Firewalls and VPNs are so complex now, they can actually make you less secure

Organizations using Cisco and Citrix VPN devices were nearly seven times as likely to suffer a ransomware infection over a 15-month period, according to At-Bay, a provider of cyber insurance and a vendor of managed detection and response products. "When compared to businesses without a VPN detected, organizations using Cisco …

  1. ecofeco Silver badge
    FAIL

    Bwahahahahahahahaha

    *gasp* Bwahahahahahahahahaha

    Effing morons, the lot. Hoist by their own petards.

  2. VoiceOfTruth Silver badge

    League tables for vendors

    I recently floated the idea of having league tables for vulnerabilities. Not just words from the vendors themselves, but actual numbers based on how often they are compromised.

    Nobody would ever get hired for buying Cisco. Cisco should be considered a threat to national security, and be ripped out immediately. But that might leave the American regime with fewer ways to get in where it wants.

    1. tip pc Silver badge

      Re: League tables for vendors

      The dominant player has more kit out there at varying levels of patching & is just statistically more likely to have vulnerabilities found.

      Doesn’t mean that it’s vulnerabilities in that kit that cause miscreants to access the secure database running on Fujitsu hardware running a Broadcom hypervisor running an IBM OS running Oracle software that tunnels back to a 3rd party over HTTPS, where the traffic is switched, routed, firewalled & otherwise secured via Cisco equipment.

  3. elDog Silver badge

    Companies that use on-premise HW VPNs more likely to be attacked?

    Perhaps these companies are frequent targets and want to in-house their defenses?

    A bit of the correlation != causation argument.

    Still, I do think complacency creeps in when a vendor installs a bit of new shiny and says "there, all's good!"

    1. kmorwath

      Re: Companies that use on-premise HW VPNs more likely to be attacked?

      Exactly. Also, was the problem the VPN software itself, or an infected machine that can reach the company network through a VPN - say a BYOD device or the like? In this case a cloudy VPN can't do any more than an on-prem VPN. It's not a surprise that external devices used by incautious people are far more likely to be compromised.

      But a cloud VPN opens issues of its own - since you have your traffic going through someone else's servers that can decrypt it, since they manage the VPN, even if they swear they can't and won't (I'd like to ask them under oath in a court...), and they can be US companies that have to comply with FISA and the CLOUD Act. I've had to use Netskope recently (a cloudy product) - after F5, Fortinet and Ivanti were all caught with their pants down, and our sysadmins are still looking for the silver bullet to kill the internet werewolves (with the smallest effort on their own, of course) - and it can perform TLS inspection too.... who has access to that data, beyond my company? It also has an ugly, poorly written, cumbersome client...

      It is true that VPN software tried to become an EDR also - and that made it complex and cumbersome, but is this the cause of the infections? And why should cloud VPNs be better at that? As far as I can see they are built on the same software - often open source - everybody else uses.

    2. sal II

      Re: Companies that use on-premise HW VPNs more likely to be attacked?

      The study definitely confuses correlation and causation. It provides little evidence of specific exploits that were targeted in the aforementioned big vendor FWs.

      It's like stating it's less secure to use armored cars for large cash transfers, because you are more likely to be a victim of an armed robbery.

      It completely fails to recognize the fact that a large chunk (if not the majority) of ransomware attacks are not coming through the FW, but are a result of phishing, social engineering, malware triggered by users etc.

    3. Anonymous Coward

      Re: Companies that use on-premise HW VPNs more likely to be attacked?

      I was thinking much the same thing - maybe smaller companies use cloudy VPNs because they don't have the expertise to do on-site, and being smaller, they're not targeted as often. So the correlation may well be "bigger companies get hit more often" - because they're the ones with the money.

    4. Peter Gathercole Silver badge

      Re: Companies that use on-premise HW VPNs more likely to be attacked?

      It's not at all clear to me what the meaning of this report is, although I can see that it's partly a sales-pitch for their new cloud based products.

      I would love to see more of the details behind this report. My thoughts are that the companies affected probably drop the inbound endpoint of the VPN on one of their secured networks with significant access, rather than assuming that the traffic coming through the VPN is slightly suspect, and possibly should surface in a DMZ and be firewalled off from the rest of the internal networks, only allowing the desired services through.

      If the endpoint is inside all other defences, your security is determined by how much hardening you apply to the user's systems out in the wild, and what they do with their work system on the wider Internet.

      If it is the case that the way the VPN traffic surfaces gives too much access, then I don't really see how a cloud-based VPN will be any more secure than a properly patched on-prem. one.

      I am frequently appalled by how 'flat' many companies' internal networks are, which means that once access is gained, huge amounts of damage can be done. Companies should be segmenting their internal networks more. This is not a perfect solution, but it makes certain types of attack much, much more difficult.

  4. Anonymous Coward

    complex ... actually make[s] you less secure

    Complexity pretty much destroys any idea of "correctness" in any system.

    The question of whether your ingress/egress systems are secure resolves into whether your firewall rules etc. implement your security policy completely and no more, i.e. correct w.r.t. policy.

