Zero-Trust Network Access

Another On-Prem Gateway Bites the Dust

Last month, we heard of a new vulnerability affecting the Citrix Application Delivery Controller (NetScaler ADC) and the Citrix Gateway (NetScaler Gateway) that might expose the networks of more than 80,000 organizations to hackers. The vulnerability could allow remote attackers to access a company's internal network without requiring authentication.

Security expert Mikhail Klyuchnikov, of Positive Technologies, discovered the vulnerability and said that if successfully exploited, it will lead to arbitrary code execution. According to his team, approximately 80,000 companies in 158 countries may be at risk. The five countries with the most potential exposure are the US, the UK, Germany, the Netherlands and Australia.

Citrix announced that all supported product versions and platforms are affected, and as of the publishing of this article, no fix has been released.

Secure the Perimeter

Keeping security software up to date is the number one rule in any security implementation, but especially when securing your perimeter. For companies that employ hardware appliances like the Citrix gateway in their datacenter, it’s up to the vendor to develop and supply security patches to each client in a timely manner. Once received, the enterprise IT teams are responsible for implementation, which can sometimes take days or weeks. In this case, every company with a Citrix gateway sitting on their perimeter was tasked with maintenance, updates and tests, and unfortunately for the majority of them, these functions were not up to date.

Instant Security...in the Cloud

A simpler and more reliable approach is implementing a cloud-based security solution. “As-a-Service” products move the work and responsibility of updating software back to the vendors themselves, rather than your IT team. When your IT team is responsible for updates, as in the case of the Citrix users, the complicated and error-prone process of implementing updates and patches can sometimes take days or weeks to complete, leaving the organization open to exploits in the meantime.

A SaaS solution allows customers to benefit from patches seamlessly deployed by the vendor - immediately, and usually without any additional effort from the enterprise IT team.

From On-Prem VPN to Cloud-Delivered SDP

Another access appliance - the enterprise VPN - is also making the transition to the cloud in the form of a new generation of products called Software Defined Perimeter (SDP) or Zero-Trust Network Access.

The SDP approach is all about redefining the perimeter from the traditional, physical office/datacenter to the user. Rather than a gateway appliance, SDP is deployed and delivered as a cloud service where the security policy follows the user’s device wherever it goes - a “software-defined perimeter”.

One of the advantages of a cloud-delivered SDP is that it hides the enterprise network from attackers. In contrast, conventional on-premise firewall VPNs make it easy for hackers to discover your IP address and target your organization.

Similarly, users get customized access to exactly the applications they need, rather than the entire network. This is a huge security advantage over on-prem VPNs. SDP enables the creation of many granular security policies for associating specific employees or contractors with only the applications and services that they need to complete their work. Every user device is assigned a unique identity which is continuously verified and authorized in real time. Anything they don’t need remains invisible to them, thus reducing the surface for potential attacks.

An SDP solution also acts as an air gap between the Internet and internal resources. With an SDP solution, you minimize the number of open ports that are required to be exposed to the internet and prone to attacks.

The Rise of Zero-Trust

The landscape of network security is changing, and as more and more enterprises understand the widening gap left by on-prem solutions, the need for zero-trust security grows. When compared to the VPN, SDP is the better choice for micro-segmented application access as it isolates the enterprise network from threats. The solution is a people-centric, software-defined perimeter that protects users and data both on and off-premise.
