The National Security Agency released guidance this week on securing IPsec virtual private networks as companies across the US continue to grapple with remote working in the wake of the coronavirus pandemic. The advice included a warning not to rely on vendor-supplied configurations.
The document came in two flavors: a guide to securing VPNs and a version with more detailed configuration examples. It warned that many VPN vendors provide cryptography suites and IPsec policies pre-configured for their devices, along with extra ones for compatibility. The Internet Security Association and Key Management Protocol (ISAKMP) and the IPsec policy define how VPNs should authenticate each other, manage their security associations, and generate their keys at different phases of a VPN connection.
“If either of these phases is configured to allow obsolete cryptography, the entire VPN will be at risk, and data confidentiality might be lost,” the document warned.
The NSA advised administrators to ensure that these policies comply with the Committee on National Security Systems Policy (CNSSP)-15 standard, which defines parameters for the secure sharing of information between national security systems. Even configuring CNSSP-15-compliant default policies may not be enough, because many VPNs are configured to fall back to alternative policies if their default one is not available. That risks using non-compliant security policies if administrators leave vendors’ pre-configured alternatives on their devices, the document said.
Introduced in the 1990s, IPsec is a traditional protocol for VPNs to talk to each other. It can be used for remote access, or for inter-VPN communications. It is an alternative to SSL/TLS VPNs, which offer entirely browser-based access without using a dedicated software application on the client side.
The NSA also advised administrators to reduce the attack surface of their VPN gateways. Because these devices tend to be internet-accessible, they are prone to network scanning, brute-force attacks, and zero-day vulnerabilities, it warned. One way to reduce this risk is to limit accepted traffic to known IP addresses if working with peer VPNs.
“Remote access VPNs present the issue of the remote peer IP address being unknown and therefore it cannot be added to a static filtering rule,” it noted. However, admins can still limit access to specific ports and protocols, such as ports 500 and 4500, accessible via UDP.