Zero-Trust Network Access

How SDP is killing VPN and firewall exploits


In the last few weeks, we have heard about two major vulnerabilities in VPN gateways and enterprise firewalls that demonstrate the extent to which these time-tested security products are not immune to exploitation.

At the beginning of October, the US National Security Agency (NSA) sent out a warning to admins about patching old security bugs that were being exploited. The vulnerabilities were allowing “remote arbitrary file downloads and remote code execution on Pulse Connect Secure and Pulse Policy Secure gateways,” they warned. Additional vulnerabilities allowed encrypted traffic sessions to be intercepted or hijacked. They explained that exploit code was publicly available online through the Metasploit Framework and GitHub, and that malicious cyber actors were actively using it.

In another instance, Sophos announced that they were fixing a vulnerability in their Cyberoam firewall appliances which might allow an attacker to gain access to a company’s internal network without a password.

TechCrunch explained that the vulnerability allowed “an attacker to remotely gain ‘root’ permissions on a vulnerable device, giving them the highest level of access, by sending malicious commands across the internet.” This kind of attack exploits the web-based OS on the firewall.

Protecting Enterprise Remote Access

Best practices say that in order to protect and secure access to your enterprise, you need to keep all your security software up to date. Vendors often provide software updates for known vulnerabilities, and applying these updates is a first step to prevent bad actors from exploiting them.

A better approach is to move your firewall and VPN to the cloud. Choose SaaS products so that the vendor, rather than your IT team, is responsible for updates. When your IT team owns updates, the vendor has to develop a patch, package it, and distribute it to you and all of its other customers, each of whom then has to find time for someone on the team to deploy and test it. This is a complicated and error-prone process that can sometimes take days or weeks to complete, leaving businesses wide open to exploits and creating costly, disruptive downtime. With a SaaS solution, patches can be deployed as soon as the vendor is alerted to a vulnerability, in a way that is transparent to users and effortless for IT. In an ideal setup, the software on user devices (e.g. agents) is also as simple as possible, requiring rare upgrades and minimal maintenance from your IT team.

The best and most efficient option is to upgrade your VPN to a Software-Defined Perimeter (SDP), which redefines the perimeter, moving it from physical offices and datacenters to follow the user and his or her device wherever they go.

But it’s even more than that.

SDP Changes the Game from the Cloud

SDP offers access specific to each app, not to a full network, which is a big security advantage over VPNs, which offer open access to potentially broad sections of the enterprise network. SDP enables your company to create granular security policies that associate specific employees or contractors with the exact applications and/or services they actually need access to. With SDP, each individual employee or contractor's device is assigned an authenticated, unique identity which is continuously verified and authorized for every packet in real time. Only resources that a specific employee or contractor is authorized to access are visible to that individual; everything else remains invisible, which reduces the surface for potential attacks.
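A small policy evaluator, added here as an illustration and not code from the post or from any product, that contrasts the two models described above: a VPN-style route that exposes a whole address range once the tunnel is up, and an SDP policy that decides per packet from a verified device identity plus an explicit per-app grant and silently drops everything else. All names, addresses, users and the 60-second re-verification window are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data; apps, addresses and policy are assumptions, not from the post.
APPS = {"crm": "10.0.1.10", "ci": "10.0.2.20", "payroll-db": "10.0.2.30"}
IP_TO_APP = {ip: name for name, ip in APPS.items()}
# Granular SDP policy: each identity is tied to the exact apps it needs.
SDP_POLICY = {"alice": {"crm"}, "bob": {"crm", "ci"}}
# VPN-style rule: once the tunnel is up, the whole routed range is reachable.
VPN_ROUTE = ipaddress.ip_network("10.0.0.0/16")
MAX_VERIFY_AGE = 60  # seconds; assumed re-verification interval for a device identity


@dataclass(frozen=True)
class Device:
    user: str
    device_id: str
    enrolled: bool        # identity issued by the SDP controller
    last_verified: float  # epoch seconds of the most recent identity check


def vpn_decision(dst_ip: str) -> str:
    """Network-level access: any host inside the routed range is reachable."""
    return "allow" if ipaddress.ip_address(dst_ip) in VPN_ROUTE else "drop"


def identity_ok(dev: Device, now: float) -> bool:
    """Continuous verification: an unenrolled or stale identity is treated as unknown."""
    return dev.enrolled and (now - dev.last_verified) <= MAX_VERIFY_AGE


def sdp_decision(dev: Device, dst_ip: str, now: float) -> str:
    """Per-packet decision. Anything not explicitly authorized is silently dropped
    (no reset, no ICMP), which is what keeps unauthorized resources invisible."""
    if not identity_ok(dev, now):
        return "drop"
    app = IP_TO_APP.get(dst_ip)
    if app is None or app not in SDP_POLICY.get(dev.user, set()):
        return "drop"  # not on this identity's need-to-know list
    return "allow"


def visible_resources(dev: Device, now: float) -> set:
    """What a device can even discover: only the apps its policy grants."""
    if not identity_ok(dev, now):
        return set()
    return {APPS[a] for a in SDP_POLICY.get(dev.user, set())}


def compare(dev: Device, dst_ip: str, now: float) -> dict:
    """Side-by-side decision for one packet under the VPN route and the SDP policy."""
    return {"vpn": vpn_decision(dst_ip), "sdp": sdp_decision(dev, dst_ip, now)}
```

The payroll database case is the one to watch: the VPN route allows it for every connected user, while the SDP policy drops it for anyone without an explicit grant.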

VPN appliance configuration can also be quite complex - especially for organizations with multiple data centers and clouds. SDP significantly simplifies management, maintenance and availability processes. You only need one cloud console to manage the access policies for all your cloud or datacenter resources.

SDP also makes user onboarding easier, and allows clientless web-based access for contractors and unmanaged personal devices.

In general, SDP enables a more consistent and reliable user experience and easy, transparent, worldwide access compared to VPN. From the IT perspective, an SDP solution offers central policy management for all your applications and data.

By leveraging “need to know” access through a zero-trust approach offered by an SDP solution from the cloud, you will benefit from heightened security, zero patching cycles, and reduced risk and cost that today’s competitive enterprises need and that traditional VPNs can no longer support.

Subscribe to the Proofpoint Blog