VPN security and management is lacking

By Michael S. Mimoso, Editorial Director, SearchSecurity | Jul 28, 2010

0 comments

Digg

 Email

 Print

LAS VEGAS -- Virtual private networks, whether SSL or IPsec VPNs, have been IT's ultimate set-and-forget technology. Once installed and configured, these remote access technologies are often left on auto-pilot providing secure, isolated access to backend applications, files and other resources.

Mobile devices such as BlackBerries, iPhones and Droid smartphones, however, are changing the remote access dynamic. Companies will soon have to take a second look at remote link-ups over VPNs, especially as users introduce new personal devices to the network and demand access to apps from a variety of operating systems and platforms. In turn, it's up to security operations to provide secure VPN connections for these myriad devices.

As a result, tried-and-true VPN connections and configurations aren't good enough. IT operations, complacent about their VPNs, need to take another look, according to research to be released this week at the Black Hat Briefings by NCP Engineering Inc. Attackers are already leveraging insecure VPN connections to access critical data inside the enterprise. The attacks on TJX, Heartland Payment Systems and even this year's attacks on Google, Adobe and more than 30 other large technology companies, defense contractors and big companies, were carried out remotely with legitimate access over VPN connections.

"The set-and-forget approach is flawed," said Martin Hack, executive vice president, NCP. "If you have VPN clients out there, you have to make sure they are synched to management systems and are getting ongoing policy, configuration and management changes. You need strong proactive remote access management to prevent these issues because otherwise, these connections become the first weapon for an attacker."

NCP's research indicates that complacency over VPNs is one of the primary drivers leading to VPNs becoming an attractive attack vector. Not only configuration issues, but out-of-date software is leading to severe vulnerabilities that could lead an attacker straight into an organization with legitimate access. For example, corrupted route targets in a VPN implementation could redirect traffic to an attack site. In SSL VPNs, organizations often overlook Same Origin Restriction. Failing to turn this on could enable attackers to carry out phishing attacks by routing legitimate traffic away from its intended destination and onto a phishing site.

0 comments

Digg

 Email

 Print