Julie Preiss, September 9, 2021
Fortinet VPN Hack Highlights Essential Need to Replace Aging Network Security Technology
Today it was reported that nearly half a million Fortinet VPN login credentials were dumped on the dark web. The stolen data was sourced from about 13,000 devices across 74 countries. For security professionals, it's déjà vu all over again. Advice from the vendor, which began warning customers about a vulnerability (CVE-2018-13379) in June, is to temporarily disable the VPN until passwords can be reset.
Over the past year, VPN hacks against Pulse Secure, Palo Alto Networks, Citrix, LimeVPN and Android VPN vendors have dominated the news and have been the subject of repeated warnings from the U.S. Computer Emergency Response Team (CERT), National Security Agency (NSA), FBI and the U.K.’s National Cyber Security Centre (NCSC); just Google “VPN CVE” to find the latest. Despite this troubling data, VPN usage surged during the pandemic, with more than 85% of organizations saying in a June 2020 study that they were relying on VPNs for remote access.
We must finally and firmly ask ourselves, “Why is this 25-year-old technology still used by most enterprises and government agencies today?” It’s well-documented that VPNs create a huge attack surface and threat actors can easily find open ports of entry to exploit. In a world where cyberattackers already have first-mover advantage, leaving VPNs in place gives them every opportunity to exploit the many weaknesses of this antiquated and inadequate technology.
VPNs: Big Three Security Flaws
- VPNs aren’t designed to secure distributed, hybrid IT infrastructure
- VPNs have easily scannable open ports
- VPNs base trusted access on the user’s IP address, making it easy to gain access with stolen credentials
How to Tackle VPN Security Issues
So how do you combat the VPN crisis? Get rid of them. It may sound easier said than done, but the good news is you don’t have to go on a rip-and-replace rampage. Start with your most critical access concerns and move practically across the network until you’ve addressed the most pressing security gaps. Nearly every enterprise and government agency has VPNs ingrained in its security stack. Take comfort that you’re not alone in the journey, nor are you forging an unknown path. VPN replacement is the most prevalent use case we encounter today for customers seeking a modern secure remote access solution based on Zero Trust principles. You can read some of their stories here.
Many organizations share the same concerns about VPN replacement, including:
- Sunk costs: because VPNs are embedded in tech stacks worldwide, the biggest objection is simply that the investment has already been made. We recommend an incremental VPN-to-Zero Trust Network Access (ZTNA) migration strategy that addresses this concern. To start, divert budget earmarked for new secure access initiatives away from VPNs (or other aging technology) to a ZTNA solution. Another avenue is to replace VPNs that need an expensive hardware refresh.
- Known vs. unknown: the fact that VPNs have been around a quarter of a century makes them a very “known” entity. Organizations are used to working with and around them. Retraining staff and fielding service desk calls may be initial objections to adopting a ZTNA solution, but these are short-lived when stacked against benefits that include reduced complexity, improved user experience and performance gains.
- Extra workload: a natural concern is that tech stack additions could create over-tooling vs. consolidation. But a ZTNA solution can reduce dependency on VPN, NAC and firewall solutions without a “rip and replace.” This is due to the extensibility of a single, private access platform and centralized policy engine overlay that solves the secure access limitations of legacy tools. So, you can cut the number of firewall rules to manage; end new VPN investments and ease concentrator choke points; and eliminate future complex and expensive NAC installments. These operational benefits mean your overburdened security and IT team can focus on business initiatives vs. mundane policy management tasks inherent with legacy network security tools.
When it comes to VPN replacement, we encourage organizations to start small, think big and scale as you go. We mapped out a five-step process that breaks these seemingly insurmountable obstacles into manageable actions in an e-book titled, Five Steps for Successful VPN to ZTNA Migration, that you can read here. The basics are:
- Understand your current VPN landscape
- Develop a roadmap to transition to modern, ZTNA technology
- Start wherever makes sense to your organization
- Implement your first use case
- Scale as you learn and grow
The Fierce Urgency of Now: VPNs Must Go
It’s likely another major breach involving vulnerable VPNs will hit the headlines soon. We urge organizations to act now to replace or augment their legacy VPN with modern security grounded in Zero Trust principles. The increasingly sophisticated cyberthreat landscape, combined with the proliferation of work-from-anywhere business models, makes it imperative. Start small but think big in terms of long-term security goals. By starting with a manageable ZTNA use case, your IT and security team can leverage its knowledge and expertise for incremental enterprise-wide implementation. This ensures stakeholder support, better user adoption and minimal business interruption.