
My company wants to move an internal web app to the cloud. The app only accepts SSL/TLS connections and requires all users to authenticate using our Single Sign-On provider.

Today when a user wants to access this internal app remotely, they connect to our corporate VPN. So the current plan is to configure a site-to-site VPN connection between our office and the cloud provider.

My personal impression is that whitelisting our office's IP with our cloud provider would basically provide the same level of security. Everybody tells me that I am wrong but fails to give me a convincing argument.

My thinking is the following:

  1. Site-to-site VPN does not authenticate individual users or machines, it only guarantees that the traffic only flows between two networks (our office and our cloud provider). If the source of the traffic is restricted by its IP and the destination is authenticated by its valid SSL certificate, isn't it the same?
  2. The encryption provided by the VPN is redundant since we already use TLS.
  3. If anything, the VPN option is less secure since it could let in incoming connections from the cloud provider which we do not need nor want.

The main argument that I've heard is rebutting point #1 on the basis that IP whitelisting is not secure because of IP spoofing. My understanding is that IP spoofing is basically only used in DoS attacks and that an attacker would not be able to complete a TLS handshake while faking its IP (see this question for details).

Am I missing something here?

  • You're assuming the connection is unidirectional (from the user browser to the web server). Maybe that's not the case, and the application needs access to internal services (AD or file server, for example). In this case, the VPN makes a lot of sense. – Najkin Feb 05 '20 at 12:04
  • @Najkin I know for a fact that the application does not need incoming connections, I coded it. That's why I am saying in item #3 that bidirectionality is actually more of an argument against the VPN. – asking_for_a_friend Feb 05 '20 at 14:45
  • Your cloud provider theoretically has access to any resource that you host in the cloud. An IP restriction of your public office IP doesn't prevent your cloud provider from accessing the application. If you're thinking about that then you shouldn't go to the cloud. – Artjom B. Jul 05 '20 at 20:57

3 Answers

While your assumption #1 is true, whitelisting your corporate IP means that anybody in your company can have access to that application, even though they might be blocked by the SSO. Using a StS VPN helps here because you can use subnets and only allow people in specific subnets to have access to the application.

Also, if you have a corporate WiFi and a guest wifi, whitelisting your corporate IP would allow ... guests, to have access to that application.

Kaymaz

Site-to-site VPN does not authenticate individual users or machines, it only guarantees that the traffic only flows between two networks (our office and our cloud provider). If the source of the traffic is restricted by its IP and the destination is authenticated by its valid SSL certificate, isn't it the same?

That is true, VPN in this case does not authenticate individual users or machines, however, it offers a defense against MiTM attacks, since impersonating one point of VPN site-to-site network would require a considerable effort.

The encryption provided by the VPN is redundant since we already use TLS.

True, but I doubt that VPN was selected because of encryption (assuming)

If anything, the VPN option is less secure since it could let in incoming connections from the cloud provider which we do not need nor want.

True, but in the same manner neither is IP whitelisting secure, as it will allow traffic flow from the provider.

There might be more to it than you've described, for example the Network Administrator thinks that it would be easier for him to manage such connections by putting them on the VPN, or maybe your company uses different devices for VPN access than for the firewall, for example, and wants to offload traffic burden from the firewall.

Rashad Novruzov

Defense in Depth

No single strategy is ever adequate because there are ways around each individual strategy. When you combine layers of strategies, then the connection is only possible if all layers are satisfied.

What about non-application users?

Also keep in mind that while you mentioned the application users use TLS with mutual authentication, it is also necessary to maintain the infrastructure. E.g. you'll probably need to apply OS patches, software patches & revisions, perform database maintenance, do backups, access your cloud console, etc. etc. All these accounts are necessary but not using the TLS client-certificates to authenticate.

The point is... assume the credentials can be stolen (however unlikely, the probability is never actually 0). If stolen, and since your application is hosted in a public cloud reachable from anywhere on the Internet, then anyone able to steal the credential can access your application.

Trusted Users vs. Trusted Path/Location

When you use a site-to-site VPN, the VPN usually just authenticates its two endpoints and not the connections, users, or machines that use the VPN. So the VPN on its own isn't adequate security. It's just one of many layers of a defense-in-depth strategy.

But what the VPN does do (besides the obvious) is it forces all users to reach the cloud-hosted application and infrastructure via a trusted path. If your servers are set up such that they only listen for connections on the VPN, then stolen credentials aren't useful unless they are also used by someone who can establish a connection via the trusted path ... not just anywhere on the planet.

This means, for example, that when your DBAs connect to the cloud-hosted database, they would need to be coming through that trusted path ... giving you a little more assurance that the DBA is coming from an expected location -- not just anywhere.

Use Both

TLS serves to authenticate the application users (but probably not the folks who maintain your infrastructure). But it doesn't make sure those users are coming from a trusted location.

The VPN doesn't authenticate the individual users. But it does serve to make sure the connections come from a trusted location.

Tim Campbell
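Kaymaz's subnet point and Tim Campbell's "use both" point, modelled together in one added example (not code from either answer, nor from the asker's application); the public IP, subnets and sample hosts are constructed assumptions:

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing (assumptions, not taken from the thread).
OFFICE_PUBLIC_IP = ip_address("203.0.113.10")  # NAT address shared by every office host
CORP_SUBNET = ip_network("10.1.0.0/24")        # staff LAN, visible as-is inside the tunnel
GUEST_SUBNET = ip_network("10.2.0.0/24")       # guest WiFi, behind the same NAT


def nat_public_address(inner_ip: str) -> str:
    """What the cloud edge sees: every office host, staff or guest, collapses
    to the single NAT address; anything else keeps its own address."""
    ip = ip_address(inner_ip)
    if ip in CORP_SUBNET or ip in GUEST_SUBNET:
        return str(OFFICE_PUBLIC_IP)
    return inner_ip


def reachable_via_allowlist(inner_ip: str) -> bool:
    """Public IP allowlisting: the only distinguishing fact is the NAT address."""
    return ip_address(nat_public_address(inner_ip)) == OFFICE_PUBLIC_IP


def reachable_via_vpn(inner_ip: str) -> bool:
    """Site-to-site VPN: the original LAN address is preserved inside the
    tunnel, so the cloud-side rule can admit the staff subnet only."""
    return ip_address(inner_ip) in CORP_SUBNET


def evaluate(inner_ip: str, sso_ok: bool) -> dict:
    """Defense in depth: a request is authorized only if the network layer
    admits it AND the SSO layer accepts the user. Returns both designs."""
    results = {}
    for design, path_ok in (("allowlist", reachable_via_allowlist(inner_ip)),
                            ("vpn", reachable_via_vpn(inner_ip))):
        results[design] = {"reachable": path_ok, "authorized": path_ok and sso_ok}
    return results


if __name__ == "__main__":
    # Constructed cases: a staff laptop, a guest on the office WiFi, and a
    # stolen SSO credential used from an arbitrary Internet address.
    for label, ip, sso in (("staff", "10.1.0.5", True),
                           ("guest", "10.2.0.9", False),
                           ("stolen credential, Internet", "198.51.100.7", True)):
        print(label, evaluate(ip, sso))
```

The guest case is the one that separates the two designs: the allowlist makes the application reachable to the guest (SSO then has to hold on its own), while the VPN rule never admits the guest subnet.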