Security News > 2021 > September > Keep Attackers Out of VPNs: Feds Offer Guidance
Unsecured VPNs can be a hot mess: Just ask Colonial Pipeline or the 87,000 Fortinet customers whose credentials for unpatched SSL-VPNs were posted online earlier this month.
As the advisory from the NSA and CISA explained, exploiting CVEs associated with VPNs can enable a malicious actor "To steal credentials, remotely execute code, weaken encrypted traffic's cryptography, hijack encrypted traffic sessions, and read sensitive data from the device."
Archie Agarwal, founder and CEO of automated threat modeling provider ThreatModeler, pointed out that a quick search with Shodan - the search engine of Internet-connected devices - uncovers more than a million VPNs on the internet in the U.S. alone.
Will the push to Zero Trust spell doomsday for VPNs? Agarwal thinks so: He pointed to startups that are pioneering Zero Trust and predicted that "The days of VPNs on the Internet are thankfully numbered."
Paunet painted a pro-VPN future: "While there has been a rise in vulnerabilities of VPNs due to more VPN usage over the last year and a half, newer VPN technologies with newer types of cryptography are evolving to ensure the protection of information transmitted across the internet. WireGuard VPN, for example, uses state-of-the-art cryptography and is becoming more popular."
How to Choose and Harden a VPN. For now, the future of VPNs is moot: VPNs haven't disappeared yet, so for now, there's clearly still work to be done to harden their defenses.