VPN vulnerabilities in products from popular vendors, such as Cisco and Pulse Secure, have recently been found...
to enable serious threats -- including remote and man-in-the-middle attacks. In light of these vulnerabilities, should organizations consider dropping VPNs altogether? If so, what VPN alternatives should they explore?
In terms of vulnerabilities, Pulse Secure LLC resolved Secure Sockets Layer (SSL) certificate validation issues for versions PULSE 5.3R4.2 and PULSE 5.2R9; however, kb.cert.org suggested that the Linux Pulse Secure client GUI should not be used on an untrusted internet network.
On Feb. 5, 2018, Cisco updated its security advisory to state that they fixed the SSL VPN -- also known as webvpn -- vulnerability in Cisco Adaptive Security Appliance software. The advisory did not acknowledge if webvpn should or should not be used on an untrusted network.
Public VPN terminals are so widely available that an attacker could find them on Shodan or through certificate transparency logs that list publicly trusted certificates from a certificate authority.
In addition to those VPN vulnerabilities, there are other issues of which enterprises should be aware. Organizations should consider dropping VPNs if a website hosting a VPN, such as PulseSecure.com, receives a very low grade from SecurityHeaders.io for not implementing the necessary HTTP security response headers. However, when a website receives a high grade, it does not guarantee that the operating system's VPN feature is protected against remote code execution and man-in-the-middle attacks.
An organization should explore VPN alternatives, such as a private physical network or application whitelisting. Private physical networks are networks between devices that exist physically rather than virtually. The network is at the physical layer with no shared virtual equipment, and the size of the network is limited by the components moving traffic from one place to another.
On the other hand, application whitelisting provides access control of approved applications and can report attempted changes to files by hackers. These applications, like AppLocker for enterprise-level Windows 10, are available free or as purchased products. However, the primary disadvantage of application whitelisting is that the software inventory of whitelisted applications can be difficult to manage in a large, geographically dispersed organization. If inventory is not managed properly, then hackers can still launch man-in-the-middle attacks.
Other VPN alternatives include Google's BeyondCorp or Cloudflare's Access, both of which use a reverse proxy approach. Instead of using VPN clients, endpoint device connections are run through platforms that authenticate the devices and secure the connections with HTTPS.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)
Dig Deeper on VPN security
Related Q&A from Judith Myerson
The Constrained Application Protocol underpins IoT networks. But the protocol could allow a threat actor to launch an attack. Continue Reading
Dutch researchers discovered flaws in ATA security and TCG Opal affecting self-encrypting drives. What steps can you take to guard data stored on ... Continue Reading
The Signal Desktop application was found to be making decryption keys available in plaintext. Learn how the SQLite database and plaintext passwords ... Continue Reading