Zero-Trust Network Access

On-Premise Routers/Gateways Leaving Gaps in Network Security

The Fall of the Traditional Network Router

Traditional enterprise networking routers and gateways have fallen victim to a number of vulnerabilities that are open to exploitation by hackers. Many of these vulnerabilities leave genuine gaps in security, allowing unknown parties unauthorized network access. Once the door to these trust-based networks opens, the impacted organization may be at significant risk from unrestricted infiltration.

In January of 2020, networking equipment from Cisco was found to be vulnerable to several security threats, which enabled criminal hackers to override access requirements and fully control the networks managed by those systems. According to reports, several of the threats that affected Cisco routers were collectively named "CDPwn." Experts believed the vulnerabilities resided in the Cisco Discovery Protocol (CDP), which was enabled by default at the time the issue was recognized.

First discovered by Armis research, the flaws in CDP deployments included buffer overflow and format string vulnerabilities that may have permitted hackers to run malware on the equipment by delivering "malicious unauthenticated CDP packets." As a result, the CDPwn Cisco vulnerabilities affected tens of millions of devices widely deployed in enterprise networks. When exploited against network switches, CDPwn breaks network segmentation, allowing unauthorized access to sensitive data from network-connected systems.

When Private Information Goes Public

Also in January, threat researchers found that private keys for signed Transport Layer Security (TLS) certificates could be revealed through Netgear firmware, impacting the security of Netgear routers. According to a bug report, there were at least two valid, signed TLS certificates that were bundled with publicly available Netgear device firmware. These certificates were trusted by browsers on all platforms, but were thereafter added to revocation lists. The firmware images that contained these certificates and their private keys were publicly available for download through Netgear's support website, without authentication; thus anyone in the world could have retrieved the keys and gained unauthorized network access through the affected routers.

At the end of 2019, a now-resolved vulnerability affecting the Citrix Application Delivery Controller (NetScaler ADC) and the Citrix Gateway (NetScaler Gateway) came to light, one that exposed the networks of more than 80,000 organizations to hackers. The vulnerability allowed remote attackers to bypass authentication and access a company’s internal network and the full scale of IT resources.

Security expert Mikhail Klyuchnikov discovered the vulnerability and said that if successfully exploited, it could have led to arbitrary code execution. According to his team, companies in 158 countries may have been at risk, and the five countries with the greatest potential exposure were the US, UK, Germany, Netherlands and Australia. Citrix announced that all supported product versions and platforms were affected. Roughly a month after the vulnerability was discovered, the company provided its first permanent fix.

Securing the Perimeter

Keeping security software up to date is the number one rule in any security implementation, but especially when securing the perimeter. For companies that employ hardware appliances like the Citrix gateway in the datacenter, it’s up to the vendor to develop and supply security patches to each client in a timely manner. Once received, the enterprise IT teams are responsible for implementation, which can sometimes take days or weeks. In this case, every company with a Citrix gateway sitting on their perimeter was tasked with maintenance, updates and tests, and unfortunately for the majority of them, these functions were not up to date.

Instant Security…in the Cloud

A simpler and more reliable approach is to implement a cloud-based security solution. “As-a-Service” products move the work and responsibility of updating software back to the vendors themselves, rather than an organization's IT team. For IT teams managing router/gateway vulnerabilities and ensuring updates, the complicated and error-prone process of implementing updates and patches can sometimes take days or weeks to complete, leaving them open to exploits. With a SaaS solution, customers can benefit from patches seamlessly deployed through the cloud by the vendor immediately, and usually without any additional effort from the enterprise IT team.

From On-Prem VPN to Zero-Trust Network Access Solutions

Another access appliance – the enterprise VPN – is giving way to the cloud and a new generation of products called Zero-Trust Network Access (ZTNA) solutions. The ZTNA approach is all about redefining the perimeter from the traditional, physical office/datacenter to the user. Rather than a gateway appliance, ZTNA solutions are deployed and delivered as cloud services where the security policy follows the user’s device wherever it goes, creating a software-defined perimeter.

One of the advantages of cloud-delivered ZTNA is that it hides the enterprise network from attackers. In contrast, conventional on-premise firewall VPNs make it easy for hackers to discover IP addresses and target the organization.

Similarly, users get customized access to exactly the applications they need, rather than the entire network. This is a huge security advantage over on-prem VPNs. ZTNA enables the creation of many granular security policies for associating specific employees or contractors with only the applications and services that they need to complete their work. Every user device is assigned a unique identity that is continuously verified and authorized in real time. Anything they don’t need remains invisible to them, thus reducing the surface for potential attacks. Finally, ZTNA solutions also provide an air gap between the Internet and internal resources, minimizing the number of open ports exposed to the Internet, which are prone to attack.
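
The per-application model described above can be sketched as a default-deny policy check that re-verifies the device identity on every request. This is an added example, not code from any vendor or product named in this post; the broker key, users, device IDs and application names are constructed assumptions.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

# Constructed sample data; key, users, devices and apps are assumptions.
BROKER_KEY = b"constructed-demo-key"
MAX_TOKEN_AGE = 300  # seconds a device attestation stays valid
POLICY = {  # user -> the only applications that user may reach
    "alice@example.com": {"crm", "wiki"},
    "contractor@example.com": {"ticketing"},
}
DEVICES = {"dev-001": "alice@example.com", "dev-002": "contractor@example.com"}

def device_token(device_id, issued_at):
    """Broker-issued proof binding a device identity to an issue time."""
    msg = f"{device_id}|{issued_at}".encode()
    return hmac.new(BROKER_KEY, msg, hashlib.sha256).hexdigest()

@dataclass
class Request:
    user: str
    device_id: str
    issued_at: int
    token: str
    app: str

def device_verified(req, now):
    """Re-checked on every request, not once at login."""
    if DEVICES.get(req.device_id) != req.user:
        return False  # unknown device, or device not bound to this user
    if not 0 <= now - req.issued_at <= MAX_TOKEN_AGE:
        return False  # stale or future-dated attestation
    expected = device_token(req.device_id, req.issued_at)
    return hmac.compare_digest(req.token, expected)

def authorize(req, now=None):
    """Default deny: allow only a verified device reaching a granted app."""
    now = int(time.time()) if now is None else now
    return device_verified(req, now) and req.app in POLICY.get(req.user, set())

def visible_apps(req, now=None):
    """Applications the broker will even list; everything else stays hidden."""
    now = int(time.time()) if now is None else now
    return sorted(POLICY.get(req.user, set())) if device_verified(req, now) else []
```

A request for an application outside the user's grant, from a device bound to another user, or with an expired attestation is refused, and an unverified device is shown an empty application list.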

Zero-Trust Rises to the Cause

The landscape of network security is changing, and as more and more enterprises understand the widening gap left by on-prem solutions, the need for Zero-Trust security grows with it. When compared to the corporate VPN, ZTNA solutions are the better choice for micro-segmented application access as they isolate the enterprise network from threats. The approach offers a people-centric, software-defined perimeter that protects users and data both on and off-premise.
