NSA Releases Guidance on VPN Security

As a result of the COVID-19 pandemic, the number of people who are working for home has increased drastically. Unfortunately, so has the number of cyberattacks against online services, apps, and users.

The situation has gotten worse enough for the NSA to put out recommendations that everyone should follow to remain safe in the digital world.

The NSA (National Security Agency) has put out warning notes for remote workers informing them that due to the COVID-19 pandemic, hackers have actually increased the number of cyberattacks on certain online services such as Virtual Private Network or VPNs.

One official from the NSA told reporters earlier this month that malicious actors have now shifted their focus to VPNs and other telework infrastructure. Fortunately, the NSA was quick to hop into action and released a formal document advising workers on how to remain safe and secure from cyberattacks that attack their VPN apps.

An image of the american flag where in front of it you have the official logo of the National Security Agency of the United States of America or short NSA

There is little doubt that the increase in the percentage of work that can be described as remote has led to an equal increase in security risks as well. A lot of research has gone into the area and there is currently little doubt over whether or not remote work leads to more cyberattacks.

The NSA recommendations however are applicable to everyone. As far as the guidance itself is concerned, it mainly relies on giving tips to users on how to protect VPNs and other IP security products against cyberattacks.

Laptop protection online security VPN

It is pretty clear now that the NSA’s main emphasis is on everyone using strong cryptography in order to protect their sensitive information. The agency has emphasized good habits especially when connecting to untrusted networks and remote servers.

Organizations that have a good portion of their total workforce working from home because of the pandemic should follow NSA recommendations more than others. In a post, the NSA explained that VPNs had become an essential piece of technology to enable secure and remote access not just to remote websites but also services.

However, it warned that without properly configuring, hardening, and patching VPN services, they were still vulnerable to different types of cyberattacks.

Some of the most important measures that the NSA wants network administrators to take in order to make sure their VPN services are able to do their jobs properly include reducing the actual attack surface, customizing the default settings of their VPN apps and applying all security patches as early as possible or when their vendor issues them.

Best Way to Secure Your Virtual Private Network

The NSA recommends that everyone should take the following steps to secure their VPNs,

  • Reduce the attack surface of the VPN gateway
  • Change the default VPN settings as soon as possible
  • Get rid of non-compliant or unused cryptography suites
  • Take good care of vendor-provided patches and updates for VPN clients and gateways.
  • Make sure that all the used cryptographic algorithms are CNSSP-15 compliant (Committee on National Security Systems Policy)

As you can probably see, the NSA is essentially advising all administrators to implement tougher filtering rules for traffic. Most of the rules boil down to limiting the IP addresses, protocols, and ports that can be utilized to form a connection with various VPN devices.

Vector art of a man sitting in front of a desktop computer where on the monitor screen we have one giant eye

The NSA does mention that if none of the measures stated above were possible, then organizations should implement an Intrusion Prevention System which should be able to assist in monitoring for any untrusted source of IPSec traffic. Not only that, modern IPS systems are also able to analyze IPsec session negotiations.

Apart from that, the recommendations say that admins must take care of their IPsec and ISAKMP/IKE policies. To avoid any kind of data problems which may compromise user confidentiality, admins should never make use of obsolete algorithms.

In terms of not using default VPN settings, US NSA suggests to not use vendor-provided defaults and wizards or scripts because of the fact that sometimes these can set non-compliant IPsec and ISAKMP/IKE policies.

What readers need to understand here is that ISAKMP (Internet Security Association and Key Management Protocol) and IKE (Internet Key Exchange) offer many encryption policies that do not comply with CNSSP 15.

The CNSSP 15 standard is very important because it specifies all the encryption protocols that systems belonging to the government can use.

So it goes without saying that if an encryption protocol works for NSA or some other government agency like that then it will probably be strong enough for anyone else as well.

Readers should also keep in mind that when it comes to CNSSP 15-compliant protocols, they usually are of two types. There is the 256-bit elliptic curve, AES-128, and SHA-256 which can be used to safeguard secret-level information. Then there is the 384-bit elliptic curve, AES 256-bit, and SHA-384 which is used to guard top-secret information.

Organizations should be agile enough to switch between different algorithms for more protection and not just go with the set-and-forget mentality.

The problem is very rampant in organizations that make use of automated tools. These tools, though save a lot of time, sometimes leave residual crypto suites once the setup is finished. So if there is an encryption downgrade cyberattack, such VPNs are unable to cope.

Pro Tip:

This is why it is even more important, as mentioned before, to exercise clean updating habits. Keep everything up to date and make sure to have subscriptions to various email alerts that inform about newly found cyber threats.

Leave a Reply

Readers Offer: Get 70% Off NordVPNCheck It Out