VPN Servers are an Overcomplicated Security Liability
Written by Marc Barry
Users report significant performance and security problems
There is a boom in remote working, we’ve all adapted. The VPN server has not.
Before the global pandemic hit, we saw the undercurrents of a general trend towards remote working starting to emerge, but the seismic shift in social acceptance and wide-scale, rapid adoption over the last two years have pushed the technologies we used to rely on towards and in some cases past breaking point.
Once reserved for the few occasional home-workers, the seemingly proven VPN server is now asked to handle the needs of the many. If you need to turn the VPN off to get a reliable video call, you’re not alone.
The VPN server was created to extend the office, not replace it. In our remote-first reality, the majority of an organisation's network traffic originates from outside the office, destined for systems that don't exist inside the office, but the last twenty years of VPN design say we must backhaul all of that traffic through the office regardless.
Beyond the bandwidth inefficiencies that can have a significant impact on productivity, the VPN server wants to place remote users directly onto the local network. Unless the administrators sink into the weeds of IP addresses and access control lists to enforce micro-segmentation of the network, your remote users have unrestricted lateral access to the rest of the subnet, an incredibly dangerous foundation upon which to build the security of your business.
We’re still not done sign-posting the problems with the VPN either. We’ve discussed bandwidth inefficiencies and lateral movement on the local network with an assumption that each user on the VPN is at least authenticated and authorised.
But what if they’re not?
The VPN server needs to accept connections from remote workers by having one arm placed out onto the public Internet. That public arm is a doorway into your network, not just for your remote workers, but for anybody who cares to knock. An inbound connection has to be accepted so that the incoming party can be challenged to provide the appropriate credentials.
This is the fatal flaw in the VPN server that allows attackers with knowledge of unpatched bugs and security flaws to walk straight into your network. Despite decades of critical vulnerability discoveries, the only defence available remains to apply the latest patches. But until a discovered flaw is publicly disclosed to the vendor, patched, released, and applied to your VPN server, there is simply no defence against a zero-day exploit. The VPN server is a sitting duck.
The National Security Agency (NSA) in the US, and its UK counterpart the National Cyber Security Centre (NCSC), have been flagging vulnerabilities in VPNs for years, with no respite. Users in the government, military, academia, business, and healthcare sectors have all been hit by zero-day vulnerabilities.
Today, the VPN server represents an undefendable access point for attackers into the business and an open door for lateral movement inside the network, and, with so much home-user-originated traffic destined for the public Internet or cloud services, it is unsustainable to expect the VPN server to be the technology powering business for the next twenty years.
The Future of Remote Working
A study performed by 'DH2i' in 2021 shows one thing very clearly: the pain points IT professionals are experiencing with VPNs, particularly around the security and operation of the technology. The study also examined the state of VPNs prior to the pandemic, when the remote working situation had not yet compounded the existing pressures on this already creaking technology. The study found that nearly two-thirds (62%) of VPN operators found significant problems with security, and two in five (39%) respondents said they believed unauthorised users had accessed their corporate network.
Remote working is here to stay. IT managers must find a way to redefine how access is provided.
More Productivity, Less Complexity
In today's IT environment employees are working remotely from hundreds of different locations, with workloads usually traversing multiple clouds and networks. Managing and deploying traditional technology to monitor and secure this ever-evolving environment becomes incredibly arduous and ever more complex.
Joining the critical control points of users, devices, workloads, and networks can be challenging, especially when relying on a system that was never designed for such a rapidly developing IT environment.
Distributed work, however, must not hinder productivity. On the contrary: Companies need a way of working together to be even more productive than within traditional ‘castle’ type systems. It is not only about enabling easier sharing of data between security controls, but also about enhancing coordination between Security, IT, operations, and development teams to act faster and with greater efficiency.
Alternative Solutions Welcomed
Many businesses also revealed in the ‘DH2i’ survey that they were not completely wedded to the idea of using VPN services. The study found that 86% of respondents would consider an alternative if it could offer improvements in terms of security, configuration and management, cost, performance, or availability.
89% of the respondents went further, noting that if they could limit remote users’ access to specific applications or services without creating a network attack surface, they would immediately embrace an alternative to VPNs.
Simply gaining access
For most workers, the priority is to get easy and trouble-free access. And with an IT department also ensuring that all remote working employees not only have uninterrupted access, but that it is secure on both ends (and everywhere in-between), the doors are wide open for a VPN alternative.
Zero Trust Network Access
Enter the Zero Trust mindset and Zero Trust Network Access technologies.
The Zero Trust architecture represents a shift in our collective mindset, flipping the paradigm that imagines our networks as hard shells with squishy centres into one where we remove all implicit trust and adopt a posture that assumes compromise.
If we accept the principles of Zero Trust, we can define what post-VPN access could look like:
All applications and access points are hidden from discovery, with no public visibility.
All access is restricted via a trust broker.
The broker verifies the identity, context, and policy for each access.
Lateral movement in the network is prohibited.
We significantly reduce the surface area available for attack.
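To make these principles concrete, here is an added example (not code from the original post, nor from Enclave or any other product) of a minimal trust broker modelled in Python. It contrasts the VPN model, where one successful credential check places the user on the subnet with reach to every host, against a broker that evaluates identity, device context and a per-service policy on every access request and reveals nothing about services the caller is not entitled to. All users, devices, services, countries and policy rules are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Context:
    """What the broker knows about one access attempt (constructed fields)."""
    user: str
    device_id: str
    device_managed: bool   # enrolled in the organisation's device management
    os_patched: bool       # device posture signal
    mfa_verified: bool     # strong authentication completed for this session
    source_country: str


@dataclass
class Policy:
    """Per-service policy; the service is only reachable through the broker."""
    service: str
    allowed_users: Set[str]
    require_managed_device: bool = True
    require_mfa: bool = True
    allowed_countries: Set[str] = field(default_factory=lambda: {"GB"})


# The deny reason is identical for "no such service" and "not your service",
# so an unauthorised caller cannot enumerate what exists behind the broker.
HIDDEN = (False, "no such service for this identity")


@dataclass
class TrustBroker:
    policies: Dict[str, Policy] = field(default_factory=dict)
    # Device inventory the broker trusts: device_id -> owning user (constructed).
    known_devices: Dict[str, str] = field(default_factory=dict)

    def register(self, policy: Policy) -> None:
        self.policies[policy.service] = policy

    def enrol_device(self, device_id: str, user: str) -> None:
        self.known_devices[device_id] = user

    def public_listing(self) -> List[str]:
        """An unauthenticated observer sees no services at all."""
        return []

    def evaluate(self, ctx: Context, service: str) -> Tuple[bool, str]:
        """Default deny: every check must pass for this one request."""
        policy = self.policies.get(service)
        if policy is None or ctx.user not in policy.allowed_users:
            return HIDDEN
        if self.known_devices.get(ctx.device_id) != ctx.user:
            return False, "device not enrolled to this user"
        if policy.require_mfa and not ctx.mfa_verified:
            return False, "multi-factor authentication required"
        if policy.require_managed_device and not (ctx.device_managed and ctx.os_patched):
            return False, "device posture does not meet policy"
        if ctx.source_country not in policy.allowed_countries:
            return False, "location not permitted by policy"
        return True, "allowed"

    def reachable(self, ctx: Context) -> Set[str]:
        """Services this context can actually reach; nothing else is visible."""
        return {s for s in self.policies if self.evaluate(ctx, s)[0]}


def vpn_style_access(password_ok: bool, subnet_hosts: Iterable[str]) -> Set[str]:
    """Traditional VPN: one credential check, then every host on the subnet."""
    return set(subnet_hosts) if password_ok else set()


def build_demo_broker() -> TrustBroker:
    """Constructed sample deployment: two services, two users, one enrolled device."""
    broker = TrustBroker()
    broker.register(Policy("payroll", allowed_users={"alice"}))
    broker.register(Policy("wiki", allowed_users={"alice", "bob"}, require_mfa=False))
    broker.enrol_device("laptop-01", "alice")
    broker.enrol_device("laptop-02", "bob")
    return broker


if __name__ == "__main__":
    broker = build_demo_broker()
    alice = Context("alice", "laptop-01", True, True, True, "GB")
    bob = Context("bob", "laptop-02", True, False, False, "GB")
    print("VPN model, bob authenticated:", vpn_style_access(True, ["payroll", "wiki", "db"]))
    print("Broker, alice reachable:", broker.reachable(alice))
    print("Broker, bob reachable:", broker.reachable(bob))
    print("Broker, bob asks for payroll:", broker.evaluate(bob, "payroll"))
    print("Public listing:", broker.public_listing())
```

In the VPN branch a single password check yields the whole subnet, including hosts the user has no business reaching. In the broker branch the same user is told only about services policy grants, each decision is taken per request against the current device and session state, and a request for a service the identity is not allowed to see is indistinguishable from a request for a service that does not exist.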
Zero Trust Network Access (ZTNA) is the name we give to the group of technologies and solutions that can be deployed in place of the VPN server to help us implement this updated model for remote work. Depending on how your ZTNA solution is architected, it can bring significant benefits not just to security, but also to management overheads, configuration costs, performance, and the general availability of access.
Enclave is a new kind of ZTNA solution designed for both users and servers which can be deployed without changing your existing network. It's a simple, fast, and elegant way to securely connect home workers, servers, cloud resources and containers together wherever they are, without the challenges of a VPN server.
There are no appliances to deploy, no network changes to make and no requirements to rip and replace existing systems or infrastructure to get started.
So if you’ve got better things to do than troubleshoot the VPN, Enclave can help tame your network, replace the VPN server, and offer a simple on-ramp towards 100% ZTNA coverage.
Enclave is free forever for up to ten systems and you can have your first systems protected with Zero Trust network access in under 5 minutes.