Norway NCSC Recommends Replacing SSLVPN and WebVPN

The Norwegian National Cyber Security Center (NCSC) has recently issued a recommendation urging organizations to replace their SSLVPN and WebVPN solutions with more secure alternatives. This advice comes in response to the repeated exploitation of vulnerabilities in edge network devices, which has enabled attackers to breach corporate networks in the past.

As a key player in Norway’s cyber security landscape, the NCSC serves as the primary coordinating body for national efforts to prevent, detect, and respond to cyber attacks. They provide strategic guidance and technical support to enhance the overall cyber security posture of the country, conducting risk assessments, disseminating threat intelligence, and promoting best practices in both the public and private sectors.

The NCSC’s latest guidance focuses on enhancing the security posture of organizations, particularly those operating within critical infrastructure sectors. By advocating for the transition to more robust and secure remote access protocols, the NCSC aims to strengthen the country’s overall resilience against cyber threats.

The recommendation to replace SSLVPN and WebVPN solutions is rooted in the recognition of the inherent vulnerabilities present in these protocols. While SSLVPN and WebVPN offer secure remote access via SSL/TLS protocols, they have been frequent targets for malicious actors due to their exploitable weaknesses.

To address these issues, the NCSC advises organizations to migrate to Internet Protocol Security (IPsec) with Internet Key Exchange version 2 (IKEv2) as a more secure alternative for remote access. This protocol encrypts and authenticates each packet of data, using periodically refreshed keys to enhance security. While no protocol is completely immune to flaws, the NCSC believes that IPsec with IKEv2 significantly reduces the attack surface for remote access incidents, offering a more secure option compared to SSLVPN.

In light of these recommendations, organizations subject to the Safety Act or classified as critical infrastructure are encouraged to complete the transition to IPsec with IKEv2 by the end of 2024. Other organizations are urged to finalize the switch by 2025, emphasizing the importance of swift action to mitigate potential risks.

The NCSC’s advice aligns with global trends, as countries like the USA and the UK have also endorsed similar guidelines promoting the adoption of IPsec with IKEv2 for enhanced security. This consensus underscores the effectiveness of this protocol in bolstering cyber defenses against evolving threats.

In situations where implementing an IPsec connection is not feasible, the NCSC recommends using 5G from a mobile device or mobile broadband as an alternative to enhance security.

This recent recommendation from the NCSC follows a prior notice issued last month regarding a targeted attack campaign against SSLVPN products. In this campaign, attackers exploited multiple zero-day vulnerabilities in Cisco ASA VPN, affecting critical infrastructure facilities since November 2023. The NCSC’s earlier notice highlighted the critical vulnerabilities present in SSLVPN products and recommended transitioning to IPsec with IKEv2 as a proactive measure to mitigate risks.

Overall, the NCSC’s proactive approach to enhancing cyber security measures underscores the importance of staying vigilant and adopting secure protocols to safeguard against potential threats. By prioritizing the transition to more robust and secure alternatives, organizations can bolster their defenses and protect against evolving cyber risks.
