The rise in telework due to the COVID-19 pandemic means that the use of remote access solutions has grown significantly in recent months. However, the fact that remote access solutions like virtual private networks (VPNs) are intended to provide remote workers with secure network connectivity doesn’t mean that they are actually secure. Several attack vectors against VPNs exist that cybercriminals can use to disrupt an organization’s business operations or gain access to the enterprise network themselves. As telework becomes “business as usual”, organizations need to consider modern remote access solutions that enable their employees to do their job without compromising enterprise security.
Software-defined wide-area networking (SD-WAN) and secure access service edge (SASE) are both solutions that are designed to improve upon legacy VPN solutions, in terms of both network performance and security.
Telework Surge Drives Widespread VPN Usage
The COVID-19 pandemic has had a number of different impacts on “business as usual”, and obviously one of the greatest changes that businesses face is the need to suddenly support a mostly or wholly remote workforce.
These employees working from home require access to the enterprise network in order to do their jobs. To provide it, many organizations are using the infrastructure that they already have in place, giving their employees VPN access to their networks.
As a result, the number of VPN endpoints exposed to the public Internet has increased significantly. Additionally, these VPN endpoints have become “critical infrastructure” for many businesses since they are the primary means by which employees connect to the enterprise network and complete their duties.
VPNs are a Prime Target for Cybercriminals
The combination of greater usage and increased criticality has made VPNs a common target for cybercriminals. VPNs can be targeted by a number of attacks, including:
- Credential Stuffing: A VPN endpoint exposes an authentication page for users to gain access to the service. Attackers can take advantage of this authentication page to test potential passwords for an account. If successful, the attacker has the same level of access and permissions as the legitimate user on the enterprise network.
- Distributed Denial of Service: A VPN endpoint is a single point of failure within an organization’s network and needs to be publicly accessible to do its job. A DDoS attack against this endpoint can deny legitimate users access to the VPN service and the enterprise network.
These potential attack vectors only serve to exacerbate VPNs’ existing limitations. VPNs’ poor scalability limits network performance even without a credential stuffing or DDoS attack, and the lack of integrated access control or content inspection makes VPNs a severe risk where insider threats are concerned.
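To make the credential stuffing pattern described above concrete from the defender's side, the following added example (not part of the original article) scans VPN authentication logs for one source address failing logins against many distinct accounts in a short window, then reports any account that subsequently logged in successfully from that source. The log format, field names, and thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical VPN gateway log format.
SAMPLE_LOG = """\
2020-11-02T09:14:01Z vpn-gw auth result=FAIL user=alice src=203.0.113.7
2020-11-02T09:14:03Z vpn-gw auth result=FAIL user=bob src=203.0.113.7
2020-11-02T09:14:04Z vpn-gw auth result=FAIL user=frank src=198.51.100.20
2020-11-02T09:14:06Z vpn-gw auth result=FAIL user=carol src=203.0.113.7
2020-11-02T09:14:09Z vpn-gw auth result=FAIL user=dave src=203.0.113.7
2020-11-02T09:14:12Z vpn-gw auth result=OK user=erin src=203.0.113.7
2020-11-02T09:14:30Z vpn-gw auth result=OK user=frank src=198.51.100.20
garbled line that the parser skips
"""

LINE_RE = re.compile(r"^(\S+) \S+ auth result=(OK|FAIL) user=(\S+) src=(\S+)$")

def parse(log_text):
    """Return time-sorted (timestamp, result, user, source) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # malformed lines are ignored rather than aborting the scan
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return sorted(events)

def detect_stuffing(events, window=timedelta(minutes=5), min_users=4):
    """Map each source that failed logins for >= min_users distinct accounts
    within `window` to the accounts that logged in OK from it afterwards."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        fails = [(ts, user) for ts, res, user, _ in evs if res == "FAIL"]
        for i, (start, _) in enumerate(fails):
            users = {u for ts, u in fails[i:] if ts - start <= window}
            if len(users) >= min_users:
                # A success after the burst suggests a guessed credential.
                findings[src] = sorted({u for ts, res, u, _ in evs
                                        if res == "OK" and ts >= start})
                break
    return findings

if __name__ == "__main__":
    print(detect_stuffing(parse(SAMPLE_LOG)))
```

A single user mistyping a password (frank in the sample) touches only one account and is not flagged; accounts returned for a flagged source are candidates for a forced password reset and session review.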
Exploitation of VPN Vulnerabilities Gives Attackers Initial Access
Beyond being a prime target for attack, VPN systems are also notoriously prone to vulnerabilities. If an organization has not installed the updates that patch these vulnerabilities, an attacker can exploit them to gain access to the organization’s network. From there, the attacker can take advantage of that access to install malware, steal sensitive data, or take other actions on the target network.
This type of attack has become common during the COVID-driven surge in remote work. One example of this is an attack against US government networks that combined known VPN vulnerabilities with the Zerologon vulnerability that was discovered in Windows Domain Controllers (DCs). By chaining these two vulnerabilities together, an attacker could move from having no access to the target network to complete control over it with Domain Administrator permissions.
SD-WAN Eliminates VPN Shortcomings
VPNs are a legacy remote access solution that is unscalable, insecure, and complex to configure, monitor, and maintain. SD-WAN – and its successor SASE – are designed to provide an alternative that eliminates these issues.
One of VPNs’ primary shortcomings is that they are a point-to-point connectivity solution, making them extremely unscalable. SD-WAN eliminates this issue by providing optimized routing between an array of SD-WAN appliances over multiple transport media. This ensures that traffic is routed efficiently over the corporate WAN and that additional users and locations can be easily added.
From a security perspective, the fact that a VPN is only a networking solution with no built-in security is a significant issue. This means that all VPN connections must be routed through the enterprise network for security inspection, causing major routing inefficiencies for remote users of cloud services. Secure SD-WAN, which integrates a full security stack into each SD-WAN appliance, is capable of routing traffic directly to its destination.
SASE Provides a Secure Remote Access Solution
Despite its advantages over VPNs, Secure SD-WAN has one major shortcoming. Its effectiveness is limited to the footprint of the SD-WAN network. Optimized routing and security can only be deployed where an organization has deployed an SD-WAN endpoint.
SASE, however, eliminates this issue by deploying a Secure SD-WAN solution in the cloud. Remote users can connect to a local SASE point of presence (PoP) and have their traffic optimally routed to the PoP nearest its destination. With encrypted PoP to PoP links and an integrated security stack in each PoP, this provides a secure, efficient alternative to legacy, vulnerable VPN solutions.