VPN and Ransomware

Use Case: EliminatingRemoving SSHVPN AttackRansomware SurfaceRisk infrom aStolen Distributed EnvironmentCredentials

A ~~large~~mid-size ~~distributed~~business ~~enterprise~~relied ~~needed~~on Internet-exposed VPN appliances to ~~eliminate~~provide extranet access for staff, contractors, and business partners. Due to legacy constraints, some external users still used single-factor credentials.

After stolen credentials led to a ransomware incident, the ~~attack~~security ~~surface~~team ofacted ~~its~~fast—deploying ~~Internet-facing~~KnocKnoc ~~SSH~~to ~~servers~~protect -the ~~without~~VPN ~~adding~~edge ~~latency,~~by ~~changing~~orchestrating ~~its~~an ~~network~~existing ~~architecture,~~in-line ~~or compromising on security.~~ firewall.

The goal: ~~tie~~eliminate ~~network-level SSH~~Internet exposure ~~and access to their identity provider, while keeping~~of the ~~experience~~VPN ~~seamless.~~

without

~~Knocknoc~~changing ~~was~~network ~~deployed~~architecture ~~using~~or ~~its~~requiring ~~on-host~~client ~~Linux~~software—critical ~~firewall orchestration. Within days, all SSH services were rendered invisible until users authenticated, effectively removing~~for the ~~pre-auth~~diverse, ~~attack~~distributed ~~surface.~~user base.

The result: ~~zero~~no ~~added~~exposed ~~hops,~~VPN, ~~zero~~no user installation required, no routing changes, and a ~~drastically~~dramatically reduced ~~risk~~attack ~~profile.~~surface.

Technical how:

~~SSH~~In ~~can~~this beexample, ~~protected~~an byexisting ~~Knocknoc~~in-line inFirewall aappliance ~~number~~was oforchestrated ~~ways:~~

~~Local Linux firewall orchestration on~~protect the ~~host~~VPN ~~(eg:~~and ~~using~~ ~~IPSets~~)

~~In-line firewall/control device orchestration (Fortigate, JunOS, Palo, AWS, etc), via an adjacent Knocknoc Agent deployment~~

~~HAproxy can sit in front of~~expose the ~~SSH~~services ~~service using the TCP feature~~

~~An on-host firewall orchestration approach is great for bastion hosts - or remove all SSH exposure from your external or internal environments.~~

~~This also allows Knocknoc~~just-in-time to ~~effectively add SSO (and MFA) atop SSH, working together to add heightened security for bastion hosts, fast.~~

~~Shown below, the user first logs in to Knocknoc (auth tied to their IdP), the Knocknoc orchestration-agent then receives instruction to open the firewall to port 22/tcp from the users IP address~~authenticated and ~~the~~authorized ~~user then connects. No proxy/broker, no additional routing nor client installation is required, simple but very effective firewall orchestration.~~

~~This essentially removes attack surface of your SSH hosts until users centrally log in.~~

users.