Mitigating External Service Risks using Virtual Private Network (VPN)

Most penetration testers can tell you that they commonly see Secure Socket Shell (SSH), Remote Desktop Protocol (RDP), Network Basic Input/Output System (NetBIOS), Remote Procedure Call (RPC), and various web administration portals exposed to the public internet. Many organizations will claim that the risk is low because they have compensating controls in place to mitigate a portion of that risk.

The fact of the matter is that risks associated with these services range from:

“You really shouldn’t have SSH exposed, even if it’s fully updated and secured.”

to

“Are you seriously exposing your router admin portal to the internet with default credentials?”

Your organization should expose services directly to the public internet only if they need to communicate with users or services not controlled by the organization. Services such as Hypertext Transfer Protocol (HTTP/HTTPS) (not administration portals), Simple Mail Transfer Protocol (SMTP), Domain Name System (DNS), Border Gateway Protocol (BGP), VPN, and Voice over IP (VoIP) should be the only services detectable from the public internet. This means that if your administrators need to reach a service, a web portal, RDP, or SSH from home, put those services behind a VPN connection.
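As an added example (not part of the original post), the following script audits an external port scan against the allowlist implied by the paragraph above: HTTP/HTTPS, SMTP, DNS, BGP, VPN and VoIP may face the internet, while SSH, RDP, NetBIOS, RPC and admin portals are flagged for relocation behind the VPN. The scan lines are constructed in the style of nmap's grepable (-oG) output, and the port-to-service mapping is an assumption for illustration.

```python
"""Audit an external port scan against an allowlist of internet-facing services.

Added example, not from the original post. The scan lines are constructed in
nmap -oG style; the allowlist encodes the post's guidance on which protocols
belong on the public edge and which belong behind the VPN.
"""
import re

# Protocol/port pairs the post names as legitimately internet-facing (assumed ports).
PUBLIC_ALLOWLIST = {
    ("tcp", 25): "SMTP", ("tcp", 53): "DNS", ("udp", 53): "DNS",
    ("tcp", 80): "HTTP", ("tcp", 443): "HTTPS", ("tcp", 179): "BGP",
    ("udp", 500): "IKEv2", ("udp", 4500): "IKEv2 NAT-T",
    ("udp", 1194): "OpenVPN", ("udp", 5060): "SIP", ("tcp", 5061): "SIP-TLS",
}

# Services the post says should sit behind the VPN rather than on the edge.
KNOWN_RISKY = {
    ("tcp", 22): "SSH", ("tcp", 3389): "RDP", ("tcp", 139): "NetBIOS",
    ("tcp", 445): "SMB", ("tcp", 135): "RPC", ("udp", 137): "NetBIOS",
    ("tcp", 8080): "web admin portal", ("tcp", 8443): "web admin portal",
}

# Constructed sample in nmap -oG style (documentation IP range 203.0.113.0/24).
SAMPLE_SCAN = """\
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///
Host: 203.0.113.11 ()\tPorts: 25/open/tcp//smtp///, 3389/open/tcp//ms-wbt-server///, 8443/open/tcp//https-alt///
Host: 203.0.113.12 ()\tPorts: 1194/open/udp//openvpn///, 500/open/udp//isakmp///, 22/filtered/tcp//ssh///
"""

PORT_RE = re.compile(r"(\d+)/(\w+)/(tcp|udp)//([^/]*)///")
HOST_RE = re.compile(r"Host:\s+(\S+)\s+\(\)\s+Ports:\s+(.*)")


def parse_grepable(text):
    """Return {ip: [(proto, port, state, name), ...]} from nmap -oG style lines."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, ports = m.groups()
        hosts[ip] = [(proto, int(port), state, name)
                     for port, state, proto, name in PORT_RE.findall(ports)]
    return hosts


def audit(text):
    """Return (ip, proto, port, verdict) for every open port.

    verdict is "allowed", "move-behind-vpn:<service>" or "review" (unknown service).
    """
    findings = []
    for ip, entries in parse_grepable(text).items():
        for proto, port, state, _name in entries:
            if state != "open":
                continue  # filtered/closed ports are not reachable from outside
            key = (proto, port)
            if key in PUBLIC_ALLOWLIST:
                verdict = "allowed"
            elif key in KNOWN_RISKY:
                verdict = f"move-behind-vpn:{KNOWN_RISKY[key]}"
            else:
                verdict = "review"
            findings.append((ip, proto, port, verdict))
    return findings


def needs_vpn(text):
    """Only the (ip, port) pairs that should be moved behind the VPN."""
    return sorted((ip, port) for ip, _p, port, v in audit(text)
                  if v.startswith("move-behind-vpn"))


if __name__ == "__main__":
    for ip, proto, port, verdict in audit(SAMPLE_SCAN):
        print(f"{ip:15} {proto}/{port:<5} {verdict}")
```

Feeding a real `nmap -oG` file into `audit()` gives a per-port verdict; anything marked `review` is a service the allowlist does not know, which is exactly the kind of exposure that deserves a second look.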

External Service Risks

Every service exposed will present its own set of risks. Some examples of these risks are:

· User enumeration: Submitting usernames to an authentication mechanism and evaluating the response to determine whether the user is valid. Discovered usernames can be used in various attacks including, but not limited to, password spraying, password guessing, and phishing.

· Weak authentication: Many endpoints are not properly secured with Multi-Factor Authentication (MFA) and are therefore susceptible to credential stuffing.

· Remote Code Execution (RCE): Vulnerabilities which allow execution of code on the host are frequently exploited on unpatched RDP endpoints.

· Information disclosure: Many endpoints leak information which may assist an attacker in tailoring an attack chain against the host.

These are just a few of the most prominent concerns with exposing services to the public. The actual risks will be specific to each service, organizational threat model, and the host exposing the service.
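The user enumeration and weak authentication risks above leave a recognisable trace in authentication logs: one source trying many usernames, several of which the server reports as non-existent. As an added example (not from the original post), the following detection logic runs over constructed sshd auth-log lines and separates that pattern from a legitimate user mistyping a password. The thresholds are assumptions chosen for illustration.

```python
"""Detect user-enumeration / password-spraying patterns in sshd auth logs.

Added example, not from the original post. The log lines are constructed in
the format OpenSSH writes to the auth log; the thresholds are illustrative.
"""
import re
from collections import defaultdict

# Constructed sample: one source probing many usernames, one user mistyping
# a password once, and a normal key-based login (documentation IP ranges).
SAMPLE_LOG = """\
Jun 12 08:01:02 bastion sshd[2101]: Invalid user admin from 198.51.100.5 port 51234
Jun 12 08:01:02 bastion sshd[2101]: Failed password for invalid user admin from 198.51.100.5 port 51234 ssh2
Jun 12 08:01:05 bastion sshd[2103]: Invalid user oracle from 198.51.100.5 port 51240
Jun 12 08:01:05 bastion sshd[2103]: Failed password for invalid user oracle from 198.51.100.5 port 51240 ssh2
Jun 12 08:01:07 bastion sshd[2105]: Failed password for root from 198.51.100.5 port 51244 ssh2
Jun 12 08:01:09 bastion sshd[2107]: Invalid user test from 198.51.100.5 port 51250
Jun 12 08:01:09 bastion sshd[2107]: Failed password for invalid user test from 198.51.100.5 port 51250 ssh2
Jun 12 08:01:11 bastion sshd[2109]: Failed password for backup from 198.51.100.5 port 51255 ssh2
Jun 12 08:02:30 bastion sshd[2130]: Failed password for alice from 192.0.2.44 port 40100 ssh2
Jun 12 08:02:41 bastion sshd[2131]: Accepted publickey for alice from 192.0.2.44 port 40101 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
INVALID_RE = re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>\S+) port")


def summarize(log_text):
    """Per source IP: failed-login count, set of usernames tried, and the
    subset of those usernames the server reported as not existing."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "invalid": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            s = stats[m["ip"]]
            s["failures"] += 1
            s["users"].add(m["user"])
            continue
        m = INVALID_RE.search(line)
        if m:
            stats[m["ip"]]["invalid"].add(m["user"])
    return stats


def flag_sources(log_text, min_users=3, min_invalid=2):
    """Return {ip: reason} for sources that tried at least min_users distinct
    usernames of which at least min_invalid do not exist on the host. A single
    user mistyping a password never crosses these thresholds."""
    flagged = {}
    for ip, s in summarize(log_text).items():
        if len(s["users"]) >= min_users and len(s["invalid"]) >= min_invalid:
            flagged[ip] = (f"{len(s['users'])} usernames tried, "
                           f"{len(s['invalid'])} unknown, {s['failures']} failures")
    return flagged


if __name__ == "__main__":
    for ip, reason in flag_sources(SAMPLE_LOG).items():
        print(f"{ip}: {reason}")
```

Counting distinct usernames per source, rather than raw failures, is what distinguishes spraying from a forgotten password; the "Invalid user" lines additionally show that the server's responses are already revealing which accounts exist, which is the enumeration risk the list describes.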

Without regard to specific organizational circumstances, the Cybersecurity & Infrastructure Security Agency (CISA) states that malicious actors routinely exploit these services to gain an initial foothold in a victim's network, and provides a list of common techniques used by malicious actors, along with mitigations organizations can reference, in Alert AA22-137A.

What is a Virtual Private Network?

If one is to consider a private network as a network that is physically isolated from other networks, a virtual private network is also isolated from other networks, but in a virtual sense, not a physical one.

It is a virtual construct which provides an encrypted tunnel of communication between two points. Essentially, VPNs allow secure communication across an insecure medium such as the public internet. This allows network access from individual users into a corporate network, remote offices to other remote offices, data center to data center, etc. to take place without dedicated hardlines.

VPN Protocol Choice

The primary choices of VPN protocols include OpenVPN, Point-to-Point Tunneling Protocol (PPTP), Secure Socket Tunneling Protocol (SSTP), Layer 2 Tunneling Protocol (L2TP), and Internet Key Exchange v2 (IKEv2). Of these, there are only two real choices: OpenVPN and IKEv2. The other options are either complicated and prone to misconfigurations, proprietary, or inherently less secure.

· OpenVPN: Easily configured, customizable for prioritizing speed or security, and available on almost all platforms. It can be configured to run over Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) and on any port, including TCP port 443, which makes it strong for masking your VPN traffic as Hypertext Transfer Protocol Secure (HTTPS), thus bypassing traffic blockers.

· IKEv2: A tunneling protocol designed with strong security in mind. When paired with Internet Protocol Security (IPSec), it becomes a VPN protocol. The biggest benefit to choosing IKEv2 is its stability over changing connections.
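OpenVPN's flexibility cuts both ways: the same configuration file that lets you pick port and transport also lets you leave legacy ciphers, weak HMACs and an unprotected control channel in place. As an added example (not from the original post or the OpenVPN project), the following script parses a server configuration and reports weak settings, shown against a constructed legacy config and its hardened counterpart. The directives used (`cipher`, `data-ciphers`, `auth`, `tls-version-min`, `tls-crypt`, `tls-auth`, `remote-cert-tls`, `verify-client-cert`) are real OpenVPN directives; the specific file contents are constructed.

```python
"""Check an OpenVPN server configuration for weak settings.

Added example, not from the original post or the OpenVPN project. Both
configurations below are constructed; the checks encode common OpenVPN
hardening guidance (TLS 1.2 minimum, AEAD data cipher, SHA-256 HMAC,
tls-crypt control-channel protection, client certificate verification).
"""

# Constructed: a legacy-style server config with weak choices.
WEAK_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
cipher BF-CBC
auth SHA1
tls-version-min 1.0
"""

# Constructed: the same server after hardening.
HARDENED_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
tls-version-min 1.2
tls-crypt ta.key          # shared secret protecting the TLS control channel
remote-cert-tls client    # only accept peer certs issued for client use
verify-client-cert require
"""

AEAD_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}
WEAK_AUTH = {"MD5", "SHA1", "NONE"}


def parse_conf(text):
    """Return {directive: [args...]}, ignoring '#'/';' comments and blank lines.
    A later occurrence of a directive overwrites an earlier one (sufficient here)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        conf[parts[0]] = parts[1:]
    return conf


def check_conf(text):
    """Return a list of human-readable findings; an empty list means no weak setting found."""
    c = parse_conf(text)
    findings = []

    # Data channel: want an AEAD cipher, via data-ciphers (2.5+) or legacy cipher.
    negotiable = set(c["data-ciphers"][0].split(":")) if "data-ciphers" in c else set()
    legacy = c.get("cipher", [None])[0]
    if not negotiable & AEAD_CIPHERS and (legacy or "").upper() not in AEAD_CIPHERS:
        findings.append(f"data cipher is {legacy or 'unset'}; use data-ciphers AES-256-GCM:AES-128-GCM")

    # HMAC for the control channel and non-AEAD data channel; OpenVPN defaults to SHA1.
    auth = c.get("auth", ["SHA1"])[0].upper()
    if auth in WEAK_AUTH:
        findings.append(f"auth {auth} is weak; use auth SHA256 or stronger")

    # TLS floor; string comparison is adequate for the 1.0 .. 1.3 range.
    tls_min = c.get("tls-version-min", ["1.0"])[0]
    if tls_min < "1.2":
        findings.append(f"tls-version-min {tls_min}; require at least 1.2")

    if "tls-crypt" not in c and "tls-auth" not in c:
        findings.append("control channel is unprotected; add tls-crypt (or tls-auth)")

    if c.get("remote-cert-tls") != ["client"]:
        findings.append("remote-cert-tls client missing; server-use certificates could be presented as clients")

    # verify-client-cert defaults to 'require'; anything else weakens mutual auth.
    if c.get("verify-client-cert", ["require"])[0] != "require":
        findings.append("verify-client-cert is not 'require'")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {check_conf(conf) or 'no findings'}")
```

Running the checker against the two constructed files returns five findings for the legacy config and none for the hardened one; pointing `check_conf()` at a real `server.conf` before exposing UDP 1194 (or TCP 443) is a cheap pre-deployment gate.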

VPN Products

The market is flush with products that provide VPN tunnel services. Most small business solutions, such as SonicWall and pfSense, have built-in support for VPN tunnels. Enterprise solutions, such as Cisco, Fortinet, and Palo Alto, offer a plethora of VPN options.

There are sufficient VPN products on the market today to support nearly any budget. The barrier to entry for this solution has been reduced to the point where everyone can, and should, secure their external services.

Conclusion

Virtual private networks have enabled organizations to achieve secure perimeter network configurations while still allowing their personnel to access the resources necessary to operate. Organizations should ensure that the only services reachable from outside the perimeter network are those that must be accessed by entities not under the organization's direct control.

If you’re interested in external service risks and VPN use, don’t hesitate to reach out to us via the methods below! We’d be happy to discuss further or answer any questions.

Contact Us:

Twitter

LinkedIn

Our Website

Contact Us Form


⋊̶͚͚̖̋̓̇̀ɹ̸̧̞͙̆͒̈́͗ǝ̵͙͉̇̔́͆p̶̪̰͎͙͒u̶̩͖͆ɐ̴̜̑X̴̫̝͈͝
Hunter Strategy

Architect, IT Security, DevOps, Automation, QoL Improvement Coder, and overall geek. My opinions are my own and not necessarily those of my employer. (He/Him)