Remote Access Security: The Dangers of VPN

Millions of people worldwide are still working remotely to support shelter-in-place requirements brought on by the pandemic. For many workers, a remote workstyle is a preference that will likely become a more permanent arrangement. Enterprises have responded by expanding their use of VPNs to provide remote access to the masses, but is this the right choice for long-term access? 

Aside from enabling easy connectivity, enterprises also must consider the security of VPNs and whether their extensive use poses risks to the organization. (Spoiler alert: they do.) Long-term use alternatives must be considered due to VPNs’ failures where remote access security is concerned. One prominent alternative is Secure Access Service Edge (SASE) platforms with embedded Zero Trust Network Access (ZTNA) that alleviate the security dangers and other disadvantages of VPN. 

How One AI-Driven Media Platform Cut EBS Costs for AWS ASGs by 48%

How One AI-Driven Media Platform Cut EBS Costs for AWS ASGs by 48%

VPNs Put Remote Access Security at High Risk

In general, VPNs provide minimal security with traffic encryption and simple user authentication. Without inherent strong security measures, they present numerous risk areas: 

VPN users have excessive permissions 

VPNs do not provide granular user access to specific resources. When working remotely via VPN, users access the network via a common pool of VPN-assigned IP addresses. This leads to users being able to “see” unauthorized resources on the network, putting them only a password away from being able to access them. 

Simple authentication isn’t enough

VPNs do provide simple user authentication, but stronger authentication of users and their devices is essential. Without extra authentication safeguards – for example, multi-factor authentication, or verification against an enterprise directory system or a RADIUS authentication server – an attacker can use stolen credentials and gain broad access to the network. 

Insecure endpoints can spread malware to the network 

There is no scrutiny of the security posture of the connecting device, which could allow malware to enter the network. 

The full security stack doesn’t reach users’ homes

Enterprises have built a full stack of security solutions in their central and branch offices. This security doesn’t extend into workers’ homes. Thus, to maintain proper security, traffic must be routed through a security stack at the VPN’s terminus on the network. In addition to inefficient routing and increased network latency, this can result in having to purchase, deploy, monitor, and maintain security stacks at multiple sites to decentralize the security load. 

VPN appliances are a single point of failure 

For enterprises that support a large remote workforce connecting via VPN, there is high risk of business interruption if a VPN fails or is incapacitated, such as through a DoS attack. No appliance means no access for anyone who would connect to it. 

Some VPNs have known vulnerabilities 

Enterprises are responsible for monitoring for vulnerabilities and updating and patching devices as needed. Serious flaws that go unpatched can put organizations at risk. For example, in March 2020, it was reported that Iranian hackers were leveraging VPN vulnerabilities to install backdoors in corporate and government networks. The attack campaign targeted several high–profile brands of VPNs. 

VPNs add to overall network complexity 

Adding one or more VPNs to the data center to manage and configure adds to the overall complexity of network management, which could ultimately lead to greater security vulnerabilities. 

Network managers have limited visibility into VPN connections 

The IT department has no visibility into what is happening over these appliances. The user experience suffers when problems occur, and no one knows the root cause. 

Split tunneling provides opportunity for attack 

To alleviate VPN capacity constraints, organizations sometimes utilize split tunneling. This is a network architecture configuration where traffic is directed from a VPN client to the corporate network and also through a gateway to link with the Internet. The Internet and corporate network can be accessed at the same time. This provides an opportunity for attackers on the shared public network to compromise the remote computer and use it to gain network access to the internal network. 

VPNs Have Other Drawbacks

In addition to the security issues, VPNs have other drawbacks that make them unsuitable for long-term remote access connectivity. For example, an appliance has capacity to support a limited number of simultaneous users. Ordinarily this isn’t a problem when companies have 10% or less of their employees working remotely, but when a much higher percentage of workers need simultaneous and continuous access, VPN capacity can be quickly exceeded. This requires the deployment of more and/or larger appliances, driving costs and management requirements up considerably. Companies use workarounds like split tunneling to address lack of scalability, which can degrade traffic visibility and security. 

A Better Long-term Solution for Secure Remote Access

VPNs are no longer the only (or best) choice for enterprise remote access. Gartner’s Market Guide for Zero Trust Network Access (ZTNA) projected that by 2023, 60% of enterprises will phase out VPN and use ZTNA instead. The main driver of ZTNA adoption is the changing shape of enterprise network perimeters. Cloud workloads, work from home, mobile, and on-premises network assets must be accounted for, and point solutions, such as VPN appliances, aren’t the right tool for the job. 

