Security

NSA, CISA Publish Guide for Securing VPN Servers (therecord.media) 31

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) published technical guidance today on properly securing the VPN servers that organizations use to give employees remote access to internal networks. From a report: The NSA said it put together the nine-page guide [PDF] after "multiple nation-state advanced persistent threat (APT) actors" weaponized vulnerabilities in common VPN servers as a way to breach organizations. "Exploitation of these CVEs [vulnerabilities] can enable a malicious actor to steal credentials, remotely execute code, weaken encrypted traffic's cryptography, hijack encrypted traffic sessions, and read sensitive data from the device," the NSA said today in a press release announcing the guide's publication. "If successful, these effects usually lead to further malicious access and could result in a large-scale compromise to the corporate network," the agency added.

  • by TigerPlish ( 174064 ) on Tuesday September 28, 2021 @04:34PM (#61842531)

    This is like getting lock advice from a burglar with multiple convictions and an array of lockpick tools dangling from the belt.

    • by XXongo ( 3986865 ) on Tuesday September 28, 2021 @04:43PM (#61842555) Homepage

      This is like getting lock advice from a burglar with multiple convictions and an array of lockpick tools dangling from the belt.

      I can't think of anybody who could give better advice.

      • Re: (Score:2, Insightful)

        by iggymanz ( 596061 )

        Except what he meant was

        "This is like getting lock advice from a burglar with multiple convictions and an array of lockpick tools dangling from the belt who wants the option of easily stealing all your shit"

      • I can't think of anybody who could give better advice.

        That's the conundrum here. Yes, they're good (supposedly) at what they do. Yes, they do it to everyone, everywhere.

        So. How to keep the NSA out, along with the script kiddies and all the other countries' intel outfits, plus law enforcement? Blindly trusting their advice is pretty much setting up a private, quiet entrance for them -- assuming they don't already have one.

        • by tacarat ( 696339 )

          Well, RTFA and poke holes in the document's information.

        • by witz2 ( 8211674 )

          So. How to keep the NSA out, along with the script kiddies and all the other countries' intel outfits, plus law enforcement? Blindly trusting their advice is pretty much setting up a private, quiet entrance for them -- assuming they don't already have one.

          You need to be in a government position to do that. And to have deep engineering knowledge. And guns.

      • Yea but no. Let's not forget that some of the NSA's previous "security advice" includes shit like "Install SELinux then configure your server's sudo to not require passwords. This will make you infinitely more secure, Trust us; we're in security!"

    • That happens almost every day in almost every security-related field.

  • Step 1: Add certificate for "surveillance.nsa.gov" ... /cynical

    [ On a more practical note, the NSA only really considers systems "secure" while they're still in their un-opened boxes. Even then, they keep them locked inside a safe, inside a vault, inside a volcano (along with the Starburst Juice-dratic equation) just in case. ]

  • by Anonymous Coward

    Considerations for Selecting Remote Access VPNs:

    When choosing a remote access VPN, consider these recommendations:

    - Avoid selecting non-standard VPN solutions, including a class of products referred to as Secure Sockets Layer/Transport Layer Security (SSL/TLS) VPNs. These products include custom, non-standard features to tunnel traffic via TLS. Using custom or non-standard features creates additional risk exposure, even when the TLS parameters used by the products are secure. NSA and CISA recommend standardized Internet Key Exchange/Internet Protocol Security (IKE/IPsec) VPNs that have been validated against standardized security requirements for VPNs.

    Sounds like OpenVPN and bastardized vendor-specific SSL VPNs are out, standards-based IKE/IPsec is in.

    • OpenVPN and IPsec are both equally bad. They are insanely complex protocols that are difficult to deploy safely and that have a huge amorphous attack surface.

      I'd much rather deploy a lean solution such as WireGuard. It was designed by people who actually understand security as opposed to just piling yet another abstraction on top of already unwieldy protocols

      • by Anonymous Coward

        OpenVPN and IPsec are both equally bad. They are insanely complex protocols that are difficult to deploy safely and that have a huge amorphous attack surface.

        I'd much rather deploy a lean solution such as WireGuard. It was designed by people who actually understand security as opposed to just piling yet another abstraction on top of already unwieldy protocols

        There's some truth to that. There are some WireGuard concerns too:

        - It's still "new" for a few more years.

        - It's primarily designed and written by one smart person.

        - It's not yet formally reviewed and standardized. This will come. https://www.phoronix.com/scan.... [phoronix.com]

        - The one hard coded encryption algorithm that WireGuard chose isn't hardware accelerated, so while software-only speed is fast, it's significantly slower and power consuming than hardware assisted AES-GCM. Important on battery-powered devices.

        - Im

  • First off.. (Score:4, Insightful)

    by Junta ( 36770 ) on Tuesday September 28, 2021 @05:12PM (#61842627)

    Consider that a VPN is probably not affording you the protection you need.

    The usual application of VPN hinges upon a dangerous assumption, that there even exists the concept of a 'trusted network' at the scope of an internal company-wide network. If anything on your network can't withstand the onslaught of being internet connected, it's likely a matter of time before it falls to some employee's activity, either intentionally or unwittingly.

    The difference is in timescale. If your insecure crap service is on the internet, it'll probably be ransomwared before you accumulate much business critical data without another copy. If you have a critical insecure service on a 'protected' network, it may just delay the attack until it has accumulated exclusive special data to be compromised in unauthorized access or lost to malicious attack (either deleted or encrypted).

    Many companies think they have effectively blocked risk through invasive end point management requirements inflicted on users. Then ransomware comes and knocks all those unsecured services anyway, because the security suite was misconfigured, no update available in time, or suffering workarounds because your lockdowns make it impossible for some people to do their jobs and they set up an even worse unmanaged device to get around the restrictions.

    If you think you have a 'trusted network' you are almost certainly incorrect. There may be a very narrow context where a subset of the concept of 'trusted network' may apply, but the overwhelmingly more likely scenario is there is a timebomb waiting to blow you up due to that assumption.

  • I bet they take a good hard look at the IPs of the people downloading the guide. You don't need it unless you have something to hide...

  • Works cited numbers 1 and 3 link to invalid pages. 404 code returned.
  • Thinking about the threat a VPN poses for MitM attacks. But with basic two-factor you have your cell on one network and your computer on another. Is there a way to scale that up to eradicate the local quality of communications, so attacks also would have to be widely distributed? Wonder what that looks like. It's like the old saying about what a tangled web we weave… the complexity of the MitM attack gets higher and higher as it has to alter all these distributed traces even for a completely surrounded target, so it

    • by Junta ( 36770 )

      MFA should be 'offline', either with a hardware token (e.g. YubiKey) or with some one-time password application/app like FreeOTP or KeePassXC.

      When you set up an otp, the service generates a key and that gets entered into the application and the application then just generates codes based on that shared secret and the local clock. There's no network involved.

      SMS is an exception, but other than that, the codes and the hardware tokens are all offline keys.
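
      The shared-secret-plus-clock flow Junta describes is RFC 6238 TOTP (built on RFC 4226 HOTP). The following is an added example written for this page, not code from the comment or from FreeOTP, KeePassXC or any other project: the enrolment step (server generates a random key, hands it over as base32 for the app to store), the code derivation that needs only the secret and the local clock, and the verifying side with a small clock-drift window and a constant-time comparison. The sample secret used in the demo is the RFC 4226/6238 test-vector key, labelled as such; everything else is standard library.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def provision_secret(nbytes: int = 20) -> tuple[bytes, str]:
    """Server-side enrolment: generate a random shared key and the base32
    form that is shown as a QR code / typed into the authenticator app."""
    raw = secrets.token_bytes(nbytes)
    return raw, base64.b32encode(raw).decode("ascii")


def secret_from_base32(b32: str) -> bytes:
    """App-side enrolment: decode the key the service displayed."""
    padded = b32.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 64-bit counter, dynamic truncation,
    then reduce modulo 10^digits and zero-pad."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is just the number of time steps since the epoch,
    so both sides derive the same code with no network involved."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Verifier side. Accepts codes from the current step plus +/- `window`
    neighbouring steps to tolerate clock drift; uses a constant-time compare
    so the comparison itself does not leak how many digits matched."""
    if len(candidate) != digits or not candidate.isdigit():
        return False
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo input: the RFC 4226 / RFC 6238 test-vector secret.
    rfc_secret = b"12345678901234567890"
    print("RFC 6238 T=59 ->", totp(rfc_secret, 59))  # expected 287082
    raw, b32 = provision_secret()
    app_secret = secret_from_base32(b32)
    now = int(time.time())
    code = totp(app_secret, now)
    print("fresh enrolment code:", code, "verifies:", verify_totp(raw, code, now))
```

      The window defaults to one step in each direction (90 seconds of tolerance in total); a real verifier should also remember the last accepted counter per user and refuse anything at or below it, so that a captured code cannot be replayed inside the window.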

  • The second part of the headline was missing.

  • They have the manufacturer build their access in the silicon itself.
  • Everyone does a little whitewashing from time to time. No shame on that. NSA VPN Backdoor: https://www.wired.com/2013/09/... [wired.com]
