Why VPNs and Edge Services Are Under Siege (and What To Do About It)

Ted Gruenloh
CEO @ Nomic Networks
August 20, 2025

As we've noted before, The Edge is having a bit of a moment. Brute force attacks against VPNs, remote access applications, and other edge services are alive and well, and hammering away harder than ever. A recent HelpNetSecurity article highlights how attackers are relentlessly targeting VPNs and firewalls as entry points, while Infosecurity Magazine notes that nearly 30% of breaches begin at the edge of the network.

30%!? That's not an anomaly - that's a trend.

Why the Edge is So Attractive

The problem is a combination of necessity, exposure, and risk. Businesses rely on VPNs to connect remote employees, RDP portals for network admins and vendor access, and SFTP services for data transfers, just to name a few. These are valid use cases, but each one represents an open door. On top of that, the last few years have seen a flood of exploitable vulnerabilities in firewalls, VPN services, and other public-facing applications. Even when configurations are legit, they don’t always follow best practices, and sometimes those access points are left open long after they’re needed.

In short: the edge is both required and risky, which makes it irresistible to attackers.

More Than Just a Breach Risk

When we say "brute force attack," the obvious risk is a compromise, but to be honest that can be mitigated by secure connections and MFA. The impact is way broader than that. Constant brute force attempts can lock out legitimate users, creating endless help desk resets. These attacks are basically a form of denial-of-service, overwhelming firewalls and other edge devices that were never meant to absorb that volume of traffic. It's a waste of time and resources.

Yes, patching helps address known vulnerabilities, obviously. But it doesn't help with zero-days, or with services (like VPNs) that are intentionally accessible to the masses. That’s why even the most modern of firewalls struggle to stop brute force attacks in these cases. It's all technically "legitimate" traffic, and even though it's trivial to distinguish a real employee login from a botnet hammering credentials, the firewall still has to deal with the traffic.

Why the “Standard Fixes” Fall Short

Security teams often try to blunt brute force with IP restrictions or intricate firewall rules. In theory, that works. In practice, it doesn’t. Remote users’ IP addresses change constantly, making whitelisting nearly impossible. In some cases (but certainly not all) firewalls can be configured to mitigate the noise, but the complexity of routing rules and policies is beyond most network admins' expertise, and it’s easy to break something critical. Aaaand even when it works, the solution is fragile and a pain to maintain.

A Different Approach: Custom Defense at the Edge

Since our Outpost sensor sits inline outside the firewall, we have the luxury of identifying and stopping this malicious traffic before it even reaches our customers' infrastructure. That said, sometimes the real value requires customized defenses for each customer.

Take brute force VPN attacks. Fortinet isn't alone: Palo Alto, Cisco, SonicWall, and other platforms have had issues with vulnerabilities and exposed VPN services, too. Instead of trying to restrict IPs, we analyze the way each VPN session is established for each vendor, identify what’s unique about a legitimate connection, and craft custom deep packet inspection rules that filter out the fakes. Malicious login storms get stopped cold before they reach the firewall.

This is not a cookie-cutter approach. Each environment requires careful analysis, tuning, and monitoring to avoid false positives. But the payoff is worth it: in most cases, we’ve reduced brute force attempts by 99%. And once proven, the same methodology can be extended to RDP, SFTP, and other services.

The Basics Still Matter

Customization is powerful, but it works best when built on a solid foundation. Our architecture is designed to sit outside the firewall, where it isn’t limited by the firewall’s own rules. Network Cloaking hides customers from scans and reconnaissance. As the creators of the CINS Army threat feed, we see emerging attack patterns before they go mainstream. And our managed SecOps team layers in controls like geo and ASN blacklisting, exploit rules, and Rogue Packet detection. Together, these basics dramatically reduce noise so that the custom defenses can focus where it matters most.

Shifting the Balance

Attackers love brute force because it’s cheap, automated, and endlessly repeatable. Businesses keep edge services open because they’re necessary. That tension isn’t going away. What can change is how we defend those services. By combining strong defaults with hands-on customization, we’ve helped customers turn brute force into background noise — something they barely notice anymore.

Let the attackers keep hammering. We’ll keep the doors closed.

Ted has worked with network security and web technologies for almost 30 years, beginning his career as a full-stack web engineer and transitioning to network security. He now guides Nomic and its supporting initiatives, including CINS Active Threat Intelligence.
