NSA Shares Guide to Securing IPSec VPNs, Telework, Remote Sites
In light of the expansion of remote sites and telework, the NSA released insights for organizations designed to help better secure the IPsec Virtual Private Network (VPN) environment.
The National Security Agency (NSA) released guidance designed to help organizations better secure IP Security (IPsec) Virtual Private Networks (VPNs), given the rapid adoption of telework and remote sites during the COVID-19 pandemic.
The guide joins previous insights from the American Medical Association and the American Hospital Association for shoring up telework vulnerabilities amid the Coronavirus crisis.
At present, many organizations rely heavily on remote work, especially in the healthcare space with the expansion of telehealth options. The Department of Homeland Security has repeatedly warned that hackers are targeting remote workers and VPNs in response to the massive shift.
Most recently, DHS warned that hackers are targeting patched VPNs with compromised credentials, given that many employees reuse passwords across multiple platforms.
To support the change, some organizations are leveraging IPsec VPNs, which rely on cryptography to protect data sent through untrusted networks. Strong cryptography is critical to securing those connections and transmissions. However, some VPN products have known vulnerabilities that not every organization has patched, and common misconfigurations can also put those connections at risk.
The guide is designed to highlight some of the biggest VPN risks and the steps network administrators should take to maintain a secure VPN connection, as “maintaining a secure VPN tunnel can be complex and requires regular maintenance.”
“VPN gateways tend to be directly accessible from the Internet and are prone to network scanning, brute force attacks, and zero-day vulnerabilities,” NSA officials wrote. “To mitigate many of these vulnerabilities, network administrators should implement strict traffic filtering rules to limit the ports, protocols, and IP addresses of network traffic to VPN devices.”
“If traffic cannot be filtered to a specific IP address, NSA recommends an Intrusion Prevention System (IPS) in front of the VPN gateway to monitor for undesired IPsec traffic and inspect IPsec session negotiations,” they added.
To start, administrators should reduce the VPN attack surface and verify that the VPN's cryptographic algorithms comply with Committee on National Security Systems Policy (CNSSP) 15. CNSSP policies address national security systems from a broad perspective, while establishing national goals and objectives.
All VPN configurations require at least two elements: an Internet Security Association and Key Management Protocol (ISAKMP) or Internet Key Exchange (IKE) policy, and an IPsec policy. A misconfiguration in either could allow obsolete cryptographic algorithms, putting the entire VPN and data confidentiality at risk. CNSSP guidance will help admins determine how best to approach this process.
In addition, administrators should be prepared for cryptographic agility by periodically checking NIST and CNSSP guidance for the latest requirements, standards, and recommendations.
“When configuring ISAKMP/IKE, many vendors support having several possible ISAKMP/IKE policies. The device then chooses the strongest matching policy between the remote and local ends of the VPN,” officials explained. “Some vendors do this through priority numbers and others through explicit selection.”
Organizations should configure only those policies that meet the minimum level of security and remove any legacy protocols. If using priority numbers, admins will need to give the strongest ISAKMP/IKE policy the highest priority.
The NSA guide also provides insights for identifying the strongest cryptography suites supported by the chosen network device using approved cryptographic algorithms.
Default settings should also be avoided, and administrators will need to verify and remove unused or non-compliant cryptography suites. Further, organizations should ensure that vendor-provided updates and patches have been applied to VPN gateways and clients.
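As an added example (not the NSA guide's own tooling), here is a small audit of Cisco IOS-style ISAKMP/IKE policy blocks that follows the steps above: it flags attributes that are unset (so a vendor default would apply) or outside an allowed set, lists the legacy policies to remove, and checks whether a compliant policy holds the top priority. The allowed algorithm set and the lower-number-wins priority rule are assumptions of this example, not values taken from the page or from CNSSP 15 itself.

```python
# Allowed values are this example's assumption (CNSA Suite values associated with
# CNSSP 15); take the authoritative list from CNSSP 15 and the NSA guide itself.
ALLOWED = {"encr": {"aes 256"}, "hash": {"sha384", "sha512"}, "group": {"20", "21"}}

# Constructed sample: policy 10 is legacy, policy 20 is the strong one.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 group 2
crypto isakmp policy 20
 encr aes 256
 hash sha384
 group 20
"""

def parse_isakmp_policies(config: str) -> dict:
    """Parse Cisco IOS-style 'crypto isakmp policy N' blocks into {N: {attr: value}}."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("crypto isakmp policy "):
            current = int(line.rsplit(" ", 1)[1])
            policies[current] = {}
        elif current is not None and line and not line.startswith("!"):
            key, _, value = line.partition(" ")
            policies[current][key] = value.strip()
    return policies

def policy_findings(policy: dict) -> list:
    """One finding per attribute that is unset (vendor default) or outside ALLOWED."""
    findings = []
    for attr, allowed in ALLOWED.items():
        value = policy.get(attr)
        if value is None:
            findings.append(f"{attr}: not set, vendor default would apply")
        elif value not in allowed:
            findings.append(f"{attr}: '{value}' not in allowed set")
    return findings

def audit(config: str) -> dict:
    """List legacy policies to remove and check a compliant policy has top priority.
    Assumption: a lower policy number means higher priority (Cisco IOS convention)."""
    policies = parse_isakmp_policies(config)
    report = {n: policy_findings(p) for n, p in policies.items()}
    compliant = [n for n, f in report.items() if not f]
    return {
        "findings": report,
        "remove": sorted(n for n, f in report.items() if f),
        "strongest_first": bool(policies) and min(policies) in compliant,
    }
```

Running `audit(SAMPLE_CONFIG)` reports policy 10 for removal and `strongest_first` as false, because the legacy policy 10 still outranks the compliant policy 20.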
“VPNs are essential for enabling remote access and securely connecting remote sites, but without proper configuration, patch management, and hardening, VPNs are vulnerable to attack,” NSA concluded.
“To ensure that the confidentiality and integrity of a VPN is protected, reduce the VPN gateway attack surface, always use CNSSP 15-compliant cryptography suites, avoid using vendor defaults, disable all other cryptography suites, and apply patches in a timely manner,” they added.