The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified numerous vulnerabilities in traditional virtual private network (VPN) solutions that have been exploited in recent high-profile cyber attacks, leading the agency to recommend that organizations adopt new approaches to network access security. CISA has urged businesses to switch to modern approaches like Secure Access Service Edge (SASE) and Secure Service Edge (SSE) to integrate enhanced identity verification, adaptive access controls, and cloud-delivered security. This move would help advance their way on their zero trust journey.

Vulnerabilities in Traditional VPN Systems

CISA has identified several different vulnerabilities in legacy VPN systems can enable broad network compromise if exploited, given their typical lack of granular access controls. While VPNs provide ease of access for employees to connect to remote company applications and external data servers, they also make organizations more susceptible to compromise through various vulnerabilities inherent to typical network design. Recent examples of successful exploitation of VPNs include:

• Vulnerabilities affecting Ivanti Connect Secure gateways (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893) allowed threat actors to reverse tunnel from the VPN device, hijack sessions, and move laterally across victim networks while evading detection.
• The Citrix Bleed vulnerability (CVE-2023-4966) enabled bypassing of multifactor authentication, allowing threat actors to impersonate legitimate users, harvest credentials, and conduct ransomware attacks.

Compromised user devices connected via VPNs also introduce risks from poor cyber hygiene. And third-party vendors granted VPN access may lack sufficient network segmentation controls and least privilege protections. While some VPNs can enforce firewall policies, not all provide the identity-based adaptive access controls central to zero trust. Software-based VPNs also carry inherent vulnerabilities lacking in hardware-based solutions.

Modern Solutions to Network Access Security

Modern alternatives to VPN-based network access control includes zero trust architecture, SSE, SASE and identity-based adaptive access policies. These solutions provide access to applications and services based on continuous, granular validation of user identity and authorization - rejecting those not explicitly authenticated for specific resources. Zero Trust is a collection of different concepts and ideas that help organizations enforce accurate per-request access decisions based on the principles of least privilege. SSE is a comprehensive approach that combines networking, security practices, policies and services within a single platform. Key capabilities like multi-factor authentication, endpoint security validation, and activity monitoring better secure data in network transit while reducing attack surfaces. Tighter access controls also help secure data at rest by limiting exposure of internal applications. Effectiveness relies heavily on aligning network and infrastructure with zero trust principles like least privilege. Implementing zero trust even partially can greatly enhance protections against threats and data loss. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.