Fred Donovan, Author at eSecurity Planet
https://www.esecurityplanet.com/author/fred-donovan/
Industry-leading guidance and analysis for how to keep your business secure.

What Is a Virtual Private Network?
https://www.esecurityplanet.com/networks/vpn-security/
Tue, 20 Oct 2020

With more and more employees working remotely, either from home or on the go, enterprises need a way to secure their communications with the corporate network. One solution is a virtual private network (VPN), which enables employees to securely send data between computers across a shared or public network.

VPNs were developed to solve two challenges: the high cost of leased lines for branch offices, and the growing need to enable remote workers to access the corporate network securely.

VPNs provide secure connections by encrypting data and sending it through a “tunnel,” but there are limitations to that security. Device trust — like that provided by Kolide, this article’s sponsor — can improve VPN security by allowing only secure and properly configured devices to connect to an organization’s network, adding an additional layer of assurance on top of VPN security.

But before examining the limitations of VPNs, let’s take a look at how they work.

How does a VPN work?

A VPN involves the transfer of encrypted data wrapped with a header containing routing information. This process enables the data to travel securely over a shared or public network to reach its endpoint.

Data packets passed over the public network in this way are unreadable without the decryption keys, thus ensuring that data is not disclosed or changed during transmission.

From the user’s perspective, the VPN connection is a point-to-point connection between the user’s computer and a corporate server. The nature of the public network is irrelevant to the user because it appears as if the data is being sent over a dedicated private link.

As workers become more mobile, VPN connections allow users working at home or on the road to connect in a secure fashion to a remote corporate server using the routing infrastructure provided by a public network, such as the Internet.

VPNs improve Wi-Fi security

Many of these mobile workers use public Wi-Fi to access corporate data, and more than one-third never use a VPN to protect their data even though two-thirds are concerned about public Wi-Fi security, according to a survey by iPass. VPN remains a viable option for securing data transferred over public Wi-Fi.

Of course, it is not just employees working remotely who could endanger the security of corporate data and networks. Third parties, such as vendors, contractors, and suppliers, could pose risks by accessing corporate resources in an insecure manner. A VPN is just one way to reduce security risks from third parties.

In the enterprise, VPNs are used in a number of ways, including remote access for users connecting to the corporate network from home or a mobile device, intranet connections among fixed locations such as branch offices, extranet connections with business partners such as suppliers and customers, and wide area network (WAN) replacement for geographically dispersed networks.

As a WAN replacement, VPN can be cheaper because it requires less overhead to maintain and offers better scalability. However, network reliability and performance might become an issue, especially when connections are tunneled through the Internet.

VPN risks – and must-have security features

Are VPNs safe? Admittedly, there are security risks associated with VPNs. These include VPN hijacking, in which an unauthorized user takes over a VPN connection from a remote client; man-in-the-middle attacks, in which the attacker is able to intercept data; weak user authentication; split tunneling, in which a user is accessing an insecure Internet connection while also accessing the VPN connection to a private network; malware infection of a client machine; granting too many network access rights; and DNS leaks, in which the computer uses its default DNS connection rather than the VPN’s secure DNS server.

Even with these added security measures, VPNs are not immune to breaches. They operate on a principle of trusting whoever enters the network rather than using the principle of least privilege. The more secure ones are difficult to implement, as employees take time to put new security protocols in place, and VPNs overall are neither very flexible nor easy to manage. Organizations with many remote workers may find VPN management expensive, particularly if they are using a good provider (the better a VPN is, the more costly you can expect it to be). VPNs can be useful tools, but they can also slow a company’s productivity during the implementation process. And as previously noted, VPNs trust whoever gains access to the private network, meaning that an attacker will have full access to an Internet session once they have penetrated it.

To address these risks, enterprises should consider additional VPN security features when choosing a VPN product. These must-have security features include:

  • support for strong authentication
  • strong encryption algorithms
  • support for anti-virus software and intrusion detection and prevention tools
  • strong default security for administration and maintenance ports
  • digital certificate support
  • logging and auditing support
  • the ability to assign addresses to clients on a private network while ensuring all addresses are kept private.

Also, having a kill switch is an important VPN security precaution. The kill switch ensures that if the computer loses the VPN connection, either the Internet connection is shut down or the apps that are using the connection are shut down. This prevents the computer’s real Internet address from being exposed while the tunnel is down.

In addition, training should be conducted for network and security administrators and support staff, as well as remote users, to ensure that they follow security best practices during VPN implementation and ongoing use.

Another way to improve VPN security is through perfect forward secrecy (PFS). If PFS is used, encrypted communications and sessions recorded in the past cannot be retrieved and decrypted should long-term secret keys or passwords be compromised.

With PFS, each VPN session uses a different encryption key combination, so even if attackers steal one key, they will not be able to decrypt any other VPN sessions.
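The PFS argument above, worked through in code (an added example, not from the article or any VPN product): two runs of a toy Diffie-Hellman key exchange, one that reuses the peer’s long-term key as its DH key and one that draws a fresh exponent per session, followed by an attempt to read recorded traffic after the server’s long-term key is obtained. The DH group, keystream cipher and message contents are constructed for illustration and are not secure parameters.

```python
"""Why perfect forward secrecy protects past VPN sessions: toy Diffie-Hellman model."""
import hashlib
import secrets

# Toy DH group: p = 2^127 - 1 is prime, but this group is far too small for real use.
P = (1 << 127) - 1
G = 2
NBYTES = 16  # every group element fits in 16 bytes because P < 2^128

def dh_public(private):
    return pow(G, private, P)

def dh_shared(private, peer_public):
    return pow(peer_public, private, P)

def session_key(shared_secret, transcript):
    """Derive the session key from the DH secret and the exchanged public values."""
    return hashlib.sha256(shared_secret.to_bytes(NBYTES, "big") + transcript).digest()

def xor_stream(key, data):
    """Toy keystream cipher (SHA-256 in counter mode); encrypt and decrypt are the same op."""
    out, counter = bytearray(), 0
    while len(out) < len(data):
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))

class Peer:
    def __init__(self, ephemeral):
        self.ephemeral = ephemeral
        # Long-term key: identifies the peer across all sessions. In a real protocol it signs
        # the exchange (signing is not modeled here); without PFS it is also the DH key itself.
        self.long_term_private = secrets.randbelow(P - 2) + 1
        self.long_term_public = dh_public(self.long_term_private)

    def session_private(self):
        # PFS: fresh random exponent per session, discarded afterwards. No PFS: reuse the long-term key.
        return secrets.randbelow(P - 2) + 1 if self.ephemeral else self.long_term_private

def run_session(client, server, plaintext):
    """One VPN session. Returns only what a passive observer on the public network sees."""
    c_priv, s_priv = client.session_private(), server.session_private()
    c_pub, s_pub = dh_public(c_priv), dh_public(s_priv)
    transcript = c_pub.to_bytes(NBYTES, "big") + s_pub.to_bytes(NBYTES, "big")
    key = session_key(dh_shared(c_priv, s_pub), transcript)
    assert key == session_key(dh_shared(s_priv, c_pub), transcript)  # both sides agree
    return {"client_pub": c_pub, "server_pub": s_pub, "ciphertext": xor_stream(key, plaintext)}

def decrypt_with_leaked_key(capture, leaked_server_private):
    """Someone who later obtains the server's long-term private key tries a recorded session."""
    transcript = (capture["client_pub"].to_bytes(NBYTES, "big")
                  + capture["server_pub"].to_bytes(NBYTES, "big"))
    key = session_key(dh_shared(leaked_server_private, capture["client_pub"]), transcript)
    return xor_stream(key, capture["ciphertext"])

def demo(ephemeral, sessions=3):
    """Returns (past sessions readable after a long-term key leak?, fresh key per session?)."""
    client, server = Peer(ephemeral), Peer(ephemeral)
    messages = [f"session {i} tunnel payload".encode() for i in range(sessions)]
    captures = [run_session(client, server, m) for m in messages]
    recovered = [decrypt_with_leaked_key(c, server.long_term_private) for c in captures]
    fresh_keys = len({c["server_pub"] for c in captures}) == sessions
    return recovered == messages, fresh_keys

if __name__ == "__main__":
    print("static DH    (no PFS): readable=%s fresh_keys=%s" % demo(False))
    print("ephemeral DH (PFS):    readable=%s fresh_keys=%s" % demo(True))
```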

Also read: NSA, CISA Release Guidance for Choosing and Hardening VPNs

Zero trust architecture: an alternative approach to network security

Some network providers have begun implementing a new type of architecture for computer networks: Zero trust. Zero trust operates from the principle of least privilege, only allowing a network user to access exactly the services and applications they need to do their job. And each application or access point requires a verification step. Users allowed onto the network are not automatically trusted.

In a zero trust architecture, companies define specific places within their network that need to be secured. These are known as protect surfaces: the applications or accounts that require protection. Networks that offer a zero trust solution create microperimeters for each protect surface. Rather than only having one giant network perimeter, through which everyone goes and then has access to the entire network, a zero trust framework places perimeters around each application or service. An attacker must make their way through more walls than just the initial point of entry in the network.

A zero trust security solution ensures that possible attackers have limited access to a network, rather than throwing the doors wide open once a user authenticates themselves at an endpoint. By requiring multiple steps of verification for different services, the network limits users to only the applications that they need to complete tasks. This is where least privilege becomes important: by segmenting the network into smaller zones, the network limits what users are authorized to access.

Zero trust architectures also help organizations better monitor workloads and processes, which in a multi-cloud environment are very agile and hard to track. If multiple steps of verification are required to perform a workload, it will be much easier to see what action has taken place and who exactly initiated it. Organizations can then track malicious activity with better information.

As networks see more remote workers, devices, and workloads, zero trust may become the primary method of securing them. Some network providers have already implemented a zero trust architecture, including Palo Alto, Cisco, and Symantec. See our top zero trust security vendors for more.

What are types of VPNs?

There are basically four types of VPNs:

  • A firewall-based VPN is equipped with both a firewall and VPN capabilities. This type uses the security provided by firewalls to restrict access to an internal network and provides address translation, user authentication, alarms and logging.
  • A hardware-based VPN provides high network throughput as well as improved performance and reliability, but is also expensive.
  • A software-based VPN provides flexibility in terms of how traffic is managed. This is best for when endpoints are not controlled by the same party and when different firewalls and routers are used.
  • A secure socket layer (SSL) VPN enables users to connect to VPN devices using a web browser. SSL is used to encrypt traffic between the web browser and the VPN device.

VPN tunneling protocols

VPN tunneling protocols offer different features and levels of security, and there are benefits and disadvantages to each. There are five main VPN tunneling protocols: Secure Socket Tunneling Protocol (SSTP), Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol (L2TP), OpenVPN, and Internet Key Exchange version 2 (IKEv2).

SSTP uses the HTTPS protocol to pass traffic through firewalls and web proxies that might block other protocols. SSTP provides a mechanism to wrap point-to-point protocol (PPP) traffic over the SSL channel. The use of PPP allows support for strong authentication methods, and SSL provides transport-level security with enhanced key negotiation, encryption and integrity checking.

PPTP allows multiprotocol traffic to be encrypted and then wrapped in a header to be sent across an Internet protocol (IP) network. PPTP can be used for remote access and site-to-site VPN connections. When using the Internet, the PPTP server is a PPTP-enabled VPN server with one interface on the Internet and a second interface on the corporate intranet. PPTP uses a transmission control protocol connection for tunnel management and generic routing encapsulation to wrap PPP frames for tunneled data.

L2TP enables multiprotocol traffic to be encrypted and then sent over any medium that supports PPP data delivery, such as IP or asynchronous transfer mode. L2TP is a combination of PPTP and Layer 2 Forwarding (L2F). L2TP represents the best features of PPTP and L2F. Unlike PPTP, L2TP relies on IP Security (IPsec) in transport mode for encryption services. The combination of L2TP and IPsec is known as L2TP/IPsec. Both L2TP and IPsec must be supported by both the VPN client and the VPN server. L2TP/IPsec is perfect forward secrecy capable.

OpenVPN is an open-source software application that implements VPN techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that uses SSL/TLS for key exchange. It is capable of traversing network address translators and firewalls. OpenVPN allows peers to authenticate each other using a secret key, certificate, or username and password. Most VPN providers using OpenVPN employ perfect forward secrecy.

IKEv2 is an IPSec-based protocol that is baked into Windows 7 and above. IKEv2 is the next-generation standard for secure key exchange between peer VPN devices. IKEv2 is particularly good at automatically re-establishing a VPN connection when users temporarily lose their Internet connections.
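An added example (not from the article) of how these protocols look from the defender’s side of a firewall or NetFlow collector: each is classified from the transport signatures described above (TCP/1723 plus GRE for PPTP, UDP/1701 for plain L2TP, UDP/500, UDP/4500 and ESP for IPsec/IKEv2, UDP/1194 as OpenVPN’s default, TCP/443 for SSTP), which also shows why the article later calls SSTP hard to detect and PPTP easy to block. The flow records are constructed.

```python
"""Classify flow records by VPN tunneling protocol from IP protocol number and destination port."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple

TCP, UDP, GRE, ESP = 6, 17, 47, 50  # IANA IP protocol numbers

@dataclass(frozen=True)
class Flow:
    ip_proto: int
    dst_port: Optional[int] = None  # None for protocols without ports (GRE, ESP)

# (ip_proto, dst_port) -> (label, confidence, reason)
SIGNATURES = {
    (TCP, 1723): ("PPTP", "definite", "PPTP tunnel-management connection (TCP/1723)"),
    (GRE, None): ("PPTP", "likely", "GRE carrying the PPP frames of PPTP tunneled data"),
    (UDP, 1701): ("L2TP", "definite", "plain L2TP; in L2TP/IPsec this is hidden inside ESP"),
    (UDP, 500): ("IPsec/IKE", "likely", "IKE negotiation (IKEv1 or IKEv2)"),
    (UDP, 4500): ("IPsec/IKE", "likely", "IKE and ESP encapsulated in UDP for NAT traversal"),
    (ESP, None): ("IPsec/ESP", "definite", "ESP payload of an L2TP/IPsec or IKEv2 tunnel"),
    (UDP, 1194): ("OpenVPN", "likely", "OpenVPN default port, but OpenVPN can run on any port"),
    (TCP, 443): ("SSTP or HTTPS", "ambiguous", "SSTP rides inside HTTPS; the port alone cannot tell"),
}

def classify(flow: Flow) -> Tuple[str, str, str]:
    """Return (label, confidence, reason); unknown when no transport-layer signature matches."""
    port = None if flow.ip_proto in (GRE, ESP) else flow.dst_port
    return SIGNATURES.get((flow.ip_proto, port),
                          ("unknown", "none", "no VPN signature at the transport layer"))

def summarize(flows) -> dict:
    """Count flows per protocol label, the view an operator would use to decide what to block."""
    return dict(Counter(classify(f)[0] for f in flows))

# Constructed sample: what a perimeter device might log over a few minutes.
SAMPLE_FLOWS = [
    Flow(TCP, 1723), Flow(GRE),                   # PPTP control + data: trivially identified
    Flow(UDP, 500), Flow(UDP, 4500), Flow(ESP),   # IPsec (IKEv2 or L2TP/IPsec)
    Flow(UDP, 1194),                              # OpenVPN on its default port
    Flow(UDP, 443),                               # OpenVPN moved to UDP/443: signature lost
    Flow(TCP, 443), Flow(TCP, 443),               # ordinary HTTPS or SSTP, indistinguishable
    Flow(UDP, 53),                                # DNS, not a tunnel
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", classify(flow))
    print(summarize(SAMPLE_FLOWS))
```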

Also read: WireGuard vs. OpenVPN: Comparing Top VPN Protocols

Choosing the most secure VPN for your organization

So how do you choose the most secure VPN? Even though it is open source-based, many view OpenVPN as the most secure VPN protocol. It is stable and reliable, easily configured to run on any port, supports hardware acceleration for improved speeds, is able to traverse firewalls and network address translation (NAT), and uses OpenSSL libraries for encryption. However, it requires client software, cannot be used on iPhones, and runs only on a limited number of Android phones.

Another secure VPN protocol is L2TP/IPSec. It has strong encryption, no additional software for devices, is built into most desktop operating systems and mobile devices, is fairly easy to implement, and has no known major vulnerabilities. However, it does have trouble with firewalls, it is challenging to configure on a Linux server, and it is relatively easy to block by Internet service providers.

SSTP provides strong encryption, is very hard to detect and block, and is supported on all Microsoft Windows computers. At the same time, it is not supported by all VPN providers, and there is limited support for non-Windows devices.

The least secure VPN protocol is PPTP. Its benefits include easy setup, wide support for most devices, and low overhead. Because it has been around for a long time, it has known security issues that could be exploited by hackers (or government agencies). It has weak encryption and is relatively easy to block by ISPs.

IKEv2 is supported as part of the IPsec implementation in Windows, is easy to use, has a shorter negotiation period, and includes essential features as standard. However, the bugs are still being worked out, and interoperability between different vendors is an issue.

Which VPN protocol is best depends on the enterprise and the individual. For those looking for the most secure, OpenVPN is the best. For those looking for support for many devices, PPTP may be the way to go.

A VPN provides a means of accessing a secure corporate network over insecure public networks. While a VPN is an improvement over transmitting unencrypted data over public networks, its potential security flaws should be weighed by enterprises considering deploying a VPN or those that have already deployed one. Choosing the most appropriate VPN is vital for improved security in the enterprise.

VPN vendors

A number of security and networking vendors offer VPN solutions, among them:

  • F5 Networks
  • Cisco Systems
  • Pulse Secure
  • SonicWall
  • Citrix
  • Barracuda
  • Check Point
  • Palo Alto Networks


The post What Is a Virtual Private Network? appeared first on eSecurity Planet.
What is a Cloud Access Security Broker (CASB)?
https://www.esecurityplanet.com/mobile/casb/
Tue, 28 Mar 2017


What is a CASB?

A CASB provides enterprises with a critical control point for the secure use of cloud services across multiple cloud providers. Software as a service (SaaS) apps are becoming pervasive in enterprises, which exacerbates the frustration of security teams looking for visibility and control of those apps.

CASB sales have soared as cloud security concerns have grown, especially the use of “Shadow IT” cloud services that IT security teams don’t know about.

See our picks for top CASB solutions and top cloud security products

CASB solutions fill many of the security gaps in individual cloud services and allow information security professionals to do it across cloud services, including infrastructure as a service (IaaS) and platform as a service (PaaS) providers. As such, CASBs address a critical enterprise requirement to set policy, monitor behavior, and manage risk across the entire set of enterprise cloud services being consumed.

Figure: a graphic showing how a cloud access security broker (CASB) can help organizations with cloud infrastructure.

A CASB can consolidate multiple types of security policy enforcement. Examples of security policies enforced by a CASB include authentication, single sign on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, and malware detection and prevention.

A CASB vendor also gives enterprises visibility into authorized and non-authorized cloud usage. It can intercept and monitor data traffic between the corporate network and cloud platform, assist with compliance issues, offer data security policy enforcement, and prevent unauthorized devices, users, and apps from accessing cloud services.

In the all-important area of data security, a CASB provider enforces corporate data security policies to prevent unwanted activity based on data classification, data discovery, and user activity monitoring. Policies are applied through controls, such as audits, alerts, blocking, quarantine, deletion, and encryption, at the field and file level in cloud hosting services.

CASB solutions include control and monitoring, risk and compliance management, threat protection, and cloud data security.

CASB use cases

A CASB has multiple use cases for the enterprise.

Secure shadow IT

One major use case is to discover, monitor, and secure shadow IT — the unauthorized use of cloud services by line-of-business staff. Because IT teams are not aware of shadow IT, it is not subject to corporate security, compliance, and governance policies. This exposes enterprises to significant security risks.

According to a recent survey of more than 2,000 IT pros by Intel Security, almost 40 percent of cloud services are now commissioned without the involvement of IT. As a result, 65 percent of IT professionals think shadow IT is interfering with their ability to keep cloud usage safe and secure. More than half of respondents said they have tracked malware from a cloud application.

Despite cloud security worries, 62 percent of respondents store sensitive customer information in the public cloud. Also, the number of companies using private cloud only has dropped from 51 percent to 24 percent over the past year, while hybrid cloud use has increased from 19 percent to 57 percent.

Govern device usage

CASBs can:

  • monitor and control user activities when users access cloud services from a mobile or desktop app or sync client
  • govern access to public cloud services by device ownership class
  • monitor privileged accounts and prevent unauthorized activity in the cloud
  • monitor and control user activities with collaboration tools and social media without blocking those services
  • monitor and control advanced or cross-service activities in real time.

Secure data

In terms of securing data, CASBs can:

  • prevent data exfiltration from a sanctioned to an unsanctioned cloud service
  • enforce different policies for personal and corporate instances of the same cloud service
  • enforce a policy at the activity or data level across a category of services
  • enforce conditional activity-level policies
  • enforce layered policies
  • apply encryption.

Block malware

To protect against threats, CASBs can:

  • block or remediate malware in sanctioned cloud services and to and from unsanctioned cloud services
  • detect and alert enterprises about user login anomalies
  • detect anomalies such as excessive downloads, uploads, or sharing with both sanctioned and unsanctioned cloud services
  • prevent data infiltration involving new employees.
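The device-usage, data-security and threat-protection use cases above, as one added example (not the article’s or any CASB vendor’s code): a small policy engine that applies those controls to constructed cloud-activity events and returns block, quarantine, alert or allow. The event fields, the login baseline and the download threshold are assumptions made for the illustration.

```python
"""CASB-style policy engine run over constructed cloud-activity events."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Event:
    id: int
    user: str
    action: str          # login | upload | download | share
    app: str             # cloud service name, e.g. "box"
    instance: str        # "corporate" or "personal" tenant of that app
    sanctioned: bool     # app approved by IT (False = shadow IT)
    device: str          # "managed" or "byod" (device ownership class)
    classification: str = "public"   # data classification of the file involved
    country: str = "US"  # source country of the request
    malware: bool = False            # verdict of the CASB's file scan

# Constructed per-user baseline of countries normally seen at login
LOGIN_BASELINE = {"alice": {"US"}, "bob": {"US", "CA"}, "carol": {"US"}}
DOWNLOAD_ALERT_THRESHOLD = 3        # downloads per user before an anomaly alert
SEVERITY = {"block": 3, "quarantine": 2, "alert": 1, "allow": 0}

# Each rule returns (verdict, reason) when it fires, otherwise None.
def rule_malware(ev, state):
    if ev.malware:
        return "quarantine", "malware found by CASB scan"

def rule_unsanctioned_destination(ev, state):
    if ev.action in ("upload", "share") and not ev.sanctioned:
        return "block", f"data movement to unsanctioned service {ev.app}"

def rule_personal_instance(ev, state):
    if ev.action == "upload" and ev.instance == "personal" and ev.classification != "public":
        return "block", f"{ev.classification} data to personal {ev.app} instance"

def rule_device_ownership(ev, state):
    if ev.action == "download" and ev.device == "byod" and ev.classification == "confidential":
        return "block", "confidential download to employee-owned device"

def rule_login_anomaly(ev, state):
    if ev.action == "login" and ev.country not in LOGIN_BASELINE.get(ev.user, set()):
        return "alert", f"login from unusual country {ev.country}"

def rule_excessive_downloads(ev, state):
    if ev.action == "download":
        state["downloads"][ev.user] += 1
        if state["downloads"][ev.user] > DOWNLOAD_ALERT_THRESHOLD:
            return "alert", f"{state['downloads'][ev.user]} downloads by {ev.user}"

RULES = [rule_malware, rule_unsanctioned_destination, rule_personal_instance,
         rule_device_ownership, rule_login_anomaly, rule_excessive_downloads]

def evaluate(events):
    """Apply every rule to every event; the most severe verdict wins.
    Returns {event id: (verdict, [reasons])}."""
    state = {"downloads": defaultdict(int)}
    decisions = {}
    for ev in events:
        hits = [h for h in (rule(ev, state) for rule in RULES) if h]
        verdict = max((h[0] for h in hits), key=SEVERITY.get, default="allow")
        decisions[ev.id] = (verdict, [reason for _, reason in hits])
    return decisions

# Constructed sample activity as a CASB would see it via proxy or provider API
SAMPLE_EVENTS = [
    Event(1, "alice", "login", "box", "corporate", True, "managed"),
    Event(2, "alice", "download", "box", "corporate", True, "managed", "confidential"),
    Event(3, "alice", "upload", "box", "personal", True, "managed", "confidential"),
    Event(4, "bob", "upload", "pastebin", "personal", False, "managed", "internal"),
    Event(5, "bob", "download", "box", "corporate", True, "byod", "confidential"),
    Event(6, "bob", "login", "box", "corporate", True, "managed", country="RU"),
    Event(7, "carol", "download", "box", "corporate", True, "managed"),
    Event(8, "carol", "download", "box", "corporate", True, "managed"),
    Event(9, "carol", "download", "box", "corporate", True, "managed"),
    Event(10, "carol", "download", "box", "corporate", True, "managed"),
    Event(11, "alice", "download", "box", "corporate", True, "managed", malware=True),
    Event(12, "bob", "share", "box", "corporate", True, "managed"),
]

if __name__ == "__main__":
    for ev_id, (verdict, reasons) in evaluate(SAMPLE_EVENTS).items():
        print(f"event {ev_id:2d}: {verdict:10s} {'; '.join(reasons)}")
```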

Where CASBs run

CASBs may run on premises or in the cloud. Logically, CASBs sit between the end user and the cloud, but physically a CASB has to be located in one of two places: in a corporate data center or in the cloud itself. That means you have a choice between using a cloud access security broker as a service or hosting one on a physical or virtual appliance.

The SaaS option is easier to manage and is the more popular option, according to Gartner, but in certain industries you may have to use an on-premises system for compliance reasons.

How CASBs work

There are two key ways that a CASB can work. It can be set up as a proxy — either a forward or a reverse proxy — or it can work in API mode, using cloud providers’ APIs to control cloud access and apply corporate security policies. Increasingly CASBs are becoming “mixed mode” or “multi-mode,” using both proxying and API technology. That’s because each approach offers pros and cons.

Forward proxy

For example, a forward proxy can be used for all types of cloud applications and all data passes through the proxy, but to use a forward proxy you need to install self-signed certificates on every single device that accesses the proxy. This can be difficult to deploy in a distributed environment or one with a large number of employee-owned mobile devices.

Reverse proxy

A reverse proxy system is easier in that respect because it is accessible from any device, anywhere, without the need for special configuration or certificate installation. The drawback is that a reverse proxy can’t work with client-server type apps, which have hard-coded hostnames.

API-based systems

API-based systems are also easy to deploy. One drawback, however, is that the range of cloud applications they can work fully with is more limited because not all cloud applications provide API support.

“Proxy or API architectures from CASB have different abilities to perform different actions, which have various implications for how that provider delivers the four pillars for a specific cloud service,” Gartner says.

But over the next few years, Gartner expects many cloud service providers to develop their APIs significantly. “In the long term, APIs have the potential to obviate having to intercept traffic with proxies if they mature to the point where real-time visibility and control become possible,” it says.

One CASB may not be enough

The capabilities of CASBs — forward proxy based, reverse proxy based, API based or multimode — vary. It’s important to understand that just because a particular application is supported by a CASB, it doesn’t mean that it is supported to the same extent as it would be by another CASB.

It’s also the case that the range of applications supported by a CASB varies. That makes choosing a cloud access security broker that supports the applications you use now, and are likely to use in the future, a challenge. Back-office apps like CRM, HR and ERP are generally well supported, but industry-specific apps (for example for the health care industry) are less so.

Gartner’s advice? “Be cautious when entering into long-term contracts. Build in flexibility, because you may need more than one CASB or you may need to transition from your current provider to one delivering a complete set of your use cases during the next two years.”

CASB market size and vendors

There has been significant growth and activity in the CASB market over the last few years. The CASB market is expected to grow from $3.4 billion in 2015 to $7.5 billion in 2020, at a compound annual growth rate of 17.6 percent, according to a report by MarketsandMarkets.

The increasing adoption of cloud-based applications, such as Office 365, Salesforce, Google Apps and Box, by enterprises is playing a major role in fueling the growth of the market, according to the report.

More than a dozen CASB startups have launched since 2010, and a number of the major CASB vendors have recently been acquired by bigger players in the enterprise security and IT markets.

For example, in 2015, Microsoft gobbled up Adallom and then launched its Cloud App Security unit to complement its other identity and security products, such as Azure Active Directory, Microsoft Advanced Threat Analytics, and Azure Information Protection. Also in that year, Palo Alto Networks acquired CirroSecure, Blue Coat acquired Perspecsys and Elastica, Deloitte partnered with Bitglass, Check Point Software partnered with FireLayers, and IBM launched its Cloud Security Enforcer product.

In 2016, security powerhouse Symantec acquired Blue Coat for a staggering $4.65 billion in cash, indicating the value of CASB vendors to enterprises. Symantec decided to keep Blue Coat as a separate unit rather than incorporate its capabilities into Symantec’s product offerings the way Microsoft handled Adallom. Also in 2016, IT behemoth Cisco bought CloudLock for around $300 million, Proofpoint acquired FireLayers for $55 million, and Oracle bought Palerra for an undisclosed consideration.

In 2017, Raytheon, through its Forcepoint unit, acquired Skyfence from Imperva for an undisclosed consideration. For its part, Imperva acquired Skyfence in 2014.

Major CASB vendors include:

For more information, see our list of the top CASB vendors.

According to a recent Forrester Wave report on the CASB market, Blue Coat and Skyhigh Networks are market “leaders,” with strong offerings across a range of capabilities. Blue Coat integrates a cloud security gateway with its on-premises secure web gateway, while Skyhigh Networks offers shadow IT detection and extensive application support.

CipherCloud and CloudLock are “strong performers,” with CipherCloud offering “robust” structured data protection and on-device encryption, while CloudLock provides an intuitive product with “great reporting features.”

Bitglass, Netskope, and Skyfence are “contenders,” with Bitglass having an “easy-to-use” solution, Netskope offering extensive data loss prevention and pattern matching algorithms, and Skyfence providing extensive IaaS support and a large partner network. Microsoft is at the back of the pack as a “challenger,” with application programming interface monitoring, but with more features scheduled for deployment as of the fourth quarter of 2016.

The CASB market has evolved rapidly since its recent beginnings and has become a necessary cloud security control technology, regardless of the industry vertical, for enterprises adopting multiple cloud services and transferring sensitive data to the cloud.

This article includes previous reporting by Paul Rubens.


The post What is a Cloud Access Security Broker (CASB)? appeared first on eSecurity Planet.