Press Release | Sept. 28, 2021

NSA, CISA Release Guidance on Selecting and Hardening Remote Access VPNs

FORT MEADE, Md.   –   The National Security Agency and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Information Sheet today detailing factors to consider when choosing a virtual private network (VPN) and top configurations for deploying it securely.  “Selecting and Hardening Remote Access VPN Solutions” also will help leaders in the Department of Defense, National Security Systems and the Defense Industrial Base better understand the risks associated with VPNs.
 
VPN servers are entry points into protected networks, making them attractive targets. Multiple nation-state advanced persistent threat (APT) actors have weaponized common vulnerabilities and exposures (CVEs) to gain access to vulnerable VPN devices. Exploitation of these CVEs can enable a malicious actor to steal credentials, remotely execute code, weaken encrypted traffic’s cryptography, hijack encrypted traffic sessions, and read sensitive data from the device. If successful, these effects usually lead to further malicious access and could result in a large-scale compromise to the corporate network.
 
The Information Sheet details considerations for selecting a remote access VPN, as well as actions to harden the VPN from compromise. Top hardening recommendations include using tested and validated VPN products on the National Information Assurance Partnership (NIAP) Product Compliant List, employing strong authentication methods like multi-factor authentication, promptly applying patches and updates, and reducing the VPN’s attack surface by disabling non-VPN-related features.
 
NSA is releasing this guidance as part of our mission to help secure the Department of Defense, National Security Systems and the Defense Industrial Base.
 
For more details on how to select a secure VPN and further harden your network, read the full Information Sheet here.
 
For more cybersecurity guidance, visit NSA.gov/cybersecurity.