A Virtual Private Network (VPN) strengthens data privacy and security by providing a secure connection for users when joining another network online. Despite the security advantages, VPNs have become a frequent target for cybercriminals. From a Chinese APT group’s exploitation of vulnerabilities in Pulse Secure’s VPNs to the latest exposure of 500,000 Fortinet VPN account details on the dark web, several state-sponsored actors have exploited unpatched bugs to gain access to vulnerable VPN devices.
To counter the rising number of security incidents and help organizations improve their VPN defenses against cyberattacks, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) jointly released a Cybersecurity Information Sheet on selecting and hardening remote access VPN solutions. NSA stated that it released the Cybersecurity Information Sheet to help secure the Department of Defense, National Security Systems, and the Defense Industrial Base.
The agencies stated that VPN servers become entry points for threat actors to penetrate critical networks. Multiple nation-state advanced persistent threat (APT) actors have weaponized common vulnerabilities and exposures (CVEs) to gain access to vulnerable VPN devices.
Exploitation of vulnerabilities in VPN devices enables bad actors to:
- Steal credentials.
- Remotely execute code.
- Weaken encrypted traffic’s cryptography.
- Hijack encrypted traffic sessions.
- Monitor sensitive data from the device.
- Perform large-scale compromise of the corporate network.
How to Select Remote Access VPN Solutions
- Avoid selecting non-standard VPN solutions, including a class of products referred to as Secure Sockets Layer/Transport Layer Security (SSL/TLS) VPNs
- Refer to the National Information Assurance Partnership (NIAP) Product Compliant List for validated VPNs
- Carefully read vendor documentation to ensure potential products support IKE/IPsec VPNs
- Identify whether the product uses SSL/TLS in a proprietary or non-standards-based VPN protocol when unable to establish an IKE/IPsec VPN
- Check whether the product supports strong authentication credentials and protocols and disables weak certificates and protocols by default
- Ensure the product includes protection against intrusions, such as the use of signed binaries or firmware images, a secure boot process that verifies boot code before it runs, and integrity validation of runtime processes and files
How to Harden Remote Access VPN Solutions
- Use tested and validated VPN products from the NIAP product list
- Employ robust authentication methods like multi-factor authentication (MFA)
- Apply patches and updates regularly
- Reduce the VPN’s attack surface by disabling non-VPN-related features
- Configure strong cryptography and authentication
- Run only strictly necessary features
- Protect and monitor access to and from the VPN
- Secure the network entrance
“Remote access VPNs are entryways into corporate networks and all the sensitive data and services they have. This direct access makes them prized targets for malicious actors. Keep malicious actors out by selecting a secure, standards-based VPN and hardening its attack surface. This is essential for ensuring a network’s cybersecurity,” the agencies said in an advisory.