I am facing some issues along these lines.
I have configured the gateway page to minimize its footprint/visibility.
Are there any plans at all to implement a failed login “lockout” mechanism at the project and gateway levels?
Right now, if I wanted to, I could brute force script login attempts to the gateway “configure” section and I can’t see where those login failures are logged or that there is any lockout mechanism either by IP or something else that would slow down a brute force attack.
I do have an alarm set up on projects where I have a tag set to query the audit events table looking for events where the action is login and the status code <> 0 and send out an alarm every time that count increments, but that only affects projects themselves and not the gateway.
The solution of VPN or other methods gets messy with cross-platform devices (iOS/Android/Windows) accessing screens from out in the field.
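An added example, not part of the original post: the audit-table alarm described above fires on every failed login, whereas this query groups failures by source host inside a sliding time window, the signal a per-IP lockout or alert would key on. The table name, column names, and sample rows are assumptions constructed for the illustration, run here against an in-memory SQLite database.

```python
import sqlite3

# Assumed schema: table and column names are placeholders, not taken from the post.
SCHEMA = """
CREATE TABLE audit_events (
    id INTEGER PRIMARY KEY,
    event_ts INTEGER,       -- epoch seconds
    actor TEXT,             -- account name that was tried
    actor_host TEXT,        -- source address of the attempt
    action TEXT,
    status_code INTEGER     -- 0 = success, anything else = failure
)"""

# Constructed sample rows (documentation-range addresses).
SAMPLE = [
    (1000, "admin", "203.0.113.7", "login", 1),
    (1005, "admin", "203.0.113.7", "login", 1),
    (1010, "root", "203.0.113.7", "login", 1),
    (1015, "admin", "203.0.113.7", "tag write", 0),   # not a login, ignored
    (1020, "admin", "203.0.113.7", "login", 1),
    (1030, "operator", "203.0.113.7", "login", 1),
    (1000, "jsmith", "198.51.100.4", "login", 1),     # isolated typo
    (1040, "jsmith", "198.51.100.4", "login", 0),
    (5000, "jsmith", "198.51.100.4", "login", 1),
]

# For each failed login, count the failures from the same host in the
# following :win_s seconds, then keep each host's peak count.
BURST_QUERY = """
SELECT host, MAX(failures) AS peak FROM (
    SELECT a.actor_host AS host, COUNT(*) AS failures
    FROM audit_events a
    JOIN audit_events b
      ON b.actor_host = a.actor_host
     AND b.action = 'login' AND b.status_code <> 0
     AND b.event_ts BETWEEN a.event_ts AND a.event_ts + :win_s
    WHERE a.action = 'login' AND a.status_code <> 0
    GROUP BY a.id
    HAVING COUNT(*) >= :min_fail
) GROUP BY host ORDER BY peak DESC"""

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO audit_events (event_ts, actor, actor_host,"
                     " action, status_code) VALUES (?, ?, ?, ?, ?)", SAMPLE)
    return conn

def find_bursts(conn, win_s=60, min_fail=5):
    """Return (host, peak_failures) for hosts that hit the threshold."""
    return conn.execute(BURST_QUERY, {"win_s": win_s, "min_fail": min_fail}).fetchall()

if __name__ == "__main__":
    print(find_bursts(build_sample_db()))
```

Grouping on the source host rather than the account name also catches attempts that rotate usernames from one address.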