Don’t Patch. Hide.

Posted: Thursday July 6, 2023
Author: Jason Garbis

I don’t like criticizing vendors when they have a well-publicized vulnerability. All vendors will have occasional security issues or CVEs, and most vendors are diligent and reasonable about addressing them.

But Fortinet has been in the news this past week, with a lot of coverage and chatter about a CVE for its VPN. This vulnerability is a heap-based buffer overflow, which can be exploited via the VPN service, and can be used for remote code execution (RCE) by unauthenticated attackers. This vulnerability may have already been exploited in real-world attacks, according to Fortinet, and if it hasn’t, it will be soon.

Based on the excellent work by the Bishop Fox team, we know that as of June 30, there were still over 330,000 vulnerable and exposed Fortinet VPN servers on the internet. Some of these haven’t been updated in years, and will very likely never be patched. Given the widespread media coverage of this vulnerability, those servers are effectively acting as open doors to those enterprises’ networks.


But I’m not here to single out Fortinet; I’m just using them as a timely example to make my point. And my point is the following (in bold and italics for emphasis):

Given everything we know about our current threat landscape and networking vulnerabilities, enterprises must hide their remote access services from unauthorized users.

I’ll repeat my point in perhaps a less strident tone. Organizations need to immediately prioritize replacing and retiring their VPNs and other publicly exposed remote access services on their enterprise networks. These services, by design, have access into the internal enterprise network, and as such are an incredibly inviting attack surface, enabled by the inherently open nature of TCP/IP.

We need to shift our thinking to a Zero Trust perspective, and adopt technology which requires authentication and authorization before permitting a network connection to be established.

So that brings us to our deliberately controversial headline, “Don’t Patch. Hide”. Wouldn’t it be better to hide services from unauthorized users? This gets us away from our current urgent need to patch, and our thin wisps of hope that there aren’t any exploitable but unknown vulnerabilities still lurking.

Now, I’m not seriously suggesting that organizations not patch. But by hiding your remote access services, you immediately shut out the 99.99%-plus of attackers who don’t have a foothold on one of your users’ devices. 

And, given the thriving marketplace of innovative security vendors, there are many technology and architectural choices about how you can achieve this. For example, you can take a Software-Defined Perimeter approach, which uses a basic but effective form of cryptography to protect your ports. Or, you could adopt the cloud-routed access model of many SSE / SASE vendors, in which you only have outbound network connections. Or, look at other models that use some NAT traversal wizardry to achieve this.
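
The Software-Defined Perimeter approach mentioned above typically hides ports behind Single Packet Authorization: the gateway drops all traffic silently until one packet carrying a valid keyed MAC arrives. A minimal gateway-side check follows as an added illustration; it is not the author's or any vendor's code, and the packet layout, the names `build_request` and `Gate`, the 30-second window, and the sample key are assumptions.

```python
import hashlib
import hmac
import ipaddress
import struct

# Assumed layout: timestamp | nonce | port | IPv4 to admit | client id | HMAC-SHA256 tag
HEADER = struct.Struct("!Q16sH4s")
TAG_LEN = 32
WINDOW = 30  # seconds a request stays fresh (assumed value)

def build_request(key, client_id, ip, port, now, nonce):
    """Client side: authenticate the request with a pre-shared key."""
    body = HEADER.pack(now, nonce, port, ipaddress.IPv4Address(ip).packed) + client_id
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Gate:
    """Gateway side: default-drop; one valid packet opens one (ip, port) pinhole."""
    def __init__(self, keys):
        self.keys = keys        # client id -> shared secret
        self.seen = {}          # nonce -> timestamp, for replay detection
        self.pinholes = set()   # (ip, port) pairs the firewall would admit

    def handle(self, packet, now):
        """Return True if a pinhole was opened; every failure is a silent drop."""
        if len(packet) <= HEADER.size + TAG_LEN:
            return False
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        ts, nonce, port, ip = HEADER.unpack(body[:HEADER.size])
        key = self.keys.get(body[HEADER.size:])
        if key is None:
            return False
        # Verify the MAC before trusting any field; constant-time comparison.
        if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
            return False
        # Forget nonces too old to be replayed, then reject stale or reused ones.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= WINDOW}
        if abs(now - ts) > WINDOW or nonce in self.seen:
            return False
        self.seen[nonce] = ts
        self.pinholes.add((str(ipaddress.IPv4Address(ip)), port))
        return True

    def admits(self, ip, port):
        return (ip, port) in self.pinholes

if __name__ == "__main__":
    key = b"constructed-demo-key"  # sample value, not a real secret
    gate = Gate({b"laptop-1": key})
    pkt = build_request(key, b"laptop-1", "203.0.113.7", 443, 1000, b"\x01" * 16)
    print(gate.handle(pkt, 1005), gate.handle(pkt, 1006))  # True False
```

The address to admit is carried inside the authenticated body rather than taken from the packet's source field, so a spoofed source address cannot redirect the pinhole.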

Given this rich set of alternatives, there is no reason to delay, and every reason in the world to get moving.

So I propose a challenge: Set a deadline that by the end of August you will have deployed a remote access VPN replacement product, and begun dismantling your vulnerable VPN infrastructure. 

And that by the end of September, you’ll have it completely decommissioned. 

Then you can throw yourself a pizza party, or even a Music Dance Experience (but please, make it less creepy and disturbing than the one from Severance).

Need help? Want guidance creating a plan to meet this challenge? Need support to build a technical, security, and business case for this? 

Reach out to us, and we can get you set up for success.

We’ll even buy the pizza for your VPN decommissioning ceremony.

(Want some additional guidance? Buy the Getting Started With Zero Trust book here, which includes coverage of the VPN Replacement scenario).
