The National Security Agency and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Information Sheet today detailing factors to consider when choosing a virtual private network (VPN) and top configurations for deploying it securely.
VPN servers are entry points into protected networks, making them attractive targets. Multiple nation-states advanced persistent threat (APT) actors have weaponized common vulnerabilities and exposures (CVEs) to gain access to vulnerable VPN devices.
The exploitation of these CVEs can enable a malicious actor to steal credentials, remotely execute code, weaken encrypted traffic’s cryptography, hijack encrypted traffic sessions, and read sensitive data from the device. If successful, these effects usually lead to further malicious access and could result in a large-scale compromise to the corporate network.
As general rules for hardening the VPN, the two agencies recommend reducing the server’s attack surface by:
- Configuring strong cryptography and authentication
- Running on strictly necessary features
- Protecting and monitoring access to and from the VPN
The Information Sheet details considerations for selecting a remote access VPN, as well as actions to harden the VPN from compromise. Top hardening recommendations include using tested and validated VPN products on the National Information Assurance Partnership (NIAP) Product Compliant List, employing strong authentication methods like multi-factor authentication, promptly applying patches and updates, and reducing the VPN’s attack surface by disabling non-VPN-related features.
NSA is releasing this guidance as part of our mission to help secure the Department of Defense, National Security Systems and the Defense Industrial Base.
