Joint guidance has been released by the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) on selecting Virtual Private Network (VPN) solutions and hardening security.
VPN solutions are implemented to improve security for remote workers, as they create an encrypted tunnel into protected networks through which all data traffic is routed; however, VPN entry points into networks can be vulnerable to attacks. Nation-state threat groups have been targeting vulnerabilities in VPNs to steal credentials, cryptographically weaken encrypted traffic sessions, hijack encrypted traffic sessions, read sensitive data such as configurations, credentials and keys, and remotely execute code on VPN devices.
Chinese and Russian Advanced Persistent Threat (APT) actors have been and continue to target VPN devices using weaponized Common Vulnerabilities and Exposures (CVEs), and ransomware gangs have similarly been exploiting vulnerabilities to gain initial access to protected networks.
The guidance document offers advice on selecting VPN solutions and recommends only using solutions from reputable vendors, such as those included in the National Information Assurance Partnership (NIAP) Product Compliant List which have been tested and validated as complying with industry standards and having a proven track record for mitigating vulnerabilities promptly.
Best practices are detailed in the document that can be adopted to reduce the attack surface and harden security. VPN solutions should have strong cryptography and authentication measures, with multi-factor authentication enabled. VPNs should be protected, and access to and from the VPNs should be monitored. It is also recommended to enable only features that are strictly necessary, as this will help to reduce the attack surface. Features to consider blocking include web administration, Remote Desktop Protocol, Secure Shell, and file sharing.
When vulnerabilities in VPNs are discovered, hackers are quick to exploit the flaws. In some cases, APT groups have been observed exploiting flaws within 24 hours. It is therefore vital for security to ensure software updates and patches are applied promptly and vendor patch guidance is carefully followed. For example, if a vendor recommends changing all passwords associated with a device, all passwords should be changed without exception.
When a vulnerable software version is updated, consider updating VPN user, administrator, and service account credentials, revoking and generating new VPN server keys and certificates, and conducting a review of all accounts to check that they are expected and required, as additional accounts may have been created by a threat actor after exploiting a vulnerability. Also consider restricting access to VPN devices by port and protocol, only using UDP ports 500 and 4500 and Encapsulating Security Payload for IKE/IPsec VPNs, and TCP port 443 for SSL/TLS VPNs.
The guidance also recommends creating an allowlist for known VPN peer IP addresses and blocking all others if possible, and restricting management interface access via the VPN.
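The port/protocol restriction, peer allowlist and management-interface advice above, as an added shell example that is not part of the NSA/CISA document: it generates an nftables ruleset for a VPN gateway's Internet-facing interface. The interface names, the sample peer list, and the choice of TCP 22 and 443 as the management ports reachable only from the tunnel side are assumptions.

```shell
# Emit an nftables ruleset for a VPN gateway. Usage:
#   vpn_ruleset <ipsec|ssl> <wan-if> <mgmt-if> [peer-list]
# peer-list is a comma-separated set of known peer addresses/prefixes
# (site-to-site case); when omitted the VPN service accepts any source,
# as for remote-worker clients whose addresses are not known in advance.
vpn_ruleset() {
    vpn_type=$1; wan=$2; mgmt=$3; peers=$4
    src=""
    # Allowlist of known VPN peers, applied only when one is available.
    [ -n "$peers" ] && src="ip saddr { $peers } "
    case "$vpn_type" in
        ipsec)
            svc1="${src}udp dport { 500, 4500 } accept"   # IKE and NAT-T
            svc2="${src}meta l4proto esp accept" ;;       # ESP (IP proto 50)
        ssl)
            svc1="${src}tcp dport 443 accept"             # TLS VPN only
            svc2="" ;;
        *)  echo "unknown VPN type: $vpn_type" >&2; return 1 ;;
    esac
    # Only the VPN service itself is reachable on the WAN interface.
    wan_rules=$(printf '        iifname "%s" %s' "$wan" "$svc1")
    [ -n "$svc2" ] && wan_rules="$wan_rules
        iifname \"$wan\" $svc2"
    cat <<EOF
table inet vpn_gw {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # WAN: VPN service only. Web administration, SSH, RDP and file
        # sharing are not exposed here; everything else hits the drop policy.
$wan_rules
        # Management (SSH, web UI) reachable only via the tunnel/management
        # interface (assumed ports 22 and 443).
        iifname "$mgmt" tcp dport { 22, 443 } accept
    }
}
EOF
}
```

Load the output with `nft -f` after reviewing it; the assumed management ports and interface names must be adjusted to the deployment.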
The guidance can be found on the NSA website.