LAS VEGAS -- Virtual private networks, whether SSL or IPsec VPNs, have been IT's ultimate set-and-forget technology. Once installed and configured, these remote access technologies are often left on auto-pilot providing secure, isolated access to backend applications, files and other resources.
If you have VPN clients out there, you have to make sure they are synched to management systems and are getting ongoing policy, configuration and management changes.
Martin Hack, executive vice president, NCP Engineering Inc.
Mobile devices such as BlackBerries, iPhones and Droid smartphones, however, are changing the remote access dynamic. Companies will soon have to take a second look at remote link-ups over VPNs, especially as users introduce new personal devices to the network and demand access to apps from a variety of operating systems and platforms. In turn, it's up to security operations to provide secure VPN connections for these myriad devices.
As a result, tried-and-true VPN connections and configurations aren't good enough. IT operations, complacent about their VPNs, need to take another look, according to research to be released this week at the Black Hat Briefings by NCP Engineering Inc. Attackers are already leveraging insecure VPN connections to access critical data inside the enterprise. The attacks on TJX, Heartland Payment Systems and even this year's attacks on Google, Adobe and more than 30 other large technology companies, defense contractors and big companies, were carried out remotely with legitimate access over VPN connections.
"The set-and-forget approach is flawed," said Martin Hack, executive vice president, NCP. "If you have VPN clients out there, you have to make sure they are synched to management systems and are getting ongoing policy, configuration and management changes. You need strong proactive remote access management to prevent these issues because otherwise, these connections become the first weapon for an attacker."
NCP's research indicates that complacency over VPNs is one of the primary drivers leading to VPNs becoming an attractive attack vector. Not only configuration issues, but out-of-date software is leading to severe vulnerabilities that could lead an attacker straight into an organization with legitimate access. For example, corrupted route targets in a VPN implementation could redirect traffic to an attack site. In SSL VPNs, organizations often overlook Same Origin Restriction. Failing to turn this on could enable attackers to carry out phishing attacks by routing legitimate traffic away from its intended destination and onto a phishing site.
"Attackers could hijack sessions or install keyloggers without the user's knowledge. They would think they're in a secure environment," Hack said. "If the Same Origin Restriction is turned on and configured properly, only trusted resources can connect to an SSL VPN. If not, anyone can interject themselves onto a website."
Password problems can also arise over improperly managed VPNs, Hack said. Many VPNs allow you to cache password log information, and in plain text. Attackers with access to the cache may read them in the registry or in memory. Admins must encrypt caches, if they're allowed.
The NCP research also points out potential denial-of-service scenarios where malformed packets moving over a VPN connection could cause a buffer overflow that could bring down a network. Hack said these types of messages can elude and intrusion detection system and cause a system to crash or indefinitely reboot.
"The requirements for remote access have changed; mobility has changed a lot of that," Hack said. "There's a big need to bring these problems out into the open and get rid of complacency about VPN management. Mobility has changed things and it's a big issue because companies are getting hammered and breached."