Optimizing VPNs for security: 5 key tasks

It appears that companies will need to support and protect work-from-home employees for a prolonged period of time. Maybe it’s time to review that virtual private network (VPN) you set up for vulnerabilities. Recently the National Security Agency released its Securing IPsec Virtual Private Networks document, which discusses the regular tasks you should do to keep your network secure: 

• Reduce the VPN gateway attack surface
• Verify that cryptographic algorithms are Committee on National Security Systems Policy (CNSSP) 15-compliant
• Avoid using default VPN settings
• Remove unused or non-compliant cryptography suites
• Apply vendor-provided updates (patches) for VPN gateways and clients

Let’s take a deeper look at these and other tasks you can do to lock down your VPN connections:

Use the current version of your VPN software

Ensure that you are using up to date and supported VPN software. In January 2020, USCert noted that attackers were using vulnerable Pulse VPN software to drop ransomware on networks. The vulnerability was a worst-case scenario attack: “A remote, unauthenticated attacker may be able to compromise a vulnerable VPN server. The attacker may be able to gain access to all active users and their plain-text credentials. It may also be possible for the attacker to execute arbitrary commands on each VPN client as it successfully connects to the VPN server.” The only way to protect your network was to apply the available patches. 

Check VPN connections

Review your VPN connections to see if they are as secure as they can be. First, review your settings to optimize management of systems. Earlier, I discussed the issue of split tunnel VPN and the use of Office 365. For many years the best practice was to route all traffic through the VPN tunnel. With the use of click-to-run and Office 365, it’s now recommended to split that traffic and have the Office 365 servicing go through the user’s internet connection, while the rest of the traffic needed for office work to be directed over the VPN. 

If you use Microsoft’s Always On VPN with Windows 10 Enterprise edition 1709 or later and the client device joined to the domain, you can set up device tunnel feature. It allows the computer to establish an Always On VPN connection prior to the user logging on. This allows users to use cached credentials without risk.

This is important, especially with so many new users remotely logging in for the first time without them coming into the office for training and setup. The device tunnel also allows administrators to manage remotely connected Always On VPN clients without having a user logged on. Finally, the device tunnel can assist with the user issues that are caused by admins changing and resetting remote worker’s passwords and by users initiating Self-Service Password Reset (SSPR). 

Filter VPN traffic

Too often we set up VPN and do not take additional steps to protect and defend the VPN openings. Attackers scan for and attempt to enter via VPN connections. Set strict traffic filtering rules to limit the ports, protocols and IP addresses of network traffic to VPN devices. If you can’t filter to a specific IP address (and clearly at this time we cannot), have your firewall set to provide inspection and monitoring for IPsec traffic and inspect IPsec session negotiations. 

If you have a Cisco model, the following ACL Examples allow you to limit ISAKMP traffic to only known peers: 

Access-list deny-ike extended permit udp  eq isakmp  Access-list deny-ike extended permit udp  eq 4500  Access-list deny-ike extended permit esp    Access-list deny-ike extended deny udp any eq isakmp  Access-list deny-ike extended deny udp any eq 

Next, set cryptographic settings and suites to be the most secure. If you use out-of-date cryptographic settings, attackers can breach the connection and confidentiality can be lost.  As noted in a Cisco document, you can review the current IPSec SAs in use by entering the following commands: 

• To display the settings used by the current IPSec SAs, issue the show crypto ipsec sa detail command
• To display all current IKE SAs at a peer, issue the show crypto isakmp sa command

As noted in Configuring IPsec Virtual Private Networks, the minimum recommended ISAKMP/IKE settings per CNSSP 15 as of June 2020 are as follows: 

• Diffie-Hellman Group: 16
• Encryption: AES-256
• Hash: SHA-384

For any other vendor review your firewall documentation or reach out to your vendor. 

Review VPN settings

Also review any default settings or wizards used to set up VPN as it may have enabled older vulnerable settings. Review when you set up VPN on the firewall. If it has been many years since you set it up, chances are that the settings you chose then are not good enough now. Even though it may be disruptive, review your VPN configurations. 

For example, with Cisco SA devices NSA recommends IKEv2, since the IKEv1 implementation only supports SHA1. Use the following commands to configure ISAKMP/IKE and IPsec Configuration:

IKEv2: 

crypto ikev2 policy 1  encryption [aes-256|aes-gcm-256]  integrity [sha384|sha512]  group [16|20] 

IPsec: 

crypto ipsec ikev2 ipsec-proposal   protocol esp encryption [aes-256|aes-gcm-256]  protocol esp integrity [sha-384|sha512] 

Apply VPN patches

As the Pulse VPN vulnerability has taught us, deploying patches on your VPN solution is critical for security. As noted by US-Cert, in April 24, 2019, Pulse Secure releases initial advisory and software updates addressing multiple vulnerabilities. Yet on August 24, 2019, Bad Packets identified over 14,500 vulnerable VPN servers globally that were unpatched and in need of an upgrade. The attacks on Pulse VPNs could have been prevented with an easy, available fix. Review your patching processes to ensure that you can install patches for firewalls and other VPN platforms in a timely manner.