NSA Issues VPN Security Guidance


The National Security Agency released guidance this week on securing IPsec virtual private networks as companies across the US continue to grapple with remote working in the wake of the coronavirus pandemic. The advice included a warning not to rely on vendor-supplied configurations.

The document came in two flavors: a guide to securing VPNs and a version with more detailed configuration examples. It warned that many VPN vendors provide cryptography suites and IPsec policies pre-configured for their devices, along with extra ones for compatibility. The Internet Security Association and Key Management Protocol (ISAKMP) and the IPsec policy define how VPNs should authenticate each other, manage their security associations, and generate their keys at different phases of a VPN connection.

“If either of these phases is configured to allow obsolete cryptography, the entire VPN will be at risk, and data confidentiality might be lost,” the document warned.

The NSA advised administrators to ensure that these policies comply with the Committee on National Security Systems Policy (CNSSP)-15 standard, which defines parameters for the secure sharing of information between national security systems. Even configuring CNSSP-15-compliant default policies may not be enough, because many VPNs are configured to fall back to alternative policies if their default one is not available. That risks using non-compliant security policies if administrators leave vendors’ pre-configured alternatives on their devices, the document said.
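As an added illustration (not code from the NSA document or this article), the following Python audit treats an ISAKMP/IPsec proposal list the way a negotiation would, in order, and flags obsolete cryptography in the vendor fallbacks as well as in the default. The approved-algorithm sets are my reading of the CNSSP-15 minimums and are an assumption to verify against the standard's text.

```python
"""Audit an ordered list of IKE/IPsec proposals in negotiation order and flag
obsolete cryptography in any entry, including vendor fallbacks behind a compliant default."""

# Assumed minimums (CNSSP-15 as summarised in NSA's IPsec guidance):
# AES-256, SHA-384, and DH group 16 (4096-bit MODP) or group 20 (ECDH P-384).
# Confirm against the standard's current text before relying on this list.
APPROVED_ENCRYPTION = {"aes256", "aes256-gcm"}
APPROVED_INTEGRITY = {"sha384"}
APPROVED_DH_GROUPS = {16, 20}

def check_proposal(proposal):
    """Return the reasons one proposal falls short (empty list means compliant)."""
    problems = []
    enc = proposal["encryption"].lower()
    if enc not in APPROVED_ENCRYPTION:
        problems.append(f"encryption {enc} is not approved")
    # AES-GCM authenticates its own data, so no separate integrity algorithm
    # is expected; every other suite must carry SHA-384.
    integ = (proposal.get("integrity") or "").lower()
    if not enc.endswith("-gcm") and integ not in APPROVED_INTEGRITY:
        problems.append(f"integrity {integ or 'none'} is not approved")
    if proposal["dh_group"] not in APPROVED_DH_GROUPS:
        problems.append(f"DH group {proposal['dh_group']} is not approved")
    return problems

def audit_policy(proposals):
    """Walk proposals in negotiation order; any weak entry is a downgrade path."""
    findings = []
    for position, proposal in enumerate(proposals):
        for reason in check_proposal(proposal):
            role = "default" if position == 0 else f"fallback #{position}"
            findings.append(f"{role}: {reason}")
    return {"compliant": not findings, "findings": findings}

# Constructed example of a vendor-style policy: a compliant default followed
# by two compatibility fallbacks that a peer could negotiate down to.
VENDOR_DEFAULT_POLICY = [
    {"encryption": "aes256", "integrity": "sha384", "dh_group": 16},
    {"encryption": "3des", "integrity": "sha1", "dh_group": 2},
    {"encryption": "aes128", "integrity": "md5", "dh_group": 1},
]
# The same policy with the fallbacks removed: only the compliant default remains.
HARDENED_POLICY = VENDOR_DEFAULT_POLICY[:1]

if __name__ == "__main__":
    for name, policy in (("vendor default", VENDOR_DEFAULT_POLICY), ("hardened", HARDENED_POLICY)):
        result = audit_policy(policy)
        print(name, "compliant" if result["compliant"] else "NON-COMPLIANT")
        for finding in result["findings"]:
            print("  -", finding)
```

The point of the ordered walk is that a policy whose first entry is compliant still fails if any later entry a peer could negotiate down to is not.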

Introduced in the 1990s, IPsec is a long-established protocol suite for building VPN tunnels. It can be used for remote access or for links between VPN gateways. It is an alternative to SSL/TLS VPNs, which offer entirely browser-based access without a dedicated client application.

The NSA also advised administrators to reduce the attack surface of their VPN gateways. Because these devices tend to be internet-accessible, they are prone to network scanning, brute-force attacks, and zero-day vulnerabilities, it warned. One way to reduce this risk is to limit accepted traffic to known IP addresses if working with peer VPNs.

“Remote access VPNs present the issue of the remote peer IP address being unknown and therefore it cannot be added to a static filtering rule,” it noted. However, admins can still limit access to specific ports and protocols, such as UDP ports 500 and 4500.
