Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

NSA and CISA Issue Release Guidance on Proper VPN Deployment

This week, the National Security Agency and the Cybersecurity and Infrastructure Security Agency (CISA) jointly released guidance on the process organizations should use when choosing a VPN and deploying this technology, particularly in light of recent attacks that have taken advantage of poorly secured VPNs.

Kevin Kerr, Lead Security Principal Consultant Kevin Kerr, Lead Security Principal Consultant

"The guideline is good and timely with the increased risks and attacks. Sooner would have been better, but most good network and cyber teams already did a lot of the hardening in there," said Kevin Kerr, Lead Security Principal Consultant Americas for Trustwave's Consulting & Professional Services.


 The NSA and CISA believe such guidance is needed based on the danger posed by using poorly designed and implemented VPNs, leading to the large-scale compromise of a corporate network.

"Multiple nation-state, advanced persistent threat (APT) actors have weaponized common vulnerabilities and exposures (CVEs) to gain access to vulnerable VPN devices," the agencies said. "Exploitation of these CVEs can enable a malicious actor to steal credentials, remotely execute code, weaken encrypted traffic's cryptography, hijack encrypted traffic sessions, and read sensitive data from the device."

Kerr agreed, noting the risk associated with VPNs is not new, and it is an issue that organizations have been dealing with for several years.

"VPNs have always been a risk as they allow direct access into the company and their systems from remote users, 'trusted' partners/vendors/subs/etc., and they can hide what is going in/out of the company," he said.

Regardless of the VPN product chosen, the federal government said organizations have to maintain a strong patching program as threat actors will quickly, sometimes within 24 hours, attack a known vulnerability.

The risk of what can happen when VPNs are not adequately maintained is evident in the Colonial Pipeline Co. attack in July. The investigation into the attack found the attackers likely compromised months earlier using the login credentials for a legacy VPN application that the IT team had lost track of and lacked protections such as multifactor authentication.

This oversight resulted in the attacker placing ransomware into Colonial Pipeline's network, forcing the company to shut down its fuel pipelines, pay a $4 million ransom and have the data of 5,800 current and former employees compromised.

Federal Recommendations

The government suggests organizations avoid entire classes of VPNs, particularly those referred to as Secure Sockets Layer/Transport Layer Security (SSL/TLS) VPNs.

"These products [SSL/TLS VPNs] include custom, non-standard features to tunnel traffic via TLS. Using custom or non-standard features creates additional risk exposure, even when the TLS parameters used by the products are secure," the agencies said.

Instead, the agencies recommend implementing standardized Internet Key Exchange/Internet Protocol Security (IKE/IPsec) VPNs that have been validated against standardized security requirements for VPNs. Additionally, those in the market for a VPN should refer to the National Information Assurance Partnership (NIAP) Product Compliant List. The products recommended on this list are NIAP-certified devices that are rigorously tested by third-party labs against well-defined security features and requirements.

Other federal recommendations include:

  • Reading vendor documentation to ensure potential products support IKE/IPsec VPNs;
  • Disable the SSL/TLS proprietary or non-standards-based VPN fallback, if possible;
  • Ensure that potential products use FIPS-validated cryptographic modules and can be configured to use only approved cryptographic algorithms;
  • Check that a product supports strong authentication credentials and protocols and disables weak credentials and protocols by default;
  • Request and validate a product's Software Bill of Materials (SBOM), so the risk of the underlying software components can be adjudicated.

Trustwave Chimes In

While the federal suggestions are spot on, Kerr noted some, such as limiting functionality and capability, ensuring logging, and emphasizing patching, are not new. However, CISA and the NSA did slip in a few new thoughts, he said.

"There were some new items in there too. For example, it looks like they added some supply check items based on the SolarWinds compromise and its impact on companies," he said. "They also upped emphasis on using IKE/IPsec encryption."

Following federal guidelines and having solid cybersecurity practices in place is a great start, but Kerr noted there are areas where companies lag.

Kerr observed:

  • Companies may be relying on network staff that are great with internal networks but do not understand or are not trained on remote access,
  • Network and cyber teams are not working in unison when implementing and managing remote access;
  • Teams are not looking at defense-in-depth capabilities;
  • Endpoint security is not integrated with remote access tools;
  • System health is not checked when remoting in;
  • Behavior analytics (time of use, geolocation, etc.) are not being used, and staff is relying on traditional logging;
  • Companies are not using industry best of breed commercial VPNs or are using consumer-grade gear.

Kerr also suggested that organizations look at newer Secure Access Service Edge (SASE) technology allowing greater granularity of remote access control.

John Cartrett, director SpiderLabs North America, recommends that any organization worried about being the next headline evaluate how an adversary simulation engagement would help validate any assumptions of its current preventive and detective capabilities and bring clarity to any areas that require immediate attention.

“Here at SpiderLabs, adversary simulation engagements have two distinct paths, red and purple. Red teaming is an adversarial operation bent on making an organization's worst nightmares come true in a controlled manner and under the light of full disclosure,” Cartrett said. “A purple team operation is a collaborative project where an organization's defenders are coached in detecting the dark arts by senior defenders and red team operators.”

Latest Trustwave Blogs

Trustwave Webinar: Getting Started with Microsoft Copilot for Security

As a Microsoft security partner, Trustwave has committed itself to helping clients get the most out of their Microsoft E5 license, including properly setting up one of E5's primary features -...

Read More

Think Pink

There are some people who say, "I already conduct red team exercises, why would I need something different that is nothing more than a watered-down red team?"

Read More

Unlock Zero Trust: Why Database Security is the Missing Piece

As organizations consider their journey to establishing a strong Zero Trust culture, they must adopt a data-centric approach, and this begins with ensuring database security.

Read More