April 17, 2019
VPN
MFA

These VPN Configurations Could Be Your Weak Spot

John Wu Senior Solutions Engineer

Using VPN client certificates and authentication cookies can increase VPN security and improve the user experience by reducing how often a password has to be entered or re-entered. However, relying on these authentication methods alone can be like leaving your keys in the front door.

An attacker who compromises a client computer can reuse its VPN client certificate or authentication cookie, or replay a poorly protected session cookie from another machine, and so bypass password authentication entirely. Web-based (SSL) VPNs have also had vulnerabilities that allow certificate checks to be bypassed. When the key is already in the door, who needs to steal the password?

What can you do to make sure VPN is not a security weak spot?

  1. Secure the remote client computer by installing and enabling on the workstation:
    1. A firewall
    2. Anti-malware
    3. An anti-theft or MDM/EMM solution. Idaptive’s Device Security Management can remotely wipe stolen Windows 10, macOS, iOS and Android devices
    4. Device security policies that fit your organization, such as screen lock when idle, blocked USB ports, and other OS hardening settings
    5. Multi-Factor Authentication for computer login. Idaptive’s Multi-Factor Authentication for Login offers several second-factor choices, such as phone call, SMS, mobile app push notification, security question, email and OATH OTP, and even supports offline two-factor authentication when the Internet is not available.
  2. Keep VPN session time-outs short. A short idle time-out and a bounded absolute session lifetime limit how long a stolen cookie or a certificate-only session remains usable.
  3. Promptly address known vulnerabilities in your VPN solution by keeping it up to date or, in some cases, downgrading to work around a bug.
  4. Integrate a Multi-Factor Authentication solution with your VPN. If the VPN client certificate or session cookie is used to bypass authentication, or the user’s password has been compromised, the attacker is still prompted for a second factor, which becomes the last line of defense. Idaptive’s MFA for VPN integrates with both VPN thick clients and web-based VPN.
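The checks in the list above can be expressed as a single session-evaluation policy on the VPN gateway. The following Python is an added example, not code from this article or from Idaptive: it models VPN session records as constructed sample data, binds each cookie to the device it was issued to, checks client certificates against a revocation list, applies idle and absolute time-outs, and requires a completed MFA step before a cookie- or certificate-authenticated session is allowed. All class names, field names, serial numbers and policy values are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


# Hypothetical policy values (assumptions, not taken from the article).
@dataclass(frozen=True)
class SessionPolicy:
    idle_timeout: timedelta = timedelta(minutes=15)   # expire after inactivity
    max_lifetime: timedelta = timedelta(hours=8)      # absolute cap regardless of activity
    mfa_validity: timedelta = timedelta(hours=8)      # how long a completed MFA step counts


@dataclass(frozen=True)
class VpnSession:
    user: str
    auth_method: str                     # "password", "client_cert" or "cookie"
    issued_at: datetime
    last_activity: datetime
    bound_device_id: str                 # device the session/cookie was issued to
    presenting_device_id: str            # device now presenting it
    cert_serial: Optional[str] = None    # set when a client certificate was used
    mfa_completed_at: Optional[datetime] = None


def evaluate_session(s, now, policy, revoked_serials=frozenset()):
    """Return the gateway decision for one presentation of a session.

    Order matters: outright theft indicators (a cookie replayed from another
    device, a revoked certificate) are rejected before any lifetime or MFA
    consideration, so they never get a chance to satisfy a second factor.
    """
    if s.presenting_device_id != s.bound_device_id:
        return "deny_device_mismatch"
    if s.cert_serial is not None and s.cert_serial in revoked_serials:
        return "deny_cert_revoked"
    if now - s.issued_at > policy.max_lifetime:
        return "expire_absolute"
    if now - s.last_activity > policy.idle_timeout:
        return "expire_idle"
    # A certificate or cookie alone is "something you have" on a possibly stolen
    # device; insist on a fresh second factor before granting access.
    if s.mfa_completed_at is None or now - s.mfa_completed_at > policy.mfa_validity:
        return "require_mfa"
    return "allow"


def audit(sessions, now, policy, revoked_serials=frozenset()):
    """Evaluate every session and map user -> decision."""
    return {s.user: evaluate_session(s, now, policy, revoked_serials) for s in sessions}


def audit_sample():
    """Constructed sample sessions (not real data), one per decision path."""
    now = datetime(2019, 4, 17, 12, 0, tzinfo=timezone.utc)
    m, h = timedelta(minutes=1), timedelta(hours=1)
    revoked = frozenset({"1A2B3C"})   # hypothetical CRL entry
    sessions = [
        # password + MFA an hour ago, still active, same device
        VpnSession("alice", "password", now - h, now - 5 * m, "lap-a", "lap-a",
                   mfa_completed_at=now - h),
        # resumed from a cookie, MFA never completed in this session
        VpnSession("bob", "cookie", now - 2 * h, now - m, "lap-b", "lap-b"),
        # cookie copied to another host
        VpnSession("carol", "cookie", now - 30 * m, now - m, "lap-c", "unknown-host",
                   mfa_completed_at=now - 30 * m),
        # client certificate revoked after the device was reported stolen
        VpnSession("dave", "client_cert", now - 10 * m, now - m, "lap-d", "lap-d",
                   cert_serial="1A2B3C", mfa_completed_at=now - 10 * m),
        # still active but past the absolute lifetime
        VpnSession("erin", "password", now - 9 * h, now - m, "lap-e", "lap-e",
                   mfa_completed_at=now - 9 * h),
        # idle longer than the idle time-out
        VpnSession("frank", "password", now - 3 * h, now - 40 * m, "lap-f", "lap-f",
                   mfa_completed_at=now - 3 * h),
    ]
    return audit(sessions, now, SessionPolicy(), revoked)


if __name__ == "__main__":
    for user, decision in audit_sample().items():
        print(f"{user:6} {decision}")
```

Running the block prints one decision per sample user. The device-binding and revocation checks come first on purpose: a replayed cookie or a certificate from a wiped laptop should be refused outright rather than being allowed to proceed to an MFA prompt, while a legitimate cookie resumption still has to clear a second factor, which is the behaviour item 4 describes.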

The following video demonstrates two-factor authentication being prompted even when a VPN authentication cookie is being used.

https://www.youtube.com/watch?v=l9NQ0bn6ivY

Using VPN client certificates and authentication cookies has security benefits, but it also creates ways for an attacker to bypass authentication. To mitigate them, secure the VPN client devices against compromise and enforce MFA on your VPN so that a stolen certificate, cookie, or password alone is not enough to get in.