Introduction
In an era where remote work has become the norm, the demand for secure solutions for accessing servers and network infrastructure has never been higher. Traditionally, Virtual Private Networks (VPNs) have been the go-to choice for enterprises seeking a secure channel for remote access. However, recent events, such as the Ivanti VPN exploitation, have shed some light on the potential disadvantages and security vulnerabilities in traditional VPNs. In this blog, we’ll take a closer look at the Ivanti incident and the weaknesses of traditional VPNs – and introduce Admin By Request’s Remote Access solution as the superior alternative.
The Ivanti VPN Exploitation: A Wake-Up Call
The Ivanti incident brought attention to the cybersecurity community, revealing the potential challenges of relying on conventional VPNs for secure remote access. The exploits involved hackers taking advantage of two previously unknown weaknesses (zero-day vulnerabilities) in Ivanti’s Connect Secure and Ivanti Policy Secure products. These vulnerabilities allowed the attackers to bypass security measures, gaining unauthorized access to VPN gateways/appliances.
The first vulnerability (CVE-2023-46805) enabled the attackers to bypass authentication, granting them access to restricted resources without the proper credentials. The second vulnerability (CVE-2024-21887) allowed the attackers to execute specially crafted commands on the Ivanti VPN, essentially taking control of the system.
Once inside, the attackers could engage in various malicious activities, including stealing sensitive data and compromising target organizations’ IT systems. The scale of the attack was widespread, affecting thousands of Ivanti VPN appliances globally and impacting organizations across different industries.
Understanding Virtual Private Networks (VPNs)
Virtual Private Networks (VPNs) have long been the cornerstone of remote access strategies. They work by creating an encrypted tunnel between the user’s device and the corporate network, ensuring data confidentiality and integrity. VPNs are trusted for their simplicity and widespread use, providing a secure conduit for employees to connect to their organization’s internal infrastructure from anywhere in the world.
Security Risks in Traditional VPNs
The recent Ivanti VPN incident exposed the dangers of VPN vulnerabilities, shedding light on the potential security risks and disadvantages associated with these solutions. Below we delve into the various pitfalls and consequences linked to traditional VPN software, which enterprises should carefully consider when formulating their remote access strategy.
Inbound Requests and Vulnerabilities
- Challenge: Traditional VPNs often rely on inbound requests for access, making them susceptible to exploitation. Inbound requests can provide a potential entry point for attackers, especially if vulnerabilities exist in the VPN software.
- Impact: Recent events, such as the Ivanti VPN exploitation, have highlighted the potential dangers of such vulnerabilities – attackers may attempt to exploit weaknesses, conduct unauthorized access, and potentially compromise the network’s security.
Limited Granular Control
- Challenge: Traditional VPNs may offer limited granularity in terms of access controls and user permissions. Admins might face challenges in implementing detailed access policies.
- Impact: This limitation can lead to challenges in ensuring that users have appropriate access levels and that sensitive resources are adequately protected.
Potential for Split Tunneling Risks
- Challenge: Some VPN configurations allow split tunneling, where only traffic destined for the corporate network is sent through the VPN. This introduces potential security risks.
- Impact: If not configured securely, split tunneling can expose users to threats when accessing the internet directly, bypassing the protective measures applied to corporate traffic.
Reliance on Traditional Authentication
- Challenge: Traditional VPNs often rely on username and password authentication, which can be vulnerable to credential-based attacks.
- Impact: If user credentials are compromised, attackers can gain unauthorized access to the VPN, potentially leading to data breaches, lateral movement, and other security incidents.
Limited Support for Zero Trust Models
- Challenge: Traditional VPNs may not seamlessly align with Zero Trust models, which prioritize continuous verification and least privilege access. Achieving a Zero Trust architecture within the existing framework of traditional VPNs often requires additional security measures.
- Impact: The incongruence with Zero Trust models poses a potential security risk, as traditional VPNs might struggle to enforce the stringent access controls and continuous monitoring required for a robust Zero Trust security posture. Organizations may face difficulties in implementing a comprehensive Zero Trust strategy without integrating supplementary security measures.
