When I first read the federal government’s memo on its “transition to zero trust”, I was jumping out of my skin with excitement. There is a lot of great material in that memo (see my earlier blog post), but what excited me most was its stance on VPNs.
Perimeter VPNs are deprecated
You might expect the memo to say “VPNs are not enough”, because they really aren’t. What it actually says is:
… the Federal Government can no longer depend on conventional perimeter-based defenses
Old-fashioned perimeter VPNs are highly problematic when they are the only defense. Relying on a single perimeter VPN to protect your assets, with nothing behind it, is like basing your building security on handing out keys to the front door while leaving every individual office unlocked. Once an attacker is inside the building, they can walk into any office and nothing stops them from doing whatever they want.
We already know that this memo is, in part, a reaction to the Colonial Pipeline ransomware incident of 2021, where a legacy VPN account that was no longer in active use, and was not protected by multi-factor authentication, gave the attackers their initial foothold in Colonial Pipeline’s corporate network. So we would expect perimeter VPNs to be deprecated.
Segmented VPNs are deprecated
What I expected the memo to say next was “segment your network using VPNs”. That would be like giving individuals keys to their own offices rather than to the whole building, and it is what many modern VPNs do: they use policy-based or role-based access control (RBAC) to decide which parts of the corporate network a given user can reach. But the memo did not say that either. It said:
Users should log into applications, rather than networks
That sounds reasonable enough. You could imagine users logging into applications that sit behind a VPN: first you would connect to the network over the VPN, and then you would present a second set of credentials to the application itself.
Just log into applications
But actually the memo doesn’t say that. It says:
Enterprise applications should be able to be used over the public internet.
In other words, it advises against relying on VPNs at all. Enterprise applications must be secure enough to be used without one. This is the BeyondCorp approach that Google first described publicly in 2014. The memo later spells out its stance even more starkly:
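To make the difference between the two models concrete, here is an added example of my own (not code from the post, the memo, Google, or any federal agency): two toy access-decision functions in Python. The perimeter model grants every internal application to any client holding an address in the VPN pool and never consults the directory. The application model evaluates each request against a signed identity assertion, the account’s status, MFA, device state and a per-application role, and ignores the source address entirely. All accounts, devices, addresses, the signing key and the HMAC-signed token format are constructed stand-ins for a real identity provider and device inventory.

```python
"""Toy access-decision models: perimeter VPN vs. per-request application access.

Added illustration, not from the post or the memo. Every account, device,
address and key below is constructed; the HMAC token stands in for a real
identity provider's signed assertion (e.g. an OIDC ID token).
"""
import hashlib
import hmac
import ipaddress
import json
import time

# ---- Perimeter model: holding a VPN address *is* the authorization ----------
CORP_NETWORK = ipaddress.ip_network("10.0.0.0/8")  # assumed VPN address pool


def perimeter_allows(src_ip: str, app: str) -> bool:
    """Any client inside the VPN pool reaches every internal app.

    The app argument is deliberately ignored: the network is the only thing
    being checked, which is exactly the weakness the memo is reacting to.
    """
    return ipaddress.ip_address(src_ip) in CORP_NETWORK


# ---- Application model: each request carries a verifiable identity ---------
IDP_KEY = b"constructed-idp-signing-key"  # assumption: shared-secret IdP for the toy

# Constructed directory, device inventory and per-application policy.
ACCOUNTS = {
    "alice": {"active": True, "roles": {"engineer"}},
    "bob": {"active": True, "roles": {"finance"}},
    "legacy-vpn-user": {"active": False, "roles": {"engineer"}},  # dormant account
}
MANAGED_DEVICES = {
    "laptop-0042": {"compliant": True},
    "laptop-0099": {"compliant": False},  # managed but failing posture checks
}
APP_POLICY = {
    "git": {"role": "engineer", "mfa": True, "managed_device": True},
    "payroll": {"role": "finance", "mfa": True, "managed_device": True},
    "wiki": {"role": None, "mfa": True, "managed_device": False},
}


def issue_assertion(user: str, device_id: str, mfa: bool, ttl: int = 300) -> str:
    """Mint a short-lived, HMAC-signed assertion: '<json claims>.<hex sig>'."""
    claims = {"sub": user, "dev": device_id, "mfa": mfa, "exp": int(time.time()) + ttl}
    body = json.dumps(claims, sort_keys=True)
    sig = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def verify_assertion(token: str):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(body)
    if claims["exp"] < time.time():
        return None
    return claims


def app_allows(app: str, token: str, src_ip: str):
    """Per-request decision: (allowed, reason).

    src_ip is accepted only so it can be logged; it never influences the
    decision. Coming from "inside" the network earns nothing here.
    """
    policy = APP_POLICY.get(app)
    if policy is None:
        return False, "unknown application"
    claims = verify_assertion(token)
    if claims is None:
        return False, "invalid or expired assertion"
    account = ACCOUNTS.get(claims["sub"])
    if account is None or not account["active"]:
        return False, "account missing or disabled"
    if policy["mfa"] and not claims["mfa"]:
        return False, "MFA required"
    if policy["managed_device"]:
        device = MANAGED_DEVICES.get(claims["dev"])
        if device is None or not device["compliant"]:
            return False, "unmanaged or non-compliant device"
    if policy["role"] and policy["role"] not in account["roles"]:
        return False, "role %s required" % policy["role"]
    return True, "ok"


if __name__ == "__main__":
    # Perimeter: a VPN address opens everything, including payroll.
    print("perimeter, 10.1.2.3 -> payroll:", perimeter_allows("10.1.2.3", "payroll"))
    # Application: a dormant account fails even from a VPN address ...
    dormant = issue_assertion("legacy-vpn-user", "laptop-0042", mfa=True)
    print("app, dormant account from VPN:", app_allows("git", dormant, "10.1.2.3"))
    # ... while a healthy identity on a compliant device succeeds from the public internet.
    alice = issue_assertion("alice", "laptop-0042", mfa=True)
    print("app, alice from internet:", app_allows("git", alice, "203.0.113.5"))
```

The dormant-account case is the one the post cites: the perimeter function has no way to notice it, because it never looks at who is asking, only where the packet came from. In the application model the same request fails at the directory check no matter which network it arrives from, and a request that passes every check is accepted from the public internet, which is the property the memo is asking for.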
Making applications internet-accessible in a safe manner, without relying on a