Leverage Your VPN For Attack Surface Reduction

Take a moment and mentally tally up all the different technological resources your business utilizes on a day to day basis. You probably have plenty of computers, cell phones, and internet connected printers in the office. Your employees likely use a corporate email account, specific websites, and SaaS (software-as-a-service) tools to get work done. On top of that, you have APIs for your partners to use, and specific interfaces to keep business moving forward.

All of these allow you to reach your goal and be successful and profitable. But like any double-edged sword, these can also be your biggest vulnerability.

That’s because all your valuable IT resources also make up your attack surface.

Keeping the attack surface as small as possible is a basic security measure — but increased services, devices, and tools mean the attack surface expands with every new addition.

What is The Cyber Attack Surface Anyway?

An attack surface is the number of points, or “vectors,” an attacker can use to gain access to your data and IT systems. There are two primary types of attack surface: digital and physical. The digital attack surface includes things such as software applications, networks, protocol ports, operating system services, and web and desktop applications. The physical attack surface includes everything related to hardware and physical devices such as routers, desktop computers, mobile phones, printers, and USB ports.

attack surface protection

The larger your attack surface, and the more points of entry you have, the easier it is for an attacker to gain access to your network. Large organizations are typically at higher risk. However, many smaller organizations have a very broad attack surface they aren't aware of. Cybercriminals may see them as an easy target.

Attackers usually try to penetrate an attack surface in one of two ways:

  1. Sending data into your network
  2. Extracting data from your network

One of the most common ways they do this is through login credentials. Usernames and passwords are easy to compromise and provide access to a wide range of resources. Most employees choose passwords that are easy to remember — which means they are also easy to guess or compromise in a brute force attack. A lot of employees also use the same usernames and passwords across all of their different tools and services. This means if a hacker can compromise one set of credentials, they can get access to a long list of different resources.

So, what can you do?

One easy way to secure many vectors on your attack surface is to implement multi-factor authentication. MFA can help you double-down on all password-protected resources that would otherwise give an attacker easy access to your network. Multi-factor authentication can be easily implemented using OpenVPN Access Server.

How One Company Minimizes its Attack Surface With OpenVPN

Take for instance a company that provides a cloud-based platform for sensitive geospatial analytics. The company needed to provide secure access over the Internet to important internal resources — but the number of employees requiring remote access had grown substantially, leading to a drastically increased attack surface. The company needed a new solution for its entire remote workforce, which would allow them to minimize its attack surface, without hindering employee capabilities.

OpenVPN Access Server provided the company with a robust VPN solution that enabled remote employees to securely access private company resources. The company then used the easy to install Amazon Machine Image to deploy Access Server within the Amazon Web Services Virtual Private Cloud that housed the other internal servers. Then they set up AWS Security Groups for those servers to accept incoming traffic to privileged ports only if it comes from the Access Server.

To authenticate the employees with privileged access, they interfaced OpenVPN Access Server with their identity directory using RADIUS, and they implemented multi-factor authentication (MFA) by connecting to their MFA provider over RADIUS.

With the Access Server solution in place, employees access their applications securely from office or home — and the security administrators no longer manage cumbersome IP whitelists. By investing in OpenVPN Access Server, the company provides a secure remote access solution for its employees, with simple, effective management tools.

Simple Steps For Attack Surface Reduction

In order to protect your organization thoroughly, you need to be able to understand and visualize your attack surface:

Step 1: Map out all of the different attack vectors so you can see exactly what ports of entry an attacker might be able to go after.

Step 2: Identify which resources are potentially vulnerable to outside attack.

Step 3: Determine how to minimize your attack surface.

After following those three steps, you will have a better picture of what your attack surface looks like, and how to achieve attack surface reduction. If you decide to implement VPN to provide greater security and reduce the attack surface open to public access, OpenVPN Access Server can help.

MFA Options Compatible With OpenVPN Access Server

Access Server can be easily integrated with several TOTP (the Time-based One-Time Password algorithm)  MFA services such as Duo Security, Authy, and SaaSPass. It can also be used with our built-in support for Google Authenticator. By combining these security solutions, you can easily reduce your cyber attack surface.

Google Authenticator: Access Server supports the Google Authenticator multi-factor authentication system, but it is not enabled by default. It can be enabled via the Admin UI under “Client Settings" or via the command line with the command-line examples given here.

RADIUS: OpenVPN Access Server allows you to easily configure RADIUS servers for user authentication. The configuration RADIUS has three methods that you are able to choose, and you can also configure five RADIUS servers that will be used for authentication. For detailed instructions, see our resource on Configuring Radius for Authentication.

Share this story: