Is that VPN connection really safe?

Hello, this is Kawa Ken from the System Solutions Department, whose work-from-home desk is a box of Ehime mandarin oranges🍊.

It is starting to feel like winter little by little.
I also tend to work remotely and stay at home on days when the weather is cold or bad.
Although there is a trend back toward working in the office, I believe many companies have kept or expanded the remote work they introduced during the coronavirus pandemic.
As a result, the use of remote access VPNs from home has increased, but is it actually safe to use them in the first place?

In this article, I would like to write about the mechanism and issues of remote access VPN.

Advantages and disadvantages of remote access VPN

First, let's summarize the basic advantages/disadvantages of remote access VPNs.

The main purpose of a remote access VPN is to connect securely to the office from home or on the go.

A second use is to protect yourself when connecting to public Wi-Fi in cafes and other places that still use weak wireless standards such as WEP or the original WPA (though in that case the ideal option is not to connect in the first place...). Evil twin access points, which impersonate a legitimate hotspot, are another risk on public Wi-Fi.
*For the types of protocols used in wireless connections, see Kaspersky's concise and detailed article: https://www.kaspersky.co.jp/resource-center/definitions/wep-vs-wpa

■Advantages
The main advantage is data encryption. With a VPN, even on a public network such as a cafe's, communication up to the VPN server (the in-house router, etc.) is encrypted, so the risk of eavesdropping on that segment is reduced.

In addition, as mentioned above, you can securely reach local file servers and in-house systems located in the office and obtain the information you need for your work from virtually anywhere.
Depending on the routing settings, it is also possible to reach environments with source IP restrictions from outside using the office IP as the source (a so-called zero route, i.e. a full tunnel that sends the default route 0.0.0.0/0 through the VPN), which is convenient.

■Disadvantages
However, one disadvantage you must keep in mind is that a VPN connection does not make everything secure.

The flip side of the benefit is that a VPN only encrypts the path from your home to your office.
Traffic to the Internet beyond that point is not protected by the VPN unless it is separately encrypted, for example with HTTPS.

There are also concerns about communication speed and connection stability.
Since a VPN connection encrypts communication and detours the route through the office, the connection may be less stable than usual.
Decrypting and re-encrypting every packet increases the load on the router that serves as the VPN server, and in some cases the office's own Internet connectivity may be affected as well.

How remote access VPNs work and types

There are several methods of remote access VPN, each with different advantages and disadvantages.
This section briefly introduces the most commonly used ones.
(Each method name links to the corresponding article by "SE Guidepost". If you want to know more, please take a look.)

[IPsec/L2TP]
IPsec (Security Architecture for the Internet Protocol, or Internet Protocol Security) is a protocol suite that authenticates and encrypts IP packets; for remote access it is usually combined with L2TP (Layer 2 Tunneling Protocol).

Authentication method: Pre-shared key or certificate
Advantages: Provides strong security and is supported as standard by many operating systems.
Disadvantages: Because IPsec protects the packet headers, it does not pass through NAT unchanged; NAT traversal (NAT-T, which encapsulates ESP in UDP/4500) is required, so configuration may be difficult depending on the environment.

In terms of behavior, the packet is first encapsulated with L2TP, which tunnels the data link layer.
Since L2TP has no encryption of its own and is not secure enough by itself, the L2TP packet is protected with IPsec: confidentiality and integrity are provided by the IP protocols AH (authentication only) and ESP (encryption and authentication).

[SSL VPN]
SSL VPN is a method of creating a VPN tunnel over HTTPS.
It can be used from a web browser and encrypts data with the SSL/TLS protocol.

Authentication method: ID/password, one-time password, certificate, etc.
Advantage: Works with a standard web browser, and since it uses the same port as HTTPS, it connects easily even in a NAT environment.
Disadvantages: Relies on web traffic, which may limit the applications that can be used.

It is simple because TCP/443 is generally allowed through firewalls. Also, compared to IPsec/L2TP, it involves less encapsulation overhead and can be expected to give more stable communication speed.
Note that if TCP/443 on the VPN server overlaps with another service (such as a web server), you will need to move one of them to a different port number.

[IKEv2]
IKEv2 (Internet Key Exchange version 2) is the key exchange protocol of IPsec; combined with IPsec it provides a VPN especially suitable for mobile environments.

Authentication method: Certificate authentication, EAP (Extensible Authentication Protocol)
Advantages: Re-establishes connections quickly and keeps them up while on the move (the MOBIKE extension lets the tunnel survive a change of the client's IP address).
Disadvantages: Compared to the other methods, some older devices and routers do not support it.

Are VPNs really safe? ~With the idea of ​​layered defense~


The introduction was long, but here is the main part.

A VPN is one option for increasing the security of remote access, but of course it does not provide complete protection on its own.
To protect important data and systems, defense in depth that incorporates the concept of zero trust is necessary.

■A newly discovered vulnerability (CVE-2024-3661)
Around May 2024, an attack method was reported that poisons the client's routing table even while it is connected to a VPN, so that traffic no longer goes through the tunnel.
Details: https://jvn.jp/ta/JVNTA94876636/
The method uses DHCP option 121 (classless static routes). It requires the attacker to run a malicious DHCP server on the same network as the victim, but it became a hot topic because it undermines a VPN connection that was previously assumed to be safe even on an untrusted network: the routes pushed by DHCP are more specific than the VPN's default route, so they win the route lookup.
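To make the routing-table poisoning concrete, here is an added example (my own code, not from the JVN advisory or from the original post) that decodes a DHCP option 121 payload in the RFC 3442 wire format and performs the same longest-prefix-match lookup a client kernel does. It also covers the full-tunnel "zero route" setup from the advantages section, because that 0.0.0.0/0 route via the tunnel is exactly what the pushed routes override. The interface names tun0/eth0, the 192.168.1.0/24 LAN, the sample destinations, and the rogue payload itself are constructed assumptions for the example.

```python
import ipaddress
import math

# Constructed routing table of a VPN client in full-tunnel ("zero route") mode.
# Interface names tun0/eth0 and the 192.168.1.0/24 LAN are assumptions for the example.
BASE_ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "tun0"),       # default route pushed by the VPN
    (ipaddress.ip_network("192.168.1.0/24"), "eth0"),  # directly connected home/cafe LAN
]

# Constructed DHCP option 121 payload a rogue DHCP server could send (RFC 3442 format):
# 0.0.0.0/1 and 128.0.0.0/1 via 192.168.1.1. Together they cover all of IPv4, but each
# is more specific than the VPN's /0, so they win every route lookup.
ROGUE_OPTION_121 = bytes.fromhex("0100c0a80101" "0180c0a80101")


def parse_option121(payload: bytes):
    """Decode DHCP option 121 (classless static routes) into (network, router) pairs.

    Each entry is: 1 byte prefix length, ceil(prefix/8) destination octets
    (trailing zero octets are omitted on the wire), then 4 router octets.
    """
    routes = []
    pos = 0
    while pos < len(payload):
        plen = payload[pos]
        if plen > 32:
            raise ValueError(f"bad prefix length {plen} at offset {pos}")
        nbytes = math.ceil(plen / 8)
        raw_dest = payload[pos + 1:pos + 1 + nbytes]
        router = payload[pos + 1 + nbytes:pos + 5 + nbytes]
        if len(raw_dest) != nbytes or len(router) != 4:
            raise ValueError(f"truncated route entry at offset {pos}")
        dest = raw_dest.ljust(4, b"\x00")  # restore the omitted zero octets
        network = ipaddress.ip_network((int.from_bytes(dest, "big"), plen), strict=False)
        routes.append((network, ipaddress.ip_address(router)))
        pos += 5 + nbytes
    return routes


def routes_after_dhcp(option121: bytes, lan_iface: str = "eth0"):
    """Routing table after the client installs the DHCP-pushed routes on its LAN interface."""
    return BASE_ROUTES + [(net, lan_iface) for net, _router in parse_option121(option121)]


def egress_interface(dst: str, routes=BASE_ROUTES) -> str:
    """Longest-prefix match, as the kernel does: the most specific matching route wins."""
    dst_ip = ipaddress.ip_address(dst)
    best = max((r for r in routes if dst_ip in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def bypassed_destinations(option121: bytes, samples):
    """Sample destinations whose traffic used to go through the tunnel but leaves it
    once the option 121 routes are applied. Run against the real routing table, this
    is the check to make after every DHCP lease renewal on an untrusted LAN."""
    after = routes_after_dhcp(option121)
    return [d for d in samples
            if egress_interface(d) == "tun0" and egress_interface(d, after) != "tun0"]


if __name__ == "__main__":
    print(parse_option121(ROGUE_OPTION_121))
    for dst in ("203.0.113.10", "10.20.30.40", "192.168.1.5"):
        print(dst, egress_interface(dst), "->",
              egress_interface(dst, routes_after_dhcp(ROGUE_OPTION_121)))
```

The two /1 routes are the classic shape of this attack: they add no reachability the default route did not already provide, their only purpose is to out-rank the tunnel's /0. A client that compares its routing table before and after each lease, as bypassed_destinations does, will notice that Internet destinations suddenly exit via the LAN interface while the VPN still reports "connected".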

■A case in which a VPN device actually became the entry point
Another example still fresh in my memory is the 2022 incident at the Osaka Acute and General Medical Center.
The attack shut down the hospital's systems, everything had to be handled manually, and it took about a year to fully recover.

According to the investigation report: https://www.gh.opho.jp/pdf/report_v01.pdf

  The intrusion route this time was a supply chain attack via Company E's school lunch center.
  [...], which was the intrusion route, had not been updated, and it was confirmed [...]
  Additionally, in accordance with Company C's request, the hospital had made firewall Y permanently available for RDP communication (port number: 3389) from Company E's information system, and subsequently the attack on Company E spread to the hospital.

The above is a quote from "4.2.3. Summary of technical factors" in the report, and I think this case shows that the head office is not the only point of entry.
This is a so-called supply chain attack, and cases where an attacker gets in through a VPN device at a branch office or affiliated company and spreads to headquarters over a closed network occur frequently.
This highlights the point that no matter how hard you strengthen the entrance, once the intranet has been infiltrated it is extremely vulnerable. In the same way, even if communication is encrypted with a remote access VPN, if the connecting client is already infected, the VPN is of no help.

■The zero trust concept
Zero trust is the concept of verifying and authenticating every communication, device, and user that accesses the network, on the principle of trusting nothing by default (an "assume the worst" stance).
In addition to the VPN connection, risk is minimized by combining access control, verification of each communication, and two-factor authentication.

A concrete way to implement this is to use an identity service such as Azure Active Directory (Azure AD, now Microsoft Entra ID).
With Azure AD, you can set authentication policies (Conditional Access) per user, device, and application, and control access from outside the company in fine detail.
Details: https://learn.microsoft.com/ja-jp/azure/security/fundamentals/zero-trust
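The difference between "trust whatever comes through the tunnel" and "verify every request" is easiest to see side by side. The following added example (my own code, not Azure AD's policy engine and not from the original post) is a small policy evaluator that decides each request from its own signals, so an already-infected client on the VPN, the situation described in the hospital case above, is rejected even though its packets arrive through the tunnel. The VPN pool 10.8.0.0/24, the application names, the signal names (device_compliant, mfa_satisfied), and the sample requests are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed address pool handed out to remote access VPN clients (example value).
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")
# Applications the example treats as sensitive; the names are placeholders.
SENSITIVE_APPS = {"file-server", "hr-system"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    src_ip: str
    app: str
    device_compliant: bool   # endpoint security / asset management reports the PC as healthy
    mfa_satisfied: bool      # second factor completed in this session


def perimeter_decision(req: AccessRequest) -> str:
    """Network-perimeter model: whatever arrives through the VPN tunnel is trusted."""
    return "allow" if ipaddress.ip_address(req.src_ip) in VPN_POOL else "deny"


def zero_trust_decision(req: AccessRequest) -> str:
    """Evaluate every request on its own signals; the tunnel it came through grants nothing."""
    if not req.device_compliant:
        return "deny"                       # an infected or unmanaged client stays out, VPN or not
    if req.app in SENSITIVE_APPS and not req.mfa_satisfied:
        return "require-mfa"                # step-up authentication for sensitive data
    if ipaddress.ip_address(req.src_ip) not in VPN_POOL and not req.mfa_satisfied:
        return "require-mfa"                # untrusted network location: verify the user explicitly
    return "allow"


def compare(reqs):
    """Side-by-side decisions of both models for a list of requests."""
    return [(r.user, perimeter_decision(r), zero_trust_decision(r)) for r in reqs]


# Constructed sample requests.
SAMPLE_REQUESTS = [
    AccessRequest("alice", "10.8.0.12", "file-server", device_compliant=True, mfa_satisfied=True),
    AccessRequest("bob", "10.8.0.33", "file-server", device_compliant=False, mfa_satisfied=True),   # infected PC on the VPN
    AccessRequest("carol", "10.8.0.41", "hr-system", device_compliant=True, mfa_satisfied=False),
    AccessRequest("dave", "198.51.100.7", "wiki", device_compliant=True, mfa_satisfied=False),      # direct from the Internet
]

if __name__ == "__main__":
    for row in compare(SAMPLE_REQUESTS):
        print(row)
```

The second request is the important one: the perimeter model lets bob's infected PC reach the file server because it holds a VPN address, while the zero trust evaluation denies it on the device signal alone. Device health is exactly the input that the endpoint security and log collection discussed in the next section provide.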

■Endpoint protection and detection as well
No matter how well you protect authentication and the front end, it is unfortunately impossible to completely prevent malware from getting onto the client side, such as a PC.
Therefore, in preparation for the unlikely event of an intrusion or infection, collecting and monitoring logs with asset management software and installing endpoint security products have become almost essential.
*An overview of endpoint security is introduced in a previous article▼

・Easy endpoint security story

Summary

VPNs are certainly convenient and powerful, but it is dangerous to think that you are safe just because you use one.
A remote access VPN only encrypts communication from your home to your office router; it does not protect Internet communication beyond that point.
To ensure appropriate security, it is important to have a flexible design that incorporates defense in depth, zero trust, and an authentication infrastructure.

By the way, in an interesting move, Microsoft has published an article stating that it will deprecate the PPTP and L2TP methods (in Windows Server RRAS) in the future. *PPTP is too vulnerable to begin with, so it is better not to use it.
There may be a shift toward SSTP, which is not covered in this article, and the IKEv2 mentioned above.
https://techcommunity.microsoft.com/blog/windowsservernewsandbestpractices/pptp-and-l2tp-deprecation-a-new-era-of-secure-connectivity/4263956
https://ascii.jp/elem/000/004/227/4227428/

That's all for now.

About the author

Kawa Ken

A curious Poke○n who belongs to the System Solution Department.