NSA and CISA Release Security Guide for VPN Devices

The U.S. National Security Agency (NSA) and the U.S. Cybersecurity and Infrastructure Security Administration (CISA) have released technical guidance on properly securing the VPN servers that companies use to allow employees remote access to their internal networks.

https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2791320/nsa-cisa-release-guidance-on-selecting-and-hardening-remote-access-vpns/

The NSA said it created the nine-page guide in response to several nation-state Advanced Persistent Threats (APTs) that have used vulnerabilities in common VPN servers to penetrate organizations.

By exploiting a CVE (a publicly known vulnerability) in a VPN device, an attacker can harvest credentials, execute code remotely, weaken the encryption of VPN traffic, hijack encrypted sessions, and read sensitive data from the device.

These actions, if successful, typically lead to further malicious access and can result in a massive compromise of corporate networks.

For example, state-sponsored groups in China, Iran, and Russia have been identified as exploiting vulnerabilities in Pulse Secure and Fortinet VPNs in attacks that took place between 2019 and 2021.

Ransomware groups such as Conti, Ryuk, REvil, DoppelPaymer, and LockBit have also been observed using VPN servers as an entry point into organizations, from which they expand their access to internal networks and launch file-encryption attacks.

In addition, crypto-mining botnets use VPN servers to infiltrate corporate networks, hide cryptocurrency mining software on internal systems, and consume computing resources for the attacker’s financial gain.

“Exploiting remote access VPNs can be a gateway to a major breach,” said Rob Joyce, director of cybersecurity for the NSA.

“We’ve created guidance to help organizations understand what to look for when choosing a VPN and how to configure it to reduce the risk of abuse.”

Review these recommendations to ensure your VPN is configured securely.

The guide covers the following topics and is expected to be updated as new issues and recommendations emerge.

  • A note on choosing a remote access VPN
  • Instructions for configuring strong cryptography and authentication
  • Advice on reducing the attack surface of the VPN by performing only strictly necessary functions
  • Advice on protecting and monitoring access to and from the VPN

The release of this guidance comes after the two organizations also released another joint guide on strengthening the security of Kubernetes clusters last month in August 2021.

NSA and CISA guidance

Selecting and Hardening Remote Access VPNs

Virtual Private Networks (VPNs) allow users to connect remotely to corporate networks through a secure tunnel. Through this tunnel, users can access internal services and protections that are normally provided only to onsite users, such as email and collaboration tools, confidential document repositories, and other internal services.

This makes remote access VPN servers a target for adversaries because they are the entry point to a protected network.

Aggressive exploitation

Multiple nation-state Advanced Persistent Threats (APTs) are exploiting publicly available Common Vulnerabilities and Exposures (CVEs) to attack vulnerable VPN devices.

In some cases, exploit code is freely available online. By exploiting a publicly available CVE, a malicious actor can achieve the following:

  • Credential harvesting
  • Remote execution of arbitrary code on VPN devices
  • Cryptographic weakening of encrypted traffic sessions
  • Hijacking of encrypted traffic sessions
  • Arbitrary reading of sensitive data (configuration, credentials, keys, etc.) from devices

These effects typically lead to further malicious access via VPNs, which can lead to massive compromise of corporate networks and identity infrastructures and in some cases compromise of other services as well.

Recommendations for choosing a remote access VPN

When choosing a remote access VPN, please consider the following recommendations.

■ Avoid choosing non-standard VPN solutions, including products called SSL/TLS (Secure Sockets Layer/Transport Layer Security) VPNs.

These products include customized, non-standard features for tunneling traffic via TLS.

Even if the TLS parameters used by the product are secure, the use of custom or non-standard features poses additional risks.

The NSA and CISA recommend a standardized Internet Key Exchange/Internet Protocol Security (IKE/IPsec) VPN.

■ Refer to the NIAP Product Compliant List (PCL) (Conformance Claim: EP_VPN_GW or MOD_VPNGW). NIAP-certified equipment has been rigorously tested by third-party laboratories against clearly defined security features and requirements.

Proprietary protocols may or may not have defined security requirements, and they may not be as well analyzed or tested as standards-based protocols.

Read the vendor’s documentation carefully to make sure that a candidate product supports the following.

■ Make sure that IKE/IPsec VPN is supported.

Some products do not provide comprehensive information about the protocols they support when establishing a VPN tunnel. Avoid products that do not clearly state the standards they comply with, or that claim to use proprietary methods to build VPNs.

If you are unable to establish an IKE/IPsec VPN, check whether the product uses SSL/TLS with its own VPN protocol or a non-standard VPN protocol.

Where possible, disable fallback to proprietary SSL/TLS-based or other non-standard VPN protocols.