CISA, NSA Issue Guidelines for Selecting and Securing VPNs

Updated: Sep 29, 2021

The NSA and CISA yesterday released new guidelines on VPNs. The guidance provides direction for selecting VPN solutions that follow industry standards and for using strong authentication credentials.


As general rules for hardening the VPN, CISA and the NSA recommend reducing a server’s attack surface by:

  1. Configuring strong cryptography and authentication

  2. Running on strictly necessary features

  3. Protecting and monitoring access to and from the VPN

Archie Agarwal, Founder and CEO at ThreatModeler, a Jersey City, New Jersey-based automated threat modeling provider, weighed in on this latest government announcement:

A quick Shodan search reveals over a million VPNs on the Internet in the US alone. These are the doorways to private sensitive internal networks and are sitting there exposed to the world for any miscreant to try to break through.

These represent the old perimeter security paradigm and have failed to protect the inner castle over and again. If credentials are leaked or stolen, or new vulnerabilities discovered, the game is lost and the castle falls.

The new zero trust approach being advocated by the US government and NIST takes this public doorway offline and throws an invisible cloak over the entire network. Innovative startups like Enclave and Tailscale are pioneering this work and the days of VPNs on the Internet are thankfully numbered.


Heather Paunet, Senior Vice President at Untangle, a San Jose, Calif.-based provider of comprehensive network security for SMBs, weighed in as well:

The Cybersecurity Information Sheet on VPNs provides guidelines to help IT professionals choose and deploy a secure VPN for their business. A cyberattack on a VPN has the potential to be very costly, either in terms of ransom or data accessed, as with the Pulse Secure VPN exploit in April that compromised government agencies and companies in the U.S. and Europe.

The document provides sound guidelines including researching and scrutinizing the vendor and technology to ensure you are getting a standard, reputable product. Guidance on deployment is also provided to harden a VPN against compromise.

These guidelines from the NSA come shortly after the White House issued an executive order, in May 2021, mandating the Federal Government to move towards a Zero Trust architecture. Whilst the concept of Zero Trust is clear, this has been a term that has been interpreted differently by both those trying to implement it and vendors moving fast to be able to state that they provide it. Zero Trust can incorporate VPN technologies, and NSA’s guidelines on selecting and hardening VPN standards clearly show that it’s important to look carefully at selecting which VPN technology to use. Vendors that don’t fully research VPN technologies can end up with a solution that is less likely to stand up to an attack.

While there has been a rise in vulnerabilities of VPNs due to more VPN usage over the last year and a half, newer VPN technologies with newer types of cryptography are evolving to ensure the protection of information transmitted across the internet. WireGuard VPN, for example, uses state-of-the-art cryptography and is becoming more popular.

What is missing from the guidelines is consideration of the human element. Along with following the strict guidelines, IT professionals are also challenged with getting employees to effectively use the technology. If the VPN is too difficult to use, or slows down systems, the employee is likely to turn it off. VPN technologies have come a long way over the last two to three years, with newer technologies, such as WireGuard VPN, providing fast connections that are easy for administrators to set up and simple for employees to use.

The challenge for IT professionals is to find a VPN solution that fits the guidelines, but is also fast and reliable so that employees turn it on once and forget about it.

