Virtual private networks (VPNs) enable you to gain remote access to on-premises private networks and to connect remote private networks into a wide area network (WAN). A VPN typically establishes these connections by assigning users internal IP addresses.
On the one hand, VPNs expand your visibility: traffic is routed through the VPN, where you can reliably log, filter, and monitor it, and you can authenticate and authorize users before granting them access to network assets. On the other hand, the VPN becomes a single, central path into your network; if that path is misconfigured or compromised, threat actors gain the same access it provides to legitimate users.
You can use a VPN to protect your endpoints, but you also need to secure the VPN itself against known and unknown vulnerabilities. To do so, you can apply EDR practices and reduce endpoint, authentication, and network architecture risks. Newer Extended Detection and Response (XDR) solutions can extend these protections beyond what EDR alone provides.
In this article, you will learn:
What is a VPN
How VPNs affect endpoint security
Critical VPN vulnerabilities
Deploying a VPN through endpoint security
What Is a VPN?
A virtual private network (VPN) is a private network that extends beyond on-premises hardware. It is created from a combination of network tunneling and software controls, rather than dedicated connection lines.
VPNs enable users to remotely access on-premises private networks. These connections assign the user an internal IP address and enable them to access any assets they could if they were physically connected. Organizations can also use VPNs to connect two remote private networks into a wide area network (WAN).
How Do VPNs Affect Endpoint Security?
VPNs enable you to extend your endpoint security measures to remote users and cloud connections. Traffic is routed through the VPN before it accesses your network. This enables you to log, monitor, and filter traffic with the same reliability as a physical connection.
These capabilities are especially important for maintaining the visibility of your various endpoints. As more remote connections are made and cloud resources used, your network perimeter scales up. VPNs can scale with these endpoints, ensuring that security is evenly applied to every connection.
When using VPNs, you can perform authorization and authentication before a user connects to your assets. This eliminates the need to rely on the security of the user’s Internet connection to verify identity. It also adds a layer on top of any security that is on the user’s device or network, which reduces the chance that a device stolen from a legitimate user can be used to access your VPN.
Critical VPN Vulnerabilities
While VPNs can grant greater security and visibility into remote connections, these tools are not free from vulnerabilities. There are still loopholes that attackers can use to reach sensitive data and systems.
These loopholes can be used against even the largest enterprises. For example, Airbus, a giant in the aerospace industry, was recently hit by a series of attacks focused on VPNs used by its suppliers. To ensure that your organization doesn’t fall victim to the same fate, it helps to understand where VPN vulnerabilities lie. Below are a few to watch out for.
Network architecture and topology
For many organizations, only a small number of users use VPN tunneling to connect to the primary network. This means that only a small, easy-to-manage pool of IP addresses is allocated for use. However, when organizations scale up the number of remote connections, for example during work-from-home restrictions, this number must increase.
Primarily remote workforces often require hundreds or even thousands of addresses, some of which may be reused from those formerly dedicated to local connections. This can create serious security issues if you do not carefully audit and reconfigure access controls assigned to those IPs.
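The audit the paragraph above calls for can be partly automated. The following is an added example, not code from the original article or from any VPN product: it assumes a simple rule list (source CIDR, destination, action) and a VPN address pool that was widened from a /28 to a /22, and it reports every allow rule that the widened pool now reaches but the old pool did not. The pool sizes, rule names and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: the address pool handed out to VPN clients. Before the
# remote-work expansion it was 10.8.0.0/28; it has now been widened to
# 10.8.0.0/22, which swallows 10.8.1.0/24, formerly an on-site office segment.
OLD_POOL = "10.8.0.0/28"
NEW_POOL = "10.8.0.0/22"


@dataclass(frozen=True)
class Rule:
    name: str         # label for the rule (constructed)
    source: str       # CIDR the rule matches on
    destination: str  # asset or segment the rule grants access to
    action: str       # "allow" or "deny"


# Constructed access-control list in the style of a simple firewall policy.
# The two "office-*" rules were written when 10.8.1.0/24 was an on-site
# segment; they now also match any VPN client whose lease lands in that range.
RULES = [
    Rule("vpn-to-intranet", "10.8.0.0/28", "intranet-web", "allow"),
    Rule("office-to-finance-db", "10.8.1.0/24", "finance-db", "allow"),
    Rule("office-admins-to-ad", "10.8.1.128/25", "domain-controllers", "allow"),
    Rule("guest-wifi-deny", "10.9.0.0/24", "finance-db", "deny"),
]


def rules_reachable_from_pool(pool, rules):
    """Return every allow rule whose source overlaps the VPN address pool.

    Overlap (rather than strict containment) is used on purpose: a rule that
    matches only part of the pool still grants that access to whichever
    remote user happens to receive an address inside the overlap.
    """
    pool = ipaddress.ip_network(pool)
    hits = []
    for rule in rules:
        if rule.action != "allow":
            continue
        if ipaddress.ip_network(rule.source).overlaps(pool):
            hits.append(rule)
    return hits


def rules_needing_review(old_pool, new_pool, rules):
    """Allow rules reachable from the widened pool but not from the old one.

    These are the access grants that silently changed meaning when the pool
    grew; they are the ones to re-audit before the new pool goes live.
    """
    before = set(rules_reachable_from_pool(old_pool, rules))
    after = set(rules_reachable_from_pool(new_pool, rules))
    return sorted(after - before, key=lambda r: r.name)


if __name__ == "__main__":
    for rule in rules_needing_review(OLD_POOL, NEW_POOL, RULES):
        print(f"REVIEW {rule.name}: {rule.source} -> {rule.destination}")
```

On the constructed data the script flags both office rules (finance database and domain controllers) and leaves the original vpn-to-intranet rule alone, which is exactly the set an administrator should re-examine before remote users start receiving addresses from the enlarged pool.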
Another issue is network latency. VPN connection points can only handle a set amount of traffic. Request and response times depend on how close a given connection point is to the user and on the bandwidth allocated to it.
Connecting too many users to a single point exceeds these limits, leading to slow connections or preventing connections entirely. Attackers can exploit the same limits to deny service to legitimate users in denial of service (DoS) attacks.
Authentication
A large part of VPN security relies on strong authentication measures. Once a user gets past authentication, they have the same access as if they had plugged directly into your network on-site.
This means that if you use weak measures, such as allowing short, simple passwords, you are at risk. Additionally, not changing default passwords, or never requiring password changes, gives attackers easy access.
Another issue is the accessibility of your login portals. If your login portal is reachable from the public Internet, you give attackers an easy place to try stolen or guessed credentials and passwords.
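An exposed login portal cannot always be avoided, so the practical defence is to notice credential guessing quickly. The following detection logic is an added example, not code from the original article or from any VPN vendor's product; it assumes a generic "timestamp user source result" authentication log format (constructed here, not the format of any real VPN appliance) and flags any source address that accumulates a burst of failures within a short window, reporting how many distinct accounts it tried and whether a success followed the burst. Window and threshold values are assumptions to tune for your own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Each line: timestamp user source-address result.
# 203.0.113.5 tries five different accounts in five seconds (password spraying)
# and then succeeds; the other two sources show ordinary user behaviour.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z alice 203.0.113.5 FAIL
2024-03-01T08:00:02Z bob 203.0.113.5 FAIL
2024-03-01T08:00:03Z carol 203.0.113.5 FAIL
2024-03-01T08:00:04Z dave 203.0.113.5 FAIL
2024-03-01T08:00:05Z erin 203.0.113.5 FAIL
2024-03-01T08:00:06Z frank 203.0.113.5 SUCCESS
2024-03-01T08:10:00Z alice 198.51.100.7 FAIL
2024-03-01T08:10:30Z alice 198.51.100.7 SUCCESS
2024-03-01T09:00:00Z admin 192.0.2.9 FAIL
2024-03-01T09:30:00Z admin 192.0.2.9 FAIL
"""


def parse(log_text):
    """Yield (timestamp, user, source, result) tuples from the constructed format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, src, result


def detect_bruteforce(records, window=timedelta(minutes=5), threshold=5):
    """Return {source: summary} for sources with >= threshold failures inside window.

    A sliding window over each source's failures catches both classic brute
    force (one account, many passwords) and password spraying (many accounts,
    one password); the distinct-user list tells the analyst which one it was.
    """
    events = defaultdict(list)
    for ts, user, src, result in records:
        events[src].append((ts, user, result))

    alerts = {}
    for src, evs in events.items():
        evs.sort()  # timestamps first, so the window scan below is in order
        fails = [(ts, user) for ts, user, result in evs if result == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # Advance the window start until it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = fails[start:end + 1]
                burst_end = burst[-1][0]
                # A success after the burst is the highest-priority signal:
                # the attacker may now hold a working credential.
                success_after = any(
                    result == "SUCCESS" and ts > burst_end
                    for ts, _, result in evs
                )
                alerts[src] = {
                    "failures": len(burst),
                    "users": sorted({user for _, user in burst}),
                    "success_after": success_after,
                }
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(parse(SAMPLE_LOG)).items():
        print(src, info)
```

Only 203.0.113.5 is reported on the sample data: two failures half an hour apart from 192.0.2.9 never fit inside the five-minute window, and one mistyped password from 198.51.100.7 is normal user behaviour. The success_after flag is what should raise the alert's severity and trigger a forced re-authentication or session termination for the account that succeeded.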
Endpoint devices
Ideally, any devices connecting to your VPN are managed by your IT teams. This ensures that devices are up to date, that the appropriate security tooling is installed, and that permissions and access are suitably restricted. Remotely managed devices can be verified and secured by IT teams in the same way as local devices.
Realistically, however, at least some connecting devices are likely to be personal ones, as more organizations adopt bring your own device (BYOD) policies. With BYOD, you have no control over the device itself; you can only secure its traffic and activity once it is inside your network.
Of particular concern is the connection of machines that are already infected with malware. For these machines, even installing VPN client software may not be enough to secure connections. Depending on the infection type, attackers may be able to hijack the VPN client itself, or take control of the device after a legitimate connection has been made.
Deploying VPN through Endpoint Security
One method for increasing the security of your VPN involves leveraging solutions you may already be using. With the expansion of cloud resources and remote work, many organizations have adopted endpoint protection platforms (EPPs).
EPPs enable organizations to secure endpoints with protective features, including access controls, next-generation antivirus (NGAV), intrusion prevention and detection systems (IPS/IDS), and endpoint detection and response (EDR). Learn more in our article about EPP vs EDR, which explains the main differences between these two endpoint technologies.
VPNs can be deployed through these platforms to layer monitoring and proactive functionality on endpoint connections. This is in contrast to VPNs deployed individually on client endpoints, which rely only on device security measures and VPN authentication. Some of the protective measures you gain from deploying a VPN through an EPP include the following.
Data loss prevention (DLP)
DLP tools play a key role in protecting endpoints and networks. These tools help you detect suspicious traffic and can enable you to block access into a network and transfers of data out of it. When applied alongside VPNs, you can extend your data protection beyond encryption into active traffic control.
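The "active traffic control" part of DLP comes down to inspecting outbound content and deciding whether to let it through. The block below is an added example, not code from the original article or from any DLP product: it scans a constructed outbound payload for payment card numbers (digit runs of 13 to 19 characters that pass the Luhn checksum, which is how real DLP engines avoid flagging every long number), masks what it finds so the alert itself does not leak the data, and returns an allow/block decision. The threshold of zero permitted card numbers is an assumption.

```python
import re

# Runs of 13-19 digits, optionally separated by spaces or hyphens, that are
# not embedded in a longer digit run (the lookarounds reject those).
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")

# Constructed outbound payload: one order number that merely looks like a card
# number, one genuine-format test card number, and a phone number.
SAMPLE_PAYLOAD = (
    "Order 1234567890123456 confirmed for card 4111 1111 1111 1111, "
    "call 555-0100 with questions."
)


def luhn_ok(digits):
    """Luhn checksum: doubles every second digit from the right, sums, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return candidate card numbers (separators stripped) that pass Luhn."""
    found = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(digits):
    """Keep the first six and last four digits, as a PCI-style display mask."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def inspect_outbound(payload, max_cards=0):
    """Decide whether an outbound payload may leave the network.

    Returns the action and the masked matches so the alert can be logged
    without reproducing the sensitive value it was meant to stop.
    """
    cards = find_card_numbers(payload)
    action = "block" if len(cards) > max_cards else "allow"
    return {"action": action, "matches": [mask(c) for c in cards]}


if __name__ == "__main__":
    print(inspect_outbound(SAMPLE_PAYLOAD))
```

On the sample payload the order number is rejected by the Luhn check and the phone number is too short, so the only match is the card number, reported as 411111******1111 with a block decision. In a VPN-plus-EPP deployment this check runs on the endpoint agent before traffic enters the tunnel, so the decision can be enforced even though the tunnel itself is encrypted.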
Centralized management
Deploying VPNs through EPPs helps keep your security measures centralized. This increases visibility and streamlines management for your IT and security teams. It also helps teams ensure that security policies and controls are applied consistently.
If you are managing VPN controls from one dashboard and the rest of your network controls from another, you increase the chance of misconfiguration. In contrast, monitoring and managing VPN traffic alongside your on-site traffic helps ensure consistent protections.
Learn more in our article: Endpoint Security: Defending the New Front Door of Corporate Networks.
Strong authentication
VPNs deployed through EPPs can help you enforce strong authentication measures. The combination lets you overlap authentication and access controls for greater protection, including both single sign-on (SSO) and multi-factor authentication (MFA).
SSO can increase security by decreasing the number of passwords users must remember and the number of login points that must be exposed. With SSO, a user signs on once, and for the life of their session those credentials are used to provide access to any necessary assets.
MFA increases security by reducing or eliminating the chance that compromised credentials can be used on their own. It requires users to confirm their identity with a secondary measure, such as entering a matching PIN sent via text message or scanning a fingerprint.
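The "matching PIN" step is simple to describe but easy to implement unsafely. The class below is an added example, not code from the original article or from any vendor's MFA product; it assumes a six-digit one-time PIN delivered out of band (the delivery channel is left to the caller) and shows the three properties a verifier needs: the PIN expires, it can be used only once, and a small number of wrong guesses locks the challenge so the six-digit space cannot be brute-forced. The clock is injected so the expiry behaviour can be tested deterministically; the PIN length, lifetime and attempt limit are assumed values.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

PIN_LENGTH = 6          # digits in the one-time PIN (assumed)
PIN_TTL_SECONDS = 300   # how long a PIN stays valid (assumed)
MAX_ATTEMPTS = 3        # wrong guesses before the challenge is discarded (assumed)


@dataclass
class Challenge:
    pin: str
    expires_at: float
    attempts: int = 0


class MfaVerifier:
    """Issue and check one-time PINs for the second-factor step of a login."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable for deterministic tests
        self._pending = {}       # user -> outstanding Challenge

    def issue(self, user):
        """Create a fresh challenge for `user`, replacing any outstanding one."""
        pin = f"{secrets.randbelow(10 ** PIN_LENGTH):0{PIN_LENGTH}d}"
        self._pending[user] = Challenge(pin, self._clock() + PIN_TTL_SECONDS)
        # Returned here only so the caller can hand it to the SMS/push channel.
        return pin

    def verify(self, user, submitted):
        """Return one of: ok, wrong, locked, expired, no_challenge."""
        challenge = self._pending.get(user)
        if challenge is None:
            return "no_challenge"
        if self._clock() > challenge.expires_at:
            del self._pending[user]
            return "expired"
        challenge.attempts += 1
        # Constant-time comparison so timing does not leak matching prefixes.
        if hmac.compare_digest(challenge.pin.encode(), submitted.encode()):
            del self._pending[user]      # one-time: a replayed PIN fails
            return "ok"
        if challenge.attempts >= MAX_ATTEMPTS:
            del self._pending[user]      # force a new PIN to be issued
            return "locked"
        return "wrong"


if __name__ == "__main__":
    verifier = MfaVerifier()
    pin = verifier.issue("alice")
    print("wrong guess:", verifier.verify("alice", "000000" if pin != "000000" else "999999"))
    print("correct pin:", verifier.verify("alice", pin))
    print("replay:", verifier.verify("alice", pin))
```

The important design point is that every outcome other than "ok" discards or limits the challenge: an expired PIN is deleted on first use rather than lingering, a correct PIN is consumed so it cannot be replayed, and three wrong guesses against a six-digit PIN leave an attacker with a 3-in-1,000,000 chance rather than unlimited tries.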
Incident response
VPNs deployed through EPPs can help both IT and users during incident response. For IT teams, these connections enable secure, remote management of systems at any time and from any place. This ensures that teams can respond to incidents as soon as possible, reducing any damage caused.
For users, these systems help ensure that access to assets remains available and minimize interruptions to productivity. Without a secure VPN in place, IT may have to block all remote connections to a network during incidents. Protected VPN connections, however, can reliably be allowed through, minimizing the impact on legitimate users.
Endpoint Security and VPN Protection with Cynet
Cynet 360 is a holistic security solution that protects against threats to endpoint security and across your network. Cynet provides all of the basics of perimeter security, including next-generation antivirus (NGAV), intrusion detection, and management of virtual private networks (VPNs).
Cynet’s intelligent technologies can help you detect attacks by correlating information from endpoints, network analytics and behavioral analytics with almost no false positives.
With Cynet, you can proactively monitor entire internal environments, including endpoints, network, files, and hosts. This can help you reduce attack surfaces and the likelihood of multiple attacks.
Cynet 360 provides cutting edge EDR capabilities:
Advanced endpoint threat detection—full visibility into endpoints and prediction of how an attacker might operate, based on continuous monitoring of endpoints and behavioral analysis.
Investigation and validation—search and review historic or current incident data on endpoints, investigate threats, and validate alerts. This allows you to confirm a threat before responding to it, reducing dwell time and speeding up remediation.
Rapid deployment and response—deploy across thousands of endpoints within two hours. You can then use it to perform automatic or manual remediation of threats on the endpoints, disrupt malicious activity and minimize damage caused by attacks.