US National Security Agency Issues Recommendations for Securing IPSec VPNs
The National Security Agency (NSA), the national-level intelligence agency of the United States Department of Defense, is primarily known for its intelligence gathering activities. But an important part of its mission is protecting US secrets and the privacy rights of Americans – a charter that has resulted in the NSA becoming the world leader in cryptology. With its privacy-rights protection hat firmly in place, in July 2020, NSA issued a Cybersecurity Information bulletin providing guidance on “Securing IPsec Virtual Private Networks.”
No doubt, the decision to issue this bulletin now was influenced by the increase in numbers of people working from home and connecting to corporate networks remotely as a result of COVID-19 pandemic-related recommendations. The rise in remote connectivity has been accompanied by a sharp increase in cyberattacks. For example, brute force attacks on Remote Desktop Protocol (RDP) ports skyrocketed from around 250,000/day in January-February 2020 to over 1.4 million a day in April.
VPNs are being targeted as well as RDP ports, and for similar reasons. With new VPN vulnerabilities being frequently discovered, and ongoing concerns about the technology’s inherent security weaknesses, VPNs represent low-hanging fruit for cyberattackers seeking additional ways to exploit the move to remote work.
IPSec versus SSL
Two major protocols, IPSec and SSL, are used to encrypt VPN traffic to keep it secure. IPSec is the more traditional protocol used for securing VPNs, although SSL is gaining in popularity because it can be accessed with a standard browser. It does not require installation of specialized client software on end user devices – an important consideration for users who are working at home on their own devices, without onsite IT support.
While the NSA’s recommendations specifically mention IPSec VPNs, many of the same considerations are equally applicable when the SSL network encryption protocol is used.
The NSA bulletin includes the following five recommendations:
- Reduce the VPN gateway attack surface. Exposure to brute force attacks, network scanning, and zero-day exploits can be reduced by restricting which ports, protocols, and source IP addresses are allowed to reach the gateway. The NSA also recommends monitoring for unusual traffic, so that attacks can be quickly discovered and halted.
- Verify that cryptographic algorithms are compliant with Committee on National Security Systems Policy (CNSSP) 15. CNSSP-15 requires national security information to be secured by NSA-approved cryptography. The bulletin advises private sector organizations to use CNSSP-15 compliant cryptography as well, and gives specific guidance on how to check whether existing VPN configurations use approved algorithms.
- Avoid using default VPN settings. To make deploying complex VPNs easy for customers, many vendors include a set of default configurations. Making setup easy for customers, however, makes hacking easy as well. Hackers are well aware of these default settings, which means that you should avoid using them. Given the choice, select the strongest cryptography available.
- Remove unused or non-compliant cryptography suites. Some vendors include a variety of cryptography suites in their product, some of which are not compliant with CNSSP-15. It’s best to explicitly remove any unused or non-compliant policies from the configuration to avoid downgrade attacks, in which a cybercriminal tries to force a VPN endpoint to use a non-compliant cryptography suite.
- Apply vendor-provided updates (i.e. patches) for VPN gateways and clients. Vulnerabilities are periodically discovered in IPSec VPNs as well as in all kinds of software. It’s important to keep all software up-to-date and apply patches as soon as they are released.
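As an added example (not from the bulletin or the original post), here is a small Python audit that checks strongSwan-style IKE/ESP proposal strings against an approved-algorithm allowlist and reports the proposals that should be removed, which is the practical shape of the "verify compliance" and "remove non-compliant suites" steps above. The allowlist values and the sample configuration are my assumptions, modeled on the bulletin's CNSSP-15 guidance; substitute the algorithm set your own policy approves.

```python
import re
# Assumed allowlist modeled on the bulletin's CNSSP-15 guidance as I read it:
# AES-256 (CBC/GCM), SHA-384, DH group 16 (modp4096) or 20 (ecp384). Adjust.
APPROVED = {
    "enc": {"aes256", "aes256gcm16"},
    "integ": {"sha384", "prfsha384"},  # integrity and PRF tokens
    "dh": {"modp4096", "ecp384"},
}
# Recognisers for the token classes used in strongSwan-style proposal strings.
CLASSES = [
    ("enc", re.compile(r"^(aes\d+(gcm\d+|ccm\d+)?|3des|des|null|chacha20poly1305|camellia\d+)$")),
    ("integ", re.compile(r"^(prf)?(sha\d+(_\d+)?|md5|aesxcbc)$")),
    ("dh", re.compile(r"^(modp\d+|ecp\d+|curve25519)$")),
]
def classify(token):
    """Map one proposal token to its class, or 'unknown' if unrecognised."""
    for cls, rx in CLASSES:
        if rx.match(token):
            return cls
    return "unknown"

def audit_proposal(proposal):
    """Return findings for one 'enc-integ-dh' proposal; empty means compliant."""
    findings = []
    for token in proposal.lower().split("-"):
        cls = classify(token)
        if cls == "unknown":
            findings.append(f"{token}: unrecognised token, review manually")
        elif token not in APPROVED[cls]:
            findings.append(f"{token}: {cls} not in approved set {sorted(APPROVED[cls])}")
    return findings

def audit_config(proposals):
    """Audit {connection: 'prop1, prop2, ...'}. Flagged proposals should be
    deleted from the config, not left as fallbacks a peer could negotiate."""
    report = {}
    for name, plist in proposals.items():
        for prop in (p.strip() for p in plist.split(",")):
            findings = audit_proposal(prop)
            if findings:
                report.setdefault(name, {})[prop] = findings
    return report
# Constructed sample: strong primary proposals plus vendor-default fallbacks.
SAMPLE = {
    "ike": "aes256gcm16-prfsha384-ecp384, aes128-sha1-modp1024",
    "esp": "aes256gcm16-ecp384, 3des-sha1",
}
for conn, flagged in audit_config(SAMPLE).items():
    print(conn, "-> remove:", ", ".join(flagged))
```

Proposals are only flagged, never rewritten: the fix is to delete the flagged entries from the gateway configuration so they are not offered during negotiation at all.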
These NSA recommendations are essential steps for helping you secure your IPSec VPNs against cyberattacks, and should be implemented by all organizations.
In addition to strengthening your VPN by implementing the NSA recommendations, explore complementary ways to reduce your attack surface. Limit lateral network traffic by micro-segmenting your network. And because users working from home are particularly vulnerable to web-based attacks such as phishing and malware, industry analysts like Gartner recommend using technologies like Remote Browser Isolation to keep malicious web content from reaching endpoints, especially if organizations have deployed a split-tunnel approach that does not route general internet traffic over the VPN.