NSA and CISA release guidance on securing remote access VPNs

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have released a joint Cybersecurity Information Sheet selecting and securing remote access VPNs.

The new 9-page guidance infosheet provides sounds guidance on factors to consider in selecting virtual private network (VPN) solutions and top configurations for deploying them securely.

An excerpt from the NSA and CISA joint statement released on September 28, 2021:

VPN servers are entry points into protected networks, making them attractive targets. Multiple nation-state advanced persistent threat (APT) actors have weaponized common vulnerabilities and exposures (CVEs) to gain access to vulnerable VPN devices. Exploitation of these CVEs can enable a malicious actor to steal credentials, remotely execute code, weaken encrypted traffic’s cryptography, hijack encrypted traffic sessions, and read sensitive data from the device. If successful, these effects usually lead to further malicious access and could result in a large-scale compromise to the corporate network.


I have included a few of the highlights from the guidance sheet below.

Selecting VPNs

Organizations should first start by selecting remote VPN solutions from reputable vendors that include strong security controls and features such as:

  • Follows industry standards for VPNs (and avoid custom or non-standard Secure Sockets Layer/Transport Layer Security (SSL/TLS) VPNs).
  • Timely patching of vulnerabilities (to include keeping VPN components that also use open source software up to date).
  • Method to validate integrity of devices and code.
  • Protect against intrusions (e.g., signed firmware, secure boot process).
  • Offers strong authentication and multi-factor authentication (MFA).
  • Provides strong cryptographic algorithms and protocols.
  • Good documentation.

Moreover, vendor VPN devices should provide strong cryptographic algorithms (i.e., FIPS approved) and as noted in the hardening recommendations.

VPN device hardening

VPN administrators should ensure VPN devices “require only strong, approved cryptographic protocols, algorithms, and authentication,” for example:

  • Standard, secure protocols (e.g., TLS 1.2, CNSSP 15-compliant cryptographic algorithms) and disable weak protocols as fallback.
  • Trusted server certificates for server authentication.
  • Client certificate authentication for remote clients that need to connect to VPN devices.

Moreover, users should “reduce the remote access VPN attack surface,” such as:

  • Immediately apply vendor patches to remediate vulnerabilities.
  • If there have been known public exploits of vulnerabilities, consider:
    • Updating VPN user, administrator, and service account credentials.
    • Revoke and generate new VPN server keys and certificates.
    • Monitor for suspicious activity.
  • For IKE/IPsec VPNs: Only allow UDP ports 500 and 4500 and Encapsulating Security Payload.
  • For SSL/TLS VPNs: only allow TCP port 443 or other necessary ports and protocols.
  • Add an “allowlist” for known VPN peer IP addresses and block all others.
  • Remove or disable non-VPN-related functionality (e.g., RDP, SSH) and advanced features that will have future vulnerabilities that could be exploited.
  • Restrict management interface access via the VPN (e.g., disable remote admin access to VPN devices, only allow access from trusted “management” networks).

Monitor VPNs

Finally, entities should also follow these VPN monitoring safeguards:

  • Deploy intrusion prevention system (IPS) in front of remote access VPNs.
  • Use Web Application Firewalls (WAFs) and enable enhanced web application security.
  • Segment networks and restrict access.
  • Enable local and remote logging to record and track VPN user activity (e.g., authentication and access attempts, configuration changes, and network traffic).

In conclusion, remote access VPNs are prime targets for malicious actors since they provide direct access to corporate networks and sensitive data.

They guidelines can help organizations harden VPNs and prevent future cyberattacks.

Related Articles