
Author's Note: This was an article I previously wrote for the Dasher Technologies blog on May 7th, 2020. As Dasher has been acquired by Converge Technology Solutions, the Dasher blog may be removed in the future; I am posting this here for archival purposes (with permission).

(Original Blog Post) Author’s Note: When this idea was originally suggested, there was debate between (Dasher CTO) Chris Saso and me about whether the author of the song that I reference in the title is Bruce Springsteen or Edwin Starr. You be the judge – before you google for the answer!

With the explosive growth of working from home, many organizations have had to dramatically scale up their Client VPN infrastructure to accommodate the increased demand of remote workers. Unfortunately, with this move towards a remote workforce, the security posture of many organizations has weakened. In this blog, I’d like to discuss some of the increased risks associated with Client VPN, and how to address them.

The Risks of Client VPN

There are several risks associated with most Client VPN deployments, the biggest of which is the use of split tunneling. Split tunneling, for those who aren’t familiar with it, is the practice of directing a VPN client to only send traffic destined for certain IP addresses through the VPN, allowing the rest of the traffic to be transmitted via the Client’s local internet connection. Split tunneling improves internet access performance, as the Client’s internet traffic doesn’t have to “boomerang” through the organization’s firewall.

The security risk of this deployment method is simple to define: because the Client’s internet traffic is no longer traversing the company’s firewall, the organization’s security policies cannot be applied to it. Therefore, split tunneling could result in abuses of acceptable use policies, such as streaming movies or visiting sites otherwise considered “not safe for work”, or it could lead to much more significant organizational issues, such as infection by malware. In addition, leaving some traffic outside the encryption provided by the VPN increases the risk of eavesdropping when the Client is using an unsecured wireless network, such as at a coffee shop.

The Simple Fix Isn’t So Simple

Most cybersecurity engineers would say the fix to the split tunnel issue is as straightforward as it sounds: force all traffic back to the organization’s firewall, so security policies can be applied as they would be for users in the office. Unfortunately, just like many security-related implementations, the tradeoff for additional security can often be a reduction in performance. While more and more residential internet customers have access to Gigabit internet speeds, most businesses are still running business-grade internet services well under Gigabit speeds, and these business connections still need to keep sufficient bandwidth available for customer-facing services. Additionally, with the increased use of web meetings and remote VoIP softphones, the additional latency introduced by having to VPN back to a company firewall and then out to the internet can cause a poor end-user experience.
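To make the routing difference concrete, here is an added example (not code from the original post) that models a VPN client's route table as a longest-prefix-match lookup and classifies a few sample destinations under a split-tunnel table and a full-tunnel table. The route tables, the interface name tun0 and the destination addresses are constructed for illustration; the point it shows is which traffic never reaches the corporate firewall under each configuration.

```python
"""
Added example (not from the original post): a tiny model of how a VPN client
decides whether a packet goes through the tunnel, used to contrast a
split-tunnel route table with a full-tunnel one. Route tables, interface
names and destination addresses below are constructed for illustration.
"""
import ipaddress

# Routes a VPN client might hold. Each entry is (prefix, interface).
# Constructed sample values; "tun0" stands for the VPN adapter.
SPLIT_TUNNEL_ROUTES = [
    ("0.0.0.0/0", "local"),       # default route stays on the local ISP link
    ("10.0.0.0/8", "tun0"),       # only corporate ranges go through the VPN
    ("172.16.0.0/12", "tun0"),
]

FULL_TUNNEL_ROUTES = [
    ("0.0.0.0/0", "tun0"),        # everything is forced through the VPN
    ("192.168.1.0/24", "local"),  # typical exception: the user's own LAN
]


def select_interface(destination, routes):
    """Longest-prefix match, the same rule an OS routing table applies."""
    dest = ipaddress.ip_address(destination)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise ValueError(f"no route to {destination}")
    return best[1]


def classify_traffic(destinations, routes):
    """Return {destination: interface} for every sample destination."""
    return {d: select_interface(d, routes) for d in destinations}


def bypassing_firewall(destinations, routes):
    """Destinations whose traffic never traverses the organization's firewall."""
    return [d for d, iface in classify_traffic(destinations, routes).items()
            if iface != "tun0"]


if __name__ == "__main__":
    # Constructed destinations: an internal file server, an internal app,
    # a public web site (TEST-NET-3 address), and a printer on the home LAN.
    sample = ["10.20.30.40", "172.20.1.5", "203.0.113.10", "192.168.1.50"]
    for name, routes in (("split tunnel", SPLIT_TUNNEL_ROUTES),
                         ("full tunnel", FULL_TUNNEL_ROUTES)):
        print(name, classify_traffic(sample, routes))
        print("  unfiltered by corporate firewall:", bypassing_firewall(sample, routes))
```

Under the split-tunnel table only the two RFC 1918 corporate ranges are sent to tun0, so the public web site is reached directly and unfiltered; under the full-tunnel table the same site is carried through the VPN, and only the home LAN exception stays local.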

Is VPN Good For (Absolutely) Nothing?

The news is not all bad; it turns out a well-architected Client VPN solution is possible! The rise of cloud computing enables a scalable security solution that a savvy security engineer can adopt for their company. Simply put, the solution consists of one or more virtual firewalls in the cloud, configured with the same industry standard best-practice-based authentication mechanisms and security policies used by the corporate physical firewalls. The virtual firewalls are connected to the corporation through one or more site-to-site tunnels. In this scenario, the concerns about bandwidth utilization and performance in reaching SaaS applications and other cloud services are minimized, because most cloud providers either host or are peered with these cloud-based security solutions.

Depending on the organization, though, this type of “do it yourself” deployment can take a lot of administrative overhead, especially if the remote workforce is geographically distributed in such a way that multiple appliances in multiple cloud regions are required for good performance.

Feeling…SASE?

The newest trend to support secure remote access for Client VPN, while also extending the security boundary to include the Client machine wherever it is located, is known as Secure Access Service Edge, or SASE (pronounced “sassy”) for short. These solutions take the guesswork and administrative overhead out of deploying a distributed Client VPN solution, by orchestrating the back-end processes, and providing consistent security between an organization’s on-premises security appliances and the cloud security provided through the SASE platform. Products such as Palo Alto Networks’ Prisma Access, NetSkope’s Next Gen SWG, and Cisco’s Umbrella Roaming provide a fast, scalable, and “always-on” VPN solution for Client connectivity and are worth careful consideration as an organization evaluates its remote connectivity strategy.

Author's Note: This was an article I previously wrote for the Dasher Technologies blog on September 20th, 2017. As Dasher has been acquired by Converge Technology Solutions, the Dasher blog may be removed in the future; I am posting this here for archival purposes (with permission).

Over the last few years, “traditional” antivirus protection has become increasingly ineffective against modern malware. This has led to a shift in the industry towards “next-generation” endpoint protection…except the term “next-generation” refers to a variety of methods for combating modern malware. Today, I’d like to take you through a brief history of antivirus, a discussion of the challenges facing “traditional” antivirus products, and then discuss the different types of “next-generation” endpoint protection options.

A Brief History of Antivirus

Back in 1971, the first computer virus was written. Creeper, as it was called, was a worm which copied itself across mainframe computers on ARPANET, with its only damage being the copying of itself to other mainframes, and the printing of the line “I’m the creeper: catch me if you can”. The next year, programmer Ray Tomlinson (best known for inventing email) wrote another worm, Reaper, which was designed to detect and remove the Creeper worm from systems; while some may argue that Reaper was the first antivirus program ever written, its behavior was similar to that of a virus itself, in that it was deployed without the consent of the system owners and administrators. Fast forward to 1987, when a handful of true antivirus utilities were released; the most well-known today being VirusScan by McAfee, and NOD, which was the predecessor to ESET. As the industry progressed in the 80s and 90s, players such as Panda Security, Trend Micro, Symantec, F-Secure, avast!, AVG, and Kaspersky joined the growing market of antivirus solutions, which are commonly used today in homes and businesses around the world.

Challenges of “Traditional” Antivirus

Traditional antivirus solutions are struggling to keep up with the malware threats of today, for a variety of reasons. Many of these challenges come back to a single root issue: the use of signatures, commonly called “hash values”, which are compared against a file to identify whether the file is a known virus or piece of malware, or is otherwise considered to be clean.

In the early days of antivirus, the number of known samples of malware was fairly low. In 1994, the AV-TEST Institute, an independent IT security research group, reported a total of 28,613 malware samples in their database. To detect these samples, antivirus engines would run a file through a hash algorithm such as MD5 to create a hash value, and compare that value against the list of hash values associated with known malware.

The challenge with using hash values (or other signature-based methods) in today’s threat landscape is partially due to the rise of what is called “polymorphic” malware. Polymorphic malware is written in such a way that the underlying code of the malware changes, so that it no longer matches the hash value from which the signature was written and thereby evades detection. Take the following (incredibly basic) example:

"Hello world" – MD5 hash: ca74e8418fcd3ef2e5d34857baf7b3cb
"Hello world " (with a trailing space) – MD5 hash: 2ce16307b8984b86477dc19b548811ef

Just the addition of a single space in the second version results in a different hash value!
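As an added example (not code from the original post), the following Python reproduces the whole-file hash comparison with hashlib for the post's two strings, shows that a blocklist built from the first string misses the padded variant, and contrasts that with a coarse structural fingerprint that still matches it. The blocklist and the byte n-gram fingerprint scheme are constructed for illustration and are not any vendor's detection algorithm.

```python
"""
Added example (not from the original post): an exact-hash blocklist, as a
traditional AV engine used it, next to a coarse structural fingerprint that
survives a one-byte change. The two samples are the post's own "Hello world"
strings; the blocklist and the fingerprint scheme are constructed for
illustration, not any vendor's algorithm.
"""
import hashlib

KNOWN_BAD = b"Hello world"          # the sample a signature was written from
VARIANT = b"Hello world "           # the "polymorphic" variant: one extra byte


def md5_hex(data: bytes) -> str:
    """Whole-file MD5, as the post describes traditional engines using it."""
    return hashlib.md5(data).hexdigest()


def hash_blocklist_match(sample: bytes, blocklist: set) -> bool:
    """Traditional signature check: the whole file must hash identically."""
    return md5_hex(sample) in blocklist


def ngram_fingerprint(data: bytes, n: int = 4) -> frozenset:
    """Break the sample into overlapping n-byte pieces (a toy 'characteristics' set)."""
    return frozenset(data[i:i + n] for i in range(len(data) - n + 1))


def similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity of the two fingerprints; 1.0 means identical pieces."""
    fa, fb = ngram_fingerprint(a, n), ngram_fingerprint(b, n)
    if not fa and not fb:
        return 1.0
    return len(fa & fb) / len(fa | fb)


def fingerprint_match(sample: bytes, known_bad: bytes, threshold: float = 0.8) -> bool:
    """Flag a sample whose pieces mostly overlap with a known-bad sample."""
    return similarity(sample, known_bad) >= threshold


if __name__ == "__main__":
    blocklist = {md5_hex(KNOWN_BAD)}
    print("original hash:", md5_hex(KNOWN_BAD))
    print("variant hash: ", md5_hex(VARIANT))
    print("hash blocklist catches variant:", hash_blocklist_match(VARIANT, blocklist))
    print("fingerprint similarity:", round(similarity(VARIANT, KNOWN_BAD), 3))
    print("fingerprint catches variant:", fingerprint_match(VARIANT, KNOWN_BAD))
```

The trailing space changes every bit of the digest, so the blocklist lookup fails, while eight of the nine 4-byte pieces of the variant are shared with the original, a similarity of 8/9 that clears the threshold. Real products use far richer features than byte n-grams, but the contrast between "identical file" and "mostly the same pieces" is the idea behind the fingerprint approach discussed under next-generation protection below.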

This move towards polymorphic malware, combined with the general increase in organized malware campaigns, meant that there were over 115 million new samples of malware added to the AV-TEST Institute’s database in 2016 alone; for comparison, the entire database size at the end of 2013 (of all malware cataloged since 1994) was about 175 million samples.

The increase in the number of malware samples in the wild, combined with the rate at which variants are created, is causing traditional antivirus systems to fail. Where once-a-day updates previously provided sufficient coverage, many vendors are now shortening update intervals to as little as every five minutes, to help customers catch the newest malware. However, until a sample of malware is seen in the wild, it can’t be properly defended against by traditional antivirus; this means a more targeted campaign can be missed for a very long time, as in the case of the initial deployment of Stuxnet.

Side Note: if you are interested in reading more about zero-day malware, I highly recommend the book “Countdown to Zero Day” by Kim Zetter.

How “Next-Generation” Endpoint Protection is Different

Over the past 3-4 years, the endpoint protection industry has started moving towards “next generation” solutions, to better combat the rise of modern malware, especially with the entrance of solutions such as CrowdStrike, Cylance, Bit9, and others. These solutions work in different ways than traditional antivirus, especially in that they all move away from signature-based detection of malware.

Here are a few ways that Next Generation Endpoint Protection works:

  • One vendor’s solution focuses on machine learning and artificial intelligence to break down files into much smaller fingerprints, or characteristics, looking for those pieces which are known to be signs of an attempted attack on a system.
  • Another vendor’s solution works to mitigate malware by analyzing all running processes on a system, maintaining a whitelist of acceptable processes and process behaviors, as well as detailed forensics on processes to identify and stop unusual behaviors.
  • A third vendor’s solution also watches processes on the endpoint, looking for the low-level exploit techniques that most malware shares and leverages as part of an attack, and stopping those activities from taking place.
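As an added example (not from the original post or any vendor's product), here is a small Python process-behaviour monitor in the spirit of the allowlist approach in the second bullet (the post's "whitelist"): each constructed process-start event is checked against an allowlist of executables and a table of expected parent/child pairings, so an unknown binary is blocked and an allowlisted shell is still blocked when a word processor launches it. All paths, events and rule tables are constructed samples.

```python
"""
Added example (not from the original post): a small process-behaviour
monitor in the spirit of the allowlist-based approach described above. It
judges each process-start event by (a) whether the executable is on an
allowlist and (b) whether the parent/child pairing is an expected one.
All events, paths and allowlists below are constructed samples, not a
vendor's rules.
"""

# Executables an administrator has approved to run on this endpoint (constructed).
ALLOWED_EXECUTABLES = {
    r"C:\Windows\explorer.exe",
    r"C:\Program Files\Office\winword.exe",
    r"C:\Program Files\Browser\browser.exe",
    r"C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
}

# Parent -> children pairings considered normal behaviour (constructed).
# Shells are allowlisted, but not when a document editor or browser spawns them.
EXPECTED_CHILDREN = {
    r"C:\Windows\explorer.exe": {
        r"C:\Program Files\Office\winword.exe",
        r"C:\Program Files\Browser\browser.exe",
        r"C:\Windows\System32\cmd.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    r"C:\Program Files\Office\winword.exe": set(),   # word processors should not launch anything here
    r"C:\Program Files\Browser\browser.exe": set(),
}


def evaluate_event(event):
    """Return (verdict, reason) for one process-start event.

    event = {"parent": path, "child": path}
    verdict is "allow" or "block"; the rule that fired is given as the reason.
    """
    parent, child = event["parent"], event["child"]
    if child not in ALLOWED_EXECUTABLES:
        return "block", f"executable not on allowlist: {child}"
    expected = EXPECTED_CHILDREN.get(parent)
    if expected is not None and child not in expected:
        return "block", f"unexpected child for {parent}: {child}"
    return "allow", "allowlisted executable with expected parent"


def evaluate_events(events):
    """Run every event through the rules, keeping the event with its verdict."""
    return [(e, *evaluate_event(e)) for e in events]


def blocked_events(events):
    """Only the events the monitor would stop."""
    return [e for e, verdict, _ in evaluate_events(events) if verdict == "block"]


# Constructed sample event stream: normal logon activity followed by two
# patterns a behaviour-based product would stop.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "child": r"C:\Program Files\Office\winword.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "child": r"C:\Windows\System32\cmd.exe"},
    # unknown binary in a user-writable temp directory (constructed path)
    {"parent": r"C:\Program Files\Browser\browser.exe",
     "child": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    # an allowlisted shell, but spawned by the word processor
    {"parent": r"C:\Program Files\Office\winword.exe",
     "child": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

if __name__ == "__main__":
    for event, verdict, reason in evaluate_events(SAMPLE_EVENTS):
        print(f"{verdict:5}  {event['child']}  ({reason})")
```

The two checks are deliberately separate: the allowlist answers "is this binary approved at all?", while the parent/child table answers "is this approved binary behaving normally?", which is the distinction between an executable allowlist and behaviour monitoring that the bullet draws.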

Traditional security companies are not standing still and firewall vendors offer total solutions.

Of course, the traditional players like Symantec, McAfee, Trend Micro, Microsoft Windows Defender and Sophos are not standing still and are coming out with new Next Generation solutions to further fill the marketplace with options for our clients to consider. To make it even more interesting, companies that have traditionally worked only in the firewall space, such as Cisco, Check Point, Palo Alto Networks and Fortinet, have come to market with the concept of total protection solutions that offer endpoint as well as network core and edge protection.

It's back! After quite the hiatus from writing posts for my own blog, and switching hosting providers (again), I am back online! I'm not quite sure what my plan is for this reincarnated blog, but I'm sure it will end up being a discussion of technical tips and tricks for the solutions I spend the most time working on, as well as general commentary about the IT industry, and specifically Cybersecurity (as well as a little networking, since I still work on plumbing from time to time).

Stay tuned for more!

~Kellen