CISA effectively mandates the SASE architecture
Recent months have seen frequent exploitation of vulnerabilities in public-facing services. Examples include Application Delivery Controllers (ADC), VPN gateways, mobile device management (MDM) software, and file sharing apps (see more here).
This looks like an adjustment to circumstances: as organizations improve their network visibility and endpoint protection, malicious actors have shifted strategy to target the network devices that support the underlying infrastructure.
What is worrying is that vulnerabilities in public-facing devices and apps are typically disclosed or discovered only after being actively exploited in the wild for weeks or even months.
In this context, it's interesting to read a recent Binding Operational Directive (BOD) from the US Cybersecurity and Infrastructure Security Agency (CISA) called "Mitigating the Risk from Internet-Exposed Management Interfaces". As a reminder, BODs are mandatory legal directives that all US federal executive branch agencies must follow.
Shutting down employee remote access VPN!?
CISA is effectively asking all organizations under its authority to shut down public access ("remove the interface from the internet") to the following devices and systems: "routers, switches, firewalls, VPN concentrators, proxies, load balancers, and out of band server management interfaces (such as iLO and iDRAC)." Additionally, it requires disconnecting devices whose management interfaces are exposed over HTTP(S), FTP, SNMP, RDP, SSH, among other protocols.
This means none of the recently exploited public-facing services should still have an interface with a listening port reachable from the internet. You'll agree this seems drastic, as removing access to the applications and devices covered by the directive would halt an organization's critical business processes (think how many rely on SSL VPN or even direct RDP access).
How are organizations supposed to shut down crucial services and ensure business continuity?
CISA says organizations should ensure "the interface is protected by capabilities, as part of a Zero Trust Architecture, that enforce access control to the interface through a policy enforcement point separate from the interface itself".
Effectively, what CISA is aiming at is the SASE architecture, specifically its secure private access (SPA) component. In this architecture, the remote access entry point moves from the VPN device to a cloud access point supported and operated by the vendor. The vendor therefore becomes responsible for the security and availability of the publicly exposed service, reducing the time to patch and respond to threats.
As an example, see Fortinet's FortiSASE approach in the diagram below and notice how remote employee communications are established via a vendor-managed Security PoP connection point, removing direct access to an SSL VPN device, as per the CISA recommendation:
Similarly, see Palo Alto Networks' SASE solution (called Prisma Access), which follows the same architectural approach:
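To make the two requirements concrete, here is an added example (not code from the original post, CISA, or any vendor): a small compliance check that takes an inventory of internet-facing listeners, flags management interfaces of the device classes named in the directive that are exposed over the listed protocols, and treats an interface as compliant only when access is mediated by a policy enforcement point separate from the interface itself. The CSV column names, the device-class labels, the hostnames and the protocol set beyond those quoted above are assumptions chosen for the example; the inventory itself is constructed, as an external scan or asset export might produce.

```python
import csv
import io
from dataclasses import dataclass

# Protocols the directive treats as management access when reachable from the
# internet. The post lists HTTP(S), FTP, SNMP, RDP and SSH; the rest are an
# assumption that mirrors common management protocols.
MANAGEMENT_PROTOCOLS = {"http", "https", "ftp", "snmp", "rdp", "ssh",
                        "telnet", "vnc", "smb"}

# Device classes quoted from the directive, as labels assumed for the inventory.
MANAGEMENT_DEVICE_CLASSES = {"router", "switch", "firewall", "vpn-concentrator",
                             "proxy", "load-balancer", "oob-management"}


@dataclass(frozen=True)
class Listener:
    host: str
    device_class: str
    port: int
    protocol: str
    internet_reachable: bool
    # True when a separate policy enforcement point (e.g. a ZTNA broker or
    # vendor-operated security PoP) mediates access instead of the interface.
    behind_separate_pep: bool


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    protocol: str
    reason: str


def parse_inventory(text):
    """Parse a CSV export (column names are an assumption) into Listener rows."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append(Listener(
            host=r["host"].strip(),
            device_class=r["device_class"].strip().lower(),
            port=int(r["port"]),
            protocol=r["protocol"].strip().lower(),
            internet_reachable=r["internet_reachable"].strip().lower() == "yes",
            behind_separate_pep=r["behind_separate_pep"].strip().lower() == "yes",
        ))
    return rows


def assess(listeners):
    """Return one Finding per management interface still directly exposed."""
    findings = []
    for l in listeners:
        if not l.internet_reachable:
            continue                      # internal only: out of scope
        if l.device_class not in MANAGEMENT_DEVICE_CLASSES:
            continue                      # not a device class the directive names
        if l.protocol not in MANAGEMENT_PROTOCOLS:
            continue                      # not a management protocol
        if l.behind_separate_pep:
            continue                      # zero trust exemption: separate PEP enforces access
        findings.append(Finding(
            l.host, l.port, l.protocol,
            "management interface directly exposed; remove it from the internet "
            "or place it behind a policy enforcement point separate from the interface"))
    return findings


# Constructed sample inventory; hostnames and values are invented for the example.
SAMPLE_INVENTORY = """host,device_class,port,protocol,internet_reachable,behind_separate_pep
fw-edge-1.example.com,firewall,443,https,yes,no
ilo-srv-7.example.com,oob-management,22,ssh,yes,no
vpn-gw-2.example.com,vpn-concentrator,443,https,yes,yes
core-sw-1.example.com,switch,161,snmp,no,no
www.example.com,web-server,443,https,yes,no
"""

if __name__ == "__main__":
    for f in assess(parse_inventory(SAMPLE_INVENTORY)):
        print(f"{f.host}:{f.port}/{f.protocol} - {f.reason}")
```

Run against the sample, only the edge firewall's HTTPS admin interface and the iLO SSH listener are reported: the VPN concentrator sits behind a separate enforcement point, the switch is not internet-reachable, and the web server is not a device class the directive names. In practice the inventory column "behind_separate_pep" is the one that needs evidence (a ZTNA policy or PoP configuration), not a self-declared flag.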
Besides moving the enforcement point from the infrastructure VPN device to a cloud service (security PoP), the secure private access (SPA) approach also encapsulates access to any internal app within a zero trust network access (ZTNA) framework, hiding it from the internet.
CISA's directive is the latest indication that organizations should modernize their remote access infrastructure and move away from legacy VPN gateway architectures, where an application or device sits directly exposed to the internet.
But what about the local Adriatic region? It appears the road ahead is long: for example, in the case of FortiGate VPN, a Shodan internet search still reveals massive numbers of VPN gateways directly exposed and vulnerable to a bug patched months earlier. The waiting time between disclosure and patching is no longer sustainable.
Modernization requires work, but it's also an opportunity for partners and MSSPs.