Q
Problem solve Get help with specific problems with your technologies, process and projects.

What VPN alternatives should enterprises consider using?

VPN vulnerabilities in products from popular vendors were recently found to enable serious threats. Discover how detrimental these threats are and alternatives to the use of VPNs.

VPN vulnerabilities in products from popular vendors, such as Cisco and Pulse Secure, have recently been found...

to enable serious threats -- including remote and man-in-the-middle attacks. In light of these vulnerabilities, should organizations consider dropping VPNs altogether? If so, what VPN alternatives should they explore?

In terms of vulnerabilities, Pulse Secure LLC resolved Secure Sockets Layer (SSL) certificate validation issues for versions PULSE 5.3R4.2 and PULSE 5.2R9; however, kb.cert.org suggested that the Linux Pulse Secure client GUI should not be used on an untrusted internet network.

On Feb. 5, 2018, Cisco updated its security advisory to state that they fixed the SSL VPN -- also known as webvpn -- vulnerability in Cisco Adaptive Security Appliance software. The advisory did not acknowledge if webvpn should or should not be used on an untrusted network.

Public VPN terminals are so widely available that an attacker could find them on Shodan or through certificate transparency logs that list publicly trusted certificates from a certificate authority.

In addition to those VPN vulnerabilities, there are other issues of which enterprises should be aware. Organizations should consider dropping VPNs if a website hosting a VPN, such as PulseSecure.com, receives a very low grade from SecurityHeaders.io for not implementing the necessary HTTP security response headers. However, when a website receives a high grade, it does not guarantee that the operating system's VPN feature is protected against remote code execution and man-in-the-middle attacks.

An organization should explore VPN alternatives, such as a private physical network or application whitelisting. Private physical networks are networks between devices that exist physically rather than virtually. The network is at the physical layer with no shared virtual equipment, and the size of the network is limited by the components moving traffic from one place to another.

On the other hand, application whitelisting provides access control of approved applications and can report attempted changes to files by hackers. These applications, like AppLocker for enterprise-level Windows 10, are available free or as purchased products. However, the primary disadvantage of application whitelisting is that the software inventory of whitelisted applications can be difficult to manage in a large, geographically dispersed organization. If inventory is not managed properly, then hackers can still launch man-in-the-middle attacks.

Other VPN alternatives include Google's BeyondCorp or Cloudflare's Access, both of which use a reverse proxy approach. Instead of using VPN clients, endpoint device connections are run through platforms that authenticate the devices and secure the connections with HTTPS.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)

This was last published in March 2018

Dig Deeper on VPN security

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

Has your organization been exposed to VPN vulnerabilities? If so, what was done to mitigate the issues?
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

Close