“Friends don’t let friends use VPN.” I read this claim in a blog post by Matthew Sullivan (to whom all creative credit goes) and was immediately sold on the line. In this blog post we’ll discuss why classic VPN (Virtual Private Network) solutions are no longer ‘good enough’ for businesses to enable remote working and teleworking. For clarity, when we talk about VPN, we are specifically not talking about point-to-point managed VPN connections that bridge two sites, or about commercial VPN services (which are assumed to give a more private and secure Internet browsing experience).
VPN – Virtual Private Network – goes back to the nineties. In 1996, Microsoft employee Gurdeep Singh-Pall ‘invented’ PPTP (Point-to-Point Tunneling Protocol). It offered a method to implement virtual private networks and a secure Internet connection. Back in 1996, the world counted 36 million Internet users (source), two thirds of them based in the US. There were a staggering 100,000 websites, Netscape was the browser of choice, and at 33.8 kbps users were able to surf the web at the speed of light. VPN was the appropriate tool at that time. Of course, times have changed.
The typical security issues with enterprise VPN
· Once you’re in, you’re really ‘in’
According to an IDC analysis, more than 40% of security breaches come from authorized users such as contractors, vendors and employees. This matters because VPNs typically lack the granular controls needed to grant users specific rights. Once a remote user is authenticated by a VPN, that user is considered trusted and gets access to anything on the company network. That leaves the company network and its resources pretty vulnerable and open to attacks or data leakage.
VPN user access management is not only linked to Active Directory (AD) but also to device certificates. That implies that when an employee leaves the company, their device certificate needs to be revoked – and, as you can guess, that is unfortunately often forgotten.
· Need to always run last version
VPN platforms are pretty popular. Also with hackers. No platform enjoys absolute security, and that’s certainly also the case for VPN platforms. In the past year alone, many of the most popular and widely used VPN platforms have been breached at the core (and not just at the end-point). In some cases it took vendors weeks to come up with a security patch that would put a cork in the hole. The following is just a small list of recent vulnerabilities per platform:
- Palo Alto Networks Security Advisory PAN-SA-2019-0020, in relation to CVE-2019-1579;
- FortiGuard Security Advisories FG-IR-18-389, in relation to CVE-2018-13382; FG-IR-18-388, in relation to CVE-2018-13383; FG-IR-18-384, in relation to CVE-2018-13379;
- Pulse Secure Security Advisory SA44101, in relation to CVE-2019-11510, CVE-2019-11508, CVE-2019-11540, CVE-2019-11543, CVE-2019-11541, CVE-2019-11542, CVE-2019-11539, CVE-2019-11538, CVE-2019-11509, CVE-2019-11507;
- Citrix Security Advisory CTX267027, in relation to CVE-2019-19781.
The message is clear, especially given that it’s easy to detect which VPN technology is used by whom: always run the latest version, always apply all security patches, and do it immediately. To be honest, this should be default procedure for any software solution these days.
· Just doing login/password
Multi-Factor Authentication (MFA) is the absolute minimum users need to authenticate with VPN. Unfortunately, it’s still not the default in many organizations… and that’s like leaving the door to your house wide open. Many user passwords have already been hacked and are collected in databases on the dark web (honestly, even I can find them). What’s more, by just trying “123456” as a password, hackers already have an amazing chance to get in. For completeness, the most common passwords according to SplashData in 2019 were:
- 123456
- 123456789
- qwerty
- password
- 1234567
- 12345678
- 12345
- iloveyou
- 111111
- 123123
And if you force users to have at least one number and one letter in a password, #11 on the list is ‘abc123’. No wonder a study from Microsoft found that using MFA blocks account takeover attacks in 99.9% of cases. Bottom line: use MFA. Always. It’s an absolute minimum.
· Compromised devices
End-users activate the VPN connection via a VPN client on their device – typically a laptop. Once the link between the device and the company network is made, the gates to Valhalla are typically open, even if that authentication happened with additional security such as MFA. That means: if the device running the VPN client is compromised with malware, opening a VPN connection can also let the malware find its way into your company network.
That’s the reason why you only want to enable VPN on devices that are company-owned and managed. IT needs to have optimal control of the device, and be certain that it runs the latest OS version and patches, has an active anti-malware service, etc. For exactly those reasons, running VPN on user-owned devices is an absolute no-go from a security perspective.
Furthermore, the fact that there is likely – probably – confidential data sitting on the end-user device is a security risk in itself, also for managed devices.
The flexibility and UX-side of VPN
The idea of VPN is to extend a device on a home network (for example) into the company network; basically, the device acts as if it were running in the LAN. This has some consequences:
- users can typically use all local software and files running on the device itself;
- when accessing assets on the company network, they are fully downloaded (or uploaded); for example, working on a database file on a shared drive will download and upload the file constantly;
- by using split tunnelling, traffic (such as YouTube and social media) can be routed via the public Internet access instead of the VPN, but this obviously comes with other security risks. The alternative is to route all traffic through the company VPN, which can create a strain on VPN capacity.
Bottom line: VPN gives users (if they have a managed laptop) their familiar office experience. But it comes at the cost of capacity.
· Any device
As you have figured out, from a security perspective it is only advisable to enable VPN on devices that you fully manage. On top of that, most enterprise VPN clients are not available on all devices and operating systems (e.g. macOS devices, Chromebooks, Raspberry Pi, Android tablets, …). This puts a serious limitation on your, and your users’, degrees of freedom.
· Capacity
As described above, VPN platforms typically need to absorb a lot of download and upload capacity. These platforms are rarely scaled to enable 100% of users to work remotely at the same time. Consequently, capacity and related performance issues are more frequent than rare.
At Awingu, we run things differently
Awingu is a browser-based Unified Workspace. It makes RDP-based applications and desktops available in HTML5, on any browser. It also aggregates file servers, intranets, web applications, SaaS, … together behind a single pane of glass with Single Sign-On. Have a look at the Awingu architecture and features to find out more.
· Awingu has the minimum security layers built-in
Awingu enables a minimum IT security level for its users. Awingu is typically deployed on top of RDS (Terminal Server) and RDP access. You can read this document as a rundown of what levels of security Awingu enables on top of ‘plain’ RDP/RDS.
- Multi-factor authentication: Awingu comes with a built-in MFA solution and can (if necessary) easily integrate your current method of authentication. By adding MFA, you minimize the risk of ‘brute force attacks’. The Awingu built-in MFA supports the use of one-time tokens (HOTP) and time-based tokens (TOTP). Awingu also integrates DUO Security, Azure MFA, SMS Passcode or RADIUS-based services.
- Encryption over HTTPS: between the end-user (browser) and the Awingu virtual appliance, Awingu favours and enables encryption over HTTPS. Awingu allows the use of your own SSL certificates (or an SSL proxy). Furthermore, Awingu has a built-in integration with Let’s Encrypt, which automatically generates a unique SSL certificate and takes care of its renewal.
- Port 443 only: when set up correctly, Awingu only requires port 443 to be available for end-user clients.
- Extensive usage audit: Awingu comes with an extensive built-in usage log. The usage audit tracks which application sessions users open (or close) and when and where (from what IP address) they do that. It also tracks which files are opened, deleted, shared, etc. The audit log is available via the Awingu dashboard (admin) and custom reports can be extracted.
- Anomaly detection: get informed about irregularities in your environment, such as someone who logs in too often with a wrong password or someone trying to log in from abroad. This information is available via the Awingu dashboard (admin only).
- HTML instead of RDP: RDP is known to have numerous exploits, especially when running older and unpatched versions. HTML minimizes the ‘threat vector’ specific to RDP (e.g. BlueKeep, NotPetya).
- Granular usage controls: specific rights can be allocated for every user (group); e.g. preventing the use of the virtual printer (i.e. no printing at home), preventing downloading (or uploading) of files to and from the local desktop, preventing Awingu application session sharing, preventing Awingu file sharing, etc.
- Session recording: Awingu can enable auto-recording of selected applications or users (note: excluded for Awingu Reverse Proxy sessions). The end-user will get a warning of the recording prior to starting their Awingu application/desktop and will need to ‘accept’.
- No local data: all applications, files, hosted desktops, etc. run in HTML5 inside the browser. There is no footprint on the device (cf. granular usage controls) and only screen ‘images’ are shared.
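The usage audit and anomaly detection items above name two signals worth alerting on: a burst of wrong-password logins by one user, and a successful login from an unexpected country. The Python script below, added here as an illustration and not Awingu’s own code, runs both checks over a few constructed audit lines; the key=value line layout, the `country` field, the allowed-country set and the thresholds are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines; the key=value layout is an assumption for this
# example, not Awingu's real audit log format.
SAMPLE_LOG = """\
2020-03-10T08:01:12Z user=alice event=file_open result=ok ip=203.0.113.7 country=BE
2020-03-10T08:02:40Z user=bob event=login result=fail ip=198.51.100.9 country=BE
2020-03-10T08:02:55Z user=bob event=login result=fail ip=198.51.100.9 country=BE
2020-03-10T08:03:10Z user=bob event=login result=fail ip=198.51.100.9 country=BE
2020-03-10T08:03:30Z user=bob event=login result=fail ip=198.51.100.9 country=BE
2020-03-10T08:03:50Z user=bob event=login result=fail ip=198.51.100.9 country=BE
2020-03-10T08:10:05Z user=carol event=login result=ok ip=192.0.2.44 country=RU
2020-03-10T09:30:00Z user=bob event=login result=fail ip=198.51.100.9 country=BE
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
                     r"result=(?P<result>\S+) ip=(?P<ip>\S+) country=(?P<country>\S+)$")


def parse_log(text):
    """Parse audit lines into dicts with a datetime 'ts'; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(rec)
    return events


def detect_anomalies(events, allowed_countries, max_failures=5, window=timedelta(minutes=10)):
    """Return (kind, user, detail) tuples for the two cases named in the text:
    a burst of wrong-password logins, and a successful login from an unexpected country."""
    alerts = []
    failures = defaultdict(list)  # per user: timestamps of recent failed logins
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "login":
            continue  # file and session events are audited too, but not relevant here
        if ev["result"] == "ok" and ev["country"] not in allowed_countries:
            alerts.append(("foreign_login", ev["user"], ev["country"]))
        elif ev["result"] == "fail":
            recent = [t for t in failures[ev["user"]] if ev["ts"] - t <= window]
            recent.append(ev["ts"])
            if len(recent) >= max_failures:
                alerts.append(("repeated_failed_logins", ev["user"], len(recent)))
                recent = []  # reset so one burst raises a single alert
            failures[ev["user"]] = recent
    return alerts
```

Calling `detect_anomalies(parse_log(SAMPLE_LOG), {"BE"})` flags bob’s five failures within ten minutes and carol’s successful login from RU, while bob’s lone failure at 09:30 falls outside the window and stays quiet.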
· Awingu enables better UX
With Awingu, users can take any device, including their own private device, and get work done. It can be a Windows 7 device, a MacBook or a tablet. It’s a simple and consistent experience.