Two recent, widely reported vulnerabilities in VPN gateways and enterprise firewalls show that even these time-tested security products are not immune to exploitation.
At the beginning of October, the US National Security Agency (NSA) issued a warning urging administrators to patch older, already-known vulnerabilities that were being actively exploited. The vulnerabilities were allowing “remote arbitrary file downloads and remote code execution on Pulse Connect Secure and Pulse Policy Secure gateways,” the agency warned. Additional vulnerabilities allowed encrypted traffic sessions to be intercepted or hijacked. The agency noted that exploit code was publicly available online through the Metasploit Framework and GitHub, and that malicious cyber actors were actively using it.
In another instance, a well-known vendor announced that they were fixing a vulnerability in their firewall appliances which might allow an attacker to gain access to a company’s internal network without a password.
One respected media outlet explained that the vulnerability allowed “an attacker to remotely gain ‘root’ permissions on a vulnerable device, giving them the highest level of access, by sending malicious commands across the internet.” This kind of attack targets the web-based management interface of the firewall’s operating system, which is exposed to anyone who can reach the appliance.
Protecting Enterprise Remote Access
Best practice for protecting and securing access to the enterprise starts with keeping all security software, including the software running on gateway and firewall appliances, up to date. Vendors provide updates for known vulnerabilities, and applying them promptly is the first step in preventing bad actors from exploiting those vulnerabilities.
A better approach is to move the firewall and VPN to the cloud. Choosing SaaS products makes the vendor, rather than the organization’s IT team, responsible for updates. When the IT team owns updates, the vendor has to develop a patch, package it, and distribute it to the enterprise and all of its other customers, each of which then has to find time for someone to deploy and test it. This is a complicated and error-prone process that can take days or weeks to complete, leaving the business exposed to exploits in the meantime and creating costly, disruptive downtime. With a SaaS solution, patches can be deployed as soon as the vendor is alerted to a vulnerability, in a way that is transparent to users and effortless for IT. In an ideal setup, the software on user devices (e.g. agents) is also as simple as possible, requiring infrequent upgrades and minimal maintenance from the IT team.
The best and most efficient option is to upgrade the VPN to a Software-Defined Perimeter (SDP), which redefines the perimeter: instead of being tied to physical offices and data centers, it follows the user and their device wherever they go.
SDP Changes the Game from the Cloud
SDP grants access to each specific application, not to a whole network. This is a major security advantage over VPNs, which typically give a connected user open access to broad sections of the enterprise network. SDP lets a company define granular policies that associate specific employees or contractors with exactly the applications and services they actually need. With SDP, each employee’s or contractor’s device is assigned an authenticated, unique identity that is continuously verified and authorized for every packet in real time. Only the resources a given employee or contractor is authorized to access are visible to that individual; everything else remains invisible, which shrinks the attack surface.
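To make the contrast concrete, here is an added example (not Proofpoint’s or Meta Networks’ code) that models the two access styles described above in a few dozen lines of Python. The users, groups, applications, policies, addresses and session limit are all constructed for illustration. The SDP-style evaluator authorizes per application on every request, re-checking identity, device state and session freshness, and enumerates only the applications the caller may reach; the VPN-style model grants a network prefix once at connect time, after which any host inside it is reachable regardless of which application it runs.

```python
"""Per-application (SDP-style) versus per-network (VPN-style) access, as a toy
policy engine. Added example for illustration; all identities, apps and
policies below are constructed, not taken from any real deployment."""
import ipaddress
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset          # directory groups the user belongs to
    device_managed: bool       # True for a corporate-managed device
    authenticated_at: float    # epoch seconds of the last successful authentication


# Constructed SDP policy: which groups may reach each app, and whether an
# unmanaged (BYOD / contractor) device is acceptable. Apps not listed here
# are denied by default and are never shown to the user.
APP_POLICY = {
    "crm":        {"groups": {"sales"},              "allow_unmanaged": True},
    "payroll":    {"groups": {"finance"},            "allow_unmanaged": False},
    "git":        {"groups": {"eng", "contractors"}, "allow_unmanaged": True},
    "prod-admin": {"groups": {"sre"},                "allow_unmanaged": False},
}

# Assumed session policy: force re-authentication after eight hours.
MAX_SESSION_AGE = 8 * 3600


def sdp_authorize(identity, app, now=None):
    """Decide one request. Returns (allowed, reason).

    Called on every request rather than once at connect time, so a stale
    session or a change in device state is caught on the next access."""
    now = time.time() if now is None else now
    policy = APP_POLICY.get(app)
    if policy is None:
        return False, "unknown app"                     # default deny
    if now - identity.authenticated_at > MAX_SESSION_AGE:
        return False, "session stale, re-authenticate"
    if not (identity.groups & policy["groups"]):
        return False, "group not authorized"
    if not identity.device_managed and not policy["allow_unmanaged"]:
        return False, "unmanaged device not permitted"
    return True, "ok"


def sdp_visible_apps(identity, now=None):
    """Only apps the identity is authorized for are enumerated; the rest stay dark."""
    return sorted(app for app in APP_POLICY if sdp_authorize(identity, app, now)[0])


# VPN-style model for contrast: a group maps to a routed prefix at connect
# time, and every host inside that prefix is reachable afterwards, whatever
# application happens to live there (constructed addresses).
VPN_GRANT = {"sales": ipaddress.ip_network("10.20.0.0/16")}


def vpn_reachable(identity, host_ip):
    addr = ipaddress.ip_address(host_ip)
    return any(addr in VPN_GRANT[g] for g in identity.groups if g in VPN_GRANT)


if __name__ == "__main__":
    now = time.time()
    alice = Identity("alice", frozenset({"sales"}), True, now - 60)
    print("alice sees:", sdp_visible_apps(alice, now))          # ['crm']
    print("alice -> payroll:", sdp_authorize(alice, "payroll", now))
    # With a VPN grant, a payroll host in the sales prefix is reachable anyway.
    print("alice reaches 10.20.5.7 over VPN:", vpn_reachable(alice, "10.20.5.7"))
```

The point the example makes is structural rather than cryptographic: in the VPN model the authorization decision is made once, at the network layer, while in the SDP model it is made per application and per request, so a compromised credential or device buys far less.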
VPN appliance configuration can also be quite complex – especially for organizations with multiple data centers and clouds. SDPs significantly simplify management, maintenance, and availability processes. Administrators only need one cloud console to manage the access policies for all enterprise cloud or datacenter resources.
SDPs also make user onboarding easier and allow clientless web-based access for contractors and unmanaged personal devices.
In general, SDPs enable a more consistent and reliable user experience and easy, transparent, worldwide access compared to VPNs. From the IT perspective, an SDP solution offers central policy management for all applications and data.
By enforcing “need to know” access through the zero-trust approach of a cloud-delivered SDP, organizations get the heightened security, freedom from appliance patching cycles, and reduced risk and cost that today’s competitive enterprises need and that traditional VPNs can no longer deliver.
About the Author
Micha Rave is the Senior Director of Zero-Trust Product Management for Proofpoint and former VP of Products of Meta Networks. Mr. Rave is an experienced strategic product manager and team leader with substantial experience managing innovative product lines such as Proofpoint’s Software-Defined Perimeter (SDP) platform.