In the quarter century that they have been around, VPNs (virtual private networks) have become an increasingly crucial part of critical online infrastructure. While personal VPNs for protecting browsing history and providing online anonymity have become extremely popular, so too are business or corporate VPNs targeting the enterprise market.
These latter VPNs refer to private network services for the use of enterprise customers, primarily for the purpose of accessing files or systems on office networks from remote locations. These remote access VPN solutions have, unsurprisingly, experienced a boom in popularity over the past 18 months while the coronavirus pandemic has swept the world. But while they have been a positive game-changer for businesses, they have also opened up new kinds of potential disruption. And not the “good” kind of disruption that tech experts like to get excited about.
Targeting VPN Vulnerabilities
Unfortunately, like any technology that suddenly proves its value to legitimate users, bad actors are ready and waiting to exploit VPNs in a way that can cause harm. Specifically, that means exploiting VPN vulnerabilities to plant backdoors, trojans, and web shells that give an attacker remote access to and control of a web server, including the ability to execute arbitrary commands.
For example, at least a couple of major hacking groups have deployed malware designed to exploit vulnerabilities found in embattled VPN provider Pulse Connect Secure’s virtual private network solutions. By exploiting vulnerabilities such as the critical remote code execution flaw CVE-2021-22893 — which has been rated as a 10/10 in terms of its threat severity level — they have attempted to infiltrate U.S. defense companies. The attacks have been linked with China-backed groups.
The Patching Problem
Thanks to over-the-air updates, it’s now easier to solve software security problems. Once a vulnerability has been discovered, it can be “patched” with an update that plugs that particular vulnerability and leaves it no longer open to exploitation. However, this relies on the responsible party issuing a patch in a timely manner. Zero-day vulnerabilities, referring to vulnerabilities that are exploited before the developer is aware of the flaw, can leave developers scrambling to solve the problem. There will then be a delay while they develop a patch or push out a workaround that solves the problem.
But even when this is done it is not necessarily the end of the story. There have been ongoing attempts by bad actors to exploit vulnerabilities which have been disclosed and patched — some more than a year ago. Of the four Pulse Connect vulnerabilities currently being exploited, three have been known for some time and have patches that are readily available.
The issue is that, even when a vulnerability has been patched, this still relies upon end users paying attention and installing the necessary patches. Good practice may be to stay on top of every security patch that is issued, but this is not always possible. Patching can be difficult due to the number of patches and, in some cases, the complexity of applying them. In short, patch-based vulnerability management isn’t working.
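The gap the article describes between a fix being published and a fix being installed is something a defender can measure. The script below is an added example, not code from the article or from any VPN vendor: it cross-checks a constructed inventory of VPN gateways (placeholder hostnames and firmware versions) against a constructed advisory list (placeholder CVE ids, fixed versions and disclosure dates), reports every device still missing a fix together with how many days that fix has been public, and singles out the "known for more than a year" cases. The version format, advisory ids and dates are all assumptions made up for the illustration.

```python
"""Patch-gap check for a fleet of VPN gateways.

Added illustration, not vendor code. Every identifier, version number and date
below is a constructed placeholder; the real advisories for any given product
come from the vendor's own bulletins.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    cve: str             # placeholder id, deliberately not a real CVE number
    fixed_version: str   # first firmware version that carries the fix (placeholder)
    disclosed: date      # date the advisory and fix became public (placeholder)


@dataclass(frozen=True)
class Gateway:
    name: str            # placeholder hostname
    version: str         # firmware version currently installed
    last_patched: date   # when an operator last updated it


@dataclass(frozen=True)
class Exposure:
    gateway: str
    cve: str
    days_open: int       # days the fix has been public while this device still lacks it


def parse_version(text: str) -> tuple:
    """Split a dotted version string into ints so it compares numerically, not lexically."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable(installed: str, fixed: str) -> bool:
    """True when the installed version is older than the first fixed version.

    Both tuples are zero-padded to the same length so '9.1' and '9.1.0' compare equal
    rather than '9.1' sorting as older.
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def find_exposures(gateways, advisories, today: date):
    """Cross every gateway against every advisory; one Exposure per missing fix."""
    found = []
    for gw in gateways:
        for adv in advisories:
            if is_vulnerable(gw.version, adv.fixed_version):
                found.append(Exposure(gw.name, adv.cve, (today - adv.disclosed).days))
    return found


def stale_exposures(exposures, max_days: int = 365):
    """Exposures whose fix has been public for longer than max_days."""
    return [e for e in exposures if e.days_open > max_days]


# Constructed sample data (placeholders, not real product versions or advisories).
ADVISORIES = [
    Advisory("CVE-0000-0001", "9.1.11", date(2021, 4, 20)),
    Advisory("CVE-0000-0002", "9.0.5", date(2020, 1, 15)),   # fixed well over a year ago
    Advisory("CVE-0000-0003", "9.1.12", date(2021, 5, 3)),
]
GATEWAYS = [
    Gateway("vpn-gw-nyc", "9.1.10", date(2021, 3, 1)),
    Gateway("vpn-gw-lon", "9.1.12", date(2021, 5, 10)),      # fully patched
    Gateway("vpn-gw-sgp", "9.0.4", date(2020, 2, 15)),       # untouched since early 2020
]
TODAY = date(2021, 6, 1)

if __name__ == "__main__":
    exposures = find_exposures(GATEWAYS, ADVISORIES, TODAY)
    for e in exposures:
        print(f"{e.gateway}: missing fix for {e.cve}, public for {e.days_open} days")
    for e in stale_exposures(exposures):
        print(f"STALE (>1 year): {e.gateway} / {e.cve}")
```

The useful output is not the list of exposures itself but its age distribution: a device that is missing a fix published last week is a scheduling problem, while one still missing a fix published over a year ago is exactly the situation the article warns about, and is the line to feed into whatever alerting or ticketing the team already uses.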
VPNs have become increasingly relied upon during the pandemic. But this has also highlighted some of their weaknesses. The number of stolen VPN credentials implicated as part of large-scale data breaches, and the growing number of CVEs (Common Vulnerabilities and Exposures) discovered each year for VPNs, show how this technology is not necessarily an optimal solution. So too does the opportunity for malware attacks involving VPNs. While the VPN tunnel — referring to the way that VPNs route traffic over a certain path — is encrypted, traffic that travels in those tunnels is not inspected for threats such as malware. This has the potential to be extremely problematic.
These aren’t the only challenges organizations face with VPNs. Scaling VPN capacity to support much larger proportions of their workforce working remotely has been a big problem during the pandemic. This rapid increase in VPN usage has made it tough to provide the requisite VPN links to allow for continuous connectivity with the explosive growth of remote sites that have to be served.
So, what do you do when you want the benefits VPN affords, but without the negatives? When it comes to simplifying security management, the best option available may well be SASE. Short for Secure Access Service Edge, and pronounced “sassy,” SASE was introduced by Gartner in mid-2019 as a new, cloud-native architectural framework designed to offer secure global connectivity to all users in all locations.
A Great Alternative to VPN
SASE serves as an ideal alternative to VPN. Combining VPN, firewall-as-a-service, data loss prevention, antivirus and malware inspection, Secure Web Gateways, Cloud Access Security Brokers, and SD-WAN — all delivered via a single cloud service at the network edge — SASE offers optimized connectivity, scalable access, and built-in protection against threats. Being built on top of Points of Presence (PoPs) distributed around the world, it can deliver a plethora of decentralized security and networking services to any number of users working remotely — with no need for VPN concentrators or regional hubs.
These PoPs are connected with a private backbone for optimal routing from edge to application. Since every bit of traffic is passed through a full network security stack, it also incorporates security tools such as multi-factor authentication (MFA), full access control, and other modes of threat prevention. Admins are afforded consistent visibility and are able to control all traffic that passes throughout the enterprise WAN.
As a managed service, SASE can greatly simplify vulnerability management. It’s been a game-changer for network security and, only a couple of years old, it’s just getting started. The benefits that tools like VPN bring are clear for all to see. But there are challenges as well. SASE offers many of the same benefits to the end user, but with none of the downsides. That’s a win-win for all involved.