NSA shared important tips on securing IPsec Virtual Private Networks against Cyber Attack


The US National Security Agency (NSA) has published useful tips on how to properly secure IP Security (IPsec) Virtual Private Networks (VPNs) against potential attacks. Besides providing organizations with recommendations on how to secure IPsec tunnels, NSA's VPN guidance also highlights the importance of using strong cryptography to protect sensitive information contained within traffic while traversing unsecure networks when connecting to remote servers.

Following these recommendations is especially important for organizations that moved the majority of their workforce to telework since the start of the pandemic situation. The US National Security Agency (NSA) explains that VPNs are essential for enabling remote access and securely connecting remote sites, but without proper configuration, patch management, and hardening, VPNs are vulnerable to attack.

Among the measures network administrators need to take to ensure a VPN's security, the NSA underlines the need to reduce the attack surface, to always customize the VPN's default settings, and to apply any security updates as soon as they are issued by vendors.

How to Secure a Virtual Private Network

The National Security Agency published a full list of recommendations for a secure VPN:
  1. Reduce the VPN gateway attack surface.
  2. Avoid using default VPN settings.
  3. Remove non-compliant or unused cryptography suites.
  4. Apply vendor provided security updates (i.e. patches) for VPN gateways and clients.
  5. Verify that cryptographic algorithms are Committee on National Security Systems Policy (CNSSP) 15-compliant.

All administrators are advised to implement strict traffic filtering rules designed to limit the protocols, ports and IP addresses that can be used to connect to VPN devices. If this is not possible, an Intrusion Prevention System (IPS) can help monitor for undesired IPsec traffic and inspect IPsec session negotiations.

Administrators also need to make sure that ISAKMP/IKE and IPsec policies don't allow obsolete cryptographic algorithms to avoid compromising data confidentiality. When it comes to default VPN settings, NSA recommends avoiding the use of any scripts, wizards or vendor-provided defaults as they might configure non-compliant ISAKMP/IKE and IPsec policies.

Removing unused and non-compliant cryptography suites is another measure recommended to defend against downgrade attacks where the VPN endpoints are forced to negotiate non-compliant and insecure cryptography suites, exposing encrypted VPN traffic to decryption attempts.
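The effect of leaving obsolete suites configured can be shown with a small policy audit. This is an added example, not code from the NSA guidance: the strongSwan-style proposal keywords, the allow-list values and the simplified `negotiate` helper are assumptions for illustration, and the allow-list should be checked against the current CNSSP 15.

```python
# Added example, not NSA code. ASSUMPTIONS: strongSwan-style proposal keywords;
# the allow-list (AES-256, SHA-384, DH groups 15/16/20) is illustrative and
# must be checked against the current CNSSP 15 before use.
ALLOWED = {
    "enc": {"aes256"},
    "integ": {"sha384"},
    "dh": {"modp3072", "modp4096", "ecp384"},
}
# Keywords this sketch recognises, by transform type.
KNOWN = {
    "enc": {"des", "3des", "aes128", "aes192", "aes256"},
    "integ": {"md5", "sha1", "sha256", "sha384"},
    "dh": {"modp1024", "modp1536", "modp2048", "modp3072", "modp4096", "ecp256", "ecp384"},
}

def audit_proposal(proposal):
    """Return findings for one 'enc-integ-dh' proposal; empty list means it passes."""
    findings, seen = [], set()
    for token in proposal.lower().split("-"):
        kind = next((k for k, names in KNOWN.items() if token in names), None)
        if kind is None:
            findings.append(f"unknown keyword '{token}'")
            continue
        seen.add(kind)
        if token not in ALLOWED[kind]:
            findings.append(f"{kind} '{token}' not in allow-list")
    findings += [f"missing {k} transform" for k in ALLOWED if k not in seen]
    return findings

def audit_policy(proposals):
    """Map each failing proposal to its findings."""
    report = {p: audit_proposal(p) for p in proposals}
    return {p: f for p, f in report.items() if f}

def negotiate(responder, initiator):
    """Simplified selection: first initiator offer the responder also has configured."""
    return next((p for p in initiator if p in responder), None)

# Constructed sample policies.
LEGACY = ["aes256-sha384-modp4096", "aes128-sha1-modp1024", "3des-md5-modp1024"]
HARDENED = [p for p in LEGACY if not audit_proposal(p)]
WEAK_ONLY_PEER = ["3des-md5-modp1024"]  # peer that offers only an obsolete suite

if __name__ == "__main__":
    for proposal, findings in audit_policy(LEGACY).items():
        print(proposal, "->", "; ".join(findings))
    print("legacy gateway negotiates:", negotiate(LEGACY, WEAK_ONLY_PEER))
    print("hardened gateway negotiates:", negotiate(HARDENED, WEAK_ONLY_PEER))
```

With the legacy policy the gateway still completes a tunnel on the obsolete suite; once the failing proposals are removed, the same offer is refused instead of downgraded.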

Last but not least, making sure that the latest vendor-provided patches are applied as soon as possible will mitigate newly discovered security vulnerabilities affecting both VPN gateways and clients. The NSA also issued guidance providing admins with example IPsec VPN configurations and specific instructions on how to implement the above measures and ensure the most secure VPN configurations.


The Importance of Securing the VPNs

In October 2019, the NSA warned about multiple state-backed Advanced Persistent Threat (APT) attackers who were actively weaponizing the CVE-2018-13379, CVE-2019-11510 and CVE-2019-11539 vulnerabilities to compromise vulnerable VPN devices. As part of the same security advisories, NSA also issued mitigations for Pulse Secure, Palo Alto, and Fortinet VPN clients, as well as recommendations on how to harden VPN security configurations.

In January 2020, the Cybersecurity and Infrastructure Security Agency (CISA) warned organizations to patch their Pulse Secure VPN servers to defend against ongoing attacks trying to exploit a remote code execution (RCE) vulnerability tracked as CVE-2019-11510. That warning followed another alert issued by CISA in October 2019, and others coming from the National Security Agency (NSA), the Canadian Centre for Cyber Security (CCCS) and the UK's National Cyber Security Center (NCSC).

In June 2020, DHS CISA and the FBI shared important tips on defending against cyberattacks via Tor. As the number of cyber attacks increases day by day, CISA also shared a list of the top 10 most exploited software vulnerabilities that attackers use to harm organizations and that can result in data breaches.
