VPN vulnerabilities in products from popular vendors, such as Cisco and Pulse Secure, have recently been found to enable serious threats -- including remote and man-in-the-middle attacks. In light of these vulnerabilities, should organizations consider dropping VPNs altogether? If so, what VPN alternatives should they explore?
Regarding the vulnerabilities themselves, Pulse Secure LLC resolved the Secure Sockets Layer (SSL) certificate validation issues in versions PULSE 5.3R4.2 and PULSE 5.2R9; however, kb.cert.org advised that the Linux Pulse Secure client GUI should not be used on an untrusted network.
On Feb. 5, 2018, Cisco updated its security advisory to state that it had fixed the SSL VPN -- also known as webvpn -- vulnerability in Cisco Adaptive Security Appliance software. The advisory did not say whether webvpn should be used on an untrusted network.
Publicly exposed VPN endpoints are so widely available that an attacker could find them on Shodan or through certificate transparency logs, which list the publicly trusted certificates issued by certificate authorities.
Beyond those VPN vulnerabilities, there are other issues enterprises should be aware of. Organizations should consider dropping a VPN if the website hosting it, such as PulseSecure.com, receives a very low grade from SecurityHeaders.io for not implementing the necessary HTTP security response headers. A high grade, however, does not guarantee that the operating system's VPN feature is protected against remote code execution and man-in-the-middle attacks.
An organization should explore VPN alternatives such as a private physical network or application whitelisting. A private physical network is a network between devices that exists physically rather than virtually: it operates at the physical layer with no shared virtual equipment, and its size is limited by the components that move traffic from one place to another.
Application whitelisting, on the other hand, provides access control over approved applications and can report attempted changes to files by hackers. Such tools, like AppLocker for enterprise-level Windows 10, are available free or as purchased products. The primary disadvantage of application whitelisting is that the inventory of whitelisted applications can be difficult to manage in a large, geographically dispersed organization; if the inventory is not managed properly, hackers can still launch man-in-the-middle attacks.
Other VPN alternatives include Google's BeyondCorp and Cloudflare's Access, both of which use a reverse proxy approach. Instead of VPN clients, endpoint device connections are routed through a platform that authenticates the device and secures the connection with HTTPS.
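The reverse proxy approach described above, as an added example in Go that is not BeyondCorp's or Cloudflare's own code: a minimal identity-aware proxy that refuses plain HTTP, looks the caller's bearer token up in a session store (a constructed, in-memory stand-in for the identity provider) and forwards only trusted-device sessions to the internal application, asserting the identity in a header the application can rely on. The token format, the session store and the `X-Authenticated-User` header name are assumptions.

```go
package main

import (
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Session is what the access platform knows about a caller: identity and device posture.
type Session struct {
	User          string
	DeviceTrusted bool
}

// SessionStore stands in for the identity provider's token lookup (constructed, in-memory).
type SessionStore map[string]Session

// Authorize returns the session and true only for a known token on a trusted device.
func (s SessionStore) Authorize(r *http.Request) (Session, bool) {
	auth := r.Header.Get("Authorization")
	if !strings.HasPrefix(auth, "Bearer ") {
		return Session{}, false
	}
	sess, ok := s[strings.TrimPrefix(auth, "Bearer ")]
	if !ok || !sess.DeviceTrusted {
		return Session{}, false
	}
	return sess, true
}

// NewAccessProxy forwards to upstream only requests that arrived over TLS with a valid session.
func NewAccessProxy(store SessionStore, upstream *url.URL) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(upstream)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil { // never accept a session token over plain HTTP
			http.Error(w, "HTTPS required", http.StatusUpgradeRequired)
			return
		}
		sess, ok := store.Authorize(r)
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		r.Header.Del("Authorization")                   // the app never sees the token
		r.Header.Set("X-Authenticated-User", sess.User) // identity asserted by the proxy
		rp.ServeHTTP(w, r)
	})
}
```

Serve the handler with `http.ListenAndServeTLS` in front of the internal application; the application itself then only needs to trust the proxy's identity header, not handle logins or device checks.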
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)