Cybersecurity was already a top concern among IT professionals prior to the COVID-19 pandemic, but the sudden shift to remote work policies brought a number of latent security issues to light. That’s because the increase in the number of users needing remote access to their digital workspaces also opened up new opportunities for hackers and developers of malware.
That left organizations—and IT departments specifically—in a real bind. They desperately wanted to harden their network security and prevent cybercriminals from gaining access to sensitive data that could seriously damage their business. At the same time, they also had to keep day-to-day operations running, and that meant allowing remote users to access files and software behind the corporate firewall.
One of the most common methods of providing users with this access has been through a virtual private network, or VPN. With a VPN client, remote workers can “tunnel” into the organization’s internal network via the connection provided by a third-party Internet service provider (ISP) — in most cases, their home Internet connection.
It’s easy to see the appeal. Most VPNs are able to automatically traverse the various links in the network chain (e.g., the users’ home router or a public Wi-Fi access point, modems, the corporate firewall) and enable users with even basic technical knowledge to establish a direct connection between their remote PC and the organization’s local network. For IT, the bulk of the work goes into configuring the users’ VPN connection and is therefore upfront rather than ongoing.
But virtual private networks have some proven downsides. Corporate VPNs typically require on-premises infrastructure, such as VPN servers and connection brokers, which means purchase costs and long-term maintenance. From the user’s perspective, it isn’t always easy for them to understand how to use VPNs properly. VPNs can also affect the speed of Internet traffic and make high-bandwidth connections appear to run more slowly.
And they also have some deep-rooted security flaws.
Think VPNs are secure? Think again
As we’ve already acknowledged, VPNs are often used by enterprise-scale organizations. In addition, a lot of the marketing for commercial VPN providers revolves around things like online privacy and protecting your personal data. Those factors have led to the widespread assumption that VPNs are synonymous with security.
The truth is that VPNs are actually a prime attack vector for major hacks.
Recently, security-focused organizations like the US National Security Agency have issued stark warnings for large groups of VPN users. In 2022, critical vulnerabilities in Citrix Gateway, an SSL VPN service, as well as related products were found to allow hackers to bypass authentication and verification mechanisms or carry out brute-force attacks. Exploits like these could give malicious actors access to an organization’s entire network.
Nor was this the first time that a vulnerability had been found in Citrix VPN solutions. Security flaws in the same suite of products are known to have exposed more than 80,000 organizations to threat actors in 2019.
And Citrix VPN solutions certainly aren’t the only ones vulnerable to exploits and attacks. Virtual private networks as a technology category have serious and fundamental security issues, as a roundup of headlines from the past few years will reveal:
- Security experts discover a 1,500%+ increase in attacks against VPN due to remote work [Nuspire/PRNewsWire]
- Attacks on VPNs and health industry headline 2021’s biggest cyber risks [Security Magazine]
- Hacker posts exploits for over 49,000 vulnerable Fortinet VPNs [Bleeping Computer]
Simply put, the conventional VPN model runs counter to recommended security policies and best practices.
What’s the nature of some VPN vulnerabilities?
There are some inherent security flaws that are common to all or most VPNs.
DNS leaks: Whenever a computer attempts to communicate with another networked device, it makes a Domain Name System (DNS) query via the DNS server that has been configured for that device. VPNs rely heavily on custom DNS settings that can inadvertently leak DNS queries. This leakage can reveal things like the endpoint device’s IP address and its online activity or even allow important Internet traffic to escape the ostensibly secure VPN tunnel. It also leaves the device vulnerable to spoofing and man-in-the-middle attacks.
VPN pivoting: Like its name suggests, pivoting describes the method by which a hacker turns a compromised endpoint into a vector for attacking its network, often through malware. The implicit trust behind VPN connections makes it possible for these rogue devices to circumvent permissions or firewall restrictions, thereby gaining full network access and a direct route to sensitive data.
Poorly stored credentials: The point-to-point tunnels that VPNs create are usually touted as one of their security features. However, security researchers have found that VPN clients often store authentication credentials or session cookies on the remote endpoint. If these credentials are intercepted by hackers, they now have access to the corporate network through the VPN connection.
Some might be quick to point out that VPNs use different connection protocols — namely, Internet Protocol Security (IPsec)/IKEv2, IPSec/L2TP, OpenVPN and Point-to-Point Tunneling Protocol (PPTP). But the fact is that these vulnerabilities exist irrespective of the protocol.
To eliminate VPN security risks, you need to eliminate VPNs
Security experts have recognized the “all access” philosophy of VPNs to be a serious concern and an outdated approach to modern computing. In response they’ve started advocating for a security policy called Zero Trust Network Access (ZTNA), which is the polar opposite of the VPN model. In fact, Gartner has identified ZTNA as the fastest-growing segment in network security, with a growth forecast of 31% in 2023.
The assumption behind ZTNA is that all devices are potentially compromised. As a result, the focus falls on providing endpoint devices with “just in time” or as-needed access to the corporate network while also limiting their scope of access as well. Should those devices be actually compromised, hackers’ room to maneuver will be severely constrained and any damage will be highly contained.
Unlike VPNs, Cameyo’s Virtual Application Delivery (VAD) platform was designed from the very beginning with the Zero Trust security model in mind. It eliminates the need for VPNs (and therefore the major security hole they introduce) yet provides remote workers with seamless access to their essential apps.
Not to put too fine a point on it, but one of our remote access technologies is called NoVPN. It offers the same end functionality as a VPN but doesn’t come burdened with the same risks — like the need to punch holes in your organization’s firewall. And NoVPN is just one component of our comprehensive Zero Trust network architecture:
- Always-on monitoring & validation: Cameyo makes use of what are called non-persistent servers. This means that a user’s data is erased from the Cameyo server every time that user logs out.
- Device access control: Cameyo follows ZTNA best practices by treating every device as if it could be compromised. Remote users get access to all (and only) the apps they need as they need them.
- Identity & access management: If you have a preferred Single Sign-On (SSO) provider, Cameyo can integrate with it for seamless authentication. Cameyo supports existing Multi-Factor Authentication (MFA) protocols too.
- Least privilege: Because Cameyo delivers apps via an SSL HTML5 browser session, all Internet traffic that is part of this session is encrypted. Furthermore, the underlying technologies keep permissions to the bare minimum, cutting off access to sensitive data.
- Prevention of lateral movement: Devices remain isolated from the corporate network/data as well as Cameyo’s VAD platform. In the event that a device is infected with ransomware or a malware payload, it remains confined to that endpoint.
- Segmentation: Cameyo’s VAD platform maintains segmentation between the endpoint and the corporate network/data, even when users are in an active session.
You can read more about these security features in this related post, “Mitigating RDP and VPN Vulnerabilities to Reduce Ransomware Attacks.”
The very same security advantages of Cameyo’s VAD solution are also what give it its unparalleled flexibility. With Cameyo, organizations can enable seamless remote access to apps independent of the operating system of the endpoint device. ChromeOS, Windows 11, and macOS users can access legacy Windows applications. iOS and Android users can access desktop-class Linux apps, Windows apps, etc. Remote users can even use intranet apps — anywhere, from any device.
If you’re currently using VPNs, don’t wait for a ransomware attack to highlight the need for Zero Trust security. Sign up today for your free trial of Cameyo and see how Zero Trust security policies and seamless remote access to apps can go hand in hand. And if you’d like more detail on how Cameyo eliminates VPNs while making it easier than ever for remote workers to access their essential apps, schedule a demo to have one of our engineers provide the technical background.