Michael FriedrichJuly 22, 2021
CISA Issues New Warning About Pulse Secure VPN Vulnerabilities
It’s time to enact a Zero Trust Network Access strategy
Another day, another warning about how inadequate VPNs can’t protect organizations from today’s threats. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is advising administrators to act on its just released analysis of 13 malware samples discovered on compromised Pulse Secure devices. This follows similar warnings issued earlier this year by CISA.
It’s time to tackle the issue head-on because CISA isn't the only entity raising a red flag. The White House Executive Order on Improving the Nation’s Cybersecurity requires all federal agencies develop a plan to implement a Zero Trust architecture, identify activities that will have the most immediate security impact and include a schedule to implement them. Certainly, augmenting or replacing vulnerable VPNs fall into that bucket.
The shortfalls of the antiquated VPN are well documented. Notable recent attacks have targeted Pulse Secure, Cisco Any Connect, Palo Alto and Fortinet. Cyber adversaries understand the technology is outdated and was never designed to solve for today’s complex IT and threat environment.
Former U.S. CISO and Brigadier General USAF (ret.) Gregory Touhill has a rule of thumb about technology: “One human year equals 25 computer years.” If you apply that to the VPN, then this technology introduced in 1996 is 625 years old. What technology from 1996 are you still using today?
While change can be difficult, it also can be positive when done for the right reason, particularly in light of recurring attacks against VPN vulnerabilities such as those found within Pulse Secure. When VPNs first came out, they were state of the art. But now 625 technology-years older, they are inflexible, unresponsive, undynamic and unscalable. Threats have evolved and security technology must do the same. Some VPN limitations include:
- Exposed edges: VPNs can be queried to discover the OS and version, paving the way for cyberattackers to get in using common hacking tools
- Over-privileged access: VPNs are dependent on overly complex firewall rules to prevent lateral movement
- Limited throughput: a typical VPN maxes out below 1Gbps which adds extra costs and complexities
- Vulnerable to man-in-the-middle attacks: VPNs do not validate certificates on both sides of the communication path
- No direct route to workloads: users coming into a central VPN access point are then routed on the backend which causes latency, frustrates users and creates complicated dependencies
- Lack of scale: VPNs can't handle an influx of users. During the height of the pandemic, organizations were forced to ration VPN time to prevent a complete system meltdown
A modern approach to solving these network access issues, including eliminating concerns about VPN vulnerabilities, is to deploy a solution grounded in Zero Trust. One way is with a software-defined perimeter (SDP). It only grants access for authenticated users to the specific resources they need to accomplish a task during a specific moment in time. When compared to the VPN limitations mentioned above, SDP overcomes every one of them:
- Eliminates exposed edges: SDP cloaks the edges using single packet authorization (SPA) making them undiscoverable to preying eyes and greatly reducing the risk of DDoS attacks
- Provides least privilege access: By default, SDP only provides user access to resources needed to do a task at any given point in time if the right conditions are met
- Offers high throughput: a typical SDP gateway achieves 8Gps or higher throughput
- Stops man-in-the-middle attacks: SDP uses mTLS technology to ensure certificates are validated on both sides of the communication path every time
- Applies 1:1 connections: SDP routes users directly to protected workloads
- Delivers agile scalability: SDP is not dependent on a unified state table making scaling seamless and automated
Zero Trust starts with secure Zero Trust Network Access (ZTNA), but it will be a multi-year journey to complete your roadmap. Though we advocate "#killtheVPN,” we also understand it won't happen overnight. Under the CISA advisory, patch those Pulse Secure VPNs immediately, then start to consider what your Zero Trust roadmap looks like. With Appgate SDP, in quick order you can strengthen and simplify access controls to realize immediate security and operational benefits while simultaneously laying a foundation for your future network security architecture.
To learn more, I invite you to: