Virtual private networks (VPNs) are a commonly used remote access solution, but that does not make them a good or secure one. VPN gateways are a recurring source of serious vulnerabilities, and cybercriminals take advantage of this fact. The insecurity of VPNs, combined with their other shortcomings, is a good reason to consider upgrading to a VPN alternative.
VPNs Are a Good Target for Cybercriminals
The majority of cyberattacks begin with a phishing email. Of those that don't, many begin by targeting an unpatched vulnerability in an Internet-exposed service. In many cases, cybercriminals discover and exploit these vulnerabilities automatically, using scanners that search the Internet for services running known-vulnerable versions and attack them as soon as they are found.
VPNs are a good target for cybercriminals for a number of reasons, including:
- Exposure: VPN gateways are designed to allow remote users to gain access to the enterprise network. For this reason, they must be exposed to the public Internet to allow employees to authenticate and connect.
- Importance: As remote work grows, VPNs are becoming critical infrastructure for many organizations. Cybercriminals can deny access to VPN infrastructure as part of a Denial of Service (DoS) attack or to force a target to pay a ransom.
- Login Portals: Remote users need to authenticate to the VPN service in order to gain access. Cybercriminals take advantage of this fact and use VPN login portals in credential stuffing attacks, replaying usernames and passwords from other breaches (and common weak passwords) against the portal to find accounts that reuse them. Without multi-factor authentication and rate limiting on the portal, every leaked password is a potential way in.
- Unrestricted Access: A VPN is designed to provide a secure tunnel between an employee's device and the enterprise network. On its own it grants network-level access: once connected, a user, or an attacker holding that user's credentials, can typically reach anything routable inside the network unless the organization has layered additional access controls behind the VPN, and the VPN itself does not inspect the traffic flowing over it for threats.
- Vulnerability: VPN vulnerabilities are common. It is not unusual for a VPN vendor to have at least one high severity vulnerability discovered each year, and often more than one is discovered.
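The credential stuffing pattern described in the list above can be spotted in the gateway's authentication log. The following Python script is an added example, not code from the original article or from any VPN vendor; it assumes a hypothetical log line format (`user=… src=… result=OK|FAIL`) and runs over constructed sample lines embedded in the script. It flags a source address that tries many distinct usernames in a short window with a high failure rate, and it lists any account that nonetheless authenticated successfully from that source, which is the account to lock and reset first.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical gateway format (not any real product's).
# 203.0.113.5 walks through seven usernames in seven seconds: credential stuffing,
# and one of the stuffed passwords works (erin). 198.51.100.7 is one user failing
# repeatedly before succeeding (a forgotten password), and 192.0.2.9 is a normal login.
SAMPLE_LOG = """\
2024-03-02T10:15:01Z vpn-gw auth: user=alice src=203.0.113.5 result=FAIL
2024-03-02T10:15:02Z vpn-gw auth: user=bob src=203.0.113.5 result=FAIL
2024-03-02T10:15:03Z vpn-gw auth: user=carol src=203.0.113.5 result=FAIL
2024-03-02T10:15:04Z vpn-gw auth: user=dave src=203.0.113.5 result=FAIL
2024-03-02T10:15:05Z vpn-gw auth: user=erin src=203.0.113.5 result=OK
2024-03-02T10:15:06Z vpn-gw auth: user=frank src=203.0.113.5 result=FAIL
2024-03-02T10:15:07Z vpn-gw auth: user=grace src=203.0.113.5 result=FAIL
2024-03-02T10:16:00Z vpn-gw auth: user=henry src=198.51.100.7 result=FAIL
2024-03-02T10:16:10Z vpn-gw auth: user=henry src=198.51.100.7 result=FAIL
2024-03-02T10:16:20Z vpn-gw auth: user=henry src=198.51.100.7 result=FAIL
2024-03-02T10:16:30Z vpn-gw auth: user=henry src=198.51.100.7 result=FAIL
2024-03-02T10:16:40Z vpn-gw auth: user=henry src=198.51.100.7 result=FAIL
2024-03-02T10:16:50Z vpn-gw auth: user=henry src=198.51.100.7 result=FAIL
2024-03-02T10:17:30Z vpn-gw auth: user=henry src=198.51.100.7 result=OK
2024-03-02T10:18:00Z vpn-gw auth: user=ivan src=192.0.2.9 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def find_credential_stuffing(log_text, window=timedelta(minutes=5),
                             min_users=5, min_fail_ratio=0.8):
    """Return {src_ip: summary} for sources whose behaviour looks like credential stuffing.

    A source is flagged when, within any `window`, it attempts at least `min_users`
    distinct usernames and at least `min_fail_ratio` of those attempts fail. A single
    user failing many times is password guessing or a typo, not stuffing, so it is
    deliberately not flagged here.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        users = Counter()   # usernames seen in the current window
        fails = 0           # failed attempts in the current window
        start = 0           # index of the oldest event still inside the window
        for end, ev in enumerate(events):
            users[ev["user"]] += 1
            fails += ev["result"] == "FAIL"
            # Slide the window forward: drop events more than `window` older than this one.
            while ev["ts"] - events[start]["ts"] > window:
                old = events[start]
                users[old["user"]] -= 1
                if users[old["user"]] == 0:
                    del users[old["user"]]
                fails -= old["result"] == "FAIL"
                start += 1
            total = end - start + 1
            if len(users) >= min_users and fails / total >= min_fail_ratio:
                best = alerts.get(src)
                if best is None or len(users) > best["distinct_users"]:
                    alerts[src] = {
                        "distinct_users": len(users),
                        "attempts": total,
                        "failures": fails,
                        "window_start": events[start]["ts"],
                        "window_end": ev["ts"],
                    }
        if src in alerts:
            # Accounts that authenticated successfully from a stuffing source are the
            # ones whose passwords were in the attacker's list: lock and reset them first.
            alerts[src]["compromised"] = sorted(
                {e["user"] for e in events if e["result"] == "OK"}
            )
    return alerts


if __name__ == "__main__":
    for src, summary in find_credential_stuffing(SAMPLE_LOG).items():
        print(f"{src}: {summary['distinct_users']} usernames, "
              f"{summary['failures']}/{summary['attempts']} failed, "
              f"successful logins: {summary['compromised']}")
```

The thresholds are assumptions to tune against your own baseline: a busy NAT gateway legitimately produces many usernames from one address, so `min_fail_ratio` does most of the work. The per-source view also misses stuffing spread across a large proxy pool, where each address makes only one or two attempts; for that, the same sliding window should be run per username and across the whole portal, and the portal itself should enforce multi-factor authentication and rate limiting so that a matching password alone is not enough.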
Chinese Cyber Threat Actors Exploit VPN Vulnerabilities
Not every vulnerability is created equal. Of the many vulnerabilities that are discovered each year, only a fraction of them are actively exploited in the wild. Whether or not a particular vulnerability will be exploited is based on a variety of factors, including potential impact, use of the vulnerable software, speed of patch deployment, and more.
When developing a patch management program, it can be difficult to determine which updates should be a priority. A good starting point is the set of vulnerabilities that attackers are actively exploiting in their campaigns, since those are the ones most likely to be used against you before you patch.
The United States' National Security Agency (NSA) published a list of twenty-five vulnerabilities that were, at the time, being actively targeted by Chinese state-sponsored attackers. The list covers a wide variety of different software and vulnerability types, but right at the top is a VPN vulnerability: an arbitrary file read in Pulse Secure's VPN gateway (CVE-2019-11510). A specially crafted request allows an unauthenticated attacker to read files from the appliance, exposing keys, cached passwords, session data, or other sensitive information.
If an attacker can exploit the Pulse Secure vulnerability (or any comparable VPN vulnerability), there is a good chance that they can compromise a user account or bypass the VPN's authentication entirely, for example by reusing credentials or session tokens read from the appliance. If so, they can take advantage of the VPN's intended functionality, remote access to the enterprise network, without needing any further exploit.
Replacing VPNs with a Modern WAN Solution
VPNs have a number of different issues. A major problem with VPNs is that they were designed for a network infrastructure that no longer exists; one where the majority of an organization’s users and resources were located on the corporate LAN. As resources and users move to the cloud and telework, attempting to use VPNs for the corporate WAN creates significant issues with network latency and performance.
This is in addition to the security issues associated with a VPN-based WAN. VPN vulnerabilities are common, yet many organizations lag behind in their vulnerability management programs, leaving Internet-facing gateways unpatched for weeks or months after a fix is available. This combination places these companies at risk of attack.
The use of a modern WAN solution, like SASE, helps to eliminate these VPN-specific issues. SASE offers a number of different features that VPNs lack, such as:
- Integrated Security: A SASE point of presence (PoP) includes a fully integrated security stack. This enables it to provide the same level of security as routing traffic through the headquarters network without relying on centralized security infrastructure.
- Network Optimization: SASE PoPs integrate software-defined WAN (SD-WAN) functionality that enables optimal traffic routing between SASE PoPs. This optimized routing minimizes the latency of the SASE network.
- Location Independence: Many VPNs are implemented as physical appliances deployed on the corporate LAN. SASE PoPs are located in the cloud, enabling them to be deployed geographically near common traffic sources and destinations (cloud infrastructure, remote users, etc.). This minimizes the latency incurred by users due to their use of the SASE-based WAN.
These features enable SASE to provide superior network performance and security compared to VPNs. The design of SASE also makes it easy to deliver as a managed offering. This lets organizations hand over responsibility for patching and maintaining the network edge to the provider, which removes the burden of tracking and remediating the vulnerabilities that are so common in self-hosted VPN appliances. The provider still has to patch its own platform, but it does so centrally rather than relying on each customer to keep up.