Agencies Need to Patch VPNs Regularly
Like all technology components, VPNs require regular maintenance. Whether they run on dedicated VPN hardware or use software to run on standard servers, VPNs can contain software and firmware that are subject to security vulnerabilities. Emerging threats, design flaws and code bugs create issues that, when discovered, may allow attackers to compromise VPN connections.
By their nature, VPN devices must be exposed to the outside world to allow inbound connections. This places them in the same risk category as web servers, mail servers and other intentionally exposed systems and increases the importance of ensuring that they are protected against known exploits.
Security teams should place VPN patching high on their priority list. Monitor the security announcements from vendors associated with the agency’s VPN deployment and apply patches as promptly as possible following release. Once a security announcement occurs, the race is on between attackers seeking to exploit a new vulnerability and defenders seeking to secure the VPN from attack.
Also, don’t forget that all components in a VPN stack require regular maintenance. Agencies using server-based VPNs must ensure that the operating system supporting the VPN server also receives regular updates and is protected against compromise.