
Vulnerabilities exploited in VPN products used worldwide - infodocket
https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities
======
tptacek
Commercial enterprise VPN products are an open sewer, and there aren't any,
from any vendor, that I trust. I don't like OpenVPN or strongSwan, but you'd
be better off with either of them than you would be with a commercial VPN
appliance. The gold standard, as ever, is Wireguard.

~~~
ihuman
Why do you prefer Wireguard over Openvpn?

~~~
big_chungus
Others pointed this out already, but I'd like to second the simplicity. It's
much, much easier to set up WireGuard, especially compared to the mess that is
OpenVPN. I had to use algo to set up OpenVPN originally, and God help you if
you're not on Ubuntu.

Secondly, WireGuard is faster. If you're dealing with lots of users, CPU could
be limited; in such environments, WireGuard has allowed me up to fifty percent
more throughput than with OpenVPN. It's also newer and probably not as
optimized, so it may get better. Finally, the new tap/tun driver on Windows is
orders of magnitude better than the OpenVPN one.

------
Havoc
>These vulnerabilities are well documented in open source.

Seeing this awkward use of "open source" a lot lately. It's almost as if people
think "readable on the internet for free" equals open source.

~~~
jackcodes
It does mean that. Free software and open source mean different things.

~~~
yjftsjthsd-h
Is this open source or source available? There is a meaningful distinction.

~~~
jackcodes
What is the distinction?

~~~
detaro
Open Source fulfills the open source definition:
[https://opensource.org/osd-annotated](https://opensource.org/osd-annotated).
Source available is software where you can look at the source, but do not have
the rights you have with Open Source.

------
campuscodi
The APT referenced in the NCSC alert is APT5:
[https://www.zdnet.com/article/a-chinese-apt-is-now-going-after-pulse-secure-and-fortinet-vpn-servers/](https://www.zdnet.com/article/a-chinese-apt-is-now-going-after-pulse-secure-and-fortinet-vpn-servers/)

~~~
dontbenebby
Thank you, did not want to enable JS to read...

------
gz5
The architecture (of classic VPN) is the vulnerability. IMO, we need to move
towards architectures which design in:

+ Least privileged access and isolation. Worst-case, 5-tuple, session-by-
session. Best-case, app level bindings, independent of addressing. Isolation
to prevent lateral attacks.

+ Zero trust. Yes the ZT term seems to have been taken over by marketing, but
the architecture itself is sound.

+ Telemetry data for proper visibility.

+ Programmable-by-Design. Integrate into overall app and security constructs
and tooling; no (mainly) separate VPN islands.

~~~
pjmlp
And not written in C, as some of these CVEs are the typical issues C has
plagued the industry with.

------
kerng
Well, still better than having all internal infrastructure exposed by default.
At least there is something that needs to be circumvented.

Companies that do BeyondCorp don't even have that level of protection. Most
blindly follow that, without realizing that security of their internal systems
is bad and therefore they should not do BeyondCorp. I have seen companies put
their production infra without any firewalling out on the Internet (e.g.
jumpboxes and bastions) - that's also mind boggling.

Zero Trust is a journey not a solution....

~~~
xyzzy_plugh
BeyondCorp isn't incompatible with VPN solutions -- if anything they're highly
complementary. Why not use both?

~~~
kerng
Exactly my point, Zero Trust is a good strategy and mindset. BeyondCorp though
is short-sighted and seems more like a solution from a company that wants to
sell its cloud solutions, by trying to make VPN evil by suggesting you should
not have a network perimeter at all:

"Connecting from a particular network must not determine which services you
can access."

I argue that a simple source IP check is still one of the most significant
and effective defense-in-depth measures that can be put in place. Not doing it
seems like a lack of due diligence to me. It's the first level of defense to
which more security needs to be added on.
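
An added example, not code from anyone in this thread or from any VPN product, of the layered check kerng and gz5 describe: a source-network allowlist as the first gate, then a default-deny, per-session 5-tuple policy that can additionally bind a rule to an authenticated identity. The networks, proxy address, ports, hostnames and identities are all constructed for the demo, and the X-Forwarded-For handling assumes a single trusted proxy hop.

```python
"""Layered admission check: a source-network allowlist first (the
"simple source IP check"), then a default-deny, per-session 5-tuple
policy with optional identity binding (the least-privilege layer).
Added example for this thread, not code from any product or project.
Every network, address, port and identity here is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Layer 1 (constructed): where a connection may originate at all,
# e.g. the VPN client pool and the office egress range.
SOURCE_ALLOWLIST = [ipaddress.ip_network(n)
                    for n in ("10.8.0.0/24", "203.0.113.0/26")]

# Reverse proxies whose X-Forwarded-For we trust (constructed). Any other
# peer's header is ignored: a client can write whatever it likes into it.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


@dataclass(frozen=True)
class Rule:
    src: str                  # source network, CIDR
    dst: str                  # destination host or network, CIDR
    proto: str                # "tcp" or "udp"
    dport: Optional[int]      # destination port, None = any
    identity: Optional[str]   # authenticated principal required, None = any


# Layer 2 (constructed): least-privilege policy, evaluated per session.
POLICY = [
    Rule("10.8.0.0/24", "10.0.1.5/32", "tcp", 443, None),                # intranet web, any VPN user
    Rule("10.8.0.0/24", "10.0.2.20/32", "tcp", 22, "alice@example.com"),  # jump host, alice only
    Rule("203.0.113.0/26", "10.0.1.5/32", "tcp", 443, None),             # intranet web from the office
]


def client_ip(peer_ip: str, xff: Optional[str], trusted_proxies=TRUSTED_PROXIES):
    """Effective client address. Only a trusted proxy's header is honoured,
    and only its rightmost entry, which is the address that proxy itself
    saw (earlier entries are whatever the client sent). Assumes one hop."""
    peer = ipaddress.ip_address(peer_ip)
    if xff and any(peer in net for net in trusted_proxies):
        try:
            return ipaddress.ip_address(xff.split(",")[-1].strip())
        except ValueError:
            pass  # malformed header: fall back to the socket peer
    return peer


def source_allowed(ip) -> bool:
    return any(ip in net for net in SOURCE_ALLOWLIST)


def rule_matches(rule: Rule, src, dst, proto: str, dport: int,
                 identity: Optional[str]) -> bool:
    return (src in ipaddress.ip_network(rule.src)
            and dst in ipaddress.ip_network(rule.dst)
            and rule.proto == proto
            and (rule.dport is None or rule.dport == dport)
            and (rule.identity is None or rule.identity == identity))


def decide(peer_ip: str, xff: Optional[str], dst_ip: str, proto: str,
           dport: int, identity: Optional[str] = None) -> Tuple[bool, str]:
    """Admit or refuse one session. Default deny at every layer."""
    src = client_ip(peer_ip, xff)
    if not source_allowed(src):
        return False, f"source {src} outside allowlist"
    dst = ipaddress.ip_address(dst_ip)
    for rule in POLICY:
        if rule_matches(rule, src, dst, proto, dport, identity):
            return True, f"allowed by {rule}"
    return False, "no rule matched (default deny)"


if __name__ == "__main__":
    # Constructed sessions: a direct VPN client, an unauthenticated attempt
    # at the jump host, and an internet peer spoofing X-Forwarded-For.
    for args in (("10.8.0.7", None, "10.0.1.5", "tcp", 443),
                 ("10.8.0.7", None, "10.0.2.20", "tcp", 22),
                 ("10.8.0.7", None, "10.0.2.20", "tcp", 22, "alice@example.com"),
                 ("198.51.100.9", "10.8.0.7", "10.0.1.5", "tcp", 443),
                 ("192.0.2.10", "10.8.0.7, 198.51.100.9", "10.0.1.5", "tcp", 443)):
        print(args, "->", decide(*args))
```

The point of the proxy handling is the caveat that goes with "a simple source IP check": the check is only as good as the address it is fed, so the header is believed only when the socket peer is a known proxy, and even then only the entry that proxy appended. Everything the network layer admits still has to pass a rule, and the jump-host rule shows how the identity layer narrows access further without replacing the network gate.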

------
acl777
end users: "vulnerabilities"; government security offices: "opportunities"

:-)

------
basicplus2
<vulnerabilities affecting Virtual Private Network (VPN) products from vendors
Pulse Secure, Palo Alto and Fortinet>

