NSA, CISA Release VPN Security GuidanceAgencies Offer Advice on Minimizing Attack Surface
In a bid to address security risks associated with the use of virtual private network solutions, the National Security Agency and the Cybersecurity and Infrastructure Security Agency on Tuesday offered government leaders guidance on selecting and strengthening remote access VPNs.
The security advice is aimed at leaders in the Department of Defense, National Security Systems and the Defense Industrial Base.
According to the agencies, remote-access VPN servers allow off-site users to tunnel into protected networks, which makes these entry points vulnerable to exploitation.
VPN servers are entry points into protected networks, making them attractive targets. APT actors have and will exploit VPNs - the latest guidance from NSA and @CISAgov can help shrink your attack surface. Invest in your own protection! https://t.co/npBc8Sh9A4— Rob Joyce (@NSA_CSDirector) September 28, 2021
This exploitation may allow malicious actors to harvest credentials, remotely execute code on VPN devices, cryptographically weaken encrypted traffic sessions, hijack encrypted traffic sessions and read sensitive data such as configurations, credentials and keys from the device, the agencies say.
The NSA and CISA add that several nation-state advanced persistent threat actors have already weaponized common vulnerabilities and exposures to gain access to vulnerable VPN devices.
Late last year, CISA issued a warning about a password leak that could affect vulnerable Fortinet VPNs and lead to exploitation.
According to Archie Agarwal, founder and CEO of ThreatModeler, "a quick Shodan search" reveals the use of over 1 million VPNs on the internet in the U.S. alone. These VPNs, he says, are the doorways to private, sensitive internal networks and are "sitting there exposed to the world for any miscreant to try to break through."
The NSA-CISA information sheet advises that leaders pick standards-based VPNs from vendors who remediate vulnerabilities and follow best practices to ensure strong authentication is in place. It does not name specific vendors.
Users can prevent the compromise of VPN servers and reduce the attack surface by configuring strong cryptography and authentication, running only strictly necessary features, and protecting and monitoring access to and from the VPNs, the agencies note.
Specifically, they say users can minimize the attack surface by:
- Applying patches and updates to mitigate known vulnerabilities that are often rapidly exploited (sometimes within less than 24 hours);
- Explicitly following all vendor patch guidance, including recommendations such as changing passwords that are associated with the device;
- Updating VPN user, administrator and service account credentials when necessary;
- Revoking and generating new VPN server keys and certificates, which could require redistribution of VPN connection information;
- Restricting external access to the VPN device by port and protocol.
The agencies further recommend disabling non-VPN-related functionalities and features that are likely to have vulnerabilities. Features such as web administration, Remote Desktop Protocol, Secure Shell, and file sharing are convenient, but not necessary for the operation of remote access VPNs, the agencies say.
In addition, the agencies ask leaders to restrict management interface access via the VPN. "Malicious cyber actors that manage to compromise administrator credentials could try to authenticate into management interfaces and maliciously perform privileged operations," the agencies note.
VPN administrators must also not be allowed to log into the management interface via the remote access VPN, the report notes. Organizations must restrict administrative access to dedicated internal management networks and investigate all attempts to use administrator credentials to access remote access VPNs, CISA and the NSA add.