
VPNs: Complex, non-compliant, and lacking security for modern remote access
VPNs were once the go-to remote access solution but prove to be an insufficient foundation for secure remote access in today’s landscape
Executive Summary
VPNs have been the go-to remote access solution for the past few decades, and are commonly used to encrypt internet traffic, mask IP addresses, bypass geo-restrictions, create privacy, and create an encrypted tunnel between two networks.
Although VPN technology has its benefits, they are overshadowed by the security risks and inconvenience inherent in the technology. Per-device client installation and network configuration, limited device options, and the many factors (public networks, overlapping IPs, outbound-only traffic, etc.) that can interfere with VPN connectivity make it increasingly difficult to support, and ultimately inconvenient for the organization to use. VPNs expose the organization to joint risk across all connected devices and to lateral traversal within the network, and leave the network wide open to threat actors with no resource segmenting or granular audit trails. Measured against cyber insurance requirements, government mandates, and best practices, these security gaps leave VPNs non-compliant. VPNs lack modern security features including multi-factor authentication, single sign-on, password stuffing, and granular access control.
Where VPN technology is a moat & castle approach where a user verifies at the external gates and has access to all resources within, Zero-Trust is more like a high security building with strict identity checks and continuous verification at every entry point and resource, requiring verification at the front door, elevator, accessing the floor, getting into the room, and getting to the resource. Agilicus AnyX enables your organization to implement a Zero-Trust architecture to increase overall security posture while being convenient to use and operate, and stay compliant with cyber insurance and security mandates.
Introduction
When an organization is looking to offer remote access to its employees, third-party vendors, and contractors, create secure connections between locations, or add a perimeter layer of security to its systems, the team will naturally survey what is available on the market to implement within the organization's constraints. Implementing a VPN is often among the most commonly considered options and is seen as the “safe bet”: it is a well-known technology that has been used for decades, and it is within the team's experience level to set up and roll out. Recommendations to implement a VPN are also easy to present to the board for budget consideration, and they check the high-level boxes for the leadership team.
A VPN architecture enables two or more devices that are not on the same network to communicate with each other by creating a secure connection through a tunneling protocol such as PPTP, IPsec, SSL, WireGuard, L2TP, GRE, NVGRE, etc. Tunneling essentially works as a long Ethernet connection, enabling the client device to act and behave as if it were on the network. VPNs are able to:
- Encrypt internet traffic – A VPN encrypts and encapsulates the packets that travel from one end of the tunnel to the other, making them unreadable if they are intercepted along the way. Once the packets reach the end of the tunnel, they are de-encapsulated and decrypted to continue to their end destination.
- Mask IP addresses – A VPN is an effective way to mask IP addresses, preventing inbound/outbound packets from being hijacked; hijacking can lead to IP spoofing, where packets are sent to threat actors instead of the intended recipient.
- Bypass Geo-restrictions – A VPN enables you to bypass geographic restrictions where access to resources, websites, and assets may not be available, allowing you to act and behave as if you are in a different location by connecting to a VPN in that area.
- Create Privacy – A VPN enables you to privately browse the public internet while keeping your device information private. Internet Service Providers are unable to dive into your Internet traffic to inspect data packets, and websites are unable to see which IP address you are accessing them from.
- Tunnel to remote networks – A VPN enables you to tunnel into a remote network, giving access to resources as if you were physically “plugged in” to the network with an Ethernet cable.
VPN network architecture has been useful in connecting client devices to a remote network. However, despite their historical utility and continued marketing hype, VPNs are increasingly becoming unfit for organizations as they are inconvenient to manage, do not comply with external regulations/requirements, and lack the security features needed to secure against modern threat actors.
Complexity
When considering and evaluating remote access tools, ensuring that they are convenient for users, both from an administrative and end user perspective, is an important factor. The resources needed to configure each client, managing multiple connections, lack of device options, and connectivity requirements make the VPN an inconvenient solution for remote access in today’s technology landscape.
Configuration
Setting up a VPN involves configuring network settings on both the client and server. VPN servers require multiple steps to ensure they are properly configured and have their own set of network requirements.
IP address – To connect to a network through a VPN, the network needs to be on a public, reachable, static IP address that devices/clients can connect to. Having a static IP address ensures that the VPN connection uses the same address each time – matching with the client software, enabling traffic from the VPN client to the server, and vice-versa. Configuring a site-to-site tunnel connection requires each end of the network to be on a public and static IP. Requiring a static IP on a public network creates a larger target as the location is consistent. Setting up port forwarding and other network configurations is also more complex with a static IP.
Firewall rules – Any firewall within the network or in front of the VPN server needs to be configured to allow traffic on the selected protocols and ports, typically UDP 500, 1194, and 4500 and TCP 443. Configuring your firewall to allow public traffic through these ports creates a weak point in the firewall, allowing a known and penetrable entry into the network. Firewall configurations need to be applied on both ends of the tunnel (device/client and VPN network), along with the network the user is on when making the connection. This configuration process is required for every VPN connection that an organization implements.
Client configuration – The device that will be accessing the VPN needs to run client software for it to be able to establish a connection with the server. Port configuration, proxy settings, and any on-device firewall settings may need to be configured for the device to establish a connection with the VPN server. These client/device configurations are required for each device connecting to a VPN. Once up and running, that device is essentially bonded to its respective VPN unless configuration changes are made for the IP, domain name, and any other network settings needed. Logging in from public networks makes this more difficult, as the traffic may not be allowed to travel over that network due to its configuration and settings.
Hotel/Venue/Airport blocks VPN access
Hotels, airports, and other venues often block VPN connections, disrupting your ability to connect remotely while traveling, in venues, or while using public Wi-Fi networks. The most common reason for not being able to connect is that the public network is blocking the ports needed, and the gateway does not pass the necessary traffic to connect. Public Wi-Fi networks are often provided “as-is” with no support, often resulting in the end user creating a Wi-Fi hotspot with their cellular device to connect – chewing through data and working on a slower connection.
I need Admin privileges to install/start VPN client
The installation, startup, and configuration of many VPN clients often require administrative privileges on the device you are using. When installing and configuring a VPN, there are system-level changes that need to be done for network configurations, which require administrative level access. Once the VPN is installed and configured, starting a VPN client often requires administrative level access as well as an additional layer of security to ensure that the device connecting to the VPN is authorized.
On a device running a VPN client, additional permissions are often granted so that the user can create a network interface, change the routing table, and start the VPN themselves without creating a support ticket each time. Granting these elevated permissions opens the door for malware on the device to act as the user, intercept network traffic, or share configuration information, since it inherits the user's permissions.
I cannot use a VPN via satellite/cell internet connection
VPNs rely on establishing a secure tunnel that encrypts data packets bi-directionally, which requires both inbound and outbound traffic. Using satellite/cellular internet connections for VPNs is not possible because they are:
- Outbound-only connections – Most satellite/cellular ISPs do not allow inbound network traffic or port forwarding, so the VPN is unable to connect
- Limited in public IP addresses – Multiple users share the same public IP address, creating complications for VPN access and configuration and resulting in the VPN being unable to connect because the RFC1918 subnet matches the remote subnet
- High-latency connections – The high latency of satellite internet presents a significant issue when connecting to a VPN. The increased round-trip time of packets can lead to timeouts, dropped connections, and overall poor VPN performance
One Connection at a Time
VPNs work as a one-to-one connection for access, where the tunnel is created between one client and a network, or between two networks connecting to each other. External third-party vendors, contractors, and service providers run into issues where the device client can only hold one connection at a time. This leaves two options for connecting to all of the customers’ VPN networks:
- Introduce a new client/device for every customer the partner manages
- Constantly connect and disconnect from one server to another
Having a separate VPN client for each physical site or use case is not a feasible solution, often resulting in users hopping from one VPN to another every time they need to connect to a different system – adding unnecessary steps, resulting in a drop in efficiency and productivity. A common occurrence is when a user needs to check on sensors/monitors located across multiple locations at the same time. With one user needing to connect to multiple VPN servers at the same time, the barriers become very apparent. Simultaneously connecting to multiple VPNs would require multiple clients to establish connections – An inefficient and time consuming method for conducting regular day-to-day tasks.
Use case example: An organization that offers managed support/service contracts needs to connect to multiple networks throughout a regular day in order to effectively support their clients. When supporting a client with multiple locations, each site/office has a unique VPN configuration. In order to connect from one site to another, the support agent must disconnect from the existing network, reconfigure the VPN client, and reconnect to the other network, and not be able to access both sites from one device at the same time. The same process also exists for supporting multiple clients where the support team is forced to disconnect from one, and connect to another for support. This connect/disconnect/reconnect workflow becomes very disruptive, reducing efficiency, and increasing the amount of time needed to resolve support tickets.
Only one VPN client installed at a time
When working with multiple organizations, a common barrier is that they will be using two different VPN providers, and only one VPN client can be installed per device. Installing multiple VPN clients is not possible, as each requires its own configuration while using the same VPN driver, causing connectivity issues as the clients fight over routing rules, virtual network interfaces, drivers, and port usage.
No Tablets or Phones
VPNs require client software to be installed on the end-user machine, leading to workflow issues as users can only access the systems/resources they need from specified devices, which may only be available in specific physical locations (desktop at home office, in-office workstations, technician team laptop, etc.). Given that a VPN requires a client, and personal devices are not managed by the organization, a support staff member may get a ticket that requires immediate attention but be unable to resolve it if they are not physically next to the device that has been configured to connect to the VPN server – leading to an increased mean time-to-repair and reduced overall efficiency of the team.
Typically, a VPN can only be installed on managed devices provided by an organization, restricting a user’s ability to use their personal devices to reach systems they need remotely when they are away from their desk, lowering efficiency of operations, and increasing the mean time to reach systems. Eliminating barriers to remote access by allowing users to reach critical systems in a way that is convenient for them is critical for improving business efficiency.
When connecting to a VPN, the device client creates a tunnel from your device directly to the network you are connected to, as if you were physically there. When this happens, devices on your local network are no longer discoverable and therefore unusable from your device. Scanning and printing documents using a local network device is no longer possible while the VPN is up and running, requiring document downloads for offline access, disconnecting from the VPN to scan/print, and reconnecting to re-establish the connection to the remote network.
Overlapping IPs
A significant inconvenience in VPN technology arises when connecting to multiple networks, particularly when those networks utilize overlapping IP address ranges. The overlapping IP addresses can lead to connection failure, network instability, and misrouting of data packets. In order to prevent connection issues, reconfiguration of network settings such as IP address, subnet mask, and gateway are required each time you switch between overlapping IP networks. This constant need for network configuration highlights the inconvenience of VPNs and the resulting increase in overhead, especially in scenarios involving multiple connections.
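The RFC1918 collision described in the satellite/cellular section and the overlapping-range problem above can both be checked before a tunnel is brought up. The following is an added example, not code from the white paper or from Agilicus; the hotel subnet, the two customer sites, and the host addresses are constructed sample data, and the function names are my own.

```python
"""Check for overlapping address ranges before bringing up a VPN tunnel.

Added example, not code from the white paper or from Agilicus. The subnets
below are constructed sample data: a laptop on a hotel network, and the
remote networks of two customer sites.
"""
import ipaddress

# RFC 1918 private ranges; both ends of most VPN tunnels draw from these,
# which is exactly why collisions between unrelated networks are common.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr):
    """True if the whole network lies inside one of the RFC 1918 blocks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and any(net.subnet_of(block) for block in RFC1918)


def find_overlaps(local_subnets, remote_subnets):
    """Return (local, remote) pairs whose address ranges overlap.

    A packet destined for an address inside such an overlap is ambiguous:
    the host cannot tell whether it belongs on the local LAN or through
    the tunnel, which shows up as unreachable hosts or misrouted traffic.
    """
    overlaps = []
    for local in local_subnets:
        lnet = ipaddress.ip_network(local, strict=False)
        for remote in remote_subnets:
            rnet = ipaddress.ip_network(remote, strict=False)
            if lnet.version == rnet.version and lnet.overlaps(rnet):
                overlaps.append((str(lnet), str(rnet)))
    return overlaps


def shadowed_hosts(local_subnets, remote_hosts):
    """Remote hosts whose address falls inside a directly connected local subnet."""
    local_nets = [ipaddress.ip_network(n, strict=False) for n in local_subnets]
    return [h for h in remote_hosts if any(ipaddress.ip_address(h) in n for n in local_nets)]


def preflight(local_subnets, remote_subnets, remote_hosts):
    """Summarise the collisions an operator should resolve before connecting."""
    return {
        "overlaps": find_overlaps(local_subnets, remote_subnets),
        "shadowed_hosts": shadowed_hosts(local_subnets, remote_hosts),
        "all_private": all(is_rfc1918(n) for n in list(local_subnets) + list(remote_subnets)),
    }


if __name__ == "__main__":
    # Constructed scenario: hotel Wi-Fi hands out 192.168.1.0/24, customer
    # site A also uses 192.168.1.0/24, customer site B uses 10.20.0.0/16.
    hotel = ["192.168.1.0/24"]
    sites = ["192.168.1.0/24", "10.20.0.0/16"]
    hmi_hosts = ["192.168.1.50", "10.20.5.7"]
    print(preflight(hotel, sites, hmi_hosts))
    # Two tunnels up at once (the multi-site case): site B and a third site
    # that carved its addresses out of the same 10.20/16 block.
    print(find_overlaps(["10.20.0.0/16"], ["10.20.5.0/24"]))
```

The `shadowed_hosts` result is the practical symptom: the HMI at 192.168.1.50 on site A is unreachable from the hotel because the laptop's own LAN claims that address. Running this kind of check against the list of networks a support team must reach makes the reconfiguration burden the paragraph describes visible up front.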
High Overhead and support
VPNs are often used to connect third parties to your network, such as external support teams, vendors, contractors, etc., so that they can accomplish the tasks needed. As these users are looking to connect to your network, they all need to have the correct VPN client installed and configured on their devices. This requires the IT team to either configure each end-user device connecting through the VPN, or work with the IT team of the third-party organization to ensure the devices are correctly configured. Supporting and debugging third-party connections in a timely manner becomes a recurring task for the IT team. The overhead to set up, configure, troubleshoot, and support these connections becomes very high.
An additional carrying cost that must be taken into account with third-party VPN remote access is license costs and who incurs them: is the responsibility to provide the licensed seat on the organization, or on the third-party provider that is connecting to it?
The resources needed to configure each client, managing multiple connections, lack of device options, and connectivity requirements make using a VPN an increasingly inconvenient and inefficient remote access solution for support teams as well as end users.
Compliance
In addition to the end-user complexity and inconvenience, VPNs can also create compliance issues. VPNs are often seen as a way to provide secure remote access for those who need it. In reality, a VPN broadens the attack surface and introduces compliance risks for cyber insurance, industry standards (ISO 27001), regulatory associations (CISA, NIST, GDPR), and organizational policies/procedures. Being non-compliant with insurance, legal, and industry requirements can result in serious repercussions such as fines, penalties, and even the loss of accreditations and the revocation of insurance policies. When considering the poor audit trails, lack of multi-factor authentication and resource segmenting, and the inability to inspect data, it is clear that VPN technology does not comply with cyber insurance requirements or government agency standards for secure remote access.
Poor Auditing
Insurance and regulatory requirements require granular data logs for compliance. A 90-day fine-grained audit trail along with 3-year retention is required by the FOIA (Freedom of Information Act), as well as by many insurance providers. With a VPN, audit logs are available at a high level, such as when a user connected and how much data travelled through the tunnel, but they offer no granular information beyond the initial entry point, failing to record what a user did once in the network. Organizations often need to rely on software or system logs of devices on the network if they need to audit, and these are very limited in the information they can provide. With IP addresses being ephemeral, device logs become unreliable, as an IP can be cycled through users, e.g. Joe has the IP Monday, Jane has it Tuesday. Who was on what device from what IP at any specific time cannot be determined from a device log alone. Additionally, shared devices that are always connected to the VPN will have no record of who the user was that accessed the device or resource.
Being able to prove who did what, when, and for how long in a system plays a critical role in obtaining and maintaining cyber insurance and in complying with regulatory requirements. In the event of a breach, the VPN activity logs are unable to accurately show who the threat actor was or what exactly was done in the systems, although independent software logs may provide some data. Without fine-grained audit trails clearly identifying who did what, when, and for how long, the poor auditing capabilities of a VPN leave organizations in a state of non-compliance.
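The attribution gap above (Joe has the IP Monday, Jane has it Tuesday; a shared always-on device has no user at all) is what an incident responder has to close by joining the VPN server's session records against device logs. The following is an added example, not code from the white paper or from Agilicus: the session records, the log lines, and their formats are constructed, and do not reflect any particular VPN product's log layout.

```python
"""Attribute device-log events to VPN users by correlating session records.

Added example, not code from the white paper or from Agilicus. All log
lines and session records are constructed sample data; the formats are
assumptions, not any particular VPN product's log layout.
"""
import re
from datetime import datetime, timezone

# Constructed VPN session records: who was handed which tunnel address, and when.
# The same address 10.8.0.5 is leased to Joe on Monday and Jane on Tuesday.
VPN_SESSIONS = [
    {"user": "joe", "ip": "10.8.0.5", "start": "2024-03-04T08:00:00Z", "end": "2024-03-04T17:30:00Z"},
    {"user": "jane", "ip": "10.8.0.5", "start": "2024-03-05T07:45:00Z", "end": "2024-03-05T16:10:00Z"},
    # A shared vendor account on an always-connected jump box: open-ended session.
    {"user": "vendor-shared", "ip": "10.8.0.9", "start": "2024-03-01T00:00:00Z", "end": None},
]

# Constructed device/application log lines: timestamp, host, event, source address.
DEVICE_LOG = [
    "2024-03-04T13:12:09Z plc-hmi-01 login from 10.8.0.5",
    "2024-03-05T09:30:44Z plc-hmi-01 setpoint changed from 10.8.0.5",
    "2024-03-05T22:01:00Z fileserver downloaded payroll.xlsx from 10.8.0.9",
    "2024-03-06T03:00:00Z fileserver login from 10.8.0.5",
]

SHARED_ACCOUNTS = {"vendor-shared"}
LOG_RE = re.compile(r"^(\S+) (\S+) (.+) from (\d{1,3}(?:\.\d{1,3}){3})$")


def parse_ts(s):
    """Parse the constructed ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def who_had_ip(ip, at, sessions=VPN_SESSIONS):
    """Return the VPN user holding `ip` at time `at`, or None if no session covers it."""
    for s in sessions:
        if s["ip"] != ip:
            continue
        start = parse_ts(s["start"])
        end = parse_ts(s["end"]) if s["end"] else None
        if start <= at and (end is None or at < end):
            return s["user"]
    return None


def attribute(lines=DEVICE_LOG, sessions=VPN_SESSIONS, shared=SHARED_ACCOUNTS):
    """Map each log line to a person, or flag why it cannot be attributed."""
    results = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            results.append({"line": line, "status": "unparsed"})
            continue
        ts, host, event, ip = m.groups()
        user = who_had_ip(ip, parse_ts(ts), sessions)
        if user is None:
            status = "no-session"      # address active with no VPN session: investigate
        elif user in shared:
            status = "shared-account"  # a session exists but names no individual
        else:
            status = "attributed"
        results.append({"host": host, "event": event, "ip": ip, "user": user, "status": status})
    return results


if __name__ == "__main__":
    for row in attribute():
        print(row)
```

The two statuses that are not `attributed` are the compliance failures the paragraph describes: `shared-account` means the session log names an account rather than a person, and `no-session` means a device saw traffic from a tunnel address that the VPN server has no record of leasing at that time, which is either a log-retention gap or something worth escalating.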
Lack of Authentication
Accessing a VPN often requires only basic credentials (username/password), and although users are constantly reminded to use a strong password, with organizations often having “strong password policies”, authenticating with basic credentials alone is not enough to stay compliant with cyber insurance and regulations. The use of an authentication protocol is not a legally mandated requirement in itself; its use is driven by cyber insurance, regulations, and industry requirements.
When multiple users need to connect to the VPN, that password can become shared among users, further reducing visibility into who is logging in. Stolen devices, shared passwords, and brute-force attacks are all ways an attacker can gain authenticated access to a network through a VPN when no multi-factor authentication is required. CISA’s Risk and Vulnerability Assessment shows that misuse of valid credentials is the top method threat actors use to gain unauthorized access to networks. For example, Akira, a ransomware variant, uses compromised credentials against single-factor external access mechanisms such as VPNs for initial access to a network. In May 2021, Colonial Pipeline was the victim of a ransomware attack, resulting in loss of productivity, availability, and financial theft, paying a ransom of 75 bitcoins, approximately $5 million USD at the time of the event.
Shared credentials open the door to risk when employees leave their organization and are no longer authorized to use the VPN; depending on employee churn rate, the organization may not enforce a password change with the exit of an employee. Shared credentials allow former employees to connect to the VPN and carry out malicious activity after they have left the organization. Single sign-on allows an organization to easily deactivate a user in its directory, eliminating the ability to use a shared password to access unauthorized resources.
Multi-Factor Authentication of users accessing your networks is essential to comply with cyber insurance requirements as it enforces a “never trust, always verify” approach by enforcing the user to provide any two of something you know (password), something you have (Smartphone, YubiKey), or something you are (biometrics such as facial recognition or fingerprint) to authenticate your identity.
Given that VPN connections require basic credentials to connect, they are often the targeted entry-point into a network for ransomware, malware, data theft, etc. VPN technology is non-compliant with insurance requirements/regulations as they do not offer multi-factor authentication to clearly identify who is accessing systems.
No resource Segmenting
Accessing a VPN gives you entry to the entire network without being able to segment the resources that users have access to. The concept of User A has access to resources 1, 2, 3 while User B has access to resources 2, 3, and 5 does not exist with VPNs. A VPN is designed to provide access from one end of the tunnel to the other. Once you are in the network, you have wide-open access to everything on it, exposing critical resources, information, and software to users that should not have access to them. Without segmenting, you are trusting your users, whether direct employees or third-party vendors, contractors, and support teams, to only access the resources that they should, and nothing else.
In 2023, The “CyberAv3ngers” group engaged in targeting Unitronics PLC controllers which were often found in the water and wastewater industries. With no resource segmentation in place, the attackers were able to access the PLC/HMI, which still used the default password of ‘1111’. The attacks caused organizations to halt operations due to loss of availability of the HMI/PLC. Resource segmentation could have directly prevented these attackers from accessing resources.
Not having guardrails on what users can access is a large downside of using a VPN to remotely access resources on a network, resulting in non-compliance for cyber insurance and best practices.
Cannot inspect documents/information that goes in and out
When a VPN connection is established, there is a secure tunnel created between the two devices that are connected. At each end of the tunnel, the data packets are encrypted and encapsulated before travelling through the tunnel. At the other end, the packets are decrypted to continue to their destination on the network. As a consequence, network administrators and organizations are unable to inspect the information that travels in and out of their network through a VPN. Not having access to this information reduces the ability to track suspicious activity, or even which IPs are connected to the network as it becomes obfuscated.
Data Manipulation is where a threat actor uploads, downloads, or manipulates files on the network with the intent to cause damage to an organization.
This includes:
- Downloading confidential files
- Uploading malware, ransomware, etc.
- Deleting/Manipulating files on the server
An example of this is APT38, a North Korean state-sponsored threat group that specializes in financial cyber attacks. In 2016, APT38 targeted the Bank of Bangladesh, where they created, deleted, and modified bank databases for financial theft in an attempted theft of $1 billion – the largest bank heist in history. Although the majority of transactions were halted, APT38 stole $81 million from the Bank of Bangladesh.
Data Loss Prevention (DLP) is a component of a cyber insurance policy designed to protect data from being lost, stolen, or misused. Being able to inspect the documents/information that flows in and out of the network is a key requirement for the DLP component of cyber insurance.
With a VPN, there is no visibility into what documents are being downloaded onto the connected device for offline viewing. Pairing this with the lack of resource segmenting increases the likelihood of sensitive and confidential information (payroll, proprietary information, contracts, etc) being downloaded onto unauthorized devices. Having sensitive and confidential information stored and accessed in a manner that allows the user to download it onto their device is a failure point of VPN technology, and results in non-compliance for cyber insurance and best practices.
While VPNs offer secure data transit through encrypted tunnels, their architectural limitations expose organizations to increased security risks. When connecting through a VPN, organizations are met with poor audit trails, a lack of multi-factor authentication and resource segmenting, and the inability to inspect data. These shortcomings broaden the attack surface and fail to meet the requirements of cyber insurance and security standards. Relying on VPN technology for remote access in today’s threat landscape is insufficient, requiring a shift towards a more comprehensive approach to secure remote access.
Security Features
The term “security” often gets used when talking about VPNs, and it is easy to understand why: they create an encrypted tunnel and encapsulate the data packets travelling through it. However, VPNs lack modern security features such as multi-factor authentication, single sign-on, password stuffing, and granular access control.
Joint Risk
With a VPN creating a tunnel from one device to another, it creates a secure path for packets to travel, but as a byproduct they adopt each other’s security risks when connected. A device from one network can ping any device on the connected network, as if they were physically connected and vice versa: the VPN brings the risk of your customer into your network too. If one device is compromised, threat actors can walk across to other devices through the established tunnel, which has already been configured and authorized to connect from the client and network side.
When working with vendors, third party users, or linking site-to-site, both parties take on the security risk of the other, dropping the security level down to the weakest link. The connecting organization may not be compliant with cyber insurance or implementing cybersecurity best practices. You adopt their risk, and they adopt yours.
Lateral Traversal
Threat actors are constantly looking for the weakest point of a network as a breach point. This is especially important now that threat actors can access networks in many ways, typically through unprotected devices such as printers, HVAC systems, smart displays, and any other device with a permanent internet connection and static IP address. With a VPN being an all-or-nothing approach to remote access, an attacker looking to access a corporate network can utilize the Wi-Fi network that the client device is connected to in order to reach the corporate network through the VPN. Without segmenting, all resources on a network are vulnerable to attack through lateral traversal, creating a broader attack surface. Once in the network, attackers can navigate freely, installing malicious software and reaching their original target.
In February 2022, APT28, a Russia based threat group, launched the “Nearest Neighbor Campaign”, which leveraged the zero-day exploitation CVE-2022-38028 and used wifi networks in close proximity to the intended target to gain access to the victim environment. By daisy-chaining multiple compromised networks, they were able to use compromised credentials to connect to a victim network.
Being able to reduce your blast radius and limiting the amount of resources that can be accessed during a breach is an important requirement for cyber insurance compliance, and VPNs are unable to do that.
Multi-Factor Authentication
Multi-Factor Authentication significantly increases an organization’s security posture by requiring users to provide multiple verification methods to authenticate an account. This means that even if an attacker gains access to your password through data leaks, phishing attempts, or brute-forcing, they would not be able to bypass the additional authentication layers to access the network. With VPN clients, the login credentials are configured to simplify access – one click and you’re in. Any attacker that gets access to a client device can now access your entire network without facing any authentication requirements. Implementing multi-factor authentication alone can reduce hacking attempts by 99% – a security feature that VPNs lack.
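To make the “something you have” factor concrete, the following is an added example, not code from the white paper or from Agilicus. It verifies a time-based one-time password (TOTP, RFC 6238, SHA-1) as the second factor behind a password check, with a one-step clock-drift window and constant-time comparison. The user record, the salt, and the password are constructed; the TOTP seed is the published RFC 6238 test secret, so the codes it produces can be checked against the RFC's own vectors.

```python
"""Require a second factor alongside the password: a TOTP verifier (RFC 6238).

Added example, not code from the white paper or from Agilicus. The user
record and shared secret are constructed; the TOTP test vectors are the
published RFC 6238 SHA-1 vectors for the secret "12345678901234567890".
"""
import hashlib
import hmac
import struct

STEP = 30        # seconds per TOTP window
DIGITS = 6
WINDOW = 1       # accept one step of clock drift either way


def hotp(secret, counter, digits=DIGITS):
    """HMAC-based one-time password (RFC 4226) for a 64-bit counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=STEP, digits=DIGITS):
    """Time-based variant: the counter is the number of elapsed steps."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, unix_time, window=WINDOW):
    """Constant-time compare against the current step and its neighbours."""
    counter = int(unix_time) // STEP
    submitted = code.encode()
    return any(hmac.compare_digest(hotp(secret, counter + d).encode(), submitted)
               for d in range(-window, window + 1))


# Constructed user store: salted PBKDF2 password hash plus the TOTP seed.
_SALT = b"constructed-salt"
_ITER = 100_000
USERS = {
    "joe": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery", _SALT, _ITER),
        "totp_secret": b"12345678901234567890",
    }
}


def authenticate(username, password, code, unix_time, users=USERS):
    """Both factors must pass; a correct password alone is rejected."""
    rec = users.get(username)
    if rec is None:
        return False, "unknown user"
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITER)
    if not hmac.compare_digest(candidate, rec["pw_hash"]):
        return False, "bad password"
    if not verify_totp(rec["totp_secret"], code, unix_time):
        return False, "bad or missing one-time code"
    return True, "ok"


if __name__ == "__main__":
    now = 59  # RFC 6238 vector time; the 6-digit code at this instant is 287082
    print(authenticate("joe", "correct horse battery", "", now))
    print(authenticate("joe", "correct horse battery", totp(b"12345678901234567890", now), now))
```

The point the paragraph makes is visible in `authenticate`: a stolen or brute-forced password gets the attacker as far as `bad or missing one-time code` and no further. A real deployment would also rate-limit attempts and reject a code that has already been used within its window.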
Single Sign-On
Single Sign-On enables organizations to provision users, vendors, contractors, third-party support, etc. with their existing credentials, regardless of which identity provider they are with (Microsoft, Google, Azure, etc.), eliminating the need to create new users in Active Directory and the cost of additional licenses. When creating user credentials in Active Directory for third-party access, organizations often create a single account for a vendor to use. The credentials for this account are then shared with the vendor's team to give them remote access to the resources they need. However, there is no control over how the password is stored (printed out, shared sheets, post-it notes, etc.), no insight into when certain employees should no longer have access, which results in the password staying the same, and no visibility into who is actually logging in to the system. Single Sign-On is a security feature that eliminates the use of shared passwords while reducing Active Directory licensing costs, a key security feature missing from VPNs.
No password stuffing
Password “stuffing” is a process where an authorized and authenticated user is able to log into a resource (VNC/SSH) they have access to without entering a password, and without the need to reset or remove passwords for employees who no longer need access. VPNs are unable to provide this feature because it requires access at the application layer, Layer 7 of the OSI model, where applications and end users interact; VPNs instead operate at Layer 3, the network layer, which manages the connection and routing between two devices on different networks and forwards data to the correct IP address. Not being able to offer password stuffing for resources is a security feature that is missing from, and not achievable through, a VPN.
Granular Access Controls
VPNs utilize a “moat & castle” approach to authorization; once a user has provided their credentials and the VPN is turned on, they are authorized to access the network in its entirety, with no segmentation, access levels, or concept of who can access what. Granular access embodies the principle of least privilege – precisely defining and limiting what each user can access – down to specific resources and actions. For example, User A can access systems 1, 2, and 3, but only with read/write access, whereas User B can access systems 2 and 3 with full access but has only read access on system 4. If a threat actor manages to compromise an account with limited access, the potential damage they can inflict is contained to the access level of that user, whereas in a broad-access scenario an attacker can gain access to vast amounts of sensitive data and critical systems. Granular access control, and implementing the principle of least privilege, is a security feature that VPNs are unable to provide.
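The User A / User B matrix above, expressed as a deny-by-default policy and compared against the flat, authenticate-once model the paragraph attributes to a VPN. This is an added example, not code from the white paper or from Agilicus; the users, the five systems, and the grants are constructed to mirror the paragraph, and `blast_radius` is my own name for "what a compromised account can reach".

```python
"""Deny-by-default, per-resource authorization versus all-or-nothing network access.

Added example, not code from the white paper or from Agilicus. The users,
systems and permissions mirror the paper's User A / User B illustration and
are constructed sample data.
"""
FULL = frozenset({"read", "write", "admin"})
READ_WRITE = frozenset({"read", "write"})
READ_ONLY = frozenset({"read"})

ALL_SYSTEMS = frozenset({"sys1", "sys2", "sys3", "sys4", "sys5"})

# Constructed policy: each user maps to the resources they may touch and the
# actions allowed on each. Anything not listed is denied.
POLICY = {
    "userA": {"sys1": READ_WRITE, "sys2": READ_WRITE, "sys3": READ_WRITE},
    "userB": {"sys2": FULL, "sys3": FULL, "sys4": READ_ONLY},
}
AUTHENTICATED = frozenset(POLICY)  # accounts that hold valid credentials


def is_allowed(user, resource, action, policy=POLICY):
    """Granular check: an explicit grant is required for this user, resource and action."""
    return action in policy.get(user, {}).get(resource, frozenset())


def vpn_is_allowed(user, resource, action, authenticated=AUTHENTICATED):
    """Flat-network model: once authenticated, every resource and action is reachable."""
    return user in authenticated


def blast_radius(user, policy=POLICY):
    """Resources an attacker holding this account could reach, with the actions available."""
    return {res: set(actions) for res, actions in policy.get(user, {}).items()}


def vpn_blast_radius(user, systems=ALL_SYSTEMS, authenticated=AUTHENTICATED):
    """Same question under the tunnel model: everything on the network, with every action."""
    return {res: set(FULL) for res in systems} if user in authenticated else {}


def audit_grants(policy=POLICY):
    """Every (user, resource, action) triple, sorted, for a least-privilege review."""
    return sorted((u, r, a) for u, grants in policy.items() for r, acts in grants.items() for a in acts)


if __name__ == "__main__":
    print(is_allowed("userB", "sys4", "write"))      # False: read-only on sys4
    print(vpn_is_allowed("userB", "sys4", "write"))  # True: the tunnel grants everything
    print(len(blast_radius("userA")), "resources vs", len(vpn_blast_radius("userA")))
    for grant in audit_grants():
        print(grant)
```

The `audit_grants` listing is the artifact a reviewer actually wants: a complete, enumerable statement of who may do what, which the flat model cannot produce because its only rule is "authenticated means everything".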
While VPNs provide encryption at the tunnel level, their inherent architectural limitations leave organizations vulnerable to modern threats that are mitigated by essential security features including multi-factor authentication, single sign-on, password stuffing, and granular access control, reinforcing the need for a comprehensive security strategy for remote access.
Zero trust vs VPN
Where VPN technology is a moat & castle approach where a user verifies at the external gates and has access to all resources within, Zero-Trust resembles a high-security building where identity and access are continuously checked at every point – from the front door and elevators to individual rooms and resources within. Each access attempt, no matter the location, requires separate verification. Agilicus AnyX enables your organization to implement a Zero-Trust architecture to increase overall security posture while being convenient to use and operate, and stay compliant with cyber insurance and mandates.
Unlike a VPN, Zero Trust:
- Blocks lateral traversal, preventing threat actors from moving around your network by segmenting each resource
- Moves away from an all-or-nothing access approach with granular permissions to only the users that need them
- Supports Multi-factor authentication and single sign-on for any device, even if it doesn’t natively participate
Conclusion
In summary, while VPNs once served as a solution for remote network access, their inconvenience in day-to-day operations/management, failure to meet evolving cyber insurance, regulatory, and compliance demands, and critical gaps in security features against modern cyber threats make them an unsuitable and insufficient foundation for secure remote access in today’s landscape.
Looking Forward: Implement Zero-Trust with Agilicus AnyX
Convenience
Unlike a VPN, there is no software or client to install on user devices. The Agilicus AnyX platform utilizes a web-based launcher with a familiar application tile layout, enabling users to log in from any device with a web browser, including desktops/laptops, tablets, and smartphones. Users are no longer limited to connecting to only one network at a time: with Agilicus, multiple resources across multiple networks can be accessed simultaneously without network configuration or connecting/disconnecting. With no software to install or network configurations to manage/maintain, Agilicus drastically reduces overhead costs for the initial setup and ongoing support of remote access, without disrupting user workflow.
Agilicus AnyX works with outbound-only access and does not require inbound traffic to your network. This eliminates the need for open ports/port-forwarding for communication, and enables users to connect remotely regardless of their network configuration (satellite internet with outbound only, hotel networks, public wi-fi networks).
Compliance
With Agilicus there is no tunnel connection between a remote device and a network, eliminating the inherent joint risk that comes with VPN technology. The connection between the user and resource is made in the Agilicus cloud, eliminating the risk of carrying malware, viruses, or other vulnerabilities from one network to the other. Granular access control and resource segmentation reduce the risk of lateral traversal by limiting who can access which resources and at which level; as a result, users cannot move laterally across the network.
Granular audit trails give complete insight into user activity, providing data logs of who accessed what, for how long, and what actions were taken while they were in the resource. This granular level of data gives you complete insight into not only what actions are being done, but also what information is coming in and out of the resource, letting you analyze data packets travelling in and out of the network. Agilicus’ ability to provide granular audit trails ensures that your organization is compliant with the audit requirements of cyber insurance.
Agilicus AnyX enables your organization to implement and enforce multi-factor authentication on all devices and resources – even when not natively supported. Multi-factor authentication provides additional security measures to authenticate users, combating stolen devices, misplaced passwords, data leaks, phishing attempts, and other targeted attacks geared towards stealing login credentials. By enforcing multi-factor authentication on all devices, you ensure your organization is compliant with cyber insurance standards, government mandates, and best practices.
Security
Agilicus AnyX enables your organization to implement the security features required to take on modern cyber threats. Implementing single sign-on enables your organization to provision users, third-party vendors, external support teams, contractors, etc. using their existing identity provider (Google, Microsoft, Azure, etc.), so that you can easily provision users, grant granular access levels, and manage users in minutes without needing to extend or duplicate licenses. Single sign-on eliminates the use of shared passwords, as there is no longer a single login for a vendor: each user within the organization is provisioned independently. Furthermore, Agilicus AnyX enables password stuffing, where an authorized/authenticated user does not need to enter any additional credentials for resources they have access to, so the resource password is never shared and does not have to be managed whenever there is employee turnover. Multi-factor authentication further strengthens the overall security posture of your organization by requiring users to authenticate with their login credentials as well as one additional factor, such as a physical device or biometric verification.
Get In Touch
Ready To Learn More?
Agilicus AnyX Zero Trust enables any user, on any device, secure connectivity to any resource they need—without a client or VPN. Whether that resource is a web application, a programmable logic controller, or a building management system, Agilicus can secure it with multi-factor authentication while keeping the user experience simple with single sign-on.