NSA and CISA Publishing Guide for Choosing and Hardening VPNs

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have published tips and best practices for securing virtual private network (VPN) solutions.

VPNs, an important security tool in the era of widespread remote working, are entry points into protected networks that malicious actors frequently attempt to abuse. Because of VPN vulnerabilities – a recent example involved a massive leak of Fortinet user passwords – a number of security providers have pushed zero-trust network access as a potential replacement for VPNs.

The September 28 NSA-CISA document (PDF download) urges buyers to choose VPNs from vendors with a proven record of quickly resolving known vulnerabilities and to use strong credentials. The VPN can be further strengthened through strong cryptographic authentication and configuration, enabling only the features that are essential, and protecting and monitoring access to and from the VPN. What may be most striking about the document is the number of steps and security controls required to properly secure VPN connections.

Nation-state Advanced Persistent Threat (APT) actors have used vulnerabilities in VPN devices for credential harvesting, remote code execution, traffic hijacking, data leakage, and to compromise the security of encrypted traffic sessions. According to the document, these effects usually lead to further malicious access through the VPN, resulting in large-scale compromise of the corporate network or identity infrastructure, and sometimes of separate services.

Choose a VPN

The guide raises a number of issues to consider and pitfalls to avoid when choosing a VPN.

  • Avoid selecting non-standard VPN solutions, such as Secure Sockets Layer / Transport Layer Security (SSL / TLS) VPNs. These solutions include custom and non-standard capabilities for tunneling traffic over TLS. Even if the TLS settings used by such products are secure, relying on custom or non-standard features exposes you to additional risk. The NSA and CISA recommend standardized Internet Key Exchange / Internet Protocol Security (IKE / IPsec) VPNs that have been evaluated against standardized VPN security requirements.
  • Read the vendor’s documentation carefully to ensure that the products support IKE / IPsec VPNs. Some product documentation may lack details on the protocols they support for establishing VPN tunnels. Avoid products that don’t explicitly state what standards they adhere to or that claim to use proprietary methods to establish VPNs.
  • When an IKE / IPsec VPN cannot be established, determine whether the product falls back to SSL / TLS or another proprietary, non-standards-based VPN protocol. Identify the scenarios that could cause IKE / IPsec negotiation to fail. If possible, disable proprietary SSL / TLS or non-standards-based VPN fallback.
  • Make sure that any candidate product uses FIPS-validated cryptographic modules and can be configured to use only approved cryptographic algorithms.
  • Consider whether a product offers strong credentials and authentication protocols by default, as opposed to weak credentials and protocols. Use multi-factor authentication and choose products that are compatible with the credentials you will be using.
  • Find and choose a vendor with a proven track record in supporting products with regular software updates and quick fixes for identified defects. Ensure that the duration of the support covers the total expected useful life of the product and replace the product before it reaches the end of its life.
  • Request and validate a product’s software bill of materials (SBOM) to determine the risk posed by its underlying software components. Many vendors ship outdated versions of open source software in their products, often with known vulnerabilities, so this risk should be carefully managed.
  • Make sure that the product has a reliable way to validate the integrity of its own code and that this validation is performed frequently. As security appliances on the network perimeter, VPN gateways are frequent targets for attackers, and it is often impossible to identify an intrusion without the ability to confirm the integrity of the device.
  • Recognize the risk of not being able to independently inspect the product. Some VPN vendors encrypt the device’s software so that prompt incident response is not possible. Products that do not allow the owner to fully inspect them present additional risk and can make the manufacturer a bottleneck in product support. Delays in the incident response process can give sophisticated actors enough time to cover their tracks.
  • Consider the additional features of the device in light of your business risk tolerance. While many additional features, such as remotely accessible administrative pages or web access to internal services, can be beneficial, they also pose a danger because they extend the product’s attack surface, which adversaries frequently target and exploit. Choose products that focus on supporting basic VPN operation and don’t include a lot of extra features, or at the very least make sure that extra features can be turned off and ideally are turned off by default.
  • Make sure the product has anti-tampering features such as:
    • Signed binaries or signed firmware images
    • A secure boot procedure that validates the boot code before it is executed
    • Runtime integrity validation of programs and files

Strengthening a VPN

Once you have chosen the VPN, you need to configure it to be as secure as possible. The NSA and CISA document recommends the following steps to further strengthen the VPN against compromise.

Cryptography and authentication

Only use strong cryptographic methods, algorithms, and credentials that have been approved, the agencies said.

  • The Commercial National Security Algorithm (CNSA) suite algorithms approved by the NSA must be used by National Security Systems (NSS). Non-NSS US government systems must use algorithms specified by NIST, which include those approved to protect the NSS. Other systems should use the cryptographic methods specified in the CNSA suite.
  • Disable SSL / TLS VPN capability and fallback settings if possible, and configure the VPN to use IKE / IPsec.
  • Use trusted server certificates for server authentication and renew them regularly, such as once a year. Avoid self-signed and generic certificates: the former should not be trusted at all, and the latter are trusted across an excessively broad scope.
  • Use client certificate authentication if available. This is a stronger form of authentication than passwords, and some VPN solutions support it for remote clients attempting to access the VPN, for example using a smart card. Use client certificate authentication whenever possible so that the VPN rejects connections from clients that do not present valid and trustworthy certificates. If client certificate authentication is not available, use another supported multifactor authentication type to prevent bad actors from authenticating with compromised passwords.
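The crypto guidance above is actionable only if you can check a gateway's actual IKE/IPsec proposals against the approved algorithm set. The following is an added example, not code from the NSA-CISA document: it audits proposal strings against the CNSA suite (AES-256, SHA-384, ECDH P-384, DH of at least 3072 bits). The "cipher-integrity-dhgroup" token syntax (e.g. `aes256-sha384-ecp384`) is an assumption modelled on strongSwan's notation; other products name algorithms differently.

```python
from __future__ import annotations
import re

# CNSA 1.0 suite members: AES-256, SHA-384, ECDH/ECDSA P-384, DH/RSA >= 3072-bit.
# Token syntax assumed here ("aes256-sha384-ecp384") is strongSwan-style; it is a
# convention adopted for this example and other products spell algorithms differently.
CIPHER_RE = re.compile(r"^aes(\d+)(?:gcm\d+|ccm\d+)?$")
INTEG_RE = re.compile(r"^(?:prf)?sha(\d+)$")
GROUP_RE = re.compile(r"^(ecp|modp)(\d+)$")


def check_token(tok: str) -> str | None:
    """Return None if the token is CNSA-compliant, otherwise the reason it is not."""
    if m := CIPHER_RE.match(tok):
        return None if int(m.group(1)) == 256 else "CNSA requires AES-256"
    if m := INTEG_RE.match(tok):
        return None if int(m.group(1)) == 384 else "CNSA requires SHA-384"
    if m := GROUP_RE.match(tok):
        kind, bits = m.group(1), int(m.group(2))
        if (kind == "ecp" and bits == 384) or (kind == "modp" and bits >= 3072):
            return None
        return "CNSA requires ECDH P-384 or DH of at least 3072 bits"
    return "not a CNSA-suite algorithm"  # 3des, md5, blowfish, sha1 variants, ...


def audit_proposals(proposals: str) -> list[str]:
    """Audit a comma-separated IKE/ESP proposal list and return every finding.

    An empty list means every proposal uses only CNSA-suite algorithms and
    names a Diffie-Hellman group (needed for forward secrecy of the tunnel).
    """
    findings = []
    for proposal in proposals.split(","):
        proposal = proposal.strip().rstrip("!")  # strongSwan marks strict proposals with '!'
        has_group = False
        for tok in proposal.split("-"):
            has_group = has_group or bool(GROUP_RE.match(tok))
            if reason := check_token(tok):
                findings.append(f"{proposal}: {tok}: {reason}")
        if not has_group:
            findings.append(f"{proposal}: no Diffie-Hellman group specified")
    return findings


if __name__ == "__main__":
    # Constructed sample: a weak legacy proposal beside its CNSA-compliant replacement.
    for line in ("aes128-sha1-modp1024", "aes256-sha384-ecp384!"):
        print(line, "->", audit_proposals(line) or "OK")
```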

Reduce the attack surface of the remote VPN

  • Apply patches and updates as soon as possible to mitigate known vulnerabilities that are frequently – and often quickly – exploited.
  • External access to the VPN device should be restricted by port and protocol.
  • Allow-list the IP addresses of known VPN peers and deny all others if possible. Note that this can be difficult when peers with unknown IP addresses must be able to reach the VPN.
  • Disable complex features and non-VPN related features that are more likely to be vulnerable.
  • Limit access to the management interface via the VPN. Malicious cyber actors who obtain administrator credentials can attempt to log into administrative interfaces and perform privileged actions. Allowing VPN administrators to reach the management interface through the remote access VPN is not recommended; instead, administrative access should be limited to dedicated internal management networks. Investigate all attempts to access the remote access VPN using administrator credentials.

Protect and monitor VPN access

  • Inspect session negotiations and detect unauthorized VPN traffic with an intrusion prevention system deployed in front of the remote access VPN.
  • Enable enhanced web application security. Some remote access VPN solutions include features that protect the VPN’s web application against compromise attempts, such as the fraudulent reuse of a user’s past session information to bypass authentication. When these features are available, enable them.
  • Use appropriate network segmentation and access controls so that remote users can reach only the services they require. When making access decisions, consider other factors as well (such as device information, the environment of the original access request, the strength of the credentials, and the risk of the access path).
  • Enable local and remote logging to record and track VPN user activity, including connection and access attempts, configuration changes, and network traffic metadata. Regularly monitor and analyze all logs for unauthorized access, malicious configuration changes, abnormal network activity, and other indicators of penetration.
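The monitoring step above and the earlier advice to investigate administrator-credential use on the remote access VPN and to allow-list peer addresses are easiest to see as a triage pass over gateway logs. The following is an added example, not code from the NSA-CISA document; the log line format, the privileged account names and the failure threshold are all assumptions, and the sample log is constructed.

```python
from __future__ import annotations
import re
from collections import Counter

# Constructed log format for this example (real gateways log differently):
# "<iso-time> <host> event=<auth|config> user=<name> src=<ip> result=<success|failure>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) event=(?P<event>\w+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\w+)$"
)
ADMIN_ACCOUNTS = {"admin", "vpnadmin"}  # assumed names of privileged accounts
FAILURE_THRESHOLD = 3                   # failed logins from one source before alerting


def triage(lines: list[str], peer_allowlist: set[str] | None = None) -> list[str]:
    """Return one alert string per finding; pass peer_allowlist to flag unknown peers."""
    alerts: list[str] = []
    failures: Counter[str] = Counter()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            alerts.append(f"unparsed line: {raw.strip()}")  # never silently drop evidence
            continue
        f = m.groupdict()
        if f["event"] == "auth" and f["user"] in ADMIN_ACCOUNTS:
            alerts.append(f"{f['ts']}: admin credential {f['user']} used on remote-access VPN from {f['src']} ({f['result']})")
        if f["event"] == "config":
            alerts.append(f"{f['ts']}: configuration change by {f['user']} from {f['src']}")
        if peer_allowlist is not None and f["src"] not in peer_allowlist:
            alerts.append(f"{f['ts']}: connection from non-allow-listed peer {f['src']}")
        if f["event"] == "auth" and f["result"] == "failure":
            failures[f["src"]] += 1
            if failures[f["src"]] == FAILURE_THRESHOLD:
                alerts.append(f"{f['ts']}: {FAILURE_THRESHOLD} failed logins from {f['src']}")
    return alerts


# Constructed sample log using documentation address ranges.
SAMPLE_LOG = [
    "2021-09-30T08:15:02Z vpn-gw1 event=auth user=alice src=203.0.113.10 result=success",
    "2021-09-30T08:16:40Z vpn-gw1 event=auth user=admin src=198.51.100.7 result=success",
    "2021-09-30T08:17:05Z vpn-gw1 event=config user=admin src=198.51.100.7 result=success",
    "2021-09-30T08:20:11Z vpn-gw1 event=auth user=bob src=192.0.2.55 result=failure",
    "2021-09-30T08:20:19Z vpn-gw1 event=auth user=bob src=192.0.2.55 result=failure",
    "2021-09-30T08:20:27Z vpn-gw1 event=auth user=bob src=192.0.2.55 result=failure",
    "2021-09-30T08:31:48Z vpn-gw1 event=auth user=carol src=203.0.113.11 result=success",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG, peer_allowlist={"203.0.113.10", "203.0.113.11"}):
        print(alert)
```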
