Fri. Sep 23rd, 2022

Executive summary
Organizations face growing problems from both on-site and remote employees who try to bypass proxy servers to hide their online activities or leak data undetected. For example, employees may use "incognito" mode, download personal virtual private networks (VPNs) or Tor browsers, or bypass the corporate VPN. In these cases, the information security team (InfoSec) needs full network visibility to determine whether the employee is simply protecting their privacy, covering up violations of the organization's policies, or trying to conceal an attack.

Personal VPN services promise secure, encrypted tunnels for user traffic. They claim to keep the tunnelled traffic hidden from others by encrypting the Internet connection, and to keep users' app usage and browsing history private. VPNs can be used to bypass Internet censorship and traffic policy enforcement. In practice, however, they obscure an organization's visibility into its own network.

Network visibility is important for a number of reasons, including enforcing policies to improve security, reduce shadow IT, and quickly detect malicious or suspicious activity. It can enhance an organization’s application analysis and help make informed decisions.

Organizations often use tools such as Palo Alto Networks Next-Generation Firewalls to gain deep visibility into network traffic. An enterprise may attempt to gain visibility down to the packet, application, and user levels.

Here, we assess personal VPN applications and the risks and threats they pose to network visibility within an organization. We discuss how these applications and services evade firewalls and thereby bypass security and policy enforcement mechanisms.

Palo Alto Networks customers can maintain complete network visibility by using App-ID on the Next-Generation Firewall, which helps identify and control personal VPNs on the network.

Using a personal VPN on an enterprise network: The main risk
VPNs enable users to access network resources that might otherwise be inaccessible. VPNs were developed to allow companies with multiple locations to connect their internal networks over encrypted channels across the Internet. In the workplace they are typically used to give users who are not physically on the corporate network (such as remote workers) access to assets and equipment. But now everyone can easily use a VPN, in some cases for free. Still, the average user rarely considers the risk of using a personal VPN on a company device.

Regarding VPN data security and privacy, in most cases users must simply trust their VPN provider, because the provider operates the network tunnel. The provider can see which websites users visit, including any unencrypted data, and how often they visit. Providers can store this data; some of it is valuable to advertising and marketing firms that use browsing behavior to target ads at the right audience. VPN providers can thus profit twice, by collecting subscription fees from users and by selling their web consumption data to the advertising industry. In more extreme cases, they may even hand user data to government authorities.

Using a personal VPN brings risks to the network. In particular, it circumvents the defense-in-depth strategies the InfoSec team uses in an enterprise environment to protect endpoints and to prevent users from intentionally or accidentally performing specific unauthorized tasks.

Attackers constantly scan networks for vulnerabilities to exploit. If an attacker succeeds in compromising even one computer in an organization, the entire network could be at risk. Organizations use their Domain Name System (DNS), enterprise Data Loss Prevention (DLP), and proxy servers as countermeasures, each of which plays an important role in protecting users, data, and communications. Bypassing any of these reduces network visibility and endangers the organization.

One of the primary uses of proxy servers is to prevent employees from accessing inappropriate and insecure websites and to monitor traffic. In addition, proxy servers protect corporate endpoints from communicating with malicious command and control (C2) servers. With a VPN, however, users can bypass this protection. For example, if an employee's computer becomes infected while using a VPN, the data sent to the C2 server will not be visible to the information security team.

Internal threats pose almost as much risk to enterprise security as external intruders. Private or personal VPNs allow employees to bypass the security measures and permissions implemented by information security teams. VPNs can also expose online activities to attackers. In addition, the IT team loses full visibility into user activity — for example, users can hide their visits to insecure or banned sites.

Known VPN vulnerabilities
Not only does the underlying functionality of personal VPN products pose a risk to organizations, but these products are often targeted by advanced persistent threats (APTs) because of their vulnerabilities. Unfortunately, cybercriminals often find ways to exploit known, already patched vulnerabilities, relying on the fact that not all users keep their software up to date.

How does a VPN application attempt to bypass a firewall?
Given that they can introduce vulnerabilities into an organization's network, it is worrisome that the capabilities of VPN applications include trying to circumvent firewalls. VPNs cannot make online connections completely anonymous; however, they typically tunnel their traffic inside other protocols and use encryption. VPN service providers can use secure VPN protocols, for example Internet Protocol Security (IPsec), Transport Layer Security (SSL/TLS), Datagram Transport Layer Security (DTLS), Microsoft Point-to-Point Encryption (MPPE), Microsoft Secure Socket Tunneling Protocol (SSTP), Secure Shell VPN (SSH/OpenSSH), OpenVPN, and WireGuard. These are secure, well-defined protocols for legitimate VPN use, but that works against personal VPN providers: because they are known protocols, they can easily be blocked by organizations or governments. This contradicts the 100% secure connection and availability that VPN providers promise their customers.

VPN providers do their best to remain undetectable on networks, using methods such as switching ports or servers, or hopping between protocols. For example, VPN services based on OpenVPN give users the option to change the transport protocol to Transmission Control Protocol (TCP) or User Datagram Protocol (UDP). However, the need to remain undetected while maintaining full availability for customers goes far beyond that. Some VPN companies specifically design proprietary protocols to circumvent organizational or government blocking.

In this section, we review some of the circumvention techniques used by VPN products.

Self-signed certificate
Figure 1 illustrates how Hotspot Shield uses forged self-signed certificates to pass its traffic through the firewall. The traffic can still be identified by checking the TLS cipher suite information and port numbers, and by observing patterns that differ from a genuine certificate.

The personal VPN Hotspot Shield uses forged self-signed certificates to slip its traffic past the firewall.

Tunnel into HTTP traffic
Some VPN applications try to get past the firewall by sending traffic that looks like plain HTTP. On close examination, however, their characteristics can be identified: the authentication header or encoding, the HTTP request method or port number, and other distinctive fields in the request header. These can be used to identify such applications.

SetupVPN, with more than 2 million users, uses the HTTP Proxy-Authorization header to authenticate users to its servers. Decoding this header can provide useful information about the SetupVPN application.

The HTTP proxy authorization header in SetupVPN shown here can provide useful information about the SetupVPN application.
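To illustrate the header inspection described above, here is an added example (not code from the article or from Palo Alto Networks) that parses a constructed plain-HTTP request and flags a Proxy-Authorization header sent anywhere other than the assumed corporate proxy ports 3128 and 8080; the sample requests and port list are assumptions, not captures from the article.

```python
import base64

# Constructed sample requests (not captures from the article): the first
# resembles a VPN client authenticating to its own server with a proxy
# header, the second is an ordinary browser-style request.
SAMPLE_REQUESTS = [
    b"CONNECT example.net:443 HTTP/1.1\r\n"
    b"Host: example.net:443\r\n"
    b"Proxy-Authorization: Basic dXNlcjpwYXNz\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/8.0\r\n\r\n",
]

# Assumed ports of the organization's own forward proxy; proxy credentials
# sent to any other destination are what we want to surface.
CORPORATE_PROXY_PORTS = (3128, 8080)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, lower-cased header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def proxy_auth_finding(raw: bytes, dst_port: int):
    """Return a finding dict when a request carries Proxy-Authorization
    toward a destination that is not the corporate proxy, else None."""
    method, target, headers = parse_request(raw)
    auth = headers.get("proxy-authorization")
    if auth is None or dst_port in CORPORATE_PROXY_PORTS:
        return None
    scheme, _, blob = auth.partition(" ")
    finding = {"method": method, "target": target,
               "scheme": scheme, "dst_port": dst_port}
    if scheme.lower() == "basic":
        # Basic credentials are only base64-encoded, so the account name the
        # VPN client uses is visible to anyone inspecting the traffic.
        try:
            finding["username"] = base64.b64decode(blob).decode("latin-1").split(":", 1)[0]
        except ValueError:
            pass
    return finding


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(proxy_auth_finding(req, 80))
```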

Imitating generic protocols
VPN applications send their traffic over well-known ports so that the firewall misidentifies the protocol and lets the traffic through. For example, Thunder VPN, which has over 10 million users, uses UDP port 53, best known for DNS, and TCP port 443, best known for HTTPS (HTTP over TLS/SSL).

Screen captures show how Thunder VPN (sometimes used as a personal VPN) simulates SSL traffic using protocol-specific ports and handshake types.

The following figure shows that Wireshark incorrectly identifies the traffic sent by Thunder VPN on port 443 as SSL. Thunder VPN simulates SSL traffic by using the same port and handshake type.

Thunder VPN also uses port 53 to smuggle traffic over the default DNS port, which is generally allowed on all networks. In traffic initiated by this application, however, the reserved DNS flag Z, which must be zero in all DNS queries and responses, is set to 1. Port 53 UDP traffic sent by Thunder VPN is shown in Figure 4.

UDP traffic sent by Thunder VPN over port 53.
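The reserved-bit anomaly described above is easy to check for on any UDP/53 datagram. The following is an added example (not code from the article or from Palo Alto Networks) that parses the fixed DNS header and lists the reasons a payload does not look like genuine DNS; it generalizes slightly beyond the Z bit by also flagging unassigned opcodes and standard queries with an unusual question count. The payloads are constructed samples, not Thunder VPN captures.

```python
import struct

# Constructed UDP/53 payloads (not captures from the article): a normal
# recursive query for example.com, a normal response, and a datagram with
# the reserved Z bit (0x0040 in the flags word) set, as the article
# describes for Thunder VPN traffic.
NORMAL_QUERY = (bytes.fromhex("1234 0100 0001 0000 0000 0000")
                + b"\x07example\x03com\x00\x00\x01\x00\x01")
NORMAL_RESPONSE = (bytes.fromhex("1234 8180 0001 0001 0000 0000")
                   + b"\x07example\x03com\x00\x00\x01\x00\x01"
                   + bytes.fromhex("c00c 0001 0001 00000e10 0004 5db8d822"))
Z_BIT_SET = (bytes.fromhex("abcd 0140 0001 0000 0000 0000")
             + b"\x03foo\x00\x00\x01\x00\x01")

# Opcodes assigned by IANA: QUERY, IQUERY, STATUS, NOTIFY, UPDATE, DSO.
ASSIGNED_OPCODES = {0, 1, 2, 4, 5, 6}


def dns_header(payload: bytes):
    """Parse the fixed 12-byte DNS header into its fields, or None if too short."""
    if len(payload) < 12:
        return None
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,
        "opcode": (flags >> 11) & 0xF,
        "rd": (flags >> 8) & 1,
        "z": (flags >> 6) & 1,      # reserved, must be zero (RFC 1035 / RFC 2535)
        "ad": (flags >> 5) & 1,
        "cd": (flags >> 4) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def port53_anomalies(payload: bytes):
    """Return the reasons a UDP/53 datagram does not look like genuine DNS."""
    h = dns_header(payload)
    if h is None:
        return ["shorter than a DNS header"]
    reasons = []
    if h["z"]:
        reasons.append("reserved Z bit set")
    if h["opcode"] not in ASSIGNED_OPCODES:
        reasons.append("unassigned opcode %d" % h["opcode"])
    if h["opcode"] == 0 and h["qdcount"] != 1:
        reasons.append("standard query with %d questions" % h["qdcount"])
    return reasons
```

On a real sensor the same function would run over each datagram seen on UDP/53 and feed an alert when the list is non-empty.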

Conclusion
Palo Alto Networks App-ID technology enables customers to control the applications and protocols on their networks. It allows information and network security teams to safely enable applications through policies that allow or deny them based on context. This helps keep the attack surface as small as possible.

App-ID, running on the Palo Alto Networks Next-Generation Firewall, gives visibility into VPN applications and their underlying protocols on the network, including all of the protocols mentioned in this article. App-ID helps security teams see who is using VPN applications across the network — and when and where — and enforce the policies chosen by the organization. Currently, App-ID covers more than 70 of the most popular VPN services.

The App-ID team constantly reviews the latest versions of VPN applications and releases updated signatures to its customers. Because of the nature of these applications, their traffic often changes in order to evade the firewall.
