How Secure is your VPN?

Published April 08, 2020

Perennially important, virtual private network (VPN) security is now imperative given the current COVID-19 pandemic. Remote working has fast become the new normal and, correspondingly, the demand for VPN capabilities has skyrocketed. Unfortunately—if unsurprisingly—attacks on VPNs have risen sharply alongside. Underscoring the severity, in March the United States Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued Alert AA20-073A on Enterprise VPN Security.

Essentially, VPNs extend the enterprise network perimeter and allow users to access corporate applications anywhere. On-premises infrastructure effectively becomes “one hop” (or one click) away from the user device. Similarly, the security risk to corporate assets also becomes one hop away. Attackers may no longer have to compromise sophisticated layers of perimeter security (proxies, WAF, intrusion detection, and so on) but merely a single vulnerability or an insecure implementation of a VPN could expose corporate assets and personal information.

In this article, we’ll focus on some of the key areas that are critical in evaluating the security of your VPN.

Endpoint Security Posture

Users typically initiate an SSL VPN tunnel from their endpoint devices, such as desktops, laptops, and mobiles. These endpoints become both entry points and prime targets for bad actors attempting to use them as attack vectors. Therefore, it's important that you always ensure that an endpoint is safe prior to establishing a VPN tunnel. Endpoint security is a strategic approach for ensuring that a client device does not present a security risk before it is granted a remote access connection to the network. Such a strategy may imply systematic verification of the client machine certificate and verification of the client type and/or the version of the client browser, patch verification of the anti-spyware and antivirus software, and the inspection of the client firewall rules—as examples.

Endpoint security posture assessment generally occurs at the session initiation, prior to establishing a VPN tunnel, but it can also happen periodically during the user's VPN session. Continuous endpoint security posture assessment mitigates subsequent risks by checking that endpoints have not become compromised after the initial VPN tunnel was established.

User Authentication and Authorization

Authentication consists of verifying the identity of users prior to establishing a VPN tunnel. Verifying remote workers’ credentials ensures that only legitimate users have access to internal resources and applications.

However, with the rise of credential stuffing and account takeover (ATO) methods, an attacker could ostensibly be in possession of valid user credentials and bypass single factor authentication. It, therefore, becomes essential to implement multi-factor authentication for your VPN.

Multi-Factor Authentication (MFA)

MFA enhances security by requesting that users provide two or more verifiable authentication factors before establishing a VPN tunnel. This approach effectively enables MFA to block 99.9% of account takeover (ATO) attacks, according to industry estimates. Common authentication factors are:

  • Something the user knows, like a password, a PIN, or a touchpad gesture
  • Something the user has, like a physical or software token or a certificate
  • Something the user is, meaning a biometric input, such as fingerprint, retina scan, or facial or voice recognition

After a user is authenticated, authorization policies evaluate the permission set of the user to grant specific access to internal resources and applications, as well as enforce appropriate restrictions. Access is granted using different permission models, such as role-based access control (RBAC). Specific privileges and preferences can be enforced for VPN users by implementing additional security controls like ACLs during the VPN tunnel establishment.

Data Confidentiality and Integrity

Encryption provides data confidentially and integrity as corporate data is transmitted over shared or public networks through the VPN tunnel.

To disclose confidential data, malicious actors can attempt to steal private keys, exploit known vulnerabilities in cryptographic implementation, or break weak cryptographic parameters.

When configuring an SSL VPN, you should consider key exchange management and the strength of cryptographic ciphers. Versions prior to TLS1.3 contain known flaws in the protocol definition and in their implementation. Other exploits include abusing client renegotiation and the use of weak cryptographic primitives, such as RC4 stream and export-grade ciphers.

DDoS Attacks on VPN

When most or all of your employees are remote workers, the availability of your VPN server (sometimes referred to as a VPN concentrator) also becomes critical for business continuity. Conversely, VPN servers can be a prime target for malicious actors attempting to overwhelm your VPN servers with random distributed automated requests, hence making the VPN unavailable for legitimate users.

SSL VPN are accessible through an IP address/URL (in the web browser or configured in a VPN client), making them susceptible to the same DDoS attack patterns that target web servers such as HTTP flood, SSL flood, SSL renegotiation, TCP blend attack, and so on.

Therefore, to ensure business continuity through your VPN, it may be essential to configure your VPN to detect and mitigate DDoS attacks as part of your broader security strategy.

More Resources: