With more organizations trying to find ways to accommodate remote employees, new solutions are being examined. One of these is the SSL VPN, a more advanced version of the more cumbersome IPsec VPN. However, SSL VPNs still leave the network vulnerable to attackers, because they tunnel users into the network, which can let hackers in and spread malware. Let’s see how SSL VPNs work and how the risks they pose can be mitigated with zero trust.
SSL (Secure Sockets Layer) VPNs are a more technologically advanced type of VPN, intended to provide more secure remote access to enterprise applications. Compared to the more common IPsec VPNs, SSL VPNs encrypt at the transport layer, and also encrypt network traffic. Encryption takes place through the TLS protocol. As a result, many enterprises are turning to SSL VPNs for their remote workforce.
There are two main types of SSL VPNs:
Portal VPN - This type of VPN permits only one SSL VPN connection at a time. It is agentless and does not require client software installation. Instead, it is accessed through a web portal. However, it is often difficult to configure and does not support all protocols (usually HTML and HTML5).
Tunnel VPN - A tunnel VPN operates like a tunnel to enable users to access multiple network services. A connection is established between the user and the VPN server, which is connected to the network resources. A tunnel VPN requires client software to set up the connection.
However, despite being more secure than IPsec VPNs, SSL VPNs still increase the organization’s attack surface, compared to other connectivity solutions.
This is because SSL VPNs often sit behind the perimeter firewall. This means the organization is still dependent on the castle-and-moat security approach, which does not protect from attackers who are inside the network. Encryption is not enough to protect the organization’s crown jewels from perpetrators who have access to assets and can also see the network and progress laterally. Without an additional security layer that protects internal applications, hackers can progress without significant barriers and plan and execute their attack.
In addition, SSL portal VPNs do not authenticate the user’s device for the latest security measures. An infected device could spread malware into the network.
Even if you choose an SSL VPN, it’s important to mitigate the vulnerabilities it poses with zero trust. Zero trust is an innovative security model that continuously identifies and authorizes each and every identity and device before they get access to network assets. Zero trust eliminates transitive trust and is based on the principle of least privilege. To enforce that, not only are users blocked from accessing apps before authentication, but they also have no visibility into the network at all. This prevents hackers from gathering reconnaissance and planning attacks.
Let’s see how each of the vulnerabilities listed above can be mitigated with zero trust to increase security posture:
Stopping user tunneling - Zero trust does not tunnel users into the network. Each user is authenticated before they get access to the organization’s information, through methods like MFA and SSO. This authentication continues even when users are in the network, to ensure that attackers who got in stay out of the crown jewels. Zero trust can complement SSL VPNs by securing the internal network. Transitive trust is eliminated with zero trust architecture, so users who came in through the VPN will not have immediate access like before. In addition, zero trust provides visibility into the network and the players within it, to enable auditing, recording and control.
The opposite of the castle-and-moat approach - Zero trust is a modern approach that is fit for enterprises that need business agility and the ability to connect third parties, remote workers, multiple types of devices, and more. The geographical limitations of the perimeter become obsolete, because zero trust protects all organizational assets through continuous authorization based on granular authentication policies. SSL VPNs, on the other hand, create holes in the perimeter.
Device authentication - Some zero trust providers like Cyolo authenticate user devices for the latest anti-virus updates and certificates before providing them with network access. This ensures that malware will not be distributed throughout the network.
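The three mitigations above, sketched as a per-request policy decision. This is an added example, not Cyolo's or any vendor's code; the roles, application names, field names and the 7-day anti-virus threshold are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_AV_AGE = timedelta(days=7)                    # assumed posture threshold
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # fixed so the demo is reproducible

# Constructed least-privilege policy: the only apps each role may reach.
ENTITLEMENTS = {"finance": {"erp"}, "contractor": {"ticketing"}}

@dataclass
class Request:
    user: str
    role: str
    mfa_passed: bool
    device_cert_valid: bool
    av_updated: datetime
    app: str
    via_vpn: bool = False  # network location; deliberately never consulted

def decide(req: Request, now: datetime) -> tuple[bool, str]:
    """Evaluate one request. Called on every request, not once per session."""
    if not req.mfa_passed:
        return False, "mfa_required"
    if not req.device_cert_valid:
        return False, "device_cert_invalid"
    if now - req.av_updated > MAX_AV_AGE:
        return False, "av_out_of_date"
    if req.app not in ENTITLEMENTS.get(req.role, set()):
        return False, "not_entitled"          # default deny
    return True, "allow"

def visible_apps(role: str) -> set[str]:
    """A user can only enumerate entitled apps, so there is nothing to scan."""
    return set(ENTITLEMENTS.get(role, set()))

def demo() -> list[str]:
    fresh, stale = NOW - timedelta(days=1), NOW - timedelta(days=30)
    requests = [  # constructed sample requests
        Request("alice", "finance", True, True, fresh, "erp"),
        Request("alice", "finance", True, True, stale, "erp", via_vpn=True),
        Request("bob", "contractor", True, True, fresh, "erp", via_vpn=True),
        Request("bob", "contractor", False, True, fresh, "ticketing"),
    ]
    return [decide(r, NOW)[1] for r in requests]

if __name__ == "__main__":
    print(demo())
```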
SSL VPNs might seem like a more secure and agile solution, but they do not provide CISOs and IT teams with the peace of mind they need for secure connectivity. Replace or complement your VPNs with zero trust, to reduce the risks of major attacks.
Cyolo is the leading zero trust security provider for organizations that want to protect their assets and customers. By securely connecting all users from anywhere without requiring a VPN, Cyolo enables employees to focus on their work and the business to grow. Cyolo provides advanced user management features, real-time recording abilities and an easy to use UI. Cyolo can also integrate with your VPNs, if needed.
Cyolo takes minutes to implement and is compatible with any network topology and identity infrastructure. In addition, Cyolo does not have access to the organizational data. Not only does this ensure true privacy and security, it also improves performance for a better user experience.
Author
Jennifer Tullman-Botzer is a cybersecurity nerd by day and a history nerd by night. She has over a decade of experience in cybersecurity marketing and is as tired as you are of hackers-in-hoodies stock images. Jennifer joined Cyolo in 2021 and currently serves as Head of Content. Prior to Cyolo, she worked in a variety of marketing roles at IBM Security. She lives in Tel Aviv, Israel.