Dark Reading published a timely article titled, “Attackers Heavily Targeting VPN Vulnerabilities” this week. A slew of high-profile published vulnerabilities over the past several months, along with the increasing dependence on VPNs with remote work over the last year-plus have converged to make the VPN a highly attractive target to enter the wider enterprise.
I know that technology dies hard, but the real question should be, “Why are organizations still using VPNs?” VPNs are a relic of a bygone era before we knew better. They aren’t very secure. If they’re compromised, they can open access to the entire network, which would be bad. I had some commentary on this point published in the CyberWire this week:
"The VPN is dead, or should be. It's a gateway to a network that when breached provides extensive access to the rest of the organization. There are better approaches that can eliminate these vulnerabilities that include end-to-end encryption, cryptographically-verified identities of remote users and accessible devices, and shutting down the spread of threats that do penetrate the network perimeter with micro-segmentation. It's taking a long time for mainframes to die, so we’ll probably see the same with VPN's."
Wired followed up with an article out April 26 titled, “VPN Hacks are a Slow-Motion Disaster”. It notes the transition from IPsec VPN to the easier and more seamless SSL/TLS VPNs have left organizations more vulnerable and probably more careless.
Also this past week, we had the opportunity to discuss Tempered and our Airwall solution on a Packet Pushers podcast this week. The host, Greg Ferro, commented (at about the 41:35 minute mark), “(Airwall) is an intriguing way to think about where VPNs might have gone if (the industry) hadn’t gone down a different path”. What was he referring to? He was alluding to the advantages of encrypted overlay networks as remote access solutions compared to IPsec or SSL/TLS VPN.
Imagine a remote access solution that didn’t just check your credentials at the edge of the network or the cloud, but took you all the way to individual endpoints, applications or devices, that you were specifically authorized for, and nowhere else. You could allow the manufacturer or technician of an industrial control system access into your network, but they can only access their specific device on the network.
The IPsec VPN protocol encrypts packets and authenticates systems with cryptographic keys, but it’s not designed to encrypt traffic all the way to the destination. Tempered Airwall operates as an end-to-end encrypted overlay network tunnel, providing much more granular network protection and the ability to restrict movement completely to unauthorized devices if the network is ever breached or an internal system is compromised. This is typical of any Zero Trust micro-segmentation solution where policies are applied to specific endpoints, not to network segments, unlike VPNs.
Some of the recent VPN breaches are not necessarily the fault of the technology, quite frankly, but rather user error, particularly with passwords. We have seen passwords be simple or reused by many users, or not reset from the initial settings. This isn’t possible with Airwall, or the Host Identity Protocol (HIP) in general. Identities are associated with unique cryptographic identifiers, which serve as keys to the encrypted overlay tunnel. They are never simple, standard or re-used. Common errors are simply not possible, unlike a VPN.
Imagine a remote access system that was easy to administer policies with point-and-click convenience. You could group devices and users together to simplify remote access policies, such as, all the employees in a particular support group can access any video camera at any site, but no other applications or services. Straightforward rules like this align easily with business or security objectives, unlike the limited scope of VPN rules, which are more tedious to manage, and thus more error prone.
Imagine a system that orchestrated your network device setup automatically, automated remote access policy configuration updates, and took the human error out of the equation? That, in essence, is a benefit of Airwall systems that are software-defined platforms with a centralized orchestration engine, called the Conductor. As in software-defined networking (SDN), the Conductor automates all the device updates, tunnel setup, and authorized access enforcement across the entire network. Although Zero Trust remote access policies are more granular, more secure, and more aligned with business requirements, they can be easier to manage and orchestrate than a VPN.
It’s clear that organizations are embracing Zero Trust for a range of use cases, and remote access VPN replacement is just one, if not the most common. The Federal Government is encouraging organizations to embrace Zero Trust architectures and nearly 75% of organizations overall have plans or are currently implementing Zero Trust architectures according to a recent Cybersecurity Insiders report. This is great news since it will be a much better way of alleviating all of the existing VPN vulnerabilities, configuration errors and poor management that is out there today.