NSA, CISA Publish Guide for Securing VPN Servers (therecord.media) 31
The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have published today technical guidance on properly securing VPN servers used by organizations to allow employees remote access to internal networks. From a report: The NSA said it put together the nine-page guide [PDF] after "multiple nation-state advanced persistent threat (APT) actors" weaponized vulnerabilities in common VPN servers as a way to breach organizations. "Exploitation of these CVEs [vulnerabilities] can enable a malicious actor to steal credentials, remotely execute code, weaken encrypted traffic's cryptography, hijack encrypted traffic sessions, and read sensitive data from the device," the NSA said today in a press release announcing the guide's publication. "If successful, these effects usually lead to further malicious access and could result in a large-scale compromise to the corporate network," the agency added.
Uh-huh. Fox guarding henhouse? (Score:3, Insightful)
This is like getting lock advise from a burglar with multiple convictions and an array of lockpick tools dangling from the belt.
Re:Uh-huh. Fox guarding henhouse? (Score:4, Insightful)
This is like getting lock advise from a burglar with multiple convictions and an array of lockpick tools dangling from the belt.
I can't think of anybody who could give better advice.
Re: (Score:2, Insightful)
Except what he meant was
"This is like getting lock advise from a burglar with multiple convictions and an array of lockpick tools dangling from the belt who wants the option of easily stealing all your shit"
Re: (Score:2)
I can't think of anybody who could give better advice.
That's the conundrum here. Yes theyr'e good (supposedly) at what they do. Yes, they do it to everyone, everywhere.
So. How to keep NSA out, along with the scriptkiddy and all the other countries' intel outfit, plus law enforcement? Blindly trusting their advise is pretty much setting up a private, quiet entrance for them -- assuming they already don't have one.
Re: (Score:1)
Well, RTFA and poke holes in the document's information.
Re: (Score:1)
So. How to keep NSA out, along with the scriptkiddy and all the other countries' intel outfit, plus law enforcement? Blindly trusting their advise is pretty much setting up a private, quiet entrance for them -- assuming they already don't have one.
You need to be in a government position to do that. And to have deep engineering knowledge. And guns.
Re: (Score:1)
Yea but no. Let's not forget that some of the NSA's previous "security advice" includes shit like "Install SELinux then configure your server's sudo to not require passwords. This will make you infinitely more secure, Trust us; we're in security!"
Re: (Score:1)
That happens almost every day in almost every security-related field.
NSA Guide, Step by Step (Score:2)
Step 1: Add certificate for "surveillance.nsa.gov" ... /cynical
[ On a more practical note, the NSA only really considers systems "secure" while they're still in their un-opened boxes. Even then, they keep them locked inside a safe, inside a vault, inside a volcano (along with the Starburst Juice-dratic equation) just in case. ]
Re: (Score:2)
True. Supply chain attacks don't work very well if you never connect the equipment to power.
Re: (Score:2)
Now, now no need to exaggerate you only need to put it in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying "Beware of The Leopard" [blogspot.com] (having gone down the stairs without the light).
Re: (Score:2)
I just took a look at the actual PDF (https://media.defense.gov/2021/Sep/28/2002863184/-1/-1/0/CSI_SELECTING-HARDENING-REMOTE-ACCESS-VPNS-20210928.PDF) - it basically says "don't use a TLS based VPN" (which means OpenVPN to most of us). It says instead to go with Ipsec, which I've gotta say, just isn't an option - it's far, far too hard to make it work in a lot of situations. OpenVPN is actually pretty easy and supports decent authentication. Wireguard looks great, but is no good for the "road warrior" type
OpenVPN no, standards-based IKE/IPsec yes (Score:1)
Considerations for Selecting Remote Access VPNs:
When choosing a remote access VPN, consider these recommendations:
- Avoid selecting non-standard VPN solutions, including a class of products referred to as Secure Sockets Layer/Transport Layer Security (SSL/TLS) VPNs. These products include custom, non-standard features to tunnel traffic via TLS. Using custom or non-standard features creates additional risk exposure, even when the TLS parameters used by the products are secure. NSA and CISA recommend standardized Internet Key Exchange/Internet Protocol Security (IKE/IPsec) VPNs that have been validated against standardized security requirements for VPNs.
