The U.S. National Security Agency (NSA) has issued guidance on securing IPsec (IP Security) Virtual Private Networks (VPNs) against cyberthreats. The advisory stresses that VPNs carrying sensitive information across untrusted networks, whether to connect remote sites or to enable telework, must be built on strong, correctly configured cryptography.
“Many organizations currently utilize IP Security and Virtual Private Networks to connect remote sites and enable telework capabilities. These connections use cryptography to protect sensitive information that traverses untrusted networks. To protect this traffic and ensure data confidentiality, it is critical that these VPNs use strong cryptography. This guidance identifies common VPN misconfigurations and vulnerabilities,” NSA said in the advisory.
Securing Virtual Private Networks
To secure a VPN, NSA recommends the following:
- Reduce the VPN gateway attack surface
- Verify that the cryptographic algorithms are Committee on National Security Systems Policy (CNSSP) 15-compliant
- Avoid using default VPN settings
- Remove unused or non-compliant cryptography suites
- Apply vendor-provided updates for VPN gateways and clients
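Two of the items above, verifying that the configured algorithms are CNSSP 15-compliant and removing every suite that is not, are easy to automate before a configuration is pushed to a gateway. The following audit script is an added example and is not part of the NSA advisory. It assumes strongSwan-style `alg-alg-alg` proposal notation, and its allowlist is this editor's reading of CNSSP 15 (the CNSA Suite) for IPsec: AES-256, SHA-384, and ECDH P-384 (DH group 20) or 3072-bit MODP (DH group 15). Check that list against the current CNSSP 15 annex and your vendor's algorithm names before relying on it.

```shell
#!/bin/sh
# Audit IKE/ESP proposal strings against a CNSSP 15 allowlist before deploying them.
# Added example, not from the NSA advisory. Proposal syntax follows strongSwan's
# "alg-alg-alg" notation (an assumption); the allowlist is this editor's reading of
# CNSSP 15 / the CNSA Suite for IPsec and should be checked against the current annex.

# Assumed CNSSP 15-compliant algorithms: AES-256 (CBC or GCM), SHA-384 for integrity
# and PRF, ECDH P-384 (ecp384, DH group 20) or 3072-bit MODP (modp3072, DH group 15).
# Anything not listed (aes128, sha1, 3des, modp1024, ...) is rejected.
CNSSP15_ALLOW="aes256 aes256gcm16 sha384 prfsha384 ecp384 modp3072"

# token_allowed ALG -> 0 if ALG is in the allowlist
token_allowed() {
    for ok in $CNSSP15_ALLOW; do
        [ "$1" = "$ok" ] && return 0
    done
    return 1
}

# audit_proposal "aes256gcm16-prfsha384-ecp384" -> prints "OK" or "FAIL: <bad algs>"
audit_proposal() {
    bad=""
    for tok in $(printf '%s' "$1" | tr '-' ' '); do
        token_allowed "$tok" || bad="$bad $tok"
    done
    if [ -z "$bad" ]; then printf 'OK\n'; else printf 'FAIL:%s\n' "$bad"; fi
}

# audit_config FILE -> lists every proposal with its verdict; returns 1 if any fails,
# so it can gate a configuration push. Lines hold one or more comma-separated proposals;
# blank lines and '#' comments are skipped.
audit_config() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        for prop in $(printf '%s' "$line" | tr ',' ' '); do
            verdict=$(audit_proposal "$prop")
            printf '%-36s %s\n' "$prop" "$verdict"
            [ "$verdict" = "OK" ] || rc=1
        done
    done < "$1"
    return $rc
}

# Constructed sample: a gateway that still carries vendor-default legacy suites
# alongside the compliant ones.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# IKE
aes256gcm16-prfsha384-ecp384
aes256-sha384-modp3072
# ESP, vendor defaults never removed
aes256gcm16-ecp384,aes128-sha1-modp1024,3des-sha1
EOF
audit_config "$SAMPLE" || echo "non-compliant proposals present: remove them from the gateway"
rm -f "$SAMPLE"
```

The point of the non-zero exit status is that the audit can sit in the same pipeline that pushes the configuration, so a default suite that was never removed blocks the deploy rather than surfacing in a later scan.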
“VPNs are essential for enabling remote access and securely connecting remote sites, but without proper configuration, patch management, and hardening, VPNs are vulnerable to attack,” the advisory added.
Reducing the Attack Surface
The advisory stated that VPN gateways are typically reachable directly from the internet, which exposes them to network scanning, zero-day vulnerabilities, and brute-force attacks. To limit that exposure, NSA urged network administrators to implement traffic filtering rules, including:
- Restrict all traffic reaching the VPN gateway to IKE on UDP port 500, IKE with NAT traversal on UDP port 4500, and ESP (IP protocol 50)
- Where possible, limit accepted traffic to known VPN peer IP addresses. Remote-access VPNs are the exception: the remote peer's IP address is not known in advance, so it cannot be placed in a static filtering rule
- Where traffic cannot be filtered to specific IP addresses, NSA recommends placing an Intrusion Prevention System (IPS) in front of the VPN gateway to monitor for undesired IPsec traffic and inspect IPsec session negotiations
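The three filtering rules above can be expressed as a single nftables ruleset for the gateway's WAN side. The script below is an added example, not taken from the advisory; the interface name, the peer addresses (RFC 5737 documentation ranges), and the table and set names are assumptions. With peer addresses it produces the site-to-site form, pinning IKE and ESP to a set of known peers; without them it produces the remote-access form, where the source cannot be pinned and the emitted comment records the advisory's fallback of an IPS upstream. A second helper reads an existing ruleset (for example the output of `nft list ruleset`) and reports any accept rule on the WAN interface that is not IKE or ESP.

```shell
#!/bin/sh
# Generate an nftables ruleset that exposes only IPsec on a VPN gateway's WAN side.
# Added example (not from the NSA advisory). Interface names, peer addresses and the
# table/set names are this editor's assumptions.
# Apply with:  vpn_gateway_ruleset eth0 203.0.113.10 198.51.100.22 | nft -f -

# vpn_gateway_ruleset WAN_IF [PEER_IP ...]  -> ruleset on stdout
vpn_gateway_ruleset() {
    wan="$1"; shift
    peers=""
    match=""                              # extra source match when peers are known
    if [ "$#" -gt 0 ]; then
        peers=$(printf '%s, ' "$@")
        peers="${peers%, }"               # strip the trailing ", "
        match="ip saddr @ipsec_peers "
    fi

    printf 'table inet vpn_gw {\n'
    if [ -n "$peers" ]; then
        # Site-to-site: peer addresses are static, so pin them in a set.
        printf '    set ipsec_peers {\n        type ipv4_addr\n        elements = { %s }\n    }\n' "$peers"
    fi
    printf '    chain input {\n'
    printf '        type filter hook input priority 0; policy drop;\n'
    printf '        iif lo accept\n'
    printf '        ct state established,related accept\n'
    if [ -z "$peers" ]; then
        # Remote access: the peer address is unknown, so the source cannot be pinned.
        # The advisory's fallback is an IPS in front of the gateway inspecting IKE.
        printf '        # remote-access mode: any source may negotiate IKE; deploy an IPS upstream\n'
    fi
    # IKE (UDP 500), IKE with NAT traversal (UDP 4500) and ESP (IP protocol 50); nothing else.
    # Management (SSH, HTTPS) is not opened here, so it stays unreachable from the WAN.
    printf '        iifname "%s" %sudp dport { 500, 4500 } accept\n' "$wan" "$match"
    printf '        iifname "%s" %sip protocol esp accept\n' "$wan" "$match"
    printf '    }\n'
    printf '}\n'
}

# wan_accepts_only_ipsec WAN_IF < ruleset  -> 0 if every accept rule on WAN_IF is IKE or
# ESP, else prints the offending rules and returns 1. Matches the rule forms this
# generator emits (an assumption about how the ruleset was written).
wan_accepts_only_ipsec() {
    wan="$1"
    grep -E "iifname \"$wan\" .*accept" \
        | grep -Ev 'udp dport (500|4500|\{ 500, 4500 \}) accept|(ip protocol|meta l4proto) esp accept' \
        && return 1
    return 0
}

# Constructed example: a site-to-site gateway with two known peers.
vpn_gateway_ruleset eth0 203.0.113.10 198.51.100.22
```

The ruleset covers the gateway's own input path only; forwarding rules for the decrypted traffic are a separate concern, and IPv6 peers would need `ip6` equivalents of the saddr and protocol matches. Keep the audit helper in the change pipeline so that an administrator who later adds `tcp dport 22 accept` on the WAN interface is caught before the rule reaches production.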
“VPNs are essential for enabling remote access and connecting remote sites securely. However, without the proper configuration, patch management, and hardening, VPNs are vulnerable to many different types of attacks. To ensure that the confidentiality and integrity of a VPN is protected, reduce the VPN gateway attack surface, always use CNSSP 15-compliant cryptography suites, avoid using vendor defaults, disable all other cryptography suites, and apply patches in a timely manner,” the NSA concluded.