Juniper Vulnerability, NSA Allegations Raise Broader VPN Security Concerns

Juniper Networks Thursday said it had discovered a major vulnerability in its firewall operating system that could allow hackers to decrypt VPN connections, news that solution providers and security experts said raises broader concerns around VPN security.

The vulnerability affects devices running ScreenOS, which is the operating system for its NetScreen firewall devices. Juniper said in the security announcement that a ’knowledgeable’ hacker could use the vulnerability to decrypt NetScreen VPN connections, although it said it has ’not received any reports of these vulnerabilities being exploited.’

Juniper, Sunnyvale, Calif., did not reply to request for comment from CRN.

[Related: Cybersecurity From A To Z: What Solution Providers Need To Know]

The news of the vulnerability immediately drew allegations from the tech industry that Juniper had built backdoors into its firewalls for National Security Agency or other government agency access. Juniper vehemently denied the claims.

The claims echoed those from December 2013, when a report said that the NSA had been planting backdoors in new computing and networking hardware from major U.S. vendors including Cisco Systems, Juniper and Dell for years.

Specifically, the vulnerability impacts NetScreen devices using ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20, the company said. Juniper said it did not believe it affected the SRX or devices running Junos.

While he isn't a Juniper partner, Matt Johnson, CEO of Reisterstown, Md.-based Phalanx Secure (formerly known as Raven Data Technologies), said news of the vulnerability has broad implications on how people view the security of VPNs.

’This is troubling in a broader sense that decrypting the traffic defeats the purpose of having the VPN and would allow anyone to sniff the network and have access to that traffic. The reason we have VPNs is to create those secure tunnels,’ Johnson said.

Jane Wright, senior analyst covering security at Technology Business Research, agreed, saying that she expected the Juniper news would prompt other network security vendors to evaluate their own offerings.

’This incident will serve as a reminder of the importance of privileged account authorization and network security analytics, as well as encryption. If hackers have been decrypting data traveling through one network vendor’s VPNs, then it’s probably happening on other network vendors’ equipment, too. I expect customers are going to call for more independent audits of their network and security vendors’ solutions,’ Technology Business Research's Wright said in an email.

Juniper has already released patches for the vulnerability and urged customers to update their systems as soon as possible.

PUBLISHED DEC. 18, 2015