One of the Best and Easy-to-Read Guidelines for Securely Using VPN Solutions

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) recently released guidance for improving the security of virtual private network (VPN) solutions. The guide suits the needs of companies of different sizes and includes adhering to tested-and-verified solutions that comply with industry standards.

“Remote access VPNs are entryways into corporate networks and all the sensitive data and services they have. This direct access makes them prized targets for malicious actors. Keep malicious actors out by selecting a secure, standards-based VPN and hardening its attack surface. This is essential for ensuring a network’s cybersecurity.” — “Selecting and Hardening Remote Access VPN Solutions”

Multiple attacks against private organizations and government entities, especially during the pandemic, were carried out by threat actors exploiting vulnerabilities in popular VPN systems. Moreover, ransomware groups exploited VPN solutions from major vendors, including Fortinet, Ivanti (Pulse), and SonicWall.

According to the CISA and the NSA’s joint announcement: “U.S. government experts pointed out that compromised VPN devices represented the entry points into protected networks, for this reason, multiple nation-state actors have weaponized common known vulnerabilities to gain access to vulnerable VPN servers.”

In addition, the agencies issued an Information Sheet named “Selecting and Hardening Remote Access VPN Solutions” that provides selection criteria for a remote access VPN solution and guidance on hardening it.

Industry-Standard Solution

The guidance suggests choosing only industry-standard solutions and avoiding non-standard VPN solutions, including a class of products called Secure Sockets Layer/Transport Layer Security (SSL/TLS) VPNs. These products include custom, non-standard features to tunnel traffic via TLS.

In addition, the report recommends referring to the National Information Assurance Partnership (NIAP) Product Compliant List (PCL), which includes validated VPNs that were approved after repeated testing by third-party labs. Be aware that the PCL is long, so it is better to search for the targeted VPN solutions and check whether they are on the list.

Software Development Lifecycle

The agencies recommend VPN solutions that implement protections against intrusions, such as the use of signed binaries or firmware images, a secure boot process that verifies boot code before it runs, and integrity validation of runtime processes and files. Pay attention to the documentation provided by VPN vendors: it must state which protocols the product supports when establishing VPN tunnels.

Good Cyber Hygiene

Select only solutions that support strong authentication credentials and protocols and disable weak credentials and protocols by default. In addition, it is essential to use multi-factor authentication. It is also good to select a vendor known for supporting products via regular software updates and quickly remediating known vulnerabilities.

The guidance also provides the following recommendations to reduce the remote access VPN attack surface:
- Immediately apply patches and updates to mitigate known vulnerabilities, which are often rapidly exploited;
- Restrict external access to the VPN device by port and protocol;
- Disable non-VPN-related functionality and advanced features that are more likely to have vulnerabilities (e.g., web administration, Remote Desktop Protocol, Secure Shell, and file sharing);
- Restrict management interface access via the VPN.

It is also recommended to protect and monitor access to and from the VPN, for example:
- the use of an intrusion prevention system (IPS) in front of the remote access VPN to detect malicious VPN traffic, and
- the use of Web Application Firewalls (WAFs) to protect the authentication page and management interfaces.
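The attack-surface and monitoring recommendations above can be turned into a repeatable configuration check. The following is an added example, not code from the original post or from the CISA/NSA document; the vendor-neutral gateway snapshot format, its keys, and the two sample configurations are assumptions constructed for illustration.

```python
# Added example, not from the original post or the CISA/NSA document: audit a
# remote-access VPN gateway's settings against the hardening points above. The
# snapshot layout is constructed and vendor-neutral; map your platform's export onto it.

WEAK_GATEWAY = {  # constructed snapshot of a weakly configured gateway
    "wan_listeners": {"vpn": ["udp/500", "udp/4500", "esp"], "web-admin": ["tcp/443"],
                      "ssh": ["tcp/22"], "rdp": ["tcp/3389"], "smb": ["tcp/445"]},
    "mgmt_interface": "any", "mfa_required": False,  # management reachable from WAN, no MFA
    "auth_protocols": ["ms-chapv2", "certificate"], "ike_versions": [1, 2],
    "ciphers": ["3des-cbc", "aes-256-gcm"], "remote_logging": None, "days_since_last_patch": 210,
}
HARDENED_GATEWAY = {  # the same gateway after applying the recommendations
    "wan_listeners": {"vpn": ["udp/500", "udp/4500", "esp"]},
    "mgmt_interface": "internal", "mfa_required": True,
    "auth_protocols": ["certificate", "eap-tls"], "ike_versions": [2],
    "ciphers": ["aes-256-gcm"], "remote_logging": "syslog://siem.internal.example:6514",
    "days_since_last_patch": 7,
}

NON_VPN_SERVICES = {"web-admin", "ssh", "rdp", "smb"}  # guidance: disable these on the device
ALLOWED_VPN_PORTS = {"udp/500", "udp/4500", "esp"}    # IKE/IPsec only, nothing else on WAN
WEAK_AUTH = {"pap", "chap", "ms-chapv1", "ms-chapv2"}
WEAK_CIPHERS = {"null", "des-cbc", "3des-cbc", "rc4"}


def audit_gateway(cfg, max_patch_age_days=30):
    """Return [(recommendation, detail), ...]; an empty list means no findings."""
    f, listeners = [], cfg["wan_listeners"]
    if exposed := sorted(NON_VPN_SERVICES & set(listeners)):
        f.append(("disable non-VPN functionality", f"reachable from WAN: {exposed}"))
    if stray := sorted(set(listeners.get("vpn", [])) - ALLOWED_VPN_PORTS):
        f.append(("restrict access by port and protocol", f"unexpected listeners: {stray}"))
    if cfg["mgmt_interface"] != "internal":
        f.append(("restrict the management interface", f"bound to '{cfg['mgmt_interface']}'"))
    if not cfg["mfa_required"]:
        f.append(("require multi-factor authentication", "MFA not enforced"))
    for key, weak, why in (("auth_protocols", WEAK_AUTH, "weak authentication"),
                           ("ciphers", WEAK_CIPHERS, "weak cipher"),
                           ("ike_versions", {1}, "IKEv1 enabled")):
        if hits := sorted(weak & set(cfg[key])):
            f.append(("use strong cryptography and authentication", f"{why}: {hits}"))
    if not cfg["remote_logging"]:
        f.append(("enable local and remote logging", "no remote log destination"))
    if cfg["days_since_last_patch"] > max_patch_age_days:
        f.append(("apply patches and updates promptly", f"{cfg['days_since_last_patch']} days since last patch"))
    return f


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_GATEWAY), ("hardened", HARDENED_GATEWAY)):
        print(name, audit_gateway(cfg))
```

Running the script reports eight findings for the weak snapshot and none for the hardened one; each finding names the recommendation it maps to, which makes the output easy to hand to whoever owns the device.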
It is crucial to enable local and remote logging to track VPN user activity and to implement network segmentation and permission restrictions to limit access to services that need to be remotely reachable via the VPN.

Final Words

While the information aims to enhance the security of the Department of Defense, National Security Systems, and the Defense Industrial Base, following these recommendations would serve any organization or company, public or governmental, regardless of its size, that uses a VPN solution to access its systems.

The guidance document also details best practices for hardening security and reducing the attack surface, such as configuring strong cryptography and authentication, activating only features that are strictly necessary (need-to-know), protecting and monitoring access to and from the VPN, implementing multi-factor authentication, and ensuring patches and updates are applied promptly.

Thank you for reading. May InfoSec be with you 🖖.

Reference: https://media.defense.gov/2021/Sep/28/2002863184/-1/-1/0/CSI_SELECTING-HARDENING-REMOTE-ACCESS-VPNS-20210928.PDF