An episode dedicated to VPN security… what more could you ask for?! Andrew Bindner joins us for an episode dedicated to Virtual Private Networks, otherwise known as VPNs. As a Senior Offensive Security Consultant of Red Team Services here at CTEK, Andrew has many conversations with clients and customers about VPN security risks. Now you too get to hear his expert recommendations. In this episode of The Risk Perspective, Andrew addresses the need for VPNs, gives his advice on immediate protection, discusses hardening endpoints (what it is, why it is important, and what there is to consider), and passionately reviews best-practice VPN security controls. This quick listen has everything you need to learn about the importance of a strong and secure VPN and the steps to consider when implementing one, something all organizations should consider while remote working is considered “the new normal”.
Hello! Welcome back for season two, episode two of CTEK Voices: The Risk Perspective.
Today we have Andrew Bindner with us here to talk about VPN Security.
Andrew is a Senior Offensive Security Consultant of Red Team Services here at CTEK and overall is a really cool guy.
Welcome, Andrew, how’re you?
I am doing absolutely fantastic today. How about yourself, Lauren?
I’m doing great!
To kick us off, tell us why we’re here talking about VPN Security.
Well, over the past couple of months, we’ve had clients reach out to ask specifically about VPN security.
As you know, most organizations have had to allow office-based employees to work remotely due to COVID, and their concerns are endpoint protection and the protection of their sensitive internal data, because VPNs are a frontline security device and they support remote management solutions.
But basically, throughout 2019 and 2020, we’ve seen an elevated trend in vulnerabilities associated with VPNs. It’s impacted Pulse, Cisco, Fortinet, SonicWall, and that’s just to name a few.
So, we’ve been helping our clients one-on-one, sharing our strategies for VPN security, and it’s a critical service for the protection of employees when they work from home, at coffee shops, hotels, or just anywhere outside of the organization.
I can imagine. It’s a pretty big topic, given COVID-19 and just overall how 2020 has been going so far.
Given the need (and kind of what you touched on), given the need for a remote workforce right now, how are you advising organizations to handle their VPN security?
First thing I would say is patch now.
A lot of the time, we don’t (as far as organizations’ vulnerability management programs go) look at the network devices. We’re often concerned with hardening the endpoints, servers, web services, things like that, but we often neglect or don’t want to touch the networking devices because there’s a potential that you’re going to have a small downtime rebooting the device, and what that may actually look like. So, we just kind of push those checks off.
I would recommend: patch now, and check often, because those are on that rising trend, right?
Also, one thing to consider is that you probably should be, as organizations, spending a little bit extra – it’s really not as expensive as you think – but spending a little bit extra on helping sensitive individuals, such as those who work in HR and finance, or who work in higher-level positions, such as executives, the CEO, for instance, giving them better equipment in their homes to help protect their own devices.
So, can you go into a little more detail on what endpoint security really is, and how it’s changed in 2020? Also, if you can, tell us how you recommend going about securing VPNs remotely.
Oh, yeah, absolutely!
So, endpoint protection is just referring to the device itself. Whether it’s a workstation, or a laptop, or even a virtually hosted workstation that’s outside of the organization or inside the organization, it’s just the endpoint of the network, right?
So, if we’re not talking about the core, we’re just talking about devices, but as they specifically relate to devices that are in people’s homes now, right, because we’ve taken a laptop out of the office and we’ve gone home with it. The operating system itself loses the protections that are afforded by the internal network’s protocols.
So, we have moved away from that security into the home, and now, if you think about it logically, what is stopping somebody at home from going on the Internet to go into places that they shouldn’t be going to? What type of security protections are there? Myself (as an example), I have kids, and my kids are highly monitored and highly restricted on my network because I’m a paranoid person about their security and about the content they view. But it doesn’t prevent them from possibly going to a malicious site and then getting infected. Well, if I keep my data on the same VLAN as them, then I am potentially affected. So, if my laptop from my office is not actually hardened appropriately, then we end up with, you know, the ability to possibly compromise that system and then pivot from my system into the internal network.
So, we can prevent this by, one, hardening the system. Hardening of the system is actually a pretty straightforward process, but at the same time, it’s also very complicated. You have to balance usability versus security. There are really good models through CISA, through DISA, through NIST, and they all have different checklists that you can go through, and they’re easy to Google and find.
And then, I always recommend a third-party patching solution. A third-party patching solution doesn’t just look for vulnerabilities on the system; it can actually look for outdated software, and with outdated software you can have a plague of different vulnerabilities throughout those systems. So, if they are compromised in one way, shape, or form, it allows an attacker to gain a really good foothold.
So even if you do all of that, right, you segmented your network, or, in my case, I have VLANs that keep me away from everyone else in my house and all my IoT devices, I might have a hardened system, and I have third-party patching. How are we actually effectively checking for that? So this is where I’d recommend, even if you have a hardening solution in place, you have those policies within your organization that you’re at least going forward and making sure that you’re working with either a vendor or somebody within the security team that has a good, strong knowledge of penetration testing attack techniques, and they’re testing that system inside and out to mimic what would happen in a coffee shop, what would happen in a home environment, those types of attacks that might affect the operating system itself. Because then, if they’re connected to the VPN, if the malicious actor gets in, they can pivot into the internal network. So, we want to make sure, at the endpoint level, that that’s our first line of security.
Getting back to discussing actual VPNs, what are the specifications we need to look at that we can talk about today?
OK, I’m going to go on a very quick rant.
And that is to actually talk about the encryption level of VPNs first and foremost.
This topic, in itself, could be hundreds of white papers talking about the strength of one security cipher suite versus another.
There are some commonalities between all of the different methodologies on how we implement the encryption for remote management protocols, such as SSH, web SSL or TLS, VPNs, things like that.
So, if you are talking about SSL, for instance, TLS is actually the new standard of SSL. But because we’ve had SSL for a very long time, those words are almost becoming synonymous.
So, there’s one very particular thing: you should not be using SSL. You should be using TLS, which is Transport Layer Security.
And there are actually new recommendations going forward that say, if you’re not using TLS version 1.2 or above (which is only 1.3), you could actually fail PCI compliance going forward in the future. So that’s a really important distinction there.
When you scan your devices, when you’re trying to check what cipher suites are supported, what the encryption level is, things like that, you’re going to find that there are a number of open-source tools that are readily available that do this very easily, very quickly, very efficiently.
But between tools, the results will change and go back and forth. So, if you’re going to work with a penetration testing company, or you have internal teams, make sure that they’re on the same page. [Make sure] that they’re using either the same tool, or they understand the security risks and implementation expectations going back and forth between the different programs.
So also, with the VPNs, you have the ability to push it out in a couple of different ways.
You can either perform VPN through a web-based SSL, in which case somebody from the organization goes out to a website and actually logs in, and it downloads the client right there on the spot.
The other alternative is that they have a client that’s installed locally on their laptop, or however they’re remoting in, and they’re able to log in from the application itself. So, there are benefits and disadvantages to both of those solutions.
So, with web-based SSL VPNs, you gain the advantage of allowing a user to connect through the website, and they’re always getting the fresh, latest client; it will always install the newest version that they are supposed to be using.
The disadvantage to this is that you don’t know where they’re coming from, which means you have to actually expose that webpage to the world. So, if you’re not using proper DNS management, and you’re at the same time making it easy for people to get access to it, it can be discovered by anybody, which means a likelihood of malicious actors trying to brute force their way in through password guessing and things like that.
On the client side, with the applications, you do not have to have that web interface, but they log in through their application, and that application may or may not get updated on a regular basis, and this can possibly introduce vulnerabilities into the network. So, between the two systems, depending on how you deploy it, these are the advantages and disadvantages.
Furthermore, when we talk about once they’re connected and how they get connected, whether it’s through the web console or through a client application, there’s an SSL certificate that you can possibly add on top of this. And that certificate is a wonderful solution because, on the user side, if the user leaves the company and goes somewhere else for another job, if they’re in an accident, if there’s some reason where we need to take them offline for a short spell, or we terminate their employment, or if there’s a chance that that person has become compromised, we can actually block their cert. So even if they had the proper username and password, they can’t get back in.
So, this also prevents man-in-the-middle attacks and things like that across the Internet. So, if they’re at a coffee shop, they’re not able to redirect traffic back and forth.
When it’s attached to a device, if the device is ever stolen or misplaced/lost, we can actually remove the certificate internally, and that device can no longer connect in, which also, if you have a single sign-on solution or cached user credentials in some way, shape, or form, prevents that level of access.
The next step beyond that would be multi-factor authentication.
You know, Lauren, I can actually feel people listening to this podcast who might go “Ugh, that’s a very expensive thing/that’s very hard to manage!”.
Actually, you’d be wrong on that.
There are mobile solutions. There are token-based solutions. There are even e-mail-based solutions – not that we would recommend e-mail! But as far as the mobile solutions, multi-factor authentication has really changed in the last, let’s call it, five years, and the solutions are getting less expensive as we go through time.
So, if you’ve looked in the past and you thought that a multi-factor authentication solution might be too expensive, I really suggest going back and taking a look, to see, you know, talking with vendors, because that’s all that they do. So, things like Duo, or even Google authentication; Microsoft has their own as well; RSA has been a very large standard for a very long time.
Next, we actually want to take a look at the network. So we have passed through all of the authentication; we’ve talked about that, but we do want to take a look at what’s happening on the network itself.
There are two ways to implement those tunnels and one of them is called split tunneling.
Split tunneling, rather than the traditional tunnel, allows only the traffic that is needed for the internal corporate network to pass through the tunnel.
This has its advantages and disadvantages. Yes, you do not need to maintain, you know, it’s only passing the traffic that the user needs for the office. But because of split tunneling, if they go out to the internet, all of that traffic to the other sites they’re going to may be a potential avenue for infecting their machines. That allows the malicious actor to be able to compromise the browser and then potentially pivot in through the VPN. So you’re adding an extra layer of risk that you really can avoid by avoiding split tunneling.
The problem with this, though, is that, if you’re doing regular tunneling, then all the traffic that they send from their machine forward, including internet traffic, goes through your VPN.
This is generally not a very big concern, unless you’re in a remote area with bandwidth constraints, such as satellite, or working in other countries that have remote offices that run off of dial-up links and things like that, where you have to pay for the amount of data that goes through. That’s when the actual split tunneling would be more beneficial. But as long as you’re hardening the operating system, and that endpoint protection is really in place, you’re reducing that risk from split tunneling.
But once they’re on the network and once they’re connected, whether you’re using regular tunneling or split tunneling, now they’re on your network. So, what do you do?
Where do they come in? How are they accessing those resources? A lot of VPNs allow administrators to actually get very fine-grained in what resources users can and should not access.
The first thing to note is that segmentation is really the key here when using VPNs. A VPN user, even though they’ve authenticated to your network, should always be treated as suspect, because you don’t know if it is the same person or if it’s a malicious actor who has come in.
So, you should encourage your administrators to not give them full network access, but only give them access to what that user needs, based on their role.
Well, also, when we’re talking about individuals as they connect in, it possibly is the real person, or there could be a malicious actor. One of the things that you can really do for your organization is to monitor based on geolocation with your SIEM solution, or Security Information and Event Manager.
What does that mean by geolocation, though?
In the case of geolocation, you’ll hear that a lot of the vendors actually already do that: they compare with databases from, say, MaxMind, that have actually cataloged where the IP addresses are coming from.
So, if somebody logs in in Georgia, and they’re accessing your network, and that’s their normal traffic, and the next thing you know they log in from a different country in Europe, Asia, Africa, or even just all the way across the United States in, say, Washington, then you can actually set events to trigger and deactivate that user, because there’s a potential that their traffic has been compromised or their credentials have been compromised. Somebody has had some way of finding, accessing. But it looks suspicious, so they can just kill the connection.
Those, honestly, Lauren, those are my biggest talking points that I talk about with our clients on a very regular basis.
Thanks, Andrew. I believe that about wraps up our discussion on VPNs; you’ve covered a lot of ground. Thanks for joining us.
I know for our listeners, if you enjoyed this episode, I encourage you to check out season one, episode 18, of The Risk Perspective. It’s Andrew’s episode on a strong privacy and security program during COVID-19.
Remember to like and subscribe to The Risk Perspective and stay tuned for more content in the future!
Thanks for listening.
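Following the transcript, here is an added example (not part of the episode, and not code from CTEK or from Andrew) of the geolocation monitoring he describes near the end: an "impossible travel" check over VPN login events. It assumes a constructed lookup table standing in for a GeoIP database such as MaxMind's, constructed log lines in a simple "timestamp user ip" format, a plausibility threshold of 900 km/h (roughly airliner speed), and function names of my own choosing.

```python
"""Impossible-travel check over VPN login events (added illustration, not CTEK code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import radians, sin, cos, asin, sqrt

# Constructed stand-in for a GeoIP database (e.g. MaxMind): source IP -> (label, lat, lon).
# The addresses are documentation ranges and the mapping is invented for this example.
GEOIP_TABLE = {
    "198.51.100.10": ("Atlanta, GA, US", 33.749, -84.388),
    "198.51.100.11": ("Atlanta, GA, US", 33.749, -84.388),
    "203.0.113.25": ("Seattle, WA, US", 47.606, -122.332),
    "192.0.2.77": ("Frankfurt, DE", 50.110, 8.682),
}

# Constructed VPN login records: "<ISO-8601 UTC timestamp> <user> <source ip>".
SAMPLE_LOG = """\
2020-09-14T08:02:11Z alice 198.51.100.10
2020-09-14T12:30:45Z alice 198.51.100.11
2020-09-14T13:05:02Z alice 192.0.2.77
2020-09-14T09:15:00Z bob 203.0.113.25
2020-09-15T09:20:00Z bob 198.51.100.10
"""

MAX_PLAUSIBLE_KMH = 900.0   # assumed threshold: faster than an airliner is "impossible travel"
SAME_AREA_KM = 50.0         # hops shorter than this are treated as the same metro area


@dataclass
class Login:
    ts: datetime
    user: str
    ip: str


def parse_log(text):
    """Parse the simple constructed log format into Login records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, user, ip = line.split()
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Login(ts, user, ip))
    return events


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth, in kilometres."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive logins per user whose implied travel speed exceeds max_kmh."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(ev.user, []).append(ev)

    alerts = []
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            loc_prev, loc_cur = GEOIP_TABLE.get(prev.ip), GEOIP_TABLE.get(cur.ip)
            if loc_prev is None or loc_cur is None:
                continue  # cannot geolocate; a real SIEM rule would raise a separate alert
            dist_km = haversine_km(loc_prev[1], loc_prev[2], loc_cur[1], loc_cur[2])
            if dist_km < SAME_AREA_KM:
                continue  # same city (or the same address): no travel to evaluate
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            speed = dist_km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append({
                    "user": user,
                    "from": loc_prev[0], "to": loc_cur[0], "to_ip": cur.ip,
                    "km": round(dist_km), "hours": round(hours, 2), "kmh": round(speed),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(parse_log(SAMPLE_LOG)):
        print("IMPOSSIBLE TRAVEL:", alert)
```

On the constructed data, alice's Atlanta-to-Frankfurt hop 34 minutes after her previous login is flagged (roughly 7,400 km at well over 10,000 km/h), while bob's Seattle-to-Atlanta login a day later is not. In a SIEM the flagged event would drive the response the episode mentions, such as disabling the account or terminating the VPN session, rather than just printing.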