The Need for Zero Trust Network Access (ZTNA).

An attack on Cisco devices, without authentication. With Zero Trust Network Access in place, the vulnerable interface would never have been exposed. Discover the 8800 reasons to use ZTNA from Safe-T, on-premises or in the cloud.

After the well-known SolarWinds and Exchange breaches, Cisco also recently had to publish a critical security advisory. The network hardware and telecom equipment manufacturer disclosed that earlier this month a critical vulnerability was found in a subset of its small business VPN routers. Through a remote attack without any authentication, an attacker could take over the affected devices, leaving some 8800 exposed systems vulnerable and reachable by intruders.

WAN side exposed by the bug

After thorough investigation, it turned out that the main problem was access, which ran through the vendor's Dual WAN Gigabit VPN routers. The bug sat in the web-based management interface of the Cisco Small Business RV160, RV160W, RV260, RV260P and RV260W VPN Routers.

The bug allowed an unauthenticated, remote attacker to gain access and execute arbitrary commands with root-level privileges on the underlying operating system. The root cause was that the management interface did not properly validate incoming HTTP requests, so the vulnerable code path could be reached without authenticating at all. That, of course, is exactly what attackers look for; in this case they could exploit it simply by sending crafted requests to the web-based management interface. A management interface that is reachable from the WAN at all is already a problem: it should only be reachable from a trusted management network, whatever the patch level.

DLL injection in Cisco Packet Tracer for Windows

A vulnerability in Cisco Packet Tracer for Windows (CVE-2021-1593) could also allow an authenticated, local attacker to perform a DLL injection attack on an affected device. To do this, however, the attacker must already have valid login credentials on the Windows system; this is not a remote bug.

Cisco Network Services Orchestrator (NSO) and ConfD: CLI Secure Shell (SSH) server attack

Another very serious security issue is tracked as CVE-2021-1572. It affects both Cisco Network Services Orchestrator (NSO) and ConfD in their CLI Secure Shell (SSH) server. It is a privilege escalation bug that could allow an authenticated, local attacker to execute arbitrary commands at the level of the account under which the service is running, which is commonly root.

To exploit this vulnerability, the attacker would need to have a valid account on an affected device.

"Incorrect handling of directory paths during execution"

According to Cisco's advisory for the Packet Tracer bug (CVE-2021-1593), the vulnerability was due to "incorrect handling of directory paths during execution. An attacker could exploit this vulnerability by placing a configuration file in a specific path on the system, allowing a malicious DLL file to be loaded when the application is launched. Successful exploitation could allow an attacker with normal user privileges to execute arbitrary code on the affected system with the privileges of another user account."

But that's all in hindsight. How can problems like this be avoided in the future?

What exactly was the problem?

When we zoom in on the problems described above, three things stand out:

  • The outcome was privilege gain: root-level command execution on the routers, and escalation to another account's privileges in NSO/ConfD and Packet Tracer
  • The router bug hit the small business (SMB) market, where management interfaces are often reachable from the WAN
  • Anyone who obtained elevated privileges, including a legitimately logged-in user, could also damage the underlying operating system

A patch is not enough

Of course, the first thing one thinks of is releasing a patch that fixes the problem. A patch is necessary, but on its own it is mopping up after the fact: the management interface stays exposed, and it is only a matter of time before the next bug needs the next patch. In short, patching your VPN gateway alone will not get you there. You keep the exposure and remain vulnerable to zero-day attacks in the meantime.

Zero Trust Network Access (ZTNA)

So the solution lies in validating users before they get any access at all. Zero Trust Network Access adds a layer that makes it far harder for attackers to get in: on the one hand because they are not authenticated users, on the other hand because the network is simply not visible to them.

How does ZTNA work?

ZTNA works by separating the identification process from the access event, and so keeps the VPN's weaknesses away from the organization. This means that even if an attacker manages to bypass the VPN, which can open up vulnerabilities in the network, they still have to pass a multi-factor authentication (MFA) component, which keeps them out of the organization's network.

ZTNA first authorizes the user and only then grants access. Because ZTNA runs a continuous authorization process with MFA, you get a micro-segmented network in which each application is reached on its own terms. A VPN does not support MFA once the tunnel is established: from that moment on, the tunnel itself is trusted.
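As an added example (not Safe-T's or ZoneZero's code), the following Python models the "first validate, then access" flow from the two paragraphs above: identity and a second factor are checked before any application is reachable, the decision is re-evaluated on every request rather than once at tunnel setup, and identity-based segmentation decides which application each role may see. The users, passwords, roles, applications, the fixed one-time code and the time limits are all constructed assumptions for the demo.

```python
# Added example (not Safe-T/ZoneZero code): a minimal policy enforcement point that
# follows "first validate, then access". Every user, password, role, application
# and the fixed MFA code below is constructed; the time limits are assumptions.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

MFA_MAX_AGE = 900           # assumption: a second factor is good for 15 minutes
SESSION_MAX_AGE = 8 * 3600  # assumption: re-authenticate after a working day
_SALT = b"constructed-demo-salt"


def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed identity store: user -> (password hash, roles)
USERS = {
    "alice": (_pw_hash("correct horse battery"), {"finance"}),
    "bob": (_pw_hash("hunter2"), {"helpdesk"}),
}

# Constructed identity-based segmentation: application -> roles entitled to it.
# Anything not listed is unreachable; nobody in this demo holds the netops role,
# so the router's admin UI is reachable by no one.
APP_POLICY = {
    "erp": {"finance"},
    "ticketing": {"helpdesk", "finance"},
    "router-admin": {"netops"},
}


@dataclass
class Session:
    user: str
    authenticated_at: float
    mfa_at: Optional[float] = None  # stays None until a second factor is proved


def login(user: str, password: str, now: float) -> Optional[Session]:
    """Identity first: without it there is no session and therefore no network path."""
    record = USERS.get(user)
    if record is None or not hmac.compare_digest(record[0], _pw_hash(password)):
        return None
    return Session(user=user, authenticated_at=now)


def prove_mfa(session: Session, otp: str, now: float) -> bool:
    """Second factor. The fixed code is a constructed stand-in for a real OTP check."""
    if hmac.compare_digest(otp.encode(), b"123456"):
        session.mfa_at = now
        return True
    return False


def authorize(session: Optional[Session], app: str, now: float) -> Tuple[bool, str]:
    """Evaluated on EVERY access request, not once when a tunnel comes up.

    This is the continuous-authorization step: a stale second factor or an expired
    session revokes access even though the user logged in successfully earlier.
    """
    if session is None:
        return False, "no identity: nothing is reachable"
    if now - session.authenticated_at > SESSION_MAX_AGE:
        return False, "session expired: re-authenticate"
    if session.mfa_at is None:
        return False, "mfa required"
    if now - session.mfa_at > MFA_MAX_AGE:
        return False, "mfa stale: re-prove second factor"
    entitled = APP_POLICY.get(app)
    if entitled is None:
        return False, f"unknown app {app!r}: deny by default"
    if not USERS[session.user][1] & entitled:
        return False, f"{session.user} is not entitled to {app!r}"
    return True, f"grant {session.user} -> {app}"


if __name__ == "__main__":
    t = 1_700_000_000.0
    s = login("alice", "correct horse battery", t)
    print(authorize(s, "erp", t))                    # denied: no second factor yet
    prove_mfa(s, "123456", t)
    print(authorize(s, "erp", t + 1))                # granted
    print(authorize(s, "router-admin", t + 1))       # denied by segmentation
    print(authorize(s, "erp", t + MFA_MAX_AGE + 1))  # denied: second factor stale
    print(authorize(None, "erp", t))                 # no identity: nothing reachable
```

The contrast with the VPN model is in `authorize`: a VPN answers the "may this user reach this application?" question once, at tunnel setup, and then trusts the tunnel; here the question is asked again for every application and every request, and the answer changes as the second factor ages.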

ZTNA and VPN work together optimally

With a traditional VPN, you first make the connection and then authentication follows. It should be the other way around, because otherwise you are very exposed. In addition, ZTNA with ZoneZero VPN (on top of your current VPN) or ZoneZero SDP (a replacement for the VPN) from Safe-T also works clientless (without agent software) and reduces the attack surface.

In the ideal situation, the VPN is taken out of the path altogether. By first identifying and authorizing, and only then granting access, even very clever attackers have nothing to connect to.

ZoneZero Zero Trust Network Access (ZTNA) solution

ZoneZero, Safe-T's next-generation cloud and on-premises ZTNA solution, ensures that all use cases for organizational access, both inbound and outbound, are secured according to a "first validate, then access" principle. No one from inside or outside the network is trusted by default, and any identity seeking to access resources on the network or in the cloud must be authenticated first.

Remote access users (non-VPN)

ZoneZero enables organizations to deploy ZTNA and provide secure and transparent access to any internal application, service and data, in parallel with or replacing an existing VPN. ZoneZero is based on patented reverse-access technology and is a clientless solution, eliminating the need to open incoming ports in an organization's firewall. Reverse-access technology also ensures that your network remains invisible from both outside and inside.
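To show what "no incoming ports" means in practice, here is an added example in Python of the outbound-only connector pattern. It is a constructed illustration, not Safe-T's patented reverse-access implementation: loopback addresses with ephemeral ports stand in for the three zones (internal application, broker, outside client), and the grant string stands in for a session grant the broker would issue after the validation step. The internal side only ever dials out; the outside client only ever talks to the broker, and it gets a path to the application only after its grant is accepted.

```python
# Added example (not Safe-T's reverse-access implementation): the outbound-only
# connector pattern behind "no inbound ports". Everything runs on 127.0.0.1 with
# ephemeral ports, which stands in for the network zones; the grant is constructed.
import hmac
import socket
import threading

GRANT = b"grant:alice:ticketing"   # constructed; in practice issued per session by the broker
TIMEOUT = 3.0


def read_all(sock: socket.socket) -> bytes:
    """Read until the peer half-closes; each message in the demo is framed that way."""
    chunks = []
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return b"".join(chunks)
        chunks.append(chunk)


def internal_app(listener: socket.socket) -> None:
    """Stand-in for a service inside the network. Only the connector ever dials it."""
    try:
        conn, _ = listener.accept()
    except socket.timeout:
        return  # nothing arrived: the broker refused upstream, we were never touched
    with conn:
        conn.sendall(b"app saw: " + read_all(conn))


def connector(broker_addr, app_addr) -> None:
    """Runs inside the network and dials OUT to the broker; the firewall needs no
    inbound rule. It waits for the broker to hand it an already-validated request."""
    with socket.create_connection(broker_addr, timeout=TIMEOUT) as up:
        request = read_all(up)
        if not request:
            return  # broker closed without relaying: access was denied before we saw it
        with socket.create_connection(app_addr, timeout=TIMEOUT) as down:
            down.sendall(request)
            down.shutdown(socket.SHUT_WR)
            response = read_all(down)
        up.sendall(response)


def broker(conn_listener, client_listener, results: list) -> None:
    """The only publicly reachable piece. It pairs the waiting connector with an
    outside client, but relays a single byte only after validating the grant."""
    conn_sock, _ = conn_listener.accept()
    client, _ = client_listener.accept()
    with client, conn_sock:
        grant, _, payload = read_all(client).partition(b"\n")
        if not hmac.compare_digest(grant, GRANT):
            client.sendall(b"denied\n")
            results.append("denied")
            return  # conn_sock closes untouched: the internal side stays invisible
        conn_sock.sendall(payload)
        conn_sock.shutdown(socket.SHUT_WR)
        client.sendall(read_all(conn_sock))
        results.append("relayed")


def external_client(broker_client_addr, grant: bytes, request: bytes) -> bytes:
    with socket.create_connection(broker_client_addr, timeout=TIMEOUT) as s:
        s.sendall(grant + b"\n" + request)
        s.shutdown(socket.SHUT_WR)
        return read_all(s)


def _listener() -> socket.socket:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))  # ephemeral port on loopback
    s.listen(1)
    s.settimeout(TIMEOUT)
    return s


def run_demo(grant: bytes, request: bytes = b"GET /tickets"):
    """Wire up app, broker and connector, then act as the outside client.
    Returns (what the client received, what the broker decided)."""
    app_l, conn_l, client_l = _listener(), _listener(), _listener()
    results: list = []
    threads = [
        threading.Thread(target=internal_app, args=(app_l,), daemon=True),
        threading.Thread(target=broker, args=(conn_l, client_l, results), daemon=True),
        threading.Thread(target=connector, args=(conn_l.getsockname(), app_l.getsockname()), daemon=True),
    ]
    for t in threads:
        t.start()
    reply = external_client(client_l.getsockname(), grant, request)
    for t in threads:
        t.join(timeout=TIMEOUT + 1)
    for s in (app_l, conn_l, client_l):
        s.close()
    return reply, results


if __name__ == "__main__":
    print(run_demo(GRANT))                       # (b'app saw: GET /tickets', ['relayed'])
    print(run_demo(b"grant:mallory:ticketing"))  # (b'denied\n', ['denied'])
```

The point to take from the denied run is not the "denied" reply but what did not happen: the connector never dialed the application, and the application's listener saw no connection at all. The only listening socket an outsider can reach is the broker's; the internal side has nothing to scan or to exploit with a crafted request.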

Benefits ZoneZero from Safe-T

  • Provides secure and transparent access to any internal application, service and data, in parallel with or replacing an existing VPN
  • ZoneZero is based on patented reverse-access technology
  • Clientless solution eliminating the need to open incoming ports in an organization's firewall
  • Identity-based segmentation and multi-factor authentication for any internal application and secure access management
  • With ZoneZero, organizations can easily integrate multi-factor authentication and continuous identity verification for all applications

Order ZTNA at Hart4Technology

Order ZTNA now at Hart4Technology. Order today and we will deliver within 2 working days. Would you rather have tailored advice first? That is of course possible. Please don't hesitate to contact us.