On 13 March 2020 CISA published alert AA20-073A “Enterprise VPN Security”, which recognises the mass shift to telework as a risk factor for the infrastructure. The alert introduces no new attack techniques: it points out that the VPN concentrator, once it becomes the sole entry point for an entire workforce, stops being a peripheral component and becomes the point where risk concentrates.

Context and problem

Almost every organisation sized its remote access for a fraction of staff: travel, on-call duty, the occasional day worked from home. The implicit model was a trusted corporate network, with a clear perimeter and a few authenticated remote sessions at the edge. Moving much of the workforce outside that perimeter all at once breaks three assumptions in one go: the concentrator’s capacity, the patching cadence of edge devices, and how well a single authentication factor holds up at much larger scale.

The problem is not theoretical. Throughout 2019 two SSL VPN vulnerabilities were actively exploited: CVE-2019-11510 on Pulse Connect Secure (pre-authentication arbitrary file read, exposing keys and credentials in cleartext) and CVE-2018-13379 on FortiOS (path traversal exposing session files containing usernames and passwords). In October 2019 the NSA issued an advisory on mitigating these VPN vulnerabilities; in January 2020 CISA published AA20-010A, noting that CVE-2019-11510 was still being exploited against systems left unpatched months after the fix was released.

Architecture of the risk

Three properties of the VPN concentrator make it hard to manage under sudden load.

It is Internet-facing and almost never in a maintenance window. A remote access gateway is reachable by anyone, at any hour. Precisely because it serves active sessions without interruption, the window to apply an update is narrow or non-existent: taking the concentrator down means sending the entire workforce home. This is the dynamic AA20-073A puts first: VPN devices fall behind on patches precisely because they are always in use. The 2019 vulnerabilities are the proof — the flaw was known and fixable, but the patch was not applied.

It concentrates authentication. With staff remote, the username/password pair remains the only barrier between the Internet and the internal network for most users. Phishing campaigns aimed at remote workers — the alert’s second point — need not defeat a firewall: it is enough to persuade a person to type their credentials. CVE-2018-13379 makes things worse, because an attacker can read credentials directly off the gateway, with no phishing at all.

It has finite capacity. The number of concurrent sessions is bounded by licensing, TLS termination and bandwidth. AA20-073A cites this as its third risk: past the threshold, no further employee can connect and critical operations stall. It is a double constraint, on continuity and on security: the pressure to “let everyone in” pushes towards lowering controls.

The critical point

The decisive factor is multi-factor authentication (MFA) on remote access. NIST SP 800-63B, the 2017 digital identity guidelines, classifies authenticators by assurance level and treats the password alone as the weakest case. On the VPN, MFA changes the geometry of the attack: a username and password stolen by phishing — or extracted from a vulnerable gateway — no longer suffice to establish a session. The CISA alert recommends MFA on all VPN connections and points to strong passwords only as a fallback, declared explicitly inferior.

Not all second factors are equivalent. SP 800-63B flags that SMS-delivered OTPs (described as “out-of-band restricted” authenticators) are exposed to interception and SIM swapping, and that a path towards stronger authenticators — OTP applications or cryptographic keys — should be planned. Under load, what counts is that MFA must be sized alongside capacity: a second factor requiring manual provisioning will not roll out to hundreds of people in a few days.

Operational implications

The AA20-073A recommendations reduce to a few verifiable priorities.

  • Patch edge devices before scaling. The VPN concentrator, network appliances and the endpoints used for access should be brought to the latest version before load rises, not after. The concrete reference is CVE-2019-11510 and CVE-2018-13379: flaws fixed months earlier and exploited on unpatched systems.
  • MFA as default, strong passwords as a declared fallback. The alert’s order of priority is explicit; a password on its own should be treated as a temporary configuration to be closed, not an acceptable state.
  • Capacity and licensing as a security parameter. Knowing the maximum number of concurrent sessions, and what happens once it is exceeded, keeps operational pressure from turning into an incentive to loosen controls.
  • Logging and incident response sized to the new volume. The alert asks teams to be ready to ramp up log review, detection and response: with more remote sessions, traffic baselines shift and indicators of compromise need recalibrating.

At the level of the model, NIST SP 800-46 Rev. 2 — and the March 2020 ITL Bulletin that summarises it — starts from one precise assumption: remote devices and networks are to be treated as untrusted. The four control families the guide identifies for telework (confidentiality and integrity of communications, authentication of the teleworker and the device, isolation of the client from home-network threats, hygiene of the device itself) do not originate in 2020; mass telework only makes them impossible to ignore.

How these priorities translate into a managed remote-access model — dedicated VPNs into client networks, tracked access and distributed monitoring — is the subject of the insight published by noze: https://www.noze.it/en/insights/remote-work-pandemic/.

Limits

These notes concern perimeter remote access, that is, the VPN-centric model AA20-073A presupposes. Access architectures exist that reduce dependence on a single concentrator by distributing enforcement close to the applications; I do not cover them here, because the reality of March 2020 for most organisations is the gateway already installed and now to be scaled in a hurry. MFA mitigates credential theft but not pre-authentication flaws such as CVE-2019-11510: there the only defence is the patch. And none of these measures covers the unmanaged home device, where the boundary between personal machine and corporate access remains the hardest point to govern.


https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-073a https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-010a https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-46r2.pdf https://csrc.nist.gov/csrc/media/publications/shared/documents/itl-bulletin/itlbul2020-03.pdf https://pages.nist.gov/800-63-3/sp800-63b.html https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF https://nvd.nist.gov/vuln/detail/CVE-2019-11510 https://nvd.nist.gov/vuln/detail/CVE-2018-13379

Cover image: Black rackmount Fortinet FortiGate firewall/VPN appliance with network ports on the front panel — photo by Premeditated, CC BY-SA 4.0 — https://commons.wikimedia.org/wiki/File:Fortinet_FortiGate_6501F.png