The Problem with VPNs
For a long time, the Virtual Private Network (VPN) has been the enterprise security standard for securing remote access to corporate resources.
Through encryption, VPNs provide protection of the user’s data in transit. However, creating a direct tunnel from the endpoint to the corporate resources exposes the organization to more risk.
VPNs have expanded the edge of the corporate network because employees are using networks out of the control of the enterprise security department; the more people tunnelling into the data centre, the more exposure to risk of breach.
VPNs do not provide full protection of the end-user’s computer. If an attacker sniffs the user’s traffic, they will intercept encrypted data, but the modern threat vectors used by attackers have shifted, meaning using only a VPN for remote access is not enough.
Despite using a VPN, a host device is still vulnerable to local network threats. Some of the common attack vectors that VPNs are rendered defenceless against include:
VPN Pivoting
Pivoting is a method by which an attacker uses a compromised endpoint to attack other systems on the same network, avoiding restrictions such as firewall configurations (which may prohibit direct access to all machines). An example of this was the breach at NASA’s JPL, where the attacker gained unauthorized access to the network and was able to pivot laterally into classified systems and acquire proprietary information.
VPN pivoting is a method whereby an attacker gains control of the host device, leveraging the already established VPN tunnel to have direct access into the corporate network. This technique effectively gives the attacker full network access as if they were behind the corporate firewall.
By attacking the vulnerable remote device, an attacker could infect most or all of a network and gain complete control. Without the Byos μGateway providing endpoint microsegmentation masking the endpoint, attackers can penetrate the host, and pivot through a VPN.
Improperly Storing Memory and Log Files
VPNs are intended to create a point-to-point tunnel, giving secure, direct access to resources that are hosted elsewhere.
A recently released report by the Software Engineering Institute at Carnegie Mellon, revealed that multiple VPN applications store the authentication and/or session cookies insecurely in memory and/or log files. In other words, the information that was supposed to travel from point A to B now resides on the host computer and can be stolen by network attacks.
Byos μGateway does not create a tunnel nor does it store any user information, meaning there is not a single point of failure like can happen with a VPN that relies on extensive software configuration.
DNS Leakage
Every time a domain name query is made, it is processed by the DNS Server. VPNs rely on extensive software configurations that can leak DNS queries, exposing the users browsing history to potential attackers on the network.
According to the VPN configuration, DNS traffic may also flow outside the tunnel, revealing private information and exposing the host device to tampering and spoofing attacks.
As a standard feature, the Byos μGateway runs it own encrypted DNS server, protecting every DNS request made by the user.
Additional Threat Vectors not protected by VPNs
There are a whole host of threat vectors that exist on public WiFi networks that VPNs cannot protect against.
WiFi Clone
An evil twin WiFi clone is a fraudulent WiFi access point that appears to be legitimate but is set up so the attacker can eavesdrop on network communications.
VPNs don’t protect the user against connecting to fraudulent networks; any connection to an evil twin will leave the user under the control of the owner of the WiFi Clone and vulnerable to other threats.
The Byos μGateway prevents any connection to fraudulent access points at the outset, notifying the user about malicious activity when trying to connect.
Port Scanning and Network Enumeration
A network enumerator or scanner is a computer program used to retrieve usernames and info on groups, shares, and services of networked devices. This type of program scans networks for vulnerabilities in the security of that network and is often the first tool an attacker will use to find vulnerabilities in a network.
Common scanners (like Nmap or Nessus) will tell the attacker what types of devices are connected to the network, which operating systems they’re running (GNU/Linux, Mac OSX, Windows 10, etc.), and what ports they have open (RDP, SMB, SNMP, SSH, etc.).
This is a fundamental principle of Endpoint Microsegmentation through Hardware-Enforced Isolation: the Byos μGateway provides full protection against enumeration attacks because of its restrictive Firewall, IDS/IPS, and MAC address randomization services.
Without the information from a network scanner, an attacker will have a more difficult time gaining control over a victim’s device.
VPNs provide no protection against network enumeration.
Exploits
An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended behavior to occur on computer software.
Such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service (DoS or related DDoS) attack.
An example of this includes the recent vulnerability found in the Dell Support Assist software. This vulnerability exploits a security hole in software manufactured by PC-Doctor that is used as part of Dell SupportAssist software. Through a Proof-of-Concept, the SafeBreach research team demonstrated that exploiting this vulnerability would allow attackers to access and read or write to the physical memory of systems. This would enable them to execute malicious code or otherwise compromise the system and achieve admin-level permissions, giving them effective control.
With an Endpoint Microsegmentation solution like the Byos μGateway, malicious remote access is prevented; only remote access permissions from an MDM policy pushed down from the security team are allowed.
VPNs provide no protection against exploits towards the host device.
Conclusion
Breaches using these threat vectors have tangible costs associated with them:
Loss of productivity from in-house application downtime
Reduction of sales revenue from a compromised website
Stolen sensitive information
Damage of brand identity and loss of customer trust
All of which cannot be prevented by a VPN.
A third of the largest breaches of the 21st century could have been prevented using the Byos μGateway:
Marriott International in 2018
Target in 2014,
Home Depot in 2014
United States Office of Personnel Management (OPM) in 2012
Sony’s PlayStation Network in 2011
TJX Companies Inc. in 2006
The concept of Hardware-Enforced Isolation aligns with the Zero Trust Security Model - it provides a hardware layer of protection from inbound and outbound threats, isolating every connected device regardless of the network.
VPNs are an effective tool for specific uses but have limitations. Endpoint Micro-Segmentation through Hardware-Enforced Isolation using the Byos μGateway is a modern approach: protecting employee devices when on uncontrolled public networks.