CISA and NSA Release Joint Cybersecurity Information Sheet on Selecting and Hardening VPNs

Yesterday, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) released a Joint Cybersecurity Information Sheet detailing factors to consider when choosing a virtual private network (VPN) and recommending top configurations for using it securely. The Information Sheet, “Selecting and Hardening Remote Access Virtual Private Network (VPN) Solutions,” also will help critical infrastructure owners and operators better understand the risks associate with VPNs, such as active exploitation of known vulnerabilities by multiple nation-state advanced Persistent Threat (APT) actors.


Remote access VPN servers are entry points into protected networks. Exploitation of common vulnerabilities and exposures (CVEs) to vulnerable VPN devices can enable a malicious actor to steal credentials, remotely execute arbitrary code and hijack encrypted traffic sessions. If successful, these effects usually lead to further malicious access and could result in a large-scale compromise to the corporate network. Multiple nation-state APT actors have weaponized CVEs to gain access to vulnerable VPN devices.


To secure VPN systems against these types of attacks, CISA and the NSA recommend implementing the detailed mitigation measures described, which include selecting standards-based VPNs from reputable vendors that have a proven track record of quickly remediating known vulnerabilities. Top hardening recommendations include using tested and validated VPN products on the National Information Assurance Partnership (NIAP) Product Compliant List, employing strong authentication methods like multi-factor authentication, promptly applying patches and updates, and reducing the VPN’s attack surface by disabling non-VPN-related features.


Leaders at every level of an organization should read this Information Sheet, assess their unique cybersecurity environment, and implement recommended mitigations for any observed security gaps or weaknesses. Any support you and your organizations can do to amplify this Joint Information Sheet through your communications and social media channels is appreciated. And as always, thank you for your continued collaboration.


The Information Sheet can be found here.


Steve Lyddon
Protective Security Advisor, Region 5, Illinois
Cybersecurity and Infrastructure Security Agency