The U.S. National Security Agency (NSA) has issued guidance to help organizations secure IP Security (IPsec) Virtual Private Networks (VPNs), which are used to allow employees to securely connect to corporate networks to support remote working.
While IPsec VPNs use cryptography to protect sensitive data in transit against unauthorized access, an incorrectly configured IPsec VPN can be vulnerable to attack. During the pandemic, many organizations have turned to VPNs to support their remote workforce, and the large number of employees working remotely has made VPNs a key target for cybercriminals. Many attacks have been performed on vulnerable VPNs, with flaws and misconfigurations exploited to gain access to corporate networks, steal sensitive information, and deploy malware and ransomware.
The NSA warns that maintaining a secure VPN tunnel can be complex and requires regular maintenance. As with all software, regular updates are required: patches should be applied to VPN gateways and clients as soon as possible to prevent exploitation. It is also important to change default VPN settings. Default credentials are publicly available and can be used by malicious actors to log in and gain a foothold in the network.
Admins need to take steps to reduce the VPN gateway attack surface. Since VPNs are often accessible from the internet, they are exposed to brute-force attacks, network scanning, and zero-day vulnerabilities. To reduce risk, admins should apply filtering rules that restrict the ports, protocols, and source IP addresses of network traffic allowed to reach VPN devices. If access cannot be restricted, an intrusion prevention system should be placed in front of the gateway to monitor for malicious traffic and inspect IPsec session negotiations.
IPsec VPN configurations require an Internet Security Association and Key Management Protocol (ISAKMP) or Internet Key Exchange (IKE) policy, along with an IPsec policy. It is important that the ISAKMP/IKE and IPsec policies do not allow obsolete cryptographic algorithms. If weak algorithms are permitted, the VPN is placed at risk: a downgrade attack could force the VPN into negotiating a non-compliant or weak cryptographic suite. The NSA notes that extra ISAKMP/IKE and IPsec policies are often included by default, so the policies actually configured on a device should be reviewed rather than assumed.
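As an added illustration of that review (example code written for this article, not part of the NSA guidance or any vendor's tooling), the script below audits strongSwan-style `ike=` and `esp=` proposal lines for obsolete algorithms across every connection in a configuration. The obsolete-algorithm set and the sample configuration are assumptions constructed for the example; adjust the set to the CNSSP/NIST requirements your organization follows.

```python
"""Audit strongSwan-style IKE/ESP proposal strings for obsolete algorithms.
Added example, not from the NSA guidance or the article. Assumes strongSwan
syntax: proposals separated by ',', components by '-', optional trailing '!'.
"""
import re

# Assumption: algorithms this audit treats as obsolete (adjust to your policy).
OBSOLETE = {"des", "3des", "md5", "sha1", "null",
            "modp768", "modp1024", "modp1536"}   # DH groups 1, 2 and 5

# Constructed sample: a legacy connection with weak proposals beside a modern one.
SAMPLE_CONFIG = """\
conn legacy-site
    ike=aes128-sha1-modp1024,3des-md5-modp768
    esp=3des-sha1
conn modern-site
    ike=aes256-sha384-modp4096!
    esp=aes256gcm16-modp4096!
"""

def parse_proposals(value):
    """Return [(components, strict)] per proposal; strict = trailing '!'."""
    out = []
    for prop in value.split(","):
        prop = prop.strip()
        out.append((prop.rstrip("!").split("-"), prop.endswith("!")))
    return out

def audit_config(text):
    """Map each connection to the ike=/esp= lines that permit an obsolete
    algorithm in any proposal; a connection with no findings is omitted."""
    findings, conn = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*conn\s+(\S+)", line)
        if m:
            conn = m.group(1)
            continue
        m = re.match(r"\s*(ike|esp)\s*=\s*(\S+)", line)
        if not (m and conn):
            continue
        weak = sorted({c for comps, _ in parse_proposals(m.group(2))
                       for c in comps if c in OBSOLETE})
        if weak:
            findings.setdefault(conn, []).append((m.group(1), weak))
    return findings

if __name__ == "__main__":
    for conn, items in audit_config(SAMPLE_CONFIG).items():
        for key, weak in items:
            print(f"{conn}: {key}= permits obsolete {', '.join(weak)}")
```

Any proposal list that mixes a strong suite with a weak one is still reported, since a peer can select the weak suite during negotiation.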
Organizations should consult CNSSP and NIST guidance for the latest cryptographic requirements and standards and ensure that only compliant cryptographic algorithms are in use.
The NSA guidance on securing IPsec VPNs can be found here.