From SSLVPN to IPsec: Norway calls for abandoning the protocol in favor of security

Critical infrastructure organizations need to change their network protection.

The National Cybersecurity Center of Norway (NCSC) strongly advises organizations to replace SSL VPN/WebVPN with more secure alternatives because vulnerabilities in network devices are frequently exploited. This measure is aimed at protecting corporate networks from hacking and other cyber attacks.

NCSC emphasizes the need to complete the transition to new solutions before 2025. For organizations that fall under the "Security Law", as well as for critical infrastructure, the deadline is shorter: the end of 2024.

The NCSC recommends replacing SSL VPN/WebVPN products with IPsec-based solutions using IKEv2. Unlike SSL VPN/WebVPN, IPsec with IKEv2 provides a higher level of security by encrypting and authenticating each data packet, which reduces the likelihood of successful attacks.

Advantages of IPsec with IKEv2

SSL VPN and WebVPN provide secure remote network access over the Internet using SSL/TLS protocols, creating an encrypted tunnel between the user's device and the VPN server. However, frequent vulnerabilities in these protocols make them less reliable.

While IPsec with IKEv2 also has its drawbacks, NCSC claims that switching to it will significantly reduce the attack surface for remote access incidents because it has a lower tolerance for configuration errors than SSL VPNs.

NCSC Best Practices

For a successful transition to IPsec with IKEv2, NCSC offers the following steps:
  • Reconfiguring or replacing existing VPN solutions;
  • Migrating all users and systems to the new protocol;
  • Disabling SSL VPN functionality and blocking incoming TLS traffic;
  • Using certificate-based authentication.

In cases where IPsec connections are not possible, NCSC suggests using 5G broadband connections.

For organizations whose VPN solutions do not support IPsec with IKEv2 and that need time to plan and complete migration, NCSC offers temporary recommendations. These include a centralized VPN activity log, strict geographical restrictions, and blocking access to VPN providers, Tor exit nodes, and VPS providers.

Similar recommendations for using IPsec instead of other protocols were also given in the United States and the United Kingdom. Various vulnerabilities in SSL VPN implementations discovered in recent years in Cisco, Fortinet, and SonicWall products are actively exploited by hackers to break into networks.

For example, in February, Fortinet reported that Chinese hackers used two FortiOS SSL VPN vulnerabilities to break into organizations, including the Dutch military network. In 2023, Akira ransomware operations exploited an SSL VPN vulnerability in Cisco ASA routers to break into corporate networks, steal data, and encrypt devices.
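
The interim measures described above (a centralized VPN activity log, strict geographical restrictions, and blocking Tor exit nodes, VPN providers and VPS providers) can be checked against each other by reviewing the log with the same policy. The following is an added example, not part of the original post or of NCSC's guidance; the log format, the network ranges (documentation ranges standing in for real feeds and a GeoIP database) and all names are constructed assumptions.

```python
import ipaddress

# Constructed policy data (assumptions): documentation ranges stand in for
# real Tor exit, VPS and commercial-VPN feeds and for a GeoIP database.
BLOCKED_NETS = {
    "tor_exit": ["192.0.2.0/28"],
    "vps_provider": ["198.51.100.0/24"],
    "vpn_provider": ["203.0.113.128/25"],
}
GEO_DB = {"203.0.113.0/25": "NO", "192.0.2.0/24": "DE", "198.51.100.0/24": "US"}
ALLOWED_COUNTRIES = {"NO"}

# Constructed sample of a centralized VPN log (hypothetical key=value format).
SAMPLE_LOG = """\
2024-05-02T08:01:11Z event=login user=alice src=203.0.113.10
2024-05-02T08:03:40Z event=login user=bob src=192.0.2.5
2024-05-02T08:07:02Z event=login user=carol src=198.51.100.77
2024-05-02T08:09:15Z event=login user=dave src=203.0.113.200
2024-05-02T08:12:30Z event=login user=erin src=192.0.2.99
2024-05-02T08:16:00Z event=login user=mallory src=not-an-ip
"""

def classify(src):
    """Return (decision, reason) for one source address; fail closed."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return ("deny", "unparseable_source")
    # Block lists are checked first so a listed network inside an allowed
    # country is still denied.
    for reason, cidrs in BLOCKED_NETS.items():
        if any(ip in ipaddress.ip_network(c) for c in cidrs):
            return ("deny", reason)
    country = next((cc for cidr, cc in GEO_DB.items()
                    if ip in ipaddress.ip_network(cidr)), None)
    if country not in ALLOWED_COUNTRIES:
        return ("deny", f"geo:{country or 'unknown'}")
    return ("allow", f"geo:{country}")

def review(log_text):
    """Map each logged-in user to the decision for their source address."""
    results = {}
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[1:] if "=" in kv)
        if fields.get("event") == "login" and "user" in fields:
            results[fields["user"]] = classify(fields.get("src", ""))
    return results

if __name__ == "__main__":
    for user, (decision, reason) in review(SAMPLE_LOG).items():
        print(f"{user:8} {decision:5} {reason}")
```

Any "deny" result for a login that the gateway actually accepted indicates that the gateway's own restrictions and the intended policy have drifted apart.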