The National Security Agency and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Information Sheet on Thursday, detailing factors to consider when choosing a virtual private network (VPN) and top configurations for deploying it securely.
Titled, “Selecting and Hardening Remote Access VPN Solutions,” it will also will help leaders in the Department of Defense, National Security Systems and the Defense Industrial Base better understand the risks associated with VPNs.
The Information Sheet details considerations for selecting a remote access VPN, as well as actions to harden the VPN from compromise.
Top hardening recommendations include using tested and validated VPN products on the National Information Assurance Partnership (NIAP) Product Compliant List, employing strong authentication methods like multi-factor authentication, promptly applying patches and updates, and reducing the VPN’s attack surface by disabling non-VPN-related features.
VPN servers are entry points into protected networks, making them attractive targets. Multiple nation-state advanced persistent threat (APT) actors have weaponized common vulnerabilities and exposures (CVEs) to gain access to vulnerable VPN devices.
Exploitation of these CVEs can enable a malicious actor to steal credentials, remotely execute code, weaken encrypted traffic’s cryptography, hijack encrypted traffic sessions, and read sensitive data from the device. If successful, these effects usually lead to further malicious access and could result in a large-scale compromise to the corporate network.