The hidden risks in enterprise VPN

‘Free’ WiFi may turn out to be very expensive indeed
Charl van der Walt, Orange Cyberdefense. Photo: Karolina Komendera
Charl van der Walt, Orange Cyberdefense. Photo: Karolina Komendera

Just how dependable is enterprise VPN technology? It depends on who you ask.

Charl van der Walt, head of security research at Orange Cyberdefense, asks what happens when a machine joins a ‘free’ (the quotes are his) WiFi network, at, for example, an airport lounge?

Speaking at ITWeb’s Security Summit last week, he says that at the airport, the user is usually required to interact with what he calls a ‘captive portal’, or that page that asks you for a username/password or your credit card details. What’s happening here is that you’re being served some pages, and there’s something you need to fill out before you’re granted full access to the Internet. In the meantime, there may be a couple of apps that have begun to complain that they couldn’t make connections to the sites they were looking for, because they’d been presented with the wrong SSL certificates.

What’s actually happening here?

For those expecting a name-and-shame conclusion, Van der Walt will not be providing one.

Van der Walt says his company was confronted with an incident in which two laptops triggered an alert on a SIEM when they connected to a hotel’s WiFi. This could have been a responder attack, or when an attacker attempts to trick an end-point into making a connection to a fake Windows service, which can, in theory, lead to the service requesting the credentials for the logged-in user. This is not good news, and the attacker could eventually get hold of the username and password for that user in Windows Active Directory.

In any event, Van der Walt and his team traced this down to an accidental configuration, but one that can have quite serious implications.

What’s important to know is that the laptop woke up and was able to connect to the WiFi network before the VPN software could connect and stop any outgoing traffic.

In purgatory

A captive portal puts a laptop into a captive state, where the machine is connected to the LAN, but not the Internet. This means the VPN can’t establish a tunnel, and can’t enforce any protections.

As Van der Walt puts it, the machine is now in a state of ‘indefinite purgatory’, and the attack can, again in theory, be extended indefinitely.

What does all this mean? What is it that enterprises can expect from their VPN? Surely, asks Van der Walt, it should be guaranteed that if an end-point is connected to a remote location – on a WiFi access point – it should enjoy the same security controls and protections as that afforded to one on a corporate LAN?

And so he and colleagues turned their attention to five appliances on the market today, from Cisco, Pulse Secure, Palo Alto Networks, Fortinet, and Checkpoint. And, as it turns out, not all VPNs are equal.

For those expecting a name-and-shame conclusion, Van der Walt will not be providing one, saying only that his team is ‘engaging with those vendors where we found issues with their technologies’.

But he does say that in today’s world, he thinks it quite likely that enterprises’ end-users are connecting to the Internet either via an untrusted – if not malicious – public WiFi, or are connecting via home WiFi that isn’t theirs, and has perhaps been compromised.

This, he says, needs to be part of the industry’s threat model.

What can be done?

He says VPN configurations do make a difference, and security teams need to understand and apply them correctly as not all these configurations behave in the same way. He also says enterprises should control and centralise DNS, as well as qualify internal host names (i.e. don’t just name your printer, ‘printer-HQ’) and, where possible, avoid split tunnelling. It’s also not a good idea to only depend on a VPN’s lockdown features to protect end-points. Users should also have a local firewall.

But it’s a vicious circle, and the larger question here, says Van der Walt, is the business models: some businesses don’t want to pay for their users’ data, but others, such as coffee shops, are incentivised to offer free WiFi, but also need to create some kind of contractual agreement with the customer. This is where the captive portal comes in, which, in turn, forces the VPN vendors to create new and complex features.

If the user takes responsibility for their own connectivity, all these problems go away.