Jul 08, 2020 Implementing Work from Home? Read the NSA's Guidance on IPsec VPNs
The National Security Agency (NSA) recently issued a set of guidelines for configuring IPsec VPNs.
You can read the guidelines here; the key points are the following:
- Reduce the VPN gateway attack surface
- Verify that cryptographic algorithms are Committee on National Security Systems Policy (CNSSP) 15-compliant
- Avoid using default VPN settings
- Remove unused or non-compliant cryptography suites
- Apply vendor-provided updates (i.e. patches) for VPN gateways and clients
So far so good; this advice appears to be pretty much motherhood and apple pie. But enterprise cybersecurity professionals need to consider the broader context: as organizations increasingly implement work-from-home (WFH) policies, and as these policies will likely continue for the foreseeable future, the criticality of securing IPsec VPNs is skyrocketing.
In other words, properly configuring IPsec VPNs has always been the right thing to do. Now it’s also an incredibly important thing to do. That means, in turn, that cybersec operations folks need to build a “VPN check” into their routine efforts.
The NSA provides solid guidance, including configuration commands for specific vendor solutions (Cisco, Juniper, Palo Alto, and others). The trick is making sure the configurations (and other recommendations) are instantiated across the enterprise. Not rocket science, but very, very important.
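One way to run that routine "VPN check" across a fleet, as an added example (not code from the NSA guidance or from this post): a Python audit over a constructed gateway inventory that flags non-compliant suites and gateways left on defaults. The proposal strings use strongSwan-style keywords, and the allowlist is an assumption to be replaced with the algorithms the current guidance permits.

```python
# Assumed allowlist (strongSwan-style keywords). Replace it with the
# algorithms the current NSA / CNSSP 15 guidance actually permits.
ALLOWED = {"aes256", "aes256gcm16", "sha384", "prfsha384",
           "modp3072", "modp4096", "ecp384"}

# Constructed inventory: gateway name -> IKE proposals configured on it.
# In practice this would be exported from each gateway's running config.
INVENTORY = {
    "vpn-gw-hq": ["aes256-sha384-modp4096"],
    "vpn-gw-branch": ["aes256-sha384-ecp384", "aes128-sha1-modp1024"],
    "vpn-gw-legacy": ["3des-md5-modp1024", "aes256-sha256-modp2048"],
    "vpn-gw-lab": [],  # nothing explicit configured: vendor defaults apply
}


def audit_proposal(proposal):
    """Return the algorithm tokens in one proposal that are not allowlisted."""
    return [t for t in proposal.lower().split("-") if t not in ALLOWED]


def audit_fleet(inventory):
    """Map each failing gateway to {proposal: [offending tokens]}."""
    findings = {}
    for gateway, proposals in inventory.items():
        if not proposals:
            # No explicit proposal means the gateway negotiates defaults.
            findings[gateway] = {"<defaults>": ["no explicit proposal"]}
            continue
        bad = {}
        for proposal in proposals:
            offending = audit_proposal(proposal)
            if offending:
                bad[proposal] = offending
        if bad:
            findings[gateway] = bad
    return findings


if __name__ == "__main__":
    for gateway, bad in sorted(audit_fleet(INVENTORY).items()):
        for proposal, tokens in bad.items():
            print(f"{gateway}: {proposal} -> {', '.join(tokens)}")
```

A gateway passes only when every configured proposal is fully allowlisted, so a compliant suite sitting next to a leftover weak one (as on `vpn-gw-branch`) is still reported.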
So if you haven’t revisited your IPsec VPN configurations in a few months, now is a good time to revisit them. And now, if you’ll excuse me, I’m off to have a slice of apple pie and call my mother!