Seeking to shrink the vulnerability and attack surface of secure remote access, Norway's National Cyber Security Center (NCSC) is urging all companies to replace their SSLVPN/WebVPN solutions.
The recommendation is to move to solutions that offer Internet Protocol Security (IPsec) with Internet Key Exchange version 2 (IKEv2) or, where that is not possible, to use 5G mobile broadband. The suggested deadline for completing the transition is the end of 2025. The good news is that the best business VPN services on the market already support IPsec with IKEv2 out of the box (more on this below).
Norway joins countries such as the US and the UK in recommending IPsec-based VPN connections for added security. Here is why this matters, in more detail.
SSL VPNs are convenient, but flawed
First, let's clarify the difference between VPN solutions built on Secure Sockets Layer/Transport Layer Security (SSL/TLS) and those that implement Internet Protocol Security (IPsec) with Internet Key Exchange (IKEv2).
The main difference is the layer at which encryption and authentication happen. IPsec with IKEv2 works at the network layer: IKEv2 authenticates the two peers and negotiates the keys, and IPsec then encrypts and integrity-protects the IP packets exchanged between endpoints identified by their IP addresses, with the keys refreshed periodically through rekeying.
SSL VPNs, also known as WebVPN or clientless VPNs, work higher up the stack: the VPN traffic is carried inside a TLS session, that is, inside a TCP connection identified by the host's IP address and a port number (typically 443). Because a web browser can open that session, a clientless SSL VPN does not require installing a dedicated VPN client on the endpoint. That convenience, however, comes with a drawback.
“The NCSC has long observed and reported on critical vulnerabilities in VPN solutions that use Secure Socket Layer/Transport Layer Security (SSL/TLS),” the NCSC wrote in its official announcement.
The biggest problem with SSL VPN is that, unlike IPsec, there is no open industry standard for it. TLS itself is standardized, but how a VPN tunnel is carried over TLS is not, so each manufacturer builds its own implementation. Over the years, this vendor-specific code has produced a long list of security flaws.
For example, two Fortinet SSL VPN credential-exposure flaws were among the most exploited security vulnerabilities of 2022, and the Chinese state-backed hacking group Volt Typhoon exploited them again in 2023, Fortinet revealed in February.
“The severity of the vulnerabilities and the repeated exploitation of this type of vulnerability by actors means that the NCSC recommends replacing secure remote access solutions that use SSL/TLS with more secure alternatives. The NCSC recommends Internet Protocol Security (IPsec) with Internet Key Exchange (IKEv2).”
Specifically, Norway's recommendations are:
- Reconfigure the existing VPN solution to support IPsec with IKEv2. If that is not possible, plan to replace the solution; where IPsec cannot be used at all, 5G mobile broadband is the suggested alternative.
- Migrate users and systems from SSLVPN to IPsec with IKEv2.
- Disable the SSLVPN functionality and verify that no endpoint still responds to it.
- Block all incoming TLS traffic to the VPN server.
- Adopt certificate-based authentication.
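The third and fourth steps above are easy to get wrong: an administrator disables the SSL VPN portal in the management UI, but the listener on TCP/443 (or a secondary port) stays up, or a firewall rule still lets TLS reach the gateway. The check below is an added example written for this article, not code from the NCSC or from any VPN vendor. It attempts a TLS handshake against each port a gateway might still serve an SSL VPN portal on and reports whether anything still completes a handshake. The port list and the local stand-in listener used for demonstration are constructed assumptions; a real run would point `check_gateway` at the external address of each VPN gateway, and IKE reachability on UDP/500 and UDP/4500 should be confirmed separately with a tool built for that (this block does not speak IKE).

```python
import socket
import ssl
import threading

# Ports an SSL VPN portal is commonly served on. Constructed list; extend it
# with any port your vendor uses for the portal.
SSLVPN_PORTS = (443, 8443, 10443)


def probe_tls(host, port, timeout=3.0):
    """Classify host:port.

    'closed'       nothing accepts TCP on that port
    'tls'          a TLS handshake completed, so something still serves TLS
    'open-no-tls'  TCP connected but no TLS handshake could be completed
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # presence of TLS is the question, not trust
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    try:
        # wrap_socket takes over the fd and closes it on handshake failure
        with ctx.wrap_socket(raw, server_hostname=host):
            return "tls"
    except (ssl.SSLError, OSError):
        return "open-no-tls"


def check_gateway(host, ports=SSLVPN_PORTS, timeout=3.0):
    """Probe every candidate port; the gateway passes only if none serves TLS."""
    results = {port: probe_tls(host, port, timeout) for port in ports}
    return {
        "host": host,
        "ports": results,
        "sslvpn_exposed": any(r == "tls" for r in results.values()),
    }


def start_plain_listener():
    """Constructed stand-in for a gateway whose portal is disabled but whose
    TCP port is still open: accepts connections and closes them without
    speaking TLS. Returns (port, stop_callable)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener was closed
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, srv.close


def free_closed_port():
    """Pick a local port nothing listens on (bind it, then release it)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    listener_port, stop = start_plain_listener()
    report = check_gateway("127.0.0.1", ports=(listener_port, free_closed_port()), timeout=2.0)
    stop()
    print(report)
```

Treat any `tls` result as a failed migration step, regardless of what the management console says: if a handshake completes, an attacker can still reach the vendor's TLS termination and portal code. An `open-no-tls` result still deserves a look, because the port should not be reachable at all once incoming TLS to the VPN server is blocked.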
At the same time, the NCSC also emphasizes that VPN products using IPsec with IKEv2 are also not free of vulnerabilities.
Take the case of Ivanti's VPN products. In 2023, Ivanti disclosed multiple security vulnerabilities in them, which various threat actors exploited to deploy information stealers, other malware, and ransomware on vulnerable targets. After those bugs were fixed, the vendor ran into yet more problems in February 2024.
However, the NCSC explained: “This choice of technology [IPsec] implies a smaller attack surface and a lower degree of fault tolerance in the configuration of the solution.”
The best VPN for your business
At TechRadar, our experts have spent more than 3,000 hours testing more than 100 VPN services, including a wide range of enterprise VPNs. Beyond the most important features, from security and speed to interface and ease of setup, we also weigh other variables such as the number of devices supported, pricing plans, and overall performance.
We test and review VPN services in the context of legal recreational uses. For example:
1. Access a service from another country (subject to the terms and conditions of that service).
2. Protecting your online security and strengthening your online privacy when abroad.
We do not support or tolerate illegal or malicious use of VPN services. Future Publishing does not endorse or approve the consumption of paid pirated content.