Norway recommends replacing SSL VPN to prevent breaches

May 16, 2024 at 03:08PM

The Norwegian NCSC advises replacing SSLVPN/WebVPN with more secure options due to repeated exploitation of vulnerabilities in network devices. The transition deadline is 2025, with critical infrastructure entities expected to switch by the end of 2024. The recommended alternative is IPsec with IKEv2, aiming to decrease the attack surface for secure remote access.

Based on the meeting notes, here are the key takeaways:

1. The Norwegian National Cyber Security Centre (NCSC) recommends replacing SSLVPN/WebVPN solutions with alternatives due to repeated exploitation of related vulnerabilities in edge network devices, which has led to breaches in corporate networks.

2. The transition to safer alternatives is recommended to be completed by 2025, with organizations subject to the ‘Safety Act’ or those in critical infrastructure advised to adopt safer alternatives by the end of 2024.

3. NCSC officially recommends switching from SSL VPN/WebVPN products to Internet Protocol Security (IPsec) with Internet Key Exchange (IKEv2) for secure remote access.

4. The proposed implementation measures include reconfiguring existing VPN solutions or replacing them, migrating all users and systems to the new protocol, disabling SSLVPN functionality, and using certificate-based authentication.

5. For organizations unable to implement IPsec connections, NCSC suggests using 5G broadband as an alternative.

6. NCSC has also shared interim measures for organizations needing time to plan and execute the migration, which include implementing centralized VPN activity logging, strict geofencing restrictions, and blocking access from VPN providers, Tor exit nodes, and VPS providers.

7. SSLVPN flaws have been actively exploited by threat actors, leading to breaches in various networks and organizations.

8. The NCSC’s recommendations are in line with similar recommendations from other countries such as the USA and the UK, all of which advocate for using IPsec over other protocols.
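
The interim measures in item 6 can be combined into one check over the central VPN log. The sketch below is an added example, not NCSC's or any vendor's code; the log format, the prefix-to-country table and the blocklist entries are constructed assumptions (RFC 5737 documentation ranges stand in for a GeoIP database and real Tor/VPN/VPS feeds).

```python
import ipaddress
import re

# Constructed data: documentation ranges stand in for a GeoIP database and real feeds.
GEO_PREFIXES = {"192.0.2.0/24": "NO", "198.51.100.0/24": "SE", "203.0.113.0/24": "US"}
ALLOWED_COUNTRIES = {"NO"}  # strict geofence: only countries staff connect from
# Hypothetical blocklist of Tor exit, commercial VPN and VPS provider ranges.
BLOCKED_NETS = {"192.0.2.128/25": "vps-provider", "198.51.100.7/32": "tor-exit"}
# Constructed line format for a central VPN activity log.
LINE_RE = re.compile(r"^\S+ vpn-gw\S* login user=(?P<user>\S+) src=(?P<src>\S+) result=\w+$")

def _lookup(addr, table):
    """Return the value of the most specific prefix containing addr, else None."""
    best = None
    for prefix, value in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, value)
    return best[1] if best else None

def evaluate(line):
    """Classify one login line as (user, src, verdict, reason)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return (None, None, "review", "unparsed")  # never silently drop a line
    try:
        addr = ipaddress.ip_address(m["src"])
    except ValueError:
        return (m["user"], m["src"], "review", "bad-source-address")
    category = _lookup(addr, BLOCKED_NETS)  # anonymizer/VPS check runs before the geofence
    if category:
        return (m["user"], m["src"], "block", category)
    country = _lookup(addr, GEO_PREFIXES)
    if country not in ALLOWED_COUNTRIES:  # unknown origin fails closed
        return (m["user"], m["src"], "block", f"geofence:{country or 'unknown'}")
    return (m["user"], m["src"], "allow", "ok")

# Constructed sample log lines.
SAMPLE_LOG = """\
2024-05-16T08:01:02Z vpn-gw1 login user=alice src=192.0.2.10 result=success
2024-05-16T08:03:40Z vpn-gw1 login user=bob src=198.51.100.7 result=success
2024-05-16T08:05:11Z vpn-gw2 login user=carol src=203.0.113.50 result=failure
2024-05-16T08:06:00Z vpn-gw2 login user=dave src=192.0.2.200 result=success
"""

if __name__ == "__main__":
    for entry in SAMPLE_LOG.splitlines():
        print(evaluate(entry))
```

The blocklist is checked first so that a VPS or Tor address inside an allowed country is still rejected, and addresses with no known origin are blocked rather than allowed.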

