How to choose and harden your VPN: Best practices from NSA & CISA
Businesses have been rapidly growing more distributed in recent years. The COVID-19 pandemic was a major driver of this, inspiring many organizations to adopt remote work policies that may persist beyond the end of the pandemic. These remote workers need secure remote access to company systems and resources over untrusted networks. Companies also commonly have satellite offices and cloud-based infrastructure, and need to securely connect these geographically distributed networks.
Virtual private networks (VPNs) are a common choice for meeting these needs. A remote-access VPN establishes an encrypted tunnel between a user’s computer and a VPN endpoint, while a site-to-site VPN creates an encrypted tunnel between two VPN endpoints.
The rise of remote work has driven a boom in VPN usage, making the technology a prime target for cybercriminals. As of Oct. 25, 2021, cybercriminals were known to be using 54 zero-day vulnerabilities in VPNs to deliver ransomware.
Best practices for choosing and hardening a VPN
In September 2021, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released joint guidance on Selecting and Hardening Remote Access VPN Solutions.
This advisory provides numerous recommendations on selecting the right VPN and hardening and configuring it to minimize the organization’s digital attack surface. Here are some of the highlights from the recommendations:
1. Select a standards-based VPN
VPNs that use accepted standards, such as Internet Key Exchange/Internet Protocol Security (IKE/IPsec), are generally less risky and more secure than Secure Sockets Layer/Transport Layer Security (SSL/TLS) VPNs that use custom, vendor-specific code to send traffic over TLS. If a VPN is designed to use a custom SSL/TLS tunnel as a fallback, disable this functionality.
2. Use a VPN with strong cryptography
Validate that the encryption algorithms, authentication algorithms and protocols used by a VPN are strong and FIPS-validated. Configure all VPNs to use multi-factor authentication (MFA) and replace password-based authentication with client authentication through digital certificates (stored on smartcards) when possible.
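A practical way to apply the "validate the algorithms" recommendation is to audit the IKE and ESP proposals a gateway is configured to offer. The script below is an added example, not code from the advisory or from any VPN vendor: it parses strongSwan-style `ike=` and `esp=` proposal lines from a constructed `ipsec.conf` fragment and reports anything outside an approved-algorithm set. The allowed and weak algorithm lists, the IKEv2-only rule and the sample connection names are this example's own assumptions; substitute your organization's FIPS-approved policy.

```python
"""Audit IKE/ESP proposals in a strongSwan-style ipsec.conf against an
approved-algorithm policy (added example; the policy lists are assumptions)."""
from dataclasses import dataclass

# Assumed policy for this example: AES-256 encryption, SHA-384/512 integrity and
# PRF, and DH groups of at least 3072-bit MODP or P-384. These lists are this
# example's own choice, not text from the NSA/CISA advisory.
ALLOWED_ENC = {"aes256", "aes256gcm8", "aes256gcm12", "aes256gcm16"}
ALLOWED_INTEG = {"sha384", "sha512", "prfsha384", "prfsha512"}
ALLOWED_DH = {"modp3072", "modp4096", "ecp384", "ecp521"}
# Deprecated, broken or undersized algorithms that should never be offered.
WEAK = {"null", "des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536"}


@dataclass
class Finding:
    proposal: str   # the proposal string (or setting value) the token came from
    token: str      # the offending algorithm or value
    reason: str


def audit_proposals(spec: str, kind: str = "ike") -> list:
    """Return policy violations for a comma-separated proposal list such as
    "aes256gcm16-prfsha384-ecp384,aes128-sha1-modp1024"."""
    findings = []
    for proposal in spec.split(","):
        proposal = proposal.strip().rstrip("!")  # '!' is strongSwan's strict marker
        if not proposal:
            continue
        tokens = proposal.split("-")
        for token in tokens:
            if token in WEAK:
                findings.append(Finding(proposal, token, "deprecated or too short"))
            elif token not in ALLOWED_ENC | ALLOWED_INTEG | ALLOWED_DH:
                findings.append(Finding(proposal, token, "not in approved set"))
        # IKE proposals must carry a DH group; ESP proposals may omit one.
        if kind == "ike" and not any(t.startswith(("modp", "ecp", "curve")) for t in tokens):
            findings.append(Finding(proposal, "(none)", "IKE proposal has no DH group"))
    return findings


def audit_config(text: str) -> dict:
    """Map each 'conn' block in an ipsec.conf-style text to its findings."""
    results = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            results[current] = []
        elif current and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in ("ike", "esp"):
                results[current].extend(audit_proposals(value, kind=key))
            elif key == "keyexchange" and value != "ikev2":
                results[current].append(Finding(value, value, "policy requires IKEv2"))
    return results


# Constructed sample config: one legacy tunnel and one hardened tunnel.
SAMPLE_CONFIG = """\
conn legacy-branch
    keyexchange=ikev1
    ike=aes128-sha1-modp1024!
    esp=3des-md5!

conn hardened-branch
    keyexchange=ikev2
    ike=aes256gcm16-prfsha384-ecp384!
    esp=aes256gcm16-ecp384!
"""

if __name__ == "__main__":
    for conn, findings in audit_config(SAMPLE_CONFIG).items():
        status = "OK" if not findings else f"{len(findings)} issue(s)"
        print(f"{conn}: {status}")
        for f in findings:
            print(f"  {f.proposal}: {f.token} -> {f.reason}")
```

Run against the sample, the hardened connection passes cleanly while the legacy one is flagged for IKEv1, AES-128, SHA-1, 1024-bit MODP, 3DES and MD5. Because the check is a strict allowlist, any algorithm name the policy does not recognise is reported rather than silently accepted, which is the behaviour you want when new vendor-specific proposal tokens appear.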
3. Manage software vulnerabilities
The exploitation of VPN vulnerabilities is a common attack vector for cybercriminals. Select a VPN vendor with a strong track record of vulnerability patching, and request a software bill of materials (SBOM) to validate that third-party code is up-to-date and secure. Also, look for a product that validates the integrity of its own code at runtime to detect tampering or intrusion.
After deploying a VPN, regularly check for and promptly apply software updates. Follow vendor guidance for updating, such as forcing a password change for users when patching a vulnerability known to be actively exploited by threat actors.
4. Limit VPN access
VPNs are a common target for cybercriminals who use compromised credentials to access an organization’s internal systems. Create firewall rules that allow only the ports the VPN itself needs: UDP ports 500 and 4500 for IKE/IPsec VPNs, or TCP port 443 (or the custom port in use) for SSL/TLS VPNs.
It is also wise to restrict access to and from the VPN. If possible, limit access to the VPN endpoint based on an IP address allowlist. Also, block access to management interfaces from inside the VPN tunnel, so that an attacker holding compromised administrator credentials cannot use the VPN itself to reach those interfaces and perform privileged activities. This should be part of a greater zero trust security and network segmentation policy that limits access to and from the VPN based on the principle of least privilege.
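The three controls in this section (VPN ports only, peer allowlist, no management access through the tunnel) can be expressed as one host firewall policy on the VPN endpoint. The generator below is an added example, not configuration from the advisory or from any vendor: it builds an nftables ruleset for either an IKE/IPsec or an SSL/TLS gateway, restricts the VPN ports to allowlisted peers, and places a drop for management networks ahead of the tunnel's accept rule. Interface names (`eth0`, `ipsec0`), the RFC 5737 peer addresses and the internal subnets are constructed sample values; `exposed_services` is a small self-check that reads back which ports the generated input chain actually opens.

```python
"""Build an nftables ruleset for a VPN endpoint that exposes only the VPN's own
ports to an allowlist of peers and keeps management networks unreachable from
inside the tunnel (added example; interface names and subnets are assumptions)."""
from ipaddress import ip_network

# Ports named in the advisory: IKE/IPsec uses UDP 500 (IKE) and UDP 4500
# (IKE over NAT-T); SSL/TLS VPNs use TCP 443 unless a custom port is configured.
VPN_PORTS = {
    "ipsec": [("udp", 500), ("udp", 4500)],
    "tls": [("tcp", 443)],
}


def _cidr_list(nets):
    """Validate each entry as a network or host address and render an nft set literal.
    ip_network() is strict, so a prefix with host bits set (e.g. 203.0.113.5/24)
    raises ValueError instead of silently widening the allowlist."""
    return "{ " + ", ".join(str(ip_network(n)) for n in nets) + " }"


def build_ruleset(vpn_type, peer_allowlist, mgmt_nets, app_nets,
                  wan_if="eth0", tunnel_if="ipsec0"):
    """Return an nft ruleset (as text) for the given VPN type and address policy."""
    if vpn_type not in VPN_PORTS:
        raise ValueError(f"unsupported VPN type: {vpn_type}")
    lines = [
        "table inet vpn_edge {",
        f"  set vpn_peers {{ type ipv4_addr; flags interval; elements = {_cidr_list(peer_allowlist)} }}",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
    ]
    # Only the VPN's own ports are reachable from the internet, and only from allowlisted peers.
    for proto, port in VPN_PORTS[vpn_type]:
        lines.append(f'    iifname "{wan_if}" ip saddr @vpn_peers {proto} dport {port} accept')
    lines += [
        "  }",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        # The management-network drop is deliberately placed before the accept, so a
        # compromised account coming through the tunnel cannot reach admin interfaces.
        f'    iifname "{tunnel_if}" ip daddr {_cidr_list(mgmt_nets)} drop',
        f'    iifname "{tunnel_if}" ip daddr {_cidr_list(app_nets)} accept',
        "  }",
        "}",
    ]
    return "\n".join(lines)


def exposed_services(ruleset):
    """Return the (proto, port) pairs the input chain accepts from the WAN."""
    services = set()
    for line in ruleset.splitlines():
        parts = line.split()
        if "iifname" in parts and "saddr" in parts and "dport" in parts and parts[-1] == "accept":
            proto = parts[parts.index("dport") - 1]
            port = int(parts[parts.index("dport") + 1])
            services.add((proto, port))
    return services


if __name__ == "__main__":
    # Constructed sample: two allowlisted peers, one management subnet, one application subnet.
    print(build_ruleset("ipsec", ["203.0.113.0/24", "198.51.100.7"],
                        mgmt_nets=["10.0.100.0/24"], app_nets=["10.0.10.0/24"]))
```

The output can be loaded with `nft -f`. Note that the forward chain's default policy is drop, so adding an application subnet to `app_nets` is the only way traffic from the tunnel reaches anything internal, which is the least-privilege posture the section describes; the explicit management drop remains in place even if someone later widens the accept rule.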
5. Secure VPN traffic
A VPN is designed to provide an encrypted channel between two locations. It does not perform any security inspection or filter the traffic passing through this tunnel.
All VPN traffic should pass through a full security stack en route to and from the enterprise network, including a web application firewall (WAF) and intrusion prevention system (IPS). Additionally, the VPN should be configured with all of its web application security settings enabled, including protections against replay attacks that reuse previous users’ session data.
Deploying a secure remote access VPN
In the wake of the COVID-19 pandemic, many organizations rolled out infrastructure as quickly as possible to support a suddenly remote workforce. As a result, much remote access infrastructure was vulnerable to exploitation, a state that ransomware gangs and other cybercriminals have taken full advantage of.
The need for remote access is not going away any time soon, and securing the remote workforce should be a core component of an enterprise cybersecurity strategy. The guidance released by the NSA and CISA provides an opportunity for organizations to review and reevaluate their existing VPN infrastructure and potential plans for expansion. Check out the full advisory for a list of recommendations for acquiring and hardening secure remote access VPNs.
Sources:
- Tweet, @pancak3lullz
- NSA, CISA Release Guidance on Selecting and Hardening Remote Access VPNs, NSA
- Selecting and Hardening Remote Access VPN Solutions, NSA and CISA