NSA on Securing VPNs
The NSA’s Cybersecurity Directorate—that’s the part that’s supposed to work on defense—has released two documents (a full and an abridged version) on securing virtual private networks. Some of it is basic, but it contains good information.
Maintaining a secure VPN tunnel can be complex and requires regular maintenance. To maintain a secure VPN, network administrators should perform the following tasks on a regular basis:
- Reduce the VPN gateway attack surface
- Verify that cryptographic algorithms are Committee on National Security Systems Policy (CNSSP) 15-compliant
- Avoid using default VPN settings
- Remove unused or non-compliant cryptography suites
- Apply vendor-provided updates (i.e. patches) for VPN gateways and clients
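
The cryptography items in that list (verify the algorithms, avoid default settings, remove non-compliant suites) can be checked mechanically. The sketch below is an added example, not code from the NSA documents or from this post. It assumes strongSwan-style proposal keywords and an allow-list built from the published CNSA minimums, and the configuration excerpt is constructed.

```python
import re

# Assumption: allow-list built from the published CNSA minimums (AES-256,
# SHA-384, ECDH P-384, DH >= 3072 bits); confirm against CNSSP 15 itself.
ALLOWED = {
    "cipher": {"aes256", "aes256gcm16"},
    "integrity": {"sha384", "prfsha384", "aes256gcm16"},  # AEAD covers integrity
    "group": {"modp3072", "modp4096", "ecp384"},
}
KNOWN = set().union(*ALLOWED.values())

# Constructed excerpt in strongSwan swanctl.conf style (not a real gateway).
SAMPLE_CONF = """\
hq {
  proposals = aes256gcm16-prfsha384-ecp384, aes128-sha1-modp1024
  children {
    net {
      esp_proposals = aes256-sha384-ecp384, 3des-md5
    }
  }
}
legacy {
  proposals = default
}
"""

def check_proposal(proposal):
    """Return the reasons a proposal fails the allow-list ([] = compliant)."""
    if proposal == "default":
        return ["relies on the built-in default proposal"]
    tokens = set(proposal.lower().split("-"))
    problems = [f"not on allow-list: {t}" for t in sorted(tokens - KNOWN)]
    for kind, approved in ALLOWED.items():
        if not approved & tokens:
            problems.append(f"no approved {kind}")
    return problems

def audit(conf):
    findings = []  # (line number, proposal, problems) for each failing proposal
    for lineno, line in enumerate(conf.splitlines(), 1):
        match = re.search(r"\b(?:esp_)?proposals\s*=\s*(.+)", line)
        for proposal in (match.group(1).split(",") if match else []):
            problems = check_proposal(proposal.strip())
            if problems:
                findings.append((lineno, proposal.strip(), problems))
    return findings

if __name__ == "__main__":
    for lineno, proposal, problems in audit(SAMPLE_CONF):
        print(f"line {lineno}: {proposal}: {'; '.join(problems)}")
```

On the constructed excerpt this reports the weak fallback proposals on lines 2 and 5 and the `default` proposal on line 10, which are the entries to remove or replace.
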
Stephen Craven • July 15, 2020 9:48 AM
I had never heard of the CNSS policies before so I tried to download them from https://www.cnss.gov/CNSS/issuances/Policies.cfm
On my Mac I get a “Your connection is not private” error on that policy page because it claims the “www.iad.gov” certificate is not standards compliant.
Anyone else have this issue or understand the root cause?
Seems silly that the Committee on National Security Systems would have an invalid cert.