To VPN or Not to VPN?
27 October 2020

Over the past few years, VPN vulnerabilities have been in the spotlight and talked about everywhere. There is always some vulnerability being abused by opportunists and criminals, yet VPNs remain the remote-access solution of choice across the globe. The main risk lies in how VPNs work, which hasn’t changed in 20 years: they extend the network boundary out to the user’s device and connect it as if it were physically on the network. Trust is implicit in the solution, which presents a problem: in a modern world with numerous devices and users connecting at all hours, who or what should we trust?

Zero-trust is rapidly becoming the new paradigm because of this overexposure and the broad attack surface these legacy solutions allow. With zero-trust, the user is verified first, and only then connected to the network – something a VPN was never designed to do. VPNs should still be used, but steps must be taken to ensure secure VPN deployment. It is highly recommended to consult the security advice published by your local governing bodies[1] on how to manage your VPN remote-access technologies.

The following recommendations are a good place to start:

  •  Make sure your VPN solutions are patched and up to date, both at the gateway side and at the client side.
  •  Ensure VPN platform configurations haven’t changed, including the SSH authorized-keys files.
  •  Monitor and analyze your VPN logs regularly.
  •  Make sure the accounts you’re using on your VPN gateway are isolated from your domain-authenticated accounts.
  •  Add multi-factor authentication (MFA) to your VPN solutions so that a stolen or guessed account password alone is not enough to break in.
  •  Include device authentication when authenticating users.
  •  If possible, limit the ports exposed by your VPN to only those ports that need to be used.
  •  Enable split tunneling when users are finally connected to the network so that external networks are not directly exposed to the sensitive internal protected networks.
  •  Terminate your VPN connection in the DMZ so that full analysis and inspection can take place.
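As an added example (not code from the original article or from Safe-T), the second recommendation can be automated with a drift check that hashes the gateway configuration files against a stored baseline and, for the SSH authorized_keys file, reports the exact key entries that were added or removed; the file paths and key blobs below are constructed placeholders.

```python
# Added example, not code from the original article: a drift check for a VPN
# gateway's configuration and SSH authorized_keys files (second bullet above).
# File paths and key blobs below are constructed placeholders.
import hashlib

def key_entries(authorized_keys: bytes) -> set:
    """{(key_type, key_blob)} from authorized_keys text, skipping comments and
    any leading options field, so a report can name the exact key that appeared."""
    entries = set()
    for line in authorized_keys.decode("utf-8", "replace").splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        for i, field in enumerate(parts[:-1]):
            if field.startswith(("ssh-", "ecdsa-", "sk-")):
                entries.add((field, parts[i + 1]))
                break
    return entries

def baseline(files: dict) -> dict:
    """SHA-256 per file, plus the key set of any authorized_keys file. Store the
    result off the gateway so an intruder cannot rewrite it along with the files."""
    return {p: {"sha256": hashlib.sha256(d).hexdigest(),
                "keys": key_entries(d) if p.endswith("authorized_keys") else None}
            for p, d in files.items()}

def drift(expected: dict, current: dict) -> dict:
    """Diff current file contents against a stored baseline."""
    report = {"added": [], "removed": [], "changed": [], "keys_added": [], "keys_removed": []}
    for path in sorted(set(expected) | set(current)):
        if path not in current:
            report["removed"].append(path)
        elif path not in expected:
            report["added"].append(path)
        elif hashlib.sha256(current[path]).hexdigest() != expected[path]["sha256"]:
            report["changed"].append(path)
            if expected[path]["keys"] is not None:  # explain the change key by key
                now = key_entries(current[path])
                report["keys_added"] += sorted(now - expected[path]["keys"])
                report["keys_removed"] += sorted(expected[path]["keys"] - now)
    return report

# Constructed sample: baseline at deployment, then a snapshot where the MFA
# setting was weakened and an unexpected key was appended to authorized_keys.
GOOD = {"/etc/vpn/gateway.conf": b"listen 443\nmfa required\n",
        "/root/.ssh/authorized_keys": b"# ops team\nssh-ed25519 AAAA_PLACEHOLDER_1 ops@jumphost\n"}
LATER = {"/etc/vpn/gateway.conf": b"listen 443\nmfa optional\n",
         "/root/.ssh/authorized_keys": GOOD["/root/.ssh/authorized_keys"]
         + b'from="203.0.113.9" ssh-rsa AAAA_PLACEHOLDER_2 unknown\n'}
```

Run `drift(baseline(GOOD), LATER)` to see both files flagged as changed and the appended ssh-rsa entry listed under keys_added.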

While a good place to start, the above list is just that – a start. Attacks increase in volume every day, making clear that a VPN on its own is no longer enough. Safe-T delivers a solution called ZoneZero, which adds this level of control to your existing infrastructure to enhance your VPN, enable true multi-factor and continuous authentication for your service-consumption sessions, and grant each individual session on a positive-authentication basis at the point of consumption, and for that consumption. ZoneZero achieves this clientless, with seamless integration into your infrastructure, minimal intrusion and the quickest set-up time in the industry; typically, services are deployed into production in under 2 hours.

One of the most important actions mentioned above involves adding MFA to your VPN solutions to enhance and improve your security. This is critical to protect all your applications, both legacy as well as new services. Most, if not all, legacy applications are not MFA-ready. When choosing an MFA, you are typically limited to only one MFA because it is bound to your IdP. ZoneZero enhances MFA, making it true Multi-Factor Authentication so that you can use it with all your applications and services (those supporting MFA and those that don’t). It can be used regardless of where the services are hosted, or the users are located. It can be applied when you choose to use it and not just at the beginning of a session, delivering continuous authentication.

Additionally, you will want to reduce your attack surface and lateral movement within your IT infrastructure by exposing services only when they are being used by authorized users. This is done by adopting a “least access privilege” model, and strictly enforcing access control in which all traffic is logged and inspected to ensure all resources are accessed securely regardless of their location. This is Zero Trust Network Access (ZTNA), an approach that considers all traffic a threat unless determined otherwise (i.e., everything starts with zero-trust). This prevents most risks you would typically face in an IT environment and allows you to move forward with a higher degree of IT and business agility.

Adopt a least-access privilege model and strictly enforce access control while inspecting and logging all traffic to ensure all resources are accessed securely regardless of location – this can only be achieved with ZoneZero’s zero-trust network access (ZTNA) solution.


Original article from: Safe-T
