5 NSA-recommended strategies for improving your VPN security
2020-07-06 18:34

A senior NSA official speaking to reporters last week said that telework infrastructure like VPNs has become a focus for malicious actors, which led the NSA to release a formal advisory on how to secure VPNs from cyberattacks.

"VPN gateways tend to be directly accessible from the internet and are prone to network scanning, brute force attacks, and zero-day vulnerabilities," the NSA bulletin said.

Mitigation efforts should include implementing strict traffic filtering rules to limit ports, protocols, and IP addresses that can transmit on VPNs, and using an intrusion prevention system in front of the VPN gateway that can inspect traffic.

Configuring a VPN deployment can be difficult, which leads many organizations to leave default settings in place, said the NSA. The NSA specifically states that administrators should avoid using auto config tools or GUI wizards because they can leave undesired cryptographic suites behind, giving a potential attacker more avenues to break in.
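
As an added example (not code from the NSA advisory or from this article), the audit below flags connections that still rely on defaults or carry leftover proposals of the kind a wizard can leave behind. It assumes strongSwan's legacy ipsec.conf syntax, a constructed sample configuration, and an illustrative weak-algorithm list that the page does not specify; `audit_ipsec_conf` is a hypothetical helper name.

```python
import re

# Assumed deny-list for this example; the page does not name specific algorithms.
WEAK_TOKENS = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536"}

# Constructed sample in strongSwan's legacy ipsec.conf syntax (not from the page).
SAMPLE_CONF = """\
conn wizard-generated
    ike=aes256-sha256-modp2048,3des-sha1-modp1024
    esp=aes256-sha256

conn left-at-defaults
    auto=add

conn hand-tuned
    ike=aes256-sha384-ecp384!
    esp=aes256gcm16-ecp384!
"""

def audit_ipsec_conf(text):
    """Return a sorted list of (conn, finding) tuples for risky proposal settings."""
    # Collect key=value options per conn section, ignoring '#' comments.
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        m = re.match(r"conn\s+(\S+)", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    findings = []
    for name, opts in conns.items():
        for key in ("ike", "esp"):
            value = opts.get(key)
            if value is None:
                findings.append((name, f"{key}: no explicit proposal, defaults apply"))
                continue
            # A trailing '!' is the strict flag; without it other proposals may be accepted.
            if not value.endswith("!"):
                findings.append((name, f"{key}: not strict, other proposals may be accepted"))
            for proposal in value.rstrip("!").split(","):
                weak = sorted(set(proposal.strip().lower().split("-")) & WEAK_TOKENS)
                if weak:
                    findings.append((name, f"{key}: weak {'/'.join(weak)} in {proposal.strip()}"))
    return sorted(findings)

if __name__ == "__main__":
    for conn, finding in audit_ipsec_conf(SAMPLE_CONF):
        print(f"{conn}: {finding}")
```

On the sample, only the `hand-tuned` connection passes cleanly, because both of its proposals are explicit, strict, and free of the listed algorithms.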

"Over the past several years, multiple vulnerabilities have been released related to IPsec VPNs. Many of these vulnerabilities are only mitigated by routinely applying vendor-provided patches to VPN gateways and clients," the NSA said.


News URL

https://www.techrepublic.com/article/5-nsa-recommended-strategies-for-improving-your-vpn-security/#ftag=RSS56d97e7