It’s time to rethink using remote access VPNs for third-party access
No longer safely operating behind the traditional corporate perimeter, business productivity today depends on integrating external members of the extended enterprise into the work processes. This means giving access to critical business applications – a risky aspect of doing business today, but necessary for most enterprises.
The challenge is how to provide access to applications in a truly secure fashion so the organization is free from malware and bad actors gaining access through third-party connections. Attackers these days are looking to access organizations’ most sensitive data, and will leverage any weak point in the overall infrastructure to establish a foothold to discover and exploit critical assets.
Third-party access is often the weakest link in network security. Attackers have successfully exploited traditional remote access solutions in some of the largest data breaches to date, including retailers Target Corporation and Home Depot, healthcare provider Community Health Systems, and financial services company J.P. Morgan.
There are many factors that make securing third-party access uniquely difficult. People authorized to access the network and applications might not adhere to the organization’s same level of security protocols. They might use weak or default passwords, or share a single set of credentials among numerous people. Their devices might be unmanaged and should be considered untrusted. And even if proper security protocols are observed, traditional remote connectivity methods are easily hacked through stolen user credentials and session hijacking techniques.
Traditional remote access VPNs are unsuitable for third-party access
When VPNs were first developed in the 1990s, the intent was to extend the LAN to employees’ home offices and hotels as they traveled. This meant giving employees remote access to everything their company network had to offer just as if they were directly on the internal network. When companies began outsourcing work and bringing ecosystem partners onto their networks, the remote access VPN was the only tool at their disposal. The VPN became the default means to provide third parties access into corporate networks and applications, and its use is still quite common today.
There are multiple security weaknesses that make the remote access VPN an unsuitable method for third-party access to network and applications. Some of these are:
Login credentials needed for a remote access VPN can be compromised in a variety of ways. For example, just recently more than half a billion sets of user name/password combinations were posted for sale on the Dark Web. They came from previously reported breaches of LinkedIn (117 million credentials) and MySpace (427 million credentials). It’s very possible that your contractor, vendor or service provider uses the same credentials for your remote access VPN as for his social media account.
Passwords can also be hacked through brute force attacks. In February, one security company reported seeing 6.6 million such attacks against 72,532 websites. Considering that people often use simple or default passwords, this guessing technique can be very effective for hacking through a remote access VPN.
Multi-factor authentication (MFA) can be an effective deterrent against credential abuse, but many companies say it is too expensive or complicated to deploy MFA, especially if it involves distributing a hardware token to all remote users. In addition, traditional MFA methodologies require tremendous effort to support with an internal IT helpdesk. However, username and password credentials alone for remote access VPN authentication are far too risky.
You may say trusted third-party partners will not exploit vulnerabilities in the internal network. But these same parties that use their own devices to access the network via VPN pose a risk of bringing malware to the network environment unbeknownst to them. These devices are unmanaged, or at least untrusted, and there is nothing in the VPN connection process that assesses the state of a device. If any type of malware is on an access device, the malicious software can easily propagate across the VPN into the broader network. As discussed in the next two sections, this represents a huge attack surface for the bad actors behind the malware.
The VPN provides wide, often excessive access to network resources, including domain controllers and infrastructure DHCP, DNS, switches and routers. Not only does this provide a large attack surface for a bad actor, but it also gives even the legitimate third-party user access to far more than the one or two applications he really needs.
Vulnerabilities in VPN products can further compound this weakness. For example, Cisco recently acknowledged vulnerabilities in its ASA Clientless SSL VPN that expose the entire enterprise infrastructure to remote attacks or could allow their infrastructure to serve up malware to others.
In a remote access VPN scenario, once a VPN connection is established, internal application servers are exposed to the external device and whatever software and malware is running on it. That makes it possible for an attacker to reach these servers via the public Internet. This means that the servers are listening to – and exposed to – every possible client device on the network. Compromised clients will scan the network looking for servers, and if a server or any of its applications has vulnerabilities, attackers will compromise them.
Exposed servers are often compromised via configuration errors and known or unknown vulnerabilities. The previously cited problems of compromised devices and excessive access facilitate an attacker’s ability to reach a target server to steal, delete or corrupt important data and content.
A new approach for security and business efficiency
The decades-old connectivity practices of remote access VPNs have too many security weaknesses for today’s heightened cyber threat environment. Third-party VPN connections are far too risky for today’s business and the important assets on organization’s networks. New approaches to the third-party access problem powered by the Software Defined Perimeter (SDP) standard are available today that meet the needs of organizations around security and business efficiency.
These new methods for third-party remote access should be considered for addressing the following concerns:
- Credentials alone that are an insufficient authentication method.
- Unwieldy and costly MFA approaches to solving the credential theft problem.
- Untrusted devices that potentially have the ability to propagate malware are gaining access to your network.
- Important application servers that third parties are accessing have risky exposure to the Internet.