The U.S. National Security Agency (NSA) has released guidance to help companies secure IP Security (IPsec) Virtual Private Networks (VPNs), which are used to let employees connect securely to corporate networks for remote work.
Although IPsec VPNs use cryptography to protect sensitive data in transit against unauthorized access, an IPsec VPN that is not properly configured can be vulnerable to attack. Throughout the pandemic, many organizations have used VPNs to support their remote employees, and because so many employees are working remotely, cybercriminals are targeting VPNs. Numerous attacks have been carried out on vulnerable VPNs, with flaws and misconfigurations exploited to access organizational networks, steal sensitive information, and install malware and ransomware.
The NSA states that maintaining a secure VPN tunnel can be difficult and that routine maintenance is needed. As with all software, regular updates are necessary. Patches must be applied to VPN gateways and clients immediately to prevent exploitation. It is also essential to change default VPN settings. Default credentials are publicly available and can be used by malicious actors to log in and gain a foothold in the network.
Administrators should take steps to minimize the VPN gateway attack surface. Because VPNs are usually reachable from the internet, they are exposed to brute force attacks, network scanning, and zero-day vulnerabilities. To reduce risk, admins must use filtering rules to restrict the ports, protocols, and IP addresses of network traffic to VPN devices. If it isn't possible to limit access, an intrusion prevention system should be placed in front of the gateway to monitor for malicious traffic and inspect IPsec session negotiations.
IPsec VPN configurations require an Internet Security Association and Key Management Protocol (ISAKMP) or Internet Key Exchange (IKE) policy, together with an IPsec policy. It is crucial that ISAKMP/IKE and IPsec policies do not permit outdated cryptographic algorithms. Allowing these insecure algorithms puts the VPN at risk: a downgrade attack may be performed in which the VPN is forced into using non-compliant or weak cryptography suites. The NSA notes that extra ISAKMP/IKE and IPsec policies are usually included by default.
Organizations must consult CNSSP and NIST guidance on the most recent cryptographic requirements and standards and make certain to use these cryptographic algorithms.
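As an added illustration (not taken from the NSA guidance), the following Python sketch audits `ike=` and `esp=` proposal lines for weak algorithms and for default proposals that are accepted implicitly. It assumes legacy strongSwan `ipsec.conf` syntax, where a trailing `!` restricts negotiation to the listed proposals; the deny-list and sample configuration are constructed for the example.

```python
import re

# Assumed deny-list for illustration only; take the authoritative list from
# current CNSSP and NIST guidance.
WEAK_TOKENS = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536"}

# Constructed sample in strongSwan ipsec.conf style (not from the NSA document).
SAMPLE_CONF = """\
conn legacy-branch
    keyexchange=ikev1
    ike=3des-sha1-modp1024,aes256-sha384-ecp384
    esp=aes256-sha256
conn remote-workers
    keyexchange=ikev2
    ike=aes256-sha384-ecp384!
    esp=aes256gcm16-ecp384!
"""

def audit_proposals(conf_text):
    """Return (conn, keyword, problem) tuples for every risky ike=/esp= line."""
    findings = []
    conn = "(global)"
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)", line)
        if m:
            conn = m.group(1)
            continue
        m = re.match(r"(ike|esp)\s*=\s*(\S+)", line)
        if not m:
            continue
        keyword, value = m.groups()
        # Without the trailing "!", strongSwan appends its default proposals,
        # so algorithms never written in the file can still be negotiated.
        if not value.endswith("!"):
            findings.append((conn, keyword, "not strict: default proposals also accepted"))
        for proposal in value.rstrip("!").split(","):
            weak = sorted(WEAK_TOKENS.intersection(proposal.lower().split("-")))
            if weak:
                findings.append((conn, keyword, f"{proposal}: weak {', '.join(weak)}"))
    return findings

if __name__ == "__main__":
    for finding in audit_proposals(SAMPLE_CONF):
        print(*finding, sep=" | ")
```

A clean result means only that no listed token appeared and every proposal line is strict; it does not replace checking the negotiated algorithms on the gateway itself.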
Read the NSA guidance on securing IPsec VPNs on this page.