The Norwegian National Cyber Security Centre (NCSC) has issued a warning about VPN solutions built on Secure Socket Layer/Transport Layer Security (SSL/TLS), commonly marketed as SSLVPN or WebVPN. It advises that these VPN services be replaced with safer alternatives because of recurring security vulnerabilities that malicious actors are actively exploiting.
The NCSC has long been aware of significant security flaws in SSLVPN systems and has reported on them repeatedly. Exploitation of these flaws in real incidents has prompted the NCSC to advocate a transition to more secure remote access technologies. Reports by NSM (the Norwegian National Security Authority, of which the NCSC is a part) highlight the urgent need for organizations to consider alternatives such as Internet Protocol Security (IPsec) with Internet Key Exchange version 2 (IKEv2).
This recommendation aligns with cybersecurity authorities in other countries, all of whom emphasize the importance of reducing attack surfaces and vulnerabilities associated with secure remote access. The NCSC warns that new and unforeseen vulnerabilities are likely to surface in SSLVPN products, further underlining the urgency of making the switch to IPsec IKEv2.
While IPsec IKEv2 has its own set of flaws, it exposes a smaller attack surface and is more tolerant of configuration errors. The NCSC advises companies to draw up a plan to phase out SSLVPN gradually and migrate to IPsec IKEv2 in order to reduce the risks associated with VPN-based remote access.
The transition process will vary in complexity depending on factors such as the size of the organization, number of employees, network infrastructure, choice of vendors, and deployment scope. The NCSC aims for all businesses to have completed the migration from SSLVPN to IPsec IKEv2 by the end of 2025, with companies impacted by security regulations or deemed socially significant expected to make the change by the end of 2024.
To facilitate a smooth transition, the NCSC outlines several implementation steps:
– Modify existing VPN setups to accommodate IPsec IKEv2.
– Transition all servers and users from SSLVPN to IPsec IKEv2.
– Disable SSLVPN features and block incoming TLS traffic.
– Implement certificate-based identification for enhanced security.
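As an added illustration of the last step (this is not configuration from the NCSC advisory), the following strongSwan swanctl.conf fragment defines an IKEv2 remote-access connection in which the gateway and every client authenticate with certificates issued by a corporate CA, with no pre-shared keys or password-based EAP. The hostname, addresses, file names and CA details are placeholders.

```conf
# Added example, placeholder names and addresses throughout.
connections {
    remote-access {
        version = 2                    # IKEv2 only, no IKEv1 fallback
        local_addrs = 203.0.113.10     # gateway's public address (placeholder)
        unique = replace               # one active IKE_SA per client identity
        proposals = aes256gcm16-prfsha384-ecp384
        dpd_delay = 30s
        pools = rw-pool
        local {
            # The gateway identifies itself with its own certificate;
            # key and certificate are read from /etc/swanctl/{private,x509}/.
            auth = pubkey
            certs = vpn-gateway.pem
            id = vpn.example.com
        }
        remote {
            # Clients must present a certificate chaining to the corporate CA.
            # The wildcard DN restricts accepted identities to that issuer's namespace.
            auth = pubkey
            cacerts = corp-ca.pem
            id = "C=NO, O=Example Corp, CN=*"
        }
        children {
            rw {
                local_ts = 10.0.0.0/8          # internal networks reachable over the tunnel
                esp_proposals = aes256gcm16-ecp384
                dpd_action = clear             # tear down SAs of unresponsive clients
            }
        }
    }
}
pools {
    rw-pool {
        addrs = 10.99.0.0/24               # virtual IPs assigned to clients
        dns = 10.0.0.53
    }
}
# Revocation sources for the CA, so revoked client certificates are rejected.
authorities {
    corp-ca {
        cacert = corp-ca.pem
        crl_uris = http://pki.example.com/corp-ca.crl
        ocsp_uris = http://ocsp.example.com
    }
}
```

Once all clients are on this connection, the gateway needs only UDP 500 and 4500 (IKE and NAT traversal) reachable from the Internet, which is what allows the TLS listener to be closed as the previous step describes.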
During the transition period, the NCSC recommends certain measures to ensure the security of VPN services:
– Maintain centralized logging for quick threat detection.
– Employ geofencing to restrict traffic from specific regions.
– Block traffic from unsafe sources such as VPN providers and Tor exit nodes.
In cases where setting up an IPsec link is not feasible, the NCSC suggests using 5G mobile or mobile broadband services as an alternative. Additionally, organizations are encouraged to explore modern, secure built-in solutions for operating systems, such as Always On VPN on Windows or solutions based on the WireGuard protocol.
By following the NCSC’s advice and migrating from SSLVPN to IPsec IKEv2, businesses can significantly improve the security of their remote access systems and strengthen their defenses against cyber threats. This proactive approach helps protect organizations from attacks and improves their resilience in an evolving threat landscape.