Did you know that Virtual Private Networks (VPNs) are now dead and the rest of the world has moved to Software Defined Perimeter (SDP) solutions for secure remote access? So why are you still using a VPN?
Twenty-two years ago, I published the first vulnerability to Bugtraq on hacking VPN appliances by a company called RapidStream at the time, who hard-coded the root password into the SSH binary, giving you a root shell on their VPN appliances. One year later, I published another advisory on how to circumvent VPNet appliances from the internet into the VPN-protected internal network.
Since that time, a total of 564 vulnerabilities have been registered in the CVE database at MITRE. Worse yet, three days ago, as of this post, Viasat was compromised through their VPN and Quickfox was found to be leaking 1 million user records from its VPN. In September of last year, Fortinet made the news when a hacker named Orange breached the Fortinet VPN service, which contained the logins for nearly half a million users and the IP addresses of almost 13,000 devices.
So why are people still using VPNs?
CISOs and CTOs are doing the mass exodus away from VPNs, but what solutions are they going towards instead?
The continued explosion of zero trust, specifically zero trust network access (ZTNA) has created a new market of technology defined as software defined perimeter (SDP) solutions that have largely replaced VPNs. Coupling software defined microsegmentation that enables an organization to move away from flat networks to secure enclaves of systems and secure remote access leaves little reason for public discourse. It simply works and adopts a true zero trust framework where users, devices, and the data aren’t trusted; meeting the tenets of authentication and authorization. Simply being an employee or having a company-issued device doesn’t automatically grant you access to a system or its data.
SDP also finally makes segmenting large, pre-existing networks possible. Whereas historically, network administrators had to do segmentation at the switch level using pages and pages of VLAN access control lists (VACLs) or firewall rules, SDP enables administrators to implement SDP using software eliminating flat networks. The importance of this can only be told through the lens of numerous breaches, such as the infamous Target breach where the HVAC systems were on the same network segment as their point of sale (PoS) systems giving hackers the ability to deploy malware onto the PoS systems and capture credit card information for every transaction. SDP would have enabled Target to move its PoS systems into a secure enclave that could only be accessed by the systems and users that needed access to it.
The biggest threat to organizations using VPNs is account takeover (ATO) as a result of password dumps or a user being phished, especially when MFA hasn’t been coupled with the VPN. SDP solutions enable users to require MFA for every login as well as completely eliminate passwords.
Many solutions on the market expose the administrative interface to their solution, creating another attack vector using the VPN itself. If this login were to be successfully brute-forced or worse yet, guessed because the default login and password set by the vendor wasn’t changed, the solution itself can be used to compromise the network.
Maybe it’s because VPNs have become so ubiquitous today that they are still being used. I can’t think of another cybersecurity solution in the market that is still being used 22 years later despite a history of vulnerabilities and empirical data that points to breaches when a newer, faster, and more secure technology has replaced it. But for some reason, “we just love us some VPN.”
Perhaps it’s an “if it ain’t broke, don’t fix it” mindset where administrators just don’t want to replace their VPNs with something newer. Or maybe because VPNs are often offered for nearly free by their firewall vendor who has coupled their firewall technology with VPN technology. Still, I suppose the old adage “you pay for what you get” applies perfectly here in those cases.
But if a lot of what I’ve said here in this article is news to you and you’re wanting to quickly join the crowd running away from VPNs, read my white paper I recently published, In The Valley of Kings: The Rise of SDP and Fall of VPNs, which this article is largely based on, and download a free 90-day trial of BlastWave’s SDP solution here.
CVE - CVE. (n.d.). CVE at MITRE. Retrieved April 3, 2022, from https://cve.mitre.org
Stack, T. (2022, March 31). “Misconfigured” VPN used to breach Viasat satellite network, malicious commands wiped modems. The Stack. Retrieved April 3, 2022, from https://thestack.technology/viasat-attack-caused-by-misconfigured-vpn/
Bracken, B. (2021, October 20). VPN Exposes Data for 1M Users, Leading to Researcher Questioning. Threatpost. Retrieved April 3, 2022, from https://threatpost.com/vpn-exposes-data-1m/175612/