
US, Allies Publish Guidance on Securing Network Access

Government agencies in the US, New Zealand, and Canada have published new guidance on improving network security.

Government agencies in the US, New Zealand, and Canada have published new guidance for organizations to adopt more robust security solutions to improve their visibility into network activity.

Titled Modern Approaches to Network Access Security (PDF), the document details modern security solutions – such as Secure Service Edge (SSE) and Secure Access Service Edge (SASE) – that organizations can transition to beyond VPNs to ensure secure access to their hybrid environments.

VPN solutions, the guidance shows, have been involved in multiple recent high-profile cyber incidents, and, while some of them are more secure than others, modern network access solutions provide granular access controls that traditional VPNs do not offer.

“Organizations that embrace these newer practices will reach an overall outcome closer to zero trust (ZT) principles,” the document reads.

Authored by CISA, the FBI, New Zealand’s Government Communications Security Bureau (GCSB) and CERT, and the Canadian Centre for Cyber Security (CCCS), the document outlines the vulnerabilities and risks associated with VPNs and remote access misconfigurations, and is meant to help organizations transition to more secure solutions.

“The authoring organizations are releasing this report to provide leaders with guidance to help prioritize the protection of organizations’ remote computing environment security while operating under the fundamental principles of least privilege,” the document reads.

VPN solutions, the authoring agencies say, are susceptible to vulnerabilities and misconfigurations, and, unless network segmentation and principles of least privilege and zero trust are implemented, do not protect against other network weaknesses, including device compromises and poor cyber hygiene.

“Vulnerabilities in VPN systems can lead to substantial impacts to organizations if exploited by threat actors because they may enable easy access across a large enterprise network after successful exploitation of the device,” the guidance shows.


Roughly two dozen security defects in CISA’s Known Exploited Vulnerabilities (KEV) catalog are related to VPN compromise leading to broad access to victim networks, including Ivanti gateway bugs (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893) and a Citrix appliance flaw (CVE-2023-4966, aka CitrixBleed).

“Current modern solutions – Zero Trust, SSE, and SASE – provide remote access to applications and services based on a granular access control policy. This type of policy rejects access to users who are not explicitly authenticated and authorized for a particular application or service,” the government agencies say.

Organizations can implement zero trust principles and continuously monitor user activity to leverage a more secure approach to network access, and can reduce the risk of compromise and better secure data at rest by not exposing internal assets, the guidance notes.

Enabling safe browsing, more secure SaaS applications, and easier validation of user access to data, SSE includes cloud security capabilities such as Zero Trust Network Access (ZTNA), Cloud Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Firewall-as-a-Service (FWaaS).

Combining network- and security-as-a-service capabilities, SASE is a cloud architecture that includes Software-Defined Wide Area Networking (SD-WAN), Next Generation Firewall (NGFW), hardware-enforced network segmentation, SWG, CASB, and ZTNA.

“SASE, SSE, and hardware-enforced network segmentation provide organizations the potential to replace traditional VPNs and security features and foster policies that offer a zero-trust approach to modern security implementation,” the authoring agencies note, urging organizations to assess their security posture, perform risk analysis, and review the recommended guidance.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
