VPN is hot again (thanks google!)
by VPNHaus | 02/18/2010 |Rethink Remote Access
A few weeks back, Google instituted an emergency update to its corporate VPN, which led to many questions whether the network was compromised—Google states “no”, however, timing suggests otherwise. All of the discussions, questions and disorder got us thinking… if Google had to issue an 'emergency VPN update', perhaps the rest of corporate America should be rethinking their remote access to prevent any similar occurrences from happening.
In the case of Google, simple passwords could have been used to access the network, however, if two factor authentication and network access control (NAC)—or as we like to call a ‘pat-down’—were in place this simulation would have been much harder to pull off—even if phishing grabbed some passwords. Forrester analyst, Chenxi Wang made some interesting observations on her blog—her initial analysis was that the attackers gained access to Google's server via its corporate VPN, from a Microsoft browser vulnerability that was exploited. Some employees’ desktops were compromised, and the attacker used these compromised desktops via Google’s VPN to get to some of the servers. Google 'clarified' this later, stating that the method of access, at some point, may have involved VPN, but does not agree with the characterization that “the compromised client used their corporate VPN to gain access to the servers”.
Touching on the fact that the victim’s machine was running IE 6, an outdated browser, Chenxi suggests that the machine may not have been a corporate managed machine. If this is indeed the case, Google’s should be rethinking their remote access policies, and enable employees to use personal devices that are secured and managed. This idea is similar to former Forrester analyst, Natalie Lambert’s concept of BYOPC (Bring your own PC)— employees are going to use whatever device they can to access the network, and probably break many security policies while doing it. Instead of restricting machines that are able to access the network and taking a chance and running to in a situation that Google had on their hands, companies can support a variety of devices, whether it be Windows 7, Windows Vista (32/64 Bit), Linux, Mac, Symbian, Windows Mobile etc. AND secure them. It seems that Google’s technology was restricting employees’ practices because the system could not handle it, which by and large caused an emergency update to the entire corporate VPN infrastructure.
This emergency update caused a connectivity disturbance for more than 24 hours, which affected work flow and productivity. A better VPN management system might have played a significant role for Google.
Follow this discussion on Twitter: @VPNHaus