VPN vulnerabilities in products from popular vendors, such as Cisco and Pulse Secure, have recently been found...
to enable serious threats -- including remote and man-in-the-middle attacks. In light of these vulnerabilities, should organizations consider dropping VPNs altogether? If so, what VPN alternatives should they explore?
In terms of vulnerabilities, Pulse Secure LLC resolved Secure Sockets Layer (SSL) certificate validation issues for versions PULSE 5.3R4.2 and PULSE 5.2R9; however, kb.cert.org suggested that the Linux Pulse Secure client GUI should not be used on an untrusted internet network.
On Feb. 5, 2018, Cisco updated its security advisory to state that they fixed the SSL VPN -- also known as webvpn -- vulnerability in Cisco Adaptive Security Appliance software. The advisory did not acknowledge if webvpn should or should not be used on an untrusted network.
Public VPN terminals are so widely available that an attacker could find them on Shodan or through certificate transparency logs that list publicly trusted certificates from a certificate authority.
In addition to those VPN vulnerabilities, there are other issues of which enterprises should be aware. Organizations should consider dropping VPNs if a website hosting a VPN, such as PulseSecure.com, receives a very low grade from SecurityHeaders.io for not implementing the necessary HTTP security response headers. However, when a website receives a high grade, it does not guarantee that the operating system's VPN feature is protected against remote code execution and man-in-the-middle attacks.
An organization should explore VPN alternatives, such as a private physical network or application whitelisting. Private physical networks are networks between devices that exist physically rather than virtually. The network is at the physical layer with no shared virtual equipment, and the size of the network is limited by the components moving traffic from one place to another.
On the other hand, application whitelisting provides access control of approved applications and can report attempted changes to files by hackers. These applications, like AppLocker for enterprise-level Windows 10, are available free or as purchased products. However, the primary disadvantage of application whitelisting is that the software inventory of whitelisted applications can be difficult to manage in a large, geographically dispersed organization. If inventory is not managed properly, then hackers can still launch man-in-the-middle attacks.
Other VPN alternatives include Google's BeyondCorp or Cloudflare's Access, both of which use a reverse proxy approach. Instead of using VPN clients, endpoint device connections are run through platforms that authenticate the devices and secure the connections with HTTPS.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)
Dig Deeper on VPN security
Related Q&A from Judith Myerson
Air-gapped computers subject to PowerHammer attack: Proof-of-concept attack enables data exfiltration through control of current flow over power ... Continue Reading
Bastille researchers created the SirenJack proof of concept to show how a vulnerability could put San Francisco's emergency warning system at risk. ... Continue Reading
A QR code vulnerability was recently discovered in the Apple iOS 11 camera app. Learn how an attacker could exploit it and how to avoid the issue ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.