The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) recently released guidance for improving the security of virtual private network (VPN) solutions. The guide suits the needs of different size companies and includes adhering to tested-and-verified solutions that are compliant with industry standards.
One of the Best and Easy-to-Read Guidelines for Securely Using VPN Solutions
“Remote access VPNs are entryways into corporate networks and all the sensitive data and services they have. This direct access makes them prized targets for malicious actors. Keep malicious actors out by selecting a secure, standards-based VPN and hardening its attack surface. This is essential for ensuring a network’s cybersecurity.”
— “Selecting and Hardening Remote Access VPN Solutions”
Multiple attacks against private organizations and government entities, especially during the pandemic, were carried out by threat actors exploiting vulnerabilities in popular VPN systems. Moreover, ransomware hacking organizations exploited VPN solutions from major vendors, including Fortinet, Ivanti (Pulse), and SonicWall.
According to the CISA and the NSA’s joint announcement:
“U.S. government experts pointed out that compromised VPN devices represented the entry points into protected networks, for this reason, multiple nation-state actors have weaponized common known vulnerabilities to gain access to vulnerable VPN servers.”
In addition, the agencies issued an Information Sheet named “Selecting and Hardening Remote Access VPN Solutions” that provided recommendations on selection criteria for a remote access VPN solution and guidance on hardening the VPN.
Industry-Standard Solution
The guidance suggests choosing only industry-standard solutions and avoiding non-standard VPN solutions, including a class of products called Secure Sockets Layer/Transport Layer Security (SSL/TLS) VPNs. These products include custom, non-standard features to tunnel traffic via TLS.
In addition, the report recommends we refer to the National Information Assurance Partnership (NIAP) Product Compliant List (PCL) that includes validated VPNs that were approved after being repeatedly tested by third-party labs. Be aware that PCL is long, so it is better to search for the targeted VPN solutions and check if they are on the list.
Software Development Lifecycle
The agencies recommend VPN solutions that implement protections against intrusions, such as:
- the use of signed binaries or firmware images,
- a secure boot process that verifies boot code before it runs and
- integrity validation of runtime processes and files.
Take care of the documentation provided by vendors of VPN services, and it must give information about the protocols they support when establishing VPN tunnels.
Good Cyber Hygiene
Select only solutions that support strong authentication credentials and protocols and disables weak credentials and protocols by default. In addition, it is essential to use multi-factor authentication. It is also good to select a vendor known for supporting products via regular software updates and quickly remediating known vulnerabilities.
The guidance also provided the following recommendations to reduce the remote access VPN attack surface:
- Immediately apply patches and updates to mitigate known vulnerabilities that are often rapidly exploited;
- Restrict external access to the VPN device by port and protocol;
- Disable non-VPN-related functionality and advanced features that are more likely to have vulnerabilities (i.e., web administration, Remote Desktop Protocol, Secure Shell, and file sharing);
- Restrict management interface accessible via the VPN.
It is also recommended to protect and monitor access to and from the VPN, for example:
- the use of an intrusion prevention system (IPS) in front of the remote access VPN to detect malicious VPN traffic and
- the use of Web Application Firewalls (WAFs) to protect the authentication page and management interfaces.
It is crucial to enable local and remote logging to track VPN user activity and implement network segmentation and permission restrictions to limit access to services that demand remotely reachable via the VPN.
Final Words
While the information aims to enhance the security of the Department of Defense, National Security systems and the Defense Industrial Base, following these recommendations would serve any organization or company, public or governmental, regardless of their size, that uses a VPN solution to access its systems.
The guidance document also details best practices for hardening security and reducing the attack surface, such as:
- configuring strong cryptography and authentication,
- only activating features that are strictly necessary (Need-to-know),
- protecting and monitoring access to and from the VPN,
- implementing multi-factor authentication, and
- ensuring patches and updates are implemented promptly.
Thank you for reading. May InfoSec be with you🖖.