Originally posted on LinkedIn by DataEndure Network Architect, Ross Rehart.
Virtual Private Networks (VPNs) came about in 1996 when Microsoft released the point-to-point tunneling protocol (PPTP) to secure connections between the user device and the internet resource(s) the user was connecting to. As the use of the internet grew, businesses began using VPNs to securely transmit data between sites. Eventually, the use of VPNs became ubiquitous, and are commonplace across businesses and homes today. Private VPN companies are thriving as users try to keep their internet use private. So, what’s the problem?
To put it simply, VPNs don’t inherently provide the security and safety they are touted to provide. Sure, once the tunnel is established, any traffic traversing the tunnel is encrypted (although not always with a secure protocol – more on that later). But what VPNs don’t provide is protection against malware, spoofing, phishing, man-in-the-middle (MITM) attacks, etc. Further, VPNs typically depend on an ages-old concept of using a static, pre-shared key to establish the initial connection. Home users who subscribe to pay-to-play VPN services don’t often consider that the VPN provider is gathering all the information that any other DNS provider (be it your own ISP or Google) would collect about the user’s browsing habits. Rarely do end-users ask, “How ‘private’ is my private VPN?” Think about the need for, and use of, a single pre-shared key. If end-users are using a BYOD device and have corporate VPN software configured with a pre-shared key (PSK), when they leave the company, or their device is compromised, then that key is no longer private. And, since every user has the same PSK configured then, effectively, every remote VPN connection could be compromised.
Like any other technology, VPN has gone through countless iterations over the years. In many businesses today, VPNs are still established using outdated and compromised protocols such as Authentication Headers (AH) for phase 1, or 3DES for phase 2. Which means the connections could be compromised as well. Triple Data Encryption Standard (3DES) was ‘retired’ in 2018 because it has long been declared insecure. However, NIST will not fully retire its use until the end of 2023. In fact, many of the major security appliance and software vendors still include DES and 3DES as encryption options within their devices and software. This is a clear and present threat to businesses when their employees’ BYOD could be compromised by using insecure connections to conduct business operations. MITRE ATT&CK even publishes all the methods by which VPNs can be compromised.
Regardless of the encryption being used, VPNs still present their single largest downfall: VPNs authenticate a machine to entire network segments and once connected, never check or re-check the machine to ensure it is meeting all the necessary security requirements of the business. These include up-to-date malware protection, software firewalls in place, fully patched OSs and applications, and properly authenticated end user(s). For bad actors, this is the promised land, as it enables and simplifies their movement east and west through the network. Simply put, with the threat actors present today, VPN cannot and should not be relied upon as a viable means of securing data streams for businesses.
So, what’s the answer?
The fact is, VPN was never designed to accommodate the way businesses work today. Since 2020, and more so since COVID, businesses have moved to a cloud-first mentality, where most corporate data and applications are widely distributed. This has lessened the effectiveness of connecting all users to a central site to access the data and applications they need to conduct day-to-day activities. Further, the bad guys have gotten infinitely more sophisticated over the past few years. There isn’t a day that goes by that we don’t hear about the latest company, including many security companies like LastPass and Sophos, being compromised by hackers. Businesses, CISOs, and IT managers are constantly on the defense.
Enter Secure Access Service Edge (SASE) architecture. SASE is a collection of technologies such as Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Zero Trust Network Access (ZTNA). SD-WAN has become the prevalent site-to-site connectivity option, as it can discern traffic at the application level. Let’s look at one of these technologies: ZTNA.
ZTNA, unlike VPN, starts with the premise that the device and user are untrusted when requesting a connection to a network or cloud-based resource. Effectively, the user and endpoint must ‘prove’ their worthiness to connect to the resource or application. With ZTNA, businesses set policies in place that a machine (user) must meet to be allowed access to the trusted resource. ZTNA software initially checks the machine for policy compliance and assigns it a ‘trust score’. The trust score is built by determining several factors including, something you are, something you know, and something you have + something you do (where, what, when). If the machine does not meet the minimum trust score, it is disallowed access. Once the machine and user are connected, the software constantly re-checks the machine for compliance. So, for instance, if a user disables the machine’s local firewall or anti-malware software, then the machine is no longer in compliance with policy, and the connection is terminated.
ZTNA allows businesses to control access at a micro level; giving only the access that is needed to the end-user vs. the broad access VPN affords. For instance, if a salesperson needs to connect to your CRM application, but nothing else on the same network segment (such as your back-end financial software), then the ZTNA software (via configured policies) provides access only to the CRM app and nothing more. This works without regard to application location.
In addition to significantly reducing security risks, ZTNA can help lower overall IT costs by eliminating the need for dedicated VPN appliances, reducing network complexity, and reducing IT overhead.
If you’d like to learn more about securing your network edge, the team at DataEndure can help. At DataEndure, our engineering teams are constantly evaluating the latest technologies in networking, security, and infrastructure to ensure we can offer the best possible solution to fit your needs. Our goal is simply to help you, your business, and your customers be safe, secure, and have the best Quality of Experience possible.
If you’d like to learn more, please feel free to reach out to us at: email@example.com or by phone at 800-969-4268.