Connect with us

Hi, what are you looking for?


Identity & Access

NSA Publishes Recommendations on Securing IPsec VPNs

The National Security Agency (NSA) has published a series of recommendations on how to properly configure IP Security (IPsec) Virtual Private Networks (VPNs).

The National Security Agency (NSA) has published a series of recommendations on how to properly configure IP Security (IPsec) Virtual Private Networks (VPNs).

Used within organizations of all sizes for remote connection to assets and for telework, VPNs can deliver the expected level of security if strong cryptography is employed and if admins perform regular assessments to identify and eliminate misconfigurations and vulnerabilities.

Thus, the NSA recommends that network administrators avoid default settings and reduce the attack surface of VPN gateways, ensure that only CNSSP 15-compliant cryptographic algorithms are used, remove unused or non-compliant cryptography, and keep both VPN gateways and clients up to date.

Administrators, the NSA says, should avoid using default configurations or the vendor-supplied tools for automated configuration or VPN access, as they might include undesired, non-compliant ISAKMP/IKE (Internet Security Association and Key Management Protocol/Internet Key Exchange) and IPsec policies.

Restricting traffic to the VPN gateway to only UDP port 500/4500 and ESP, and limiting traffic to known VPN peer IP addresses should reduce attack surface. Using an Intrusion Prevention System (IPS) to monitor IPsec traffic should help as well.

The NSA also points out that the ISAKMP/IKE and IPsec policies should be configured with recommended settings, otherwise they would expose the entire VPN to attacks.

Per CNSSP 15, as of June 2020, minimum recommended settings for ISAKMP/IKE are Diffie-Hellman group 16, AES-256 encryption, and SHA-384 hash, while those for IPsec are AES-256 encryption, SHA-384 hash, and CBC block cipher mode.

Advertisement. Scroll to continue reading.

“Cryptography standards continue to change over time as the computing environment evolves and new weaknesses in algorithms are identified. Administrators should prepare for cryptographic agility and periodically check CNSSP and NIST guidance for the latest cryptography requirements, standards, and recommendations,” the NSA notes.

Any unused or non-compliant cryptography suites could expose the VPN to downgrade attacks and administrators are advised to remove them from their deployments, so that only compliant ISAKMP/IKE and IPsec policies are used.

On top of ensuring that only strong cryptography is employed and that default settings don’t create an additional attack surface, administrators should always apply the available patches for the VPN gateways and clients used within the organization.

“VPNs are essential for enabling remote access and connecting remote sites securely. However, without the proper configuration, patch management, and hardening, VPNs are vulnerable to many different types of attacks,” the NSA concludes.

Related: NIST, DHS Publish Guidance on Securing Virtual Meetings, VPNs

Related: Patching Pulse Secure VPN Not Enough to Keep Attackers Out, CISA Warns

Related: ‘Black Kingdom’ Ransomware Operators Target Pulse Secure VPNs

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...