Most people believe that virtual private networks (VPNs), which create a point-to-point tunnel between two computer devices, provide security and privacy of their communications. However, the level of security is only as good as the type of encryption used to protect the transmission of data. The three major encryption types — DES, AES and RSA — are ranked based on the estimated time it would take to “break” the keys. Most VPNs use a less secure encryption solution, which gives users a false sense of security.
Beyond encryption, several other issues limit the effectiveness of traditional VPNs:
• Vulnerabilities: New vulnerabilities are regularly disclosed in popular VPNs, which have become a favorite target for attackers. Current VPNs implemented across commercial networks have no or poor control of the route between the ingress and the egress points. This allows an adversary or interested party to manipulate the underlying network infrastructure to access VPN traffic and exploit unpatched vulnerabilities. This can enable them to capture data being communicated and potentially compromise backend networks. These vulnerabilities must be patched immediately since they otherwise result in users having a false sense of security.
• Discoverability: Since VPNs typically connect an entry point to an exit point, these can be easily discovered. Therefore, an attacker can detect and obtain information related to a VPN link even though encryption is being used to protect the traffic. Moreover, most solutions require a short-term external connection between the ingress and egress points in order to establish the VPN. A better approach would use dynamic VPN routing that enables a user and/or administrator associated with the source device to select a path through the network that does not broadcast information that identifies the egress node as belonging to a VPN.
• The Onion Router (TOR): This is a VPN alternative that allows users to navigate the internet anonymously by concealing the route of traffic from origin to destination. However, TOR clients and nodes keep an inventory of participating TOR nodes in a routing table that is used to randomly select a path between the origin and destination. Since this list is broadcast to keep each client and node up to date, an adversary can exploit well-documented TOR vulnerabilities to target users of the service.
In order to properly protect their sensitive communications, organizations need to consider both the security and privacy of their network connections, which is beyond the capabilities of VPNs. Most people have a general understanding that security means protection. For organizations, security demands the protection of customer information and intellectual property from unauthorized access, exfiltration or corruption.
Meanwhile, privacy is often misinterpreted as being interchangeable with security. Network privacy is a new and often overlooked concept that describes an organization’s right and need to shield its identity, intellectual property and customer data while doing business over the internet. As such, network privacy provides an additional layer of protection that makes it significantly harder for would-be attackers to locate and target an organization and its sensitive data.
It is possible to have security without privacy, but it is impossible to have privacy without security. That’s because privacy prevents exposure of the identity of the network user to potential attackers.
In today’s threat environment, organizations need to implement both security and privacy concepts to protect against attacks. This can be accomplished using:
Zero-trust networking that enforces authentication policies to fully protect individuals, applications and processes from accessing network resources without approval. This can be achieved by defining the attack surface to protect, mapping transaction patterns, implementing zero trust networking software and creating security policies to be enforced by security tools.
A moving-target defense, which is based on the concept that a stationary target is easier to attack than a moving target. This can be accomplished by continuously shifting/moving the corporate network so that its location is not static and it’s not an easily recognized target.
Obfuscation techniques, which have been used for years by cybercriminals and adversaries to avoid detection and conceal their activities. These same capabilities can be incorporated into the defensive strategies used by companies with technology that conceals the identity and browsing activity of employees on the internet, as well as the footprint and traffic of the network. This makes it harder for attackers to find and target an organization’s infrastructure and assets.
It’s important to recognize that VPNs lack the privacy controls needed to protect enterprise users and networks from being targeted by attackers. Consider implementing the suggestions above to make your organization invisible to adversaries.