The main advantage of ZTNA is its granular control over who gains and maintains network access, to which specific resources, and from which end user devices. Access is granted on a least-privilege basis according to security policies.  

But Zero Trust is only one part of a remote access solution. There are performance and ongoing security issues that aren’t addressed by ZTNA standalone offerings.  For example, all traffic still needs to undergo security inspection before proceeding to its destination. This is where having ZTNA fully integrated into a Secure Access Service Edge (SASE) solution is most beneficial.  

SASE converges ZTNA, NextGen firewall (NGFW), and other security services along with network services such as SD-WAN, WAN optimization, and bandwidth aggregation into a cloud-native platform. Enterprises that leverage a SASE networking architecture receive the benefits of ZTNA, plus a full suite of converged network and security solutions that is both simple to manage and highly scalable. SASE provides all this in a cloud-native platform. 

SASE solution enables remote users, through a client or clientless browser access, to access all business applications, via secure and optimized connection. The SASE Cloud, a global cloud-native service, can scale to accommodate any number of users without deploying a dedicated VPN infrastructure. Remote workers connect to the nearest SASE PoP – there are more than 60 PoPs worldwide – and their traffic is optimally routed across the SASE global private backbone to on-premises or cloud applications. The SASE’s baked-in security layer protects remote users against threats and enforces application access control. 

Contact us to upgrade your MPLS / SD WAN to a secure, cost-effective SASE.

Originally published by Cato Networks.

Latest Articles

On-Demand Webinar: CISO’s Roadmap to Cloud Security Excellence

Today’s CISOs face a daunting array of security threats. From ransomware and cloud misconfigurations to zero-day exploits and code vulnerabilities, the stakes have never been higher. Join our cloud security expert engineers for an enlightening webinar that delves deep into the state of cloud security in 2023. Learn about the best tools and practices that […]

Ganesh The Awesome Senior Pre & Post-Sales Engineer at GlobalDots
18th June, 2023
The fastest Zero Trust browsing & app access service

Welcome to our Solution Brief on Zero Trust, the future of cybersecurity. Our expert team at GlobalDots has prepared this to help you understand the key components of Zero Trust, and its role in securing modern business applications and data. Our Zero Trust solution covers all the critical components of ZTNA, including VPN replacement and […]

Ganesh The Awesome Senior Pre & Post-Sales Engineer at GlobalDots
9th March, 2023
Remote work & WFH Policies: FAQs Answered

We were recently approached by the press to provide some policy guidelines for companies adopting the hybrid or 100%-remote model. Truth be told, GlobalDots’ legacy of remote work dates back to the surge of Skype. Yes, we’ve been working remotely for quite a while, so for us, the Pandemic didn’t change much. How One AI-Driven […]

Shalom Carmel Chief Information Officer at GlobalDots
20th April, 2022
How to Keep Hackers Out of Your Distributed Environment

New normal, new challenges One of the outcomes of COVID-19 has been our newfound openness to remote work. According to a recent PwC survey, 41% of workers would now prefer their workdays to be fully remote, compared with 29% in January 2021, signaling the desire to work remotely is only ramping up. For cybersecurity teams, this new reality brings […]

Shalom Carmel Chief Information Officer at GlobalDots
19th December, 2021

Unlock Your Cloud Potential

Schedule a call with our experts. Discover new technology and get recommendations to improve your performance.

    GlobalDots' industry expertise proactively addressed structural inefficiencies that would have otherwise hindered our success. Their laser focus is why I would recommend them as a partner to other companies

    Marco Kaiser
    Marco Kaiser

    CTO

    Legal Services

    GlobalDots has helped us to scale up our innovative capabilities, and in significantly improving our service provided to our clients

    Antonio Ostuni
    Antonio Ostuni

    CIO

    IT Services

    It's common for 3rd parties to work with a limited number of vendors - GlobalDots and its multi-vendor approach is different. Thanks to GlobalDots vendors umbrella, the hybrid-cloud migration was exceedingly smooth

    Motti Shpirer
    Motti Shpirer

    VP of Infrastructure & Technology

    Advertising Services