SPIRE-Based Remote Attestation for Secure VPN Access
Abstract
This work proposes an intermediate solution between a full-fledged Zero-Trust Architecture (ZTA) for remote access and a conventional, less secure Virtual Private Network (VPN). Our approach enhances the authentication component of VPNs to help achieve some of the benefits of ZTA without requiring modifications to the VPN infrastructure or code. We leverage the Cloud Native Computing Foundation’s open-source standard, SPIFFE, and its reference implementation, SPIRE, to build attestation-based authorization for VPN access. The work proposes new node and workload attestors for SPIRE, enabling the verification of user and machine identity before granting access to the VPN. SPIRE also provides automatic credential rotation, which avoids long-term credentials and consequently minimizes the impact if credentials are stolen. Finally, the paper provides an overview of the major security issues associated with traditional VPN authentication methods, such as credential or physical device theft, and how the proposed solution addresses these threats.
Published
27/10/2025
How to Cite
PONTES, Davi; BRITO, Andrey. SPIRE-Based Remote Attestation for Secure VPN Access. In: LATIN-AMERICAN SYMPOSIUM ON DEPENDABLE COMPUTING (LADC), 14., 2025, Valparaíso/Chile. Proceedings [...]. Porto Alegre: Sociedade Brasileira de Computação, 2025. p. 20-36.