Understanding these weaknesses highlights the importance of exploring more secure alternatives, such as Admin By Request’s Remote Access solution.
Admin By Request Remote Access: A Superior Alternative
Admin By Request Privileged Access Management (PAM) now offers Remote Access: a feature that redefines the way organizations approach secure remote connections, providing a robust alternative to traditional VPNs.
How It Works
The core concept of the solution is to empower users to connect to remote servers effortlessly through their browsers. This is achieved by establishing a Secure WebSocket connection to a gateway, facilitated through a secure Cloudflare tunnel.
The service can be hosted on-premises or as a fully managed cloud service:
- Cloud-Managed Setup: In a cloud-managed setup, the customer’s server establishes an outbound connection or tunnel to the gateway within Admin By Request infrastructure. Users can then connect directly to the gateway, which maintains a direct connection to the desired server.
- On-Premises Setup: Similar principles apply to the on-premises setup where the gateway is hosted within the customer’s infrastructure: the server initiates a connection with the gateway within the customer’s infrastructure. Using a Cloudflare tunnel, this gateway enables direct external connections.
Secure Outbound Requests
The connection method described above presents a lower security risk compared to the typical inbound requests associated with VPNs. Inbound requests in traditional VPNs carry a higher risk of unauthorized access from external entities, serving as potential entry points for attackers – like the scenario witnessed in the Ivanti exploit. Additionally, in both cloud-managed and on-premises configurations, connections are initiated either by the gateway or endpoint, eliminating the need for network changes (such as adjusting firewall rules) within the customer’s infrastructure. By ensuring that all user traffic is routed through a secure gateway, Admin By Request also removes the threats associated with VPN split tunneling.
Support for External Access
With Admin By Request’s setup, there’s no need to incorporate external users into your Active Directory or VPN solution. Instead, you can maintain a secure workflow by implementing the tried and tested Admin By Request approval process. Users seeking access to the server must go through an approval system, ensuring controlled and time-limited connections without the necessity of integrating external users into your internal infrastructure.
Access Controls & Monitoring
Admin By Request’s Remote Access utilizes extensive Privileged Access Management (PAM) capabilities, allowing enterprises to define granular access rules for users and groups via a simple web interface. These access controls ensure all users have the appropriate access to critical infrastructure around the clock, minimizing headaches for IT. User permissions are monitored via the Admin By Request Admin Portal, triggering alerts in case of lateral movement – another tactic used in the Ivanti VPN attacks. These features align with a Zero Trust model: enforcing least privilege principles and continuously monitoring user activity.
Comprehensive Visibility
Traditional VPNs often fall short when it comes to providing visibility on user activity during remote sessions. Access to servers instigated via Admin By Request is fully audited and video recorded, enabling enterprises to track exactly what’s gone on during a remote session.
Diverse Authentication Methods
Admin By Request Remote Access offers authentication via Just-In-Time (JIT) accounts, which terminate after use, as well as support for native credentials (username and password). This flexibility in authentication options when connecting to servers helps to reduce the risk of credential-based attacks and ensures a robust approach to safeguarding access.
Conclusion: Embracing a New Era of Remote Access Security
The Ivanti VPN exploitation serves as a stark reminder that the traditional approach to remote access is not infallible. Admin By Request’s Remote Access product emerges as a game-changer, offering organizations a secure, user-friendly, and innovative alternative to traditional VPNs.
Try it today as part of Admin By Request Server Edition, available on a lifetime Free Plan at the link below.
Sources:
- Svenska företag hackade via säkerhetshål i Ivanti vpn – Computer Sweden (idg.se)
- State-Sponsored Hackers Exploit Zero-Day Flaws in Ivanti VPN (pcmag.com)
- www.itpro.com
- Hackers begin mass-exploiting Ivanti VPN zero-day flaws | TechCrunch
- Threat Actors Exploiting Ivanti EPMM Vulnerabilities | CISA
- Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN | Volexity
