Web, dark web and backdoor web
It's interesting to read in the media about the web and the fascination with the dark web, but we ought to focus more on the back door web.
By back door web, I'm referring to all of the VPNs companies have and the tangled web they weave.
A VPN (virtual private network) is just a way to connect one network to another securely, by encrypting the traffic as it crosses a public network (the internet).
Sounds good, and we've got that word "private" in the acronym, but really it's only the transport of the data that is secure or private. Well, maybe; it depends upon a number of decisions, but that's an encryption and best practices discussion for another day.
When we talk about VPNs, there are both site-to-site VPNs (network to network) and user/device VPNs (device to network). I equate it to extending a network cable from the data center or network to a user's home or personal device. Who would knowingly do that without inspection? A site-to-site VPN connects one network to another. Without extra precautions, it also connects whatever other networks have been connected at either end. It can literally create a tangled web of implied trust that one or both parties never intended and don't know about. After all, we've all heard the phrase "six degrees of separation."
Let's say you are working at company "A" and create a VPN with company "B". Great, you both cooperated and agreed (but I hope you're doing audits to confirm that). However, what if company "B" also had a VPN to company "C" that you wouldn't even know about?
Granted, there are ways to restrict access (ACLs, policies, proxies, etc.). But did you validate that this is actually the case, and do you keep validating it? Can you really? What if company B decides to NAT company C's addresses into an address range of company B that your VPN policy allows? Would you know then?
Unless you have access to every layer 3 device config on both ends and continually recheck them, you have no clue. Ideally all companies are using a NAT solution, and ideally all players are using STRICT scoping of source- and destination-address-based rules with tight network masks. That's doubtful.
How do you know? I say you've got back doors unless you can absolutely prove and validate otherwise.
So, stop connecting VPNs DIRECTLY into your networks; create VPN buffer zones and strict policies instead. Segment, segment, segment.
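One way to put the "did you validate?" question into practice is to audit the rules on your own side of the tunnel for exactly the weaknesses described above: source prefixes wider than what the partner agreed to, destinations that reach past the VPN buffer zone into the internal network, and unrestricted services. The script below is an added example, not something from the original post. It models rules as simple tuples rather than any vendor's syntax, and the partner prefix (10.20.0.0/24), the buffer zone (192.168.100.0/24) and the sample rules are all constructed. Note what it cannot do: it cannot see NAT on the peer's side, so a partner hiding a third company behind agreed addresses is invisible to it; tight source masks only shrink the range a peer could abuse that way.

```python
"""Audit a site-to-site VPN policy for over-broad rules (constructed example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str    # CIDR or "any"
    dst: str    # CIDR or "any"
    proto: str  # "tcp", "udp" or "any"
    dport: str  # port number or "any"
    action: str  # "allow" or "deny"


# Assumptions for this example: the prefix company B agreed to present over the
# tunnel, and the VPN buffer zone (DMZ) that all tunnel traffic should land in.
PARTNER_NET = "10.20.0.0/24"
BUFFER_ZONE = "192.168.100.0/24"

ANY_NET = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample policy: one rule is tightly scoped, the others are not.
SAMPLE_RULES = [
    Rule("vpn-b-sftp", "10.20.0.0/24", "192.168.100.10/32", "tcp", "22", "allow"),
    Rule("vpn-b-sql", "10.20.0.0/16", "any", "tcp", "1433", "allow"),
    Rule("vpn-b-mgmt", "any", "172.16.0.0/12", "any", "any", "allow"),
    Rule("deny-all", "any", "any", "any", "any", "deny"),
]


def to_net(cidr: str) -> ipaddress.IPv4Network:
    """Translate "any" to 0.0.0.0/0 and tolerate host bits in the CIDR."""
    return ANY_NET if cidr == "any" else ipaddress.ip_network(cidr, strict=False)


def audit_rules(rules, partner_net: str, buffer_zone: str) -> dict:
    """Return {rule name: [problems]} for every allow rule that is too broad."""
    partner = ipaddress.ip_network(partner_net)
    buffer_ = ipaddress.ip_network(buffer_zone)
    findings = {}
    for rule in rules:
        if rule.action != "allow":
            continue  # deny rules cannot widen trust
        problems = []
        src, dst = to_net(rule.src), to_net(rule.dst)
        # A source wider than the agreed partner prefix admits whatever the peer
        # later routes or NATs into that range, including networks you never agreed to.
        if not src.subnet_of(partner):
            problems.append(f"source {src} is wider than agreed partner prefix {partner}")
        # A destination outside the buffer zone means the tunnel terminates
        # directly on internal hosts instead of in a segmented VPN DMZ.
        if not dst.subnet_of(buffer_):
            problems.append(f"destination {dst} is not confined to buffer zone {buffer_}")
        if rule.proto == "any" or rule.dport == "any":
            problems.append("service is unrestricted (protocol or port is any)")
        if problems:
            findings[rule.name] = problems
    return findings


if __name__ == "__main__":
    for name, problems in audit_rules(SAMPLE_RULES, PARTNER_NET, BUFFER_ZONE).items():
        print(name)
        for problem in problems:
            print("  -", problem)
```

Run against the constructed policy, only `vpn-b-sftp` passes: it is pinned to the agreed /24, to a single host in the buffer zone, and to one TCP port. The other two allow rules are the "tangled web" in miniature, and each is flagged for every dimension in which it is too loose.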
Don't be a TARGET, pun intended!