As the need to support remote workers becomes long-term, it's wise to check your VPN configuration to minimize vulnerabilities.

It appears that companies will need to support and protect work-from-home employees for a prolonged period of time. Maybe it’s time to review that virtual private network (VPN) you set up for vulnerabilities. Recently the National Security Agency released its Securing IPsec Virtual Private Networks document, which discusses the regular tasks you should do to keep your network secure:

- Reduce the VPN gateway attack surface
- Verify that cryptographic algorithms are Committee on National Security Systems Policy (CNSSP) 15-compliant
- Avoid using default VPN settings
- Remove unused or non-compliant cryptography suites
- Apply vendor-provided updates (patches) for VPN gateways and clients

Let’s take a deeper look at these and other tasks you can do to lock down your VPN connections.

Use the current version of your VPN software

Ensure that you are using up-to-date and supported VPN software. In January 2020, US-CERT noted that attackers were using vulnerable Pulse VPN software to drop ransomware on networks. The vulnerability was a worst-case scenario: “A remote, unauthenticated attacker may be able to compromise a vulnerable VPN server. The attacker may be able to gain access to all active users and their plain-text credentials. It may also be possible for the attacker to execute arbitrary commands on each VPN client as it successfully connects to the VPN server.” The only way to protect your network was to apply the available patches.

Check VPN connections

Review your VPN connections to see if they are as secure as they can be. First, review your settings to optimize management of systems. Earlier, I discussed the issue of split-tunnel VPN and the use of Office 365. For many years the best practice was to route all traffic through the VPN tunnel.
With the use of click-to-run and Office 365, it’s now recommended to split that traffic: have the Office 365 servicing go through the user’s internet connection, while the rest of the traffic needed for office work is directed over the VPN.

If you use Microsoft’s Always On VPN with Windows 10 Enterprise edition 1709 or later and the client device is joined to the domain, you can set up the device tunnel feature. It allows the computer to establish an Always On VPN connection prior to the user logging on, so users can use cached credentials without risk. This is important, especially with so many new users remotely logging in for the first time without coming into the office for training and setup. The device tunnel also allows administrators to manage remotely connected Always On VPN clients without having a user logged on. Finally, the device tunnel can help with the user issues that are caused by admins changing and resetting remote workers’ passwords and by users initiating Self-Service Password Reset (SSPR).

Filter VPN traffic

Too often we set up a VPN and do not take additional steps to protect and defend the VPN openings. Attackers scan for and attempt to enter via VPN connections. Set strict traffic filtering rules to limit the ports, protocols and IP addresses of network traffic to VPN devices. If you can’t filter to a specific IP address (and clearly at this time we cannot), have your firewall provide inspection and monitoring for IPsec traffic and inspect IPsec session negotiations. If you have a Cisco model, the following ACL examples allow you to limit ISAKMP traffic to only known peers:

```
access-list deny-ike extended permit udp eq isakmp
access-list deny-ike extended permit udp eq 4500
access-list deny-ike extended permit esp
access-list deny-ike extended deny udp any eq isakmp
access-list deny-ike extended deny udp any eq
```

Next, set cryptographic settings and suites to be the most secure.
If you use out-of-date cryptographic settings, attackers can breach the connection and confidentiality can be lost. As noted in a Cisco document, you can review the current IPsec SAs in use by entering the following commands:

- To display the settings used by the current IPsec SAs, issue the show crypto ipsec sa detail command
- To display all current IKE SAs at a peer, issue the show crypto isakmp sa command

As noted in Configuring IPsec Virtual Private Networks, the minimum recommended ISAKMP/IKE settings per CNSSP 15 as of June 2020 are as follows:

- Diffie-Hellman Group: 16
- Encryption: AES-256
- Hash: SHA-384

For any other vendor, review your firewall documentation or reach out to your vendor.

Review VPN settings

Also review any default settings or wizards used to set up the VPN, as they may have enabled older, vulnerable settings. Check when you set up VPN on the firewall. If it has been many years since you set it up, chances are that the settings you chose then are not good enough now. Even though it may be disruptive, review your VPN configurations. For example, with Cisco ASA devices the NSA recommends IKEv2, since the IKEv1 implementation only supports SHA1. Use the following commands to configure ISAKMP/IKE and IPsec:

IKEv2:

```
crypto ikev2 policy 1
 encryption [aes-256|aes-gcm-256]
 integrity [sha384|sha512]
 group [16|20]
```

IPsec:

```
crypto ipsec ikev2 ipsec-proposal
 protocol esp encryption [aes-256|aes-gcm-256]
 protocol esp integrity [sha-384|sha512]
```

Apply VPN patches

As the Pulse VPN vulnerability has taught us, deploying patches on your VPN solution is critical for security. As noted by US-CERT, on April 24, 2019, Pulse Secure released an initial advisory and software updates addressing multiple vulnerabilities. Yet on August 24, 2019, Bad Packets identified over 14,500 vulnerable VPN servers globally that were unpatched and in need of an upgrade. The attacks on Pulse VPNs could have been prevented with an easy, available fix.
Review your patching processes to ensure that you can install patches for firewalls and other VPN platforms in a timely manner.
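To make the "Review VPN settings" and "Remove unused or non-compliant cryptography suites" steps above repeatable, here is an added example (not from the article, the NSA guidance or Cisco) that parses the `crypto ikev2 policy` blocks of a Cisco ASA running configuration and flags every algorithm that falls below the CNSSP 15 minimums the article lists. The sample configuration is constructed; the allowed sets are taken from the IKEv2 settings shown above.

```python
import re

# CNSSP 15 minimums the article lists for IKE on Cisco ASA; anything else is flagged.
ALLOWED_ENCRYPTION = {"aes-256", "aes-gcm-256"}
ALLOWED_INTEGRITY = {"sha384", "sha512"}
ALLOWED_GROUPS = {"16", "20"}

# Constructed sample: two IKEv2 policies as `show running-config` prints them;
# policy 20 is the kind of legacy suite an old setup wizard leaves behind.
SAMPLE_CONFIG = """\
crypto ikev2 policy 10
 encryption aes-256
 integrity sha384
 group 16
 prf sha384
crypto ikev2 policy 20
 encryption 3des aes
 integrity sha
 group 2
 prf sha
"""

def parse_ikev2_policies(config):
    # Returns {priority: {"encryption": [...], "integrity": [...], "group": [...]}}.
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ikev2 policy (\d+)$", line)
        if m:
            current = int(m.group(1))
            policies[current] = {"encryption": [], "integrity": [], "group": []}
            continue
        parts = line.split()
        # ASA accepts several algorithms on one line; keep every one for checking.
        if current is not None and parts and parts[0] in policies[current]:
            policies[current][parts[0]] = parts[1:]
    return policies

def non_compliant_policies(config):
    # Maps each policy priority to the settings that fall below the minimums.
    findings = {}
    for prio, p in parse_ikev2_policies(config).items():
        problems = [f"encryption {e}" for e in p["encryption"] if e not in ALLOWED_ENCRYPTION]
        problems += [f"integrity {i}" for i in p["integrity"] if i not in ALLOWED_INTEGRITY]
        problems += [f"group {g}" for g in p["group"] if g not in ALLOWED_GROUPS]
        if problems:
            findings[prio] = problems
    return findings
```

Run `non_compliant_policies()` over the output of `show running-config` and every policy it returns is a candidate for `no crypto ikev2 policy <priority>` or for an upgrade to the suites listed above.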