Last year, the Department of Homeland Security issued a vulnerability notice that disturbed many in the cybersecurity community: Several popular virtual private network solutions had insecurely stored authentication cookies in their memory or log files. An attacker gaining access to that information could steal a legitimate user’s session and gain access to services protected by the VPN without going through the normal authentication process.
Since then, vendors have provided patches for this vulnerability. But the announcement underscores the importance of carefully configuring and managing all components of an organization’s security program. VPNs play a crucial role, safeguarding network traffic between sites for remote and mobile users.
Even so, VPNs often get very little attention — the modern VPN is a workhorse that simply works properly and doesn’t demand administrator intervention. This lack of attention can lead to serious security issues over time.
Let’s consider three ways that colleges and universities can better protect their VPN implementations.