NSA, CISA release guidance on hardening remote access via VPN solutions

The U.S. CISA and the NSA agencies have published guidance for securely using virtual private network (VPN) solutions.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have released guidance for increasing the security of virtual private network (VPN) solutions.

Multiple attacks against private organizations and government entities, especially during the pandemic, were carried out by threat actors by exploiting vulnerabilities in popular VPN systems.

Multiple ransomware gangs exploited VPN solutions from major vendors, including Fortinet, Ivanti (Pulse), and SonicWall.

“US government experts pointed out that compromised VPN devicesrepresented the entry points into protected networks, for this reason, multiple nation-state actors have weaponized common known vulnerabilities to gain access to vulnerable VPN servers.” states the joint announcement published by the US agencies.

The agencies published an Information Sheet that provided recommendations on the criteria to adopt to select a remote access VPN service and instructions on how to harden the VPN to prevent their compromise.

The guidance suggests to select only industry-standard solutions, do not choose non-standard VPN solutions, including a class of products referred to as Secure Sockets Layer/Transport Layer Security (SSL/TLS) VPNs. These products include custom, non-standard features to tunnel traffic via TLS. The report suggests to refers to the National Information Assurance Partnership (NIAP) Product Compliant List (PCL) that includes validated VPNs that were approved after being rigorously tested by third-party labs.

Select a vendor that is known for supporting products via regular software updates and quickly remediating known vulnerabilities.

The agencies recommend VPN solutions that implements protections against intrusions, such as the use of signed binaries or firmware images, a secure boot process that verifies boot code before it runs, and integrity validation of runtime processes and files.

Take care of the documentation provided by vendors of VPN services, it is important that it provides information about the protocols they support when establishing VPN tunnels.

Select only solutions that support strong authentication credentials and protocols, and disables weak credentials and protocols by default. It is important to use multi-factor authentication.

The guidance also provided the following recommendations to reduce the remote access VPN attack surface:

• Immediately apply patches and updates to mitigate known vulnerabilities that are often rapidly exploited;
• Restrict external access to the VPN device by port and protocol;
• Disable non-VPN-related functionality and advanced features that are more likely to have vulnerabilities (i.e. web administration, Remote Desktop Protocol, Secure Shell, and file sharing).
• Restrict management interface access via the VPN;

Government experts recommend to protect and monitor access to and from the VPN, they suggest the use of an intrusion prevention system in front of the remote access VPN to detect malicious VPN traffic, and the use of Web Application Firewalls (WAFs),

It is important enabling local and remote logging to record and track VPN user activity and to implement network segmentation and restrictions to limit access only to services that really needed to be remotely reachable via the VPN.

“Remote access VPNs are entryways into corporate networks and all the sensitive data and services they have. This direct access makes them prized targets for malicious actors. Keep malicious actors out by selecting a secure, standards-based VPN and hardening its attack surface. This is essential for ensuring a network’s cybersecurity.” concludes the guidance.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, VPN solutions)

[adrotate banner=”5″]

[adrotate banner=”13″]