PAN-SA-2020-0009 Informational: Mitigating threats for GlobalProtect clients connecting from untrusted networks
Orange Cyberdefense presented a study on the efficacy of modern commercial VPN solutions when providing security to clients on untrusted networks, such as internet hotspots. The study aims to make network administrators aware that they must carefully deploy their VPN solutions. This study highlights the fact that VPN-only solutions do not offer the level of security required for clients connecting from untrusted networks.
Researchers conducted this study to measure the efficacy of VPNs in a controlled lab environment where they disabled host firewalls and threat prevention features and conducted attacks that are considered known risks in an untrusted network. This research does not demonstrate a new vulnerability or a novel attack technique.
Palo Alto Networks products, such as GlobalProtect™, Cortex™ XDR, and threat prevention features and subscriptions on our next-generation firewalls, are ideally suited to address the risks considered in the study.
This study illustrated the importance of enabling GlobalProtect features related to captive portals and of enabling additional layers of security through endpoint protection and next-generation firewall features.
Required Configuration for Exposure
The following GlobalProtect portal configuration increases the risks associated with GlobalProtect clients in an untrusted network:
1. 'No direct access to local network' is disabled under Split Tunnel configuration. See https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/globalprotect/network-globalprotect-gateways/globalprotect-gateways-agent-tab/client-settings-tab.html.
2. 'Allow User to Continue with Invalid Portal Server Certificate' is set to 'Yes' (Network > GlobalProtect > Portal > Agent > <agent-config> > App).
CVSSv3.1 Base Score: 0 (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N)
The risks outlined in the study are mitigated by:
1. Ensuring that you have the following configuration for the GlobalProtect portal:
(a) 'Allow User to Continue with Invalid Portal Server Certificate' set to 'No' (Network > GlobalProtect > Portal > Agent > <agent-config> > App).
(b) 'No direct access to local network' option is enabled (Split Tunnel configuration). See https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/globalprotect/network-globalprotect-gateways/globalprotect-gateways-agent-tab/client-settings-tab.html.
2. Ensuring that all next-generation firewall threat prevention features and subscriptions are enabled.
3. Ensuring that you deployed the Cortex XDR agent on clients for endpoint protection. See https://www.paloaltonetworks.com/cortex/endpoint-protection.
4. Not accessing unsecured HTTP sites until the GlobalProtect status displays as 'Connected'. Setting a low value for the 'Captive Portal Exception Timeout (seconds)' option reduces this window of time. See https://docs.paloaltonetworks.com/globalprotect/10-0/globalprotect-admin/globalprotect-quick-configs/captive-portal-and-enforce-globalprotect-for-network-access.html.
5. Setting the 'Enforce GlobalProtect Connection for Network Access' option to 'Yes' to prevent user internet access outside of the VPN tunnel. See https://docs.paloaltonetworks.com/globalprotect/10-0/globalprotect-admin/globalprotect-quick-configs/captive-portal-and-enforce-globalprotect-for-network-access.html.
6. Ensuring that host-based firewalls on the endpoint clients are not disabled.
7. Configuring Prisma Access to sinkhole IPv6 traffic, which reduces the attack surface for IPv6-based threats over the GlobalProtect VPN tunnel to Prisma Access. See https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prisma-access-for-users/quick-configs-for-user-deployments/sinkhole-ipv6-traffic-from-mobile-users.html.
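The following audit script is an added example and not Palo Alto Networks code. It checks a GlobalProtect configuration export for the portal and gateway settings that the exposure configuration above (invalid-certificate continuation allowed, no direct access to local network disabled) and mitigation items 1, 4 and 5 refer to, and reports each setting that still holds the exposed value. The XML element names (allow-invalid-portal-cert, no-direct-access-to-local-network, captive-portal-exception-timeout, enforce-globalprotect) are assumptions standing in for the real PAN-OS schema, and both sample configurations are constructed; adapt the XPath expressions to a real export before use.

```python
"""Audit a GlobalProtect configuration export for the settings that
PAN-SA-2020-0009 ties to exposure on untrusted networks.

Added example, not Palo Alto Networks code.  The XML element names are
assumptions standing in for the real PAN-OS schema; both sample configs
are constructed for this example.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the 'Required Configuration for Exposure' from the
# advisory, expressed with hypothetical element names.
WEAK_CONFIG = """
<globalprotect>
  <portal name="gp-portal">
    <app>
      <allow-invalid-portal-cert>yes</allow-invalid-portal-cert>
      <captive-portal-exception-timeout>3600</captive-portal-exception-timeout>
      <enforce-globalprotect>no</enforce-globalprotect>
    </app>
  </portal>
  <gateway name="gp-gateway">
    <split-tunnel>
      <no-direct-access-to-local-network>no</no-direct-access-to-local-network>
    </split-tunnel>
  </gateway>
</globalprotect>
"""

# Constructed sample: the same portal and gateway with the advisory's
# recommended settings applied.
HARDENED_CONFIG = """
<globalprotect>
  <portal name="gp-portal">
    <app>
      <allow-invalid-portal-cert>no</allow-invalid-portal-cert>
      <captive-portal-exception-timeout>30</captive-portal-exception-timeout>
      <enforce-globalprotect>yes</enforce-globalprotect>
    </app>
  </portal>
  <gateway name="gp-gateway">
    <split-tunnel>
      <no-direct-access-to-local-network>yes</no-direct-access-to-local-network>
    </split-tunnel>
  </gateway>
</globalprotect>
"""

# Yes/no settings from the advisory: (setting id, hypothetical XPath,
# expected value, recommendation).  The timeout is checked numerically below.
CHECKS = [
    ("allow_invalid_portal_cert", "./portal/app/allow-invalid-portal-cert", "no",
     "Set 'Allow User to Continue with Invalid Portal Server Certificate' to 'No'."),
    ("no_direct_access_to_local_network",
     "./gateway/split-tunnel/no-direct-access-to-local-network", "yes",
     "Enable 'No direct access to local network' under Split Tunnel."),
    ("enforce_globalprotect", "./portal/app/enforce-globalprotect", "yes",
     "Set 'Enforce GlobalProtect Connection for Network Access' to 'Yes'."),
]
TIMEOUT_PATH = "./portal/app/captive-portal-exception-timeout"


def _text(root, path):
    """Return the stripped text of the first element at `path`, or None if absent."""
    node = root.find(path)
    return node.text.strip() if node is not None and node.text else None


def audit(xml_text, max_captive_timeout=60):
    """Return a list of findings; an empty list means every checked setting is hardened.

    A missing element is reported as a finding: an option that is not
    explicitly set cannot be trusted to hold the recommended value.
    """
    root = ET.fromstring(xml_text.strip())
    findings = []
    for setting, path, expected, recommendation in CHECKS:
        actual = _text(root, path)
        if actual != expected:
            findings.append({"setting": setting, "actual": actual,
                             "expected": expected, "recommendation": recommendation})
    raw = _text(root, TIMEOUT_PATH)
    timeout = int(raw) if raw is not None and raw.isdigit() else None
    if timeout is None or timeout > max_captive_timeout:
        findings.append({"setting": "captive_portal_exception_timeout", "actual": raw,
                         "expected": f"<= {max_captive_timeout}",
                         "recommendation": "Lower 'Captive Portal Exception Timeout (seconds)' "
                                           "to shorten the window before GlobalProtect connects."})
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit(cfg)
        print(f"{label}: {len(results)} finding(s)")
        for f in results:
            print(f"  {f['setting']}: got {f['actual']!r}, want {f['expected']} "
                  f"-> {f['recommendation']}")
```

The threshold for the captive-portal timeout is a parameter because the advisory recommends a low value without naming one; the default of 60 seconds here is the example's own choice. Run against the constructed weak configuration the script reports four findings, and against the hardened one none.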
Because our products are capable of addressing these risks with the appropriate use of existing features and options, no GlobalProtect updates are required.
Workarounds and Mitigations
See the solution section.