Cisco’s Critical VPN Vulnerability Fuels the Mandate for Software-Defined Perimeters
Written by Jason Garbis on January 31, 2018
Cisco’s critical security vulnerability in its SSL VPN solution, Adaptive Security Appliance (ASA), is the latest proof that it’s time to move beyond traditional network security.
Traditional VPNs like Cisco’s expose an open port to the internet, so that any remote user on the planet can connect to it. Due to this vulnerability, unauthenticated attackers can remotely execute code on the VPN box and potentially gain access to the corporate network.
Hundreds of thousands of these Cisco devices are deployed worldwide. And unfortunately there are no workarounds – organizations must manually identify and patch all Cisco ASA VPN servers to address this vulnerability.
Rod Soto, director of security research at JASK, told SC Media that the vulnerability is serious because the flaw means VPN devices can be probed from anywhere on the internet without the need for software or pre-existing certificates. He said:
“This is added to the fact that you can run commands via the web interface, which makes it even more dangerous. Attackers could use this to gather info on accounts, reset passwords or create their own and then access the affected companies' networks, or use routing commands to pivot from these devices or reroute traffic.”
Cloak the System from Attackers
This kind of vulnerability is exactly why organizations need to use a Software-Defined Perimeter. It addresses the perimeter-less enterprise by dynamically creating one-to-one network connections between users and the data they access.
According to Gartner*:
“Network designs that expose services and accept unsolicited connections present too much risk. Not meant for a complex and interconnected world, they're now obsolete… Favor software-defined perimeters (SDP) and other isolation technologies capable of precise, context-based, application-level access only after successful authentication.”
With an SDP, anyone attempting to access a resource must authenticate first. All unauthorized resources are invisible. This applies the principle of least privilege (or zero trust) to the network, and it dramatically reduces the attack surface.
AppGate SDP, Cyxtera’s Software-Defined Perimeter solution, includes Single-Packet Authorization that’s specifically designed to solve critical vulnerabilities that expose services such as VPNs to unauthorized users. This feature cryptographically cloaks the infrastructure so that only verified users can communicate with the system, making it invisible to port scans.
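To make the single-packet authorization idea concrete, here is an added, self-contained illustration of how such a gate behaves; it is example code written for this post, not AppGate's or any vendor's implementation, and the packet format, the pre-shared HMAC key, the user name, the IP addresses and the service names are all constructed assumptions. The gateway stays silent to everything, including port scans, until it receives one datagram whose HMAC, timestamp, nonce and source address all check out, and even then it exposes only the one service that user is authorized to reach, for a limited time.

```python
"""Illustrative single-packet authorization (SPA) gate.

A default-deny gateway answers nothing until it sees one HMAC-authenticated
datagram; a valid knock opens a narrow, time-limited, per-source allow entry.
All keys, names and addresses below are constructed for the example.
"""
import hashlib
import hmac
import json
import os
import time
from typing import Optional

WINDOW_SECONDS = 30        # accept knocks whose timestamp is at most this old
ALLOW_TTL_SECONDS = 60     # how long a successful knock keeps the service reachable
TAG_LEN = 32               # HMAC-SHA256 digest length appended to the payload


def build_spa_packet(key: bytes, user: str, client_ip: str, service: str,
                     now: Optional[float] = None) -> bytes:
    """Client side: one datagram carrying who/where/what/when plus an HMAC tag."""
    body = {
        "v": 1,
        "user": user,
        "src": client_ip,
        "svc": service,
        "ts": int(now if now is not None else time.time()),
        "nonce": os.urandom(8).hex(),       # makes each knock unique for replay detection
    }
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, raw, hashlib.sha256).digest()
    return raw + tag


class SpaGateway:
    """Server side: nothing is visible until a knock passes every check."""

    def __init__(self, keys: dict, policy: dict):
        self.keys = keys              # user -> pre-shared HMAC key (assumed provisioning)
        self.policy = policy          # user -> set of services that user may reach
        self.seen_nonces = set()      # nonces accepted inside the freshness window
        self.allow = {}               # (src_ip, service) -> expiry time

    def handle_datagram(self, packet: bytes, src_ip: str,
                        now: Optional[float] = None) -> str:
        """Return 'allow' for a valid knock, otherwise 'drop' (and send nothing back)."""
        now = now if now is not None else time.time()
        if len(packet) <= TAG_LEN:
            return "drop"                       # wrong shape: stay silent
        raw, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        try:
            body = json.loads(raw)
        except ValueError:
            return "drop"
        key = self.keys.get(body.get("user")) if isinstance(body, dict) else None
        if key is None:
            return "drop"                       # unknown user: no key, no response
        expected = hmac.new(key, raw, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "drop"                       # forged or tampered payload
        if abs(now - body["ts"]) > WINDOW_SECONDS:
            return "drop"                       # stale: replayed later or clock skew
        if body["nonce"] in self.seen_nonces:
            return "drop"                       # exact replay inside the window
        if body["src"] != src_ip:
            return "drop"                       # knock was bound to a different source
        if body["svc"] not in self.policy.get(body["user"], set()):
            return "drop"                       # authenticated, but not authorized here
        self.seen_nonces.add(body["nonce"])
        self.allow[(src_ip, body["svc"])] = now + ALLOW_TTL_SECONDS
        return "allow"

    def is_visible(self, src_ip: str, service: str, now: Optional[float] = None) -> bool:
        """What a connection attempt or port scan sees: only an open knock gets an answer."""
        now = now if now is not None else time.time()
        expiry = self.allow.get((src_ip, service))
        return expiry is not None and now <= expiry


def demo() -> dict:
    """Walk a scan, a valid knock, a replay, a tampered knock and an expiry at fixed times."""
    key = b"constructed-demo-psk-not-a-real-secret"   # constructed for the example
    gw = SpaGateway(keys={"alice": key}, policy={"alice": {"ssh-bastion"}})
    t0 = 1_700_000_000.0
    results = {}
    results["scan_before"] = gw.is_visible("203.0.113.10", "ssh-bastion", t0)
    pkt = build_spa_packet(key, "alice", "203.0.113.10", "ssh-bastion", now=t0)
    results["valid"] = gw.handle_datagram(pkt, "203.0.113.10", t0)
    results["visible_after"] = gw.is_visible("203.0.113.10", "ssh-bastion", t0 + 5)
    results["other_ip_still_dark"] = gw.is_visible("198.51.100.7", "ssh-bastion", t0 + 5)
    results["replay"] = gw.handle_datagram(pkt, "203.0.113.10", t0 + 10)
    tampered = pkt.replace(b'"svc":"ssh-bastion"', b'"svc":"db-admin"')
    results["tampered"] = gw.handle_datagram(tampered, "203.0.113.10", t0 + 1)
    pkt2 = build_spa_packet(key, "alice", "203.0.113.10", "db-admin", now=t0 + 2)
    results["unauthorized_service"] = gw.handle_datagram(pkt2, "203.0.113.10", t0 + 2)
    results["expired"] = gw.is_visible("203.0.113.10", "ssh-bastion", t0 + ALLOW_TTL_SECONDS + 1)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the design is that every failing check ends in silence rather than an error reply, so an unauthenticated scanner cannot even learn that a gateway is listening, and a successful knock opens exactly one (source, service) pair rather than the whole network. Production SPA implementations add encryption of the payload on top of the HMAC and bound the nonce cache to the freshness window; the example keeps only the authorization and replay logic to show the mechanism.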
Software-Defined Perimeter: A Matter of When, Not If
If a widely deployed security product from a well-regarded company can have such a vulnerability, imagine the other unknown vulnerabilities that exist in all your other internet-facing services.
The fundamentally open nature of TCP/IP is a risk that security organizations must overcome - now. The Software-Defined Perimeter is no longer a nice-to-have. It’s a practical and proven alternative for organizations that rely on VPNs to gate access to their network.
*Gartner, It's Time to Isolate Your Services from the Internet Cesspool, Refreshed: 17 November 2017 | Published: 30 September 2016