Security News > 2020 > July > NSA Publishes Recommendations on Securing IPsec VPNs
Used within organizations of all sizes for remote connection to assets and for telework, VPNs can deliver the expected level of security if strong cryptography is employed and if admins perform regular assessments to identify and eliminate misconfigurations and vulnerabilities.
Thus, the NSA recommends that network administrators avoid default settings and reduce the attack surface of VPN gateways, ensure that only CNSSP 15-compliant cryptographic algorithms are used, remove unused or non-compliant cryptography, and keep both VPN gateways and clients up to date.
Administrators, the NSA says, should avoid using default configurations or the vendor-supplied tools for automated configuration or VPN access, as they might include undesired, non-compliant ISAKMP/IKE and IPsec policies.
The NSA also points out that the ISAKMP/IKE and IPsec policies should be configured with recommended settings, otherwise they would expose the entire VPN to attacks.
"VPNs are essential for enabling remote access and connecting remote sites securely. However, without the proper configuration, patch management, and hardening, VPNs are vulnerable to many different types of attacks," the NSA concludes.