Eliminating inbound ports is a critical step in reducing the attack surface of an operational technology network. Traditional remote access often relies on open listeners or legacy virtual private networks, which make internal systems visible to automated scanners and malicious actors on the public internet. By replacing these with outbound-only reverse tunnels, you render the internal environment invisible to external threats while still allowing secure, authenticated access for authorized users. You can find more details on our comparison of identity-aware access and port-forwarding.

For more information, see Industrial Cyber Security Best Practices.