
Are VPNs Obsolete? CISA's Modern Approaches to Network Access Security

A large share of the workforce now works from home or in hybrid arrangements. Organizations therefore provision access to internal resources from outside the corporate network, which increases their IT complexity and, ultimately, their risk. Cloud-managed services are also becoming more common.

Several consequences follow. Organizations' security increasingly depends on networks they do not control. Monitoring an internal network for indicators of compromise (IoCs) is already challenging; monitoring an employee's small-office/home-office (SOHO) network is infeasible. Unified Endpoint Management (UEM) and remote attestation can help ensure that a remote worker's device has not been compromised before it is granted access.

The Cybersecurity and Infrastructure Security Agency (CISA), together with partners including the FBI, the Canadian Centre for Cyber Security, and New Zealand's Computer Emergency Response Team (CERT NZ), has published a comprehensive guide outlining best practices for a modern approach to network access security. In this article we cover the most important security technologies outlined in that guidance to get you started on understanding next-generation network access security.

Are VPNs Obsolete?

CISA has identified that many recent high-profile incidents involved virtual private network (VPN) solutions exploited by both cyber criminals and nation-state actors. CISA's Known Exploited Vulnerabilities (KEV) catalog contains more than 22 entries related to VPN compromises, each of which can provide broad access to a victim's network. These vulnerabilities have prompted organizations to consider replacing legacy VPN solutions with modern network access solutions. Additionally, the continuing shift of services to the cloud favours Secure Access Service Edge (SASE) over traditional on-premises security stacks.

While some VPN solutions are inherently more secure than others, hybrid networks call for modern network access security solutions to protect corporate resources. These solutions offer granular, per-application access control that traditional VPNs, which grant network-level access, do not. CISA advises organizations to carefully analyze their evolving security needs in light of increased cloud service usage and to use technology refresh cycles to advance their Zero Trust security approach.

So, while VPNs are not dead per se, they are no longer a catch-all solution for securing remote access given the evolution of the modern workforce. CISA recommends replacing legacy VPN solutions with modern network access security solutions, such as Secure Access Service Edge (SASE), to address these vulnerabilities and enhance security in evolving hybrid and cloud-based networks.

VPNs, while providing an encrypted tunnel into corporate networks, can expose organizations to risks such as IP and DNS spoofing, implementation complexity, and misconfiguration. Third-party connections and software-based VPN solutions increase the risk further: because a VPN typically grants network-level rather than application-level access, a compromised device or account can reach broad parts of the network, which is especially dangerous when VPN access is tied to identity management and Active Directory.

The Core Components Of Network Access Security 

According to the recent report published by CISA and partners, modern solutions like Zero Trust, SSE, and SASE provide remote access based on granular access control policies, rejecting unauthorized users and enhancing data security.

Implementing these principles allows organizations to reduce the risk of compromise and secure data both in transit and at rest, though the effectiveness depends on the organization’s specific network and infrastructure needs.

Zero Trust 

Zero Trust (ZT), as defined by NIST in Special Publication 800-207, aims to prevent unauthorized access to data and services by enforcing granular access control and the principle of least privilege. ZT assumes that no user or asset is implicitly trusted based on network location or asset ownership, and requires continuous re-authentication and re-authorization.

Organizations are encouraged to adopt CISA's Zero Trust Maturity Model (ZTMM) to develop and implement ZT strategies. The ZTMM outlines progressive maturity across five pillars (Identity, Devices, Networks, Applications and Workloads, and Data) and details how various CISA programs support ZT solutions.

Secure Service Edge

Secure Service Edge (SSE) is a cloud-delivered security stack that enforces safe browsing, secures SaaS applications, and validates users before they reach network data. It combines networking, security practices, policies, and services into a single platform, so that applications and data are protected regardless of the user's device or location.

SSE includes capabilities such as Zero Trust Network Access, Cloud Secure Web Gateway, Cloud Access Security Broker, and Firewall-as-a-Service.

Secure Access Service Edge

Secure Access Service Edge (SASE) combines network and security services into a cloud architecture, integrating functions such as SD-WAN, SWG, CASB, NGFW, and ZTNA.

Cloud service providers offer these capabilities as a service, reducing the need for on-premises security appliances and giving network administrators visibility over all ports, protocols, and applications. SASE simplifies management, reduces complexity, and supports robust security policies through a single, secured management interface.

Other Best Practices

The report's list of additional best practices for modern network access security is more extensive and thorough than what fits here; below is a curated selection. The report is available online in PDF format for those who want to review the guidance in its entirety.

  • Identity and Access Management: Implement strong identity verification with phishing-resistant MFA (for example FIDO2/WebAuthn or PIV-based authentication rather than SMS or push codes).

  • Principle of Least Privilege: Restrict users and devices to only the access they need, granted on a just-in-time basis.

  • Role-Based Access: Grant remote access based only on the user's role to protect sensitive information. As a primer, see our guide to the types of access control models.

  • FWaaS: Use Firewall-as-a-Service to protect against web-based threats.

  • Email and Domain Security: SMTP MTA Strict Transport Security (MTA-STS, RFC 8461) lets a domain publish a policy requiring TLS for mail delivered to it and naming the MX hosts permitted to receive it. DNS-based Authentication of Named Entities (DANE, applied to SMTP in RFC 7672) binds TLS certificates or their public keys to host names through DNSSEC-signed TLSA records, so a sending server can verify the receiving server's certificate without relying solely on a public CA.

  • Implementing SIEM and SOAR: Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) platforms centralize logged security data from sensitive networks into monitoring systems and automate responses to defined security events, improving incident response times.
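The MTA-STS and DANE items above are the most mechanical of these practices, so here is an added example (not code from the CISA guidance or from this blog) of the checks a sending mail server performs: parse the `_mta-sts` TXT record and the policy file, apply the RFC 8461 rule that a leading `*.` matches exactly one leftmost label, and compare a TLSA record's digest against certificate material. The domain names, record contents, and "certificate" bytes are constructed placeholders, not real DER or real DNS data.

```python
"""Added example (not from the CISA guidance or this post): the checks a
sending MTA performs for MTA-STS (RFC 8461) and DANE TLSA records (RFC 6698,
RFC 7672). All inputs below are constructed placeholders; nothing is fetched
from DNS or HTTPS."""
import hashlib

# Constructed sample: TXT record at _mta-sts.example.com and the policy body
# that would be served at https://mta-sts.example.com/.well-known/mta-sts.txt
SAMPLE_STS_TXT = "v=STSv1; id=20240815T010101;"
SAMPLE_STS_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup-mx.example.net
max_age: 604800
"""

# Constructed stand-ins for the receiving server's certificate and its
# SubjectPublicKeyInfo (real ones would be DER bytes from the TLS handshake).
SAMPLE_CERT_DER = b"constructed-certificate-der-bytes"
SAMPLE_SPKI_DER = b"constructed-spki-der-bytes"
# TLSA "3 1 1": DANE-EE usage, SPKI selector, SHA-256 matching type.
SAMPLE_TLSA_GOOD = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI_DER).hexdigest()
# Same digest but selector 0 (full certificate): must not match the SPKI.
SAMPLE_TLSA_WRONG_SELECTOR = "3 0 1 " + hashlib.sha256(SAMPLE_SPKI_DER).hexdigest()


def parse_sts_txt(txt):
    """Parse the _mta-sts TXT record; None if it is not a valid STSv1 record."""
    fields = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        return None
    return fields


def parse_sts_policy(body):
    """Parse the 'key: value' policy file into a dict with a list of mx patterns."""
    policy = {"mx": []}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("not an STSv1 policy")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid or missing mode")
    policy["max_age"] = int(policy.get("max_age", "0"))
    return policy


def mx_matches(pattern, host):
    """RFC 8461 MX matching: a leading '*.' matches exactly one leftmost label,
    so '*.example.net' matches 'mx1.example.net' but not 'a.b.example.net'
    or 'example.net' itself."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # e.g. ".example.net"
        prefix = host[: -len(suffix)] if host.endswith(suffix) else None
        return bool(prefix) and "." not in prefix
    return host == pattern


def evaluate_mx(policy, mx_host):
    """Return (deliver, matched). In 'enforce' mode an unmatched MX blocks
    delivery; in 'testing' or 'none' mode delivery proceeds and the mismatch
    is only reported (e.g. via TLSRPT)."""
    matched = any(mx_matches(p, mx_host) for p in policy["mx"])
    deliver = matched if policy["mode"] == "enforce" else True
    return deliver, matched


def parse_tlsa(presentation):
    """Parse 'usage selector mtype hexdata' as shown in a TLSA record."""
    usage, selector, mtype, data = presentation.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(data)


def tlsa_matches(record, cert_der, spki_der):
    """Compare one TLSA record against the presented certificate. Selector 0
    covers the full certificate, 1 the SubjectPublicKeyInfo; matching type 0
    is raw bytes, 1 SHA-256, 2 SHA-512. Only DANE-EE (usage 3) is handled;
    usage 2 (DANE-TA) would be matched against a CA in the chain instead."""
    usage, selector, mtype, data = record
    if usage != 3:
        return False
    material = cert_der if selector == 0 else spki_der
    if mtype == 0:
        digest = material
    elif mtype == 1:
        digest = hashlib.sha256(material).digest()
    elif mtype == 2:
        digest = hashlib.sha512(material).digest()
    else:
        return False
    return digest == data


if __name__ == "__main__":
    policy = parse_sts_policy(SAMPLE_STS_POLICY)
    for host in ("mail.example.com", "mx1.backup-mx.example.net", "evil.example.org"):
        print(host, evaluate_mx(policy, host))
    print("TLSA ok:", tlsa_matches(parse_tlsa(SAMPLE_TLSA_GOOD), SAMPLE_CERT_DER, SAMPLE_SPKI_DER))
```

Two points the code makes that the bullet alone does not: both mechanisms are enforced by the *sending* side, so publishing a policy or a TLSA record protects you only against senders that check it, and an MTA-STS policy in `testing` mode never blocks delivery, so a domain that stays in `testing` gets reports but no protection.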

Conclusion

Several national cybersecurity agencies have jointly highlighted the vulnerabilities in traditional VPN solutions, prompting a shift towards modern network access security built on Zero Trust (ZT), Secure Service Edge (SSE), and Secure Access Service Edge (SASE).

These approaches offer simpler implementation and management, and stronger security through granular access control, making them better suited to the hybrid and cloud-based environments of today's workforce. CISA recommends adopting Zero Trust principles and leveraging these technologies to secure remote access, protect data, and mitigate the risks associated with legacy VPNs and third-party connections.
