VPN rots your brains
This post is for people who have already decided that layer 7 authN/Z controls are right for their needs. This leaves the question of whether it’s worth deploying a separate layer 3 control, like a VPN. Defense in depth is good, right? Who can argue with a belt-and-suspenders approach?
My general thought is that a belt-and-suspenders security measure is always a good idea if the cost of maintaining it doesn’t result in underinvestment in any other security control. We can divide this cost into two categories:
- opportunity cost
- psychological cost
Opportunity cost is straightforward. If I need to spend 4 days building a control plane for my L3 VPN-based solution, those are 4 days that I can’t spend building improvements to my L7 solution. If I need to dedicate headcount to the VPN, that’s headcount that can’t go to any other security initiative.
Psychological cost is fuzzier: it is de facto underinvestment in the primary control because of the “fuzzy blanket” (i.e. false sense of security) offered by the defense in depth. It’s the “well, it doesn’t matter if Layer A in my Swiss cheese has a massive hole, since I still have Layer B.” If you want to use economics terminology, psychological cost is moral hazard.
Put differently: VPNs are just barely good enough to cause defenders’ brains to rot, but not good enough to actually work in real life.
I have had so many conversations with engineers who say “well, it’s behind VPN, so that should be good enough,” and to be honest it’s frustrating to have to answer “well it’s not going to bite you immediately, but you still shouldn’t do it.” Most software engineers recognize that launching an unauthed service to the Internet would constitute blatant engineering malpractice; they avoid it because they want to keep their jobs. Nobody acts the same way about services behind a VPN.
As a de facto concession to the argument being made by the hypothetical software engineer above, most organizations have no governance for what services get exposed within the VPN. So in practice the controls are reversed: L3 becomes the primary control, and L7 exists as a secondary defense-in-depth measure.
To conclude: L3 controls are great, and typically worth their direct opportunity cost as a form of defense-in-depth. But in the absence of a serious plan to address their psychological costs, they aren’t worth having.
Caveats
There are probably smart solutions to this problem, like inviting external red-teamers into your VPN and paying them bounties. I’ve never seen them implemented, but I can see a reasoned argument for giving it a shot.
This post is mostly about services exposed to endpoint devices on a corporate network. Many of the ideas transfer to a production network, but not all of them 1:1. L3 controls still definitely have a place in production networks. In my unscientific sample, people take L7 more seriously when in production.
I entirely skipped over the benefits of L7 controls vs L3, so if you find yourself shaking your head, it might be worth dividing your counter-arguments into (1) the merits of L7 controls generally, and (2) arguments over the cost/benefit of maintaining the two kinds of controls in tandem.