The threat to and from your VPN Infrastructure

The early months of 2020 have changed how we think about our enterprise networks. Dial back a few months and many organisations assumed that the bulk of employee use of IT infrastructure was from campus and branch locations. Yes, remote access to corporate IT has been an accepted fact of life for some decades now and yes, many organisations had at least some of their workforce working remote to varying degrees. Also, the advent of cloud computing and Software-as-a-Service (SaaS) applications like Salesforce.com and Microsoft Office 365 had already reduced the dependency on the corporate network and the assets behind it. However, the typical CIO could trust that the bulk of enterprise IT activity was occurring within and from buildings bearing the logo of their corporation.

By Hardik Modi, AVP Engineering, Threat and Mitigation Products at NETSCOUT.

Sunday, 31st May 2020. Posted by Phil Alsop.

Fast forward to today and that world has flipped. Social distancing policies in the wake of the Coronavirus pandemic now have the workforce operating entirely remote. Our meetings have moved to the web and breakroom conversations are more likely to happen in a channel in our favourite collaboration tools. Yet, even as the workforce has moved remote, a lot of services that they rely on in a range of departments are still operating from a data centre or infrastructure that the corporation owns. And in most cases, access to these services is guarded by VPN infrastructure of some sort.

The VPN was critical to the IT environment prior to this crisis, but today it’s fair to say that it’s at the centre of the enterprise operations. It’s no surprise that the commercial vendors of these technologies are rapidly expanding their offerings, furiously working to catch up with the increased demand from their customers.

And while VPNs are security-enhancing technologies, there is a range of threat actors that aim to leverage them to further their own ends. Brute-forcing accounts to gain unauthorised access might be the most widely understood of these activities, but there are a few other techniques that also need to be countered.

VPN technologies are quite mature and widely deployed at this point. Any organisation of significance that a nation-state actor might be interested in can be assumed to have such infrastructure deployed.

Over the past few years, a number of vulnerabilities in popular implementations such as Citrix Netscaler have been published. In some cases, the vendor has been unable to rapidly publish patches to remedy the vulnerability that had been recognised. There can be a myriad of reasons for such delays, such as the complexity of the underlying vulnerability. Even in cases where patches are available, there are inevitable delays in getting them deployed, even in otherwise careful organisations.

Recent research by FireEye shows that nation-state actors have used these vulnerabilities to gain a foothold on the VPN infrastructure and stage successful intrusions of numerous targets. To make matters worse, without a proper forensic examination it is difficult to determine whether such systems have already been compromised, so applying the available patch isn’t enough on its own if there was a gap between the vulnerability becoming well known and the application of the patch.

Packages such as OpenVPN have a robust open-source community behind them and tend to be widely deployed in smaller organisations as well as in the education and non-profit sector. In our recent Netscout Threat Intelligence Report, we demonstrated how an OpenVPN vulnerability was used to launch volumetric DDoS attacks against a range of targets in 2019. In this case, even though a patch is available, the sheer prevalence of OpenVPN implementations means that there are plenty of vulnerable devices available to launch attacks against an unsuspecting target.

Even as VPN technologies become more important for ensuring secure access to the enterprise, the availability of the VPN service itself becomes critical to the enterprise. We at Netscout Arbor expect that DDoS attacks against remote access infrastructure, such as VPN concentrators, will increase during this period. Any degradation of such services can have severe impacts on an enterprise. In some cases, the design of such services can be faulty and not fully thought through. For example, if your VPN concentrator and public website are in the same netblock, an attack on your website might also cut off remote access for the web infrastructure team and deny them the ability to make changes to counter the threat.

In this respect, your VPN infrastructure can be targeted to launch attacks both against your organisation and even other targets.

It is important to give this technology the attention it deserves. In order to fend off those seeking unauthorised access, there are a number of measures worth considering. Here are some of the key ones:

• Always make sure you are proactively patching and securing your VPN infrastructure. There have been a number of high-profile vulnerabilities published in the past few years and threat actors are primed to take advantage of the next one that comes along. You want to narrow the window between the availability of the patch and its application.

• Two-factor authentication is a best practice for all access, but it is especially important when it comes to remote access.

• Monitoring remote access is key. Make sure your VPN logs are going to a SIEM and being correlated with other security monitoring. This can be especially valuable for incident response.
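The monitoring point above, and the brute-forcing of accounts mentioned earlier, are easiest to act on with concrete detection rules over the VPN authentication log once it reaches the SIEM. The following is an added example, not code from the article or from NETSCOUT: it parses a constructed syslog-style authentication log (the line format, field names and sample addresses are assumptions; real concentrators each have their own format) and flags three patterns an analyst would want correlated: a source generating many failures in a short window, a success from a source that had just been failing repeatedly, and one account succeeding from two different source addresses within an hour.

```python
"""Detection rules over VPN authentication logs (added example, not from the article).

The log format below is constructed for illustration: one line per
authentication attempt with an ISO-8601 UTC timestamp, the result, the
account and the client source address. Adapt LINE_RE to the format your
concentrator actually emits.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data; documentation-range addresses).
SAMPLE_LOGS = """\
2020-05-30T08:00:01Z vpn-auth FAILED user=jsmith src=203.0.113.7
2020-05-30T08:00:03Z vpn-auth FAILED user=jsmith src=203.0.113.7
2020-05-30T08:00:05Z vpn-auth FAILED user=jsmith src=203.0.113.7
2020-05-30T08:00:07Z vpn-auth FAILED user=jsmith src=203.0.113.7
2020-05-30T08:00:09Z vpn-auth FAILED user=jsmith src=203.0.113.7
2020-05-30T08:00:11Z vpn-auth OK user=jsmith src=203.0.113.7
2020-05-30T08:15:00Z vpn-auth OK user=aparker src=198.51.100.20
2020-05-30T08:20:00Z vpn-auth FAILED user=aparker src=198.51.100.20
2020-05-30T08:40:00Z vpn-auth OK user=aparker src=192.0.2.99
2020-05-30T09:00:00Z vpn-auth OK user=rlee src=198.51.100.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-auth (?P<result>OK|FAILED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_logs(text):
    """Return a time-sorted list of (timestamp, result, user, src) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line: skip rather than crash
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    events.sort()
    return events


def find_bruteforce_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Sources with at least `threshold` failures inside any sliding `window`.
    Returns {src: max failures seen in one window}."""
    failures = defaultdict(list)
    for ts, result, _user, src in events:
        if result == "FAILED":
            failures[src].append(ts)
    flagged = {}
    for src, times in failures.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(count, flagged.get(src, 0))
    return flagged


def find_success_after_failures(events, min_failures=3, window=timedelta(minutes=30)):
    """A success from a source that failed repeatedly just before it: the
    pattern of a guessed password that finally worked. Returns (user, src, failures)."""
    recent_fail = defaultdict(list)
    hits = []
    for ts, result, user, src in events:
        if result == "FAILED":
            recent_fail[src].append(ts)
        else:
            prior = [t for t in recent_fail[src] if ts - t <= window]
            if len(prior) >= min_failures:
                hits.append((user, src, len(prior)))
    return hits


def find_multi_source_logins(events, window=timedelta(hours=1)):
    """Same account succeeding from two different sources within `window`:
    a shared or stolen credential candidate worth correlating with other telemetry."""
    last_ok = {}  # user -> (timestamp, src) of the most recent success
    hits = []
    for ts, result, user, src in events:
        if result != "OK":
            continue
        if user in last_ok:
            prev_ts, prev_src = last_ok[user]
            if prev_src != src and ts - prev_ts <= window:
                hits.append((user, prev_src, src))
        last_ok[user] = (ts, src)
    return hits


def run_checks(text=SAMPLE_LOGS):
    """Run all three rules and return their findings in one dict."""
    events = parse_logs(text)
    return {
        "events": len(events),
        "bruteforce": find_bruteforce_sources(events),
        "success_after_failures": find_success_after_failures(events),
        "multi_source": find_multi_source_logins(events),
    }


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding}")
```

The thresholds and windows are deliberately parameters: the right values depend on the size of the workforce and on whether two-factor authentication is enforced (with 2FA, a success after a burst of failures is rarer and therefore more worth escalating). Each rule returns plain tuples so the output can be pushed back into the SIEM as an alert with the fields an incident responder will need.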

Alongside secure access, it’s very important that you’re focused on the availability of this infrastructure. Threat actors can inflict damage without an intrusion by denying access via a DDoS attack. We at Netscout Arbor have published Best Current Practices for the availability of secure remote access infrastructure. Here are some that might seem especially non-intuitive:

• Make sure your enterprise is not collateral damage in an online-game related DDoS attack by implementing split-tunnelled VPN as well as disseminating Acceptable-Use Policies (AUPs) to your remote workforce.

• Consider not identifying your VPN infrastructure by avoiding the use of the term ‘vpn’ when you create a hostname, e.g. don't use https://vpn.yourcompany.com.

• Use a commercial DDoS protection service, an on-premise Intelligent DDoS Mitigation System (IDMS), or a combination thereof to protect your infrastructure.
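Two of the availability points above, the hostname that advertises its role and the concentrator that shares a netblock with the public website (from the earlier paragraph on faulty design), can be checked mechanically against an asset inventory. The following is an added example rather than code from the article or from NETSCOUT: the inventory is constructed, the role-hinting words in the regular expression and the /24 prefix length are assumptions, and in practice the mapping would be populated from DNS records or the asset register and the prefix from the netblock actually routed.

```python
"""Self-check for remote-access exposure (added example, not from the article).

Two questions from the Best Current Practices discussed above:
  1. Which VPN hostnames reveal their role by name?
  2. Which VPN concentrators share a netblock with the public website, so that
     a DDoS on the website also takes out remote access?
"""
import ipaddress
import re

# Constructed inventory: hostname -> (role, public IPv4). Not real hosts.
INVENTORY = {
    "vpn.example.com":       ("vpn", "203.0.113.10"),
    "remote-gw.example.com": ("vpn", "203.0.113.11"),
    "www.example.com":       ("web", "203.0.113.20"),
    "access.example.com":    ("vpn", "198.51.100.5"),
}

# Words that announce a remote-access role to anyone enumerating DNS.
# The list is an assumption; extend it with your own product or naming conventions.
ROLE_HINTS = re.compile(r"(vpn|ssl-?vpn|remote-?access)", re.IGNORECASE)


def revealing_hostnames(inventory):
    """VPN hosts whose name contains a role-revealing word."""
    return sorted(
        host for host, (role, _ip) in inventory.items()
        if role == "vpn" and ROLE_HINTS.search(host)
    )


def shared_netblocks(inventory, prefix_len=24):
    """(vpn_host, web_host, netblock) triples where a VPN concentrator and a
    public web host fall inside the same /prefix_len. The prefix length is an
    assumption; use the netblock that is actually announced or routed."""
    blocks = {}
    for host, (role, ip) in inventory.items():
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        blocks.setdefault(net, []).append((role, host))
    findings = []
    for net, members in blocks.items():
        vpns = [h for r, h in members if r == "vpn"]
        webs = [h for r, h in members if r == "web"]
        for v in vpns:
            for w in webs:
                findings.append((v, w, str(net)))
    return sorted(findings)


def audit(inventory=INVENTORY, prefix_len=24):
    """Run both checks and return the findings."""
    return {
        "revealing_hostnames": revealing_hostnames(inventory),
        "shared_netblocks": shared_netblocks(inventory, prefix_len),
    }


if __name__ == "__main__":
    for name, finding in audit().items():
        print(f"{name}: {finding}")
```

A hit in `shared_netblocks` is the design flaw the article describes: a volumetric attack aimed at `www` saturates the link or the scrubbing that `remote-gw` and `vpn` also depend on, so the people who need to reconfigure the website lose their way in. The remedy is separation (a distinct netblock, ideally a distinct upstream or provider) rather than renaming, while renaming addresses only the first finding.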

Remote access in various forms is here to stay and even as our societies aim to get past the pandemic crisis, we can anticipate that the ‘new normal’ will include some means of continuing to do business without needing to do it all in person. The network and secure, continuous remote access to it will be key in this future.