Keep Attackers Out of VPNs: Feds Offer Guidance

The NSA and CISA issued recommendations on choosing and hardening VPNs to prevent nation-state APTs from exploiting known vulnerabilities (CVEs) to break into protected networks.

Unsecured VPNs can be a hot mess: Just ask Colonial Pipeline (which was breached by the DarkSide ransomware crew through a legacy VPN account that had no MFA and whose password had leaked) or Fortinet, which saw credentials for at least 87,000 unpatched FortiGate SSL-VPN devices posted online earlier this month.

Vulnerabilities in VPN servers are like welcome mats to nation-state advanced persistent threat (APT) actors. Often, they weaponize VPN vulnerabilities to break into protected networks.

But this week, as they have repeatedly attempted in the past, the Feds moved to whisk away that mat.


On Tuesday, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) issued guidance on selecting and hardening VPNs. The guidance is aimed at leaders in the Department of Defense, National Security Systems and the Defense Industrial Base, to help them understand the risks associated with these devices.

What’s at Stake

As the advisory from the NSA and CISA explained, exploiting CVEs associated with VPNs can enable a malicious actor “to steal credentials, remotely execute code, weaken encrypted traffic’s cryptography, hijack encrypted traffic sessions and read sensitive data from the device.”

The guidance continued: “If successful, these effects usually lead to further malicious access and could result in a large-scale compromise to the corporate network.”

A recent example of nation-state actors preying on vulnerable VPNs came this spring, when Pulse Secure rushed out a fix for a critical zero-day vulnerability (CVE-2021-22893) in its Connect Secure VPN devices. The zero-day was exploited by two APTs, likely linked to China, who used it to launch cyberattacks against U.S. defense, finance and government targets, as well as victims in Europe.

How to Choose and Harden a VPN

There’s clearly still work to be done to harden VPN defenses.

To that end, the federal agencies released an information sheet (PDF) that details what to take into account when selecting a remote access VPN, as well as how to harden these devices from compromise.

One of the recommendations: use tested and validated VPN products listed on the National Information Assurance Partnership (NIAP) Product Compliant List that employ strong authentication methods like multi-factor authentication (MFA).

Other tips:

  1. Configure strong cryptography and authentication
  2. Run only strictly necessary features
  3. Protect and monitor access to and from the VPN
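The three tips above are what a configuration review actually has to check. As an added example that is not part of the agencies' information sheet or of this article, the Python script below audits a strongSwan-style ipsec.conf against an assumed minimum policy: IKEv2 only, AES-256, SHA-384 or stronger PRF/integrity, DH groups of 3072-bit or P-384 strength, certificate rather than pre-shared-key authentication, no IKEv1 aggressive mode and no IPComp. The policy values, the two embedded configurations and the RADIUS-backed EAP setup are constructed assumptions; the agencies' actual algorithm recommendations are in the information sheet.

```python
"""Audit a strongSwan-style ipsec.conf against a minimum-strength policy.
Added example, not NSA/CISA code. The policy below is an assumption modelled
loosely on the "strong cryptography and authentication" advice; check the
information sheet for the exact recommended values.
"""
import re

# Assumed allow-list of strongSwan proposal tokens (not the agencies' table).
ALLOWED_TOKENS = {
    "aes256", "aes256gcm16", "aes256gcm128", "chacha20poly1305",   # encryption / AEAD
    "sha384", "sha512", "prfsha384", "prfsha512",                   # integrity / PRF
    "modp3072", "modp4096", "modp6144", "modp8192", "ecp384", "ecp521",  # DH groups
}


def parse_ipsec_conf(text):
    """Return {section_name: {key: value}} for a strongSwan ipsec.conf."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^(conn|ca|config)\s+(\S+)$", line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections


def weak_tokens(proposal):
    """Algorithm tokens in a proposal string ('enc-integ-dh,enc-integ-dh!') not on the allow-list."""
    weak = []
    for prop in proposal.rstrip("!").split(","):
        weak.extend(tok for tok in prop.split("-") if tok and tok not in ALLOWED_TOKENS)
    return weak


def audit_conn(name, conn):
    """Return (severity, message) findings for one conn section (defaults already merged)."""
    findings = []
    # Tip 1: strong cryptography and authentication
    kx = conn.get("keyexchange", "ike")           # strongSwan default "ike" accepts IKEv1 and IKEv2
    if kx != "ikev2":
        findings.append(("high", f"{name}: keyexchange={kx} permits IKEv1; set keyexchange=ikev2"))
    if conn.get("aggressive", "no") == "yes":
        findings.append(("high", f"{name}: IKEv1 aggressive mode exposes the PSK-derived hash to offline guessing"))
    for key in ("ike", "esp"):
        if key not in conn:
            continue
        bad = sorted(set(weak_tokens(conn[key])))
        if bad:
            findings.append(("high", f"{name}: {key}={conn[key]} allows weak algorithms {bad}"))
        if not conn[key].endswith("!"):           # without '!' strongSwan may add its default proposals
            findings.append(("medium", f"{name}: {key} proposal lacks the strict '!' flag"))
    auth = (conn.get("authby"), conn.get("leftauth"), conn.get("rightauth"))
    if "secret" in auth or "psk" in auth:
        findings.append(("high", f"{name}: pre-shared-key authentication; use certificates plus an MFA-backed EAP method"))
    # Tip 2: run only strictly necessary features
    if conn.get("compress", "no") == "yes":
        findings.append(("low", f"{name}: IPComp (compress=yes) enabled; disable unless required"))
    return findings


def audit_config(text):
    """Audit every conn section, applying 'conn %default' settings first."""
    sections = parse_ipsec_conf(text)
    defaults = sections.get("conn %default", {})
    findings = []
    for name, conn in sections.items():
        if name.startswith("conn ") and name != "conn %default":
            findings.extend(audit_conn(name, {**defaults, **conn}))
    return findings


# Constructed sample configurations (documentation addresses, hypothetical names).
WEAK_CONF = """\
config setup
conn %default
    keyexchange=ikev1
    aggressive=yes
    authby=secret
conn rw
    left=203.0.113.10
    right=%any
    ike=aes128-sha1-modp1024,3des-sha1-modp1024
    esp=aes128-sha1
    compress=yes
    auto=add
"""

HARDENED_CONF = """\
config setup
conn rw
    keyexchange=ikev2
    left=203.0.113.10
    leftcert=vpnserver.pem
    leftauth=pubkey
    right=%any
    rightauth=eap-radius   # RADIUS backend enforces MFA (assumption)
    eap_identity=%identity
    ike=aes256gcm16-prfsha384-ecp384!
    esp=aes256gcm16-ecp384!
    auto=add
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_config(conf)
        print(f"{label}: {len(result)} finding(s)")
        for sev, msg in result:
            print(f"  [{sev}] {msg}")
```

Run against the weak configuration it reports eight findings (IKEv1, aggressive mode, weak IKE and ESP proposals, non-strict proposals, pre-shared keys and IPComp); the hardened one passes clean. The allow-list deliberately rejects anything it does not recognise, so a new or misspelled token is flagged rather than silently accepted.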

The feds also recommend moving to a zero-trust paradigm (more on that below). And many researchers are also pushing a move away from VPNs entirely.
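The third tip, protect and monitor access to and from the VPN, is where compromised credentials of the Colonial Pipeline and Fortinet kind show up first. As an added example, not drawn from the agencies' guidance or from this article, the Python below runs two simple detections over constructed VPN authentication log lines: a password spray (one source address, many distinct usernames failing inside a window) and a source that succeeds only after repeated failures. The log format, hostnames, addresses and thresholds are assumptions; point the regex at whatever your gateway actually emits.

```python
"""Spot password-spray and fail-then-succeed patterns in VPN auth logs.
Added example, not from the NSA/CISA information sheet. Log format and
thresholds are assumptions; map LINE_RE to your gateway's real syslog.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<ISO ts> <host> auth: user=<u> src=<ip> result=SUCCESS|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>SUCCESS|FAIL)$"
)

# Assumed thresholds; tune to the gateway's real baseline.
WINDOW = timedelta(minutes=10)
SPRAY_DISTINCT_USERS = 5         # one source, this many usernames failing
FAILS_BEFORE_HIT = 3             # failures from a source before a success is suspicious


def parse_line(line):
    """Return a dict for a matching line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(lines):
    """Return alert strings, at most one spray alert per source and one hit alert per success."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    recent_fails = defaultdict(list)            # src -> [(ts, user)] inside WINDOW
    alerts, sprayed = [], set()
    for e in events:
        src, ts = e["src"], e["ts"]
        recent_fails[src] = [(t, u) for t, u in recent_fails[src] if ts - t <= WINDOW]
        if e["result"] == "FAIL":
            recent_fails[src].append((ts, e["user"]))
            users = {u for _, u in recent_fails[src]}
            if len(users) >= SPRAY_DISTINCT_USERS and src not in sprayed:
                sprayed.add(src)
                alerts.append(f"password spray from {src}: {len(users)} distinct users failed within {WINDOW}")
        elif len(recent_fails[src]) >= FAILS_BEFORE_HIT:
            alerts.append(f"success after failures: {src} logged in as {e['user']} "
                          f"after {len(recent_fails[src])} failed attempts")
            recent_fails[src] = []              # one success yields one alert
    return alerts


# Constructed sample log (documentation addresses, hypothetical host and users).
SAMPLE_LOG = """\
2021-09-29T08:00:01Z vpn-gw01 auth: user=alice src=198.51.100.7 result=FAIL
2021-09-29T08:00:04Z vpn-gw01 auth: user=bob src=198.51.100.7 result=FAIL
2021-09-29T08:00:07Z vpn-gw01 auth: user=carol src=198.51.100.7 result=FAIL
2021-09-29T08:00:10Z vpn-gw01 auth: user=dave src=198.51.100.7 result=FAIL
2021-09-29T08:00:13Z vpn-gw01 auth: user=erin src=198.51.100.7 result=FAIL
2021-09-29T08:00:16Z vpn-gw01 auth: user=frank src=198.51.100.7 result=FAIL
2021-09-29T08:05:00Z vpn-gw01 auth: user=jsmith src=203.0.113.42 result=FAIL
2021-09-29T08:05:03Z vpn-gw01 auth: user=jsmith src=203.0.113.42 result=FAIL
2021-09-29T08:05:06Z vpn-gw01 auth: user=jsmith src=203.0.113.42 result=FAIL
2021-09-29T08:05:09Z vpn-gw01 auth: user=jsmith src=203.0.113.42 result=SUCCESS
2021-09-29T08:10:00Z vpn-gw01 auth: user=grace src=192.0.2.9 result=FAIL
2021-09-29T08:10:20Z vpn-gw01 auth: user=grace src=192.0.2.9 result=SUCCESS
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample log the spray from 198.51.100.7 fires at the fifth distinct username, 203.0.113.42 is reported for a success following three failures, and grace's single mistyped password from 192.0.2.9 stays quiet. With MFA in front of the VPN the second signal is less dangerous but still worth a ticket, since it usually means a valid password is already in an attacker's hands.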

This Is So Old School

VPNs are common fixtures in the perimeter landscape, but some say that should change.

Archie Agarwal, founder and CEO of ThreatModeler, pointed out that a quick search with Shodan – the search engine for internet-connected devices – uncovers more than a million VPNs on the internet in the U.S. alone.

“These are the doorways to private, sensitive internal networks and are sitting there exposed to the world for any miscreant to try to break through,” he told Threatpost via email on Wednesday.

All of those sitting VPN ducks represent “the old perimeter security paradigm,” Agarwal said, and they’ve “failed to protect the inner castle over and again.” If credentials are leaked or stolen, or new vulnerabilities are (inevitably) discovered, “the game is lost and the castle falls,” he commented.

Better for organizations to use the zero-trust approach being advocated by the U.S. government and NIST, Agarwal suggested. Zero trust, which replaces “trust but verify” with “never trust, always verify,” slams shut those public doorways into the network and “throws an invisible cloak over the entire network,” he said.

In May, the White House issued an executive order directing the federal government to move toward a zero-trust architecture, a mandate that is trickier to implement than it may first appear. So, earlier this month, the Biden administration offered further guidance on how to implement it.

VPNs: Here to Stay or Headed to the Dust Bin?

Will the push to zero trust spell doomsday for VPNs? Agarwal thinks so: He pointed to startups that are pioneering the architecture and predicted that “the days of VPNs on the internet are thankfully numbered.”

But there are those who would beg to differ.

Heather Paunet, senior vice president at SMB network security provider Untangle, noted that while the concept of zero trust is clear, the term has been interpreted differently “by both those trying to implement it and vendors moving fast to be able to state that they provide it.”

She told Threatpost via email on Wednesday that zero trust “can incorporate VPN technologies,” and that the NSA’s guidelines on selecting and hardening VPN standards “clearly show that it’s important to look carefully at selecting which VPN technology to use.”

She added, “Vendors that don’t fully research VPN technologies can end up with a solution that is less likely to stand up to an attack.”

Paunet painted a pro-VPN future: “While there has been a rise in vulnerabilities of VPNs due to more VPN usage over the last year and a half, newer VPN technologies with newer types of cryptography are evolving to ensure the protection of information transmitted across the internet.”

Don’t Forget the Human Element

Untangle’s Paunet sees a missing piece of the guidance: namely, humans. Besides following strict guidelines, IT professionals are also challenged with getting employees to effectively use the technology, she noted: “If the VPN is too difficult to use, or slows down systems, the employee is likely to turn it off.”

Paunet also said that VPN technologies “have come a long way over the last two to three years, with newer technologies … providing fast connections that are easy to set up by administrators and simple to use by employees.”

The challenge then for IT professionals is to find a VPN solution that fits the guidelines, but “is also fast and reliable so that employees turn it on once and forget about it,” she said.
