VPNs such as OpenVPN, SSH, and HTTPS all use similar encryption methods. Are any of these inherently less secure than the others? Feel free to make some assumptions – for example, I’m assuming SSH is configured to only allow key exchange authentication, not passwords. Assume HTTPS is TLS1.3 only.
I’m working for a company that has historically used OpenVPN to allow users to access some internal applications.
But now that we have ubiquitous HTTPS, I have configured some apps to allow logins direct from the Internet, with 2FA.
Should I continue down this path and eventually abolish the VPN entirely?
Some remote sites also need access to some internal services. Currently these go over OpenVPN, and SSH inside of that. Is there any security point in having the OpenVPN layer – ignoring for now the ease of use a VPN provides? I’m purely interested in the security aspects.
The bigger problem with opening apps out to the internet is exposing another attack vector.
The mode of transport may be encrypted but if there is an exploit on the website/app itself you’ve just exposed yourself.
Personally I advocate using Cloudflare or ZScaler for remote access now, rather than VPN or opening ports.
VPNs are great for techies, but they give too much network access to regular people. Do the remote sites need access to all networks/sites, or just a collection of apps?
I recommend retiring VPNs over time in favour of more tightly controlled access focused on centralised IAM and ZTNA for managing access to applications. If you wanna go down the full Zero Trust approach, let users use any network they please, because it is always untrusted. Just make sure you validate the user, the asset they are using and the location they are coming from before you grant access. Encrypted protocols are standard for ZTNA, including DNS, and all largely focus on HTTPS.
Downvotes will fly because, you know, change. But it works for the US Air Force, Google, DoD and many more.
You need to be very careful with exposing a VPN. It’s one of the main ways companies get compromised. This is because one VPN account compromise exposes too much access and it’s too easy to compromise the account in the first place. Sometimes the VPN gateway itself is hacked too. There are other solutions that might be more effective. Cloudflare has an offering, but I haven’t looked at the details much before.
Is there any security point in having the OpenVPN layer
Defence in depth & access control.
If the applications are internal and have no need for general public access, then why expose them to the internet as a whole?
You present a much smaller attack surface if you just have OpenVPN exposed to the internet instead of various different systems.
Should I continue down this path and eventually abolish the VPN entirely?
No, not what you’re doing. That’s the opposite of reducing your exposed footprint. In a perfect world it would be fine, but it’s not a perfect world and applications can have vulnerabilities that allow direct command/code execution bypassing any auth.
Sounds like you want to look into stuff like Zscaler/NetSkope or similar SASE products.
They are products meant to address this scenario.
Iboss does a great job at this.
You can configure OpenVPN (and Wireguard) in a way where the server doesn’t make any response if the packets are not signed by the correct key. Your VPN server would seem like a black hole for everyone except the users who have the right key.
VPNs do not have a “yes I want to trust this certificate” button, like browsers.
OpenVPN (and Wireguard) can be configured to mix a pre-shared key into the TLS key exchange as some protection against store now, decrypt later type of attacks and would make it somewhat quantum-resistant (as long as your pre-shared key isn’t leaked).
With HTTPS / Web you could easily use strong 2FA (Passkey, WebAuthn / FIDO2, HW security key). (AFAIK you can use some of the more expensive YubiKeys to hold the keys for OpenVPN, but it is much harder to configure and use.)
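The two settings this reply describes (a server that stays silent toward anyone without the shared key, and a pre-shared key layered onto the TLS key exchange), written out as an added example configuration that is not the poster's own; vpn.example.com, the key file names, the address ranges and the bracketed key values are placeholders.

```conf
# --- OpenVPN server (server.conf) ---
# Added example, not from the post. vpn.example.com, key file names and
# the 10.8.0.0/24 range are placeholders.
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh none                  # ECDH only; no static DH parameters needed
tls-version-min 1.2
cipher AES-256-GCM
remote-cert-tls client   # reject a certificate not issued for client use
# Every control-channel packet must carry a valid HMAC under ta.key before the
# server replies or even starts the TLS handshake; anything else is dropped
# silently, which is the "black hole" behaviour described in the reply.
# The same key also encrypts the control channel, so the TLS handshake itself
# is not readable by a passive recorder.
# Generate once: openvpn --genkey secret ta.key  (2.5+; older: --genkey --secret ta.key)
tls-crypt ta.key

# --- OpenVPN client (client.ovpn): must hold the identical ta.key ---
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-crypt ta.key

# --- WireGuard server side (wg0.conf), same idea ---
# WireGuard never answers a handshake that does not verify under the peer's
# public key. PresharedKey mixes an extra symmetric secret into that
# handshake, which is WireGuard's own measure against store-now, decrypt-later.
# One PSK per peer; generate with: wg genpsk
[Interface]
PrivateKey = <server private key, placeholder>
ListenPort = 51820
Address = 10.9.0.1/24

[Peer]
PublicKey = <client public key, placeholder>
PresharedKey = <output of wg genpsk, placeholder>
AllowedIPs = 10.9.0.2/32
```

Without `tls-crypt` (or `PresharedKey`) both servers still authenticate clients, but an unauthenticated probe gets a protocol-level response, so the service is enumerable from the Internet.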
SSH and HTTPS are not a replacement for VPN. The big problem here is that you’ve increased your attack surface from a VPN server to SSH and a web server. Are you staying up on patching? Do these software vendors ever have 0-day vulns?
HTTPS (TLS) is a protocol, not an application such as SSH or OpenVPN. The web server or application using it should be secure, and often there are vulnerabilities (TLS 1.3 itself is pretty secure). So I consider exposing HTTPS to the internet risky in many cases.
SSH and OpenVPN are similarly complex and similarly secure. OpenVPN is designed to be exposed to the internet, so that’s the best option. Then SSH and HTTPS over OpenVPN.
Go figure out which layer in the OSI model each of those operate in, and come back and tell us about it. (Yes there are enormous differences. SSH and HTTPS are not VPNs).
Those agencies operate their own coordination servers. People don’t.
Also, you might still need network access with VPNs and reverse proxies.