The COVID-19 pandemic has led many organizations to recommend remote work to their employees, in an effort to reduce the chances of the virus spreading and to ensure their safety. In light of the new conditions, the U.S. National Security Agency (NSA) has published guidelines that organizations should follow to harden virtual private networks (VPNs) and IPsec tunnels against possible attacks. In addition to advising organizations on how to secure IPsec tunnels, the NSA's VPN guidance also highlights the importance of using strong encryption to protect the sensitive and confidential information carried in traffic that crosses untrusted networks on its way to remote servers.
The NSA states that VPNs are essential for enabling remote access and secure connections to remote sites, but that without proper configuration and patch management they are vulnerable to attack. Among the measures network administrators need to take to secure their VPNs, the NSA emphasizes the need to reduce the attack surface, adjust the default VPN settings and apply any security updates released by vendors.
More specifically, the NSA recommends that organizations follow these guidelines to secure their VPNs:
• Reduce the attack surface of the VPN gateway.
• Make sure the cryptographic algorithms comply with CNSSP.
• Avoid using default VPN settings.
• Remove "unused or non-compliant" cipher suites.
• Apply vendor-provided updates, i.e. code updates, to VPN gateways and clients.
First, administrators are advised to apply strict traffic filtering rules that restrict the ports, protocols and IP addresses that can be used to connect to VPN devices. Where this is not possible, an Intrusion Prevention System (IPS) can help by monitoring for unwanted IPsec traffic. Administrators must also ensure that ISAKMP/IKE and IPsec policies do not allow outdated encryption algorithms, in order to prevent breaches of confidential data. As for default VPN settings, the NSA recommends avoiding the wizards, scripts or defaults provided by vendors, as they may produce non-compliant ISAKMP/IKE and IPsec policies.
Removing non-compliant and unused cipher suites is another recommended defense against attacks in which VPN endpoints are forced to negotiate non-compliant and insecure cryptographic suites, exposing encrypted VPN traffic. Another very important measure for organizations is to ensure that the latest code updates provided by a vendor are applied as soon as possible, to mitigate recently discovered security flaws affecting both VPN gateways and clients. The NSA has also published instructions giving administrators examples of IPsec VPN configurations and specific directions on how to implement the above measures and achieve the most secure VPN configurations.
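As an added illustration of the policy check described above (this script is not part of the NSA guidance or of this article), the following Python code audits a Cisco IOS-style configuration for ISAKMP/IKE policies and IPsec transform sets that still allow outdated algorithms. The allowed-algorithm sets are an assumption modelled on the CNSSP 15 selections for IPsec as the editor understands them, and the sample configuration is constructed.

```python
import re

# Algorithms accepted by this checker. They follow the CNSSP 15 selections for
# IPsec as the author of this example understands them (an assumption; substitute
# your own approved set): AES-256, SHA-384 or stronger, DH group 16 or 20.
ALLOWED = {"encryption": {"aes 256", "aes-gcm 256"},
           "hash": {"sha384", "sha512"}, "group": {"16", "20"}}
ALLOWED_ESP = {"esp-aes 256", "esp-gcm 256", "esp-sha384-hmac", "esp-sha512-hmac"}

def audit_ipsec_config(config: str) -> list:
    """Return one finding per non-compliant setting in 'crypto isakmp policy'
    blocks and 'crypto ipsec transform-set' lines (Cisco IOS-style syntax)."""
    findings = []
    policy = None  # number of the isakmp policy block currently being read
    for raw in config.splitlines():
        line = raw.strip().lower()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            policy = m.group(1)
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            policy = None
            name, transforms = m.groups()
            # Keep a key size with its keyword so "esp-aes 256" stays one token.
            for tok in re.findall(r"[a-z][a-z0-9-]*(?: \d+)?", transforms):
                if tok not in ALLOWED_ESP:
                    findings.append(f"transform-set {name}: '{tok}' is not allowed")
            continue
        if policy is not None:
            key, _, value = line.partition(" ")
            key = {"encr": "encryption"}.get(key, key)  # 'show run' abbreviation
            if key in ALLOWED and value not in ALLOWED[key]:
                findings.append(f"isakmp policy {policy}: {key} '{value}' is not allowed")
    return findings

# Constructed sample: one compliant and one legacy policy, one of each transform set.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha384
 group 16
crypto isakmp policy 20
 encryption 3des
 hash md5
 group 2
crypto ipsec transform-set STRONG esp-aes 256 esp-sha384-hmac
crypto ipsec transform-set LEGACY esp-3des esp-md5-hmac
"""
```

Running `audit_ipsec_config(SAMPLE_CONFIG)` reports the three legacy settings of policy 20 and the two weak transforms of LEGACY, and nothing for policy 10 or STRONG.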
In late 2019, the NSA warned that many state-sponsored APT (Advanced Persistent Threat) groups were exploiting the vulnerabilities CVE-2019-11510, CVE-2019-11539 and CVE-2018-13379 to compromise vulnerable VPN devices. The NSA also issued mitigation instructions to customers of Pulse Secure, Palo Alto and Fortinet VPNs to strengthen the security of their VPNs. In early 2020, CISA urged organizations to patch their Pulse Secure VPN servers to bolster their defenses against attacks attempting to exploit a remote code execution (RCE) vulnerability identified as CVE-2019-11510. This followed another warning issued by CISA in October 2019 and others issued by the National Security Agency (NSA), the UK's National Cyber Security Centre (NCSC) and the Canadian Centre for Cyber Security.
That same month, an FBI security alert said state-sponsored hackers had breached the networks of a U.S. financial entity and a U.S. municipal network after exploiting servers vulnerable to CVE-2019-11510.
Shortly afterwards, CISA reported that hackers had successfully deployed ransomware on U.S. hospital systems and government agencies, using stolen Active Directory credentials, months after exploiting Pulse Secure VPN servers that had not been patched against CVE-2019-11510. In March, CISA also shared a series of tips to help organizations with home-based staff secure their corporate VPNs properly, as hackers were expected to focus their attacks on employees who had turned to remote work.