SSL VPN - End of Service (EOS)

End of support for SSL VPN

Fortinet has launched FortiOS 7.6.3, which completely removes support for SSL-VPN Tunnel Mode.
The decision comes against the backdrop of an increase in cyber attacks that target remote entry points into corporate networks in general, and SSL VPN in particular.
SSL-VPN Tunnel Mode has been a popular access solution for remote workers for years due to its simplicity and flexibility. Over those years, however, significant vulnerabilities have been discovered, some of which have been and are still being exploited in effective, large-scale cyber attacks.
In light of this, Fortinet has decided to immediately discontinue support for SSL Tunnel Mode in new software versions, and organizations are required to examine alternative approaches.

An organization that continues to rely on SSL VPN will be exposed to significant security risks:

  • Creating vulnerabilities that invite cyber attacks.
  • Compatibility issues that can cause connection failures and downtime of critical services.
  • Lack of technical support and version upgrades.

The solutions 

The options available to organizations are:

  • Switching to IPsec VPN  
  • Transitioning to SSE

IPsec VPNs

IPsec VPN is also a Tunnel Mode solution, but it uses a different encryption protocol (IPsec) that is inherently significantly more secure than SSL.
Moving to IPsec is more secure, but it relies on the same gateway into the organization as SSL VPN. The migration also requires a significant time investment: the process includes configuring authentication and access policies and establishing a new connection on each endpoint separately. It carries operational risk as well: inconsistencies between settings can lead to security breaches, and the work has to be repeated with any future change.
Fortinet offers the FortiClient EMS system, a centralized system for managing FortiClient on endpoints. This solution allows admins to create and push new IPsec VPN settings to all workstations, and to perform version management and updates in order to keep pace with emerging security threats.

SSE – Security Service Edge

The second option is a change of perspective: a transition to SSE working in ZTNA mode (the next generation of remote connections). This encrypted and secure connection doesn’t expose the gateway (GW) and includes control over the endpoints. It provides a Device Posture Check mechanism that ensures endpoints comply with the organization’s security policy. The checks include the operating system version, the status of protection software such as antivirus or EDR, the status of the local firewall, the existence of storage encryption, processes running on the station, and the presence of digital certificates. These checks support the Zero Trust Network Access (ZTNA) model, where the access level is determined in real time according to the actual status of the station, and not just according to the user’s details.
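The posture-based access decision described above can be sketched as follows. This is an added example, not code from Fortinet or Sinopia; the field names, policy thresholds, process name and the three access tiers are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical policy values, constructed for this example.
MIN_OS_BUILD = {"windows": 22631, "macos": 14}
FORBIDDEN_PROCESSES = {"unapproved-remote-admin.exe"}
# Failing any of these denies access outright; other failures only restrict it.
CRITICAL = {"edr", "device_cert", "forbidden_process"}

@dataclass
class Posture:
    os_name: str
    os_build: int
    edr_running: bool
    firewall_enabled: bool
    disk_encrypted: bool
    has_device_cert: bool
    processes: set = field(default_factory=set)

def failed_checks(p: Posture) -> set:
    """Return the names of the posture checks this endpoint fails."""
    failed = set()
    # An operating system the policy does not know fails closed.
    minimum = MIN_OS_BUILD.get(p.os_name)
    if minimum is None or p.os_build < minimum:
        failed.add("os_version")
    if not p.edr_running:
        failed.add("edr")
    if not p.firewall_enabled:
        failed.add("firewall")
    if not p.disk_encrypted:
        failed.add("disk_encryption")
    if not p.has_device_cert:
        failed.add("device_cert")
    if p.processes & FORBIDDEN_PROCESSES:
        failed.add("forbidden_process")
    return failed

def access_level(user_authenticated: bool, p: Posture) -> str:
    """Decide access per request from identity AND current device state."""
    if not user_authenticated:
        return "deny"
    failed = failed_checks(p)
    if failed & CRITICAL:
        return "deny"
    return "restricted" if failed else "full"

# Constructed sample endpoint that passes every check.
laptop = Posture("windows", 22631, True, True, True, True, {"explorer.exe"})
```

Re-running `access_level` on every request is what makes the decision real time: the same authenticated user drops from "full" to "restricted" or "deny" as soon as the station's state changes.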

What needs to be done to ensure a smooth and secure transition to one of the two alternatives

  • Analyzing the current situation and needs: identifying all users, systems, and services that make SSL VPN connections today, including employee, contractor, vendor, and automated system connections, and future needs.
  • Choosing the solution: choosing a solution that suits your organization’s needs today and in the future.
  • Planning and implementation: planning HLD/LLD and drawing up an Action Plan; actual implementation and delivery to the organization.

How Sinopia can help

Switching from SSL-VPN is not just a matter of procedure, but involves a profound change in an organization’s approach to securing remote access. We at Sinopia accompany organizations through the transition process from start to finish, while maintaining full availability of services and meeting advanced security standards. The service includes:

  • Planning and setting up a secure infrastructure.
  • Strategic consulting and choosing a solution tailored to your organization.
  • Performing Penetration Testing to identify vulnerabilities before going live.
  • Full support after implementation.

For more information:

FortiClient EMS
SSE  

Don’t wait until the last minute.

Early preparation is critical.
Contact us today for a consultation to ensure a smooth transition, maintain service availability, and get maximum protection for your organization’s critical information.