Sounds like OpenVPN and bastardized vendor-specific SSL VPNs are out, standards-based IKE/IPsec is in.
Re: OpenVPN no, standards-based IKE/IPsec yes (Score:3)
OpenVPN and IPsec are both equally bad. They are insanely complex protocols that are difficult to deploy safely and that have a huge amorphous attack surface.
I'd much rather deploy a lean solution such as WireGuard. It was designed by people who actually understand security as opposed to just piling yet another abstraction on top of already unwieldy protocols
OpenVPN no, IKE/IPsec yes, WireGuard maybe (Score:2, Informative)
OpenVPN and IPsec are both equally bad. They are insanely complex protocols that are difficult to deploy safely and that have a huge amorphous attack surface.
I'd much rather deploy a lean solution such as WireGuard. It was designed by people who actually understand security as opposed to just piling yet another abstraction on top of already unwieldy protocols
There's some truth to that. There are some WireGuard concerns too:
- It's still "new" for a few more years.
- It's primarily designed and written by one smart person.
- It's not yet formally reviewed and standardized. This will come. https://www.phoronix.com/scan.... [phoronix.com]
- The one hard coded encryption algorithm that WireGuard chose isn't hardware accelerated, so while software-only speed is fast, it's significantly slower and power consuming than hardware assisted AES-GCM. Important on battery-powered devices.
- Im
First off.. (Score:4, Insightful)
Consider that a VPN is probably not affording you the protection you need.
The usual application of VPN hinges upon a dangerous assumption, that there even exists the concept of a 'trusted network' at the scope of an internal company-wide network. If anything on your network can't withstand the onslaught of being internet connected, it's likely a matter of time before it falls to some employee's activity, either intentionally or unwittingly.
The difference is in timescale. If your insecure crap service is on the internet, it'll probably be ransomwared before you accumulate much business critical data without another copy. If you have a critical insecure service on a 'protected' network, it may just delay the attack until it has accumulated exclusive special data to be compromised in unauthorized access or lost to malicious attack (either deleted or encrypted).
Many companies think they have effectively blocked risk through invasive end point management requirements inflicted on users. Then ransomware comes and knocks all those unsecured services anyway, because the security suite was misconfigured, no update available in time, or suffering workarounds because your lockdowns make it impossible for some people to do their jobs and they set up an even worse unmanaged device to get around the restrictions.
If you think you have a 'trusted network' you are almost certainly incorrect. There may be a very narrow context where a subset of the concept of 'trusted network' may apply, but the overwhelmingly more likely scenario is there is a timebomb waiting to blow you up due to that assumption.
Honeypot! (Score:2)
I bet they take a good hard look at the IPs of the people downloading the guide. You don't need it unless you have something to hide...
References lead to 404 (Score:1)
How do you generalize dual factor auth? (Score:2)
Thinking about threat VPN poses for MiM attacks. But with basic dual factor you have your cell on one network, computer on another. Is there a way to scale that up to eradicate the local quality of communications so attacks also would have to be widely distributed? Wonder what that looks like. Its like old saying about what a tangled web we weave⦠the complexity of the MiM attack gets higher and higher as it has to alter all these distributed traces even for a completely surrounded target, so it
Re: (Score:2)
MFA should be 'offline', either with a hardware token (e.g. YubiKey) or with some one time password application/app like freeotp or keepassxc.
When you set up an otp, the service generates a key and that gets entered into the application and the application then just generates codes based on that shared secret and the local clock. There's no network involved.
SMS is an exception, but other than that, the codes and the hardware tokens are all offline keys.
"... in a way that still lets them in easily." (Score:1)
The second part of the headline was missing.
And why not (Score:1)
Whitewashing (Score:1)