Best practices for choosing and hardening a VPN - TechMafia Official


Best practices for choosing and hardening a VPN

    In September 2021, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released joint guidance on Selecting and Hardening Remote Access VPN Solutions.

    This advisory provides numerous recommendations on selecting the right VPN and hardening and configuring it to minimize the organization’s digital attack surface. Here are some of the highlights from the recommendations:

1. Select a standards-based VPN

    VPNs that use accepted standards, such as Internet Key Exchange/Internet Protocol Security (IKE/IPSec), are generally less risky and more secure than Secure Sockets Layer/Transport Layer Security (SSL/TLS) VPNs that use custom code to send traffic over TLS. If a VPN is designed to use a custom SSL/TLS tunnel as a fallback, disable this functionality.

2. Use a VPN with strong cryptography

    Validate that the encryption algorithms, authentication algorithms and protocols used by a VPN are strong and FIPS-validated. Configure all VPNs to use multi-factor authentication (MFA) and, where possible, replace password-based authentication with client authentication through digital certificates (stored on smartcards).
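    A quick way to enforce the "strong cryptography" point on an IKE/IPsec gateway is to reject any proposal that contains a deprecated component before it goes into the configuration. The script below is an added example, not part of the advisory or of this article: it checks a proposal written in strongSwan's `alg-alg-alg` notation against an allowlist of algorithm families. The allowlist itself is an assumption chosen for illustration (AES-256, SHA-2, P-384/P-521 and 3072/4096-bit MODP groups); align it with your own policy before use.

```sh
#!/bin/sh
# Added example: validate IKE/ESP proposal strings before deploying them.
# Proposal notation follows strongSwan (e.g. aes256gcm16-prfsha384-ecp384).
# The allowlist below is an assumption for illustration, not the advisory's list.

# check_proposal <proposal>  -> returns 0 if every component is allowed,
#                               1 if any component is weak or unrecognised.
check_proposal() {
    proposal="$1"
    rc=0
    oldifs="$IFS"
    IFS='-'
    for alg in $proposal; do
        case "$alg" in
            # AEAD or CBC ciphers with 256-bit keys
            aes256gcm16|aes256gcm8|aes256) ;;
            # SHA-2 PRFs and integrity algorithms
            prfsha256|prfsha384|prfsha512|sha256|sha384|sha512) ;;
            # Key exchange groups: NIST P-384/P-521 or large MODP groups
            ecp384|ecp521|modp3072|modp4096) ;;
            # Anything else (3des, md5, sha1, modp1024, ...) is rejected
            *) echo "rejected component in '$proposal': $alg" >&2; rc=1 ;;
        esac
    done
    IFS="$oldifs"
    return $rc
}

# strict_config <ike-proposal> <esp-proposal>
# Emits strongSwan ipsec.conf lines with the '!' strict flag so the peer
# cannot negotiate anything outside the listed proposals. Fails if either
# proposal would be rejected by check_proposal.
strict_config() {
    check_proposal "$1" && check_proposal "$2" || return 1
    printf 'ike=%s!\nesp=%s!\n' "$1" "$2"
}

# Demonstration when run directly (constructed inputs)
if check_proposal aes256gcm16-prfsha384-ecp384; then
    echo "aes256gcm16-prfsha384-ecp384: OK"
fi
if ! check_proposal 3des-sha1-modp1024; then
    echo "3des-sha1-modp1024: rejected"
fi
strict_config aes256gcm16-prfsha384-ecp384 aes256gcm16-ecp384
```

Run it on a gateway before loading a new configuration; a non-zero exit from `check_proposal` means the proposal contains a component outside the allowlist and should not be committed.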

3. Manage software vulnerabilities

    The exploitation of VPN vulnerabilities is a common attack vector for cybercriminals. Select a VPN vendor with a strong track record of vulnerability patching, and request a software bill of materials (SBOM) to validate that third-party code is up-to-date and secure. Also, look for a product that validates the integrity of its own code at runtime so that tampering can be detected.

    After deploying a VPN, regularly check for and promptly apply software updates. Follow vendor guidance for updating, such as forcing a password change for users when patching a vulnerability known to be actively exploited by threat actors.

4. Limit VPN access

    VPNs are a common target for cybercriminals who use compromised credentials to access an organization’s internal systems. Create firewall rules that allow only UDP ports 500 and 4500 for IKE/IPsec VPNs, or TCP port 443 (or the configured custom port) for SSL/TLS VPNs.

    It is also wise to restrict access to and from the VPN. If possible, limit access to the VPN endpoint based on an IP address allowlist. Also, block access to management interfaces via the VPN to prevent it from being used with compromised administrator credentials to access management interfaces and perform privileged activities. This should be part of a greater zero trust security and network segmentation policy that limits access to and from the VPN based on the principle of least privilege.
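    The two paragraphs above describe one firewall policy: expose only the VPN ports, restrict who may reach them, and keep VPN clients away from management interfaces. The script below is an added example (not from the advisory or this article) that generates an nftables ruleset implementing that policy for either VPN type. The management host address, the VPN client address pool and the allowlist network are constructed placeholders; substitute your own.

```sh
#!/bin/sh
# Added example: emit an nftables ruleset for a VPN gateway following the
# advisory's port, allowlist and management-interface advice.
# All addresses are constructed placeholders, not values from the advisory.

MGMT_HOST="10.0.10.5"      # assumed address of the management interface
VPN_POOL="10.8.0.0/24"     # assumed address pool handed out to VPN clients

# vpn_ruleset <ipsec|ssl> [allowlist CIDR ...]
# Prints a ruleset that drops everything inbound except the VPN ports
# (optionally only from allowlisted sources) and forbids forwarding from
# VPN clients to the management host.
vpn_ruleset() {
    kind="$1"; shift
    case "$kind" in
        # IKE on UDP/500, IKE and NAT-T encapsulated ESP on UDP/4500
        ipsec) vpn_rule="udp dport { 500, 4500 } accept" ;;
        # TLS-based VPN on TCP/443 (change if the product uses a custom port)
        ssl)   vpn_rule="tcp dport 443 accept" ;;
        *)     echo "unknown VPN kind: $kind (expected ipsec or ssl)" >&2; return 2 ;;
    esac
    # With an allowlist, only the listed source networks may reach the VPN port
    if [ "$#" -gt 0 ]; then
        srcs=$(printf '%s, ' "$@")
        srcs="{ ${srcs%, } }"
        vpn_rule="ip saddr $srcs $vpn_rule"
    fi
    cat <<EOF
table inet vpn_gw {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # Only the VPN service is reachable from outside
        $vpn_rule
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # VPN clients must never reach the management interface, even with
        # valid administrator credentials
        ip saddr $VPN_POOL ip daddr $MGMT_HOST drop
    }
}
EOF
}

# Demonstration when run directly: IPsec gateway reachable only from one
# constructed partner network.
vpn_ruleset ipsec 203.0.113.0/24
```

Review the generated text, then load it with `nft -f` on the gateway. Note that the forward chain's default `drop` policy means any other internal destination VPN clients need must be added explicitly, which is the least-privilege segmentation the advisory calls for; if IPsec clients are not behind NAT you will also need to permit raw ESP, which this example leaves out.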

5. Secure VPN traffic

    A VPN is designed to provide an encrypted channel between two locations. It does not perform any security inspection or filter the traffic passing through this tunnel.

    All VPN traffic should pass through a full security stack en route to and from the enterprise network, including a web application firewall (WAF) and intrusion prevention system (IPS). Additionally, the VPN should be configured with all of its web application security settings enabled, such as protection against replay attacks that reuse a previous user’s session data.

Deploying a secure remote access VPN

    In the wake of the COVID-19 pandemic, many organizations rolled out infrastructure as quickly as possible to support a suddenly remote workforce. As a result, much remote access infrastructure was left vulnerable to exploitation, a state that ransomware gangs and other cybercriminals have taken full advantage of.

    The need for remote access is not going away any time soon, and securing the remote workforce should be a core component of an enterprise cybersecurity strategy. The guidance released by the NSA and CISA provides an opportunity for organizations to review and reevaluate their existing VPN infrastructure and potential plans for expansion. Check out the full advisory for a list of recommendations for acquiring and hardening secure remote access VPNs.
