When Security Solutions Become Security Liabilities: VPN Concentrators Are Under Attack

By Tim Grossner, Principal Firewall Engineer

Estimated Reading Time: 6 minutes

Client Virtual Private Networks (VPNs), used to secure remote access to your organization’s internal networks, have been the method of choice for “Road Warriors” for decades now. They allow users to connect to a corporate network from anywhere with an internet connection. However, the security of any VPN hinges on the strength of its gateway – the VPN concentrator. Unfortunately, these concentrators have become prime targets for cyberattacks, making them a potential vulnerability in a company’s cyber defenses, as we’ve seen with each of three different common VPN vendors in just the past few months.

There is another option in perimeter security, particularly in the role of remote access to applications, and the concept of cyber resilience. Let’s look at the security shortcomings of traditional VPN concentrators, analyze best practices for securing VPNs with firewalls, and explore the potential of Zero Trust Network Access (ZTNA) as a VPN alternative.

VPN Concentrators as Attack Magnets

Remote work requires access to corporate assets. Pre-cloud and post modem-bank, the VPN reigned supreme: it could be used from any network connection (dial-up or otherwise) and was a state-of-the-art upgrade over previous offerings. VPN concentrators, by design, became singular points of entry, making them highly attractive targets. It wasn’t long before discrete concentrators became features on firewall hardware, meaning that instead of sitting physically behind the firewall, they are now part of those edge security devices.

Today, a successful attack on a VPN concentrator can grant access to an organization’s entire network, potentially leading to data breaches, malware infiltration, and disruption of critical operations. Recent events make it clear that the unpatched firewalls and stand-alone concentrators themselves are vulnerable to unauthenticated remote code execution (RCE) attacks.

From Gatekeepers to Shields

Firewalls have traditionally served as the first line of defense, inspecting and filtering incoming and outgoing network traffic. However, with the rise of sophisticated cyberattacks, the limitations of traditional firewalls in securing VPNs became evident.

Companies like Ivanti, Cisco, and Palo Alto Networks offer advanced firewalls that go beyond basic packet filtering. These next-generation firewalls (NGFWs) incorporate features like:

  • Deep Packet Inspection (DPI): Examining the content of data packets to identify malware and other threats.
  • Application Control: Restricting access to specific applications or protocols, ensuring only authorized VPN traffic passes through.
  • Intrusion Detection and Prevention Systems (IDS/IPS): Monitoring network activity for suspicious behavior and actively blocking potential attacks.

Firewall Best Practices for Mitigating VPN Risk

Regardless of whether a VPN concentrator is a standalone device or integrated directly into the firewall itself, modern next-generation firewalls (NGFWs) can still help mitigate risk for VPN concentrators, even against zero-day attacks. By implementing best practices with NGFWs, organizations can significantly enhance their VPN security posture and build cyber resilience:

  • Geographic and IP-based restrictions: Limit VPN and other connections to specific geographic regions or IP addresses associated with trusted users. While this doesn’t eliminate all risks, it reduces the attack surface.
  • Zero Trust principles: Don’t blindly trust any connection. Integrate the firewall with Multi-Factor Authentication (MFA) solutions for an extra layer of security.
  • Rule-based protection: Allow only the protocols and applications required for VPN traffic (e.g., IPSec, GlobalProtect). Block all connections from lists of hosts provided by outside vendors, such as the Palo Alto Networks Known Malicious IP Addresses list. They provide this list, free of charge, as part of their NGFW product.
  • Deny All Other Traffic: This rule acts as a safety net, blocking any unauthorized traffic attempting to exploit vulnerabilities.
  • Threat protection: Enable threat intelligence feeds and signature updates on the firewall to identify and block the latest threats attempting to infiltrate the network through the VPN. These can be updated on a timer on the order of minutes, so protections are in place very quickly.
  • Role-based access control (RBAC): Enforce granular access controls based on user roles and needs. Grant users access only to the resources they require for their specific tasks.
  • Firewall isolation: Minimize the attack surface of the firewall itself by isolating it from other network segments and restricting traffic generated by the firewall itself from having free rein over the internal network.
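To make the rule-ordering point concrete, here is an added example (not from the original post or any vendor’s configuration) that models the VPN-edge rule set above as an ordered, first-match policy: a vendor-style block list, an allow rule limited to trusted sources and VPN protocols, and an explicit deny-all. All address ranges, the block list, and the connection attempts are constructed from documentation address space; the hardened policy sits beside a weak variant that exposes the VPN services to any source and evaluates the block list too late.

```python
"""Ordered first-match model of an NGFW policy protecting a VPN concentrator."""
import ipaddress

# Constructed stand-ins: egress range of trusted users, and an externally
# supplied "known malicious" list (the kind of vendor feed named above).
TRUSTED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]
KNOWN_MALICIOUS = [ipaddress.ip_network("192.0.2.0/24")]
# Only the services a VPN edge must expose: IKE, NAT-T, ESP, and the
# GlobalProtect portal/gateway over HTTPS. Nothing else (e.g. management).
VPN_SERVICES = {("udp", 500), ("udp", 4500), ("esp", None), ("tcp", 443)}

def in_any(ip, networks):
    """True if the source address falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

# Each rule is (name, predicate over (src, proto, dport), action).
# Order matters: the block list sits above the allow rule, and an explicit
# deny-all closes everything earlier rules did not permit.
HARDENED_POLICY = [
    ("block-known-malicious", lambda s, p, d: in_any(s, KNOWN_MALICIOUS), "deny"),
    ("allow-vpn-trusted", lambda s, p, d: in_any(s, TRUSTED_SOURCES)
                                           and (p, d) in VPN_SERVICES, "allow"),
    ("deny-all", lambda s, p, d: True, "deny"),
]
# Weak variant: VPN services open to any source, block list evaluated after
# the allow rule, so it never fires for the very ports an attacker targets.
WEAK_POLICY = [
    ("allow-vpn-any", lambda s, p, d: (p, d) in VPN_SERVICES, "allow"),
    ("block-known-malicious", lambda s, p, d: in_any(s, KNOWN_MALICIOUS), "deny"),
    ("deny-all", lambda s, p, d: True, "deny"),
]

def evaluate(policy, src, proto, dport=None):
    """First match wins; returns (action, rule_name) so decisions are loggable."""
    for name, pred, action in policy:
        if pred(src, proto, dport):
            return action, name
    return "deny", "implicit-default"  # never reached when deny-all is explicit

if __name__ == "__main__":
    # Constructed connection attempts against the VPN edge.
    attempts = [("203.0.113.10", "udp", 500),   # trusted user starting IKE
                ("192.0.2.7", "tcp", 443),      # listed-malicious source, portal
                ("198.51.100.77", "tcp", 443),  # unknown source, portal
                ("203.0.113.10", "tcp", 22)]    # trusted source, management port
    for src, proto, port in attempts:
        print(f"{src:>14} {proto}/{port}: hardened={evaluate(HARDENED_POLICY, src, proto, port)}"
              f" weak={evaluate(WEAK_POLICY, src, proto, port)}")
```

The weak policy allows the listed-malicious and unknown sources straight to the portal, which is exactly the exposure that turns an unauthenticated RCE in the concentrator into a network-wide incident.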

The Allure and Challenge of Going VPN-less

While securing VPNs with NGFWs is crucial, some organizations might consider eliminating VPNs altogether. One alternative is zero trust network access (ZTNA), a security solution that eliminates the need for traditional VPNs. ZTNA verifies user identity and authorizes access to specific applications or resources on a granular level, without requiring users to connect to a central network, eliminating the inbound “hole” in your firewall needed to support a traditional VPN concentrator. ZTNA solutions further offer more flexibility to interact directly with cloud resources in a way that traditional VPN solutions are not adept at.

Akamai research published in 2023 indicates that 38% of organizations are already using ZTNA for all external access, with another 33% using it for some access, while 21% more were in planning stages. That indicates that more than a third of organizations have already eliminated (or never had) VPNs, and another third are in a good position to quickly follow suit.

However, transitioning to ZTNA introduces additional complexity. Organizations need to invest in new infrastructure and expertise to manage ZTNA solutions. This complexity can, in itself, become a risk factor if not managed properly, just as the current VPN concentrator is – there are absolutely tradeoffs here.

The Risk Continuum: Finding the Right Balance

The security landscape is not a binary choice between a single, all-encompassing solution and a complex web of security tools. The optimal approach lies on a risk continuum. Separating the VPN concentrator from the firewall might offer increased security, but it also adds management overhead.

Ultimately, even the most robust NGFW cannot guarantee complete security. It’s essential to maintain a layered security approach. Strong authentication protocols, endpoint security solutions, and regular security audits are critical components of a cyber resilient organization.

Building a Cyber Resilient VPN Environment

A compromised VPN appliance doesn’t have to spell disaster for a cyber resilient organization. By implementing a combination of NGFWs with best practices, user authentication controls, a robust monitoring and detection capability, and other security measures, organizations can build resilience in their VPN environment. A combination of efforts is required.

Layering multiple security controls, a defense in depth strategy, is important. Even if one control fails, others can mitigate the damage. Incident response planning is necessary to identify, contain, and recover from a security incident to minimize downtime and data loss. Because threats are constantly evolving, proactive monitoring of network activity and security logs helps identify suspicious behavior and potential attacks before they can cause significant damage.

By adopting a cyber resilience mindset and implementing the strategies outlined above, organizations can ensure their VPNs remain secure gateways, not vulnerable entry points. They can achieve this while acknowledging the inherent complexity and risk associated with security solutions that protect remote access.

Tim Grossner, Principal Firewall Engineer

Tim Grossner has been in IT and Network Security for over 25 years, with experience in many firewall and security device vendors. Over the last 13 years, his focus has been on utilizing Palo Alto Networks to secure large scale environments.
