5 NSA-recommended strategies for improving your VPN security

The US National Security Agency has noticed a surge in cyberattacks targeting VPNs since the COVID-19 pandemic has forced more people to work from home.

vpn.jpg

Image: Getty Images/iStockphoto

The United States National Security Agency (NSA) is warning remote workers, whose numbers have skyrocketed due to the COVID-19 pandemic, that Virtual Private Networks (VPNs) are increasingly a target of cybercriminals. A senior NSA official speaking to reporters last week said that telework infrastructure like VPNs have become a focus for malicious actors, which led the NSA to release a formal advisory on how to secure VPNs from cyberattacks

Security risks due to an increase in remote work have been well documented, and tips to counter those threats have also been covered by TechRepublic. 

SEE: Navigating data privacy (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)

This latest set of five recommendations may look familiar to cybersecurity professionals and those familiar with securing remote connections, but the information bears repeating, especially with many more VPN connections being used and reports that cybersecurity isn't keeping up with the work-from-home revolution that quarantines have forced on businesses. 

1. Reduce the attack surface of VPN gateways

"VPN gateways tend to be directly accessible from the internet and are prone to network scanning, brute force attacks, and zero-day vulnerabilities," the NSA bulletin said. Mitigation efforts should include implementing strict traffic filtering rules to limit ports, protocols, and IP addresses that can transmit on VPNs, and using an intrusion prevention system in front of the VPN gateway that can inspect traffic.

2. Only use cryptographic algorithms that comply with CNSSP 15

The Committee on National Security Systems Policy 15 (PDF) specifies which encryption protocols can be used on secure government systems, and if it's good enough for the NSA (at least until it swapped CNSSP 15 for CNSA in 2018), it's probably good enough for your organization.

CNSSP 15-compliant encryption falls into two categories: Encryption sufficient to protect secret-level information (256-bit elliptic curve, SHA-256, and AES-128) and encryption sufficient to protect top secret information (384-bit elliptic curve, SHA-384, and AES-256). 

SEE: Zero trust security: A cheat sheet (free PDF) (TechRepublic)

"As the computing environment evolves and new weaknesses in algorithms are identified, administrators should prepare for cryptographic agility: Periodically check CNSSP and NIST guidance for the latest cryptographic requirements, standards, and recommendations," the NSA said.

3. Don't use default VPN settings

Configuring a VPN deployment can be difficult, which leads many organizations to leave default settings in place, said the NSA. The NSA specifically states that administrators should avoid using auto config tools or GUI wizards because they can leave undesired cryptographic suites behind, giving a potential attacker more avenues to break in.

4. Remove any cryptography suites that aren't in use or are non-compliant

The particular problem here comes in the form of Internet Security Association and Key Management Protocol (ISAKMP) and Internet Key Exchange (IKE) encryption policies, many of which fail to comply with CNSSP 15. As mentioned above, automated tools often leave residual crypto suites behind after setup, leaving VPNs vulnerable to encryption downgrade attacks. 

"Verifying that only compliant ISAKMP/IKE and IPsec policies are configured and all unused or non-compliant policies are explicitly removed from the configuration mitigates this risk," the NSA said. 

SEE: The best VPN service for 2020 (CNET)

5. Keep VPNs updated

"Over the past several years, multiple vulnerabilities have been released related to IPsec VPNs. Many of these vulnerabilities are only mitigated by routinely applying vendor-provided patches to VPN gateways and clients," the NSA said.

Good patching habits are a standard part of any security best practices and the same goes for VPNs--keep them up to date and subscribe to security alert emails to be sure you know about any newly discovered threats.

Also see