The US National Security Agency (NSA) has published guidance on how to properly secure IP Security (IPsec) Virtual Private Networks (VPNs) against potential attacks.
Besides giving organizations recommendations on how to secure IPsec tunnels, NSA's VPN guidance also highlights the importance of using strong cryptography to protect sensitive information carried in VPN traffic as it traverses untrusted networks between clients, gateways and remote sites.
Following these recommendations is especially important for organizations that moved the majority of their workforce to telework since the start of the pandemic.
“VPNs are essential for enabling remote access and securely connecting remote sites, but without proper configuration, patch management, and hardening, VPNs are vulnerable to attack,” the NSA explains.
Among the measures network admins need to take to ensure a VPN’s security, the NSA underlines the need to reduce the attack surface, to always customize the VPN’s default settings, and to apply any security updates as soon as they’re issued by vendors.
How to secure a Virtual Private Network
NSA’s full list of recommendations for a secure VPN:
• Reduce the VPN gateway attack surface
• Verify that cryptographic algorithms are Committee on National Security Systems Policy (CNSSP) 15-compliant
• Avoid using default VPN settings
• Remove unused or non-compliant cryptography suites
• Apply vendor-provided updates (i.e. patches) for VPN gateways and clients
First of all, administrators are advised to implement strict traffic filtering rules designed to limit the ports, protocols, and IP addresses that can be used to connect to VPN gateways (for IPsec, typically UDP/500 and UDP/4500 for IKE and NAT-T plus ESP, restricted to known peer addresses). If this is not possible, an Intrusion Prevention System (IPS) can help "monitor for undesired IPsec traffic and inspect IPsec session negotiations."
Admins also need to make sure that ISAKMP/IKE and IPsec policies don’t allow obsolete cryptographic algorithms to avoid compromising data confidentiality.
When it comes to default VPN settings, NSA recommends avoiding the use of wizards, scripts, or vendor-provided defaults as they might configure non-compliant ISAKMP/IKE and IPsec policies.
Removing non-compliant and unused cryptography suites is another recommended measure, defending against downgrade attacks in which the VPN endpoints are forced to negotiate a non-compliant, insecure suite and the encrypted VPN traffic is exposed to decryption attempts. As long as a weak suite remains in the offered list, a peer can still select it; the only sure fix is to remove it.
Last but not least, making sure that the latest vendor-provided patches are applied as soon as possible will mitigate newly discovered security vulnerabilities affecting both VPN gateways and clients.
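The crypto-policy and downgrade points above are easy to check mechanically. The following Python script is an added example, not part of the NSA guidance or this article: it parses an IKE/IPsec proposal list written in the strongSwan/Libreswan style (`enc-integ-dh`, comma-separated), grades each proposal as obsolete, non-compliant or compliant, reports whether a compliant suite is being offered alongside weaker ones (the downgrade exposure), and prunes the list to the compliant suites. The compliant and obsolete sets are this example's reading of CNSSP 15 / the NSA guidance (AES-256, SHA-384, DH 3072-bit or larger or ECP-384; DES, 3DES, MD5, SHA-1 and DH groups 1, 2 and 5 obsolete) and the requirement for a DH group on every proposal is this example's policy choice; verify both against the current policy text before enforcing them. The sample proposal string is constructed.

```python
"""Audit IKE/IPsec proposal strings for obsolete algorithms and downgrade exposure.

Proposal syntax assumed: strongSwan/Libreswan style 'enc-integ-dh[,enc-integ-dh...]'.
Adapt parse_proposal() if your gateway uses another notation.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumption: these sets reflect CNSSP 15 / CNSA as of 2020 (AES-256, SHA-384,
# DH >= 3072-bit MODP or ECP-384). Check them against the current policy text.
COMPLIANT_ENC = {"aes256", "aes256gcm16", "aes256gcm12", "aes256gcm8"}
COMPLIANT_INTEG = {"sha384"}          # HMAC-SHA-384; AEAD ciphers need no separate integ
COMPLIANT_PRF = {"prfsha384"}         # IKEv2 PRF when an AEAD cipher is used
COMPLIANT_DH = {"modp3072", "modp4096", "modp6144", "modp8192", "ecp384"}

# Obsolete algorithms: DES, 3DES, NULL, MD5, SHA-1 and DH groups 1, 2 and 5.
OBSOLETE = {"des", "3des", "null", "md5", "sha1", "modp768", "modp1024", "modp1536"}

RANK = {"compliant": 0, "non-compliant": 1, "obsolete": 2}


def worst(a: str, b: str) -> str:
    return a if RANK[a] >= RANK[b] else b


@dataclass
class Proposal:
    text: str
    enc: str | None = None
    integ: str | None = None
    prf: str | None = None
    dh: str | None = None


def parse_proposal(text: str) -> Proposal:
    """Split 'aes256-sha384-ecp384' into its components, order-insensitively."""
    p = Proposal(text=text.strip())
    for tok in p.text.lower().split("-"):
        if tok.startswith(("modp", "ecp", "curve")):
            p.dh = tok
        elif tok.startswith("prf"):
            p.prf = tok
        elif tok.startswith(("sha", "md5", "aesxcbc")):
            p.integ = tok
        else:
            p.enc = tok
    return p


def parse_proposals(spec: str) -> list[Proposal]:
    return [parse_proposal(t) for t in spec.split(",") if t.strip()]


def classify(p: Proposal) -> tuple[str, list[str]]:
    """Return (tier, reasons); tier is 'compliant', 'non-compliant' or 'obsolete'."""
    tier = "compliant"
    reasons: list[str] = []

    def check(name: str, value: str | None, compliant: set[str], required: bool) -> None:
        nonlocal tier
        if value is None:
            if required:
                reasons.append(f"no {name} specified")
                tier = worst(tier, "non-compliant")
        elif value in OBSOLETE:
            reasons.append(f"{name} {value} is obsolete")
            tier = worst(tier, "obsolete")
        elif value not in compliant:
            reasons.append(f"{name} {value} is not CNSSP 15-compliant")
            tier = worst(tier, "non-compliant")

    aead = p.enc is not None and any(m in p.enc for m in ("gcm", "ccm", "chacha"))
    check("encryption", p.enc, COMPLIANT_ENC, required=True)
    check("integrity", p.integ, COMPLIANT_INTEG, required=not aead)  # AEAD covers integrity
    check("PRF", p.prf, COMPLIANT_PRF, required=False)
    # Example policy choice: every proposal must name a DH group (forward secrecy).
    check("DH group", p.dh, COMPLIANT_DH, required=True)
    return tier, reasons


def audit(spec: str) -> dict:
    results = [(p.text, *classify(p)) for p in parse_proposals(spec)]
    tiers = {tier for _, tier, _ in results}
    # Offering a compliant suite next to weaker ones is the downgrade exposure the
    # guidance warns about: a peer can still pick the weak suite while it is offered.
    return {
        "results": results,
        "downgrade_risk": "compliant" in tiers and len(tiers) > 1,
        "all_compliant": tiers == {"compliant"},
    }


def harden(spec: str) -> str:
    """Keep only compliant proposals; refuse to silently produce an empty policy."""
    keep = [p.text for p in parse_proposals(spec) if classify(p)[0] == "compliant"]
    if not keep:
        raise ValueError("no compliant proposal present; rewrite the policy, do not just prune it")
    return ",".join(keep)


# Constructed sample: a wizard-style default mixing legacy suites with one strong one.
WEAK_SPEC = "aes128-sha1-modp1024,3des-md5-modp768,aes256-sha384-ecp384"

if __name__ == "__main__":
    report = audit(WEAK_SPEC)
    for text, tier, reasons in report["results"]:
        print(f"{tier:14} {text:28} {'; '.join(reasons)}")
    print("downgrade exposure:", report["downgrade_risk"])
    print("hardened policy:   ", harden(WEAK_SPEC))
```

Run it against the proposal lines of each IKE and ESP policy on the gateway; any `obsolete` or `non-compliant` hit, or `downgrade exposure: True`, means the policy still needs pruning, and a `ValueError` from `harden()` means the policy has no acceptable suite at all and must be rewritten rather than trimmed.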
The NSA also issued guidance providing administrators with example IPsec VPN configurations and specific instructions on how to implement the above measures and ensure the most secure VPN configurations.
The importance of securing VPNs
In October 2019, the NSA warned about multiple state-backed Advanced Persistent Threat (APT) actors who were actively weaponizing the CVE-2019-11510, CVE-2019-11539, and CVE-2018-13379 vulnerabilities to compromise vulnerable VPN devices.
As part of the same security advisory, NSA also issued mitigation for Pulse Secure, Palo Alto, and Fortinet VPN clients, as well as recommendations on how to harden VPN security configurations.
In January 2020, CISA warned organizations to patch their Pulse Secure VPN servers to defend against ongoing attacks exploiting the remote code execution (RCE) vulnerability tracked as CVE-2019-11510, a warning that followed another alert issued by CISA in October 2019 and others from the NSA, the UK's National Cyber Security Centre (NCSC), and the Canadian Centre for Cyber Security.
The same month, an FBI flash security alert stated that state-backed hackers breached the networks of a US financial entity and a US municipal government after exploiting servers left vulnerable to CVE-2019-11510.
Three months later, CISA said that threat actors successfully deployed ransomware on the systems of US hospitals and government entities using stolen Active Directory credentials, months after first exploiting Pulse Secure VPN servers left unpatched against CVE-2019-11510.
In March 2020, CISA also shared a series of tips designed to help organizations that had implemented work-from-home programs correctly secure their enterprise VPNs, as malicious actors were expected to focus their attacks on teleworkers.