Search
Appgate SDP
Appgate SDP Overview
Learn how Appgate SDP reduces risk and complexity, and why it's the industry's most comprehensive Zero Trust network access solution.
How Appgate SDP Works
Find out about the inner-workings of the most flexible and adaptable Zero Trust Network Access solution available today.
Appgate SDP Integrations
Explore security, IT and business-system integrations that can enhance and help you adapt Appgate SDP to your existing workflows
Appgate SDP for Developers
Access developer tools and resources to maximize the value of your Appgate SDP deployment.
Use Cases for Securing:
Risk-Based Authentication
Overview
Learn how Risk-Based Authentication provides a frictionless, intelligent and data-informed approach to user authentication.
Strong Authentication
Find out how you can provide secure, frictionless access with the right multi-factor authentication method.
Transaction Monitoring
Explore the tools you can use to intelligently identify and prevent online fraud.
Behavioral Biometrics Service
Learn how behavioral analysis and machine learning stop fraudulent online web activity in real-time.
Secure Consumer Access for:
Digital Threat Protection
Overview
Discover how you can gain unparalleled threat visibility and the risk management tools that enable early identification and elimination of potential attacks.
Key Features
Take a deep dive into the features and tools contained within our industry-leading Digital Threat Protection (DTP) solution.
FEDERAL DIVISION

Michael FriedrichJuly 22, 2021

CISA Issues New Warning About Pulse Secure VPN Vulnerabilities

It’s time to enact a Zero Trust Network Access strategy

Share

Another day, another warning about how inadequate VPNs can’t protect organizations from today’s threats. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is advising administrators to act on its just released analysis of 13 malware samples discovered on compromised Pulse Secure devices. This follows similar warnings issued earlier this year by CISA.

It’s time to tackle the issue head-on because CISA isn't the only entity raising a red flag. The White House Executive Order on Improving the Nation’s Cybersecurity requires all federal agencies develop a plan to implement a Zero Trust architecture, identify activities that will have the most immediate security impact and include a schedule to implement them. Certainly, augmenting or replacing vulnerable VPNs fall into that bucket.

The shortfalls of the antiquated VPN are well documented. Notable recent attacks have targeted Pulse Secure, Cisco Any Connect, Palo Alto and Fortinet. Cyber adversaries understand the technology is outdated and was never designed to solve for today’s complex IT and threat environment.

Former U.S. CISO and Brigadier General USAF (ret.) Gregory Touhill has a rule of thumb about technology: “One human year equals 25 computer years.” If you apply that to the VPN, then this technology introduced in 1996 is 625 years old. What technology from 1996 are you still using today?

While change can be difficult, it also can be positive when done for the right reason, particularly in light of recurring attacks against VPN vulnerabilities such as those found within Pulse Secure. When VPNs first came out, they were state of the art. But now 625 technology-years older, they are inflexible, unresponsive, undynamic and unscalable. Threats have evolved and security technology must do the same. Some VPN limitations include:

  • Exposed edges: VPNs can be queried to discover the OS and version, paving the way for cyberattackers to get in using common hacking tools
  • Over-privileged access: VPNs are dependent on overly complex firewall rules to prevent lateral movement
  • Limited throughput: a typical VPN maxes out below 1Gbps which adds extra costs and complexities
  • Vulnerable to man-in-the-middle attacks: VPNs do not validate certificates on both sides of the communication path
  • No direct route to workloads: users coming into a central VPN access point are then routed on the backend which causes latency, frustrates users and creates complicated dependencies
  • Lack of scale: VPNs can't handle an influx of users. During the height of the pandemic, organizations were forced to ration VPN time to prevent a complete system meltdown

A modern approach to solving these network access issues, including eliminating concerns about VPN vulnerabilities, is to deploy a solution grounded in Zero Trust. One way is with a software-defined perimeter (SDP). It only grants access for authenticated users to the specific resources they need to accomplish a task during a specific moment in time. When compared to the VPN limitations mentioned above, SDP overcomes every one of them:

  • Eliminates exposed edges: SDP cloaks the edges using single packet authorization (SPA) making them undiscoverable to preying eyes and greatly reducing the risk of DDoS attacks
  • Provides least privilege access: By default, SDP only provides user access to resources needed to do a task at any given point in time if the right conditions are met
  • Offers high throughput: a typical SDP gateway achieves 8Gps or higher throughput
  • Stops man-in-the-middle attacks: SDP uses mTLS technology to ensure certificates are validated on both sides of the communication path every time
  • Applies 1:1 connections: SDP routes users directly to protected workloads
  • Delivers agile scalability: SDP is not dependent on a unified state table making scaling seamless and automated

Zero Trust starts with secure Zero Trust Network Access (ZTNA), but it will be a multi-year journey to complete your roadmap. Though we advocate "#killtheVPN,” we also understand it won't happen overnight. Under the CISA advisory, patch those Pulse Secure VPNs immediately, then start to consider what your Zero Trust roadmap looks like. With Appgate SDP, in quick order you can strengthen and simplify access controls to realize immediate security and operational benefits while simultaneously laying a foundation for your future network security architecture.

To learn more, I invite you to:

Receive News and Updates From Appgate