The Decline of SSL VPN: Why Ivanti Connect Secure is Abandonware
by: Lari Huttunen
Those who cannot remember the past are condemned to repeat it. – George Santayana
I remember how, as a younger techie, working on a project to deliver content securely from A to B involved tedious work with IPsec tunnels. Even getting the IKEv1 negotiation to go through involved hours of debugging until finally you managed to get your proposals and ciphers straight and the tunnel was up and running.
Roughly around the same time, in 2001, an engineer and business developer, Mr. Krishna “Kittu” Kolluri, became the CEO of Neoteris and gave life to a new business category dubbed Instant Virtual Extranet Technology. This meant accessible VPN technology, which instead of IPsec relied on SSL and was accessible through a browser.
A Brief History of an SSL VPN Product
Over the last 23 years, the evolution of the SSL VPN has brought us from the original Neoteris Instant Virtual Extranet (IVE) to what we now know as Ivanti Connect Secure. While some things have changed—most notably the transition from SSL to TLS as the standard protocol—the core idea remains largely the same. However, from a product lifecycle perspective, the journey of Neoteris IVE has ultimately led to a dead end under the Ivanti brand.
The story began with Krishna “Kittu” Kolluri, who made Neoteris a success, catching the attention of Netscreen, which subsequently acquired it. Shortly afterward, in 2003, Juniper Networks saw potential in this emerging security technology and acquired Netscreen, rebranding the SSL VPN solution as Juniper SA (Secure Access) and expanding it further with Juniper MAG (Mobile Access Gateway) for mobile access.
In 2014, Siris Capital acquired Juniper’s SSL VPN product line and formed Pulse Secure, which became a dominant player in the enterprise VPN market. Pulse Secure was, for many, the go-to solution for secure remote connectivity. Eventually, in 2021, Siris Capital sold Pulse Secure to Ivanti, which rebranded the solution as Ivanti Connect Secure.
It could be argued that the SSL VPN might have reached its natural end of life if not for the COVID-19 pandemic, which forced companies worldwide to quickly provide secure remote access for their workforce, temporarily reviving the demand for these legacy VPN solutions.
The Same Timeline, Different Mess
The history lesson above paints a picture of a great business success where a hefty payout has been made for all the venture capitalists involved.
What about security then?
If we think about concepts such as Secure Software Development Life Cycle (SSDLC), where the product life cycle goes something like this:
- Requirements and Planning: Incorporating security requirements.
- Design: Threat modeling and secure architecture.
- Implementation: Writing secure code and using static analysis tools.
- Testing: Security testing, such as penetration testing.
- Deployment and Maintenance: Ensuring secure deployment and monitoring for vulnerabilities.
If the initial deployment of said SSL VPN happened more than a decade ago, then maintenance is likely to become more and more difficult unless the code base is rewritten from scratch to keep up with the dependencies and to keep the security product secure.
A Cold Dose of Reality for Your SSL VPN Solution
As many of us probably know, even Pulse Secure has not been the epitome of a properly executed SSDLC. A quick CVE search and a plot of the Pulse Secure vulnerabilities speak volumes about how well the product has been maintained and kept abreast of the changing environment.
Ivanti Connect Secure: The Height of Decay
Naturally, the decline in the number of vulnerabilities in Pulse Secure is due to the product having been rebranded to Ivanti Connect Secure in September 2021.
Of course, counting just the number of vulnerabilities is not enough; the interesting bit is how severe the vulnerabilities are and whether they are being actively exploited by criminals.
From a risk analysis standpoint, considering the sheer number of severe vulnerabilities and the presence of multiple entries in the CISA KEV catalog, the risk profile of this product looks downright alarming.
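As an added illustration of the kind of risk profile described above (example code, not part of the original post): tabulating a product's CVE history by year and severity and cross-referencing it against the CISA KEV catalog. The CVE records and the KEV excerpt are constructed with placeholder IDs; the KEV field names follow the published JSON feed, and the CVSS buckets are the standard v3 qualitative ranges.

```python
"""Risk profile of a product's CVE history: counts per year, severity mix,
and overlap with the CISA Known Exploited Vulnerabilities (KEV) catalog."""
from collections import Counter
from dataclasses import dataclass
import json


@dataclass(frozen=True)
class Cve:
    cve_id: str
    year: int
    cvss: float  # CVSS v3 base score


# Constructed sample records with placeholder IDs (not real CVEs).
PRODUCT_CVES = [
    Cve("CVE-2019-PLACEHOLDER-1", 2019, 10.0),
    Cve("CVE-2019-PLACEHOLDER-2", 2019, 8.1),
    Cve("CVE-2020-PLACEHOLDER-1", 2020, 5.3),
    Cve("CVE-2021-PLACEHOLDER-1", 2021, 9.8),
    Cve("CVE-2023-PLACEHOLDER-1", 2023, 8.2),
    Cve("CVE-2024-PLACEHOLDER-1", 2024, 9.1),
    Cve("CVE-2024-PLACEHOLDER-2", 2024, 7.5),
]

# Constructed excerpt in the shape of the CISA KEV JSON feed (field names
# follow the published catalog; the entries themselves are placeholders).
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2019-PLACEHOLDER-1", "vendorProject": "ExampleVendor",
     "product": "Example SSL VPN", "dateAdded": "2021-11-03",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-PLACEHOLDER-1", "vendorProject": "ExampleVendor",
     "product": "Example SSL VPN", "dateAdded": "2024-01-10",
     "knownRansomwareCampaignUse": "Unknown"},
]})


def severity(score: float) -> str:
    """Bucket a CVSS v3 base score into the standard qualitative ranges."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    return "medium" if score >= 4.0 else "low"


def kev_ids(kev_json: str) -> set[str]:
    """Extract the set of CVE IDs listed in a KEV catalog document."""
    return {v["cveID"] for v in json.loads(kev_json)["vulnerabilities"]}


def risk_profile(cves: list[Cve], kev_json: str) -> dict:
    """Summarise volume, severity and known exploitation for one product."""
    kev = kev_ids(kev_json)
    return {
        "per_year": dict(sorted(Counter(c.year for c in cves).items())),
        "severity": dict(Counter(severity(c.cvss) for c in cves)),
        "in_kev": sorted(c.cve_id for c in cves if c.cve_id in kev),
        "high_or_critical_share": round(sum(c.cvss >= 7.0 for c in cves) / len(cves), 2),
    }
```

Feeding real NVD records and the live KEV feed into `risk_profile` gives the "plot" the post refers to as a table: a product whose share of high/critical findings stays high and keeps gaining KEV entries is the boat full of holes described below.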
Time to Give Your Ivanti a Final Rest
Based on the above and what we have read in the news, I would argue that the SSL VPN, and especially Ivanti Connect Secure, has reached peak bit rot and must be buried in the back yard.
If you reach a point in your product life cycle that resembles a boat full of holes, then trying to address those leaks one by one is not feasible for any party concerned.
Moreover, the whole paradigm of an easily browser-accessible management interface for your VPN connection has seen its better days. That is why I have started actively recommending abandoning the SSL VPN paradigm to all of my customers still stuck with those solutions.
The New Hype Cycle
Given the insecurities of the dominant business operating system, the hosts most likely cannot function without a VPN, but the first thing you will have to fix is the trust issue you have towards your users. The sad fact is that providing a secure transport for your users to connect to is a good idea, but once connected they shouldn’t be able to move laterally as much as they want.
In other words, instead of trusting the authenticated user with all the resources they have access to, giving them only a minimal set of services will help a lot in minimizing the effects of a client-side compromise.
The concepts of Zero Trust Network Access (ZTNA) and Secure Access Service Edge (SASE) are the new hype terms, but it remains to be seen whether the ZTNA controller vulnerabilities for example will emerge as a result instead. Complexity has never been good for usability and security and even if at present these solutions provide a much needed reduction in attack surface, I remain doubtful whether they are the silver bullet they claim to be.
I think the fixes would have to start on the client-side by building security in. Unfortunately, I don’t see that happening any time soon.