Virtual private networks (VPNs) are designed to provide a secure connection between two parties. Traffic is encrypted between a VPN client and a VPN aggregator, or between two VPN endpoints on different networks. By encrypting the traffic, a VPN protects against eavesdropping and provides an experience nearly identical to being directly connected to the remote network.

While this is great in theory, in practice VPNs have a number of issues. Commonly considered issues include their lack of scalability and the significant impacts that a VPN-based corporate network can have on network performance and security.

However, VPNs also create significant security challenges regarding vulnerabilities and patch management. For organizations wishing to have the security benefits of an encrypted network without the security and performance limitations associated with VPNs, an understanding of what SASE is can be extremely beneficial.

VPN Servers Are Prone to Vulnerabilities

Vulnerability and patch management is a challenge for any organization. The amount of software in existence and in use by organizations is rapidly growing and with it grows the number of vulnerabilities. Attempting to identify and apply patches for all of the vulnerabilities within an organization’s digital attack surface can be an overwhelming – and potentially infeasible – task.

Many organizations focus their vulnerability patching efforts on obvious targets like web applications. These applications are customer-facing and highly visible, making them prime targets for cybercriminals attempting to gain access to an organization’s network or sensitive data.

However, organizations have other systems in their networks that are also prone to exploitable vulnerabilities and can be even more damaging if attacked. The VPN aggregators or endpoints that companies use at their end of a VPN connection are systems for which new vulnerabilities are frequently discovered. Since these systems are often less visible to an organization, they may not be patched as quickly – if at all.

Vulnerability Exploitation Can Have Severe Impacts

An organization’s VPN endpoints are one half of an encrypted connection between its employees and the corporate network. This means that they must be exposed to the public Internet to enable employees or other external users to access them. Additionally, many companies use VPNs, but only a few different VPN providers exist. As a result, each particular VPN product has a large number of users.

This makes VPN vulnerabilities a prime target for cybercriminals. An attack against an organization’s VPN infrastructure can be performed for a variety of different purposes:

Data Breach:

The structure of a VPN-based WAN means that all traffic from external users passes through an organization’s VPN aggregator. With the rise in remote work due to COVID-19, this accounts for a high percentage of an organization’s business traffic. A compromised VPN endpoint could allow an attacker to eavesdrop on a company’s communications, potentially breaching sensitive corporate or customer data.

Denial of Service:

During the COVID-19 pandemic, an organization’s VPN endpoints became a critical part of its ability to do business. With a mostly or wholly remote workforce, all of an organization’s employee traffic passes through its VPN aggregator. A Denial of Service (DoS) attack – including ransomware or other malware taking advantage of the exploited vulnerability – could render an organization incapable of doing business and potentially force it to pay a ransom to resume operations.

Initial Access:

A VPN endpoint is designed to act as a gateway to an organization’s internal network. Remote users can use it to create an encrypted connection between their device and the endpoint. This means that a VPN aggregator has access to an organization’s internal network. Exploitation of a vulnerability within the VPN endpoint’s software could enable an attacker to leverage this foothold to gain access to the organization’s internal network.

Any of these potential attack objectives carries a heavy cost to the organization whose VPN infrastructure was attacked. The root cause of these potential attacks is a publicly accessible server that is prone to vulnerabilities and is often overlooked when performing patching. Organizations that require a secure remote access solution need a better, more mature option than VPNs.

SASE Provides a More Secure Alternative

Unlike VPNs, Secure Access Service Edge (SASE) is a secure networking solution designed for the modern corporate network. It uses a network of cloud-based points of presence (PoPs) – connected by high-performance, encrypted network links – to provide secure networking and remote access for a network increasingly composed of remote users, cloud infrastructure, and Internet of Things (IoT) devices. This design – in addition to a suite of fully integrated security solutions within each PoP appliance – eliminates the traditional issues associated with VPN-based networks.

SASE also limits an organization’s exposure to cyber threats caused by unpatched VPN infrastructure. Instead of needing to monitor and secure an array of standalone and vulnerability-prone VPN appliances, organizations can take advantage of a network of managed, cloud-based PoPs. Any vulnerabilities discovered in these PoPs can be quickly and transparently corrected by the service provider, eliminating the security risks of overlooked and unpatched vulnerabilities.