Skip to main content

The death of remote access VPN

The death of remote access VPN
(Image credit: Altalex)

Remote Access VPN, also known as business VPN, is an important technology that has been around for decades. It allows remote workers to connect their devices to the company network over the public internet; thus allowing them to function as if they were inside the corporate network. In this regard, business VPN differ from personal VPN used for creating anonymity while surfing the web.

About the author

Peter Ayedun is the CEO of TruGrid.

The problem with Remote Access VPN is that they are no longer suitable for a mobile workforce with rampant and unabating cybersecurity threats. To emphasize this problem, a Gartner’s June 2019 analysis predicts that by 2023, 60% of enterprises will phase out their Remote Access VPN in favor of Zero-Trust Network Access. 

Fast forward to June 2020 and it is evident that the shift to work from home as a result of the COVID-19 pandemic has further exposed VPN weaknesses and may therefore accelerate its demise faster that Gartner predicts.

According to US DHS on April 8, 2020, “the surge in teleworking has increased the use of potentially vulnerable services, such as virtual private networks (VPN), amplifying the threat to individuals and organizations”. The problems facing VPN can be broadly split into END USER vulnerabilities and GATEWAY vulnerabilities.

VPN end user vulnerabilities

The original flaw of the VPN is that it establishes too much trust between the remote device and the corporate network. While the VPN tunnel between a remote worker and corporate network is cryptographically secure, the trust between the two is easily exploited. As a result, threats (including ransomware) affecting the remote worker device or network can travel to, and infect, the corporate network. Segmenting a company network to limit access over VPN is an arduous task and does not guarantee security from lateral threat movements. 

Using company-issued devices with corporate security safeguards can minimize threats, but does not eliminate them. Allowing remote workers to use personal devices to connect to corporate networks over VPN dramatically increases the risk to the company because personal devices often lack the safeguards installed on company devices.

When a remote worker is away from the company network, threats such as email phishing, malware attacks, and data exfiltration are more likely to succeed. The problem has gotten so bad that NASA released a bulletin on April 6, 2020, strongly encouraging employees and contractors working remotely over VPN to “refrain from opening your personal email or non-work related social media on your NASA computer systems/devices. Also, be cautious before clicking on links in text messages and social media”. 

NASA released these warnings after witnessing a doubling of email phishing attempts, exponential increase in malware attacks, and doubling of internet sites being blocked by NASA mitigation systems.

Essentially, using a business VPN is tantamount to putting a remote device inside the company network, without all the safeguards of the company network. Successful attacks on a remote device or network can easily make their way to the corporate network.

VPN gateway vulnerabilities

On the corporate network where VPN gateways are often hosted, there continues to be multiple vulnerabilities. Like all technologies, VPN gateways need to be constantly patched to improve security. However, because they are exposed to the entire world, they are far more targeted than most systems. As a result, VPN needs to be updated more frequently. The challenge is that many companies rely on their VPN to be up at all hours of the day to provide access to employees and contractors working remotely. This often causes VPN gateway appliances to go unpatched for months or years, and thus more vulnerable to new attacks. 

The scale of attack against VPN gateways is best illustrated by the many security warnings issued by both the USA NSA and UK NSC over several months. The vulnerabilities are so widespread that government agencies released new bulletins shortly after new patches were released. The problems found were so egregious that some were pre-authentication – meaning that access could be granted to several affected VPN systems without successful login.

Of the many organizations that succumbed to VPN gateway vulnerabilities, one of the most notable is Travelex of UK. Travelex is the world's leading foreign-exchange business with a presence in 30 countries where it exchanges currency for 40 million customers each year. As a result of a VPN vulnerability that was not patched, Travelex entire operation was crippled for over two weeks, beginning December 31, 2019. It was reported on April 9, 2020 that Travelex paid $2.3 million in cyberattack ransom to restore operations. The attack reportedly cost over $30 million to its Q1 financials. On April 22, Travelex puts itself up for sale!

Stop for a moment to reflect on this … the largest travel exchange company in the world may go out of business because of a successful attack against its VPN system!

Zero-trust network access

The solution to the gaping problems exposed by VPN weaknesses is a system that does not create any trust between the remote worker devices and company network; and which authenticates remote workers in the cloud or away from company network before granting access to only authorized systems. Systems that fit this category are often referred to as Zero-Trust Network Access.

An effective zero-trust system will support any remote device (personal or company-issued). It will allow remote devices to login to a cloud broker or gateway for initial authentication requiring multi-factor system. Only when this arms-length authentication is successful will the remote worker be given access to the specific system they are authorized. An effective zero-trust system will not allow any threat on the remote worker device or network to traverse the company network, and will automatically update itself against new threats.