This article originally appeared in Dark Reading on April 17, 2019.
VPNs are the primary tool for securing remote access, but recently disclosed vulnerabilities point out the weakness of relying on them as the only tool.
“Encryption Everywhere” has become one of the rallying cries of enterprise security in the waning days of this millennium’s second decade. But when one of the foundation technologies of enterprise encryption is broken, the repercussions can spread far beyond the security team to cover everything the systems are supposed to protect.
That’s why the recent DHS CISA notice of vulnerabilities in four VPN applications is worrying and the details of the vulnerability particulars are so eye-opening. As it turns out, the vulnerabilities aren’t really in the basic encryption engines at work in the VPNs — they’re in the way the information on whether a particular session has been authenticated is stored and protected.
So what does it mean when an instrument of security is insecurely implemented? And aside from the obvious solution of patching the vulnerabilities (in Cisco, Palo Alto Networks, F5 Networks, and Pulse Secure products) as quickly as the patches become available, what is a security team to do?
“If we’ve made any collective mistakes in our use of VPNs, they’re around treating VPNs like infallible silver bullets,” says Amy Herzog, field CSO at Pivotal. “As with the firewalls of a couple of decades ago, VPNs are just one part of a company’s security posture. CISOs and CSOs should ensure their VPN use is as secure as possible, but they should also ensure their VPN fits into a larger system of security capabilities that’s resilient to disruption.”
It’s that feeling of VPN invincibility that experts warn against. “What [VPN] users don’t know is that VPNs are also prone to attacks and malware because bad actors know they are being used to convey sensitive information,” says Usman Rahim, digital security and operations manager for The Media Trust. “If bad actors are able to exploit vulnerabilities, they will be able to access, steal, and misuse VPN logging data.”
The Bad VPN?
As the security industry has seen with Amazon S3 buckets, problems explode when possibly secure products and services are implemented in a horribly insecure fashion.
“Unless businesses created multiple VPN profiles that restrict access to individual network resources, a VPN connection can allow carte blanche access to every network resource that would normally be available to users on the physical network,” says Justin Jett, director of audit and compliance at Plixer. “This means that hackers connecting over the VPN will be just as effective at stealing network resources on the VPN as they would be if they had physical access to the network.”
In the case of these vulnerabilities, it’s as if the system developers built a nice, strong door, then left the key under the big rock directly under the doorbell. It’s possible, some experts say, that the developers lost sight of the “key” importance because they exist as Web cookies rather than authentication certificates.
“As a developer, it’s easy to overlook that a cookie needs the same protections as a password because their format is already hashed or encrypted, but this is a common misnomer. Once someone has your cookie, they can just replay it and assume your Web identity,” explains Jason Haddix, vice president of researcher growth at Bugcrowd. He says it’s critical that those cookies be handled in the same secure manner used for authentication keys and certificates.
The problem is, “any exploit based on extracting keys or cookies and transferring them to another machine means that the VPN implementation on the gateway side does lack some additional countermeasures that I believe should have been implemented,” says Etay Bogner, co-founder and CEO of Meta Networks. But which countermeasures or additional security measures should the victims have put into place?
Beyond the VPN
Software-defined perimeter (SDP) systems have begun to appear in the market, and some say they offer the possibility of security beyond the limitations and vulnerabilities of VPNs. They may be part of the solution set that meets the requirements of the Tursted Internet Connection (TIC) 3.0 initiative of the Office of the Federal CIO.
“Solutions such as Zero Trust Networking through a software-defined perimeter will make a strong use case and promote how TIC 3.0 gives agencies greater flexibility and the ability to move quicker,” ZScaler’s Kovac says. “The SDP approach is to implement cloud-based access services to route traffic directly to the cloud. Using three core components — the application, the broker, and the connector — this method enables a ‘trust-to-trust’ approach, meaning a specific trusted user is connected to a specific trusted environment.”
This approach reduces risk by giving users specific access to specific applications, he said.
Added Bogner: “The unique capability of SDPs is that they redefine the perimeter as a solution that follows the user device wherever it is, rather than an office or data center.”
Better VPN Security Today
Technologies such as SDPs may be the solution for the future, but what can a security team do today to make sure its VPN is a security tool, rather than a vulnerability?
“System administrators have an important role to contribute to defense in-depth by using appropriate controls in the VPN configuration,” says Fausto Oliveira, principal security architect at Acceptto. “It is not enough to trust on the security of the endpoint. My advice is to use defense-in-depth to help keep your information secure and continue to raise the level of effort required for an attacker to be able to exploit this type of vulnerability.”
Jett agrees, and goes further. “VPNs are a great resource, but reviewing VPN policies is critical to making them function correctly and with security as a first priority,” he says. “Finally, VPNs should not be the last stop in the security equation. After a user has authenticated via the VPN, additional safeguards should be in place to prevent access to resources.”