The NSA and CISA issued recommendations on choosing and hardening VPNs to prevent nation-state APTs from weaponizing flaws & CVEs to break into protected networks.
Unsecured VPNs can be a hot mess: Just ask Colonial Pipeline (which got pwned by the REvil ransomware crooks with an old VPN password) or the 87,000 (at least) Fortinet customers whose credentials for unpatched SSL-VPNs were posted online earlier this month.
Vulnerabilities in VPN servers are like welcome mats to nation-state advanced persistent threat (APT) actors who’ve weaponized VPN CVEs and vulnerabilities to break into protected networks.
But as of Tuesday, as they have repeatedly attempted in the past, the Feds moved to whisk away that mat.
On Tuesday, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) issued guidance on selecting and hardening remote access virtual private networks (VPNs): guidance that will hopefully help U.S. military leaders to better understand the risks associated with these devices.
What’s at Stake
As the advisory from the NSA and CISA explained, exploiting CVEs associated with VPNs can enable a malicious actor “to steal credentials, remotely execute code, weaken encrypted traffic’s cryptography, hijack encrypted traffic sessions, and read sensitive data from the device.”
The guidance continued: “If successful, these effects usually lead to further malicious access and could result in a large-scale compromise to the corporate network.”
A recent example of nation-state actors preying on vulnerable VPNs came in May, when Pulse Secure rushed a fix for a critical zero-day security vulnerability in its Connect Secure VPN devices. The zero-day was exploited by two APTs, likely linked to China, who used it to launch cyberattacks against U.S. defense, finance and government targets, as well as victims in Europe.
This Is So Old School
Archie Agarwal, founder and CEO of automated threat modeling provider ThreatModeler, pointed out that a quick search with Shodan – the search engine of Internet-connected devices – uncovers more than a million VPNs on the internet in the U.S. alone. “These are the doorways to private sensitive internal networks and are sitting there exposed to the world for any miscreant to try to break through,” he told Threatpost via email on Wednesday.
All of those sitting VPN ducks represent “the old perimeter security paradigm,” Agarwal said, and they’ve “failed to protect the inner castle over and again.” If credentials are leaked or stolen, or new vulnerabilities are (inevitably) discovered, “the game is lost and the castle falls,” he commented.
Better for organizations to use the Zero Trust approach being advocated by the U.S. government and NIST, Agarwal suggested. Zero Trust, which pivots from “trust but verify” to “never trust/always verify,” slams shut those public doorways into the network and “throws an invisible cloak over the entire network,” he said.
In May, the White House issued an executive order mandating that the federal government move toward a Zero Trust architecture: a mandate that’s trickier to implement than may first appear. Earlier this month, the Biden administration also offered guidance on how to implement it.
VPNs: Here to Stay or Headed to the Dust Bin?
Will the push to Zero Trust spell doomsday for VPNs? Agarwal thinks so: He pointed to startups that are pioneering Zero Trust and predicted that “the days of VPNs on the Internet are thankfully numbered.”
But there are those who would beg to differ.
Heather Paunet, senior vice president at SMB network security provider Untangle, noted that while the concept of Zero Trust is clear, the term has been interpreted differently “by both those trying to implement it and vendors moving fast to be able to state that they provide it.”
She told Threatpost via email on Wednesday that Zero Trust “can incorporate VPN technologies,” and that the NSA’s guidelines on selecting and hardening VPN standards “clearly show that it’s important to look carefully at selecting which VPN technology to use. Vendors that don’t fully research VPN technologies can end up with a solution that is less likely to stand up to an attack.”
Paunet painted a pro-VPN future: “While there has been a rise in vulnerabilities of VPNs due to more VPN usage over the last year and a half, newer VPN technologies with newer types of cryptography are evolving to ensure the protection of information transmitted across the internet. WireGuard VPN, for example, uses state-of-the-art cryptography and is becoming more popular.”
How to Choose and Harden a VPN
For now, the debate over the future of VPNs is beside the point: VPNs haven’t disappeared yet, so there’s clearly still work to be done to harden their defenses.
To that end, the federal agencies released an information sheet (PDF) that details what to take into account when selecting a remote access VPN, as well as how to harden these devices from compromise.
One of the recommendations: use tested and validated VPN products listed on the National Information Assurance Partnership (NIAP) Product Compliant List that employ strong authentication methods like multi-factor authentication (MFA). The information sheet also advises organizations to:
- Configure strong cryptography and authentication
- Run only strictly necessary features
- Protect and monitor access to and from the VPN
Don’t Forget the Human Element
Untangle’s Paunet sees a missing piece of the guidance: namely, humans. Besides following strict guidelines, IT professionals are also challenged with getting employees to effectively use the technology, she noted, and “if the VPN is too difficult to use, or slows down systems, the employee is likely to turn it off.”
Paunet noted that VPN technologies “have come a long way over the last two to three years, with newer technologies … providing fast connections that are easy to set up by administrators and simple to use by employees. The challenge for IT professionals is to find a VPN solution that fits the guidelines, but is also fast and reliable so that employees turn it on once and forget about it.”