Security agencies offer guidance on VPN selection

The National Security Agency and the Cybersecurity and Infrastructure Security Agency recommended Tuesday that in choosing a virtual private network, companies avoid selecting non-standard VPN solutions, carefully read vendor documentation and check that a product supports strong authentication credentials and protocols and disables those that are weak.

These were among the recommendations issued by the two agencies in an information sheet, Selecting and Hardening Remote Access VPN Solutions, to address security risks associated with using VPNs.

“VPN servers are entry points into protected networks, making them attractive targets,” the agencies said in a statement. “Multiple nation-state advanced persistent threat actors have weaponized common vulnerabilities and exposures to gain access to vulnerable VPN devices.”

Exploitation of these exposures “can enable a malicious actor to steal credentials, remotely execute code, weaken encrypted traffic’s cryptography, hijack encrypted traffic sessions, and read sensitive device from the device,” it said.

“If successful, these effects usually lead to further malicious access and could result in large-scale compromise to the corporate networks.” 

The information sheet details factors in selecting a remote VPN and actions that will protect them from compromise.

This website states: The content on this site is sourced from the internet. If there is any infringement, please contact us and we will handle it promptly.