Businesses are naturally trusting of their suppliers, often developing long-term partnerships. However, over the last few years, the supply chain has become a major target for cyber-criminals, seeking to exploit the soft underbelly often created by such relationships. Aside from any data leakage or social engineering risks resulting from an insecure supply chain, many businesses elect to deploy a persistent Virtual Private Network (VPN) connection between organisations, without realizing the inherent risks involved. If poorly implemented, a persistent VPN connection can pose a critical security risk for even a well-secured organisation.
About the author
Thomas Owen, Head of Security at Memset
VPNs are an effective way to share data across multiple networks in a secure way, enforcing the confidentiality and integrity of the data in the tunnel. However, in many cases, VPNs are the only data security measure put in place around the data being transferred. This creates a significant vulnerability which attackers can exploit.
This is because VPNs create a tunnel between distinct networks, much like a literal physical connection. If an attacker can compromise a host on one end, then a VPN can act like an opaque conduit to wherever the other end has been placed, even if this is deep inside an otherwise effective security architecture. Whilst the customer may have strong security controls, this may not be the case with the supplier, thereby inviting attackers into the soft underbelly of your digital estate.
VPNs have also been the recent target of Advanced Persistent Threat (APT) actors, and the National Cyber Security Centre (NCSC) has published warnings and advice to organisations on how to detect malicious activity, showing the growing vulnerability of this technology. To put it simply, a VPN is only as safe as its configuration and the additional security measures in place around it to manage the traffic traversing it.
There is a huge range of modern business-oriented VPN technologies available — from vendor-specific implementations from your firewall or network monitoring vendor, through to dedicated appliances and strong open-source contenders like OpenVPN and strongSwan. However, industry has seen cases across more legacy VPN protocols — particularly PPTP and L2TP without IPsec encryption — where historical implementation decisions have hurt security in the modern world. So, it would be advisable to opt for modern, well-known protocols and vendor technologies.
For maximum security in any IPsec-based VPN, businesses should avoid aggressive modes and ensure that both AH and ESP are enabled. They should also consider disabling ISAKMP and IKEv1 for security associations (IKEv2 is currently fine). For OpenVPN and other TLS-based options, businesses should understand the potentially game-ending weaknesses that can exist within the underlying TLS/SSL ciphers and act accordingly.
For maximum security (but potentially tricky interoperability), go for something like TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384. AES-256-GCM is solid as the cipher, and consider Curve25519 for the DH exchange instead of the more NIST-y alternatives. If you want something exciting, try looking into ChaCha20-Poly1305 AEAD.
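One way to check a supplier-facing tunnel against the cipher and IKE advice above is a small configuration audit. This is an added example, not code from the article: the function names and sample configs are constructed, the IPsec part assumes a single `conn` in strongSwan's legacy `ipsec.conf` format, and the OpenVPN part only judges directives that are explicitly set (`tls-cipher`, `data-ciphers`, `cipher`).

```python
import re

# Constructed sample configs (not from the article).
WEAK_OVPN = "cipher BF-CBC\ntls-cipher TLS-RSA-WITH-AES-128-CBC-SHA\n"
GOOD_OVPN = ("data-ciphers AES-256-GCM:CHACHA20-POLY1305\n"
             "tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384\n")
WEAK_IPSEC = "conn supplier\n    keyexchange=ikev1\n    aggressive=yes\n"
GOOD_IPSEC = "conn supplier\n    keyexchange=ikev2\n    aggressive=no\n"

AEAD = re.compile(r"GCM|CHACHA20-POLY1305", re.I)

def parse(text, sep=None):
    """Return {directive: value}, skipping blank lines and #/; comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            parts = line.split(sep, 1)  # sep=None splits on whitespace
            cfg[parts[0].strip().lower()] = parts[1].strip() if len(parts) > 1 else ""
    return cfg

def audit_openvpn(text):
    """Flag control- and data-channel ciphers that are set but weak."""
    cfg, findings = parse(text), []
    # tls-cipher covers TLS 1.2 and below; TLS 1.3 suites are not judged here.
    for suite in filter(None, cfg.get("tls-cipher", "").split(":")):
        if "ECDHE" not in suite.upper():
            findings.append(f"tls-cipher {suite}: no ECDHE key exchange")
        if not AEAD.search(suite):
            findings.append(f"tls-cipher {suite}: not an AEAD suite")
    data = cfg.get("data-ciphers", "") + ":" + cfg.get("cipher", "")
    for c in filter(None, data.split(":")):
        if not AEAD.search(c):
            findings.append(f"data cipher {c}: not AEAD")
    return findings

def audit_ipsec(text):
    """Flag IKEv1 and aggressive mode in one strongSwan ipsec.conf conn."""
    cfg, findings = parse(text, "="), []
    # The default 'ike' still accepts IKEv1 when responding, so an explicit
    # ikev2 is required.
    if cfg.get("keyexchange", "ike").lower() != "ikev2":
        findings.append("keyexchange is not pinned to ikev2")
    if cfg.get("aggressive", "no").lower() == "yes":
        findings.append("aggressive mode enabled")
    return findings

if __name__ == "__main__":
    for fn, text in [(audit_openvpn, WEAK_OVPN), (audit_ipsec, WEAK_IPSEC)]:
        print(fn.__name__, fn(text) or "ok")
```

An empty result means only that no explicitly configured setting contradicts the advice; unset directives fall back to version-dependent defaults that still need checking on the appliance itself.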
For today’s SMEs, a ‘defence-in-depth’ approach is the only true path to achieving meaningful security. The approach combines multiple layers of controls which support one another, so that an attacker has to defeat or circumvent multiple layers of protection across applications, hosts and networks.
Such a judicious mix of security layers, including host hardening, firewalling, network segregation and content inspection of the data exiting and entering the VPN, will ensure not all elements of an organisation’s IT infrastructure are breached at the same time. This not only provides more time for detection and response, but also reduces an organisation’s ‘low hanging fruit’ appeal for passing cybercriminals. Further, don’t blindly trust the traffic exiting a supplier’s VPN security endpoint: keep VPNs in the DMZ and subject to the same controls that any other inbound public connection would have.
I hate to bang the GDPR drum, but securing organisational data has become even more important. An inappropriately deployed third-party VPN connection, successfully exploited during an attack, would be contrary to the ‘taking into account the state of the art’ approach defined by Article 32, potentially reducing the effectiveness of an otherwise well-secured, investment-intensive security strategy to nil.
As the new norms require data processors and controllers to share liability, businesses must think twice about the network and endpoint security of the supplier before sharing any data or providing access into their network. Opting for a defence-in-depth approach that includes the deliberate location and management of VPNs in your estate can help businesses stay resilient and afloat in the face of a cyber threat, malware attack, or in the aftermath of a breach.
VPNs are legitimate, useful security tools but they should be used with great care. Taking a ‘secure by design’ approach and integrating VPNs as part of a layered security strategy can make it easier for organisations to engage with their supplier chain, leveraging the business benefits whilst maintaining protection.