Written by Chris Scheels on September 03, 2019
Can VPNs Survive These Latest Exploits?
The latest in a string of zero-day and difficult-to-patch exploits for traditional VPNs may be the last straw needed for enterprises to kill their VPN and deploy a Software-Defined Perimeter to secure remote and third-party access.
UPDATE (September 5, 2019): Researchers confirm that the Chinese APT5 group is attacking vulnerable VPNs that still have not been patched. The state-sponsored group is targeting two "pre-auth file read" vulnerabilities (CVE-2018-13379 and CVE-2019-11510) that enable retrieval of files from the VPN without authenticating.
Here we go again: another massive VPN security flaw has been exposed, affecting hundreds of thousands of devices and leaving companies worldwide vulnerable to attack and data exfiltration.
Some of the biggest players in the VPN market have been impacted, leading to a worldwide blanketing of code exploits in a spray-and-pray campaign targeting unpatched VPN servers. In a recent article by Ars Technica, researchers outline the exploits and ongoing attacks that have recently been detected.
This could be the final nail in the coffin of a 23-year-old technology that simply should not be in use today. With numerous limitations, such as its connect-first, authenticate-second technique, open ports, static and non-identity-centric approach, and overall complexity, paired with the recent massive security issues, it is imperative that organizations stop relying on this outdated tech.
At Black Hat, Cyxtera did several booth presentations on why it is time to replace traditional VPN technology. We spoke about how VPNs were born in a bygone era of perimeter-based security, many of the common challenges of the decades-old approach, and the security issues that accompany it. The session was so well attended that we lost count of how many VPN replacement conversations we had.
Enterprises are quickly moving to replace their traditional VPNs with Software-Defined Perimeters (SDP), a new but proven approach to secure network access, remote or otherwise. SDP was first ideated by the DoD (Department of Defense) to protect access to top secret systems. The movement to replace the VPN with SDP will only continue to escalate, especially with front-page news that continues to discredit the antiquated tech. This is why our “Kill Your VPN” t-shirts were so popular at Black Hat this year. Users, admins, and auditors alike hate the VPN, but do you know who loves the VPN? Hackers!
The reality is that, with such a dispersed workforce and resources scattered everywhere, VPN replacement should be at the top of every organization’s security to-do list. VPNs are inherently flawed and insecure, which is why it is time to Kill Your VPN with SDP.
Cyxtera has been killing VPNs with AppGate SDP for 5 years now. There is a better approach to secure network access without the inherent flaws in legacy VPN technology. To learn more, take a look at our whitepaper on “Why it’s Time to Replace the VPN”.