The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have released guidance and best practices for securing virtual private network (VPN) solutions.
VPNs, an important security tool in an era of widespread remote work, are entry points into secured networks that attackers frequently try to exploit. Because of VPNs’ vulnerabilities – a recent example involved a massive leak of Fortinet users’ passwords – a number of security vendors have been pushing zero trust network access as a potential replacement for VPNs.
The Sept. 28 NSA-CISA document (PDF download) urges buyers to use standards-based VPNs from vendors with a track record of swiftly addressing known vulnerabilities and using strong authentication credentials. The VPN can be further hardened by configuring strong cryptography and authentication, enabling only the most essential features, and protecting and monitoring access to and from the VPN. What might be most striking about the document is how many security steps and solutions it takes to properly secure VPN connections.
Nation-state advanced persistent threat (APT) actors have used VPN device vulnerabilities for credential harvesting, remote code execution, traffic hijacking, data leakage, and compromising the security of encrypted traffic sessions. According to the document, these effects usually lead to further malicious access through the VPN, resulting in large-scale compromise of the corporate network or identity infrastructure and sometimes of separate services as well.