Vulnerabilities such as those in Ivanti Connect Secure illustrate why VPN security risks have become too prevalent and impactful to ignore
If you work in network and data security for an enterprise, the vulnerabilities disclosed in Ivanti’s VPN products in January 2024 underscore a serious question: Have VPNs worn out their welcome? (And is zero trust security the exciting newcomer with both style and substance?)
I’ll explain my thoughts on this in a moment, but first, here’s what happened: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring federal civilian agencies to disconnect Ivanti VPN products, in response to Ivanti’s disclosure that attackers were exploiting zero-day vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure (four vulnerabilities had been disclosed by the end of that month).
For many companies using legacy security technologies, the announcement served as a real-world reminder of some simple truths about VPN security risks that experts have been opining about for a while:
- VPNs give too many people too much access to too much of an enterprise network.
- Zero trust solutions solve many of the problems associated with VPNs.
- Alternatives to VPN for IoT and other types of remote network access should be implemented sooner, not later.
Why are security risks in highly distributed enterprise networks so pervasive?
Most organizations still rely on one of the following two practices to secure access to private resources in distributed enterprise networks:
Security by obscurity borders on absurdity
Assigning a static public IP address to the router at a dispersed branch store or office and forwarding ports through it has been a common way to reach the devices and applications sitting on that LAN. The only thing "hiding" them is that nobody is supposed to know the address and port.
Hiding is one way to go, but it’s no longer a prudent, long-term solution. Every forwarded port on a static IP is part of your internet-facing attack surface. Attackers continuously scan the whole public address space with automated tooling, so a service behind a static IP is discovered within hours of going live, not months, and whatever vulnerability it has is tested at the same pace.
Once a server or a resource is compromised, hackers can "laterally move" and get access to other resources — putting the entire enterprise network in danger of being compromised.
Plus, each static IP costs money, which can become uncomfortably expensive as an enterprise expands its footprint of connected sites, vehicles, and IoT instances. Managing all of those static IPs is challenging, too. It’s labor-intensive and prone to human error (think detailed, exhaustive spreadsheets that someone on staff has to update manually).
Legacy VPN technology should be gone but not forgotten
Legacy VPN technologies such as DMVPN have had a good run in securing distributed enterprise networks. They’ve put in good work, and they deserve a round of applause for their years of service in private networks. That said, legacy VPNs need to be retired.
The blanket access that VPNs usually provide equates to unfettered network access. Legacy VPN technology is frequently likened to a moat surrounding a castle: once the moat is crossed, everything inside the walls is exposed. That is exactly the pattern of a breach of a perimeter-based VPN, where an attacker who gets past the gateway is placed on the internal network and can move freely between private resources. In addition, misconfigured VPNs (permissive routes, split-tunnel rules that drift over time, shared pre-shared keys) and overly complex VPN setups introduce vulnerabilities of their own.
Traditional VPNs also present significant operational challenges for enterprises. Highly distributed organizations face a notable obstacle in the requirement for a distinct static IP address for the VPN endpoint at each site.
Now, about that large attack surface ... Here’s where the Ivanti situation is quite illustrative. Exploitation of the Ivanti VPN zero-days began with targeted intrusions in December 2023, and once the vulnerabilities were made public in January, attackers mass-scanned the internet for exposed appliances and exploited them at scale.
- Credential Stealing: The attackers injected a custom JavaScript-based credential harvester, called WARPWIRE, into the appliance’s login page to capture and exfiltrate plaintext credentials as users signed in.
- Lateral Movement: The attackers then used the stolen credentials to connect to internal systems via RDP, SMB, and SSH.
In short, the VPN appliance was not merely the door the attackers came through; it was the first system they compromised, and once past it, nothing on the network restricted where they could go next.
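The lateral movement step above is the part a defender can still catch after the gateway is lost: a single account, from a single source address, opening RDP, SMB and SSH sessions to many different internal hosts in a few minutes. The following is an added example, not code from the original article or from Cradlepoint, that implements that fan-out check over constructed sample log lines in a made-up format (timestamp, protocol, user, source IP, destination host); the thresholds are assumptions to tune for your environment.

```python
"""Flag accounts that fan out to many internal hosts over lateral-movement protocols.

Added example. The log format and sample lines are constructed for this
example; the window and threshold are assumed starting points, not a standard.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<timestamp> <proto> <user> <src_ip> -> <dst_host>".
# jsmith's credentials were harvested and replayed by an attacker; alee is a
# normal user touching a few hosts over a working day.
SAMPLE_LOG = """\
2024-01-12T02:14:05 ssh jsmith 10.20.5.17 -> fileserver01
2024-01-12T02:14:31 smb jsmith 10.20.5.17 -> fileserver02
2024-01-12T02:15:02 rdp jsmith 10.20.5.17 -> dc01
2024-01-12T02:15:40 smb jsmith 10.20.5.17 -> hr-share
2024-01-12T02:16:12 ssh jsmith 10.20.5.17 -> jump02
2024-01-12T02:16:50 rdp jsmith 10.20.5.17 -> finance-app
2024-01-12T09:00:10 rdp alee 10.20.7.44 -> finance-app
2024-01-12T09:30:55 smb alee 10.20.7.44 -> fileserver01
2024-01-12T15:45:00 smb alee 10.20.7.44 -> hr-share
"""

# The protocols the article names as the lateral-movement channels.
LATERAL_PROTOCOLS = {"rdp", "smb", "ssh"}


def parse_line(line):
    """Split one constructed log line into (timestamp, proto, user, src, dst)."""
    ts, proto, user, src, _arrow, dst = line.split()
    return datetime.fromisoformat(ts), proto, user, src, dst


def detect_fanout(log_text, window=timedelta(minutes=10), threshold=4):
    """Return {(user, src_ip): {...}} for actors that reach >= threshold
    distinct hosts within any sliding window of the given length.

    Destinations are counted per (user, source) pair so that one account used
    legitimately from several workstations is not merged into one actor.
    """
    by_actor = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, proto, user, src, dst = parse_line(line)
        if proto in LATERAL_PROTOCOLS:
            by_actor[(user, src)].append((ts, dst))

    alerts = {}
    for actor, sessions in by_actor.items():
        sessions.sort()  # by timestamp
        start = 0
        for end, (ts, _dst) in enumerate(sessions):
            # Slide the window start forward until it spans at most `window`.
            while ts - sessions[start][0] > window:
                start += 1
            hosts = sorted({d for _, d in sessions[start:end + 1]})
            if len(hosts) >= threshold and actor not in alerts:
                alerts[actor] = {
                    "first_seen": sessions[start][0],
                    "window_end": ts,
                    "hosts": hosts,
                }
    return alerts


if __name__ == "__main__":
    for (user, src), info in detect_fanout(SAMPLE_LOG).items():
        print(f"ALERT {user}@{src}: {len(info['hosts'])} hosts between "
              f"{info['first_seen']:%H:%M:%S} and {info['window_end']:%H:%M:%S}: "
              f"{', '.join(info['hosts'])}")
```

Run against the sample, jsmith's burst from 10.20.5.17 is flagged after the fourth distinct host and alee is not. Feeding it real data means mapping your own RDP, SMB and SSH authentication events into the (timestamp, protocol, user, source, destination) shape; the rest of the logic does not change.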
Why is zero trust better than VPN?
OK, so we’ve established that finding alternatives to VPNs is imperative. But what’s the best VPN alternative? Zero trust security solutions have emerged as the best option, for multiple reasons:
Zero trust reduces the attack surface. Zero trust networking reduces the attack surface by allowing only inside-out connections: connectors in front of internal resources dial out to the access service instead of listening for inbound connections, so those resources expose no internet-facing listener and cannot be found by the mass scanning that fed the Ivanti exploitation.
Zero trust prevents lateral movement. Zero trust operates under the assumption that no user or system, whether inside or outside the network, should be automatically trusted. This model aims to minimize the risk of lateral movement, where an attacker, once inside a network, attempts to move laterally to gain access to other systems or sensitive data. Rather than granting access to the entire network, zero trust connects users and devices with specific IT resources on an individual basis. Zero trust enforces the principle of least privilege, ensuring that users and systems only have access to the resources and data they absolutely need to perform their tasks. This limits the potential impact of a compromised account on lateral movement.
Zero trust reduces exposure to zero-day exploits. A zero trust architecture inspects all traffic in-line and applies IDS/IPS and malware detection to it, which blocks many exploit attempts, malware, and other advanced threats, including some that target flaws with no patch available yet. No inspection engine catches every unknown exploit, which is why the architecture also relies on ongoing authentication and authorization: users and devices are continually verified throughout their sessions based on contextual information, so a session that was acceptable at login is cut off when that context changes.
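To make the three points above concrete, here is an added example that is not code from the original article and does not describe how Cradlepoint’s products work internally. It is a toy policy engine in Python contrasting the flat perimeter model (one accepted login reaches every host) with per-resource, default-deny decisions that also check device posture and re-check the session as time passes. The user names, host names, policy rules, and the 60-minute re-authentication limit are all constructed for the example.

```python
"""Flat VPN access versus per-resource zero trust decisions (added example).

All names, rules and thresholds below are constructed; they are not a real
policy or a description of any vendor's product.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Context:
    """The signals evaluated on every request, not just at login."""
    user: str
    device_managed: bool      # device posture: enrolled and compliant?
    mfa_age_minutes: int      # time since the last strong authentication
    geo: str                  # coarse location of the client


@dataclass(frozen=True)
class Rule:
    """One grant: exactly one resource, an explicit user list, posture requirements."""
    resource: str
    users: frozenset
    require_managed: bool = True
    max_mfa_age: int = 60
    allowed_geos: frozenset = frozenset({"US"})


# Constructed policy. Note that no rule mentions "dc01": reaching the domain
# controller through remote access is not something that can be granted at all.
POLICY = (
    Rule("finance-app", frozenset({"alee"})),
    Rule("fileserver01", frozenset({"alee", "jsmith"}), require_managed=False),
)

VPN_USERS = frozenset({"alee", "jsmith"})
INTERNAL_HOSTS = ("finance-app", "fileserver01", "dc01")


def legacy_vpn_decision(ctx, resource):
    """Perimeter model: a successful login places the client on the LAN, so
    every host is reachable. The resource being asked for is never consulted."""
    if ctx.user in VPN_USERS:
        return True, "authenticated; client is on the internal network"
    return False, "login failed"


def zero_trust_decision(ctx, resource, policy=POLICY):
    """Default deny. A grant must match the resource, the user, the device
    posture and the context, and it is evaluated per request."""
    rule = next((r for r in policy if r.resource == resource), None)
    if rule is None:
        return False, "no grant exists for this resource"
    if ctx.user not in rule.users:
        return False, "user not granted this resource"
    if rule.require_managed and not ctx.device_managed:
        return False, "unmanaged device"
    if ctx.mfa_age_minutes > rule.max_mfa_age:
        return False, "re-authentication required"
    if ctx.geo not in rule.allowed_geos:
        return False, "location not allowed"
    return True, "allow"


def reachable(decide, ctx):
    """Which internal hosts a client can reach under a given decision model."""
    return [host for host in INTERNAL_HOSTS if decide(ctx, host)[0]]


def continuous_check(ctx, resource, minutes_elapsed, policy=POLICY):
    """Re-evaluate an established session after time has passed. The grant
    that held at login is not assumed to still hold now."""
    later = replace(ctx, mfa_age_minutes=ctx.mfa_age_minutes + minutes_elapsed)
    return zero_trust_decision(later, resource, policy)


# An attacker replaying harvested jsmith credentials from an unmanaged laptop.
STOLEN_CREDS = Context(user="jsmith", device_managed=False, mfa_age_minutes=0, geo="US")

if __name__ == "__main__":
    print("legacy VPN reach:", reachable(legacy_vpn_decision, STOLEN_CREDS))
    print("zero trust reach:", reachable(zero_trust_decision, STOLEN_CREDS))
    print("finance-app:", zero_trust_decision(STOLEN_CREDS, "finance-app"))
    print("fileserver01 after 90 min:", continuous_check(STOLEN_CREDS, "fileserver01", 90))
```

With the stolen credentials, the legacy model hands over all three hosts, including the domain controller; the zero trust model yields exactly the one file share jsmith was ever granted, and even that session is closed once the authentication ages past the rule’s limit. The point of the toy is the shape of the decision, evaluated per resource and per request with posture and context as inputs, not the particular fields, which a real deployment would take from its identity provider and device management system.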
How Cradlepoint helps distributed enterprises securely transform their networks
Cradlepoint provides a range of services enabling enterprises to transition their networks to a zero trust architecture.
Secure Connect: NCX Secure Connect allows enterprises to build large distributed networks with simplicity and zero trust connectivity.
ZTNA: With a zero trust network in place using Secure Connect, enterprises can use a ZTNA solution to securely extend granular access to remote employees and third-party contractors. ZTNA employs ongoing authentication and authorization processes and enables granular, flexible, and powerful policies based on user attributes and context.
Hybrid Mesh Firewall: Cloud-based hybrid mesh firewalls perform continuous inspection of in-line traffic using IDS/IPS, blocking exploit attempts and malware in transit, including many that target vulnerabilities that have not yet been patched.
Remote Browser Isolation: To protect users and devices from internet-borne zero-day threats, Cradlepoint offers a Remote Browser Isolation (RBI) service. RBI creates a digital air gap using a remote container environment. When a user clicks on a link, all web content — including sites accessed through email — is executed in an isolated, virtual browser hosted in the cloud and distinct from the user’s device or network, thereby protecting users and devices from zero-day threats.