The National Security Agency (NSA) has published a series of recommendations on how to properly configure IP Security (IPsec) Virtual Private Networks (VPNs).
Used within organizations of all sizes for remote connection to assets and for telework, VPNs can deliver the expected level of security if strong cryptography is employed and if admins perform regular assessments to identify and eliminate misconfigurations and vulnerabilities.
Thus, the NSA recommends that network administrators avoid default settings and reduce the attack surface of VPN gateways, ensure that only CNSSP 15-compliant cryptographic algorithms are used, remove unused or non-compliant cryptography, and keep both VPN gateways and clients up to date.
Administrators, the NSA says, should avoid using default configurations or the vendor-supplied tools for automated configuration or VPN access, as they might include undesired, non-compliant ISAKMP/IKE (Internet Security Association and Key Management Protocol/Internet Key Exchange) and IPsec policies.
Restricting traffic to the VPN gateway to only UDP port 500/4500 and ESP, and limiting traffic to known VPN peer IP addresses should reduce attack surface. Using an Intrusion Prevention System (IPS) to monitor IPsec traffic should help as well.
The NSA also points out that the ISAKMP/IKE and IPsec policies should be configured with recommended settings, otherwise they would expose the entire VPN to attacks.
Per CNSSP 15, as of June 2020, minimum recommended settings for ISAKMP/IKE are Diffie-Hellman group 16, AES-256 encryption, and SHA-384 hash, while those for IPsec are AES-256 encryption, SHA-384 hash, and CBC block cipher mode.
“Cryptography standards continue to change over time as the computing environment evolves and new weaknesses in algorithms are identified. Administrators should pr ..
Support the originator by clicking the read the rest link below.
