De-Constructing Security of VPN-Based Remote Access
In these unprecedented times, workforces around the globe have been forced to work from home. While safety first is the order of the day, this has also put tremendous pressure on CISOs and security teams to test how ‘safe’ their organizations’ IT infrastructure and architecture really are. Needless to say, VPN-based remote access is the way to go for most. For all the right reasons, the appeal of a VPN is understandable: it is cost effective, easy to use and, most importantly, gives the perception of secure remote access.
However, what is interesting is this: I was just browsing through the primary use-cases of a VPN, and the results were amusing. The top 3 use-cases I saw were:
- Bypass restrictions from ISPs & governments to browse websites of choice by hiding & masking your source IP address
- Workaround to watch streaming media such as Netflix in places that restrict viewing of content on such platforms
- Protect yourself from being logged while torrenting
Well, I know the larger intent of a VPN and how it works for organizations, especially where a site-to-site VPN is in use. Elsewhere, a remote-access VPN is used, which requires the end users’ devices to have the VPN client installed. Yet, reading these results today, it is amusing that, to anyone who does not already know the enterprise use-case, none of them comes across as a compelling reason to opt for a VPN to secure access to critical IT systems and applications. None of the above use-cases speaks of the security a VPN can provide to an organization, of how it secures a user’s access or of how it protects critical data. They speak only of the anonymity a VPN offers while browsing the internet or using public Wi-Fi, in the name of safeguarding privacy: the traffic from the user’s machine to the VPN endpoint is encrypted, and the access appears to come from the organization’s private network. Are these reasons enough to make the VPN the go-to solution for securing remote work from home amid this global pandemic, especially for organizations that store confidential data and grant users critical access? Maybe not.
De-Constructing VPN Vulnerabilities
From an operational standpoint, a VPN setup is architecturally more complex, and more expensive to maintain, than the VPN-less approach described later in this article. Furthermore, it inconveniences users, who must go through manual, time-consuming steps to enter credentials and initiate a session.
From a security standpoint, the attack surface is much larger. Consider the scenarios below:
Scenario 1:
For organizations where remote workers use personal devices and need to access only a select few applications or systems, allowing access via a VPN client exposes them to a larger attack surface. The VPN client installed on the personal device brings the whole device onto the corporate network, so any other unknown or malicious application running on it gains a path to sensitive organizational servers and systems. This is a highly risky and undesirable scenario.
Scenario 2:
Let’s say, to tackle the above scenario, designated and hardened IT-managed desktops/laptops are issued to remote users. Notwithstanding the operational and cost burden of this arrangement, does it offer foolproof security? Research published by academics a few months ago identified a flaw in several Unix-like operating systems (tracked as CVE-2019-14899) that lets an attacker on the same local network as the VPN client determine that the user is on a VPN, infer which TCP connections are active inside the tunnel, and potentially inject data into those connections. In other words, VPN-tunnelled connections can be tampered with even from a hardened endpoint.
Another study, by a group of academics from the United States and Spain, found 13 programming errors across the 61 VPN systems tested. They also found that 6 of 200 VPN services monitored user traffic. That is nothing other than data leakage.
Weaknesses like these give an attacker the opening needed to inject malware onto the remote system, intercept and compromise the credentials of highly privileged accounts and exfiltrate sensitive information. All it takes is one compromised credential to bring an organization to its knees; it is not worth the risk.
Scenario 3:
With VPN-based access enabled, remote users are typically given access to the entire network, with no restrictive control whatsoever over which systems or applications they may reach. Most VPN concentrators can apply per-group access lists, but in practice the tunnel is often left flat. This exposes the entire infrastructure to every remote user, which again is high risk, since controlled privileges and need-based access are left unaddressed.
Furthermore, there is no proactive logging or tracking of what users do once connected. Governance becomes much harder, with accountability resting at best on whatever system logs the target hosts happen to keep.
Scenario 4:
VPN growth brings with it the need for more firewall, gateway and router appliances, each of which is itself exposed to the internet. A couple of years ago, Cisco released an advisory for a vulnerability that could allow an unauthenticated, remote attacker to cause the affected system to reload, or to stop processing incoming VPN authentication requests because of a low-memory condition.
From the above scenarios the baseline is clear: VPNs are fine for users who need access to non-critical information, but for those who need access to sensitive information and systems, a VPN on its own simply isn’t enough to keep that access secure.
Adopt a VPN-Less Approach
A modern and easy-to-deploy alternative is a remote privileged access system. The organization provisions a dedicated virtual server inside its IT-managed network and publishes that server’s IP address (or a dedicated URL defined by the IT team) on the internet. Any remote user who wishes to access the organization’s infrastructure connects to this server and authenticates over a TLS-encrypted session from the user’s machine. Once in, password-less (the target systems’ credentials are held by the server and never handed to the user) and role-based access can be defined for only the designated applications or systems, such as RDP, SSH or critical business applications. Because this published server is now the one piece of the environment exposed to the internet, it must itself be hardened: enforce multi-factor authentication on it, keep it patched and expose nothing but the TLS listener.
Moreover, such access works from any HTML5-capable browser. The real RDP or SSH session is opened from the server inside the organization’s premises; only a rendering of that session is streamed to the remote user’s browser. For any critical session, the user therefore sees only an HTTPS session, which is encrypted between browser and server. Furthermore, because the session is browser-mediated, copy/paste, and the extraction or download of data from the session to the end user’s machine, can be restricted, imposing stronger control measures.
Rest assured, all sessions initiated by remote users are fully logged and monitored, with comprehensive audit trails of who logged in to which system, at what time and what they did.
This improves governance and mitigates the risks of uncontrolled remote access: the user’s machine is isolated from critical systems and the network, and copying or moving data outside the network is restricted.
Integrate VPN with an Additional Layer of Security Framework
Where a VPN is already in place, mitigate the risks of VPN vulnerabilities by adding a privileged remote access layer on top of it. Instead of letting users reach critical systems transparently from the VPN, route all remote-user traffic through the privileged access management (PAM) server, and allow traffic from the VPN segment only to that PAM server. From the PAM server, access can be controlled more tightly and encrypted, and instead of exposing the whole network, dedicated need-based access to RDP, SSH and other critical applications can be defined per user. Needless to say, comprehensive logs and monitoring of user activity can be captured there as well.
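The segmentation described above, which is also the fix for the flat access of Scenario 3, as an added example that is not part of the original article and not Sectona’s own configuration: an nftables ruleset for the Linux host that terminates the VPN and forwards client traffic into the corporate network. The interface name, address pool, PAM server address and DNS server address are assumptions chosen for illustration, and the host is assumed to forward nothing other than VPN client traffic.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the article or from Sectona): nftables ruleset for the
# host that terminates the VPN and forwards client traffic into the corporate
# network. All names and addresses below are assumptions for illustration:
#   tun0            interface on which VPN client tunnels terminate
#   10.200.0.0/16   address pool assigned to VPN clients
#   10.10.5.20      the PAM / remote-access server, reachable on TCP 443 only
#   10.10.5.53      internal DNS, so clients can resolve the PAM server's name
# The host is assumed to forward nothing except VPN client traffic.
flush ruleset

table inet vpn_segmentation {
    set vpn_pool {
        type ipv4_addr
        flags interval
        elements = { 10.200.0.0/16 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to permitted sessions flow back; broken state is dropped early.
        ct state established,related accept
        ct state invalid drop

        # The flat policy of Scenario 3 would be a single line here:
        #     iifname "tun0" accept
        # Instead, VPN clients may reach only the PAM server, and only on TCP 443.
        iifname "tun0" ip saddr @vpn_pool ip daddr 10.10.5.20 tcp dport 443 accept

        # Name resolution for the PAM server's hostname, nothing else.
        iifname "tun0" ip saddr @vpn_pool ip daddr 10.10.5.53 udp dport 53 accept

        # Anything else leaving the VPN segment (RDP, SSH, SMB, lateral probes)
        # is logged at a bounded rate and then falls through to the drop policy.
        iifname "tun0" ip saddr @vpn_pool limit rate 10/second log prefix "vpn-denied: "
    }
}
```

Load it with `nft -f vpn.nft` and confirm with `nft list ruleset`. From a connected client, `nc -zv 10.10.5.20 443` should succeed, while `nc -zv` against any other internal host or port should time out and leave a `vpn-denied:` line in the kernel log. Two caveats: if the VPN also hands out IPv6 addresses, add an equivalent `ip6` set and rules, or the policy is bypassed over IPv6; and traffic addressed to the VPN host itself is handled by the input chain, not this forward chain. With this in place, only the PAM server needs an RDP or SSH path to the target systems, which is where the per-role allow-lists and session recording live.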
How Sectona Can Help Secure Remote Access
Sectona provides an easy-to-deploy Privileged & Remote Access Management solution that allows VPN-less or VPN-integrated secure access for remote work-from-home users. The solution seamlessly delivers RDP, SSH and web sessions over TLS on port 443, so it traverses corporate firewalls easily. With the added control of restricting data movement and isolating the user’s machine from your environment, it significantly reduces your attack surface.
Know more about Sectona Privileged Access Management here.