Site2Site VPNs are crap


As a network engineer I used to set up a lot of S2S VPNs. It was a great job: I would schedule a meeting with the other company’s representative, we would exchange VPN parameters, secret keys and encryption domains, and voilà: all employees from company A had access to all IP addresses in the encryption domain of company B. Some application testing followed and we all went our separate ways, IT heroes that we were. Happy ending.
There are obviously so many things that bother me these days about this setup.

a) As an admin at company A, I never made sure that there were any access policies preventing unauthorized personnel from company B from reaching a machine that was part of their encryption domain. We never even asked questions about it.

b) Conversely, admins from company B never asked us about our upgrade policies. In fact, our VPN hubs were so old that we wouldn’t have been able to upgrade even if we had wanted to. We never asked them either.

c) In one example setup, there was a firewall to the left of our VPN router, with all the ACLs, IPS, antivirus etc. All logging went to the SIEM, but in all the years I was the admin we never heard from anyone in the SOC about any alerts connected with those VPNs. Hell, we had no idea who those guys were or whether they existed at all.

d) Because we were a VPN hub for hundreds of other service providers, those other companies had all sorts of gateways: some of them new, some of them really old and crap. Incompatibility issues abounded. After a few years we almost always knew what the problem was with each of them, but every now and again we still spent hundreds of hours investigating a flapping tunnel.

I could probably go on and on like that but in a nutshell:

Firstly, if you have a site-to-site VPN to another company, all you see entering your network is an IP address. That is all you know, and it is far from enough. Firewalls simply don’t have enough processing power to look inside those packets and see the problem. Also, how will you SSL-inspect traffic from a different company?
Secondly, you need expert admins on both ends if you run into compatibility issues. Not every admin can debug them.
Thirdly, VPNs don’t age well. Even if the parameters used are good today, traffic can be recorded now and decrypted next year, when the man in the middle has access to new decryption techniques.

Get rid of your VPNs. Today.