Last year, the Department of Homeland Security issued a vulnerability notice that disturbed many in the cybersecurity community: Several popular virtual private network solutions insecurely stored authentication cookies in their memory or log files.
An attacker gaining access to that information could steal a legitimate user’s session and gain access to services protected by the VPN without going through the normal authentication process.
Vendors have since issued patches for this vulnerability, but the announcement underscores the importance of carefully configuring and managing all components of an organization’s security program. VPNs play a crucial role in these programs, safeguarding network traffic between sites for remote and mobile users.
Yet VPNs often get very little attention — the modern VPN is a workhorse that simply works properly and doesn’t demand administrator intervention. This lack of attention can lead to serious security issues over time.
Let’s take a look at three ways that agencies can enhance the protection of their VPN implementations.
Agencies Need to Patch VPNs Regularly
Like all technology components, VPNs require regular maintenance. Whether they run on dedicated VPN hardware or use software to run on standard servers, VPNs can contain software and firmware that are subject to security vulnerabilities. Emerging threats, design flaws and code bugs create issues that, when discovered, may allow attackers to compromise VPN connections.
By their nature, VPN devices must be exposed to the outside world to allow inbound connections. This places them in the same risk category as web servers, mail servers and other intentionally exposed systems and increases the importance of ensuring that they are protected against known exploits.
Security teams should place VPN patching high on their priority list. Monitor the security announcements from vendors associated with the agency’s VPN deployment and apply patches as promptly as possible following release. Once a security announcement occurs, the race is on between attackers seeking to exploit a new vulnerability and defenders seeking to secure the VPN from attack.
Also, don’t forget that all components in a VPN stack require regular maintenance. Agencies using server-based VPNs must ensure that the operating system supporting the VPN server also receives regular updates and is protected against compromise.
Follow Best Practices for VPN Management
VPNs rely upon a set of underlying security technologies. These include transport protocols such as Transport Layer Security and IPsec, and cryptographic algorithms such as AES (symmetric encryption) and RSA (public-key).
When configuring encryption settings, administrators must choose a key exchange protocol, bulk encryption algorithm, hash function and digital signature algorithm.
Choosing an appropriate set of these algorithms and configuring their parameters securely is crucial to establishing a secure VPN. Small errors can have significant consequences.
Fortunately, administrators have a good deal of advice available to help build secure configurations. Agency security teams should consult with the vendors of their specific VPN solutions and may also turn to more generic federal publications from the National Institute of Standards and Technology.
For example, NIST Special Publication 800-77, Guide to IPsec VPNs, and NIST SP 800-113, Guide to SSL VPNs, offer important security guidance.
[Infographic: the percentage of Android VPN apps that fail to properly protect user privacy. Source: Top10VPN.com, VPN Risk Index, February 2019]
VPNs should also be included in routine security assessments, including vulnerability scans and penetration tests. Conducted on a periodic basis, these assessments may identify newly discovered security issues, facilitating a prompt remediation.
IT Admins Should Monitor VPN Use
Many attacks against VPNs, including the one publicized by DHS earlier this year, focus on giving attackers control of VPN sessions.
Agency teams should integrate their VPNs with their security information and event management (SIEM) infrastructure and specifically watch for these signs of successful session hijacking attacks:
- Users logging in from unusual locations, particularly from foreign countries where agency employees do not normally travel
- Use of Tor circuits to connect to a VPN, potentially indicating attempts to hide the user’s true location
- Simultaneous connections from multiple geographic locations
- Unusual patterns of data transfer
- Scanning activity and other network probes that indicate network reconnaissance by VPN users

Using a SIEM to automate this monitoring frees up human analysts’ time, allowing them to focus on more value-added work.
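As an added illustration of the monitoring the list above calls for (example code written for this edit, not from FedTech or any SIEM vendor), the following Python checks a constructed VPN session log for three of those signs: logins from countries outside an assumed set of expected ones, one user holding sessions from two countries at the same time, and connections from a constructed list of Tor exit addresses. The log format, the expected-country set and the Tor list are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN session log (not from any real system), one event per line:
# timestamp, username, event, source IP, country code resolved by the VPN or SIEM.
SAMPLE_LOG = """\
2019-03-04T08:02:11Z alice connect 198.51.100.7 US
2019-03-04T08:05:40Z bob connect 203.0.113.22 US
2019-03-04T08:09:03Z alice connect 192.0.2.45 RU
2019-03-04T08:15:27Z carol connect 198.51.100.90 US
2019-03-04T08:40:12Z bob disconnect 203.0.113.22 US
2019-03-04T09:01:55Z bob connect 192.0.2.200 BR
"""

EXPECTED_COUNTRIES = {"US", "CA"}          # assumption: where agency staff normally connect from
TOR_EXIT_NODES = {"192.0.2.200"}           # constructed placeholder; feed from a threat-intel list in practice
MAX_SESSION = timedelta(hours=1)           # a session with no disconnect is assumed closed after this

def parse_log(text):
    """Parse the whitespace-separated log into (time, user, event, ip, country) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event, ip, country = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip, country))
    return events

def find_session_anomalies(events):
    """Return alert strings for unusual-location logins, concurrent sessions from
    different countries by the same user, and connections from Tor exit nodes."""
    alerts = []
    open_sessions = defaultdict(dict)      # user -> {source ip: (start time, country)}
    for ts, user, event, ip, country in sorted(events):
        if event == "disconnect":
            open_sessions[user].pop(ip, None)
            continue
        if country not in EXPECTED_COUNTRIES:
            alerts.append(f"unusual-location user={user} ip={ip} country={country}")
        if ip in TOR_EXIT_NODES:
            alerts.append(f"tor-exit user={user} ip={ip}")
        # Any still-open session from a different country means the same account is
        # active in two places at once, a classic sign of a hijacked session.
        for other_ip, (start, other_country) in open_sessions[user].items():
            if other_country != country and ts - start <= MAX_SESSION:
                alerts.append(f"concurrent-geo user={user} {other_country}->{country}")
        open_sessions[user][ip] = (ts, country)
    return alerts

if __name__ == "__main__":
    for alert in find_session_anomalies(parse_log(SAMPLE_LOG)):
        print(alert)
```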
Agency security teams should configure their VPNs according to industry standards, patch VPN firmware and software regularly, and routinely monitor employee VPN use for signs of malicious activity. By following these best practices, agencies will ensure VPNs remain a trusted component of the security infrastructure for years to come.