are not request-based and can be difficult to audit if you don’t know the exact timestamp of an event you are looking for.
Evaluators Should Know
We want to highlight the alarming aspects of Teleport:
Replacing SSHD and OpenSSH is terrifying
Session recording sounds great but is impractical
Agent management is a scaling burden
Replacing OpenSSH and SSHD Is Terrifying
Don’t reinvent the wheel.
OpenSSH, based on Secure Shell (SSH) protocol, is supported almost universally as a way to establish a secure channel. It is open source and has been continuously audited over two decades, making its security impeccable.
SSHD is the Secure Shell Daemon, the component for establishing SSH for server machines.
Put together, OpenSSH and SSHD are the core components which allow remote administration to servers. Most of the world uses OpenSSH and it is considered the foundational bedrock for modern technology.
Teleport is proposing to replace one of the most trusted and secure pieces of software on the planet because they want to offer session recording. Which could be understandable, except…
Session recording sounds great but is impractical
Recorded sessions are great in theory and terrible to sift through in practice.
We meant it literally when we said “camcorder on” for session recording. Teleport replaces OpenSSH and SSHD to record every session’s screen for audits. Check out Teleport’s video on session recording to see it in action – it captures individual sessions on video.
Now imagine scaling that for multiple servers over hundreds of users as administrators hunt down a problem.
Session recording is useful in limited situations — specifically, you should know:
Which session you should be looking at
When during the session the act(s) occurred
What you are looking for
Otherwise, auditing session recordings are an expensive time-sink of watching recordings in the hope of finding what you may or may not be looking for. Imagine searching through hours of recordings for a zero-day vulnerability affecting your SSHD client from Teleport, which you’re using instead of the one that the rest of the world is using.
This is exacerbated by the fact that Teleport’s audit logs are not request-based. You also do not get key-for-key keystroke logging since it’s important to log control characters such as backspace or other non-printable characters. This means that searching Teleport’s audit logs for something as simple as root can have significant oversight if hackers used ro backspace oo backspace ot to reach root.
Pomerium’s audit logs fix this problem by logging the details of every request including why an action was approved or denied, resulting in faster time to identify or fix security protocols. And time is money, which makes Teleport’s architecture noteworthy because…
Screenshot from Teleport’s documentation. Taken September 12, 2023
So according to Teleport themselves:
Hard and inconvenient if you don’t use our agents!
Burdensome if you do use our agents!
Automatic updates only for certain distributions!
NextGen VPNs and tunneling solutions try to downplay the fact that agents and clients are cumbersome to maintain. It’s an inherent design problem which cost upkeep time from IT teams, resulting in inhibited growth and scale.
If you have many web apps and services to secure, Pomerium’s clientless access frees up resources for efficiency and productivity.
Revolutionize Your Security: Achieve Compliance Hassle-Free!
Embrace Seamless Resource Access, Robust Zero Trust Integration, and Streamlined Compliance with Our App.
