What Your VPN Doesn’t Know (Can Hurt You)

For a quick dash of security, companies set up many telecommuters with VPN clients to connect to the corporate server and other assets on the company’s network. Leaving aside the issues of expense, inconvenience and how good the VPN’s encryption actually is, these companies and telecommuters should not overlook the bigger concern: the possibility of viruses and malware spreading from home networks to the corporate network and vice versa. Companies implement VPNs to provide security; however, the security they provide is limited to encrypting the communications between the corporate VPN server and the telecommuter’s VPN client. This prevents ISPs and other third parties from snooping on those communications while in transit through the Internet, but it does nothing to regulate or examine their contents. Malware sent from place to place via VPN, SSL or TLS is just as much malware as that sent through unencrypted means. VPNs on their own, with no other security measures in place, provide an easy environment in which to spread viruses and malware from, say, a Chinese-made smart TV (with its built-in processing and data-collection abilities) connected to the telecommuter’s home network to the corporate network via the telecommuter’s own computer and encrypted connection, and, by extension, to everyone else in and out of the office who connects to the corporate network.
In this way a whole company could become fodder for spyware, ransomware and any other kind of malware you can think of, because the contents of VPN-encrypted communications are erroneously considered “secure” and therefore “safe.” With the growth of internet-connected “smart” appliances and gadgets in the home, this danger has only grown, with refrigerators, TVs, gaming consoles, entertainment systems, thermostats and home security systems as possible vectors through which hackers infiltrate home computing networks. Even kids’ toys these days come internet-capable, and at a price too low to assume that the companies making them built in robust security, especially when they have neither the expertise nor the experience to build secure computing devices. Anything with a computer chip, regardless of its original purpose, can provide an “in” for hackers to pwn the unsuspecting telecommuter’s home network, a network directly connected to the corporate network and to other telecommuters by a trusted VPN. The VPN is a one-trick pony: it encrypts and sends data, regardless of what that data is. In doing so, it makes it impossible to implement other security features that could address its shortcomings. By encrypting the data, the VPN makes any intervening packet capture, firewall or IDS/IPS next to useless: the VPN traffic passing through is encrypted and therefore cannot be examined, which conveniently allows malicious communications to travel undetected, because the trusty VPN has encrypted them along with the legitimate business traffic. While in theory you could combine a VPN with a firewall, aside from the configuration nightmare that presents, the two technologies are not typically combined or optimized to work together nicely or efficiently. What does this mean? In a VPN environment all you may be doing is making it easier for hackers to spread their malicious tools and spy on telecommuters and business computers alike, undetected.
On top of the expense of implementing a VPN in the first place, which merely hides communications from the ISPs and telecom carriers, the VPN introduces a mechanism that defeats any other security measures that may be put in place, such as firewalls and packet capture, because the data sent between the VPN client and server is encrypted and therefore as good as invisible to network security equipment. Under the seemingly legitimate cover of “VPN traffic,” hackers could pass undetected from an infected computer, smartphone or smart TV to spy on both the telecommuter and any network to which the telecommuter connects. Any equipment monitoring the traffic for anomalies is quite effectively hamstrung. While a VPN on its own is, due to its limitations, an ineffective and counterproductive device, combining VPN functions with packet capture and lateral firewall technologies addresses those limitations and eliminates its security drawbacks: it provides the security of encrypted traffic in transit between client and server while maintaining the effectiveness of the security and monitoring provided by packet capture and firewalling. This is what our LateralAccessDevice can do for you.
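As an added illustration (not code from the original post or from the LateralAccessDevice product), the Python below models the point made above: a signature detector sitting on the path between home and office sees only ciphertext, while the same detector run where the tunnel terminates, before traffic is forwarded onto the corporate network, catches the payload. The cipher, the session key, the sample documents and the one-entry signature database are all constructed stand-ins, not a real VPN protocol or a real IDS.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample traffic: one clean business document and one file
# carrying a known test marker (the EICAR test-file string is a harmless
# industry-standard antivirus test pattern, used here as a stand-in).
CLEAN_DOC = b"Q3 sales forecast: revenue up 4%, see attached spreadsheet."
TEST_MARKER = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"
INFECTED_DOC = b"invoice.pdf.exe\x00" + TEST_MARKER + b"\x00payload-follows"

SIGNATURES = {"eicar-test-file": TEST_MARKER}  # toy signature database


def demo_key() -> bytes:
    """Constructed session key for the toy tunnel (assumption, not a real key)."""
    return hashlib.sha256(b"constructed-demo-session-key").digest()


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream (HMAC-SHA256 in counter mode). It stands in for the
    VPN's cipher only to make the point; it is not a real VPN protocol."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def tunnel_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """What the VPN client puts on the wire: plaintext XOR keystream."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


def tunnel_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """What the VPN server recovers; XOR with the same keystream inverts it."""
    return tunnel_encrypt(key, ciphertext)


def inspect(payload: bytes) -> list[str]:
    """Signature-based inspection the way a network IDS does it: byte matching."""
    return [name for name, pattern in SIGNATURES.items() if pattern in payload]


@dataclass
class InspectionResult:
    on_wire_hits: list[str]      # what a mid-path IDS sees on the encrypted tunnel
    at_endpoint_hits: list[str]  # what inspection at the tunnel endpoint sees
    forwarded: bool              # whether the endpoint let the payload through


def send_through_vpn(key: bytes, payload: bytes) -> InspectionResult:
    """Model one payload crossing the tunnel, with inspection at two points:
    on the wire (between home and office) and after decryption at the server,
    where a firewall/IDS placed at the tunnel endpoint can still act on it."""
    on_wire = tunnel_encrypt(key, payload)
    mid_path = inspect(on_wire)               # sees only ciphertext
    decrypted = tunnel_decrypt(key, on_wire)
    at_endpoint = inspect(decrypted)          # sees the real contents
    return InspectionResult(mid_path, at_endpoint, forwarded=not at_endpoint)


if __name__ == "__main__":
    key = demo_key()
    for name, doc in (("clean", CLEAN_DOC), ("infected", INFECTED_DOC)):
        r = send_through_vpn(key, doc)
        print(f"{name}: mid-path IDS saw {r.on_wire_hits or 'nothing'}, "
              f"endpoint inspection saw {r.at_endpoint_hits or 'nothing'}, "
              f"forwarded={r.forwarded}")
```

Running it shows the infected document passing the mid-path detector untouched and being caught only by the check that runs after decryption. The design point is placement: any byte-level inspection of tunnelled traffic has to sit at or behind the VPN endpoint, where the plaintext exists, and that is the position in which a combined VPN-plus-firewall device operates.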