
NSA, CISA issue guidance on selecting and securing VPNs

14.10.2024

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have recently issued a new guide aimed at helping government organisations choose and secure Virtual Private Network (VPN) solutions. These recommendations, however, aren’t just for the government—they’re valuable for any organisation looking to bolster its cybersecurity defences.

VPNs are essential tools for providing remote, secure access to an organisation’s resources, but they are also attractive targets for attackers: a VPN gateway is internet-facing by design and sits at the boundary of the internal network. VPN vulnerabilities have been exploited by nation-state Advanced Persistent Threat (APT) actors for credential harvesting, remote code execution, traffic hijacking and data leakage. The consequences can be severe, often leading to the compromise of the wider network, the identity infrastructure behind it and other services that trust the VPN.

The NSA and CISA’s guide, titled “Selecting and Hardening Remote Access VPN Solutions”, offers a series of recommendations to help organisations navigate the complexities of VPN selection and implementation. One of the primary pieces of advice is to prefer standards-based VPNs (IKEv2/IPsec) and to avoid non-standard solutions, including SSL/TLS VPN products that tunnel traffic through custom, proprietary features. Organisations should choose reputable vendors with a proven track record of promptly remediating vulnerabilities. This includes thoroughly reading vendor documentation to understand the product’s capabilities and ensuring that the VPN supports strong, multi-factor authentication and robust code integrity checks.


Once a VPN solution has been deployed, the guidance emphasises the importance of requiring strong, approved cryptographic protocols, algorithms and authentication credentials, and of disabling features that are not strictly needed. Organisations are also advised to minimise their attack surface by patching the VPN software promptly, particularly when vulnerabilities known to be exploited by attackers are disclosed. When such a vulnerability is patched, the agencies advise reviewing logs for signs of compromise and resetting credentials that may have been exposed, since a patch alone does not evict an attacker who is already inside. Restricting external access to the VPN device, so that only the ports needed for the VPN service are reachable from the internet and management interfaces are not, closes off another common entry point.
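The following is an added configuration example, not part of the NSA/CISA guide or of this article, showing what “strong, approved algorithms” and “strong authentication” look like in practice on a strongSwan gateway (swanctl.conf syntax). The hostname, addresses, certificate file names and pool are hypothetical. The weak block is shown only for contrast; a hardened deployment simply does not define it.

```conf
# Added example (not from the NSA/CISA guide): strongSwan swanctl.conf for a
# remote-access gateway. Names, addresses and file names are hypothetical.
connections {

    # WEAK: IKEv1 with a pre-shared key and legacy algorithms (3DES, SHA-1,
    # 1024-bit DH). Shown only for contrast; do not deploy this connection.
    rw-legacy {
        version = 1
        local_addrs = 203.0.113.10
        proposals = aes128-sha1-modp1024, 3des-sha1-modp1024
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            net {
                esp_proposals = aes128-sha1, 3des-sha1
            }
        }
    }

    # HARDENED: IKEv2 only, gateway authenticates with a certificate, clients
    # authenticate with EAP-TLS (a client certificate; multi-factor when the key
    # lives on a smart card or TPM), CNSA-class algorithm suites only.
    rw {
        version = 2
        local_addrs = 203.0.113.10
        # IKE SA: AES-256-GCM, SHA-384 PRF, ECDH over P-384
        proposals = aes256gcm16-sha384-ecp384
        local {
            auth = pubkey
            certs = vpn-gateway.pem
            id = vpn.example.com
        }
        remote {
            auth = eap-tls
            eap_id = %any
        }
        children {
            net {
                local_ts = 10.0.0.0/8
                # ESP: AES-256-GCM with P-384 perfect forward secrecy on rekey
                esp_proposals = aes256gcm16-ecp384
                rekey_time = 1h
            }
        }
        pools = rw_pool
    }
}

pools {
    rw_pool {
        addrs = 10.200.0.0/24
    }
}
```

Load it with `swanctl --load-all` and confirm the negotiated suite with `swanctl --list-sas`; a client that only offers the legacy proposals will fail to connect, which is the intended outcome. The configuration hardens the protocol layer only: restricting external access, as the guidance asks, is done in the host or perimeter firewall by allowing inbound UDP/500 and UDP/4500 to the gateway address and nothing else, with the management interface reachable solely from the internal network.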

In addition to these core recommendations, the agencies suggest further layers of protection around the VPN: an Intrusion Prevention System (IPS) in front of the gateway, a Web Application Firewall (WAF) for any web-based portal the VPN exposes, network segmentation so that a compromised gateway does not grant flat access to every internal system, and logging of all VPN user activity, kept both locally and forwarded to a remote collector so that an attacker who gains control of the device cannot simply erase the record. This level of monitoring is essential for detecting and responding to suspicious activity such as logins from unexpected locations or repeated authentication failures.

The NSA and CISA stress that remote access VPN services are gateways to an organisation’s most sensitive data and services, making them prime targets for malicious actors. Selecting a secure, standards-based VPN solution and hardening its attack surface are critical steps in maintaining strong cybersecurity defences. Following these guidelines can help keep malicious actors at bay and ensure that an organisation’s network remains secure.

Although this guidance is specifically designed to assist decision-makers within the Department of Defense, National Security Systems and the Defense Industrial Base, it is equally applicable to private organisations of all sizes. In today’s threat landscape, where cyberattacks are becoming increasingly sophisticated, taking the necessary steps to secure VPN solutions is not just recommended, it is essential.