Virtualization Technology News and Information
Working from Home or the Office - How to Avoid Backdoor VPN Security Risks
By Don Boxley, CEO and Co-Founder, DH2i 

If you are looking for news about the inherent vulnerabilities of virtual private networks (VPNs), you don't have to look far, especially now that so many of us are working remotely. One of the more disconcerting recent reports of attackers succeeding where VPNs failed described Iranian hackers targeting organizations around the globe across a number of industries, including information technology, security, telecom, government, oil and gas, and aviation.

The hackers, reported to be backed by the Iranian government, set out to infiltrate targeted organizations in order to plant backdoors for later use. That objective was made possible by VPN vulnerabilities that the attackers began exploiting within hours of the bugs being publicized.

Although some observers had previously suggested that Iranian hackers lack the sophistication and talent of other groups to inflict mass attacks and destruction via cyberattacks, the recent exposure of VPN failings, and the hackers' ability to exploit them, implies otherwise. It took this group just hours to infiltrate VPN servers, weaponizing the vulnerabilities in a continuation of a campaign that began in the summer of 2019. The attacks on VPNs were reported to follow a two-stage approach: first breach the VPN server, then move laterally through the internal network with relative ease.

The vulnerabilities were found not in just one enterprise VPN product but in several, with well-known names such as Fortinet, Citrix, Palo Alto Networks, and Pulse Secure heading the list.

The moral of the story? If your organization depends on a VPN server, you should rightfully be concerned. Reports on the Iranian hacking campaign also revealed that these groups are now teaming up rather than working alone, which multiplies the damage for victims: the recent global attacks on VPN servers involved at least three Iranian groups working in partnership.

Although the immediate goal of these attackers was to plant backdoors for information gathering, there is a great deal more to fear once unauthorized parties are inside your network, from data theft and data wiping to entire networks being held hostage and business operations grinding to a halt.

There seems to be no end to the novel VPN flaws being brought to light, each of them primed for exploitation. If recent history is our guide, the speed at which the Iranian hackers weaponized previous VPN flaws means we can expect the same each time new vulnerabilities are disclosed, such as the latest weaknesses reported in SonicWall SRA and SMA VPN appliances.

VPNs - Not Built for The Way We Work Today

Let's take a step back and look at why VPNs no longer fit the way we work, and why VPN servers lack the security needed to keep enterprise networks safe and private. They were engineered for traditional perimeter security: a hole is opened in the firewall for the VPN endpoint, and each remote client is given a direct link into the internal network. In a hybrid-cloud and multi-cloud world of distributed clients and applications that are no longer just on-premises, an organization that relies on a VPN for infrastructure access has a much greater chance of being breached through a data-exposing VPN backdoor.

The root problem is that, by their very nature, VPNs expose an attack surface that is hard to protect. Instead of granting each user access only to the specific applications and data they need, a VPN exposes a "slice of the network": once the tunnel is up, the client is a routable host on the internal network. VPNs cannot segment at the application level; they segment at the level of the entire network (or a subnet of it), leaving everything reachable from that subnet exposed. Moreover, a VPN server must accept inbound connections from the Internet, and that listener is exactly the surface the attacks described above exploited.

And when we get right down to it, VPNs are also a headache to configure, and highly prone to misconfigurations that are virtually invisible until it's too late. VPN remote access requires dedicated routers, access control lists (ACLs), firewall policies, and so on. Because of these complexities, VPNs are also expensive and time-consuming to manage and maintain, particularly compared with more modern solutions.

But what's the answer?

SDPs Slam that Backdoor Shut, and Lock It Tight

A software-defined perimeter (SDP) is the alternative to unreliable VPN security. SDP delivers "zero trust" access even in cloud-based environments, using "micro-perimeters" (micro-tunnels) that segment at the application level. If you're concerned about backdoor access, and you should be if you depend on a VPN server, an SDP addresses it by making applications and services invisible to untrusted parties, removing the lateral-movement risk that has become synonymous with VPNs.

SDP solutions provide much better security than VPNs for remote users accessing the network, a critical point given how many of us are working remotely today. With an SDP, outside parties are confined to specific applications. It's like being in an application-specific "escape room" with no way out, which also removes the need for headache-producing ACLs and firewall policies.
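The contrast drawn in the last two sections, a VPN handing out a "slice of the network" versus an SDP confining each identity to named applications, as an added example in Python. This is not the article's or DH2i's own code; the hosts, users, ACLs, trusted-device list and policy below are all constructed for illustration, and the broker is a simplified model rather than any particular product's behaviour.

```python
"""Added example: network-slice (VPN) access vs. application-level (SDP) access.

Every host, user, ACL and policy here is constructed for illustration only.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    host: str   # address on the internal network (constructed)
    port: int


# Constructed internal estate: what a remote worker could find behind a VPN.
SERVICES = (
    Service("crm-web", "10.20.1.10", 443),
    Service("hr-db", "10.20.1.20", 5432),
    Service("build-server", "10.20.2.30", 22),
    Service("iot-hub", "10.20.3.40", 8883),
)

# VPN-style access: an ACL routes the user a "slice of the network".
# Everything inside the slice is reachable whether the user needs it or not.
VPN_ACL = {
    "alice": [ipaddress.ip_network("10.20.1.0/24")],
    "bob": [ipaddress.ip_network("10.20.0.0/16")],   # over-broad, as ACLs often are
}

# SDP-style access: identity plus trusted device -> the exact services allowed.
# Anything not listed is default-deny and is never advertised to the client.
SDP_POLICY = {
    "alice": {"crm-web"},
    "bob": {"build-server", "iot-hub"},
}
TRUSTED_DEVICES = {
    "alice": {"laptop-a1"},
    "bob": {"laptop-b2"},
}


def vpn_reachable(user, services=SERVICES, acl=VPN_ACL):
    """Names of services a VPN user can reach: every service whose host
    sits inside any subnet the ACL routes to that user."""
    nets = acl.get(user, [])
    return sorted(s.name for s in services
                  if any(ipaddress.ip_address(s.host) in n for n in nets))


def sdp_reachable(user, services=SERVICES, policy=SDP_POLICY):
    """Names of services an SDP user can reach: only those named in policy."""
    allowed = policy.get(user, set())
    return sorted(s.name for s in services if s.name in allowed)


def sdp_broker(user, device, service_name, services=SERVICES,
               policy=SDP_POLICY, trusted=TRUSTED_DEVICES):
    """Simplified SDP connection broker: hand out a (host, port) only when the
    identity is known, the device is trusted for it, and the service is
    explicitly allowed. Otherwise return None, so the service stays invisible:
    the caller cannot tell 'denied' apart from 'does not exist'."""
    if device not in trusted.get(user, set()):
        return None
    if service_name not in policy.get(user, set()):
        return None
    for s in services:
        if s.name == service_name:
            return (s.host, s.port)
    return None


def lateral_exposure(user, target):
    """Whether a compromised client of `user` could pivot to `target`, a
    service that user has no business reason to reach, under each model."""
    return {"vpn": target in vpn_reachable(user),
            "sdp": target in sdp_reachable(user)}


if __name__ == "__main__":
    for u in ("alice", "bob"):
        print(u, "VPN:", vpn_reachable(u), "SDP:", sdp_reachable(u))
    print("bob -> hr-db:", lateral_exposure("bob", "hr-db"))
    print("broker:", sdp_broker("bob", "laptop-b2", "iot-hub"),
          sdp_broker("bob", "stolen-phone", "iot-hub"))
```

Under the VPN ACL, bob's over-broad /16 makes hr-db reachable even though he has no need for it, and even alice's tight /24 reaches hr-db simply because it shares a subnet with crm-web; under the SDP policy neither can, and the broker refuses to name an endpoint for an unknown user, an untrusted device, or an unlisted service. The practical check is the same as the model's: enumerate what each remote identity can actually reach, not what the ACL was meant to allow.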

An SDP solution also helps organizations ride out an outage, since it can move operations between clouds and create secure communication links between IoT edge devices and IoT hubs. Some SDP software can take advantage of "always-on" application infrastructure, allowing the micro-tunnels to choose their best execution path.

Like many technologies that preceded them, VPNs were at one time truly cutting-edge. But as the world's IT and business climate has evolved, VPNs have remained largely unchanged. Today, VPNs are not only unable to keep attackers at bay; they may inadvertently make the attackers' job easier. To keep networks secure in today's multi-cloud, IoT world, where so much computing is done at the edge, it has become imperative to deploy SDP software that creates secure perimeters between trusted users and devices and only the services they need to access, virtually slamming the backdoor in the face of would-be hackers and bolting it tight.


About the Author

Don Boxley 

Don Boxley is a DH2i co-founder and CEO. Prior to DH2i, Boxley spent more than 20 years in management positions for leading technology companies. Don earned his MBA from the Johnson School of Management, Cornell University.

Published Thursday, June 04, 2020 7:25 AM by David Marshall