NSA Issues VPN Security Guidance

The National Security Agency released guidance this week on securing IPsec virtual private networks as companies across the US continue to grapple with remote working in the wake of the coronavirus pandemic. The advice included a warning not to rely on vendor-supplied configurations.



The document came in two flavors: a guide to securing VPNs and a version with more detailed configuration examples. It warned that many VPN vendors ship their devices with cryptography suites and IPsec policies pre-configured, along with extra ones kept for compatibility with older peers. Two sets of policies govern an IPsec VPN. The Internet Security Association and Key Management Protocol (ISAKMP) policy covers the first phase of a connection, in which the two VPN endpoints authenticate each other and set up a protected channel for further negotiation; the IPsec policy covers the second phase, in which they negotiate the security associations and generate the keys that protect the actual traffic.



"If either of these phases is configured to allow obsolete cryptography, the entire VPN will be at risk, and data confidentiality might be lost," the document warned.



The NSA advised administrators to ensure that both sets of policies comply with the Committee on National Security Systems Policy (CNSSP)-15 standard, which specifies the cryptographic algorithms and key sizes approved for protecting information on national security systems. Even configuring a CNSSP-15-compliant default policy may not be enough, because many VPN devices will negotiate using any policy in their list, not only the preferred one. If a peer proposes only a weaker policy and the administrator has left the vendor's pre-configured alternatives on the device, the connection will be established under a non-compliant policy, the document said.
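The check a practitioner wants after reading that paragraph is an inventory of every IKE policy and IPsec transform set on a device, not just the preferred one, with each attribute compared against the CNSSP-15 parameters. The script below is an added example, not code from the NSA guidance or from any vendor: it parses a constructed, Cisco-IOS-like configuration dump (the syntax, the implicit per-attribute defaults in IMPLICIT_DEFAULTS, and the approved-value sets are assumptions for illustration; adjust them to your vendor's documentation and your policy) and reports every attribute that is not compliant, including attributes that were never written in the config and therefore silently took the vendor default.

```python
"""Audit IKE (ISAKMP) policies and IPsec transform sets in a router-style
config dump against CNSSP-15 / CNSA-style parameters.

Added example; the config syntax is Cisco-IOS-like and the sample is constructed.
"""
import re
from dataclasses import dataclass, field

# Approved values (assumed for this example): AES-256, SHA-384/512,
# DH group 16 (4096-bit MODP) or 20 (384-bit ECP), certificate-based auth.
APPROVED = {
    "encryption": {"aes 256", "aes-gcm 256"},
    "hash": {"sha384", "sha512"},
    "group": {"16", "20"},
    "authentication": {"rsa-sig", "ecdsa-sig"},
}
APPROVED_ESP_CIPHERS = {"esp-aes 256", "esp-gcm 256"}
APPROVED_ESP_INTEGRITY = {"esp-sha384-hmac", "esp-sha512-hmac"}

# Values an ISAKMP policy takes when a line is omitted (assumed; this is the
# "silent fallback" case: nothing in the config shows the weak setting).
IMPLICIT_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1",
                     "authentication": "rsa-sig"}

# Constructed sample: a strict policy, a legacy "compatibility" policy left in
# place, and a policy whose unspecified lines fall back to implicit defaults.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha384
 authentication rsa-sig
 group 20
 lifetime 86400
crypto isakmp policy 20
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp policy 30
 encr aes 256
crypto ipsec transform-set STRICT esp-aes 256 esp-sha384-hmac
crypto ipsec transform-set LEGACY esp-3des esp-md5-hmac
"""


@dataclass
class Policy:
    name: str
    settings: dict = field(default_factory=dict)  # attribute -> effective value
    explicit: set = field(default_factory=set)    # attributes actually written


def parse_isakmp_policies(config):
    """Return Policy objects, pre-filled with implicit defaults."""
    policies, current = [], None
    for line in config.splitlines():
        line = line.rstrip()
        m = re.match(r"^crypto isakmp policy (\d+)$", line)
        if m:
            current = Policy(m.group(1), dict(IMPLICIT_DEFAULTS))
            policies.append(current)
            continue
        if current is None or not line.startswith(" "):
            current = None  # any other top-level line ends the policy block
            continue
        key, *rest = line.split()
        value = " ".join(rest)
        if key in ("encr", "encryption"):
            current.settings["encryption"] = value
            current.explicit.add("encryption")
        elif key in ("hash", "group", "authentication"):
            current.settings[key] = value
            current.explicit.add(key)
        # lifetime and other lines are not part of this check
    return policies


def parse_transform_sets(config):
    """Map transform-set name -> transform string, e.g. 'esp-aes 256 esp-sha384-hmac'."""
    sets = {}
    for line in config.splitlines():
        m = re.match(r"^crypto ipsec transform-set (\S+) (.+)$", line.strip())
        if m:
            sets[m.group(1)] = m.group(2)
    return sets


def split_transforms(spec):
    """Separate a transform string into (cipher, integrity)."""
    tokens, cipher, integrity, i = spec.split(), None, None, 0
    while i < len(tokens):
        if i + 1 < len(tokens) and tokens[i + 1].isdigit():
            cipher, i = f"{tokens[i]} {tokens[i + 1]}", i + 2  # 'esp-aes 256'
        elif tokens[i].endswith("-hmac"):
            integrity, i = tokens[i], i + 1
        else:
            cipher, i = tokens[i], i + 1  # e.g. 'esp-3des' has no key length
    return cipher, integrity


def audit(config):
    """Return (policy, attribute, value, origin) for every non-compliant setting."""
    findings = []
    for p in parse_isakmp_policies(config):
        for attr, ok in APPROVED.items():
            if p.settings[attr] not in ok:
                origin = "explicit" if attr in p.explicit else "implicit default"
                findings.append((f"isakmp policy {p.name}", attr, p.settings[attr], origin))
    for name, spec in parse_transform_sets(config).items():
        cipher, integrity = split_transforms(spec)
        if cipher not in APPROVED_ESP_CIPHERS:
            findings.append((f"transform-set {name}", "esp cipher", cipher, "explicit"))
        # AEAD (GCM) carries its own integrity; everything else needs an approved HMAC
        if not (cipher or "").startswith("esp-gcm") and integrity not in APPROVED_ESP_INTEGRITY:
            findings.append((f"transform-set {name}", "esp integrity", integrity or "none", "explicit"))
    return findings


def is_compliant(config):
    return not audit(config)


if __name__ == "__main__":
    for where, attr, value, origin in audit(SAMPLE_CONFIG):
        print(f"{where}: {attr} = {value!r} ({origin})")
```

Policy 10 and transform set STRICT pass; policy 20 is the kind of compatibility fallback the guidance warns about, and policy 30 shows why an audit has to reason about defaults rather than only grep the config: it looks strict at a glance but negotiates SHA-1 and DH group 1. Because a responder will accept whichever of its policies a peer's proposal matches, the fix is to delete the weak policies, not merely to give them a lower priority.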



Introduced in the 1990s, IPsec is a traditional protocol for VPNs to talk to each other. It can be used ..
