Using virtual private network (VPN) client certificates and authentication cookies can help increase VPN security and improve the user experience by reducing the need to enter or re-enter a password. However, the use of these authentication methods can be like leaving your keys in the front door.
An attacker who compromises a client computer can steal its VPN client certificate or authentication cookie and replay a poorly protected session cookie from another machine, bypassing password authentication entirely. Web-based (SSL) VPNs have also had certificate bypass vulnerabilities of their own. When the key is already in the door, who needs to steal the password?
Take these steps to help ensure your VPN is not a security weak spot:
1. Harden the remote client computer so the certificate and cookie stored on it cannot simply be lifted:
- Install and enable a firewall.
- Deploy an anti-theft or MDM/EMM solution. CyberArk Idaptive’s Device Security Management can remotely wipe stolen Windows 10, macOS, iOS and Android devices.
- Enforce device security policies that fit your organization, such as screen lock when idle, blocking the USB ports, and other OS hardening settings.
- Require multi-factor authentication for computer login. CyberArk Idaptive’s Multi-Factor Authentication for Login offers second-factor choices such as phone call, SMS, mobile push notification, security question, email and OATH OTP, and supports offline two-factor authentication when no internet connection is available.
2. Keep VPN session time-outs short, so a stolen cookie can only be replayed for a limited window before the user must authenticate again.
3. Promptly address known vulnerabilities in your VPN solution. Keep it up to date or, where a fix is not yet available, roll back to a known-good version to work around the bug.
4. Integrate an MFA solution with your VPN. If a stolen client certificate or session cookie is used to bypass authentication, or the user’s password has been compromised, the attacker is still prompted for a second factor as the last line of defense. CyberArk Idaptive’s MFA for VPN integrates with both VPN thick clients and web-based VPN.
This video demonstrates two-factor authentication being prompted even when a VPN authentication cookie is being used.
Using VPN client certificates and authentication cookies has real security and usability benefits, but it also opens a path for attackers to bypass authentication. To close that path, secure the VPN client devices against compromise and enforce MFA on the VPN itself, so that a stolen certificate, cookie or password is not enough on its own.