Virtual Private Networks (VPNs) are quite famous, as they enable users to remotely correlate to a corporate network through an unharmed as well as a protected tunnel. But, sometimes this fails to protect users fully, and that’s why NSA and CISA have jointly published a cheat sheet for selecting and hardening the remote access VPN.
The tunnels used by VPNs help the users to take advantage of the internal services and protections that are being offered to on-site users, such as:-
- Collaboration tools
- Delicate document containers
- Sensitive access to any system remotely
So, the NSA and CISA have combined authorities in order to distribute guidelines ideas so that they can help users to make versed choices while choosing a VPN.
To compromise the vulnerable VPN devices, the Multiple nation-state Advanced Persistent Threat (APT) actors have exploited public Common Vulnerabilities and Exposures (CVEs).
After joining the authorities, both NSA, as well as CISA, has provided some active exploitation of these public CVEs, as they can allow a malicious actor to perform:-
- Credential harvesting
- Remote code execution of arbitrary code on the VPN device
- Cryptographic weakening of encrypted traffic sessions
- Hijacking of encrypted traffic sessions
- Arbitrary reads of sensitive data (e.g., configurations, credentials, keys) from the device
Recommendations for Selecting Remote Access VPNs
It is very important to choose the VPN correctly since the joint report has also suggested some points that will help the users to choose a wise VPN:-
- Always try to bypass choosing non-standard VPN solutions, that include a class of products that are generally referred to as Secure Sockets Layer/Transport Layer Security (SSL/TLS) VPNs.
- Carefully read vendor documentation to ensure potential products support IKE/IPsec VPNs.
- Try to avoid the products that do not explicitly recognize the standards they use or pretend to use, so, that’s why always use established techniques to secure VPNs.
- Before choosing a VPN always do proper research and then pick a vendor with a demonstrated track record of promoting products through regular software updates and immediately remediating known vulnerabilities.
- Don’t forget to check the product properly, as it might have a robust method to verify the integrity of its own code and, it can also perform code validation.
Once the user is done with choosing a VPN, now the joint report has some action that will harden the VPN, and therefore here we have mentioned them below:-
- Require only reliable, approved cryptographic protocols, algorithms, and authentication credentials.
- Lessen the remote access VPN attack surface.
- Shield and monitor access to and from the VPN.
- Secure the network entrance
Apart from this, the cybersecurity researchers of both the agency have claimed that remote-access VPNs are the entry path into corporate networks and all the delicate data and services they have.
However, VPN is being targeted by different threat actors because of the direct access. And that’s why the users always need to select a secure as well as standards-based VPN and after that, they should follow the actions that will harden its attack surface.
Not only this even the users also have to take care of other security concerns like restricting access to the management interface and impair unrequired functionality.