Cyxtera Blog: Appgate

Written by Justin Yentile on June 13, 2019

Your VPN Is an Insecure Liability

VPN authentication and encryption methods can be easily intercepted and bypassed, allowing malicious actors to gain control over an organization's networks. Employing a Software-Defined Perimeter provides safety and security when accessing your organization's sensitive information.


The VPN was first deployed in the ‘90s to connect remote users and systems to an enterprise network in a manner that was safe from prying eyes. It served as a bridge over the murky water that is “the public internet”. Though modern protocols and standards (SSL VPN with AES-256 encryption, for example) are used today, the VPN’s original purpose remains the same.

Until recently, when security practitioners and executives questioned whether the VPN was secure, the universal response was “yes” because of its authentication and encryption methods. But these methods can be intercepted and bypassed, especially as attacks grow more sophisticated. In 2016, Gartner predicted that by 2021, 60% of enterprises’ network VPNs would be replaced by Software-Defined Perimeters (SDP).

When investigating if a VPN is secure, organizations must start with a fundamental statement that should always be assumed to be true: malicious actors want to break into your network to disrupt your business, steal your data, or cost you money. Here are two scenarios in which a VPN becomes one of the biggest liabilities in a network.

1) The Hooded Hacker in the Shadows

In order to defend against attackers, you have to think like an attacker. If an attacker has an interest in your assets, they might start with a little recon in the form of a port scan to discover the compute resources exposed at the perimeter of your network. One of the open ports the attacker will find without fail is your VPN solution — which responds to any device that attempts to connect to it. The malicious actor will be eager to exploit this frequently vulnerable entry point to gain access to every single node on your network. Even if there are no unpatched vulnerabilities in your VPN solution, the attacker now knows the IP address and listening ports of your VPN concentrator/appliance. This makes your organization susceptible to a DDoS attack at the very least. Depending on this hooded hacker’s intentions, a simple but costly DDoS disruption to your business just might do the trick in the short term.

2) The Opportunist at the Coffee Shop

Picture an employee: loyal, but carefree; motivated, but naïve; working hard at the coffee shop, but lacking caffeine. In the midst of their VPN-enabled remote working session, they unwittingly leave their laptop screen unlocked to refill their macchiato. The stranger beside them saw an opportunity and seized it. This coffee shop opportunist then snuck out the door with the laptop and is now sitting in the parking lot — still connected to the employee’s VPN. That VPN probably grants its users far more access to resources than they actually need to do their jobs, because VPNs are difficult to administer and so are often configured to grant broad access to entire subnets.

Is My Institution’s VPN Secure?

After considering the two possible malicious actor scenarios, you may be wondering how secure your institution’s VPN truly is. Consider asking yourself the following questions:

1. Is your organization’s VPN invisible to unverified users and devices?

(If not, then it can be easily attacked or made unavailable by a malicious entity.)

2. Does your organization allow users to access entire subnet(s) of resources?

(If yes, then your organization’s potential attack surface is too large, making you an incredibly susceptible target.)

3. Is your organization’s overall access based on static IP addresses? 

(If so, then what happens when IPs change? How are new resources added or removed? Static IP-based access leads to numerous security holes down the road and an immense amount of manual intervention.)

Should User X Have Access to the Production Server?

The VPN cannot evaluate advanced requirements; it operates by merely permitting or denying a connection without any context. For example, when asked whether User X should be granted access to a production database server, the VPN can only answer yes or no.

In contrast, a proactive solution should respond with “it depends” based on business-specific conditions. The proactive solution would ask: Is User X’s machine patched? What time of day is it? Should User X be working on this project? Where is User X? What is User X’s current security posture? Does User X have the right SAP credentials?

This is only a small subset of questions that solutions should be asking before allowing User X access to a critical resource – questions that the VPN is unable to answer.
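To make the “it depends” idea concrete, here is an added example (not code from this post or from AppGate) of a small context-aware policy engine. It evaluates the questions the paragraph above lists: project assignment, device patch age, time of day, location and SAP credentials. The resource name, policy fields and sample contexts are constructed for the example and are not AppGate SDP's policy format; the engine defaults to deny and reports every failed condition rather than a bare yes/no.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AccessContext:
    """Everything the engine knows about one request (all fields are constructed inputs)."""
    user: str
    resource: str
    request_time: datetime          # local time of the request
    country: str                    # where the user is
    device_patch_age_days: int      # days since the device was last patched
    device_disk_encrypted: bool     # part of the device's security posture
    projects: Tuple[str, ...]       # projects the user is assigned to
    has_sap_credentials: bool       # does the user hold the required SAP credentials?


@dataclass(frozen=True)
class ResourcePolicy:
    """Business-specific conditions for one resource (hypothetical policy shape)."""
    required_project: str
    allowed_countries: Set[str]
    work_hours: Tuple[int, int]     # [start_hour, end_hour) in local time
    max_patch_age_days: int
    require_disk_encryption: bool
    require_sap_credentials: bool


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


# Constructed sample policy for a hypothetical production database.
POLICIES: Dict[str, ResourcePolicy] = {
    "prod-db": ResourcePolicy(
        required_project="payments",
        allowed_countries={"US", "CA"},
        work_hours=(7, 20),
        max_patch_age_days=30,
        require_disk_encryption=True,
        require_sap_credentials=True,
    ),
}


def evaluate(ctx: AccessContext) -> Decision:
    """Answer 'should this user reach this resource right now?' with reasons; default deny."""
    policy = POLICIES.get(ctx.resource)
    if policy is None:
        return Decision(False, [f"no policy for {ctx.resource}: default deny"])

    failures: List[str] = []
    if policy.required_project not in ctx.projects:
        failures.append(f"{ctx.user} is not assigned to project {policy.required_project}")
    if ctx.country not in policy.allowed_countries:
        failures.append(f"request from {ctx.country} is outside the allowed countries")
    start, end = policy.work_hours
    if not (start <= ctx.request_time.hour < end):
        failures.append(f"{ctx.request_time:%H:%M} is outside work hours {start:02d}:00-{end:02d}:00")
    if ctx.device_patch_age_days > policy.max_patch_age_days:
        failures.append(f"device last patched {ctx.device_patch_age_days} days ago "
                        f"(max {policy.max_patch_age_days})")
    if policy.require_disk_encryption and not ctx.device_disk_encrypted:
        failures.append("device disk is not encrypted")
    if policy.require_sap_credentials and not ctx.has_sap_credentials:
        failures.append("user lacks the required SAP credentials")

    # Every condition must hold; any failure denies, and the reasons are returned for auditing.
    return Decision(not failures, failures or ["all conditions met"])


if __name__ == "__main__":
    # Constructed request: User X at 10:30 from the US on a recently patched, encrypted laptop.
    request = AccessContext("userx", "prod-db", datetime(2019, 6, 13, 10, 30), "US",
                            5, True, ("payments",), True)
    print(evaluate(request))
```

A VPN that only knows an IP and a password can answer none of these questions; a policy engine like this one answers all of them per request, and the same request evaluated at 23:00 from an unpatched device is denied with both reasons listed.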

Software-Defined Perimeters for Modern IT

Stop the VPN from hindering your organization’s future security and success. Adopt a Software-Defined Perimeter: a proactive solution that has the ability to answer questions based on specific conditions.

Let’s introduce the benefits of employing AppGate SDP, the world’s most comprehensive software-defined perimeter.

  • Designed around the user, not an IP address, AppGate SDP builds a multi-dimensional profile of a user and device, seamlessly integrating with existing directory services and IAM solutions.
  • Enforcing Zero Trust, AppGate SDP applies the principle of least privilege to the network and sharply reduces the attack surface. By default, users are not allowed to connect to anything. Zero Trust ensures that once the proper access criteria are met, a dynamic one-to-one connection is generated from the user's machine to the specific resource needed. All unauthorized resources remain completely invisible and secure.
  • Utilizing Single-Packet Authorization (SPA) technology, AppGate SDP is able to cloak the infrastructure so that only verified users can communicate with the system. This makes it invisible to port scans, and the authorization packet is cryptographically hashed for additional defense. Gateways and Controllers are completely cloaked so they cannot be probed, scanned, or attacked. This significantly reduces the network attack surface, thwarting network reconnaissance and limiting lateral movement.
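The SPA bullet above describes the defensive property (the gateway stays silent to anyone who has not sent a valid packet). The following is an added example, not AppGate's implementation or wire format, of how a gateway can enforce that property: each client sends one packet carrying a timestamp, a random nonce and its client id, authenticated with an HMAC-SHA256 over a pre-shared key. The gateway silently drops anything that fails to parse, carries a bad tag, is stale, or replays a nonce, so a port scan gets no reply at all. The header bytes, field layout, 30-second window and the sample key are all assumptions made for this example.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional

HEADER = b"SPA1"          # constructed magic bytes, not a real protocol identifier
WINDOW_SECONDS = 30       # how far a packet's timestamp may drift from gateway time
TAG_LEN = 32              # HMAC-SHA256 output length
MIN_LEN = len(HEADER) + 8 + 16 + 2 + TAG_LEN   # header + ts + nonce + id length + tag


def build_spa_packet(client_id: bytes, key: bytes,
                     now: Optional[int] = None, nonce: Optional[bytes] = None) -> bytes:
    """Client side: one authenticated packet. Layout is an assumption for this example."""
    ts = int(time.time()) if now is None else now
    nonce = os.urandom(16) if nonce is None else nonce
    body = HEADER + struct.pack("!Q", ts) + nonce + struct.pack("!H", len(client_id)) + client_id
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class SpaGateway:
    """Gateway side: returns the client id on success, None (silent drop) otherwise."""

    def __init__(self, keys: Dict[bytes, bytes]):
        self.keys = keys                       # client id -> pre-shared key
        self.seen_nonces: Dict[bytes, int] = {}  # nonce -> timestamp, for replay rejection

    def handle_packet(self, packet: bytes, now: Optional[int] = None) -> Optional[str]:
        now = int(time.time()) if now is None else now
        # Drop old nonces first: anything outside the window is already rejected as stale.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items()
                            if now - t <= WINDOW_SECONDS}

        # 1. Structural checks. Every failure path returns None with no response sent.
        if len(packet) < MIN_LEN or packet[:4] != HEADER:
            return None
        ts = struct.unpack("!Q", packet[4:12])[0]
        nonce = packet[12:28]
        cid_len = struct.unpack("!H", packet[28:30])[0]
        body_end = 30 + cid_len
        if len(packet) != body_end + TAG_LEN:
            return None
        cid, body, tag = packet[30:body_end], packet[:body_end], packet[body_end:]

        # 2. Authenticate before trusting any field; unknown ids get no reply either.
        key = self.keys.get(cid)
        if key is None:
            return None
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):   # constant-time comparison
            return None

        # 3. Freshness and replay protection: a captured packet cannot be reused.
        if abs(now - ts) > WINDOW_SECONDS or nonce in self.seen_nonces:
            return None
        self.seen_nonces[nonce] = ts

        # Only now would the gateway open a one-to-one path for this client.
        return cid.decode("utf-8", errors="replace")


if __name__ == "__main__":
    key = b"constructed-pre-shared-key-32by!"   # sample key for the demo only
    gateway = SpaGateway({b"alice": key})
    pkt = build_spa_packet(b"alice", key)
    print("valid packet   ->", gateway.handle_packet(pkt))       # alice
    print("replayed packet->", gateway.handle_packet(pkt))       # None
    print("scanner probe  ->", gateway.handle_packet(b"\x00" * 64))  # None
```

The important design choice is that every rejection is silent: the gateway never answers a probe, a malformed packet or a replay, so from the network's point of view nothing is listening until a correctly authenticated packet arrives. A production implementation would also bind the packet to the client's source address and rotate keys, which this example omits.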

Do not allow your institution, employees, and clients to continue to be susceptible to malicious actors through the false security of a VPN. It is time to enlist in a reliable proactive solution: Software-Defined Perimeter.

Want to learn more about killing your VPN? Take a look at this webinar that showcases how Verdant replaced its industry-leading VPN with AppGate SDP.