    When you have devices with pages of dynamic incomprehensible rules and a host of dodgy services that shuttle stuff backwards and forwards to cloud based services I doubt anyone can honestly say they know with any accuracy what the whole shemozzle actually implements.

    VPNs that terminate on your border devices or within your perimeter are often accorded unrestricted access to internal services which is pretty game over with a single compromised VPN account. This is pretty common even in organisations large enough to know better.

    This situation can only go from bad to worse as skilled experienced professionals are shown the door and replaced with AI and cheaper rookies neither of which heed the old engineering motto "noli futuis quod non intelligis."

    1. ComicalEngineer Silver badge

      Re: complex ... actually make[s] you less secure

      I have been saying that software has become too complex for several years now (and getting the occasional downvote on here for my comments!)

      No system that I am aware of is 100% secure and where it used to be e.g. stack overflows, attacks are now more sophisticated and AI makes attacks easier for operators with relatively low knowledge.

      Of course, the BOFH who clicks on a malicious attachment is still a huge problem.

  5. Taliesinawen

    Firewalls and VPNs make you less secure :o

    Firewalls and VPNs are so complex now, they can actually make you less secure. Especially if they use a web interface for control. All to save having to read a technical manual and understand a syntax. The more links in a chain, the more opportunities to break in.

    1. tip pc Silver badge

      Re: Firewalls and VPNs make you less secure :o

      The answer in those pa examples is to not expose the management interfaces to the internet.

      If you do need to then at least restrict it to a small tiny range of IPs that you control.

      If they are open to all then expect them to be probed by aliens!!! Who may just decide to attack.

      1. Roland6 Silver badge

        Re: Firewalls and VPNs make you less secure :o

        > "If you do need to then at least restrict it to a small tiny range of IPs that you control."

        Surely the old school way of exposing the interface was to have external users VPN into a host on the management network and then LAN connect to the network appliances; this also enables you to log access and, if needed, record sessions.

        That way there is nothing to probe from the web.

    2. kmorwath

      Re: Firewalls and VPNs make you less secure :o

      Sure, with a CLI the average lazy sysadmin just copy & pastes commands stored somewhere. Often without reading much which commands he's entering...

      1. Taliesinawen

        Re: Firewalls and VPNs make you less secure :o

        > Sure, with a CLI the average lazy sysadmin just copy & pastes commands stored somewhere. Often without reading much which commands he's entering...

        A single line in a config file won't mutate and cause instability on the other side of the planet.

  6. tip pc Silver badge

    So much nonsense

    "We think the takeaway is clear:

    No it’s not clear

    Companies relying on on-premise VPN devices from vendors like Cisco and Citrix should strongly consider transitioning to modern cloud-based, remote access solutions."

    Paying someone to do my work is not always a wise move especially when they care less about what I’m doing and are more interested in acquiring the next subscriber.

    "Early VPNs were simple," the report says. "They only handled VPN connections and were easier to secure. Over time, vendors began combining multiple functions (like firewall, router, proxy, and VPN) into a single device."

    All the early VPN systems I worked on (PIX, Checkpoint FW1, SRX, SonicWall) were also firewalls & by necessity also did routing. How can you have a firewall that doesn’t route?

    This led to next-generation firewalls (NGFWs), which exploded in popularity following the pandemic-induced remote work rush of 2020. "The result is that NGFWs create a very large attack surface, which attackers are actively taking advantage of," the report authors wrote.

    This makes it seem like NGFWs are all about VPNs, routing etc., but NGFW is all about extra security like IPS, heuristics, AI detection, deep packet inspection leading to application detection and control etc.

    https://en.wikipedia.org/wiki/Next-generation_firewall

    It’s like someone is trying to rewrite a narrative here & getting it totally wrong while using all the buzzword bingo tech jargon words they think their prey have heard of or will be impressed by.

  7. John_Ericsson

    "Keep It Simple", should be hardcoded into security policies.

    In my experience it is "IT" that are driving the escalation of complexity of systems and services without considering risk of support and understanding of the services.

    1. Anonymous Coward

      I'm not a networking expert, but I have ended up as the most expert person left, so I deal with things like security. As I know I'm not up to all of the fancy capabilities advertised, and we don't have a budget for such boxes anyway, for me it is using OpenWrt as simple, cheap, and decently secure.

    2. Roland6 Silver badge

      I suggest it is the likes of Cisco et al who are driving the complex appliance. Rather than have discrete appliances for firewall, router, VPN server, RDS gateway, they have created the integrated appliance and sold it as being 1U instead of 4U etc.

      IT, due to its place in many companies of being a cost centre, will be pressured to keep costs down, and if the complex appliance from Cisco is cheaper than a bunch of discrete and more secure appliances from best-of-breed vendors then that is what is going to get purchased.

  8. GNU Enjoyer

    > "strongly consider transitioning to modern cloud-based, remote access solutions."

    Well, there it is.

    Other people's computers running proprietary software always increases complexity and has no security (as proprietary software will never be secure).

  9. Anonymous Coward

    Perhaps if we import more people from countries where the IQ is less than 75 - the problem will fix itself?
